20

We have a number of Linux servers for which I would like to capture netflow data to be processed by a netflow analyzer. I've been spoiled by the ease in which Mikrotik routers allow netflow data generation, but I haven't managed to find an opensource tool that is able to generate netflow data for multiple interfaces on a Linux system.

I have come across fprobe but it seems quite buggy. Admittedly I haven't spent much time with it yet since I'd also like to evaluate some other possibilities. The other tool I've seen mentioned is nprobe, which appears to be GPL, but is not available as a free download since it is only offered for a fee.

The servers on which I plan to generate netflow data are all Gentoo systems, but this shouldn't really make any difference. At most it means I would have to manually compile a tool from source.

Summary: I'm looking for an opensource netflow generator that will work on Linux and allows capturing flows for multiple interfaces.

Improve this question

4 Answers 4

Reset to default
16

You should check IPT-NETFLOW, it seems exactly what you need implemented as a kernel module for IPTABLES. It is actively maintained and used succesfully in some ISP so should be good enough. Documentation could be better though (look into README file).

Improve this answer
2
  • I don't like the idea of having to compile custom kernel modules - that can affect stability, unless indeed it's a very well tested and stable module...
    – Wim Kerkhoff
    Commented Aug 30, 2011 at 23:51
  • This isn't freebsd where such software can be developed against already in place kernel features like netgraph. Hardly any way to do this without a custom module. The good thing (and that's why i'm commenting) is that the sources are now on github and it also has dkms support now. Looks pretty good. github.com/aabc/ipt-netflow
    – Florian Heigl
    Commented Nov 9, 2015 at 13:46
9

ntop will do it, but is probably not the best choice. Definitely check out pmacct; it's designed exactly for this. From the feature list:

  • Collects data through libpcap, Netlink/ULOG, NetFlow v1/v5/v7/v8/ - v9, sFlow v2/v4/v5 and IPFIX
  • Saves data to a number of backendsincluding memory tables, MySQL, PostgreSQL, SQLite and BerkeleyDB
  • Exports data to remote collectors through IPFIX, NetFlow v5/v9 andsFlow v5
  • Replicates incoming IPFIX, NetFlow and sFlow packets to remote collectors

Among many other things.

Improve this answer
1

Here's a newer project for collecting and analyzing NetFlow data on Linux: ElastiFlow

Improve this answer
0

the advantage of fprobe is that it can generate Netflow streams using regular libpcap or ulogd.

it is a little more dated, and seems indeed buggier, but it may be useful to bootstrap a setup, as it does not require compiling a kernel module (like ipt-netflow) and doesn't ship any additional features (like ntop or pmacct).

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .