Nfdump netflow/sflow collector cookbook of examples


Start nfcapd netflow collector in a daemon mode listening on port 5001 with all extensions enabled and saving received netflow data into the named folder NFS-cisco-rtr
Read and print all records from a single file nfcapd.202004221040
Display cumulative statistics about all the flows in a records file
Read and print all records from a range of files, starting at nfcapd.202004221040 and up to but not including the current file still being written to nfcapd.current.xxxx
Print sessions where the source or destination IP is 8.8.8.8 from the file nfcapd.202004221040
Print sessions where the destination port is 53, the destination IP is 8.8.8.8, and the protocol is TCP
Show top 10 flows sorted by the bits per second statistics
Aggregate all flows to/from host 8.8.8.8 based on source IP
Calculate statistics for port 443 traffic and sort by bps to see bandwidth abusing hosts
Anonymize IP addresses in all the flows in the file, overwrite in-place
Find records in the time range of 12:19:00 - 12:20:00 matching the filter of protocol = UDP and port = 53
[Save nfdump output as CSV file to be imported and graphed in ...]

Start nfcapd netflow collector in a daemon mode listening on port 5001 with all extensions enabled and saving received netflow data into the named folder NFS-cisco-rtr

nfcapd -D -T all -n NFS-cisco-rtr,13.13.13.137,/var/flows/NFS-cisco-rtr -p 5001

Note: -D daemonises the collector, -T all enables all extensions, and -n takes ident,exporter IP,base directory, so 13.13.13.137 is the router that sends the flows. NetFlow over UDP carries no authentication: bind the listener to the interface facing the exporters (-b address) and firewall UDP 5001 down to the exporter addresses, otherwise anyone who can reach the port can inject flow records into the collection.

Read and print all records from a single file nfcapd.202004221040

nfdump -r nfcapd.202004221040

Display cumulative statistics about all the flows in a records file

nfdump -I -r nfcapd.202004221040 

Output:

Ident: NFS-cisco-rtr
Flows: 378330
Flows_tcp: 318586
Flows_udp: 54743
Flows_icmp: 3864
Flows_other: 1137
Packets: 11162669
Packets_tcp: 8681920
Packets_udp: 2163252
Packets_icmp: 34346
Packets_other: 283151
Bytes: 6315310484
Bytes_tcp: 5677222352
Bytes_udp: 467682299
Bytes_icmp: 3717079
Bytes_other: 166688754
First: 1587551972
Last: 1587552299
msec_first: 950
msec_last: 914
Sequence failures: 0

Read and print all records from a range of files, starting at nfcapd.202004221040 and up to but not including the current file still being written to nfcapd.current.1609

nfdump -R nfcapd.202004221040

Note: -R firstfile reads from firstfile to the last completed file in the directory; -R firstfile:lastfile bounds the range on both ends, and -R directory reads every file in that directory.

Print sessions where the source or destination IP is 8.8.8.8 from the file nfcapd.202004221040

nfdump -r nfcapd.202004221040 'host 8.8.8.8'

Print sessions where the destination port is 53, the destination IP is 8.8.8.8, and the protocol is TCP

nfdump -r nfcapd.202004221040 'dst ip 8.8.8.8 and dst port 53 and proto tcp'

Note: host 8.8.8.8 matches flows in either direction, dst ip (or dst host) matches only the destination address. Ordinary DNS queries use proto udp; port 53 over TCP is worth filtering separately, since that is where zone transfers and oversized responses show up.

Show top 10 flows sorted by the bits per second statistics

Note: -o extended adds the pps, bps and Bpp columns to the output; -n 10 limits the output to the top 10 rows; -O bps sorts the output by bits per second. Per-flow bps is bytes*8/duration, so very short flows dominate this ranking (every row below lasts 0.004 to 0.036 s); sort by bytes instead when looking for sustained volume.

nfdump -r nfcapd.202004221050 -n 10  -O bps -o extended 'host 8.8.8.8'

Output:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port     Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2020-04-22 12:19:58.824     0.004 TCP      44.30.248.239:443   ->     44.244.6.114:54044 ...AP...  16      141   204984    35250  410.0 M   1453     1
2020-04-22 12:22:37.845     0.004 TCP       175.68.86.47:80    ->     44.244.6.114:53717 ...AP... 128      133   184649    33250  369.3 M   1388     1
2020-04-22 12:20:37.844     0.004 TCP       175.68.86.47:80    ->     44.244.6.114:53717 ...AP... 128      133   184649    33250  369.3 M   1388     1
2020-04-22 12:24:37.845     0.004 TCP       175.68.86.47:80    ->     44.244.6.114:53717 ...AP... 128      132   184609    33000  369.2 M   1398     1
2020-04-22 12:22:59.517     0.008 TCP      44.244.195.12:443   ->     44.244.6.114:58302 ...AP...  16      212   302672    26500  302.7 M   1427     1
2020-04-22 12:23:15.541     0.036 TCP      44.244.195.12:443   ->     44.244.6.114:58302 ...AP...  16      915    1.3 M    25416  298.9 M   1469     1
2020-04-22 12:20:03.728     0.004 TCP        50.62.32.42:80    ->    216.88.40.116:52054 ...AP...  40       99   135345    24750  270.7 M   1367     1
2020-04-22 12:23:08.773     0.012 TCP      44.244.195.12:443   ->     44.244.6.114:58302 ...AP...  16      255   371935    21250  248.0 M   1458     1
2020-04-22 12:22:58.377     0.004 TCP        50.62.32.25:80    ->    216.88.40.116:52157 ...AP...   0       77   109616    19250  219.2 M   1423     1
2020-04-22 12:21:25.568     0.028 TCP     158.255.172.17:443   ->     44.244.6.114:55324 ...AP...  16      483   669748    17250  191.4 M   1386     1
IP addresses anonymised
Summary: total flows: 492540, total bytes: 7.4 G, total packets: 14.6 M, avg bps: 184.8 M, avg pps: 45237, avg bpp: 510
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.216s flows/second: 2277989.2  Wall: 0.404s flows/second: 1219146.3 

Aggregate all flows to/from host 8.8.8.8 based on source IP

nfdump -r nfcapd.202004221005 -A srcip ' host 8.8.8.8'
Date first seen          Duration       Src IP Addr   Packets    Bytes      bps    Bpp Flows
2020-04-22 10:05:01.183   241.032    113.166.180.142       122     6938      230     56   122
2020-04-22 10:05:00.915   295.020   18.113.121.204      1493    96860     2626     64    62
2020-04-22 10:05:03.819   289.848    18.113.43.130       750    63000     1738     84    54
2020-04-22 10:05:02.887   289.828    113.166.180.139       750    63000     1738     84    49
2020-04-22 10:05:01.455   295.148    113.166.180.138       812    50458     1367     62   810
2020-04-22 10:05:03.507   289.852    113.166.180.137       750    63000     1738     84    56
2020-04-22 10:04:55.799   300.484    89.12.212.116       417    33261      885     79   417
2020-04-22 10:05:00.667   289.868    113.166.180.141       750    63000     1738     84    55
2020-04-22 10:04:56.047   303.116           8.8.8.8      6730   768784    20290    114  1825
2020-04-22 10:05:01.127   291.740      113.166.88.58       886    70796     1941     79   172
Summary: total flows: 3622, total bytes: 1.3 M, total packets: 13460, avg bps: 33731, avg pps: 44, avg bpp: 95
Time window: 2020-04-22 10:04:37 - 2020-04-22 10:09:59
Total flows processed: 426270, Blocks skipped: 0, Bytes read: 34102112
Sys: 0.036s flows/second: 11784203.7 Wall: 0.036s flows/second: 11560177.9

Calculate statistics for port 443 traffic and sort by bps to see bandwidth-abusing hosts

nfdump -r nfcapd.202004220705 -s srcip/bps -s dstip/bps  ' port 443'

Note: -s takes stat/order (here srcip and dstip, both ordered by bps) and may be given more than once; -n changes the number of rows from the default of 10.

Output:

Top 10 Src IP Addr ordered by bps:
Date first seen          Duration Proto       Src IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2020-04-22 12:19:50.336   309.513 any      219.149.22.196     8957( 2.6)   995109(10.7)    1.3 G(21.6)     3215   34.2 M  1327
2020-04-22 12:19:50.336   309.361 any      219.149.22.201     8167( 2.4)   837173( 9.0)    1.1 G(18.1)     2706   28.6 M  1321
2020-04-22 12:19:37.828   322.081 any        44.244.6.114    58555(16.9)    2.1 M(22.3)  978.3 M(16.0)     6471   24.3 M   469
2020-04-22 12:21:31.120     0.496 any       128.73.82.164        6( 0.0)      958( 0.0)    1.3 M( 0.0)     1931   21.7 M  1406
2020-04-22 12:19:49.064   310.609 any       244.34.184.28     6849( 2.0)   411384( 4.4)  369.3 M( 6.0)     1324    9.5 M   897
2020-04-22 12:23:01.213     2.244 any      148.161.85.162        3( 0.0)     1322( 0.0)    1.9 M( 0.0)      589    6.9 M  1469
2020-04-22 12:19:49.860   309.909 any       244.34.184.29     4425( 1.3)   270828( 2.9)  250.0 M( 4.1)      873    6.5 M   922
2020-04-22 12:19:52.984   306.313 any      219.149.22.228    12205( 3.5)   245171( 2.6)  244.1 M( 4.0)      800    6.4 M   995
2020-04-22 12:21:08.360     6.460 any        92.34.211.23        4( 0.0)     3080( 0.0)    4.5 M( 0.1)      476    5.6 M  1472
2020-04-22 12:19:37.828   321.421 any      219.149.22.229    16208( 4.7)   252091( 2.7)  220.4 M( 3.6)      784    5.5 M   874

Top 10 Dst IP Addr ordered by bps:
Date first seen          Duration Proto       Dst IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2020-04-22 12:19:37.828   322.081 any        44.244.6.114    57453(16.6)    3.5 M(37.6)    3.1 G(51.2)    10892   77.8 M   893
2020-04-22 12:19:43.316   316.633 any       216.88.40.117    56198(16.2)    1.1 M(11.8)  939.0 M(15.4)     3470   23.7 M   854
2020-04-22 12:19:48.900   311.033 any       216.88.40.116    56349(16.3)    1.0 M(11.0)  835.6 M(13.7)     3295   21.5 M   815
2020-04-22 12:19:54.760   300.929 any      93.161.105.117      833( 0.2)    83367( 0.9)  108.3 M( 1.8)      277    2.9 M  1299
2020-04-22 12:19:47.736   310.013 any      210.249.165.16       89( 0.0)    79489( 0.9)   92.7 M( 1.5)      256    2.4 M  1165
2020-04-22 12:19:59.256   298.577 any        70.35.238.51      180( 0.1)   100020( 1.1)   85.8 M( 1.4)      334    2.3 M   858
2020-04-22 12:20:07.024     0.004 any      209.213.75.111        2( 0.0)       28( 0.0)     1120( 0.0)     7000    2.2 M    40
2020-04-22 12:21:16.636     0.004 any       216.88.58.165        2( 0.0)       22( 0.0)      968( 0.0)     5500    1.9 M    44
2020-04-22 12:19:59.472   299.353 any      207.176.46.233       94( 0.0)    42353( 0.5)   45.7 M( 0.7)      141    1.2 M  1079
2020-04-22 12:19:50.356   309.537 any      219.149.22.196     9055( 2.6)   274394( 2.9)   47.0 M( 0.8)      886    1.2 M   171

IP addresses anonymised
Summary: total flows: 346143, total bytes: 6.1 G, total packets: 9.3 M, avg bps: 151.8 M, avg pps: 28957, avg bpp: 655
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.139s flows/second: 3539124.8  Wall: 0.136s flows/second: 3598781.3 

Anonymize IP addresses in all the flows in the file, overwrite in-place

Use the nfanon tool bundled with nfdump. It needs a key, given with -K, that is either a random ASCII string of 32 characters or a hexadecimal string of 64 characters. The key drives the CryptoPAn prefix-preserving mapping: the same key always maps a given address to the same anonymised address, so reuse one key for every file you want to correlate, and treat it as a secret, because anyone holding it can recompute the mapping and recover the real addresses. nfanon rewrites only the IP addresses; ports, timestamps and counters are left as they are.

To generate a random 32-character key (16 bytes from /dev/urandom printed as hex):

dd if=/dev/urandom  bs=16 count=1  |  hexdump -v -e '/1 "%02X "' | tr -d ' ' ; echo

1+0 records in
1+0 records out
16 bytes copied, 0.000491685 s, 32.5 kB/s
E9C11DC6F92488E7A13A1F42EF6A9E87
nfanon -K E9C11DC6F92488E7A13A1F42EF6A9E87  -r nfcapd.202004220710
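Key handling is the part that goes wrong in practice: a fresh key per run breaks correlation between files, and a key left world-readable next to the flows defeats the anonymisation. The script below is an added example, not part of this page or of nfdump. It generates the key once into a mode-0600 file (the path $NFANON_KEYFILE is this script's own convention), validates it against the two formats described above, and anonymises a directory of nfcapd files into a separate directory using nfanon's -w so the originals are kept. It uses od rather than hexdump for portability. nfanon is only invoked by anon_dir and must be on PATH for that step.

```shell
#!/bin/sh
# Added example, not nfdump project code: key handling for nfanon.
# Assumptions: nfanon takes -K <key> -r <infile> -w <outfile>; the key file
# location $NFANON_KEYFILE is this script's own convention.
set -eu

NFANON_KEYFILE="${NFANON_KEYFILE:-${HOME:-.}/.nfanon.key}"

# 16 bytes from /dev/urandom as 32 hex characters; od is POSIX where hexdump is not.
gen_key() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
    echo
}

# The two formats nfanon -K accepts: 32 ASCII characters, or 64 hexadecimal characters.
valid_key() {
    case ${#1} in
        32) return 0 ;;
        64) printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{64}$' ;;
        *)  return 1 ;;
    esac
}

# Create the key file once (mode 0600) and print the key. Reusing one key keeps
# the CryptoPAn mapping stable, so an address anonymises the same way in every file.
ensure_key() {
    if [ ! -s "$NFANON_KEYFILE" ]; then
        (umask 077; gen_key > "$NFANON_KEYFILE")
    fi
    key=$(cat "$NFANON_KEYFILE")
    valid_key "$key" || { echo "unusable key in $NFANON_KEYFILE" >&2; return 1; }
    printf '%s' "$key"
}

# Anonymise every nfcapd.<timestamp> file in $1 into $2, leaving the originals intact.
anon_dir() {
    src=$1 dst=$2
    key=$(ensure_key)
    mkdir -p "$dst"
    for f in "$src"/nfcapd.[0-9]*; do
        [ -f "$f" ] || continue
        nfanon -K "$key" -r "$f" -w "$dst/$(basename "$f")"
    done
}

# Usage: ./nfanon-dir.sh /var/flows/NFS-cisco-rtr /var/flows/anon
if [ $# -eq 2 ]; then
    anon_dir "$1" "$2"
fi
```

Run it as a cron job on the collector and ship only the anonymised directory to wherever the flows are analysed; the key file stays on the collector.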

Find records in the time range of 12:19:00 - 12:20:00 matching the filter of protocol = UDP and port = 53

The -t option restricts the records to a time window given as YYYY/MM/DD.hh:mm:ss-YYYY/MM/DD.hh:mm:ss. The Time window line in the summary still reports the span of the whole file (12:19:37 - 12:24:59), not the window requested, so check the record timestamps rather than the summary.

 nfdump -r nfcapd.202004220920 -t 2020/04/22.12:19:00-2020/04/22.12:20:00 'port 53 and proto udp' 

Output:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2020-04-22 12:19:55.564     0.000 UDP      56.30.111.241:53    ->    216.88.40.117:64842        1      636     1
2020-04-22 12:19:55.564     0.000 UDP      216.88.40.117:64012 ->    158.174.33.78:53           1       81     1
2020-04-22 12:19:54.852     0.000 UDP      216.88.40.117:63044 ->      70.158.34.8:53           1       80     1
2020-04-22 12:19:55.712     0.000 UDP     219.154.149.77:53    ->    216.88.40.116:49880        1       89     1
2020-04-22 12:19:55.716     0.000 UDP      216.88.40.117:65172 ->   246.220.77.233:53           1       82     1
2020-04-22 12:19:55.152     0.000 UDP      216.88.40.117:63463 ->  177.234.225.103:53           1       79     1
2020-04-22 12:19:55.364     0.000 UDP      216.88.40.117:63493 ->       51.11.3.16:53           1       73     1
IP addresses anonymised
Summary: total flows: 7, total bytes: 1120, total packets: 7, avg bps: 10370, avg pps: 8, avg bpp: 160
Time window: 2020-04-22 12:19:37 - 2020-04-22 12:24:59
Total flows processed: 492540, Blocks skipped: 0, Bytes read: 39403680
Sys: 0.050s flows/second: 9713068.7  Wall: 0.048s flows/second: 10233959.4
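The port 443 statistics and the two port 53 filters above stop where nfdump's own aggregation stops. The following script is an added example, not part of this page or of nfdump: it post-processes nfdump's -o csv output with awk, totalling bytes per source address and flagging DNS queries sent to resolvers outside an allowlist (8.8.8.8 and 8.8.4.4 are assumed here). The sample records are constructed and cut to the first thirteen csv columns, using the column names nfdump 1.6 prints (ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt); the trailing Summary block is assumed to look like the one nfdump appends unless -q is given. The awk code looks columns up by header name, so column order in your version does not matter. The report_* wrappers need nfdump on PATH; everything else runs offline.

```shell
#!/bin/sh
# Added example, not nfdump project code: post-process `nfdump -o csv` with awk.
# Assumptions: csv header uses nfdump 1.6 column names (sa, da, dp, ibyt, ...);
# nfdump ends csv output with a "Summary" block; approved resolvers are 8.8.8.8, 8.8.4.4.
set -eu

# Constructed sample of `nfdump -o csv` output, cut to the first 13 columns.
SAMPLE_CSV=$(cat <<'EOF'
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2020-04-22 12:19:58.824,2020-04-22 12:19:58.828,0.004,44.30.248.239,44.244.6.114,443,54044,TCP,...AP...,0,16,141,204984
2020-04-22 12:19:55.564,2020-04-22 12:19:55.564,0.000,216.88.40.117,8.8.8.8,64012,53,UDP,........,0,0,1,81
2020-04-22 12:19:54.852,2020-04-22 12:19:54.852,0.000,216.88.40.117,70.158.34.8,63044,53,UDP,........,0,0,1,80
2020-04-22 12:19:55.152,2020-04-22 12:19:55.152,0.000,216.88.40.117,177.234.225.103,63463,53,UDP,........,0,0,1,79
2020-04-22 12:19:56.201,2020-04-22 12:19:56.201,0.000,216.88.40.117,70.158.34.8,63071,53,UDP,........,0,0,1,80
2020-04-22 12:19:55.716,2020-04-22 12:19:55.716,0.000,216.88.40.116,8.8.8.8,65172,53,UDP,........,0,0,1,82
2020-04-22 12:19:55.564,2020-04-22 12:19:55.564,0.000,56.30.111.241,216.88.40.117,53,64842,UDP,........,0,0,1,636
2020-04-22 12:22:59.517,2020-04-22 12:22:59.525,0.008,44.244.195.12,44.244.6.114,443,58302,TCP,...AP...,0,16,212,302672
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
8,508694,359,22036,1,1417
EOF
)

# Bytes per source address from csv on stdin: prints "bytes src", largest first.
top_src_bytes() {
    awk -F, '
        NR == 1    { for (i = 1; i <= NF; i++) col[$i] = i; sa = col["sa"]; ibyt = col["ibyt"]; next }
        /^Summary/ { exit }                  # summary block follows the records; END still runs
        NF < 3     { next }
        { bytes[$sa] += $ibyt }
        END { for (h in bytes) printf "%d %s\n", bytes[h], h }
    ' | sort -rn
}

# DNS queries (dst port 53) to resolvers outside the allowlist in $1 (space separated):
# prints "count client -> resolver", most frequent first. Reads csv on stdin.
rogue_dns() {
    awk -F, -v allow="$1" '
        BEGIN      { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1    { for (i = 1; i <= NF; i++) col[$i] = i; sa = col["sa"]; da = col["da"]; dp = col["dp"]; next }
        /^Summary/ { exit }
        NF < 3     { next }
        $dp == 53 && !($da in ok) { seen[$sa " -> " $da]++ }
        END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | sort -rn
}

# Wrappers for live data; they need nfdump on PATH and are not exercised offline.
report_top_src()   { nfdump -r "$1" -o csv 'port 443' | top_src_bytes | head -n 10; }
report_rogue_dns() { nfdump -r "$1" -o csv 'dst port 53' | rogue_dns "${2:-8.8.8.8 8.8.4.4}"; }

# Run both checks on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_CSV" | top_src_bytes | head -n 3
    printf '%s\n' "$SAMPLE_CSV" | rogue_dns "8.8.8.8 8.8.4.4"
}

demo
```

A client that keeps resolving through an unapproved resolver is either misconfigured or is tunnelling; either way it belongs on the list to check, and the allowlist is the only thing you need to maintain.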