NetFlow


NetFlow is a suite of protocols for computing and relaying flow-level statistics. An exporter, such as a router or switch, aggregates packets into flow records and sends them to a collector.

VAST currently has native support only for NetFlow v5 and v9. Please get in touch if you need support for v7 or IPFIX.

Import

VAST can either act as a collector or parse binary NetFlow data from standard input. For the complete set of options, please consult the documentation for the netflow-v5 and netflow-v9 commands. (We use netflow-v5 in the examples below, but they also work with netflow-v9.)

Collector

The standard mode of operation is the collector mode, which opens a UDP listening socket at port 9995:

vast import netflow-v5

You can now point your exporter to the VAST collector, e.g., via nfreplay:

nfreplay < nflow.bin # Exports all records to 127.0.0.1:9995

File Input

If you have local binary NetFlow capture data, you can ingest it by passing the filename via -r:

vast import netflow-v5 -r nflow.bin

This method comes in handy when you already have binary captures from nfcapd or other sources that you want to feed into VAST.

Passing binary data via standard input requires explicitly specifying -r - on the command line. This behavior differs from other commands that primarily operate on log files, where the absence of -r automatically reads data from standard input.
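As an added illustration (not VAST's own code), here is a minimal Python parser for the NetFlow v5 packet layout that the netflow-v5 command consumes, run over a constructed two-flow export packet. The version and record-count checks are the ones a collector must apply before trusting anything that arrives over UDP.

```python
"""Parse NetFlow v5 export packets (the wire format `vast import netflow-v5` reads)."""
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte packet header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAX_RECORDS = 30  # a v5 packet carries at most 30 flow records


def parse_netflow_v5(data: bytes) -> dict:
    """Return header fields and the flow records of one v5 packet.

    Raises ValueError on malformed input instead of trusting the count field.
    """
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(data) != HEADER.size + count * RECORD.size:
        raise ValueError("record count disagrees with packet length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],                # dPkts, dOctets
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    # low 14 bits are the sampling interval, top 2 bits the sampling mode
    return {"sequence": seq, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def build_flow(src, dst, sport, dport, proto, packets, nbytes, flags=0) -> bytes:
    """Pack one flow record (helper for constructing sample input)."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0\0\0\0", 1, 2, packets, nbytes, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample packet (not captured data): sequence 42, two flows.
SAMPLE = (HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
          + build_flow("192.0.2.10", "198.51.100.5", 40000, 443, 6, 12, 4096, 0x1B)
          + build_flow("192.0.2.11", "198.51.100.53", 53012, 53, 17, 1, 73))

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE)["flows"]:
        print(flow)
```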