OpenWrt Forum Archive

Topic: Netflow exporter for OpenWrt?

The content of this topic has been archived on 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

In the (distant) past, I used fprobe with Cerowrt to act as a netflow exporter. (A note on terminology: a "netflow exporter" runs in a router and sends summary stats to a "netflow collector", such as ntop, for display.)

fprobe 1.1 was available in Barrier Breaker, but seems to have fallen out of the CC builds. Last known source bundle was at https://sourceforge.net/projects/fprobe/

Does anyone know whether fprobe still works? Can/will it be added to CC builds? Are there alternatives? Many thanks.

richbhanover wrote:

In the (distant) past, I used fprobe with Cerowrt to act as a netflow exporter. (A note on terminology: a "netflow exporter" runs in a router and sends summary stats to a "netflow collector", such as ntop, for display.)

fprobe 1.1 was available in Barrier Breaker, but seems to have fallen out of the CC builds. Last known source bundle was at https://sourceforge.net/projects/fprobe/

Does anyone know whether fprobe still works? Can/will it be added to CC builds? Are there alternatives? Many thanks.

What about pmacct?

milankocvara wrote:

What about pmacct?

Sorry to revive an old thread - do you use pmacct? Thanks.

richbhanover wrote:

Sorry to revive an old thread - do you use pmacct? Thanks.

Yes, I'm using pmacct on a different distro (Slackware).
I have tried it on my OpenWrt-based distro too. It takes a little bit more CPU on AA AR71x... (Not tested on BB or CC yet.) but it is working.

Or take a look into old packages for fprobe.

I use softflowd. There's a package in the packages feeds. Just works and does netflow v9

dl12345 wrote:

I use softflowd. There's a package in the packages feeds. Just works and does netflow v9

I tried installing it (v0.9.9 on CC 15.05.1) from LuCI, but don't see any data sent to the collector. Here's /etc/config/softflowd:

config softflowd
    option enabled        '1'
    option interface      'br-lan'
    option pcap_file      ''
    option timeout        ''
    option max_flows      '8192'
    option host_port      '192.168.254.5:2055'
    option pid_file       '/var/run/softflowd.pid'
    option control_socket '/var/run/softflowd.ctl'
    option export_version '5'
    option hoplimit       ''
    option tracking_level 'full'
    option track_ipv6     '0'
    option sampling_rate  '100'

Then I invoke with '/etc/init.d/softflowd restart'

ps shows this command is running:

/usr/sbin/softflowd -i br-lan -m 8192 -n 192.168.254.5:2055 -p /var/run/softflowd.pid -c /var/run/softflowd.ctl -v 5 -T full -s 100 -p /var/run/softflowd.pid

I have also tried with eth0 (my WAN port, not br-lan) with the same (non-)results.

Any thoughts about why I don't see any Netflow traffic on port 2055 of 192.168.254.5? Thanks.

(Last edited by richbhanover on 16 Nov 2016, 06:05)
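
Added example (not part of the original post, and not softflowd's own code): a small Python listener for the collector host that decodes NetFlow v5 datagrams, matching the export_version '5' and port 2055 in the config above, to confirm whether export packets arrive and parse. The sample datagram and its addresses are constructed; the field layout is the standard v5 header and record.

```python
import socket
import struct
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram; raise ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs,
     sequence, _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"version {version}, not 5 (v9 needs a template-aware parser)")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the record count in the header")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    # Low 14 bits of the last header field carry the sampling interval.
    return {"unix_secs": unix_secs, "sequence": sequence,
            "sampling_interval": sampling & 0x3FFF, "flows": flows}

def sample_datagram():
    """Constructed v5 datagram: one TCP flow 192.168.254.20:51514 -> 203.0.113.10:443."""
    header = V5_HEADER.pack(5, 1, 1000, 1479276300, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        IPv4Address("192.168.254.20").packed, IPv4Address("203.0.113.10").packed,
        bytes(4), 1, 2, 12, 3456, 100, 900, 51514, 443, 0, 0x1B, 6, 0, 0, 0, 0, 0, 0)
    return header + record

def listen(bind="0.0.0.0", port=2055):
    """Print every flow received on the collector port until interrupted."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            for flow in parse_v5(data)["flows"]:
                print(peer[0], flow)
        except ValueError as err:
            print(peer[0], "rejected:", err)

if __name__ == "__main__":
    listen()
```

If nothing is printed while LAN clients are generating traffic, the datagrams are not reaching the collector host; a "rejected" line means something arrived but was not a well-formed v5 export.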

richbhanover wrote:
dl12345 wrote:

I use softflowd. There's a package in the packages feeds. Just works and does netflow v9

I tried installing it (v0.9.9 on CC 15.05.1) from LuCI, but don't see any data sent to the collector. Here's /etc/config/softflowd:

.....

Any thoughts about why I don't see any Netflow traffic on port 2055 of 192.168.254.5? Thanks.

I seem to recall I also had problems with the default init script and config and so I wrote my own very simple hard-coded init script. Suggest you try invoking it manually and see if it works in manual mode. My command line is

/usr/sbin/softflowd -i br-lan -6 -v 9 -n 192.168.254.5:2055 -p /var/run/softflowd.pid

You definitely don't want it running on the WAN port, otherwise you're not going to be able to resolve the internal IPs - all you'll get is the appearance of every connection originating from your WAN IP. I'm running CERT NetSA Silk as the backend, which supports netflow v9 and ipv6.

I'm also on CC 15.05.1 and softflowd 0.9.9

My scripts

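#!/bin/sh /etc/rc.common
# Hard-coded init script for softflowd (no UCI config is read)

START=99

IFACE=br-lan                        # capture on the LAN bridge, not the WAN port
PORT=2055                           # collector UDP port
SERVER=192.168.254.5                # collector address
PIDFILE=/var/run/softflowd.pid
CTLFILE=/var/run/softflowd.ctl
SOFTFLOWD=/usr/sbin/softflowd
SOFTFLOWCTL=/usr/sbin/softflowctl

EXTRA_COMMANDS="status"
EXTRA_HELP="        status Show softflowd statistics"

reload()
{
    stop
    start
}

restart()
{
    reload
}

start()
{
    # Shut down any instance that is already running, then start a new one.
    # -6 tracks IPv6 flows as well; -v 9 exports NetFlow v9.
    "${SOFTFLOWCTL}" shutdown 2> /dev/null
    "${SOFTFLOWD}" -i "${IFACE}" -6 -v 9 -n "${SERVER}:${PORT}" -p "${PIDFILE}"
}

status()
{
    # Only query the daemon if its control socket exists
    [ -S "${CTLFILE}" ] && "${SOFTFLOWCTL}" statistics
}

stop()
{
    [ -S "${CTLFILE}" ] && {
        "${SOFTFLOWCTL}" shutdown
        # Clean up files left behind by the daemon
        rm -f "${PIDFILE}" 2> /dev/null
        rm -f "${CTLFILE}" 2> /dev/null
    }
}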

What backend are you using?

dl12345 wrote:

What backend are you using?

[Sorry to have taken so long to answer this question, but I've been doing a lot of research (see http://richb-hanover.com/netflow-collec … -networks/)]

I've been horsing around with Webview Netflow Reporter for the moment. I have it built as a Docker container, so it's easy to deploy on one of my always-on computers at home. You can get the Dockerfile at: https://github.com/richb-hanover/wvnetflow-dockerized

I'm successfully using softflowd in LEDE as my exporter. I have a question, though, about your config:

Why did you set the sampling_rate to 100 in your softflowd config? If I'm understanding the program, that would only look at every 100th packet (creating statistical samples of the flow information). This would make sense if the router were handling hundreds of thousands of packets a second, but at home, recording info for each packet isn't a burden. (I set it to "0" in my config...)

Please let me know what your backend Netflow Collector is. Thanks!

[EDIT: I see that the '100' was in my original config file. I'm not sure where that came from - it's certainly not required...]

(Last edited by richbhanover on 4 Jun 2017, 22:22)
