This blog post is for network experimenters who want to collect (receive) NetFlow or IPFIX flow records using the nfdump package (which includes the nfcapd collector daemon). An example use case, building on the previous blog post NetFlow on OpenWRT, is shown in the diagram below (highlighted boxes):
Flow records can be useful for various applications such as network visibility and security alerting.
Here is an example flow record:
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP        10.1.1.19:52465       ->  10.1.1.1:22            100     4600     1
Flow records give a coarse-grained view of what traffic is passing over a network: the source and destination addresses, protocol and ports of each flow, plus volume information such as the number of packets and the sum of bytes per flow record. They carry no packet payload, which keeps them small enough to retain for long periods and makes them well suited to retrospective investigation.
NetFlow is Cisco's specification for exporting and collecting flow records. It has been superseded by IPFIX, the open IETF standard derived from NetFlow version 9[1]; nfcapd accepts both.
In this tutorial we use the nfdump package, which incorporates nfcapd, as a NetFlow/IPFIX collector on Ubuntu.
We assume that you already have an Ubuntu instance running a recent release, and access to the command line shell.
Installation
Pre-Work
Start by ensuring Ubuntu is up-to-date:
sudo apt-get update
sudo apt-get upgrade
Install nfdump Package
Install nfdump (including nfcapd) from package:
sudo apt-get install nfdump
If the package isn't sufficient for your needs (maybe you want the latest version, want to play with compile options, etc.) you can compile it yourself; see the build instructions in the GitHub source[2].
Configure nfdump/nfcapd
The Ubuntu package installs various files[3]. There are init and config files, /etc/init.d/nfdump and /etc/default/nfdump, however these are ignored by systemd, which uses this file:
/lib/systemd/system/nfdump.service
By default nfcapd will start running as a daemon listening on UDP port 2055 after a reboot. This can be seen by checking for the nfcapd process (after reboot):
$ ps -ef | grep nfcapd
root       663     1  0 18:14 ?        00:00:00 /usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/nfcapd.pid -p 2055
user1     1858  1841  0 18:22 pts/0    00:00:00 grep --color=auto nfcapd
This shows that the system is now listening for NetFlow/IPFIX input on UDP port 2055 and is writing the records in binary format to /var/cache/nfdump. Note that without a -b option nfcapd binds to 0.0.0.0, i.e. every interface. NetFlow and IPFIX over UDP carry no authentication, so any host that can reach the port can feed the collector fabricated (or spoofed-source) records; restrict the port to the exporter's address with a host firewall, or bind nfcapd to an internal address with -b, before relying on the data for alerting.
You can check that nfcapd is listening with netstat:
$ netstat -n --udp --listen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:2055            0.0.0.0:*
To change the settings, for instance to change the port number to 9995, follow these steps:
Enable nfdump.service (which is actually nfcapd) in systemd:
sudo systemctl enable nfdump.service
Stop the service:
sudo systemctl stop nfdump.service
Edit the service file to change the port from 2055 to 9995 (note that files under /lib/systemd/system belong to the package and are overwritten on upgrade; a drop-in under /etc/systemd/system/nfdump.service.d/, created with sudo systemctl edit nfdump.service, survives upgrades):
sudo vi /lib/systemd/system/nfdump.service
Reload systemd daemons and start nfdump:
sudo systemctl daemon-reload
sudo systemctl start nfdump.service
Check with netstat to see if it is listening on the new port. If not, stop and start nfdump.service again.
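The same change done the upgrade-safe way, as an added example that is not part of the original post: a systemd drop-in replaces ExecStart to set the port and a bind address, a ufw rule limits the UDP port to the exporter, and a small stdin-based check confirms the listener. The port 9995, collector address 192.168.1.10 and exporter address 192.168.1.1 are assumed placeholders; the script only touches the system when run as root with NFCAPD_APPLY=1, otherwise it prints the drop-in it would write.

```shell
#!/bin/sh
# Added example (not from the original post): configure nfcapd through a
# systemd drop-in instead of editing /lib/systemd/system/nfdump.service, which
# a package upgrade would overwrite. The port, collector address and exporter
# address below are assumed placeholders; change them for your network.
NFCAPD_PORT="${NFCAPD_PORT:-9995}"
BIND_ADDR="${BIND_ADDR:-192.168.1.10}"         # address nfcapd listens on (-b)
EXPORTER_ADDR="${EXPORTER_ADDR:-192.168.1.1}"  # the only host allowed to send flows
DROPIN_DIR=/etc/systemd/system/nfdump.service.d

# Print a drop-in that replaces ExecStart. The empty "ExecStart=" line is
# required: without it systemd would see two ExecStart lines, which is not
# allowed for a Type=forking service.
nfcapd_override() {
    port="$1"; bind="$2"
    printf '%s\n' \
        '[Service]' \
        'ExecStart=' \
        "ExecStart=/usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/nfcapd.pid -b $bind -p $port"
}

# Read "ss -lun" or "netstat -n --udp --listen" output on stdin; succeed if any
# UDP socket is bound to port $1 (0.0.0.0:9995, 192.168.1.10:9995, [::]:9995, *:9995).
udp_listener_present() {
    awk -v p="$1" '
        /^udp|^UNCONN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[:.]" p "$")) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

if [ "${NFCAPD_APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    mkdir -p "$DROPIN_DIR"
    nfcapd_override "$NFCAPD_PORT" "$BIND_ADDR" > "$DROPIN_DIR/override.conf"
    systemctl daemon-reload
    systemctl restart nfdump.service
    # NetFlow/IPFIX over UDP carries no authentication, so anyone who can reach
    # the port can feed the collector fake records: only accept the exporter.
    if command -v ufw >/dev/null 2>&1; then
        ufw allow from "$EXPORTER_ADDR" to any port "$NFCAPD_PORT" proto udp
    fi
    if { ss -lun 2>/dev/null || netstat -n --udp --listen; } | udp_listener_present "$NFCAPD_PORT"; then
        echo "nfcapd is listening on UDP port $NFCAPD_PORT"
    else
        echo "nfcapd is NOT listening on UDP port $NFCAPD_PORT; check: journalctl -u nfdump.service" >&2
    fi
else
    echo "# Dry run. Would write to $DROPIN_DIR/override.conf:"
    nfcapd_override "$NFCAPD_PORT" "$BIND_ADDR"
fi
```

Run it as sudo NFCAPD_APPLY=1 sh configure-nfcapd.sh to apply; without NFCAPD_APPLY it only shows the drop-in. The empty ExecStart= line is the part people most often forget when overriding a forking service.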
Logs are written to /var/log/syslog if needed for checking events:
$ tail -100 /var/log/syslog | grep nfcapd
Aug 19 20:48:36 host1 nfcapd[1833]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
Aug 19 20:48:36 host1 nfcapd[1833]: Total ignored packets: 0
<snip>
nfcapd logs these statistics each time it rotates its output file (every 5 minutes by default). A rising Sequence Errors count means export packets are being lost or reordered between exporter and collector, and a non-zero Total ignored packets means datagrams arrived that nfcapd did not accept as flow records.
Using nfdump to View Flow Records
The nfdump utility reads binary flow records from disk and outputs them in ASCII. At its most basic, just use the -R option to say where the binary files are stored:
$ nfdump -R /var/cache/nfdump
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-18 21:52:15.536    61.619 UDP     192.168.1.60:59717    ->   192.168.2.40:514        29     3301     1
<snip>
Specific files can be read to limit what data is processed. The -R argument can be either:
- A single filename. That file and all more recent files in the same directory will be read.
- Two filenames separated by a colon. All files from the first to the second, in time order and including both, will be read.
There are numerous other options, here are some useful ones:
- Order by time start:
-O tstart
- Aggregate flow records as bidirectional flows and guess direction:
-B
- Output to CSV:
-o csv
There are many other options, see the nfdump man page for more information:
man nfdump
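The CSV output is the easiest way to feed flow records into simple alerting. As an added example that is not part of the original post, the script below pipes nfdump -o csv output through two checks written in the same sh/awk that a collector box already has: one flags a source that reached many distinct destination ports on one host (a crude port-scan signal), the other lists the largest senders by bytes. The records are constructed sample data with only a subset of nfdump's CSV columns; the column names assumed (sa, da, dp, ibyt) are looked up by header, so the real, wider output works too, and nfdump's trailing "Summary" section is skipped.

```shell
#!/bin/sh
# Added example (not from the original post): two simple security checks over
# "nfdump -o csv" output. The records below are constructed sample data, not
# real collector output, and carry only a subset of nfdump's CSV columns;
# columns are located by header name, so the real, wider output works too.
# Assumed column names: sa/da (source/destination address), dp (destination
# port), ibyt (input bytes). nfdump ends CSV output with a "Summary" section,
# which both checks skip.
SAMPLE_CSV='ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
2018-08-18 21:52:15.536,2018-08-18 21:52:15.536,0.000,10.1.1.19,10.1.1.1,52465,22,TCP,1,60
2018-08-18 21:52:15.540,2018-08-18 21:52:15.540,0.000,10.1.1.19,10.1.1.1,52466,23,TCP,1,60
2018-08-18 21:52:15.544,2018-08-18 21:52:15.544,0.000,10.1.1.19,10.1.1.1,52467,80,TCP,1,60
2018-08-18 21:52:15.548,2018-08-18 21:52:15.548,0.000,10.1.1.19,10.1.1.1,52468,443,TCP,1,60
2018-08-18 21:52:15.552,2018-08-18 21:52:15.552,0.000,10.1.1.19,10.1.1.1,52469,445,TCP,1,60
2018-08-18 21:52:15.556,2018-08-18 21:52:15.556,0.000,10.1.1.19,10.1.1.1,52470,445,TCP,1,60
2018-08-18 21:52:16.000,2018-08-18 21:53:17.619,61.619,192.168.1.60,192.168.2.40,59717,514,UDP,29,3301
2018-08-18 21:55:00.000,2018-08-18 21:59:58.000,298.000,10.1.1.20,203.0.113.5,44120,443,TCP,1100,1500000
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
8,1503661,1135,0,0,0'

# Print "src dst ports" for each source that reached at least $1 distinct
# destination ports on one host. Repeated hits on the same port count once.
scan_sources() {
    awk -F, -v min="$1" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^Summary/ { done = 1 }
        done || NF < 3 { next }
        {
            sa = $(col["sa"]); da = $(col["da"]); dp = $(col["dp"])
            if (!((sa, da, dp) in seen)) { seen[sa, da, dp] = 1; nports[sa " " da]++ }
        }
        END { for (k in nports) if (nports[k] >= min) printf "%s %d\n", k, nports[k] }' | sort
}

# Sum bytes per source address and print the $1 largest senders, e.g. to spot
# one internal host pushing far more data out than its peers.
top_talkers() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        /^Summary/ { done = 1 }
        done || NF < 3 { next }
        { bytes[$(col["sa"])] += $(col["ibyt"]) }
        END { for (sa in bytes) printf "%s %d\n", sa, bytes[sa] }' | sort -k2,2nr | head -n "$1"
}

echo "Possible scanners (>= 5 distinct ports on one host):"
printf '%s\n' "$SAMPLE_CSV" | scan_sources 5
echo "Top senders by bytes:"
printf '%s\n' "$SAMPLE_CSV" | top_talkers 3
```

Against a live collector replace the sample with the real output, e.g. nfdump -R /var/cache/nfdump -o csv | scan_sources 20; raise the threshold to suit your network, since a monitoring host or a busy client will legitimately touch many ports.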
Congratulations, you now have a NetFlow/IPFIX collector and can view flow records.
[1] See: https://tools.ietf.org/html/rfc7011 and RFCs 7012, 7013, 7014 and 7015
[2] See: https://github.com/phaag/nfdump
[3] See: https://packages.ubuntu.com/bionic/nfdump (change link to relevant version of Ubuntu)
I followed the steps but I'm getting 'No Matched Flows' when I'm running nfdump -R /var/cache/nfdump.
Can you help me figure this out? I'm using Ubuntu in VirtualBox with two network adapters enabled as NAT.
Thanks in advance.
Hi Nishant, do you have a NetFlow Exporter configured that is sending flow records to your Collector? The Exporter isn’t covered in this blog post, but there are other posts on how to create one
Hi Matt, Thanks for your response.
Yes I have configured the NetFlow exporter from your other blog
https://mattjhayes.com/2018/08/22/netflow-ipfix-exporting-with-pmacct/
After configuration, pmacct was running as shown in your blog.
Hi Nishant, are you seeing NetFlow packets arriving at the Collector? (can check with tcpdump)
Hey Matt, I figured it out yesterday. I changed my VirtualBox network adapter settings and it worked. Thanks 🙂
Cool, good to hear it is working now
Hey Matt, do you know how we can define templates so that we can have different templates for IPFIX streams?
Sorry, not something I’ve looked into, good luck!