This guide explains how to configure OpFlow to ingest sFlow data using sfcapd instead of the default nfcapd collector.
Important Considerations
Collector Exclusivity:
You cannot run sfcapd and nfcapd simultaneously if they write to the same directory
OpFlow can only read from one directory
You must choose between sFlow OR NetFlow collection, not both
GUI Behavior:
The OpFlow GUI monitors for the nfcapd daemon by default
Even when sfcapd is collecting flows correctly, the GUI may show warnings about nfcapd being unavailable
These warnings can be safely ignored if sfcapd is running properly
You can also start nfcapd and have it write to another directory, such as /var/lib/nfdump, to remove the warning
Directory Configuration Options
You have two options for configuring the flow collection directory. Decide which one to use before installation:
Option 1: Use Existing nfcapd Directory
If you want to use the default /var/cache/nfdump directory:
Stop the nfcapd service before starting sfcapd
Use the default path in sfcapd configuration
No changes needed to opCommon.json
Option 2: Use Separate Directory
To maintain separate directories for NetFlow and sFlow:
Configure sfcapd to use an alternate directory:
# In sfcapd.service, change the -l parameter:
ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
Update OpFlow configuration:
# Edit opCommon.json
sudo nano /usr/local/omk/conf/opCommon.json
# Change the flow directory parameter to:
"<opFlow_dir>": "/var/lib/nfdump"
This second option allows you to keep nfcapd running with its original configuration while collecting sFlow data separately.
Installation
For Debian/Ubuntu Systems
sudo apt-get update
sudo apt-get install nfdump-sflow
For RHEL/CentOS Systems
# Install EPEL repository if not already installed, should be after NMIS install
sudo yum install epel-release
# Install nfdump with sflow support
sudo yum install nfdump-sflow
Configuration Steps
Create a new systemd service file:
sudo nano /etc/systemd/system/sfcapd.service
Add the following content:
[Unit]
Description=sfcapd sFlow collector
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/sfcapd -D -T all -l /var/cache/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
PIDFile=/run/sfcapd.pid
Restart=always

[Install]
WantedBy=multi-user.target
Start sfcapd service:
sudo systemctl daemon-reload
sudo systemctl enable sfcapd
sudo systemctl start sfcapd
Command Line Parameters Explained
The sfcapd command uses these parameters:
-D: Run as daemon
-T all: Capture all flow types
-l /var/cache/nfdump: Output directory for flow data
-t 120: Create new file every 120 seconds
-p 6343: Listen on UDP port 6343 (standard sFlow port)
-P /run/sfcapd.pid: PID file location
Manual Start Option
If you prefer to run sfcapd manually instead of as a service:
sudo sfcapd -D -T all -l /var/cache/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
Troubleshooting
Agent IP Display:
If agent IP shows as 0.0.0.0, this may indicate sfcapd wasn't started with proper flags for agent IP identification
Verifying Operations:
# Check if sfcapd is running
sudo systemctl status sfcapd
# Check it's running on the correct port
sudo lsof -i :<port>
# Check you're receiving packets on the correct port
sudo tcpdump -i any udp port <port> -n
# View real-time log entries
sudo journalctl -u sfcapd -f
# Check for flow files being created
ls -l /var/cache/nfdump
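The directory rules under Collector Exclusivity and Directory Configuration Options can also be checked from the unit files before sfcapd is started. The script below is an added example, not part of OpFlow or nfdump: the function names, the nfcapd ExecStart line and the sample files are constructed for illustration, and it assumes the flow directory appears in opCommon.json as a quoted string.

```shell
#!/bin/sh
# Added example (not OpFlow or nfdump code): checks the collector layout rules above.

# Print the directory passed to -l on the ExecStart line of a systemd unit file.
collector_dir() {
    sed -n 's/^ExecStart=.*[[:space:]]-l[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Args: sfcapd unit, nfcapd unit, opCommon.json, nfcapd state ("active" or other).
# On a live host the state would come from: systemctl is-active nfcapd
# Returns 0 if the layout is consistent, 1 on a shared directory with nfcapd
# running, 2 if no -l directory is found, 3 if opCommon.json lacks the sfcapd path.
check_layout() {
    sf_dir=$(collector_dir "$1")
    nf_dir=$(collector_dir "$2")
    if [ -z "$sf_dir" ]; then
        echo "ERROR: no -l directory found in $1"; return 2
    fi
    if [ "$4" = "active" ] && [ "$sf_dir" = "$nf_dir" ]; then
        echo "CONFLICT: sfcapd and nfcapd both write to $sf_dir"; return 1
    fi
    # Assumption: the directory appears in opCommon.json as a quoted JSON string.
    if ! grep -qF -- "\"$sf_dir\"" "$3"; then
        echo "MISMATCH: $3 does not reference $sf_dir"; return 3
    fi
    echo "OK: sfcapd writes to $sf_dir, OpFlow reads from it"
}

# Constructed sample files modelled on Option 2; the nfcapd line is hypothetical.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid' \
        > "$d/sfcapd.service"
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/bin/nfcapd -D -l /var/cache/nfdump -p 9995' > "$d/nfcapd.service"
    printf '%s\n' '{ "<opFlow_dir>": "/var/lib/nfdump" }' > "$d/opCommon.json"
    echo "$d"
}

samples=$(make_samples)
check_layout "$samples/sfcapd.service" "$samples/nfcapd.service" \
    "$samples/opCommon.json" active || true
```

With Option 1 the same check passes only when nfcapd is reported as stopped, which matches the requirement to stop nfcapd before starting sfcapd on the shared directory.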
Notes
The default flow collection directory is /var/cache/nfdump
While the GUI may show warnings about nfcapd if it is stopped, sFlow data collection will continue to work
sfcapd and nfcapd can't write to the same directory simultaneously, so we cannot ingest both concurrently into OpFlow