Webview Netflow Reporter (wvnetflow) in a Docker Container
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
docker_scripts
docs
etc
images
CHANGELOG
COPYRIGHT
Dockerfile
README.md

README.md

Overview - Webview Netflow Reporter

A lightweight Netflow collector and web display tool based on wvnetflow and flow-tools in a Docker container. Webview Netflow Reporter was created by Craig Weinhold craig.weinhold@cdw.com.

This container listens on ports 2055 for netflow exports, and displays the collected data in a web interface. This screenshot shows off the varying data sent through a router.

wvnetflow screen shot There is much more information in the docs directory, and on the original wvnetflow site hosted at SourceForge.net

Testing Status: This container has been tested with Docker Community Edition Version 17.03.1-ce-mac5 (16048) running on a mid-2011 Mac mini, OSX 10.12.4, with a 2.3 GHz Intel Core i5 processor and 8 GBytes RAM. It works great with my LEDE/OpenWrt router after installing the softflowd package to export netflow info. If you try it out, please file an issue and let me know how it worked for you.

QuickStart - Install and Test Webview Netflow Reporter

  1. Install Docker (the Community Edition works fine) on a computer that's always running. wvnetflow will run there and collect the netflow data 24x7.

  2. Clone the wvnetflow-dockerized repo to that computer.

    $ git clone https://github.com/richb-hanover/wvnetflow-dockerized.git
    
  3. Build the container from the Dockerfile. The commands below build it with the name wvnr_img. This can take many minutes, since many files need to be downloaded and installed.

    $ cd wvnetflow-dockerized
    $ docker build -t wvnr_img .
    
  4. Run the container named wvnr_img. This will print a container-ID on the console.

    $ docker run -d -p 83:80 -p 2055:2055/udp --name wvnr_img wvnr_img
    9c1b567e0aba007368ed062d4aa226675fa1e011600cdf59593d42a689d05034
    
  5. Point your web browser to http://localhost:83 You will see the Webview Netflow Reporter home page. Notes:

    • The docker run... command above maps external port 83 to the docker container's web port 80. Change it to use a different external port if needed.
    • If you installed the Docker container on a separate computer, use the IP address of the computer where you're running wvnetflow.
  6. Configure your router to export Netflow version 5 flows to port 2055 of the collector.

  7. Wait... It can take 15 minutes before the flow data has been collected and charted. See the Status page (below) for progress information.

Quick Start - Home page

This information describes the links in the header bar. Read the docs and wvnetflow page for more details.

  1. Analysis provides a GUI to select which traffic to chart. See the Traffic Analysis screen shot below for details. (The container must run and receive flow records for at least 5-15 minutes before traffic can be graphed.)

  2. Ad Hoc Query lets you build queries to view the netflow data in different ways.

  3. Configuration shows the configuration file for the /usr/local/webview/flowage/flowage.pl program that drives wvnetflow.

  4. Exporters lists the exporters that are providing netflow data.

  5. Status displays running statistics about the wvnetflow server. It will take up to five minutes before the Flowage Activity Log shows entries.

  6. About leads to the github page that hosts the repository.

Traffic Analysis

The GUI for creating and displaying netflow data has many controls. To see the most recent data received, use the defaults, and:

  • Click the Local exporter (in Interfaces section)
  • Select a duration ("Day" in the image)
  • Click "Graph" to display the data.

Modifying the Docker Image

  • Build the docker container. This creates an image named wvnr_img

    $ cd <folder-containing-wvnetflow-Dockerfile>
    $ docker build -t wvnr_img . 
    
  • Run that newly-built image, and listen on port 83 for browser connections, and port 2055 for netflow records:

    $ docker run -d -p 83:80 -p 2055:2055/udp --name wvnr_img wvnr_img
    
  • Add "-d" in the command above to daemonize the container when you run it (e.g., docker run -d -p ...) This allows you to continue working in the same terminal window.

  • Connect to the container via a terminal (like ssh), if you want to "look around" inside the container. This is not required: wvnetflow is already running and collecting data.

    $ docker exec -i -t wvnr_img /bin/bash
    
  • To make a change to the container, stop it with the command below (this removes the wvnr_img name), edit the Dockerfile, then rebuild and docker run...

    $ docker rm -f wvnr_img
    
  • Verify the port bindings between internal ports (2055 & 80) and their external mappings using docker port image_name

    $ docker port wvnr_img
    2055/udp -> 0.0.0.0:2055
    80/tcp -> 0.0.0.0:83
    

Known Issues/Questions

  1. This program only listens for a single netflow exporter sending to port 2055. This works great in a home networking environment, with a single router managing the bottleneck link to the ISP, and where you want to know "who's hogging the network".

    Because of the current Docker networking setup, this container cannot distinguish between multiple exporters sending flows. I have not tested alternate setups (e.g., host network vs. bridge network) to see how this might change.

  2. By default, this wvnetflow container treats all private internet (RFC1918) address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4) as "local", and all other addresses as remote. This allows the Applications graph to distinguish between "in" and "out" traffic. (This is perfect for a single router in a home network.) Change this by editing the /usr/local/webview/flowage/flowage.cfg file.

  3. The flowage.pl program currently runs every five minutes. This means that the data displayed in the graphs can be as much as 10 minutes old. For small installations (with a single exporter), it would be good to make the charts display data that's only one minute old. (This setting might impose too much load on large installations that have many exporters and high traffic rates.)

  4. The current source code for wvnetflow is saved in a separate Github repo at: https://github.com/richb-hanover/wvnetflow