requirements
jflow is built on libnids. My development environment is OpenBSD.
jflow features
jflow reads traffic through libnids and builds NetFlow v1 records from it. Below, the exported datagrams (UDP port 5000) are decoded with tcpdump's NetFlow printer (-T cnfp):
$ sudo tcpdump -lni fxp0 -s1500 -Tcnfp udp port 5000
11:21:50.256833 NetFlow v1, 611.550 uptime, 1095175310.000000000, 2 recs
started 7209.020, last 536870.912
65.205.8.103:80 > 192.168.7.190:37116 >> 0.0.0.0
6 tos 0, 623 (623 octets)
started 1103956.071, last 167772.606
192.168.7.190:37116 > 65.205.8.103:80 >> 0.0.0.0
6 tos 0, 4851 (4851 octets)
...
11:21:58.578965 NetFlow v1, 626.438 uptime, 1095175810.000000000, 1 recs
started 1893728.316, last 2220884.028
192.168.7.160:137 > 192.168.7.255:137 >> 0.0.0.0
17 tos 0, 1 (50 octets) (ttl 64, id 8693)
NOTE
this code is NOT suitable for real-world use; it contains a number of
flaws that make its output inaccurate.
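Added example, not part of jflow or of this page: a NetFlow v1 encoder/decoder in Python showing the datagram layout that jflow emits and that tcpdump decodes above. parse_v1_datagram() rejects datagrams whose version, record count and length do not agree, and check_record() reports records that a genuine exporter would not produce, for instance flow timestamps that lie beyond the exporter's own SysUptime (compare "last 536870.912" with "611.550 uptime" in the capture above). The flows, ports, counts and timestamps in the sample are constructed for the example.

```python
"""NetFlow v1 datagram encoder/decoder with exporter sanity checks (added example).

Wire layout, all fields big-endian:
  header (16 bytes): version, count, SysUptime ms, unix_secs, unix_nsecs
  record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                     First ms, Last ms, srcport, dstport, pad, prot, tos, tcp_flags, pad
"""
import struct
from ipaddress import IPv4Address

V1_HEADER = struct.Struct("!HHIII")
V1_RECORD = struct.Struct("!4s4s4sHHIIIIHHHBBB7s")
V1_MAX_RECORDS = 24  # a v1 export datagram carries at most 24 flow records


def build_v1_datagram(uptime_ms, unix_secs, unix_nsecs, flows):
    """Encode flow dicts into one NetFlow v1 datagram."""
    if len(flows) > V1_MAX_RECORDS:
        raise ValueError("too many records for one v1 datagram")
    out = bytearray(V1_HEADER.pack(1, len(flows), uptime_ms, unix_secs, unix_nsecs))
    for f in flows:
        out += V1_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed,
            IPv4Address(f.get("nexthop", "0.0.0.0")).packed,
            f.get("input", 0), f.get("output", 0),
            f["packets"], f["octets"], f["first_ms"], f["last_ms"],
            f["sport"], f["dport"], 0,
            f["proto"], f.get("tos", 0), f.get("tcp_flags", 0), b"\0" * 7)
    return bytes(out)


def parse_v1_datagram(data):
    """Decode a datagram into (header, records); structural problems raise ValueError."""
    if len(data) < V1_HEADER.size:
        raise ValueError("datagram shorter than a v1 header")
    version, count, uptime_ms, unix_secs, unix_nsecs = V1_HEADER.unpack_from(data)
    if version != 1:
        raise ValueError(f"version {version}, expected 1")
    if count > V1_MAX_RECORDS:
        raise ValueError(f"count {count} exceeds the v1 maximum of {V1_MAX_RECORDS}")
    expected = V1_HEADER.size + count * V1_RECORD.size
    if len(data) != expected:
        # count disagreeing with the payload length is the classic sign of a
        # broken or hostile exporter; never index records on count alone
        raise ValueError(f"count {count} implies {expected} bytes, got {len(data)}")
    header = {"uptime_ms": uptime_ms, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs}
    records = []
    for i in range(count):
        (src, dst, nexthop, inp, outp, pkts, octets, first, last,
         sport, dport, _pad1, proto, tos, flags, _pad2) = V1_RECORD.unpack_from(
            data, V1_HEADER.size + i * V1_RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "input": inp, "output": outp,
            "packets": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": flags})
    return header, records


def check_record(header, rec):
    """Plausibility checks on a decoded record; returns a list of problems."""
    problems = []
    if rec["last_ms"] < rec["first_ms"]:
        problems.append("flow ends before it starts")
    if rec["last_ms"] > header["uptime_ms"]:
        # First/Last are exporter SysUptime values, so they cannot lie in its future
        problems.append("flow timestamps exceed exporter SysUptime")
    if rec["packets"] == 0:
        problems.append("zero packets")
    elif rec["octets"] < 20 * rec["packets"]:
        # dOctets counts layer-3 bytes; a minimal IPv4 header alone is 20 bytes
        problems.append("fewer than 20 octets per packet")
    return problems


def format_record(rec):
    """Render a record in the style of tcpdump's cnfp output."""
    return (f'{rec["src"]}:{rec["sport"]} > {rec["dst"]}:{rec["dport"]} >> {rec["nexthop"]}\n'
            f'{rec["proto"]} tos {rec["tos"]}, {rec["packets"]} ({rec["octets"]} octets)')


# Constructed sample: one plausible flow and one whose Last timestamp lies far
# beyond the exporter uptime, the anomaly visible in the capture above.
SAMPLE_FLOWS = [
    {"src": "192.168.7.190", "dst": "65.205.8.103", "sport": 37116, "dport": 80,
     "proto": 6, "packets": 12, "octets": 4851, "first_ms": 600_000, "last_ms": 611_000},
    {"src": "65.205.8.103", "dst": "192.168.7.190", "sport": 80, "dport": 37116,
     "proto": 6, "packets": 5, "octets": 623, "first_ms": 7_209_020, "last_ms": 536_870_912},
]


def sample_datagram():
    """The constructed sample encoded as one v1 datagram (exporter uptime 611.550 s)."""
    return build_v1_datagram(611_550, 1_095_175_310, 0, SAMPLE_FLOWS)


if __name__ == "__main__":
    hdr, recs = parse_v1_datagram(sample_datagram())
    for r in recs:
        print(format_record(r))
        for problem in check_record(hdr, r):
            print("  !", problem)
```

To apply this to live export, bind a UDP socket on the export port, pass each received datagram to parse_v1_datagram(), and log the problems check_record() returns; a collector that trusts the count field without the length check is exactly the kind of code that falls over on the malformed datagrams a flawed exporter emits.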
download
jflow-0.1.tar.gz
license
BSD, 3-clause
useful NetFlow stuff for security