Flow-Tools: Notes on Reading Captured Flow Data

Notes on Reading Captured Data Using Flow-Tools

Flow-Tools is a set of libraries and tools designed to capture, report and otherwise manipulate Netflow data. If you are unfamiliar with Netflow, check out the Netflow Wikipedia page. If you are unfamiliar with flow-tools you can search Google for additional resources. The site referenced as the source (http://www.splintered.net/sw/flow-tools/) appears to be down at the moment.

I am by no means a flow-tools expert, but I wanted to take this note in case I ever need to quickly capture some flow data and look at it. There is a chance I am just thick or out of practice, but the docs can be confusing. Sometimes getting flows set up in a formal NMS takes too much time when all you need is a quick answer. If you’re shipping your flows off somewhere, you can capture them to a file using flow-receive, which is simple enough that it needs no explanation here.

It’s the flow-report part that tripped me up for a while. Note, I received flow data into a file I called “flow-out”.

First, create a report definition file. In this example, I call it “report” just to be confusing.

```
stat-report srx3x1n
type ip-source/destination-address/ip-destination-port
output
format ascii
options +header,+xheader,+totals
fields +other
path /home/chouston/flow-tools/output-srx3x1n

stat-definition srx3x1n-src-dest-dport
filter tcp
report srx3x1n
```

This report file defines a “report” called srx3x1n which writes ASCII output to a file in my home directory, with source IP, destination IP and destination port on each line of output for the flows in my data. The stat-definition srx3x1n-src-dest-dport applies the tcp filter to that report, and its name is what you hand to flow-report.

Now you can “flow-cat” your captured flow data (flow-out in my example) and render it using the report file you just created.

`flow-cat flow-out | flow-report -s /path/to/report -S srx3x1n-src-dest-dport`

That will cause the file output-srx3x1n to be generated which will contain data like:

```
# < some possibly useful header data >
# recn: ip-source-address*,ip-destination-address*,ip-destination-port*,flows,octets,packets,duration
x.x.x.x,y.y.y.y,80,2,423,2,0
...
```

Voila. Once you figure it out, that’s a really easy, quick-and-dirty way to analyze netflow data on the command line.
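Since the report output is just a comment header plus CSV rows, it is easy to post-process. The following is an added example (not part of flow-tools or this post) that reads the `# recn:` line to learn the column order and then sums octets per destination port, so a capture can be summarised without a full NMS; the sample rows and addresses are constructed, not real capture data.

```python
"""Parse flow-report ASCII output (see the report above) and aggregate it.

Added example, not flow-tools code. Lines starting with '#' are header or
comment lines; the '# recn:' line names the columns of every data row.
"""
from collections import defaultdict

# Constructed sample in the shape of output-srx3x1n (placeholder addresses).
SAMPLE_OUTPUT = """\
# some header data
# recn: ip-source-address*,ip-destination-address*,ip-destination-port*,flows,octets,packets,duration
10.0.0.5,192.0.2.10,80,2,423,2,0
10.0.0.5,192.0.2.10,443,5,9000,12,40
10.0.0.9,192.0.2.20,22,1,1200,9,300
10.0.0.9,192.0.2.10,443,3,600,4,10
"""

def parse_flow_report(text):
    """Return (field_names, rows); each row is a dict keyed by field name.
    Key fields carry a trailing '*' in the recn line, which is stripped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("# recn:"):
            fields = [f.rstrip("*") for f in line[len("# recn:"):].strip().split(",")]
        elif line.startswith("#") or not line.strip():
            continue  # other header/comment lines and blanks
        else:
            if fields is None:
                raise ValueError("data row seen before '# recn:' header")
            values = line.split(",")
            if len(values) != len(fields):
                raise ValueError("column count mismatch: %r" % line)
            rows.append(dict(zip(fields, values)))
    return fields, rows

def octets_per_dport(text):
    """Sum octets by destination port, largest first (ties by port)."""
    _, rows = parse_flow_report(text)
    totals = defaultdict(int)
    for r in rows:
        totals[int(r["ip-destination-port"])] += int(r["octets"])
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for port, octets in octets_per_dport(SAMPLE_OUTPUT):
        print("%5d %10d" % (port, octets))
```

Point it at the real file (`open("output-srx3x1n").read()`) and swap the grouping key for any other field named in the recn line.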
