NetFlow – Page 2

Installing and using flow-tools

Flow-tools – a set of utilities for sending, collecting, processing, analyzing NetFlow data.

Install a collector that will receive statistics from sensors:

Installing and using trafshow

trafshow – a utility for displaying traffic statistics passing through network interfaces.

Since the utility is included in the Netdiag (Net-Diagnostics) set, everything is installed together.

You can install Netdiag and trafshow in Ubuntu / Debian using the following command:

sudo apt-get install netdiag

In CentOS/RedHat/Fedora:

sudo yum install netdiag

Command viewing guide:

man trafshow

Simple launch:

sudo trafshow

I’ll describe the possible startup options:
-v (view the version of the program)
-n (do not convert the addresses into DNS names, and port numbers for example 80 in http, etc., in the running program, you can toggle the option with the N key)
-a len (summarizing traffic flows using the IP prefix IP netmask len, in the program is switched by pressing the A key)
-с conf (using an alternative color configuration instead of the standard / etc / trafshow)
-i name (indication of the network interface)
-s str (search for an item in the list and go to it)
-u port (listening to the specified UDP port for Cisco Netflow, the default number is 9995, to disable use 0)
-R refresh (update interval, default 2 secs, in the program is changed with the R key)
-P purge (cleaning of obsolete records after the specified time, by default 10 seconds, in the program is changed by the key P)
-F file (using a file for filters)
expr (what packages will be displayed, if not specified, then all)

Installing and using softflowd

Softflowd – NetFlow network traffic analyzer.

You can install in Ubuntu/Debian using the command:

sudo apt-get install softflowd

After installation, you need to open its configuration file, for example, in the nano editor (Ctrl+X for exit, y/n for saving or canceling changes):

sudo nano /etc/default/softflowd

And specify the parameters, for example:

INTERFACE="any"
OPTIONS="-n 192.168.1.40:5556"

After the changes, perform a restart:

sudo /etc/init.d/softflowd restart

Let’s look at the statistics of softflowd:

softflowctl statistics

If it is not running, there will be an error:

ctl connect(“/var/run/softflowd.ctl”) error: Connection refused

Display information about all monitored threads:

sudo softflowctl dump-flows

Information about softflowctl can be viewed by the command:

man softflowctl

I’ll describe other startup options:
-n (specify the network node and port on which will work softflowd)
-i (interface on which will work softflowd)
-r pcap_file (reading information from a file, not a network interface)
-p pidfile (alternative location for storing the process identifier, standard /var/run/softflowd.pid)
-c ctlsock (alternative location for the socket, standard /var/run/softflowd.ctl)
-m max_flows (maximum number of threads for simultaneous tracking)
-6 (consider also IPv6 data)
-D (debug mode)
-T track_level (level of tracking, can be full, proto, ip)
-v netflow_version (netflow version)