This document describes the installation of a Debian GNU/Linux (Sarge) server for the purpose of collecting and presenting NetFlow data. The NetFlow packets are collected using flow-tools. The data is processed and presented using Stager.


The Stager system reuqires information about routers such as names for interfaces. Several methods are available to aquire this information. Typically the router hostname is obtained by looking up ip address in DNS and interface descriptions are obtained via SNMP. This presents some challenges for our implementation, the reverse DNS for router ip addresses resolves to some meaningless generic name. The interface descriptions contain information unsuitable for netflow.

For the purpose of this document, we maintain router names and interface descriptions in manual text files.

A source for netflow packets is required. Typical Cisco IOS configuration would look like this, assuming is the IP address of this server we are about to build.

ip flow-export version 5
ip flow-export destination 9997

System Installation

Debian Install Install a basic Debian Sarge system. Do not select any particular packages during install. Needed packages will be installed as needed using apt-get.

Use the manual partitioning option to partition the drive.

/boot           200 MB (primary)
swap           1000 MB (logical)
/              1600 MB (logical)
/tmp           2000 MB (logical)
/usr           4400 MB (logical)
/home          4800 MB (logical)
/var          16000 MB (logical)
/space         fill

Essential Packages Install the following useful tools and packages.

apt-get install sysv-rc-conf
apt-get install vim
apt-get install rsync
apt-get install ntp-simple
apt-get install ntpdate
apt-get install bzip2
apt-get install gawk
apt-get install lynx
apt-get install zip
apt-get install unzip
apt-get install postfix

Unwanted Services In order to keep this server secure only specifically needed services should be running. Use the sysv-rc-conf tool to disable lpd, nfs-common, portmap, ppp.

Edit the /etc/inetd.conf file and comment identd and other service to disable.

SMP Kernel Since this particular machine is a dual CPU server an SMP kernel image is quite useful. Use apt to find available kernel images and install the SMP kernel of your choice.

apt-cache search 'kernel-image.*smp'
apt-get install kernel-image-2.6-686-smp

Reboot the server to run the SMP kernel. To see CPU utilization of each CPU use ‘top’ and type ‘1’

System Configuration

ntp The /etc/ntp.conf needs to be edited to obtain time from our local ntp server. A suitable /etc/ntp.conf is:

# /etc/ntp.conf, configuration for ntpd

# File locations
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
logfile /var/log/ntpd

# The server we connect to
restrict nomodify

# ... and use the local system clock as a reference if all else fails
fudge stratum 13

# By default noone is allowed to access this host
restrict default ignore

# Local users may interrogate the ntp server more closely.
restrict nomodify

The /etc/default/ntpdate needs to be edited to set the time at system boot. Change the following line:


postfix The /etc/postfix/ file contains all significant postfix configuration information. Just one line needs to be added to have postfix limited to only localhost and not listen on public interfaces:

inet_interfaces = localhost.localdomain

Stager System Installation

apache Install apache from Debian packages. Do not enable suexec.

apt-get install apache
apt-get install apache-dev

postgresql Install postgresql from Debian packages.

apt-get install postgresql
apt-get install postgresql-dev

perl Some additional perl modules are required. These are available as packages.

apt-get install libdbi-perl
apt-get install libdbd-pg-perl
apt-get install libnet-dns-perl
apt-get install libsnmp-perl

php Some libraries are required to build php.

apt-get install libxml2-dev
apt-get install libgd2
apt-get install libgd2-dev

The php apache module is installed from source. It appears that the Debian php package lags significantly behind official php releases and security fixes. To simplify building and rebuilding of php a build script is use. Obtain the latest php release and adjust the release number in

mkdir /usr/local/src/php
cd /usr/local/src/php

The /usr/local/lib/php.ini file is edited to include /usr/local/lib/php in the include_path statment:

include_path = ".:/usr/local/lib/php"

The /usr/lib/apache/1.3/ file is created with the following content:

LoadModule php4_module /usr/lib/apache/1.3/

The /etc/apache/httpd.conf file is edited. The lines that tell apache to parse certain extensions as php are uncommented. In particular these lines are to be uncommented:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Finally the apache configuration utility is run and the apache daemon restarted.

apache-modconf apache enable  mod_php4
/etc/init.d/apache restart

pear The PEAR::DB library is required. Although php includes pear, this is not included.

pear install DB

jpgraph Obtain jpgraph and install.

cd /usr/local/src/php/
tar xzf jpgraph-1.19.tar.gz
cp -r jpgraph-1.19/src /usr/local/lib/php/jpgraph

smarty Obtain smarty and install.

cd /usr/local/src/php/
tar xzf Smarty-2.6.10.tar.gz
cp -r Smarty-2.6.10/libs /usr/local/lib/php/Smarty

flow-tools Obtain flow-tools and install.

mkdir /usr/local/src/flow-tools
cd /usr/local/src/flow-tools
tar xzf flow-tools-0.68.tar.gz
cd flow-tools-0.68
./configure --prefix=/usr/local
make && make install

stager Create a new user for stager.

groupadd netflow
useradd -g netflow -d /var/netflow netflow
mkdir /var/netflow

Obtain stager.

mkdir /usr/local/src/stager
cd /usr/local/src/stager
tar xzf Stager-1.2.4.tar.gz
cd Stager_1_2_4

Install the backend. Accept the presented password or choose a sensible new password.

./         --type=backend      --prefix=/var/netflow       --backends=netflow      --backends=snmp

Fix permissions for some scripts installed by the stager backen installation.

chmod 755 /var/netflow/stager/bin/
chmod 755 /var/netflow/stager/bin/
chmod 755 /var/netflow/stager/bin/
chmod 755 /var/netflow/stager/bin/

Create a temporary directory for stager.

mkdir /var/netflow/stager-tmp
chown netflow.netflow /var/netflow/stager-tmp

Install the frontend. The stager owner is ‘netflow’ and the web group is ‘www-data’.

./         --type=frontend         --prefix=/var/www       --backends=netflow      --backends=snmp

snmp Install snmp command line tools.

apt-get install snmp

Stager System Configuration

flow-tools Create a directory to store flow-tools raw data.

mkdir /var/netflow/raw

Install the flow-capture.init script as /etc/init.d/flow-capture. Use the sysv-rc-conf tool to start flow-capture at the desired run levels.

Make sure the init file is executable.

chmod 755 /etc/init.d/flow-capture

postgresql Prepare a user for the stager postgres databases.

su postgres
psql template1
create user netflow with password '<password>' createdb;

Edit /etc/postgresql/pg_hba.conf, add the following entry before any other entries.

local  all    netflow                                       password
host   all    netflow   password

Restart postgresql.

/etc/init.d/postgresql restart

stager backend Edit the /var/netflow/stager/etc/netflow.cfg configuration file. Edit the lines that specify the database user and passwords.




Edit the /var/netflow/stager/etc/snmp.cfg configuration file. Edit the lines that specify the database user and passwords.



Run the database initialization script. You will be prompted for the netflow database user password multiple times.

/var/netflow/stager/bin/ --clean --backend=netflow

The next step will update the database with router information. This step has to be done every time a new router is configured to send netflow data to stager. Edit /var/netflow/stager/bin/ to point to the location where flow-capture stores raw data.


Create the /var/netflow/stager/etc/exporters.cfg file. It needs to contain name resolution information for all routers we receive netflow traffic from.          rtr-lib-sl

Create the /var/netflow/stager/etc/routers.cfg file. It needs to contain information on all the router interfaces we receive netflow information about.

Execute the stager/bin/ script. Running it first in trial mode (use the --dry-run arg) is recommended. If all looks well run it for real to populate the database.

su - netflow
./stager/bin/ --dry-run -v --plugin=text

If all looks well go for the real thing.

su - netflow
./stager/bin/ --plugin=text

Manually update the time stamps. Note: replace the date with the current date.

psql -U netflow stager
UPDATE obs_point_descr SET timestamp = '2005-10-21';

Create cron entries to populate the database with flow data. These processes should run as netflow user.

crontab -u netflow -e

Here is an example crontab.

# get-netflow, hourly
15  * * * * $HOME/stager/bin/

# aggregate, daily
45 01 * * * $HOME/stager/bin/ --backend=netflow --interval '1 day'  --timeformat 'YYYY-MM-DD'

# aggregate, weekly
50 02 * * 1 $HOME/stager/bin/ --backend=netflow --interval '1 week' --timeformat 'YYYY-IW' --no-cap

# aggregate, monthly
45 03 1 * * $HOME/stager/bin/ --backend=netflow --interval '1 mon'  --timeformat 'YYYY-MM'

# purge, daily
45 04 * * * $HOME/stager/bin/ --backend netflow

apache and php The default web root for the Debian apache install is /var/www. We installed the stager frontend in /var/www/stager. This means stager is automatically availabe at the location.

Edit /usr/local/lib/php/php.ini. Modify the include_path statement and adjust the memory limit

include_path = ".:/usr/local/lib/php:/usr/local/lib/php/Smarty:/usr/local/lib/php/jpgraph"
memory_limit = 20M

Restart apache.

/etc/init.d/apache restart

stager frontend Edit the /var/www/stager/config/user.config.php configuration file. Of most importance is the database section.

'db' => array(
    'my_db' => array(
        'name'          => 'My Database',
        'phptype'       => 'pgsql',
        'database'      => 'stager',
        'username'      => 'netflow',
        'password'      => '<password>',
        'hostspec'      => 'localhost',
        'port'          => '5432'

stager user access control Ok, this needs work :) User access is controlled via sql commands. There is no web frontend for this. Each time adds new descriptors the user access has to be reapplied (as I understand the instructions).