Eric Radman : a Journal

Netflow/pflow Export

Collector

/usr/local/bin/nfcapd -D -u _nfcapd -g _nfcapd -t 600 -S 1 -w /netflow -p 9995

PF

Create /etc/hostname.pflow0

flowsrc 192.168.0.3 flowdst 192.168.0.2:9995
pflowproto 10 # protocol version 10 (IPFIX), needed to export IPv6 flows

Or, for specific interfaces only, add the pflow state option to the matching rules in pf.conf

pass on vlan0 inet keep state (pflow)
pass on vlan0 inet6 keep state (pflow)
pass on vlan1 inet keep state (pflow)
pass on vlan1 inet6 keep state (pflow)

Juniper

set protocols sflow collector 192.168.0.2 udp-port 9995
set protocols sflow interfaces ge-0/0/10.0
set protocols sflow interfaces ge-0/0/11.0
set protocols sflow polling-interval 20
set protocols sflow sample-rate egress 1000
set protocols sflow sample-rate ingress 1000

nfcapd does not recognize the traffic from the Juniper, since the configuration above exports sFlow rather than NetFlow

Ident: none, Error reading netflow header: Unexpected netflow version 0
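Why the error says "version 0": nfcapd reads the first two bytes of each datagram as a 16-bit NetFlow/IPFIX version field, while an sFlow datagram begins with a 32-bit version field (5), so the first 16 bits are zero. The classifier below is an added example for checking what a collector port is actually receiving; it is not part of the original journal entry or of nfdump. The sample datagrams are constructed headers with zeroed counters, and the agent address 192.168.0.3 is taken from the pflow configuration above.

```python
import socket
import struct

# Constructed header-only datagrams for each export protocol (counters zeroed).
SAMPLE_DATAGRAMS = {
    # NetFlow v5: version, count, sysuptime, unix_secs, unix_nsecs, flow_seq,
    # engine_type, engine_id, sampling_interval
    "netflow-v5": struct.pack("!HHIIIIBBH", 5, 0, 0, 0, 0, 0, 0, 0, 0),
    # NetFlow v9: version, count, sysuptime, unix_secs, seq, source_id
    "netflow-v9": struct.pack("!HHIIII", 9, 0, 0, 0, 0, 0),
    # IPFIX: version, length, export_time, seq, observation_domain_id
    "ipfix": struct.pack("!HHIII", 10, 16, 0, 0, 0),
    # sFlow v5 (what a Juniper "protocols sflow" stanza sends): 32-bit version,
    # agent address type (1 = IPv4), agent address, sub-agent id, seq, uptime,
    # number of samples
    "sflow-v5": struct.pack(
        "!IIIIIII", 5, 1,
        int.from_bytes(socket.inet_aton("192.168.0.3"), "big"), 0, 0, 0, 0),
}


def version_as_seen_by_nfcapd(payload: bytes) -> int:
    """The 16-bit value nfcapd treats as the NetFlow version (big-endian)."""
    return struct.unpack("!H", payload[:2])[0]


def classify_export_datagram(payload: bytes) -> str:
    """Label a flow-export datagram by inspecting only its header bytes."""
    if len(payload) < 4:
        return "too short"
    version16 = version_as_seen_by_nfcapd(payload)
    if version16 in (1, 5, 7, 9):
        return f"netflow-v{version16}"
    if version16 == 10:
        return "ipfix"
    if version16 == 0:
        # A zero 16-bit field is consistent with a 32-bit sFlow version word.
        version32 = struct.unpack("!I", payload[:4])[0]
        if version32 in (2, 4, 5):
            return f"sflow-v{version32}"
    return f"unknown (16-bit version field = {version16})"


def watch_collector_port(port: int = 9995, count: int = 5) -> list:
    """Bind the collector port (stop nfcapd first) and classify `count`
    datagrams; returns a list of (source address, label) tuples."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            payload, (src, _) = s.recvfrom(65535)
            seen.append((src, classify_export_datagram(payload)))
    return seen


if __name__ == "__main__":
    for name, datagram in SAMPLE_DATAGRAMS.items():
        print(f"{name:12s} -> {classify_export_datagram(datagram)} "
              f"(nfcapd would see version {version_as_seen_by_nfcapd(datagram)})")
```

Running the script on the constructed samples shows the sFlow datagram reported as version 0, matching the nfcapd log line above; `watch_collector_port` does the same check against live traffic on UDP 9995.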

Example filters

Filter by subnet, and aggregate by source IP

nfdump -r nfcapd.202602091230 -A srcip 'src net 192.168.1.0/24'

Show hosts using highest UDP packet rate

nfdump -r nfcapd.202602091230 -A srcip -O pps 'proto udp'