What is a Network Traffic Flow? (Part 3)


Network traffic flows (flows) are useful for building a coarse-grained understanding of traffic on a computer network.

Following on from What is a Network Traffic Flow? and What is a Network Traffic Flow? (Part 2), this third post investigates flow metadata, how it adds value to flow analysis, and how to record and transport it. This is the good stuff, where flows become useful…


Figure 1 – What this blog post covers


Collecting NetFlow with nfcapd and nfdump

This blog post is for network experimenters who want to collect (receive) NetFlow or IPFIX flow records using the nfdump package (which includes nfcapd). An example use case, building on the previous blog post NetFlow on OpenWRT, is shown in the diagram below (highlighted boxes):


Flow records can be useful for various applications such as network visibility and security alerting.

NetFlow on OpenWRT

This blog post is for network experimenters who want to export flow records from a small network, such as a home network using an OpenWRT router. Such a network might look like this:


Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP ->            100     4600     1

Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes.

In this tutorial we use OpenWRT[1], a popular free and open source router operating system, and add the softflowd package to it to generate NetFlow flow records. There are, however, many other options to achieve the same outcome.