The Netflow/IPFIX/sFlow collector Xenoeye 25.02 has been released. The collector gathers traffic-flow statistics from various network devices using the Netflow v5, Netflow v9, IPFIX and sFlow protocols. The project's core is written in C, and the code is distributed under the ISC license.
The collector aggregates network traffic by selected fields and exports the data to PostgreSQL. Reports, graphs (using gnuplot or Python scripts with Matplotlib) and Grafana dashboards can be built from this data. In addition, the collector can run user scripts when traffic exceeds or drops below configured thresholds.
Current traffic rates are calculated with moving averages. The threshold-monitoring mechanism is designed to detect DoS/DDoS attacks and to trigger mitigation via BGP announcements (Flowspec or blackhole). An example Telegram bot script is included with the collector to deliver anomaly notifications over the messenger. The collector is resource-efficient and can handle the traffic of a small network on a Raspberry Pi or Orange Pi, or on a virtual machine with 2-4 GB of RAM.
Changes in the new version:
- Added support for the sFlow protocol, which allows network packets to be parsed and DNS and TLS (HTTPS) SNI information to be extracted. Data center administrators can use this feature to combat phishing and to assess which domains and sites are used on the network.
- Added support for nested/hierarchical monitoring objects, which simplifies configurations with a large number of objects and improves processing efficiency compared to a "flat" list of monitoring objects.
- Added the ability to classify interfaces, allowing selected network interfaces on routers or switches to be ignored or processed differently.
- Added the ability to monitor traffic dropping below a threshold, which is useful for indirect monitoring of individual servers or services.
- Added the ability to change traffic thresholds without restarting the collector, so that thresholds can be calculated automatically from the previous period's statistics.
- Added an LXC container for quick deployment and testing of the collector, including pre-installed monitoring objects, PostgreSQL, and Grafana.
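As an added illustration of the threshold mechanism described above (moving averages, a script fired when traffic crosses a threshold in either direction, and thresholds derived from a previous period and changed at runtime), here is a stand-alone Python sketch. It is not Xenoeye's code or script interface; the class, function names and sample rates are constructed for the example.

```python
from collections import deque
from statistics import mean
from typing import Callable, Iterable, List, Tuple

# Illustration of a sliding-average threshold monitor; added example code,
# not Xenoeye's own implementation or its user-script interface.
class ThresholdMonitor:
    def __init__(self, window: int, high: float, low: float,
                 on_cross: Callable[[str, float], None]) -> None:
        self.samples = deque(maxlen=window)   # last `window` per-second rates
        self.high, self.low = high, low
        self.on_cross = on_cross              # stands in for the user script
        self.state = "normal"                 # "normal", "above" or "below"

    def set_thresholds(self, high: float, low: float) -> None:
        """Change thresholds on the fly without recreating the monitor."""
        self.high, self.low = high, low

    def average(self) -> float:
        return mean(self.samples) if self.samples else 0.0

    def push(self, rate: float) -> str:
        """Add one sample; call on_cross once when the average changes state."""
        self.samples.append(rate)
        avg = self.average()
        new = "above" if avg > self.high else "below" if avg < self.low else "normal"
        if new != self.state:          # fire only on a crossing, not every sample
            self.on_cross(new, avg)
            self.state = new
        return new

def derive_thresholds(history: Iterable[float], high_factor: float = 2.0,
                      low_factor: float = 0.2) -> Tuple[float, float]:
    """High/low thresholds as multiples of the previous period's mean rate."""
    base = mean(history)
    return base * high_factor, base * low_factor

def run_samples(samples: Iterable[float], window: int = 3, high: float = 1000.0,
                low: float = 100.0) -> List[Tuple[str, int]]:
    """Feed rates through a monitor and return the crossing events it produced."""
    events: List[Tuple[str, int]] = []
    mon = ThresholdMonitor(window, high, low,
                           lambda state, avg: events.append((state, round(avg))))
    for rate in samples:
        mon.push(rate)
    return events

if __name__ == "__main__":
    rates = [500, 520, 480, 5000, 6000, 7000, 500, 480, 0, 0, 0]  # constructed: steady, burst, silence
    high, low = derive_thresholds(rates[:3])        # (1000.0, 100.0)
    print(run_samples(rates, high=high, low=low))   # [('above', 2000), ('normal', 327), ('below', 0)]
```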