Lib.rs

Network programming
#netflow #ipfix #sflow

app ez_netflow_cli

EZ-Netflow is an all-in-one netflow server and library that's really easy to use. This is the CLI crate, which creates the ready-to-go executable that includes the netflow server and automatic output of data in table format in the console. If you want to incorporate the server into your code check out ez-netflow-lib.

Owned by vektorprime.

2 releases

new 0.1.1 Mar 22, 2025
0.1.0 Mar 22, 2025

#545 in Network programming

MIT license

84KB
1.5K SLoC

EZ-Netflow

This is a netflow server (receiver) built in Rust. It automatically displays stats about the flows it receives and stores the information. Just run ez_netflow.exe to start listening and displaying data.

Goals

  • Be lightweight
  • Be easy to use (simple)
  • Portable (no installation)

EXAMPLE OUTPUT: image

How to use

  1. Download the release
  2. Run the .exe
    • A config file and file-based DB are automatically created
    • It will listen on UDP 2055
  3. Grab the config template from the "Cisco Router Example Config" section
  4. Customize it for your device (change IP and interfaces)
  5. Configure it on your device
    • on a Cisco router that means applying the "flow monitor" to one or multiple interfaces
  6. Wait for netflow data to populate the table
    • The screen will auto-update every 5 seconds
    • Usually 60 seconds is enough time to get output

Config

The config can be modified through config.ini. The file is automatically created with default settings if it doesn't exist.

Currently, these options are available.

database_file_or_mem: {file | mem},
flows_to_display: {int between 1-300),
sort_flows_by_bytes_or_packets: {bytes | packets},
show_only_unicast: {true | false},

Deleting the config.ini will restore the defaults as

database_file_or_mem: file,
flows_to_display: 30,
sort_flows_by_bytes_or_packets: bytes,
show_only_unicast: false,

Database

The storage of flow data can be in db (sqlite) or in memory (volatile). When saved in db, the sqlite db file is named eznf_db.sqlite. To wipe the db, delete the eznf_db.sqlite file and restart ez_netflow.exe.

Cisco Router Example Config


flow exporter NetExporter
 destination <IP OF EZNETFLOW SERVER>
 source <optional but good idea to specify source int>
 transport udp 2055
 template data timeout 30
 !30 is ideal above, but any value will do

flow record NetIPv4
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect counter bytes
 collect counter packets
 collect datalink mac destination address input
!last line is optional and used to look for broadcast traffic that comes in on the interface


flow monitor NetMonitor
 exporter NetExporter
 cache timeout inactive 60
 cache timeout active 60
 record NetIPv4

!apply it on an interface, e.g. Gi3
interface GigabitEthernet3
 ip flow monitor NetMonitor input
 ip flow monitor NetMonitor output

Limitations

These limitations are being worked on.

  • Only supports flexible netflow.
  • Only supports IPv4.
  • Requires waiting for an initial template (template data timeout in flow exporter config) before processing flows.

More Screenshots

Here's the output of setting "show_only_unicast: true" image

Dependencies

~33MB
~549K SLoC