shield-wall-net/goflow2

GoFlow2

NOTE: this is a fork of GoFlow2 that was modified for usage on ShieldWall systems! Only version 1.3.x is meant to be used.

This application is a NetFlow/IPFIX/sFlow collector in Go.

It gathers network information (IP addresses, interfaces, routers) from different flow protocols and serializes it in a common format.

You will want to use GoFlow if you:

  • Receive a large volume of network samples and need horizontal scalability
  • Have protocol diversity and need a consistent output format
  • Require raw samples so you can build your own aggregation and custom enrichment

This software is the entry point of a pipeline. Storage, transport, enrichment, graphing and alerting are not provided.

(Figure: GoFlow2 system diagram)

Get started

To read about agents that sample network traffic, check this page.

To set up the collector, download the latest release for your OS and run the following command (the release binaries carry a version suffix):

$ ./goflow2

By default, this command launches an sFlow collector on port 6343 and a NetFlowV9/IPFIX collector on port 2055.

By default, the samples received are printed in JSON format on stdout:

{
  "Type": "SFLOW_5",
  "TimeFlowEnd": 1621820000,
  "TimeFlowStart": 1621820000,
  "TimeReceived": 1621820000,
  "Bytes": 70,
  "Packets": 1,
  "SamplingRate": 100,
  "SamplerAddress": "192.168.1.254",
  "DstAddr": "10.0.0.1",
  "DstMac": "ff:ff:ff:ff:ff:ff",
  "SrcAddr": "192.168.1.1",
  "SrcMac": "ff:ff:ff:ff:ff:ff",
  "InIf": 1,
  "OutIf": 2,
  "Etype": 2048,
  "EtypeName": "IPv4",
  "Proto": 6,
  "ProtoName": "TCP",
  "SrcPort": 443,
  "DstPort": 46344,
  "FragmentId": 54044,
  "FragmentOffset": 16384,
  ...
  "IPTTL": 64,
  "IPTos": 0,
  "TCPFlags": 16
}

If you are using a log integration (e.g. Loki with Promtail, Splunk, Fluentd, Google Cloud Logs, etc.), write the output to a file:

$ ./goflow2 -transport.file /var/logs/goflow2.log

You can filter the output with the -format.selector flag. Only the listed fields are forwarded:

$ ./goflow2 -format.selector TimeReceived,TimeFlowStartMs,TimeFlowEndMs,Bytes,EtypeName,ProtoName,SrcAddr,DstAddr,SrcPort,DstPort

The selector also lets you include additional derived fields:

  • EtypeName
  • ProtoName
  • IcmpName
  • TcpFlagsName
  • FlowDirectionName (in/out)
  • FlowTypeName (only if flow source is localhost; inbound/outbound/forward)
  • InIfName (only if flow source is localhost)
  • OutIfName (only if flow source is localhost)
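Consumers of the file output above get one JSON object per line, and the Bytes value of an sFlow or sampled NetFlow record is only the sampled amount; multiplying by SamplingRate gives the estimated real traffic. The following Go program is an added example (not part of the GoFlow2 or ShieldWall code) that reads such records, scales them by their sampling rate and sums the estimate per source address; the log lines embedded in it are constructed, and the Flow struct, sampleLog constant and EstimatedBytesBySrc function are names chosen here.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Flow holds the subset of GoFlow2's default JSON fields used here (names match the output above).
type Flow struct {
	Type         string `json:"Type"`
	TimeReceived int64  `json:"TimeReceived"`
	Bytes        uint64 `json:"Bytes"`
	SamplingRate uint64 `json:"SamplingRate"`
	SrcAddr      string `json:"SrcAddr"`
	DstPort      uint16 `json:"DstPort"`
}

// sampleLog is a constructed stand-in for goflow2 -transport.file output (one JSON object per line).
const sampleLog = `{"Type":"SFLOW_5","TimeReceived":1621820000,"Bytes":70,"SamplingRate":100,"SrcAddr":"192.168.1.1","DstPort":46344}
{"Type":"SFLOW_5","TimeReceived":1621820001,"Bytes":1500,"SamplingRate":100,"SrcAddr":"192.168.1.1","DstPort":443}
{"Type":"NETFLOW_V9","TimeReceived":1621820002,"Bytes":4000,"SamplingRate":1,"SrcAddr":"10.0.0.5","DstPort":53}
`

// EstimatedBytesBySrc scales each record's Bytes by its SamplingRate (0 is treated as
// unsampled, i.e. 1) and sums the estimate per source address. A malformed line aborts
// the run instead of being silently skipped, so a broken pipeline is noticed.
func EstimatedBytesBySrc(r io.Reader) (map[string]uint64, error) {
	totals := map[string]uint64{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var f Flow
		if err := json.Unmarshal([]byte(line), &f); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		rate := f.SamplingRate
		if rate == 0 {
			rate = 1
		}
		totals[f.SrcAddr] += f.Bytes * rate
	}
	return totals, sc.Err()
}
```

To run it against a real collector file, pass an opened /var/logs/goflow2.log instead of strings.NewReader(sampleLog).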

License

Licensed under the BSD-3 License.
