Netflow is a network protocol invented by Cisco that provides granular visibility on network utilization. Routers and switches send (“export”) Netflow datagrams that summarize traffic through them to a Netflow Collector program that displays the data. This gives visibility into “who’s using the network?”
Virtually all Netflow collectors are able to process Netflow version 5 packets, so they provide a minimal level of useful functionality.
About Other “Flow Protocols”: Netflow v9, IPFIX, and sFlow
Netflow version 9 can handle IPv6 addresses (v5 cannot). Many exporters (routers and software) can also export version 9 datagrams. There are other interesting enhancements of Netflow v9, but they generally are not operationally important for basic installations.
IPFIX is sometimes called “Netflow v10” because it is a superset of v9. It, too, is not generally important for basic installations.
sFlow (“sampled flow”) is an alternate flow generation technique that works well in settings with very high packet rates. Because the router only needs to report on a sample of the traffic (say one in 10 or 100 packets), sFlow decreases load on the router as well as the generated traffic. Many Netflow collectors can also handle sFlow, but it may not be important for a basic installation.
Configuring Cisco, Juniper, and other commercial equipment
There are a zillion vendor and other websites that tell how to configure your commercial routers. Look there.
Configuring LEDE and OpenWrt to export Netflow data
Equipment from Linksys, D-Link, TP-Link, and dozens of other “home router” vendors can export netflow datagrams if they run the LEDE or OpenWrt software and the softflowd package.
To do this, install LEDE/OpenWrt on your router, then install the softflowd package. (Ask on the forums if you have questions about this.)
/etc/config/softflowd to have these settings. (Change
192.168.1.1 below to the IP address of your Netflow Collector program.)
root@LEDE:~# cat /etc/config/softflowd
option enabled '1'
option interface 'br-lan'
option pcap_file ''
option timeout 'maxlife=60'
option max_flows '8192'
option host_port '192.168.1.1:2055'
option pid_file '/var/run/softflowd.pid'
option control_socket '/var/run/softflowd.ctl'
option export_version '5'
option hoplimit ''
option tracking_level 'full'
option track_ipv6 '0'
option sampling_rate '0'
Then issue these two commands to start softflowd. Check Troubleshooting (below) to see whether softflowd is working.
service softflowd restart
service softflowd enable
Generating ‘mock’ netflow data
If you don’t have a Netflow-capable router handy, you can still test Netflow collector programs by running a program that creates bogus/fake/mock Netflow data.
One such program is nflow-generator. The Github repo describes how to run it: the instructions have been tested on OSX, but should work for Windows or Linux, if the Go language is installed.
nflow-generator also has a Docker container that has the same functions, but this has not had much testing.
Troubleshooting Netflow Exporters with tcpdump
tcpdump to determine if your Netflow exporter (router or program) is sending netflow datagrams to the computer where you wish to run the Netflow Collector program.
tcpdump captures and displays traffic with certain characteristics. To capture netflow datagrams, use:
tcpdump -i eth0 port 2055
- You may need sudo (e.g.
sudo tcpdump -i eth0...), if you are not running as root.
eth0 with the interface name that will be receiving the Netflow traffic.
- Port 2055 is the default Netflow port; change it to match the port you are using.
If Netflow datagrams are arriving at the host, you will see single-line outputs for each datagram. Use Control-C to stop
If datagrams are not arriving, then check to see that you have specified the correct interface and port in the command above. Also ensure that there is no firewall (either in the network in general, or on the computer running tcpdump) that might be blocking the traffic.
This article is a part of the Netflow Collector series.