pfflowd
pfflowd converts OpenBSD PF status messages (sent via the pfsync interface) to Cisco NetFlow™ datagrams. These datagrams may be sent (via UDP) to a host of one's choice. Utilising the OpenBSD stateful packet filter infrastructure means that flow tracking is very fast and accurate.
NB. The pfsync interface has been in constant development since it was introduced into OpenBSD. pfflowd tracks these developments, but does not usually retain backwards compatibility.
Mailing list
The netflow-tools mailing list is available for pfflowd discussion, support, development and release announcements.
News
Fri, 07 Jul 2006: pfflowd-0.7 released
pfflowd-0.7 has been released. Thanks to work completed by Mathieu Sauve-Frankel, this release supports version 3 of the pfsync protocol as used by OpenBSD 3.9 and above. pfsync v.3 includes 64 bit packet and byte counters so large flows can be better accounted for.
Mon, 10 Jan 2005: Mailing list created
I have just created a new mailing list for the discussion of pfflowd and the other NetFlow tools developed here. Development and support of the tools are on-topic and I will send announcements of new releases there too.
Mon, 06 Sep 2004: pfflowd-0.6 released
pfflowd-0.6 has been released. This release adds export of flows via IPv6 transport, NetFlow v.5 (thanks to Ben Lovett) and a more lightweight main loop.
Fri, 07 May 2004: pfflowd-0.5 release respun
I have rebuilt the pfflowd-0.5 release without the CVS/ gunk. If you fetched the tarballs yesterday and have noticed that the latest ones have different checksums, then don't be surprised. You can check the PGP signature if you are in doubt - it is new too.
Thu, 06 May 2004: pfflowd-0.5 released
pfflowd-0.5 is now out. This release fixes a couple of bugs, including dropped packets when trying to send to a non-existent flow collector and errors in calculation of the flow start and finish times. pfflowd-0.5 also adds basic filtering on flow direction (in or out). This release targets OpenBSD 3.5 and -current, but can also support 3.4 (see the README for details).
Details
OpenBSD's PF stateful packet filter will count bytes and packets for flows it tracks statefully. PF also contains a mechanism (pfsync) which allows real-time reporting of state expiry. pfflowd listens for these state expiry messages and converts them to NetFlow™ datagrams.
Reusing the kernel's packet filtering system has a number of advantages. On systems which are firewalling, there is no duplication of effort between tracking flows for firewalling and tracking flows for accounting. Flow tracking is also very fast, since it uses PF's highly optimised state matching code. Running pfflowd on a system which is already firewalling imposes negligible additional load.
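The page describes the conversion but not what the collector actually receives. The following added example (illustration code written for this page, not pfflowd's own source) builds a NetFlow v5 export datagram from finished flows and parses it back the way a collector would, validating the framing and the flow_sequence counter. The v5 wire layout (24-byte header, 48-byte records, at most 30 records per datagram, 32-bit packet and octet counters) is the published format; the addresses, ports, counters and timestamps are constructed sample data. Because pfsync v3 supplies 64-bit counters while v5 fields are 32-bit, the example splits an oversized flow across several records rather than truncating it; that split is this example's own choice and is not a claim about how pfflowd handles large flows.

```python
"""Build a NetFlow v5 export datagram from finished flows and parse it back.

Added illustration (not pfflowd's own code). All sample values are constructed.
"""
import socket
import struct
from dataclasses import dataclass

# Wire layouts from the NetFlow v5 format (network byte order).
NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30        # a v5 datagram carries at most 30 flow records
MAX32 = 0xFFFFFFFF      # dPkts and dOctets are 32-bit fields in v5


@dataclass
class Flow:
    """A finished flow carrying the 64-bit counters pfsync v3 supplies."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    first_ms: int   # SysUptime (ms) when the flow started
    last_ms: int    # SysUptime (ms) when the flow ended
    tcp_flags: int = 0


def split_counters(packets, octets):
    """Split 64-bit counters into chunks that each fit a 32-bit v5 field.

    This is the example's own way of avoiding silent truncation of large
    flows; it is an assumption, not a description of pfflowd's behaviour.
    """
    n = max(1, (packets + MAX32 - 1) // MAX32, (octets + MAX32 - 1) // MAX32)
    chunks = []
    for i in range(n):
        # spread the remainders over the first chunks so totals are preserved
        p = packets // n + (1 if i < packets % n else 0)
        o = octets // n + (1 if i < octets % n else 0)
        chunks.append((p, o))
    return chunks


def encode_v5(flows, sys_uptime_ms, unix_secs, unix_nsecs, flow_sequence, engine_id=0):
    """Pack flows into one v5 datagram. Returns (datagram, next_flow_sequence)."""
    records = []
    for f in flows:
        for pkts, octs in split_counters(f.packets, f.octets):
            records.append(NF5_RECORD.pack(
                socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\x00" * 4,  # nexthop unknown
                0, 0,                                  # input/output ifIndex not available here
                pkts, octs, f.first_ms, f.last_ms,
                f.src_port, f.dst_port,
                0, f.tcp_flags, f.proto, 0,            # pad1, tcp_flags, prot, tos
                0, 0, 0, 0, 0))                        # src_as, dst_as, src_mask, dst_mask, pad2
    if len(records) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram: %d" % len(records))
    header = NF5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, unix_nsecs,
                             flow_sequence, 0, engine_id, 0)
    return header + b"".join(records), flow_sequence + len(records)


def decode_v5(datagram):
    """Parse a v5 datagram as a collector would, checking version and framing."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("short datagram")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if count > MAX_RECORDS or len(datagram) != NF5_HEADER.size + count * NF5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime_ms,
              "unix_secs": unix_secs, "flow_sequence": flow_sequence, "engine_id": engine_id}
    records = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return header, records


def missing_flows(prev_header, header):
    """Records lost between two consecutive datagrams from the same engine.

    flow_sequence counts records exported so far, so the next datagram should
    start at the previous sequence plus the previous record count.
    """
    return header["flow_sequence"] - (prev_header["flow_sequence"] + prev_header["count"])


# Constructed sample flows: one ordinary HTTPS flow and one 6 GiB transfer
# whose octet count does not fit a single 32-bit field.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", 51234, 443, 6, 42, 31337, 10_000, 12_500, tcp_flags=0x1b),
    Flow("192.0.2.11", "198.51.100.8", 40000, 80, 6, 4_400_000, 6 * 2**30, 1_000, 9_000, tcp_flags=0x1b),
]


def build_sample_datagram():
    datagram, _next_seq = encode_v5(SAMPLE_FLOWS, sys_uptime_ms=20_000,
                                    unix_secs=1_152_230_400, unix_nsecs=0, flow_sequence=0)
    return datagram


if __name__ == "__main__":
    dg = build_sample_datagram()
    hdr, recs = decode_v5(dg)
    print("datagram of %d bytes, %d records" % (len(dg), hdr["count"]))
    for r in recs:
        print("%s:%d -> %s:%d proto %d pkts %d octets %d" % (
            r["src"], r["src_port"], r["dst"], r["dst_port"], r["proto"], r["packets"], r["octets"]))
```

The length check in decode_v5 matters on a collector: a datagram whose record count disagrees with its size is either damaged or not v5 at all, and should be dropped rather than partially parsed. The flow_sequence arithmetic is how a collector notices export loss, which is the failure mode to watch for when the UDP path to the collector is congested.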
Caveats
There are a number of issues to be aware of when using pfflowd:
- Generated packets are not counted in flow reports, i.e. TCP RSTs, ICMP unreachables and TCP handshakes performed by synproxy are not included in flows. This may, depending on one's perspective, make the resultant flow records slightly inaccurate, though the effect on the counters is generally insignificant.
- The kernel only accounts packets that it passes statefully. Since flow reporting is coupled to PF's state tracking, only traffic flows which are passed via a "keep state", "modulate state" or "synproxy state" rule are accounted. Blocked packets are not accounted. Be careful not to create state for the NetFlow™ packets that pfflowd sends itself! (Doing so would be a waste of time anyway, as no replies are expected.)
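To make the accounting boundary concrete, here is an added pf.conf fragment (written for this page, not taken from pfflowd or its README) contrasting rules whose traffic is reported with rules whose traffic is not. The interface names, addresses and the collector port 2055 are assumptions.

```pf
# Added illustration for the caveats above; interface names, addresses and
# the collector port are assumptions, not values from the pfflowd distribution.
ext_if = "fxp0"
int_if = "fxp1"
collector = "192.0.2.50"        # host running the NetFlow collector (assumed)

# Not accounted: blocked traffic never creates state, so it never appears
# in a flow record. (Last matching rule wins, so this goes first.)
block in log on $ext_if inet from any to any

# Accounted: traffic passed statefully is tracked by PF, and pfsync reports
# each finished state to pfflowd as a flow.
pass out on $ext_if inet proto { tcp udp } from $int_if:network to any keep state
pass in on $ext_if inet proto tcp from any to $int_if:network port 25 synproxy state

# Not accounted, on purpose: pfflowd's own NetFlow export. On the OpenBSD
# releases this page targets, a rule without "keep state" is stateless, so the
# export packets are not tracked and do not feed back into the exported flows.
# On later releases where state is the default, add "no state" to this rule.
pass out quick on $int_if inet proto udp from ($int_if) to $collector port 2055
```

A quick way to confirm the export is not being tracked is to watch `pfctl -ss` for a UDP state toward the collector port while pfflowd is running; none should appear.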
Download
pfflowd is available here: