
Monitoring Network Traffic with Netflow
Pages: 1, 2, 3, 4

Collector Setup

Your collector receives the data the sensor exports and stores it on disk for long-term reference. If possible, install the collector on a Web server; it makes reporting much nicer and easier. I recommend flow-capture, a very popular Netflow collector included in the flow-tools package. On FreeBSD, flow-tools is in the Ports tree at /usr/ports/net-mgmt/flow-tools; install it with the usual "make all install". Do not type make clean afterwards, and for the same reason don't use a precompiled flow-tools package: you might have to rebuild some components by hand later, and that needs the build tree the port leaves behind.

Make a directory for flow-capture to keep its records. I usually use /var/log/netflows (the path the startup command below writes to), but anywhere you have space works. On a multimegabit network, Netflow files can fill several GB of disk in a few weeks, so put the directory on a filesystem you can grow or prune. I also recommend creating a saved subdirectory under the log directory for the reporting system to use.

Now you need a startup script so flow-capture will run automatically at boot. A command like the following works nicely:

# /usr/local/bin/flow-capture -p /var/run/flow-capture.pid -n 287 \
    -N 0 -w /var/log/netflows/ -S 5 0/0/8818

Most of this you can use unchanged. The -p flag names the pid file and -w tells flow-capture where to write its files. The final argument has the form localip/remoteip/port: the local IP address to bind, the remote IP address to accept exports from, and the UDP port to listen on. With 0/0/8818 the collector binds all local addresses, accepts flows from any remote address, and listens on UDP port 8818. That is acceptable behind a firewall, but remember that Netflow export is plain UDP with no authentication: anything that can reach port 8818 can inject forged flow records into your archive. If your collector can receive traffic from networks you don't control, put the sensor's address in the middle field (for example 0/192.0.2.10/8818, with 192.0.2.10 standing in for your sensor's address), and, because that field only matches on the UDP source address and a source address can be spoofed, also restrict the port with a host firewall rule. (My collector is behind a firewall, and anyone who can sneak past the firewall would have no trouble deceiving flow-capture as well.) The -n 287 (287 rotations per day, i.e. a new file every five minutes), -N 0 (no date subdirectories) and -S 5 (a statistics line to syslog every five minutes) arguments are what the reporting package expects, so leave them alone.

Once flow-capture starts, flow files appear in your log directory. Their names encode the version of Netflow data they hold and the date and time at which that data begins. For example, tmp-v05.2005-04-28.201001-0400 is a temporary file containing Netflow version 5 data, collected on April 28, 2005, starting at 20:10:01 local time (one second after 8:10 p.m.), with a UTC offset of -0400. Every five minutes, flow-capture closes the temporary file, renames it to a permanent file and starts a new temporary one. Permanent files begin with ft instead of tmp, but otherwise the names are exactly the same.

To confirm that your flow-capture install is actually collecting something, check that the temporary file grows. On a busy network this should happen quickly, within a few minutes. If the file sits at the same size, the sensor's exports are not reaching the collector's UDP port: check the export destination on the sensor, the port in the flow-capture argument, and any firewall in between.
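The file-naming convention and the "does the temporary file grow" check described above, as an added example written for this page (it is not part of the original article and not a flow-tools tool). It assumes flow-capture was started with -N 0 so that all files sit directly in the log directory, and that the tool is saved as flowcheck.sh; the name, the directory and the timeout are assumptions, not anything the article specifies.

```shell
#!/bin/sh
# flowcheck.sh: sanity checks for a flow-capture log directory.
# Added example, not part of the original article or of flow-tools.
# Assumes the names flow-capture produces with -N 0:
#   tmp-vNN.YYYY-MM-DD.HHMMSS[+-]ZZZZ   file currently being written
#   ft-vNN.YYYY-MM-DD.HHMMSS[+-]ZZZZ    rotated, permanent file
set -u

# Print "state version date time tzoffset" for one flow file name
# (a path is fine), or return 1 if it does not follow the convention.
ft_name_info() {
    name=${1##*/}
    case $name in
        tmp-v*) state=temporary ;;
        ft-v*)  state=permanent ;;
        *)      return 1 ;;
    esac
    rest=${name#*-v}                       # 05.2005-04-28.201001-0400
    case $rest in
        [0-9][0-9].[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9][+-][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    ver=${rest%%.*}; ver=${ver#0}          # 05 -> 5
    rest=${rest#*.}                        # 2005-04-28.201001-0400
    day=${rest%%.*}                        # 2005-04-28
    stamp=${rest#*.}                       # 201001-0400
    hms=${stamp%[+-]*}                     # 201001
    tz=${stamp#"$hms"}                     # -0400
    hh=${hms%????}; mmss=${hms#??}; mm=${mmss%??}; ss=${hms#????}
    printf '%s v%s %s %s:%s:%s %s\n' "$state" "$ver" "$day" "$hh" "$mm" "$ss" "$tz"
}

# Print the most recently modified tmp-v* file in a directory, or return 1.
newest_tmp() {
    newest=
    for f in "$1"/tmp-v[0-9][0-9].*; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then newest=$f; fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Size in bytes; wc -c works the same on FreeBSD and Linux, unlike stat(1).
file_size() { wc -c < "$1" | tr -d ' '; }

# Succeed only if the file gained bytes during the wait.
file_grew() {
    before=$(file_size "$1")
    sleep "$2"
    after=$(file_size "$1")
    [ "$after" -gt "$before" ]
}

# check_collector LOGDIR [SECONDS]: 0 = flows arriving, 1 = no growth,
# 2 = no usable temporary file at all.
check_collector() {
    dir=$1; secs=${2:-120}
    if ! cur=$(newest_tmp "$dir"); then
        echo "no tmp-v* file under $dir: is flow-capture running, and does -w point here?" >&2
        return 2
    fi
    if ! info=$(ft_name_info "$cur"); then
        echo "unexpected file name $cur (was flow-capture started with -N 0?)" >&2
        return 2
    fi
    echo "watching $cur ($info)"
    if file_grew "$cur" "$secs"; then
        echo "OK: file grew within ${secs}s, the sensor is reaching the collector"
        return 0
    fi
    echo "FAIL: no growth in ${secs}s; check the sensor's export target, the" >&2
    echo "collector's UDP port and any firewall between them" >&2
    return 1
}

# Usage: sh flowcheck.sh /var/log/netflows [seconds]
if [ $# -gt 0 ]; then
    check_collector "$@"
fi
```

Run it as `sh flowcheck.sh /var/log/netflows 120` once flow-capture is up; a non-zero exit means the sensor is not delivering, which is the first thing to rule out before blaming the reporting tools.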

The information in these files is in a binary format that needs special tools to read. flow-tools itself ships flow-cat and flow-print for looking at them directly, but many of the reporting tools use Cflow.pm.

Cflow.pm Setup

Many different Netflow reporting tools use the Cflow.pm Perl module to read flow files. It provides a Perl library and a command-line tool (flowdumper) for viewing and manipulating flow files. The hard part is that each collector has its own storage format: Cflow.pm was originally written to process cflowd(8) files, and it reads other formats, flow-tools files included, only if it is built and installed properly.

This is where most people give up on Netflow. Follow the directions carefully, and verify your work once the Cflow.pm install is complete.
