NetFlow monitoring, as set up here, consists of three parts:
the collector, which gathers the connection data on a host;
the capture tool, which receives data from collectors and writes it to disk in binary format;
the dump tool, which presents the data.
We use fprobe as the collector and nfcapd (shipped in the nfdump package) as the capture tool:
sudo apt-get install fprobe nfdump
fprobe asks to be configured during installation: it prompts for the interface to listen on and for the address where the flow collector listens. In our example, eth0 is the interface to listen on and the flow collector runs on the same computer, so enter 127.0.0.1:9995.
You can edit the fprobe configuration file again later:
/etc/default/fprobe
#fprobe default configuration file
INTERFACE="eth0"
FLOW_COLLECTOR="127.0.0.1:9995"
#fprobe can't distinguish IP packet from other (e.g. ARP)
OTHER_ARGS="-fip"
nfcapd needs to be configured by hand.
You need to set nfcapd_start to yes:
/etc/default/nfdump
# nfcapd is controlled by nfsen
nfcapd_start=yes
To change the destination folder of the capture files, change the hardcoded DATA_BASE_DIR in /etc/init.d/nfdump.
After that, (re)start the services:
sudo service fprobe stop
sudo service nfdump stop
sudo service fprobe start
sudo service nfdump start
After that, you can evaluate the resulting data:
cd /var/cache/nfdump
nfdump -R REPLACE_WITH_FIRST_FILE_BEGINNING_WITH_nfcapd.
nfcapd writes one file per rotation interval (five minutes by default) named nfcapd.YYYYMMDDhhmm, and -R reads the sequence of files starting with the one you name.
You can also append a filter in double quotes, e.g. nfdump -R nfcapd.201510260926 "port 3720" or nfdump -R nfcapd.201510260926 "ip 8.8.8.8".
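As an added example (not part of the original page or the nfdump project), the following Python script post-processes nfdump's default line output: it totals bytes per destination port and flags a source that touched many distinct ports on one host, which is the kind of check a defender runs over the capture files described above. The sample lines are constructed to resemble nfdump's line format; the exact column layout and the decimal K/M/G units are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of nfdump's default "line" output (not real capture data).
SAMPLE = """\
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-10-26 09:26:12.123     0.000 UDP     192.168.1.10:51234 ->         8.8.8.8:53         1       76     1
2015-10-26 09:26:13.001     2.450 TCP     192.168.1.10:49152 ->   93.184.216.34:443      120    1.2 M     1
2015-10-26 09:26:14.200     0.010 TCP     192.168.1.77:40001 ->    192.168.1.10:22         1       60     1
2015-10-26 09:26:14.210     0.010 TCP     192.168.1.77:40002 ->    192.168.1.10:23         1       60     1
2015-10-26 09:26:14.220     0.010 TCP     192.168.1.77:40003 ->    192.168.1.10:3720       1       60     1
2015-10-26 09:26:14.230     0.010 TCP     192.168.1.77:40004 ->    192.168.1.10:80         1       60     1
Summary: total flows: 6, total bytes: 1200532, total packets: 125, avg bps: 0, avg pps: 0, avg bpp: 0
"""

# One flow per line: timestamp, duration, proto, src:port -> dst:port, packets, bytes, flows.
FLOW_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\w.:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.:]+):(?P<dport>[\d.]+)\s+"
    r"(?P<pkts>[\d.]+(?: [KMG])?)\s+(?P<bytes>[\d.]+(?: [KMG])?)\s+(?P<flows>\d+)\s*$"
)

def to_int(field):
    """Expand nfdump's abbreviated counters such as "1.2 M"; decimal units are assumed here."""
    num, _, unit = field.partition(" ")
    return int(round(float(num) * {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}[unit]))

def parse_flows(text):
    """Return one dict per flow line; the header, Summary and other lines are skipped."""
    flows = [m.groupdict() for m in map(FLOW_RE.match, text.splitlines()) if m]
    for f in flows:
        f["pkts"], f["bytes"] = to_int(f["pkts"]), to_int(f["bytes"])
    return flows

def bytes_per_dst_port(flows):
    """Total bytes keyed by (proto, destination port), i.e. the 'port 3720' question in bulk."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["proto"], f["dport"])] += f["bytes"]
    return dict(totals)

def fanout_sources(flows, min_ports=4):
    """Sources that touched at least min_ports distinct destination ports on a single host."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports, key=float) for pair, ports in seen.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    print(fanout_sources(parse_flows(SAMPLE)))
```

To run it against a real capture, feed the output of nfdump -R nfcapd.YYYYMMDDhhmm (without -o csv) to parse_flows instead of SAMPLE.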
Additional information:
http://nfdump.sourceforge.net/