Oct 9, 2019 by Thibault Debatty
https://cylab.be/blog/42/collecting-and-processing-netflow-on-ubuntu
NetFlow is a feature introduced on Cisco routers around 1996 that provides the ability to collect and process summaries of network traffic.
Unlike full packet capture, only a summary of the network traffic is collected. For NetFlow version 5, the collected fields are:
More recent versions, including IPFIX, define additional fields, and even user-defined fields.
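As an added example that is not part of the original post, the following Python decodes a NetFlow v5 datagram in the form a collector such as nfcapd receives it on UDP port 2055: a 24-byte header followed by up to 30 fixed 48-byte records. The sample datagram is constructed inline (addresses and counters are made up), and the parser rejects truncated or non-v5 input instead of reading past the buffer.

```python
"""Decode a NetFlow v5 datagram (the format nfcapd receives on UDP 2055)."""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval (24 bytes, network byte order)
HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Return a list of flow dicts; reject anything that is not a sane v5 export."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # v5 allows at most 30 records; the header count must match the payload length
    if count > 30 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("count %d does not match datagram length" % count)
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
            "proto": PROTO.get(f[13], str(f[13])),
        })
    return flows


def build_v5(flows):
    """Encode flows the other way round, to build constructed test data."""
    hdr = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                                b"\0" * 4, 0, 0, f["packets"], f["bytes"], 0, 0,
                                f["sport"], f["dport"], 0, 0, f["proto"], 0, 0, 0, 0, 0, 0)
                    for f in flows)
    return hdr + body


# Constructed sample: one HTTPS flow and one DNS query, as fprobe might export them.
SAMPLE = build_v5([
    {"src": "192.0.2.10", "dst": "198.51.100.7", "packets": 12, "bytes": 4800, "sport": 51234, "dport": 443, "proto": 6},
    {"src": "192.0.2.10", "dst": "192.0.2.1", "packets": 1, "bytes": 64, "sport": 40000, "dport": 53, "proto": 17},
])

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE):
        print(flow)
```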
A typical NetFlow monitoring setup consists of three components:
For this post, we will use a single Ubuntu server to export, collect and process NetFlow data:
To install nfdump (and nfcapd):
sudo apt-get install nfdump
To make sure nfcapd is started automatically, modify /etc/default/nfdump as follows:
nfcapd_start=yes
Start nfdump and nfcapd:
sudo service nfdump restart
By default, nfcapd will listen on port 2055 (UDP) and store NetFlow records in /var/cache/nfdump.
You can check this by typing:
sudo service nfdump status
You should find a line like this one:
/usr/bin/nfcapd -D -l /var/cache/nfdump -P ... -p 2055
You can now install fprobe:
sudo apt-get install fprobe
fprobe needs two configuration parameters:
You can modify the configuration of fprobe in /etc/default/fprobe.
We can now start fprobe:
sudo service fprobe restart
If everything goes well, you will see new files appear in /var/cache/nfdump:
ls -lh /var/cache/nfdump
To analyze all files in a directory:
nfdump -R /var/cache/nfdump -o long
To specify a time window:
nfdump -R /var/cache/nfdump -t 2019/10/01-2019/10/01.23:59:59
To get some aggregated statistics (top IP addresses for example):
nfdump -R /var/cache/nfdump -t 2019/10/01-2019/10/01.23:59:00 -s ip -O bytes
nfdump also supports Berkeley Packet Filter (BPF), just like tcpdump:
nfdump -R /var/cache/nfdump "port 443"
... and you will find many other analysis possibilities in the nfdump man page!
This blog post is licensed under CC BY-SA 4.0