jflow - Java-based Netflow Processing

jflow is a set of Java classes for collecting and analyzing NetFlow data. NetFlow is a Cisco invention for monitoring traffic flows inside a network.

jflow supports version 5 and 6 NetFlow packets. It is multithreaded and designed primarily to do real-time traffic accounting and analysis. All flows entering the Collector are processed in two steps:

Filtering: The goal of this stage is to reduce the number of flows. If a flow matches one of the freely pluggable filters, this flow will be ignored and not taken to the accounting step.
Accounting: All flows not matching one of the filters are run through the accounting modules where the actual traffic accounting or analysis takes place.

Please note that jflow does not offer a lot of fancy features, it probably never will. It was designed as a building block for traffic accounting, network monitoring and anomaly detection.

Performance

jflow is currently being used for real-time traffic accounting in networks carrying up to 100 Mbps of data. Performance has never been an issue so far. Of course, it depends on what you want to do with the data.

Using the jflow Classes

Using the jflow classes is relatively simple:

Define your filtering and accounting modules by implementing the interface nettrack.net.netflow.Filter and nettrack.net.netflow.Accountant.
Create an instance of nettrack.net.netflow.Collector.
Attach to the collector either a V5FlowHandler or a V6FlowHandler, depending on the NetFlow version you will be using.
Attach to this handler your filtering and accounting modules.
Start the collector using the start method. Note that the collector is multithreaded. Calling start will start collecting in the background, the call will return immediately.

Examples

jflow is not a complete software tool for using NetFlow data, but rather a set of classes that can help you to write such tools. The examples/ directory contains examples that explain how to use the classes.

print: Print Flows

V5Printer collects version 5 NetFlow data and prints it to the console. It takes the source address of the NetFlow probe as argument:

$ java -cp print.jar:../../lib/jflow.jar V5Print [source]

ipaccount: Per IP Address Accounting

V5IpAccount shows how per-ip address accounting can be done using the jflow classes. It takes as arguments the ip address of the NetFlow probe, and a subnet in network/mask format and does traffic accounting for all the ip addresses in the selected network. Every five seconds, it prints the results:

$ java -cp ipaccount.jar:../../lib/jflow.jar V5IpAccount [source] [network/mask]

recorder: NetFlow Record and Replay

V5Record collects version 5 NetFlow data and dumps it into a file:

$ java -cp recorder.jar:../../lib/jflow.jar V5Record flows.dump

Using V5Replay, this data can now be sent to a host. Just specify the host and port, as well as the timing in milliseconds. To send the data at 100 ms intervals, launch V5Replay as follows:

$ java -cp recorder.jar:../../lib/jflow.jar V5Replay flows.dump [host] [port] 100

License

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

$Id: README.html,v 1.4 2007-04-24 13:26:25 oli Exp $