Network traffic flows (flows) are useful for building a coarse-grained understanding of traffic on a computer network.
Following on from What is a Network Traffic Flow? and What is a Network Traffic Flow? (Part 2), this third post investigates flow metadata, how it adds value to flow analysis, and how to record and transport it. This is the good stuff, where flows become useful…
Figure 1 – What this blog post covers
This blog post is for network experimenters who want to export flow records from an Ubuntu Linux host bridging multiple network segments. Such a network might look like this:
An Ubuntu Linux host bridges two network segments, and traffic passing through the bridge is recorded as flow records.
This blog post is for network experimenters who want to collect (receive) NetFlow or IPFIX flow records using the nfdump package (which includes nfcapd). An example use case, building on the previous blog post NetFlow on OpenWRT, is shown in the diagram below (highlighted boxes):
Flow records can be useful for various applications such as network visibility and security alerting.
This blog post is for network experimenters who want to export flow records from a small network, such as a home network using an OpenWRT router. Such a network might look like this:
Flow records can be useful for various applications. Here is an example flow record:
Date first seen Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2018-08-04 21:31:34.518 0.000 TCP 10.1.1.19:52465 -> 10.1.1.1:22 100 4600 1
Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes.
In this tutorial we use OpenWRT, a popular free and open source router operating system, and add the softflowd package to it to generate NetFlow flow records. There are, however, many other options to achieve the same outcome.