Webview Netflow Reporter (wvnetflow)

Webview Netflow Reporter is a lightweight Netflow collector and web display tool, packaged here as a Docker container built on wvnetflow and flow-tools. Webview Netflow Reporter was created by Craig Weinhold (craig.weinhold@cdw.com). The original wvnetflow site is hosted at SourceForge.net.

The Dockerfile is available from GitHub.

wvnetflow screen shot

Pros

  • Pretty graphs – Displays stack charts of the kinds of traffic (web, email, network, telnet, ssh, dns, mysql, sip, p2p, file server, etc.) flowing through the router at any time. See the graphic above.
  • Click on an interesting point of the graph, and see exactly what traffic was being sent during that period.
  • Automatically detects exporters – no configuration required.
  • Lightweight – Runs on a modest computer. Works great if you’re only handling a single home-router’s flow exports. I haven’t tested it with more exporters/more traffic.
  • The Docker container comes pre-configured to display charts “out of the box”.

Cons

  • No automatic way to see “top talkers” – who’s hogging the bandwidth. You have to click the graph, then scroll through a table of hosts that were transmitting at the time.
  • One-minute granularity – The lowest granularity is one minute, despite the fact that the flow data has millisecond accuracy.
  • Five-minute time chunks – Data only gets updated every five minutes. The processing rate could probably be changed through configuration.
  • Text-based configuration – Configuration files are arcane.
  • As-is, this only handles one exporter. See Known Issues/Questions.
  • There’s an outstanding issue where there are gaps in the displayed charts. Hopefully this will be resolved.

This article is a part of the Netflow Collector series.

2 Responses

  1. Rich, thanks for your efforts in containerizing webview! It’s made it much easier to deploy. Three responses to some of the “cons” you point out:

    The single exporter limit must be something to do with the containers. Webview definitely supports multiple exporters on a single UDP port. In fact, a key Webview strength is the ease with which you can administer hundreds/thousands of exporters with features like SNMP & interface name discovery, regexp-based interface description parsing/aliasing, graceful handling of hardware and IP changes, exporter clock drift correction, and large-scale health reporting (example http://wvnetflow.sourceforge.net/exporter2.html).

    Webview graphs use 1-minute granularity by default because that’s the de facto standard for active flow timeout on most exporters. You can definitely tune to 1 second; here’s a resolution comparison (http://wvnetflow.sourceforge.net/netflow-rendering.pdf). Note: millisecond timestamps are only useful for forensics, and have no visualization value.

    The top-talkers report (and any report or graph) can be directly hyperlinked for fast retrieval or for embedding into other systems and portals.

    Again, thanks for taking the time to containerize Webview!

    1. Thanks for the comments. Yes, the single-exporter problem is likely to be a macOS vs. Docker thing. I have not found time to spin up a Linux box with Docker to see if it works as desired. (There has been some traffic on the Docker forums that talks about macOS networking needing work to make it the same as with Win/Linux.)
