
NetFlow


The NetFlow collector receives flow records from NetFlow-enabled devices and ships them as logs to GuanCe Cloud, where they can be visualized and used to monitor and analyze NetFlow anomalies.

What is NetFlow

NetFlow is the most widely used standard for traffic statistics. Developed by Cisco, it monitors and records all inbound and outbound traffic flows. NetFlow analyzes the traffic data it collects to provide visibility into flows and traffic volumes, and to track where traffic is coming from, where it is going, and what traffic is being generated at any given time. The logged information can be used for usage monitoring, anomaly detection, and a variety of other network management tasks.

The following protocols are currently supported by DataKit:

  • netflow5
  • netflow9
  • sflow5
  • ipfix

Configuration

Preconditions

  • A NetFlow-enabled device. The enabling method differs between devices, so consult the vendor's official guide. For example: Enabling NetFlow on Cisco ASA

Collector Configuration

Go to the conf.d/netflow directory under the DataKit installation directory, copy netflow.conf.sample and rename it netflow.conf. An example configuration:

[[inputs.netflow]]
    source    = "netflow"
    namespace = "namespace"

    #[[inputs.netflow.listeners]]
    #    flow_type = "netflow9"
    #    port      = 2055

    [[inputs.netflow.listeners]]
        flow_type = "netflow5"
        port      = 2056

    #[[inputs.netflow.listeners]]
    #    flow_type = "ipfix"
    #    port      = 4739

    #[[inputs.netflow.listeners]]
    #    flow_type = "sflow5"
    #    port      = 6343

    [inputs.netflow.tags]
    # some_tag = "some_value"
    # more_tag = "some_other_value"

After configuration, restart DataKit.

The collector can also be enabled by injecting its configuration through a ConfigMap.

Log

An example log record:

{
    "flush_timestamp":1692077978547,
    "type":"netflow5",
    "sampling_rate":0,
    "direction":"ingress",
    "start":1692077976,
    "end":1692077976,
    "bytes":668,
    "packets":1588,
    "ether_type":"IPv4",
    "ip_protocol":"TCP",
    "device":{
        "namespace":"namespace"
    },
    "exporter":{
        "ip":"10.200.14.142"
    },
    "source":{
        "ip":"130.240.103.204",
        "port":"4627",
        "mac":"00:00:00:00:00:00",
        "mask":"130.240.96.0/20"
    },
    "destination":{
        "ip":"152.222.36.168",
        "port":"424",
        "mac":"00:00:00:00:00:00",
        "mask":"152.0.0.0/8"
    },
    "ingress":{
        "interface":{
            "index":0
        }
    },
    "egress":{
        "interface":{
            "index":0
        }
    },
    "host":"MacBook-Air-2.local",
    "next_hop":{
        "ip":"20.104.52.139"
    }
}
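To show where the fields in the record above come from on the wire, here is an added example (not DataKit code) that packs a NetFlow v5 datagram with the same values as the sample record, decodes it, and maps the 48-byte flow record onto the log layout. Everything that v5 does not carry on the wire (namespace, exporter IP, collector host, direction, MAC addresses) is an assumption supplied by the caller; `send_to_listener` targets the netflow5 listener on port 2056 from the configuration above and is only meant for checking that a freshly configured collector receives data.

```python
"""Build and decode a NetFlow v5 datagram and map it onto the log record layout.

Added example, not DataKit code. Sample values are constructed to match the
log record on the page; namespace, exporter IP, host and direction are
assumptions because v5 does not carry them on the wire.
"""
import ipaddress
import json
import socket
import struct
import time

# NetFlow v5 wire format: a 24-byte header followed by 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime(ms), unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed record mirroring the page's sample log (first/last are ms since exporter boot).
SAMPLE_RECORD = {
    "src_ip": "130.240.103.204", "dst_ip": "152.222.36.168", "next_hop": "20.104.52.139",
    "in_if": 0, "out_if": 0, "packets": 1588, "bytes": 668, "first_ms": 8_000, "last_ms": 8_000,
    "src_port": 4627, "dst_port": 424, "tcp_flags": 0x18, "protocol": 6, "src_mask": 20, "dst_mask": 8,
}


def build_v5_datagram(records, sys_uptime_ms, unix_secs, flow_sequence=0, sampling_interval=0):
    """Pack record dicts into one v5 export datagram (for generating test traffic)."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime_ms, unix_secs, 0,
                         flow_sequence, 0, 0, sampling_interval)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(r["src_ip"]), socket.inet_aton(r["dst_ip"]), socket.inet_aton(r["next_hop"]),
                    r["in_if"], r["out_if"], r["packets"], r["bytes"], r["first_ms"], r["last_ms"],
                    r["src_port"], r["dst_port"], 0, r["tcp_flags"], r["protocol"], 0, 0, 0,
                    r["src_mask"], r["dst_mask"], 0)
        for r in records)
    return header + body


def sample_datagram():
    """One datagram holding SAMPLE_RECORD; uptime/unix_secs chosen so start == 1692077976."""
    return build_v5_datagram([SAMPLE_RECORD], sys_uptime_ms=10_000, unix_secs=1692077978)


def parse_v5_datagram(data, exporter_ip, namespace="namespace", host="collector.local", now_ms=None):
    """Decode a v5 datagram into dicts shaped like the log record on the page.

    Length and version are validated before any record is touched, so a
    truncated or padded datagram is rejected instead of being half-decoded.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, unix_secs, _nsecs, _seq, _etype, _eid, sampling = struct.unpack_from(HEADER_FMT, data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    boot_epoch = unix_secs - uptime / 1000.0  # absolute time the exporter's uptime clock started
    flush = int(time.time() * 1000) if now_ms is None else now_ms
    flows = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, first, last, sport, dport, _pad1,
         flags, proto, _tos, _sas, _das, smask, dmask, _pad2) = struct.unpack_from(
            RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        src_ip, dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
        flows.append({
            "flush_timestamp": flush,
            "type": "netflow5",
            "sampling_rate": sampling & 0x3FFF,  # low 14 bits: interval; top 2 bits: sampling mode
            "direction": "ingress",              # assumption: v5 has no direction field
            "start": int(boot_epoch + first / 1000.0),
            "end": int(boot_epoch + last / 1000.0),
            "bytes": octets,
            "packets": pkts,
            "ether_type": "IPv4",                # v5 carries IPv4 flows only
            "ip_protocol": IP_PROTOCOLS.get(proto, str(proto)),
            "tcp_flags": flags,
            "device": {"namespace": namespace},
            "exporter": {"ip": exporter_ip},
            "source": {"ip": src_ip, "port": str(sport), "mac": "00:00:00:00:00:00",
                       "mask": str(ipaddress.ip_network(f"{src_ip}/{smask}", strict=False))},
            "destination": {"ip": dst_ip, "port": str(dport), "mac": "00:00:00:00:00:00",
                            "mask": str(ipaddress.ip_network(f"{dst_ip}/{dmask}", strict=False))},
            "ingress": {"interface": {"index": in_if}},
            "egress": {"interface": {"index": out_if}},
            "host": host,
            "next_hop": {"ip": socket.inet_ntoa(nh)},
        })
    return flows


def send_to_listener(data, host="127.0.0.1", port=2056):
    """Send one datagram to the netflow5 listener from the configuration above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


if __name__ == "__main__":
    dg = sample_datagram()
    print(json.dumps(parse_v5_datagram(dg, exporter_ip="10.200.14.142")[0], indent=4))
```

Run `send_to_listener(sample_datagram())` on the DataKit host after restarting it and the record should appear in the logging category with the same source, destination and byte counts as the sample above; the length check is what a collector must do before trusting the `count` field, since a crafted or truncated header would otherwise drive `unpack_from` past the end of the buffer.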

The fields are explained below:

  • Root/NetFlow node

    field            description
    flush_timestamp  Flush/report time
    type             Flow type
    sampling_rate    Sampling rate
    direction        Flow direction
    start            Flow start time
    end              Flow end time
    bytes            Transferred bytes
    packets          Transferred packets
    ether_type       Ethernet type (IPv4/IPv6)
    ip_protocol      IP protocol (TCP/UDP)
    device           Device node
    exporter         Exporter node
    source           Flow source node
    destination      Flow destination node
    ingress          Inbound traffic node
    egress           Outbound traffic node
    host             Collector hostname
    tcp_flags        TCP flags
    next_hop         Next-hop node

  • device node

    field      description
    namespace  Device namespace

  • exporter node

    field  description
    ip     Exporter IP

  • source node

    field  description
    ip     Flow source IP address
    port   Flow source port
    mac    Flow source MAC address
    mask   Flow source IP mask

  • destination node

    field  description
    ip     Flow destination IP address
    port   Flow destination port
    mac    Flow destination MAC address
    mask   Flow destination IP mask

  • ingress node

    field      description
    interface  Inbound traffic interface

  • egress node

    field      description
    interface  Outbound traffic interface

  • next_hop node

    field  description
    ip     The IP address of the neighboring router
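The record layout above is what a detection job sees once the logs are in the platform. The following added example (not DataKit code) runs three defender-side checks over records in that layout: a byte-per-packet plausibility check (an IPv4 packet cannot be shorter than its 20-byte header, so the sample record's 668 bytes over 1588 packets points to a broken or spoofed export rather than real traffic), a fan-out check that counts distinct destination endpoints per source, and a sampling-corrected top-talker list. The sample flows and the thresholds are constructed assumptions for illustration.

```python
"""Plausibility, fan-out and top-talker checks over NetFlow log records.

Added example, not DataKit code. SAMPLE_FLOWS and the thresholds are
constructed for illustration; the record layout follows the page's log.
"""
from collections import defaultdict

MIN_BYTES_PER_PACKET = 20      # an IPv4 packet is never smaller than its header
MAX_BYTES_PER_PACKET = 65535   # largest IPv4 datagram
FANOUT_THRESHOLD = 10          # distinct (dst ip, dst port) pairs from one source


def make_flow(src_ip, dst_ip, dst_port, nbytes, npackets, proto="TCP", sampling_rate=0):
    """Constructed record in the page's log layout (only the fields the checks read)."""
    return {"type": "netflow5", "sampling_rate": sampling_rate, "bytes": nbytes,
            "packets": npackets, "ip_protocol": proto,
            "source": {"ip": src_ip, "port": "40000"},
            "destination": {"ip": dst_ip, "port": str(dst_port)}}


def scaled_volume(rec):
    """Bytes and packets corrected for sampling; rate 0 (as in the sample record) means unsampled."""
    factor = rec["sampling_rate"] or 1
    return rec["bytes"] * factor, rec["packets"] * factor


def check_bytes_per_packet(rec):
    """Return a finding when the byte/packet ratio cannot come from real IPv4 traffic."""
    if rec["packets"] == 0:
        return {"kind": "zero_packets", "source_ip": rec["source"]["ip"]}
    ratio = rec["bytes"] / rec["packets"]
    if not MIN_BYTES_PER_PACKET <= ratio <= MAX_BYTES_PER_PACKET:
        return {"kind": "implausible_ratio", "source_ip": rec["source"]["ip"],
                "bytes_per_packet": round(ratio, 2)}
    return None


def fanout_by_source(records, threshold=FANOUT_THRESHOLD):
    """Sources that touched at least `threshold` distinct destination endpoints."""
    targets = defaultdict(set)
    for r in records:
        targets[r["source"]["ip"]].add((r["destination"]["ip"], r["destination"]["port"]))
    return {ip: len(t) for ip, t in targets.items() if len(t) >= threshold}


def top_talkers(records, n=3):
    """Sources ranked by sampling-corrected bytes sent."""
    volume = defaultdict(int)
    for r in records:
        sent, _ = scaled_volume(r)
        volume[r["source"]["ip"]] += sent
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)[:n]


def analyze_flows(records):
    """Run the per-record and per-source checks and return the findings."""
    findings = [f for f in (check_bytes_per_packet(r) for r in records) if f]
    for ip, count in fanout_by_source(records).items():
        findings.append({"kind": "high_fanout", "source_ip": ip, "targets": count})
    return findings


# Constructed input: the page's record (0.42 B/pkt), one source probing 12 ports,
# and one sampled (1:100) bulk transfer.
SAMPLE_FLOWS = (
    [make_flow("130.240.103.204", "152.222.36.168", 424, 668, 1588)]
    + [make_flow("10.0.0.5", "192.0.2.10", p, 60, 1) for p in range(20, 32)]
    + [make_flow("10.0.0.7", "192.0.2.20", 443, 5_000_000, 4000, sampling_rate=100)]
)

if __name__ == "__main__":
    for finding in analyze_flows(SAMPLE_FLOWS):
        print(finding)
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
```

The sampling correction matters for volume-based alerts: a 1:100 sampled flow that reports 5 MB really stands for about 500 MB, and a threshold applied to the raw `bytes` field would miss it. The ratio check is also a cheap integrity signal, since an exporter that is misconfigured or a forged export will typically fail it before anything else does.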

Metric

For all the following data collections, a global tag named host is appended by default (the tag value is the host name of the DataKit); other tags can be specified in the configuration through [inputs.netflow.tags]:

  [inputs.netflow.tags]
  # some_tag = "some_value"
  # more_tag = "some_other_value"
  # ...

Info

The data collected by NetFlow is stored in the logging category (L).

netflow

The measurement name is taken from the source field in the config file; the default is default.

  • Tags

    Tag   Description
    host  Hostname.
    ip    Collector IP address.

  • Metrics

    Metric       Type    Unit       Description
    bytes        int     digital,B  Flow bytes.
    dest_ip      string  N/A        Flow destination IP.
    dest_port    string  N/A        Flow destination port.
    device_ip    string  N/A        NetFlow exporter IP.
    ip_protocol  string  N/A        Flow network protocol.
    message      string  N/A        The text of the logging.
    source_ip    string  N/A        Flow source IP.
    source_port  string  N/A        Flow source port.
    status       string  N/A        The status of the logging; only info/emerg/alert/critical/error/warning/debug/OK/unknown are supported.
    type         string  N/A        Flow type.
