Tacppd has a built-in NetFlow information collector. NetFlow is a Cisco(R) technology used in Cisco devices to provide information about IP traffic. The router generates UDP packets with information about data flows, and a server can accumulate them for accounting and billing. The main problem is the volume of information. Usually we cannot log these NetFlow packets directly: the log files become too large, and processing them requires too many resources. Tacppd has a simple aggregation system: it collects flow information in memory for 15 minutes and writes only the aggregated information to the database. In future versions we plan to add a mechanism that provides detailed logs for configured IP addresses, but currently only aggregated data is written. This greatly reduces data volume and makes billing and normal accounting of traffic possible on a per-IP basis.
See tacpp.conf.orig or use the CLI to configure the NetFlow collector. The log file with NetFlow information has a name like nf20011116.log and is recreated every day.
The log file format differs depending on the NetFlow packet version.
ip_addr IP addr of router which sends NetFlow information
version version of NetFlow packets
SysUptime time in msecs since router booted
unix_secs current time in seconds since 0000 UTC 1970
unix_nsecs residual nanoseconds since 0000 UTC 1970
First SysUptime at start of flow
Last SysUptime of last packet of the flow
protocol IP protocol, 6-TCP, 17-UDP, 1-ICMP
srcaddr ip source addr
srcport TCP/UDP source port number
dstaddr ip destination addr
dstport TCP/UDP destination port
nexthop next hop router's IP addr
input input interface index
output output interface index
dPkts packets sent in time between First and Last
dOctets octets sent in time between First and Last
format v5:
ip_addr IP addr of router which sends NetFlow information
version version of NetFlow packets
SysUptime time in msecs since router booted
unix_secs current time in seconds since 0000 UTC 1970
unix_nsecs residual nanoseconds since 0000 UTC 1970
flow_sequence sequence number of total flows seen
engine_type type of flow switching engine (RP,VIP,etc)
engine_id slot number of flow switching engine
First SysUptime at start of flow
Last SysUptime of last packet of the flow
protocol IP protocol, 6-TCP, 17-UDP, 1-ICMP
srcaddr ip source addr
srcport TCP/UDP source port number
dstaddr ip destination addr
dstport TCP/UDP destination port
nexthop next hop router's IP addr
input input interface index
output output interface index
dPkts packets sent in time between First and Last
dOctets octets sent in time between First and Last
src_as source peer/origin Autonomous System
dst_as destination peer/origin Autonomous System
src_mask source route's mask bits
dst_mask destination route's mask bits
tos IP Type-of-Service
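
The 15-minute in-memory aggregation described at the top of this page, applied to the v5 fields listed above, can be sketched as follows. This is an added example, not tacppd's own code: parse_v5, Aggregator and build_sample are hypothetical names, and it assumes traffic is accounted by srcaddr in windows aligned on unix_secs. Because NetFlow arrives as unauthenticated UDP, the parser rejects datagrams whose record count exceeds the bytes actually received.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")   # 48-byte v5 flow record
WINDOW = 15 * 60                                      # aggregation window (s)

def parse_v5(datagram):
    """Return (unix_secs, flows); raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    version, count, _, unix_secs, *_rest = HEADER.unpack_from(datagram)
    # Untrusted UDP input: never trust count beyond the bytes received.
    if version != 5 or not 1 <= count <= 30:
        raise ValueError("bad version or count")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append((socket.inet_ntoa(f[0]), f[5], f[6]))  # srcaddr, dPkts, dOctets
    return unix_secs, flows

class Aggregator:
    def __init__(self):
        self.totals = defaultdict(lambda: [0, 0])  # (window, ip) -> [pkts, octets]

    def add(self, datagram):
        unix_secs, flows = parse_v5(datagram)
        window = unix_secs - unix_secs % WINDOW
        for ip, pkts, octets in flows:             # assumption: account by srcaddr
            row = self.totals[(window, ip)]
            row[0] += pkts
            row[1] += octets

    def flush(self, now):
        """Pop rows of windows that ended by `now`: the only data persisted."""
        done = sorted(k for k in self.totals if k[0] + WINDOW <= now)
        return [(w, ip, *self.totals.pop((w, ip))) for w, ip in done]

def build_sample(unix_secs, flows):
    """Constructed datagram for testing; flows = [(src, dst, pkts, octets)]."""
    out = HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    zero = socket.inet_aton("0.0.0.0")
    for src, dst, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), zero,
                           0, 0, pkts, octets, 0, 0, 1024, 80, 0, 6, 0, 0, 0, 0, 0)
    return out
```

Each flush returns one row per window and address, which is where the reduction in data volume comes from.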