Collect Netflow data from a Cisco Router with a Perl program.
Current version 1.07.
Collects NetFlow export packets sent from a router, performs some basic
aggregation, and writes the collected data to a file for further processing
later. Currently understands NetFlow export format versions 1, 5, and
Configuration file options
- Port number
Specify the UDP port to listen on.
- Host host_group => filename
For the named group of hosts, log to this file. %y%m%d%h is replaced
by year, month, day of month, and hour respectively, in localtime. If
the letters are uppercased, the same substitution is done in GMT/UTC.
- IP IP_address => host_group
All packets sent from this address are considered to be part of the
named host group.
- Local IP_address/network_bits
Specify local networks, for which sources and destinations are recorded
per individual IP address instead of being aggregated.
- DefaultFragmentSize number
Specify the size of the blocks IP addresses are aggregated into if they
are not specified in a "Local" declaration.
- KnownPort number
Only one port is logged in any TCP flow. Normally the lowest port is
deemed to be the significant one (eg, for a flow between ports 80 and
3127, port 80 is logged.) If the higher port is listed as a "known
port", it is used instead. Normally used for specifying a high
port-numbered proxy server.
- DumpTime number
The amount of time between writes to the log file. The greater the time,
the more aggregation, but the less granular the data is. Can be set
to zero for no dumping, but a SIGUSR1 will still force a dump.
- LogFile filename
Write messages to this file with a timestamp instead of to stderr. Almost
always used when running as a daemon or service.
Do not log anything to "stderr". Does not prevent things from
being written to a log file. Mainly used to avoid startup messages before
LogFile takes effect for installations that require complete silence.
Log file format
Fixed width format with space separators. Numbers in brackets indicate character positions in the line for this field.
- Unix timestamp at time of writing this line. (1-11)
- Source IP address. (12-26)
- Inbound Interface (the router's SNMP ID of that interface in hexadecimal, 0 for internal). (28-31)
- Destination IP address. (33-47)
- Next Hop IP address. Often 0.0.0.0 if the route only set the interface and not the next hop IP, as is often the case on Dialer interfaces. (49-63)
- Outbound Interface (as per inbound interface). (65-69)
- Protocol Number - 1 for ICMP, 6 for TCP, and 17 for UDP are the most common. (71-73)
- Port designation - < if the listed port was the source, > if the listed port was the destination port. (75)
- Port Number (77-81)
- Source Autonomous System Number, zero if not available. (83-87)
- Destination Autonomous System Number, zero if not available. (89-93)
- Source Layer 2 encapsulation overhead per packet, zero if not available. (95-96)
- Destination Layer 2 encapsulation overhead per packet, zero if not available. (98-99)
- Layer 3 bytes in the flow. (101-108)
- Packets in the flow. (110-117)
To calculate Layer 2 bytes, take the layer 3 bytes and add the number
of packets multiplied by the layer 2 encapsulation overhead for that interface.
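A parser for the fixed-width log format described above, added here as an example; it is not part of the collector. It slices each line at the documented character positions, converts the hexadecimal interface IDs, and applies the Layer 2 byte calculation; the sample record is constructed, not captured output.

```python
# Added example: reader for the collector's fixed-width flow log.
# (name, first column, last column): 1-indexed, inclusive, as documented.
FIELDS = [
    ("timestamp", 1, 11), ("src_ip", 12, 26), ("in_if", 28, 31),
    ("dst_ip", 33, 47), ("next_hop", 49, 63), ("out_if", 65, 69),
    ("proto", 71, 73), ("port_dir", 75, 75), ("port", 77, 81),
    ("src_as", 83, 87), ("dst_as", 89, 93), ("src_l2", 95, 96),
    ("dst_l2", 98, 99), ("l3_bytes", 101, 108), ("packets", 110, 117),
]
DECIMAL = {"timestamp", "proto", "port", "src_as", "dst_as",
           "src_l2", "dst_l2", "l3_bytes", "packets"}
HEX = {"in_if", "out_if"}  # SNMP interface index, written in hexadecimal
RECORD_WIDTH = FIELDS[-1][2]

def parse_flow_line(line):
    """Slice one log line by column and convert the numeric fields."""
    if len(line.rstrip("\r\n")) < RECORD_WIDTH:
        raise ValueError("line shorter than the documented record width")
    rec = {}
    for name, first, last in FIELDS:
        raw = line[first - 1:last].strip()
        if name in DECIMAL:
            rec[name] = int(raw)
        elif name in HEX:
            rec[name] = int(raw, 16)
        else:
            rec[name] = raw
    if rec["port_dir"] not in ("<", ">"):
        raise ValueError("bad port designation %r" % rec["port_dir"])
    return rec

def layer2_bytes(rec, side):
    """Layer 2 bytes: L3 bytes plus packets times the per-packet
    encapsulation overhead of the source ("src") or destination side."""
    overhead = rec["src_l2"] if side == "src" else rec["dst_l2"]
    return rec["l3_bytes"] + rec["packets"] * overhead

def make_flow_line(**f):
    """Lay values out at the documented columns (used only to build the
    constructed sample below; the collector writes real lines itself)."""
    out = [" "] * RECORD_WIDTH
    for name, first, last in FIELDS:
        out[first - 1:last] = str(f[name]).rjust(last - first + 1)
    return "".join(out)

# Constructed sample: TCP flow logged by its lowest port (80, on the
# source side), inbound on interface 0xa, with 14 bytes of L2 overhead.
SAMPLE = make_flow_line(timestamp=1009843200, src_ip="192.0.2.10", in_if="a",
    dst_ip="198.51.100.7", next_hop="0.0.0.0", out_if="0", proto=6, port_dir="<",
    port=80, src_as=0, dst_as=0, src_l2=14, dst_l2=0, l3_bytes=152000, packets=110)
```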
Run Time Options
- A SIGHUP (normally -1) sent to the process in POSIX will cause the
collector to re-read its configuration file.
- A SIGUSR1 signal sent to the process in POSIX will force a dump. This
is usually used with DumpTime 0 in the configuration file to have an
external process control when dumps are done.
- Download the NetFlow Collector for POSIX systems such as Unix, Linux,
Mac OS X, BeOS, etc.
- Install into /usr/local/netflow, or wherever you feel is appropriate.
- Usually started on system startup by some startup script; an example
(netflow.sh) is provided.
Note that it doesn't hold the log file open, so you can safely move the
log file out from underneath it, and it will just create a new one at
the next dump interval.
Windows 32 Installation
- Download the NetFlow Collector for Win32 and unpack into C:\NetFlow
(assumed below) or C:\Program Files\Iagu\NetFlow. Note the code is
identical to the POSIX version; the differences are that the
configuration file has a three-character extension and the example
location for storing the collected data has changed.
- Download ActivePerl from http://aspn.activestate.com/ASPN/Downloads/ActivePerl/
- You probably want to run it as a service on NT. You can run your Perl
scripts as Windows NT Services via a program called srvany.exe, which
comes with the Windows NT Resource Kit. Once srvany.exe is installed,
read the srvany.wri file which should be with it. This document will
explain how to set up registry entries for your new service.
The command to run is:
srvany perl c:\netflow\netflow-collector.pl c:\netflow\netflow-collector.ini
Contact firstname.lastname@example.org for further information.