Publishing netflow data with Sensors

[Ref: OpenBSD 4.8 amd64, 4.9 amd64 & i386]

Sensors on Edge Devices publish netflow data as a directed UDP broadcast.

On switching appliances, such as Cisco and Juniper, the sensor is normally installed or configurable on the device. Various software tools exist for Unix, including softflowd which is available in the OpenBSD Package Collection.

OpenBSD supports the netflow sensor framework in the default base install configuration through a pseudo network device pflow(4) and the Firewall Packet Filter pf.conf(5). Enabling netflow sensor publication is through configuration.

Our sample sensor configuration will use the below interpretation of the above sample network layout.

ItemDetailsDescription
Sensor IP-Address 10.0.0.1 The IP-Address from where **sensor will broadcast** netflow packets. The IP-Address will also be used by the **collector to identify** traffic origination (which sensor broadcast which netflow packet.)
Collector IP-Address 10.0.0.2 The Collector IP-Address where the netflow packets will be captured. This IP-Address is used by the **sensor to direct** the UDP packet.
UDP Port 12345 The UDP port number on which netflow packets are sent. By using different UDP ports for different sensors, a collector can alternatively differentiate multiple sensors.

We do not concern ourselves with other sensor devices, and this documentation is singularly focused on OpenBSD sensors using:

  1. pflow(4) pseudo-device, and
  2. Packet Filter

Time Configuration

Network analysis is a time sensitive venture, make sure that the clocks on your sensors and collectors are synchronised or you will confuse everyone with the timelines of your logs, analysis, reports.

1. pflow(4) pseudo-device

[Ref: pflow(4) ifconfig(8)]

From the manpage:

The pflow interface is a pseudo-device which exports pflow accounting
data from the kernel using udp(4) packets.  

...

Only states created by a rule marked with the pflow keyword are exported
by the pflow interface.

To configure the pflow pseudo-interface to export netflow data from the current machine (10.0.0.1) to an external collector at host 10.0.0.2 at port 12345, use a command-line such as the following:

$ sudo ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:12345

To ensure the above command-line is set during each host restart set in the interface start up configuration file.

File: /etc/hostname.pflow0

flowsrc 10.0.0.1 flowdst 10.0.0.2:12345
2. Packet Filter pf.conf(5).

As per the pflow(4) and pf.conf(5) the 'pflow' keyword must be used in the Packet Filter for netflow v5 data to be exported from the 'sensor.'

From the manpage, the pflow keyword:

pflow
   States created by this rule are exported on the pflow(4) interface.

For example, to specify 'pflow' for a specific rule: /etc/pf.conf

pass in on $myinf keep state pflow

To set 'pflow' as the default for all state actions in the ruleset: /etc/pf.conf

set state-defaults pflow

Of course, after changing any of the above (whether the interface configuration or the Packet Filter flow) we must restart the Packet Filter.

$ sudo pfctl -nf /etc/pf.conf && sudo pfctl -f /etc/pf.conf
<!--(end)-->