NetFlow/IPFIX Exporting with pmacct

This blog post is for network experimenters who want to export flow records from an Ubuntu Linux host bridging multiple network segments. Such a network might look like this:


An Ubuntu Linux host bridges two network segments, and traffic passing through the bridge is recorded as flow records.

Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP ->            100     4600     1


Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes per flow.

NetFlow is a specification for exporting and collecting flow records. It is superseded by a newer open-standard specification called IPFIX.

In this tutorial we use pmacct[1], a free and open source set of passive network monitoring tools primarily developed by Paolo Lucente.  Pmacct originally stood for “Promiscuous mode IP Accounting”[2], but now has other features too. In this blog post we’re only covering how to use pmacct as a NetFlow/IPFIX exporter.

We assume that you already have a free unused Ubuntu server with multiple NICs (physical or virtual) running a recent release and access to the command line. We’re going to make changes to it, so it does need to be a box that you don’t care about, and you should have physical access to it so you can reconfigure it if you lose remote connectivity.


Start by ensuring Ubuntu is up-to-date:

sudo apt-get update
sudo apt-get upgrade


Set up Bridging

Install bridge utils:

sudo apt-get update
sudo apt-get install bridge-utils


Configure Bridging

Configure bridging in the /etc/network/interfaces file. The exact configuration will depend on your interfaces. Here is an example that bridges interfaces eth0 and eth1, and assigns them an IP address:

# The loopback network interface
auto lo
iface lo inet loopback

# Bridge for pmacct NetFlow/IPFIX collector:
auto br0
iface br0 inet static
  bridge_ports eth0 eth1


Check iptables

Double check that iptables is configured correctly.

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The FORWARD chain should be set to ACCEPT.

If you happen to have Docker installed, note that Docker sets the FORWARD chain policy to DROP. If this is the case, you’ll either need to fix it (Docker overwrites the fix on reboot) or remove Docker. It can be temporarily fixed when needed by running the following (beware: this may have security implications and could break Docker too):

sudo iptables -P FORWARD ACCEPT


Enable forwarding

To enable forwarding, edit /etc/sysctl.conf:

sudo vi /etc/sysctl.conf

Uncomment (remove the leading #) in this line:


To be safe, you’re probably going to want to reboot the server at this point.


Install libpcap

We need libpcap for packet capture into pmacct:

sudo apt-get update
sudo apt-get install libpcap-dev


Install pmacct

Now we install the pmacct project. Create a src directory in your home directory:

mkdir src

Download the latest version of pmacct (check in, it is currently ) into ~/src/

cd src


tar xvfz pmacct-1.7.1.tar.gz

cd ~/src/pmacct-1.7.1



sudo make install


Configure pmacct

Create a directory for the pmacct config file:

mkdir ~/pmacct
cd ~/pmacct
vi pmacctd.conf

Paste this config in (updating IP etc as appropriate):

daemonize: true
#daemonize: false
interface: br0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_version: 10
nfprobe_timeouts: tcp=30:maxlife=60


Run pmacct

sudo pmacctd -f ~/pmacct/pmacctd.conf


Check if pmacct is Running

If pmacct is configured to run as a daemon, you’ll need to check if processes are running. You should see a couple of pmacctd processes:

$ ps -ef | grep pmacct
root      2835     1  0 20:26 ?        00:00:00 pmacctd: Core Process [default]
root      2836  2835  0 20:26 ?        00:00:00 pmacctd: Netflow Probe Plugin [default_nfprobe]
user1       2838  2798  0 20:26 pts/5    00:00:00 grep --color=auto pmacct


Congratulations, you now have a working NetFlow/IPFIX exporter. Check out the Collecting NetFlow post for how to build a NetFlow/IPFIX collector to receive the flow records.

[1] See:

[2] Source:
