FastNetMon supports many different implementations of the standard Netflow protocol:
- Netflow v5
- Netflow v9
- Netflow Lite
- Inline monitoring services
Also, it supports many vendor-specific implementations (the list isn’t complete):
You can enable the Netflow plugin this way:
sudo fcli set main netflow enable
Specify the port for Netflow capture (2055 is the default port for the Netflow protocol). You may add multiple ports if you prefer:
sudo fcli set main netflow_ports 2055
Then specify the interface to listen on (0.0.0.0 is the default):
sudo fcli set main netflow_host 0.0.0.0
If you run any kind of firewall on your network or on the server with FastNetMon itself, you will need to allow traffic on the ports you’ve added towards the machine running FastNetMon.
FastNetMon can automatically extract the sampling rate from Netflow v5, v9 and IPFIX, but in some rare cases you should specify it explicitly:
sudo fcli set main netflow_sampling_ratio 1
sudo fcli set main netflow_custom_sampling_ratio_enable enable
Also, you should carefully review the active and inactive timeouts on the Netflow agent side and set them to the smallest possible values that do not overload your hardware. Then take the larger of the two values and use it, in seconds, for the average_calculation_time option. Without these changes FastNetMon could calculate traffic bandwidth incorrectly:
sudo fcli set main average_calculation_time XXX
You can confirm that the router uses the correct flow duration using this command:
sudo fcli show system_counters|grep duration
Apply the changes and restart the daemon:
sudo fcli commit
After these steps you need to configure Netflow / IPFIX on the agent’s side (switch, router, server) to send to the configured port.
We have detailed guides for the following vendors:
If you’re unhappy with the attack detection speed or traffic accuracy provided by the IPFIX and Netflow protocols, we recommend checking this page about alternative options.
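To see what an exporter actually puts on the wire for the sampling rate and flow duration settings discussed above, the following added example parses a single Netflow v5 datagram. It is not FastNetMon code: `inspect_v5` and the `SAMPLE` datagram are constructed for illustration, and only Netflow v5 is handled.

```python
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte Netflow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def inspect_v5(datagram: bytes) -> dict:
    """Report the sampling rate and longest flow duration in one v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a Netflow v5 header")
    version, count, *_, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not Netflow v5 (version field is {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count in header exceeds datagram length")

    # Last header field: top 2 bits are the sampling mode,
    # low 14 bits are the sampling interval (1 packet in N).
    rate = sampling & 0x3FFF
    longest_ms = 0
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        fields = V5_RECORD.unpack_from(datagram, offset)
        first, last = fields[7], fields[8]  # SysUptime (ms) at flow start / end
        longest_ms = max(longest_ms, (last - first) & 0xFFFFFFFF)
    return {
        "records": count,
        "sampling_rate": rate,
        # False means the exporter reported no rate; if it does sample,
        # netflow_sampling_ratio has to be set explicitly.
        "sampling_reported": rate != 0,
        # Should stay at or below the active timeout set on the exporter.
        "longest_flow_seconds": longest_ms / 1000,
    }


# Constructed sample: one TCP flow lasting 30 s, exporter reporting 1-in-1024.
SAMPLE = V5_HEADER.pack(5, 1, 90_000, 0, 0, 1, 0, 0, (1 << 14) | 1024) + V5_RECORD.pack(
    bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), bytes(4),
    1, 2, 10, 8400, 60_000, 90_000, 51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)

if __name__ == "__main__":
    print(inspect_v5(SAMPLE))
```

Feed it the UDP payload of a datagram captured from your exporter; flow durations well above the configured active timeout indicate that the timeout setting on the agent did not take effect.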