Softflowd

Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow™ data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow™ to a collecting host or summarised within softflowd itself.

NB. If you are using OpenBSD, you may be interested in my pfflowd software instead. pfflowd uses the PF packet filter's stateful connection tracking to monitor flows rather than implementing it in software.

Mailing list

The netflow-tools mailing list is available for softflowd discussion, support, development and release announcements.

News

Thu, 02 Nov 2006: softflowd-0.9.8 released

It has been over a year since the last release of softflowd, but I'm happy to announce that softflowd-0.9.8 has just been released. This release collects a number of small (but important) bugfixes that have accrued over the last year along with a couple of new features. See the release notes for details.

Fri, 14 Jan 2005: softflowd-0.9.7 released

softflowd-0.9.7 released. This release fixes some bugs and adds some options to facilitate export of flow records to multicast groups.

Mon, 10 Jan 2005: Mailing list created

I have just created a new mailing list for the discussion of softflowd and the other NetFlow tools developed here. Development and support of the tools are on-topic and I will send announcements of new releases there too.

Thu, 30 Sep 2004: softflowd-0.9.6 released

softflowd-0.9.6 has just been released. This version adds support for the NetFlow v.9 export format and tracking of IPv6 flows.

Fri, 27 Aug 2004: softflowd-0.9.1 released

softflowd-0.9.1 has been released. This version fixes a few small bugs and adds NetFlow v.5 protocol support.

Details

Softflowd semi-statefully tracks traffic flows. Upon expiry of a flow, softflowd accumulates its statistics and reports them to a designated collector host using the standard NetFlow protocol. Currently the statistics collected are summaries only: min/max/avg/total bytes and packets on an aggregate or per-protocol basis.

Softflowd can export using NetFlow version 1, 5 or 9 datagrams and it is fully IPv6 capable: it can track and report on IPv6 traffic and flow export datagrams can be sent to an IPv6 host. Any standard NetFlow collector should be able to process the reports from softflowd.
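
What a collector does with a version 5 export datagram, as an added example that is not part of softflowd or of the original page. It follows the standard NetFlow v5 layout; the function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout: 24-byte header followed by 1..30 records of 48 bytes each.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 datagram into flow dicts; ValueError if malformed.

    Export datagrams arrive over unauthenticated UDP, so the record count in
    the header is checked against the bytes actually received before use.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} outside 1..{MAX_RECORDS}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header claims")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[13], "tcp_flags": f[12],
            "packets": f[5], "octets": f[6],
            # first/last are exporter-uptime milliseconds; allow 32-bit wraparound
            "duration_ms": (f[8] - f[7]) & 0xFFFFFFFF,
        })
    return flows


def sample_datagram() -> bytes:
    """Constructed one-record datagram (documentation addresses, made-up counters)."""
    header = HEADER.pack(5, 1, 60000, 1162425600, 0, 1, 0, 0, 0)
    record = RECORD.pack(
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address("198.51.100.5").packed,
        bytes(4), 1, 2, 12, 3400, 58000, 59500,
        49152, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    print(parse_netflow_v5(sample_datagram()))
```

Version 5 records carry IPv4 addresses only; IPv6 flows need the template-based version 9 format, which this sketch does not decode.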

As softflowd watches traffic promiscuously, it is likely to place additional load on hosts or gateways on which it is installed. However, this implementation has been designed to minimise this load as much as possible. Alternatively, softflowd can read pcap save files recorded from tcpdump and friends.

Unless reading from a traffic dump, softflowd runs as a daemon. A "remote control" program (softflowctl) is included which allows runtime control and extraction of statistics from a daemonised softflowd.

Softflowd is developed on Linux and OpenBSD. It requires libpcap and its associated headers to build; these are available from tcpdump.org or from your operating system vendor. As of version 0.9, there is some support for Solaris, but this is still experimental.

Download

softflowd is available here: