This blog post is for network experimenters who want to export flow records from a small network, such as a home network using an OpenWRT router. Such a network might look like this:
Flow records can be useful for various applications. Here is an example flow record:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2018-08-04 21:31:34.518 0.000 TCP 10.1.1.19:52465 -> 10.1.1.1:22 100 4600 1
Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes.
In this tutorial we use OpenWRT, a popular free and open source router operating system, and add the softflowd package to it to generate NetFlow flow records. There are however many other options to achieve the same outcome.
NetFlow is a specification for exporting and collecting flow records. It is superseded by a newer open-standard specification called IPFIX.
We assume that you already have a router running a recent release of OpenWRT and SSH access to the command line on the router.
First step, install the softflowd package:
Start by updating package list:
If the update fails, check that DNS is configured on your router, so that it can resolve internet names.
Now, install softflowd:
opkg install softflowd
# opkg install softflowd Installing softflowd (0.9.9-2) to root... Downloading http://downloads.lede-project.org/releases/17.01.4/packages/mips_24kc/packages/softflowd_0.9.9-2_mips_24kc.ipk Configuring softflowd.
There should now be a config file for softflowd at /etc/config/softflowd. You’ll need to edit it to suit your requirements. Here is an example where NetFlow version 9 has been enabled on interface br-lan to send to NetFlow collector at 192.168.1.40:9995 with max flow record age of 60 seconds:
# cat /etc/config/softflowd config softflowd option enabled '1' option interface 'br-lan' option pcap_file '' option timeout 'maxlife=60' option max_flows '8192' option host_port '192.168.1.40:9995' option pid_file '/var/run/softflowd.pid' option control_socket '/var/run/softflowd.ctl' option export_version '5' option hoplimit '' option tracking_level 'full' option track_ipv6 '0' option sampling_rate '1'
- You should be able to monitor any of the interfaces listed in ifconfig.
- Running NetFlow will have an impact on the CPU of your router. Check impact by running top
- The host_port value should be set to the IP address and port number of a NetFlow Collector (to be discussed in a future post)
- sampling_rate is a denominator, so the default value of 100 will only sample 1 in 100 packets.
# softflowctl dump-flows softflowd: Dumping flow data: ACTIVE seq:1 [0.0.0.0]:0 <> [126.96.36.199]:0 proto:2 octets>:32 packets>:1 octets<:0 packets<:0 start:2018-06-09T03:36:24.488 finish:2018-06-09T03:36:24.488 tcp>:00 tcp<:00 flowlabel>:00000000 flowlabel<:00000000 EXPIRY EVENT for flow 1 in 3572 seconds
If it doesn’t work, check that you have set it to be enabled in the config file.
Statistics can also be shown.
# softflowctl statistics softflowd: Accumulated statistics since 2018-08-04T23:16:28 UTC: Number of active flows: 38 Packets processed: 477496 Fragments: 0 Ignored packets: 315 (315 non-IP, 0 too short) Flows expired: 375 (0 forced) Flows exported: 631 in 59 packets (0 failures) Packets received by libpcap: 477854 Packets dropped by libpcap: 0 Packets dropped by interface: 0 Expired flow statistics: minimum average maximum Flow bytes: 32 1378175 19551484 Flow packets: 1 1261 17790 Duration: 0.00s 25.91s 75.39s Expired flow reasons: tcp = 72 tcp.rst = 7 tcp.fin = 20 udp = 143 icmp = 44 general = 6 maxlife = 83 over 2 GiB = 0 maxflows = 0 flushed = 0 Per-protocol statistics: Octets Packets Avg Life Max Life icmp (1): 20720 247 36.36s 70.01s igmp (2): 432 12 15.93s 59.45s tcp (6): 516731579 472078 41.84s 74.94s udp (17): 62891 406 4.93s 75.39s
Note that this version (0.9.9 as of August 2018) of softflowd doesn’t support IPFIX (won’t start if version set to 10). Options can be listed as follows:
# softflowd -i or -r option not specified. Usage: softflowd [options] [bpf_program] This is softflowd version 0.9.9. Valid commandline options: -i [idx:]interface Specify interface to listen on -r pcap_file Specify packet capture file to read -t timeout=time Specify named timeout -m max_flows Specify maximum number of flows to track (default 8192) -n host:port Send Cisco NetFlow(tm)-compatible packets to host:port -p pidfile Record pid in specified file (default: /var/run/softflowd.pid) -c pidfile Location of control socket (default: /var/run/softflowd.ctl) -v 1|5|9 NetFlow export packet version -L hoplimit Set TTL/hoplimit for export datagrams -T full|proto|ip Set flow tracking level (default: full) -6 Track IPv6 flows, regardless of whether selected NetFlow export protocol supports it -d Don't daemonise (run in foreground) -D Debug mode: foreground + verbosity + track v6 flows -s sampling_rate Specify periodical sampling rate (denominator) -h Display this help Valid timeout names and default values: tcp (default 3600) tcp.rst (default 120) tcp.fin (default 300) udp (default 300) icmp (default 300) general (default 3600) maxlife (default 604800) expint (default 60)
Congratulations, you now have an OpenWRT router that you can use to export flow records. In the next blog post in this series we talk about setting up a NetFlow Collector to receive the records so that they can be written to disk and analysed.