goflowd is netflow probe like softflowd. It is written by golang. goflowd uses ietf-ipfix-psamp.yang standarized in RFC6728 data model for configuration. The yang model configuraiton is acheived by using openconfig/ygot.
./goflowd -c config.json
Configuration file is json based.
In following sample, the packets are read from enp0s3 interface and export flow to 192.168.1.1 port 4739. In this sample, FlowKeys are sourceIPv4Address, destinationIPv4Address, protocolIdentifier, sourceTransportPort, and destinationTransportPort.
If you want to use offline pcap file instead of online capture, you need to use offlineFile": "file name" instread of ifName": [ "interface name" ].
{
"observationPoint": [
{
"name": "pcap",
"observationDomainId": 1,
"ifName": [ "enp0s3" ],
"direction": "ingress",
"selectionProcess": [
"All"
]
}
],
"selectionProcess": [
{
"name": "All",
"selector": [
{
"name": "Select all",
"selectAll": [
null
]
}
],
"cache": "Flow cache"
}
],
"cache": [
{
"name": "Flow cache",
"timeoutCache": {
"maxFlows": 4096,
"activeTimeout": 5000,
"idleTimeout": 10000,
"cacheLayout": {
"cacheField": [
{
"name": "Field 1",
"ieName": "sourceIPv4Address",
"isFlowKey": [
null
]
},
{
"name": "Field 2",
"ieName": "destinationIPv4Address",
"isFlowKey": [
null
]
},
{
"name": "Field 3",
"ieName": "protocolIdentifier",
"isFlowKey": [
null
]
},
{
"name": "Field 4",
"ieName": "sourceTransportPort",
"isFlowKey": [
null
]
},
{
"name": "Field 5",
"ieName": "destinationTransportPort",
"isFlowKey": [
null
]
},
{
"name": "Field 6",
"ieName": "flowStartMilliseconds"
},
{
"name": "Field 7",
"ieName": "flowEndMilliseconds"
},
{
"name": "Field 8",
"ieName": "octetDeltaCount"
},
{
"name": "Field 9",
"ieName": "packetDeltaCount"
}
]
}
},
"exportingProcess": [
"UDP"
]
}
],
"exportingProcess": [
{
"name": "UDP",
"destination": [
{
"name": "UDP",
"udpExporter": {
"ipfixVersion": 10,
"destinationPort": 4739,
"destinationIPAddress": "192.168.1.1"
}
}
]
}
]
}
| Information Element ID | Information Element Name |
|---|---|
| 4 | protocolIdentifier |
| 5 | ipClassOfService |
| 7 | sourceTransportPort |
| 8 | sourceIPv4Address |
| 11 | destinationTransportPort |
| 12 | destinationIPv4Address |
| 27 | sourceIPv6Address |
| 28 | destinationIPv6Address |
| 31 | flowLabelIPv6 |
| 32 | icmpTypeCodeIPv4 |
| 54 | fragmentIdentification |
| 56 | sourceMacAddress |
| 57 | postDestinationMacAddress |
| 58 | vlanId |
| 60 | ipVersion |
| 139 | icmpTypeCodeIPv6 |
| 176 | icmpTypeIPv4 |
| 177 | icmpCodeIPv4 |
| 178 | icmpTypeIPv6 |
| 179 | icmpCodeIPv6 |
| 180 | udpSourcePort |
| 181 | udpDestinationPort |
| 182 | tcpSourcePort |
| 183 | tcpDestinationPort |
| 193 | nextHeaderIPv6 |
| 195 | ipDiffServCodePoint |
| 196 | ipPrecedence |
| Information Element ID | Information Element Name |
|---|---|
| 1 | octetDeltaCount |
| 2 | packetDeltaCount |
| 6 | tcpControlBits |
| 21 | flowEndSysUpTime |
| 22 | flowStartSysUpTime |
| 150 | flowStartSeconds |
| 151 | flowEndSeconds |
| 152 | flowStartMilliseconds |
| 153 | flowEndMilliseconds |
| softflowd | goflowd | |
|---|---|---|
| Online packet capture | supported | supported |
| Reading pcap file | supported(-r) | supported |
| PSAMP collector | supported(-R) | TODO |
| NetFlow version 1 export | supported(-v 1) | TODO |
| NetFlow version 5 export | supported(-v 5) | supported |
| NetFlow version 7 export | unsupported | TODO |
| NetFlow version 8 export | unsupported | TODO |
| NetFlow version 9 export | supported(-v 9) | TODO |
| IPFIX export | supported(-v 10) | supported |
| IPv6 support(v9,IPFIX) | supported(-6) | supported |
| Bidirectioal flow export | supported(-b) | TODO |
| PSAMP export | supported(-v PSAMP) | TODO |
| ntopng direct injection | supported(-v ntopng) | TODO |
| Flow export on UDP | supported(-P udp) | supported |
| Flow export on TCP | supported(-P tcp) | supported |
| Flow export on SCTP | supported(-P sctp) | TODO |
| Configuration | unsupported | supported |
| FlowKey Configuration | partially supported(-T) | supported |
| Count-based sampling | supported | supported |
| Time-based sampling | unsupported | supported |
- SCTP is mandatory in IPFIX (RFC7011), however go's net.Dial does not support SCTP. Hence, goflowd does not support SCTP export.
- Every packets exported by goflowd contain Template Set.
- Option Template has not implemented.