13.2. Configure Netflow for Trisul

Trisul can use Netflow-like telemetry to gain deep visibility into your traffic performance, monitor traffic flows, and scan for security threats. Trisul features comprehensive support for Netflow v5/v9, JFlow, IPFIX and SFlow metering. This document describes step by step how to set up Trisul to process Netflow and Netflow-like metering.

13.2.1 Steps

  • Configure your routers

    Configure your routers/switches to send Netflow to the Trisul-Probe’s IP address and note down the following:

    • Which interfaces on the Trisul server are receiving the Netflow records (eth0, eth1, eth2, etc.)? Which UDP ports are receiving Netflow records?

    Default ports

    The following ports are configured by default for Netflow and SFlow processing. The versions and flavors are detected automatically. To view or change these, use the Netflow Wizard from Context: default → profile0 → Netflow Wizard

    • Traffic on UDP ports 2055,2056,2057,9500,9993 is interpreted as Netflow/IPFIX/JFlow.
    • UDP Port 6343 is treated as SFlow.
  • Confirm that Netflow records are being received

    This is an optional step. Use tcpdump to check whether Netflow records are indeed arriving on the Trisul interface:

    sudo tcpdump -i eth0 -nnn "udp port 2055"

    You should see some data within a minute or so. If not, check the other interfaces (eth1, eth2). We recommend that you confirm Netflow is reaching your server on the correct port before proceeding.

  • Change probe NETFLOW_TAP mode

    Use the UI to change the mode from the default “Packet capture” to “Netflow”.

    • Login as Admin. Then go to Context: Default → Start/Stop Tasks
    • For probe0 on the “Packets or Netflow” column, change the drop down from TAP to NETFLOW_TAP
  • Make further tweaks using the Netflow Setup Wizard

    • Login as Admin and open the Netflow Wizard by selecting Context:default → profile0 → Netflow Wizard
    • Specify the interfaces and ports receiving Netflow that you noted down in Step 1
    • Specify your organization’s Home Networks
  • Restart trisul-probe and finish

    • Login as Admin. Then select Context:default → Admin Tasks → Start/Stop Tasks
    • Start the probe
    • Logout and log back in as a “user” to see the dashboards.

    Congratulations!! Now wait for about 10 minutes for Netflow data to start showing up.
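As an added check that complements the tcpdump step above (this is example code, not Trisul’s own), the following Python script binds the Netflow Wizard’s default UDP ports, listens on all interfaces at once (so eth0, eth1 and eth2 are covered in one run), and reports the export flavour of each datagram from its version field. It assumes nothing else on the host has bound those ports; run it with python3 on the Trisul server before switching the probe to NETFLOW_TAP.

```python
"""Added check for the Trisul Netflow setup: bind the default flow ports and
report which flow-export flavour each datagram looks like (not Trisul code)."""
import select
import socket
import struct
import sys
import time

# Default port mapping from the Netflow Wizard step.
NETFLOW_PORTS = {2055, 2056, 2057, 9500, 9993}   # Netflow v5/v9, JFlow, IPFIX
SFLOW_PORTS = {6343}                             # sFlow
def classify_datagram(payload: bytes) -> str:
    """Name the export flavour from the version field at the start of a datagram.
    Netflow v5/v9/IPFIX: 16-bit version 5/9/10. sFlow: 32-bit version 5, so
    its first two bytes are zero. Hypothetical helper, not part of Trisul."""
    if len(payload) < 4:
        return "unknown"
    (ver16,) = struct.unpack("!H", payload[:2])
    if ver16 == 0:
        (ver32,) = struct.unpack("!I", payload[:4])
        return "sflow-v5" if ver32 == 5 else "unknown"
    if ver16 == 5 and len(payload) >= 24:
        (count,) = struct.unpack("!H", payload[2:4])
        # v5 is fixed-format: 24-byte header plus `count` 48-byte records.
        ok = len(payload) == 24 + 48 * count
        return "netflow-v5(%d records)" % count if ok else "netflow-v5(bad length)"
    return {9: "netflow-v9", 10: "ipfix"}.get(ver16, "unknown")

def listen(ports, timeout=60.0):
    """Collect (source IP, flavour) per port for `timeout` seconds."""
    socks = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("", port))   # all interfaces; assumes nothing else holds the port
        socks.append(sock)
    seen = {}
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        for sock in select.select(socks, [], [], 1.0)[0]:
            data, (src, _) = sock.recvfrom(65535)
            seen.setdefault(sock.getsockname()[1], []).append((src, classify_datagram(data)))
    return seen

if __name__ == "__main__":
    wait = float(sys.argv[1]) if len(sys.argv) > 1 else 60.0
    seen = listen(sorted(NETFLOW_PORTS | SFLOW_PORTS), wait)
    for port, hits in sorted(seen.items()):
        print("udp/%d: %d datagrams, first is %s from %s" % (port, len(hits), hits[0][1], hits[0][0]))
    sys.exit(0 if seen else 1)   # non-zero: nothing arrived, fix the exporter first
```

A datagram reported as "unknown" on a Netflow port usually means the exporter is sending sFlow to the wrong port (or vice versa); adjust the exporter or the port mapping in the wizard.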

13.2.2 Next steps

Change the interfaces, ports, etc. on which Trisul listens for Netflow.

Use the Netflow Wizard to perform the following tasks:

  1. Change the interface (for example eth0) on which Netflow is received
  2. Change the Home Network
  3. Change the UDP ports that are mapped to Netflow

Advanced configuration

You can tweak the Netflow configuration file for more advanced settings.

Typically you don’t need to do this, because the defaults have been carefully selected for you.