requirements

my development environment is OpenBSD.

jflow features

jflow takes traffic read via libnids and constructs NetFlow v1 records from it, as seen here by tcpdump decoding the exported datagrams:
$ sudo tcpdump -lni fxp0 -s1500 -Tcnfp udp port 5000 
11:21:50.256833 NetFlow v1, 611.550 uptime, 1095175310.000000000,  2 recs
  started 7209.020, last 536870.912
    65.205.8.103:80 > 192.168.7.190:37116 >> 0.0.0.0
    6 tos 0, 623 (623 octets)
  started 1103956.071, last 167772.606
    192.168.7.190:37116 > 65.205.8.103:80 >> 0.0.0.0
    6 tos 0, 4851 (4851 octets)
...
11:21:58.578965 NetFlow v1, 626.438 uptime, 1095175810.000000000,  1 recs
  started 1893728.316, last 2220884.028
    192.168.7.160:137 > 192.168.7.255:137 >> 0.0.0.0
    17 tos 0, 1 (50 octets) (ttl 64, id 8693)
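An added example, not jflow's own code, of the v1 wire format tcpdump is decoding above: it packs flow records into a NetFlow v1 export datagram and parses them back, checking the advertised record count against the datagram length so a truncated or forged export is rejected rather than over-read. Field offsets follow the Cisco v1 layout (16-byte header, 48-byte records); the struct and function names are this example's own.

```c
/* Added example (not jflow's code): NetFlow v1 export datagram pack/parse.
 * Header: version(2) count(2) sysUptime(4) unix_secs(4) unix_nsecs(4). */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#define NF1_HDR 16
#define NF1_REC 48
struct nf1_rec {
    uint32_t src, dst, nexthop, pkts, octets, first, last; /* addrs host order; first/last = sysUptime ms */
    uint16_t sport, dport; uint8_t proto, tos, tcp_flags;
};
static void put32(uint8_t *p, uint32_t v) { v = htonl(v); memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { v = htons(v); memcpy(p, &v, 2); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }

/* Write header + n records; returns bytes written, 0 if buf is too small or n is not 1..24. */
size_t nf1_encode(uint8_t *buf, size_t cap, uint32_t uptime_ms, uint32_t unix_secs, const struct nf1_rec *r, int n)
{
    size_t need = NF1_HDR + (size_t)n * NF1_REC;
    if (n < 1 || n > 24 || cap < need) return 0;
    memset(buf, 0, need);                        /* pad fields and unix_nsecs stay zero */
    put16(buf, 1); put16(buf + 2, (uint16_t)n); put32(buf + 4, uptime_ms); put32(buf + 8, unix_secs);
    for (int i = 0; i < n; i++) {
        uint8_t *p = buf + NF1_HDR + i * NF1_REC;
        put32(p, r[i].src); put32(p + 4, r[i].dst); put32(p + 8, r[i].nexthop); /* input/output ifindex = 0 */
        put32(p + 16, r[i].pkts); put32(p + 20, r[i].octets);
        put32(p + 24, r[i].first); put32(p + 28, r[i].last);
        put16(p + 32, r[i].sport); put16(p + 34, r[i].dport);
        p[38] = r[i].proto; p[39] = r[i].tos; p[40] = r[i].tcp_flags;
    }
    return need;
}

/* Extract record i; -1 if not v1, i is past the advertised count, or len is shorter than that count implies. */
int nf1_decode(const uint8_t *buf, size_t len, int i, struct nf1_rec *r)
{
    if (len < NF1_HDR || get16(buf) != 1) return -1;
    int n = get16(buf + 2);
    if (i < 0 || i >= n || len < NF1_HDR + (size_t)n * NF1_REC) return -1; /* count vs. actual length */
    const uint8_t *p = buf + NF1_HDR + i * NF1_REC;
    r->src = get32(p); r->dst = get32(p + 4); r->nexthop = get32(p + 8);
    r->pkts = get32(p + 16); r->octets = get32(p + 20); r->first = get32(p + 24); r->last = get32(p + 28);
    r->sport = get16(p + 32); r->dport = get16(p + 34);
    r->proto = p[38]; r->tos = p[39]; r->tcp_flags = p[40];
    return 0;
}
```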

NOTE

this code is NOT suitable for real-world use; it contains a number of flaws that make it inaccurate.

download

jflow-0.1.tar.gz

license

BSD, 3 clause

useful NetFlow stuff for security