flowd
flowd is a small, fast and secure NetFlow™ collector. It offers the following features:
- Understands NetFlow protocol v.1, v.5, v.7 and v.9 (including IPv6 flows)
- Supports both IPv4 and IPv6 transport of flows
- Secure: flowd is privilege separated to limit the impact of any compromise
- Supports filtering and tagging of flows, using a packet filter-like syntax
- Stores recorded flow data in a compact binary format which supports run-time choice over which flow fields are stored
- Ships with both Perl and Python interfaces for reading and parsing the on-disk record format
- Is licensed under a liberal BSD-like license
- Supports reception of flow export datagrams sent to multicast groups (IPv4 and IPv6), thereby allowing the construction of redundant flow collector systems
flowd works with any standard NetFlow exporter, including hardware devices (e.g. routers) or software flow tracking agents, such as my own softflowd and pfflowd. Please refer to the README for more information.
The flowd sensor follows the Unix philosophy of "doing one thing well" - it doesn't try to do anything beyond accepting NetFlow packets and storing them in a standard format on disk. In particular, it does not include support for storing flows in multiple formats or performing data analysis. That sort of thing is left to external tools. The source distribution includes several example tools including a basic reporting script and one to store flows in a SQL database.
Mailing list
The netflow-tools mailing list is available for flowd discussion, support, development and release announcements.
News
Sat, 04 Mar 2006: flowd-0.9 released
flowd-0.9 has (finally) been released. This major release brings substantial improvements to performance and functionality and significantly upgrades the Python API. Please see the release notes for all the details.
Sun, 26 Feb 2006: Analysis tools in Python
Using the new Python API in flowd-0.9, it is very easy to write custom processing applications. Here are the results of a couple of hours of figuring out RRDtool's subtleties: a small pair of scripts to chart NetFlow data (example results). Details on how to use these scripts are contained in this mailing list post.
The scripts currently summarise traffic by IP protocol, but this approach can be extended to plotting pretty much any classification of traffic - reports by IP address, or by [IP address + TCP port] are easy to realise too.
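The two ideas above (flowd's filter criteria such as address family, TCP flags, time of day and day of week, and summarising the surviving flows by any chosen classification) as an added, self-contained example; this is not flowd's own code and does not use its Python module. The flow records are constructed dicts standing in for flowd's flow objects, and the helper names (select, summarise, by_proto, by_dst_port) are the example's own.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

TCP_SYN, TCP_ACK = 0x02, 0x10

# Constructed sample flows (not real traffic). Fields mirror what a NetFlow v5
# record carries; attribute names are this example's, not flowd's.
FLOWS = [
    {"start": datetime(2006, 3, 6, 9, 30), "src": "192.0.2.10", "sport": 51000,
     "dst": "198.51.100.5", "dport": 80, "proto": 6, "flags": TCP_SYN | TCP_ACK, "octets": 4200},
    {"start": datetime(2006, 3, 6, 22, 15), "src": "192.0.2.11", "sport": 5353,
     "dst": "198.51.100.5", "dport": 53, "proto": 17, "flags": 0, "octets": 300},
    {"start": datetime(2006, 3, 4, 10, 0), "src": "2001:db8::1", "sport": 40000,
     "dst": "2001:db8::5", "dport": 22, "proto": 6, "flags": TCP_SYN | TCP_ACK, "octets": 9000},
    {"start": datetime(2006, 3, 6, 14, 0), "src": "192.0.2.12", "sport": 51001,
     "dst": "198.51.100.5", "dport": 80, "proto": 6, "flags": TCP_SYN, "octets": 1500},
]

def match(flow, af=None, tcp_flags=None, hours=None, weekdays=None):
    """True when the flow meets every given criterion; None means 'don't care'.
    tcp_flags requires ALL listed bits to be set (and the flow to be TCP);
    hours is a half-open (start, end) range of the flow's start hour;
    weekdays is an iterable of datetime weekday numbers (Monday = 0)."""
    if af is not None and ip_address(flow["src"]).version != af:
        return False
    if tcp_flags is not None and (flow["proto"] != 6 or flow["flags"] & tcp_flags != tcp_flags):
        return False
    if hours is not None and not (hours[0] <= flow["start"].hour < hours[1]):
        return False
    if weekdays is not None and flow["start"].weekday() not in weekdays:
        return False
    return True

def select(flows, **criteria):
    """Keep only flows matching the given criteria (the filter step)."""
    return [f for f in flows if match(f, **criteria)]

def summarise(flows, classify):
    """Total octets per classification key; classify is any function of a flow."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f["octets"]
    return dict(totals)

# Two classifications from the text: by IP protocol, and by [IP address + TCP port].
by_proto = lambda f: f["proto"]
by_dst_port = lambda f: (f["dst"], f["dport"])

if __name__ == "__main__":
    print(summarise(FLOWS, by_proto))
    print(summarise(select(FLOWS, af=4, hours=(9, 17), weekdays=range(5)), by_dst_port))
```

Swapping the classifier function is all that is needed to chart a different breakdown; the filter criteria only narrow which flows are counted.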
Sun, 04 Sep 2005: Release (0.9) approaching
A new release of flowd is coming soon. If you want to help, please download and test a snapshot release of flowd and report back to the mailing list.
Sun, 21 Aug 2005: CVS snapshots available
There are now CVS snapshots of flowd available in the download section.
Sat, 14 May 2005: flowd-0.8.5 released
Released flowd-0.8.5. This release improves the filtering capabilities of flowd, allowing selection of flows based on TCP flags, address family (IPv4 or IPv6), time of day (e.g. 9am to 5pm) and the day of the week. The Python API has been extended to allow writing of binary flow logs. This release also fixes a couple of bugs and makes some minor improvements to the flowd-reader tool.
Download
flowd is available here: