flowd
flowd is a small, fast and secure NetFlow™ collector. It offers the following features:
- Understands NetFlow protocol v.1, v.5, v.7 and v.9 (including IPv6 flows)
- Supports both IPv4 and IPv6 transport of flows
- Secure: flowd is privilege separated to limit the impact of any compromise
- Supports filtering and tagging of flows, using a packet filter-like syntax
- Stores recorded flow data in a compact binary format which supports run-time choice over which flow fields are stored
- Ships with both Perl and Python interfaces for reading and parsing the on-disk record format
- Is licensed under a liberal BSD-like license
- Supports reception of flow export datagrams sent to multicast groups (IPv4 and IPv6), thereby allowing the construction of redundant flow collector systems
flowd works with any standard NetFlow exporter, including hardware devices (e.g. routers) or software flow tracking agents, such as my own softflowd and pfflowd. Please refer to the README for more information.
The flowd sensor follows the Unix philosophy of "doing one thing well" - it doesn't try to do anything beyond accepting NetFlow packets and storing them in a standard format on disk. In particular, it does not include support for storing flows in multiple formats or performing data analysis. That sort of thing is left to external tools. The source distribution includes several example tools including a basic reporting script and one to store flows in a SQL database.
Mailing list
The netflow-tools mailing list is available for flowd discussion, support, development and release announcements.
News
Tue, 02 Nov 2010: Project moved to Google Code
flowd has moved to Google Code. Release tarballs are available from there and should download quite a bit faster. Revision control now uses Mercurial, which supports local branches and modifications much better than CVS. Bug tracking remains at bugzilla for now, but it too might move in the future.
Moving to Google Code makes it much easier to add additional developers to the project. If you have contributed in the past to flowd and are interested in becoming a developer, then please let me know.
Fri, 25 Jul 2008: flowd-0.9.1 released
flowd-0.9.1 has just been released, containing a number of bug fixes that have accrued in the time since the last one. Please see the ChangeLog for details of what has changed.
Sat, 04 Mar 2006: flowd-0.9 released
flowd-0.9 has (finally) been released. This major release offers major improvements to performance, functionality and upgrades the Python API significantly. Please see the release notes for all the details.
Sun, 26 Feb 2006: Analysis tools in Python
Using the new Python API in flowd-0.9, it is very easy to write custom processing applications. Here are the results of a couple of hours of figuring out RRDtool's subtleties: a small pair of scripts to chart NetFlow data (example results). Details on how to use these scripts are contained in this mailing list post.
The scripts currently summarise traffic by IP protocol, but this approach can be extended to plotting pretty much any classification of traffic - reports by IP address, or by [IP address + TCP port] are easy to realise too.
Sun, 04 Sep 2005: Release (0.9) approaching
A new release of flowd is coming soon. If you want to help, please download and test a snapshot release of flowd and report back to the mailing list.
Download
flowd is available at Google Code. There you will find tarball releases and a Mercurial source repository.