Flow-tools is a set of utilities for sending, collecting, processing and analyzing NetFlow data.
Install the collector that will receive statistics from the sensors:
sudo apt-get install flow-tools
Open the configuration file, for example in the nano text editor (Ctrl+X to exit, then y/n to save or discard the changes):
sudo nano /etc/flow-tools/flow-capture.conf
Comment out everything in it and add a line at the end:
-w /var/log/flow -n 275 0/192.168.0.5/555
The -w switch specifies the directory where the files are stored; -n is the number of file rotations per day (i.e. 275 files will be saved each day; with large traffic volumes the smaller files are easier to analyze); 0 means listen on all network interfaces; 192.168.0.5 is the address of the sensor from which statistics will be received; 555 is the port on which data from the sensor will arrive.
Create a directory for the files:
sudo mkdir /var/log/flow
Restart flow-capture to apply changes to the configuration file:
sudo service flow-capture restart
Check that flow-capture is running and listening:
sudo service flow-capture status
sudo netstat -lpnu | grep flow-capture
netstat -anpl | grep 555
Errors and attempts by the sensors to send statistics are written to /var/log/syslog.
We can view them like this:
sudo grep flow /var/log/syslog | less
If iptables is used, allow incoming UDP datagrams to port 555 from any address:
sudo iptables -A INPUT -p udp --dport 555 -j ACCEPT
Or only from a specific address or network:
sudo iptables -A INPUT -s 10.0.0.0/24 -p udp --dport 555 -j ACCEPT
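As an added example (not part of the original article), the small POSIX shell script below parses the flow-capture.conf line shown above, derives from it the iptables rule that admits UDP only from the configured sensor address rather than from everyone, and checks a netstat listing for the flow-capture listener. The config line format (-w DIR -n ROTATIONS LOCAL/REMOTE/PORT) and the sample netstat line are assumptions constructed for the demonstration; only the value 0 as the remote address would mean "accept from any sensor".

```shell
#!/bin/sh
# Constructed sample: the line added to /etc/flow-tools/flow-capture.conf
CONF_LINE='-w /var/log/flow -n 275 0/192.168.0.5/555'

# Constructed sample of one line from "netstat -lpnu" on a working collector
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:555             0.0.0.0:*                           1234/flow-capture'

# parse_conf "<config line>" -> prints "DIR ROTATIONS LOCAL_IP REMOTE_IP PORT"
parse_conf() {
    set -- $1
    dir=''; rot=''; triple=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) dir=$2; shift 2 ;;
            -n) rot=$2; shift 2 ;;
            */*/*) triple=$1; shift ;;   # the local/remote/port triple
            *) shift ;;
        esac
    done
    local_ip=${triple%%/*}
    rest=${triple#*/}
    remote_ip=${rest%%/*}
    port=${rest#*/}
    printf '%s %s %s %s %s\n' "$dir" "$rot" "$local_ip" "$remote_ip" "$port"
}

# iptables_rule "<config line>" -> the firewall rule scoped to the sensor address,
# so that NetFlow datagrams from unexpected hosts are dropped at the firewall.
# If the remote address in the config is 0 (any sensor), fall back to the open rule.
iptables_rule() {
    set -- $(parse_conf "$1")
    if [ "$4" = "0" ]; then
        printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$5"
    else
        printf 'iptables -A INPUT -s %s -p udp --dport %s -j ACCEPT\n' "$4" "$5"
    fi
}

# port_listening "<port>" "<netstat -lpnu output>" -> 0 if flow-capture listens on <port>
port_listening() {
    printf '%s\n' "$2" | grep -q "^udp .*:$1 .*flow-capture"
}

# Stand-alone usage: print the derived rule and the listener check result.
iptables_rule "$CONF_LINE"
port_listening 555 "$SAMPLE_NETSTAT" && echo "flow-capture is listening on 555"
```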
See also my articles:
Fprobe sensor
Installing and using ipt_NETFLOW
Installing and using softflowd
Opening and analysis of files created with NetFlow
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik
Script to delete old files