Network troubleshooting with Netflow on Linux

Network troubleshooting: netflow collector

Netflow is usually associated with high-end networking appliances such as Cisco routers, but a Netflow probe and collector can also be set up on any Unix-like OS:

It can be used temporarily to troubleshoot a network issue, an attack, etc.

The machine to collect from

apt-get install fprobe-ulog # or any other package manager

Edit the config file and set the IP/hostname:port of the collector (usually port 9995).

Firewall rules to log the traffic:

iptables -A INPUT -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
iptables -A FORWARD -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
iptables -A OUTPUT -j ULOG --ulog-qthreshold 50 --ulog-cprange 48
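Once the three rules above are loaded it is worth verifying that every chain really is exporting, otherwise the collector quietly sees only part of the traffic. The following script is an added example, not part of the original page: it parses the rules in `iptables -S` (iptables-save syntax) and reports which of INPUT, FORWARD and OUTPUT has no ULOG rule. The listing in `SAMPLE_LISTING` is constructed for the example; on a live box pipe the real `iptables -S` output into the function. One caveat worth knowing: the ULOG target was removed from the kernel in Linux 3.17 (NFLOG replaced it), so on such kernels the rules above fail to load and the check reports all three chains as missing.

```shell
#!/bin/bash
# Added example (not from the original page): check that the ULOG export
# rules added to INPUT, FORWARD and OUTPUT are all present, by parsing the
# output of "iptables -S" read from stdin.

# Prints the chains (space separated) that have no "-j ULOG" rule.
# Exit status is 0 only when all three chains export.
missing_ulog_chains() {
    local listing chain missing=""
    listing="$(cat)"
    for chain in INPUT FORWARD OUTPUT; do
        # A matching rule looks like: -A INPUT ... -j ULOG ...
        if ! printf '%s\n' "$listing" | grep -q -- "^-A $chain .*-j ULOG"; then
            missing="$missing $chain"
        fi
    done
    missing="${missing# }"
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample listing: FORWARD traffic is not being exported.
SAMPLE_LISTING='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j ULOG --ulog-cprange 48 --ulog-qthreshold 50
-A OUTPUT -j ULOG --ulog-cprange 48 --ulog-qthreshold 50'

# Usage on a live system:   iptables -S | missing_ulog_chains
# Usage on the sample:       printf '%s\n' "$SAMPLE_LISTING" | missing_ulog_chains
if [ "$1" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_LISTING" | missing_ulog_chains
fi
```

The function only inspects the filter table, which is where the page's rules live; if you export from another table, run `iptables -t <table> -S` into it instead.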

The collector

apt-get install nfdump
vi /etc/default/nfdump
#...
nfcapd_start=yes

Troubleshoot

List the top records by bandwidth (bits per second) in a specific time window:

nfdump -R /var/cache/nfdump/nfcapd.201202271818 -s record/bps -n 20 \
  -o extended -t 2012/02/28.02:03:00-2012/02/28.02:08:00
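Picking the right nfcapd files by hand is error-prone when the window does not line up with the capture files. The script below is an added example, not from the original page: it rounds the start and end of a window down to the 5-minute nfcapd file that contains them, builds the same top-by-bps query as above with an `-R first:last` file range, and refuses reversed windows or malformed timestamps. It assumes nfcapd's default 5-minute rotation, the `/var/cache/nfdump` directory used above and the default `nfcapd.YYYYMMDDhhmm` file names.

```shell
#!/bin/bash
# Added example (not from the original page): compute which nfcapd files
# cover a troubleshooting window and build the "top records by bps" query.
# Assumes nfcapd rotates every 5 minutes (its default) into /var/cache/nfdump
# using the default nfcapd.YYYYMMDDhhmm file names.
NFDUMP_DIR="${NFDUMP_DIR:-/var/cache/nfdump}"

# nfcapd_bucket 2012/02/28.02:03:00  ->  nfcapd.201202280200
# Rounds an nfdump-style timestamp down to the 5-minute capture file
# that contains it. Rejects anything not in YYYY/MM/DD.hh:mm:ss form.
nfcapd_bucket() {
    local ts="$1" d hh mm
    case "$ts" in
        [0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9].[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
        *) echo "bad timestamp: $ts (want YYYY/MM/DD.hh:mm:ss)" >&2; return 1 ;;
    esac
    d="${ts%%.*}"                   # 2012/02/28
    hh="${ts#*.}"; hh="${hh%%:*}"   # 02
    mm="${ts#*:}"; mm="${mm%%:*}"   # 03
    mm=$(( 10#$mm / 5 * 5 ))        # 03 -> 0, 08 -> 5, 57 -> 55 (10# avoids octal)
    printf 'nfcapd.%s%s%02d\n' "${d//\//}" "$hh" "$mm"
}

# Prints the nfdump command for the window [start, end]: top N records by
# bits per second, extended output, reading only the files that cover it.
nfdump_top_bps() {
    local start="$1" end="$2" top="${3:-20}" first last
    case "$top" in ''|*[!0-9]*) echo "bad record count: $top" >&2; return 1 ;; esac
    first="$(nfcapd_bucket "$start")" || return 1
    last="$(nfcapd_bucket "$end")" || return 1
    # Timestamps in this format sort lexically, so a string comparison
    # catches a reversed window before nfdump is ever invoked.
    if [ "$end" \< "$start" ]; then
        echo "window end $end precedes start $start" >&2
        return 1
    fi
    printf 'nfdump -R %s/%s:%s -s record/bps -n %s -o extended -t %s-%s\n' \
        "$NFDUMP_DIR" "$first" "$last" "$top" "$start" "$end"
}

# Usage: ./nf_window.sh 2012/02/28.02:03:00 2012/02/28.02:08:00 [N]
# Runs the query when nfdump is installed, otherwise just prints it.
if [ "$#" -ge 2 ]; then
    cmd="$(nfdump_top_bps "$@")" || exit 1
    printf '%s\n' "$cmd"
    if command -v nfdump >/dev/null 2>&1; then
        # Unquoted on purpose: every token was validated above and contains no spaces.
        $cmd
    fi
fi
```

With the window from the example above this yields `-R /var/cache/nfdump/nfcapd.201202280200:nfcapd.201202280205`, i.e. only the two files that overlap 02:03 to 02:08 are read, which is much faster than scanning from an earlier file to the end of the directory.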