Capturing sFlow Traffic

This guide explains how to configure OpFlow to ingest sFlow data using sfcapd instead of the default nfcapd collector.

Important Considerations

  1. Collector Exclusivity:

    • You cannot run sfcapd and nfcapd simultaneously if they write to the same directory

    • OpFlow can only read from one directory

    • OpFlow can therefore ingest either sFlow or NetFlow, not both at the same time

  2. GUI Behavior:

    • The OpFlow GUI monitors for the nfcapd daemon by default

    • Even when sfcapd is collecting flows correctly, the GUI may show warnings about nfcapd being unavailable

    • These warnings can be safely ignored if sfcapd is running properly

    • To clear the warning you can also keep nfcapd running but pointed at a different directory, such as /var/lib/nfdump, so the two collectors never share an output directory

Directory Configuration Options

There are two options for the flow collection directory. Decide which one you want before installation:

Option 1: Use Existing nfcapd Directory

If you want to use the default /var/cache/nfdump directory:

  1. Stop (and disable) the nfcapd service before starting sfcapd, so the two collectors never write to the same directory

  2. Use the default path in sfcapd configuration

  3. No changes needed to opCommon.json

Option 2: Use Separate Directory

To maintain separate directories for NetFlow and sFlow:

  1. Configure sfcapd to use an alternate directory. In sfcapd.service, change the -l parameter:

    ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid

  2. Update the OpFlow configuration. Edit opCommon.json:

    sudo nano /usr/local/omk/conf/opCommon.json

    and change the flow directory parameter to:

    "<opFlow_dir>": "/var/lib/nfdump"

This second option allows you to keep nfcapd running with its original configuration while collecting sFlow data separately.
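The exclusivity rule above is easy to violate by accident when both units already exist. The following POSIX shell pre-flight check is an added example, not part of the OpFlow documentation: it reads the -l directory from each collector's systemd unit and reports a conflict when nfcapd and sfcapd would write the same directory. The unit contents are constructed samples, and the assumption that each ExecStart passes a space-separated `-l <dir>` option (as the sfcapd line on this page does) is mine, not the page's.

```shell
#!/bin/sh
# Added example (not from the OpFlow documentation): pre-flight check that the
# nfcapd and sfcapd units do not both point -l at the same flow directory.
# Assumption: each collector is a systemd unit whose ExecStart line passes the
# output directory as a space-separated "-l <dir>" option, as on this page.

# collector_dir UNITFILE: print the directory after -l on the ExecStart line
collector_dir() {
    sed -n 's/^ExecStart=.*[[:space:]]-l[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# check_collector_conflict NFCAPD_UNIT SFCAPD_UNIT
#   returns 0 when the directories differ, 1 when they collide, 2 when -l is missing
check_collector_conflict() {
    nf_dir=$(collector_dir "$1")
    sf_dir=$(collector_dir "$2")
    if [ -z "$nf_dir" ] || [ -z "$sf_dir" ]; then
        echo "could not read -l from $1 or $2" >&2
        return 2
    fi
    if [ "$nf_dir" = "$sf_dir" ]; then
        echo "CONFLICT: nfcapd and sfcapd both write $nf_dir; stop one collector or move its -l" >&2
        return 1
    fi
    echo "ok: nfcapd -> $nf_dir, sfcapd -> $sf_dir"
}

# Constructed sample units (not the distribution's real files) to show both outcomes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nfcapd.service" <<'EOF'
[Service]
ExecStart=/usr/bin/nfcapd -D -l /var/cache/nfdump -p 9995 -P /run/nfcapd.pid
EOF
cat > "$demo_dir/sfcapd-option1.service" <<'EOF'
[Service]
ExecStart=/usr/bin/sfcapd -D -T all -l /var/cache/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
EOF
cat > "$demo_dir/sfcapd-option2.service" <<'EOF'
[Service]
ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
EOF

# Option 1 (shared directory): reports a conflict, so nfcapd must be stopped first
check_collector_conflict "$demo_dir/nfcapd.service" "$demo_dir/sfcapd-option1.service" || true
# Option 2 (separate directory): both collectors may run side by side
check_collector_conflict "$demo_dir/nfcapd.service" "$demo_dir/sfcapd-option2.service" || true
rm -rf "$demo_dir"
```

On a real host, point the two arguments at the installed units (for example /lib/systemd/system/nfcapd.service and /etc/systemd/system/sfcapd.service) and run the check before enabling sfcapd.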

Installation

For Debian/Ubuntu Systems

sudo apt-get update
sudo apt-get install nfdump-sflow

For RHEL/CentOS Systems


Configuration Steps

Create a new systemd service file:

Add the following content:

Start sfcapd service:
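The three steps above (create the unit, fill it in, start the service), worked through as an added example that is not the page's own unit file. It generates a systemd unit around the sfcapd command line documented on this page and installs it. Everything beyond that command line is my assumption: Type=forking with a PIDFile (because -D makes sfcapd daemonize), a network-online dependency, Restart=on-failure, and the unit path /etc/systemd/system/sfcapd.service.

```shell
#!/bin/sh
# Added example (not the page's own unit file): generate and install a systemd
# unit for sfcapd using the command line documented on this page.
# Assumptions not stated on the page: Type=forking + PIDFile (sfcapd -D forks),
# a network-online dependency, Restart=on-failure, and the unit path
# /etc/systemd/system/sfcapd.service.

# sfcapd_unit FLOWDIR: print the unit text for a collector writing to FLOWDIR
sfcapd_unit() {
    cat <<EOF
[Unit]
Description=sfcapd sFlow collector for OpFlow
After=network-online.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/run/sfcapd.pid
ExecStart=/usr/bin/sfcapd -D -T all -l $1 -t 120 -p 6343 -P /run/sfcapd.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# write_sfcapd_unit FLOWDIR [UNITDIR]: write sfcapd.service into UNITDIR
# (default /etc/systemd/system) and print the path of the written file
write_sfcapd_unit() {
    unit_dir="${2:-/etc/systemd/system}"
    mkdir -p "$unit_dir"
    sfcapd_unit "$1" > "$unit_dir/sfcapd.service"
    echo "$unit_dir/sfcapd.service"
}

# Install only when invoked as:  sudo sh sfcapd-unit.sh install [FLOWDIR]
# Option 1 keeps the default /var/cache/nfdump; Option 2 passes /var/lib/nfdump.
if [ "${1:-}" = install ]; then
    flow_dir="${2:-/var/cache/nfdump}"
    mkdir -p "$flow_dir"
    unit=$(write_sfcapd_unit "$flow_dir")
    systemctl daemon-reload
    systemctl enable --now sfcapd
    systemctl --no-pager status sfcapd
    echo "installed $unit"
else
    # Default action: show the unit that would be written, without touching the system
    sfcapd_unit "${1:-/var/cache/nfdump}"
fi
```

Running the same ExecStart command without -D keeps sfcapd in the foreground, which is the form to use when starting it by hand for a quick test. If you chose Option 1, make sure nfcapd is stopped before `systemctl enable --now sfcapd`.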

Command Line Parameters Explained

The sfcapd command uses these parameters:

  • -D: Run as daemon

  • -T all: Store all available record extensions in the flow files, not just the base fields

  • -l /var/cache/nfdump: Output directory for flow data

  • -t 120: Rotate to a new flow file every 120 seconds

  • -p 6343: Listen on UDP port 6343 (standard sFlow port)

  • -P /run/sfcapd.pid: PID file location

Manual Start Option

If you prefer to run sfcapd manually instead of as a service:

Troubleshooting

  1. Agent IP Display:

    • If the agent IP shows as 0.0.0.0, sfcapd may not have been started with the flags needed to record the agent (exporter) address; compare the running command line with the parameters listed above

Verifying Operations:
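As an added example (not from the OpFlow documentation), the checks a practitioner would run to confirm sfcapd is actually collecting: a live process behind the PID file, a UDP listener on the sFlow port, and flow files in the collection directory that are still being written. Assumptions not on the page: sfcapd names its output files nfcapd.YYYYMMDDhhmm in the same way nfcapd does, and the nfdump and ss utilities are installed.

```shell
#!/bin/sh
# Added example (not from the OpFlow documentation): health checks for a running
# sfcapd collector. Assumptions not on the page: output files are named
# nfcapd.YYYYMMDDhhmm like nfcapd's, and nfdump/ss are installed.

FLOW_DIR="${FLOW_DIR:-/var/cache/nfdump}"
PID_FILE="${PID_FILE:-/run/sfcapd.pid}"
SFLOW_PORT="${SFLOW_PORT:-6343}"

# pidfile_alive PIDFILE: succeed if the PID recorded in PIDFILE is a live process
pidfile_alive() {
    [ -r "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# flow_files_fresh DIR MAXMIN: succeed if a flow file in DIR changed in the last
# MAXMIN minutes. With -t 120 a file is cut every 2 minutes, so 5 minutes of
# silence means no flows are landing.
flow_files_fresh() {
    [ -n "$(find "$1" -maxdepth 1 -name 'nfcapd.*' -mmin "-$2" 2>/dev/null | head -n 1)" ]
}

# newest_flow_file DIR: print the most recently modified flow file (empty if none)
newest_flow_file() {
    ls -t "$1"/nfcapd.* 2>/dev/null | head -n 1
}

# verify_sfcapd: run all checks, print one line per check, return 1 if any fails
verify_sfcapd() {
    status=0
    if pidfile_alive "$PID_FILE"; then
        echo "ok   sfcapd pid $(cat "$PID_FILE") is running"
    else
        echo "FAIL no live process from $PID_FILE"; status=1
    fi
    if ss -ulnp 2>/dev/null | grep -q ":$SFLOW_PORT "; then
        echo "ok   a UDP listener is bound on port $SFLOW_PORT"
    else
        echo "FAIL nothing bound to UDP $SFLOW_PORT (check -p and host firewall)"; status=1
    fi
    if flow_files_fresh "$FLOW_DIR" 5; then
        echo "ok   recent flow file: $(newest_flow_file "$FLOW_DIR")"
        # Decode a few records to confirm the files contain usable flows
        nfdump -R "$FLOW_DIR" -c 5 2>/dev/null || echo "warn nfdump could not read $FLOW_DIR"
    else
        echo "FAIL no flow file in $FLOW_DIR touched in 5 minutes (is the switch exporting to this host?)"; status=1
    fi
    return $status
}

# Run the checks only when invoked with "check":  sudo sh verify-sfcapd.sh check
if [ "${1:-}" = check ]; then
    verify_sfcapd
fi
```

Set FLOW_DIR=/var/lib/nfdump when running the checks against an Option 2 install. A passing listener check with a failing freshness check usually means the switch is not exporting to this host or a firewall is dropping UDP 6343.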

Notes

  • The default flow collection directory is /var/cache/nfdump

  • While the GUI may show warnings about nfcapd if it is stopped, sFlow data collection will continue to work

  • sfcapd and nfcapd can't write to the same directory simultaneously, and OpFlow reads only one directory, so both flow types cannot be ingested into OpFlow concurrently