
How to Export Netflow Data From pfSense Using pfflowd

Understanding the amount and type of traffic passing through a network device is very useful for troubleshooting network problems, locating bandwidth hogs, and classifying traffic.

NetFlow is a protocol that allows a network device to transmit information about the traffic passing through it to an analyzer running at a remote location on the network.

This data contains several pieces of information, including source and destination IP addresses, the protocols in use, and port numbers.

Pfflowd allows a pfSense system to export PF status messages in a standard NetFlow format.

By making this data available in a standard format you can take advantage of the many different NetFlow analyzers available.

Installing the pfflowd Package

To begin exporting NetFlow data from pfSense you must first install the pfflowd package. The package can be installed by accessing the package manager found in the system menu.

Locate the pfflowd package and click the plus symbol button next to it to begin the installation.

Configuring pfflowd

Once the installation is complete the package needs to be configured. The configuration page for pfflowd can be found under the Services menu in the web interface.

Host - Enter the IP address of the computer you want to receive the NetFlow traffic data. This is the location where you will want to run the NetFlow analyzer client from.

Port - This setting controls the destination UDP port for the NetFlow datagrams. Most clients use port 2205 by default, so in most cases this is what you should enter.

Source Hostname / IP - This setting controls which interface the pfSense system will use to send the NetFlow packets from. Usually you'll want to enter the IP address of the LAN interface of the pfSense box. You can find the IP in the Status \ Interfaces menu.

pfSense Rule Direction Restriction - Leave this set to any to capture traffic in both directions. If desired you can capture a single direction of traffic.

NetFlow Version - Most clients should support version 9. If your NetFlow analyzer only supports an older version you can configure it with this setting.

Once you save the settings pfflowd will begin sending NetFlow packets to the destination IP address specified in the settings.
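To see what the exporter actually sends, here is a minimal collector, written as an added example rather than anything shipped with pfflowd or pfSense. It assumes the NetFlow Version setting above was set to 5 (the fixed-layout "older version", which is easy to decode by hand) and the Port setting to 2205; it decodes the header and the per-flow records, rejects truncated datagrams, and includes a constructed sample datagram so the parser can be exercised offline.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(datagram: bytes) -> list[dict]:
    """Decode one NetFlow v5 datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError(f"header announces {count} records but datagram is truncated")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[5]=packets f[6]=octets f[9]=srcport f[10]=dstport f[13]=protocol
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "proto": PROTO_NAMES.get(f[13], str(f[13])),
                      "sport": f[9], "dport": f[10], "packets": f[5], "bytes": f[6]})
    return flows


def build_sample_datagram() -> bytes:
    """Constructed test input (not a real capture): two flows from one LAN host."""
    def rec(src, dst, proto, sport, dport, pkts, octets):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                           1, 2, pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0,
                           0, 0, 24, 0, 0)
    header = HEADER.pack(5, 2, 12345, 1700000000, 0, 1, 0, 0, 0)  # version 5, two records
    return (header + rec("192.168.1.10", "203.0.113.5", 6, 51234, 443, 12, 4096)
            + rec("192.168.1.10", "192.168.1.1", 17, 40000, 53, 1, 64))


def collect(bind_ip="0.0.0.0", port=2205):
    """Listen on the UDP port configured under Services > pfflowd and print each flow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            for fl in parse_v5(data):
                print(f"{peer}: {fl['src']}:{fl['sport']} -> {fl['dst']}:{fl['dport']} "
                      f"{fl['proto']} {fl['packets']} pkts {fl['bytes']} bytes")


if __name__ == "__main__":
    for fl in parse_v5(build_sample_datagram()):  # offline demo on the constructed datagram
        print(fl)
```

Run `collect()` on the host entered in the Host field to watch live exports; the printed lines are exactly the source/destination, protocol and port fields the article lists.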

Enabling SNMP

Most NetFlow clients utilize SNMP to confirm connectivity to a host so I recommend enabling it before starting an analyzer client.

To modify the configuration, open the settings page under Services \ SNMP.

1. Click the 'Enable' checkbox to turn on the SNMP service.

2. Set a read-only community string. This is essentially a password used to access pfSense via SNMP.

3. Click save to apply the changes.

Viewing NetFlow Data

At this point pfSense is configured to stream NetFlow data in real time to the IP address which you configured earlier.

There are several NetFlow analyzers available to use. SolarWinds offers a free real time flow analyzer that does that job quite well.

After downloading and installing the SolarWinds analyzer click on the tools menu, then select add NetFlow device.

Enter the IP address of the pfSense machine running pfflowd, and the SNMP community string that matches the string on the system.

Selecting the Capture Interface

If the previous step was successful you should see a list of interfaces attached to the pfSense system running pfflowd.

To begin a flow capture session select the interface you're interested in and click on the start flow capture button.

In most cases you'll probably want to capture data from the LAN interface but in some situations WAN data is useful as well.

You can find the interface names associated with the LAN and WAN interfaces in the status \ interfaces menu.

NetFlow Data Analysis

Once the capture begins the analyzer will start displaying data for the traffic passing through pfSense on the interface you selected.

The SolarWinds analyzer can break down the traffic into applications, conversations, domains, endpoints, and protocols. The capture can also be saved and downloaded for later analysis.

Digging Deeper

Hopefully this hub has opened your eyes to the many uses of pfflowd and NetFlow data. NetFlow doesn't export the entire packet though, which makes it a poor choice for solving highly complex network problems.

If you do need to capture full Ethernet frames you can run Wireshark directly against pfSense, as well as download packet captures for offline analysis.

© 2013 Sam Kear



Comments (2)

eno 2 years ago

Helpful post - Thanks for sharing!


snailkhan 12 months ago

Thanks for the article. I tried to follow it on pfSense 2.2.5 and it doesn't have pfflowd but softflowd. I tried to configure it but when I start to capture in the real-time analyzer on any interface it says NetFlow not enabled..

can you please update the article to pfsense 2.2.5 ?

here is my thread on pfsense forums regarding it.

https://forum.pfsense.org/index.php?topic=102831.m...
