NetFlow Collector Software Overview
Posted by: Ben Uphoff in NetFlow for Security, Network Forensics, tags: compliance, data collection, netflow, software toolsNetFlow data remains a largely untapped resource for network security professionals. All modern routers support it yet in most cases, NetFlow is used for network operations management and QOS and then discarded. This is very unfortunate for security analysts who need flow data for a variety of security and compliance reasons. Good flow data is a fundamental aspect of any network forensics investigation. NetFlow data is appealing in that — for networks with routers that support it — it is free and easy to collect.
Luckily, there are several free NetFlow tools available to collect and store NetFlow data, often in a highly efficient compressed binary format. These tools vary greatly in terms of quality and support. The table below summarizes the free NetFlow tools available to network security analysts.
| Name | Version | Last Updated | License |
| NEye | 1.0.1 | February 6, 2005 | GNU-like |
| SiLK | 0.11.7 | September 6, 2007 | GNU |
| Flowd | 0.9 | March 4, 2006 | BSD-like |
| nfdump | 1.5.6 | August 8, 2007 | BSD |
| flow-tools | 0.68 | April 11, 2005 | Apache-like |
| Cflowd | 2.1.b1 | October 24, 2000 | GNU |
| EHNT | 0.4 | August 5, 2003 | GNU |
| Flowc | 1.6 | August 18, 2006 | Apache-like |
From personal experience, I have found SiLK, flow-tools and nfdump to be excellent solutions to capturing flow data. It is interesting to note that only two of the eight tools above have been updated in the last year. Future posts in BreachBytes will cover some of these tools in depth as well as look into performance comparisons of the tools.
Entries (RSS)