Capturing sFlow Traffic

This guide explains how to configure OpFlow to ingest sFlow data using sfcapd instead of the default nfcapd collector.

Important Considerations

  1. Collector Exclusivity:

    • You cannot run sfcapd and nfcapd simultaneously if they write to the same directory

    • OpFlow can only read from one directory

    • You must choose between sFlow OR NetFlow collection, not both

  2. GUI Behavior:

    • The OpFlow GUI monitors for the nfcapd daemon by default

    • Even when sfcapd is collecting flows correctly, the GUI may show warnings about nfcapd being unavailable

    • These warnings can be safely ignored if sfcapd is running properly

    • To remove the warning, you can also start nfcapd and have it write to another directory, such as /var/lib/nfdump

Directory Configuration Options

You have two options for configuring the flow collection directory. Decide which one to use before installation:

Option 1: Use Existing nfcapd Directory

If you want to use the default /var/cache/nfdump directory:

  1. Stop the nfcapd service before starting sfcapd

  2. Use the default path in sfcapd configuration

  3. No changes needed to opCommon.json

Option 2: Use Separate Directory

To maintain separate directories for NetFlow and sFlow:

  1. Configure sfcapd to use an alternate directory:

    # In sfcapd.service, change the -l parameter:
    ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid

  2. Update OpFlow configuration:

    # Edit opCommon.json
    sudo nano /usr/local/omk/conf/opCommon.json
    # Change the flow directory parameter to:
    "<opFlow_dir>": "/var/lib/nfdump"

This second option allows you to keep nfcapd running with its original configuration while collecting sFlow data separately.

Installation

For Debian/Ubuntu Systems

sudo apt-get update
sudo apt-get install nfdump-sflow

For RHEL/CentOS Systems

 

Configuration Steps

Create a new systemd service file:

Add the following content:

Start sfcapd service:

Command Line Parameters Explained

The sfcapd command uses these parameters:

  • -D: Run as daemon

  • -T all: Capture all flow types

  • -l /var/cache/nfdump: Output directory for flow data

  • -t 120: Create new file every 120 seconds

  • -p 6343: Listen on UDP port 6343 (standard sFlow port)

  • -P /run/sfcapd.pid: PID file location

Manual Start Option

If you prefer to run sfcapd manually instead of as a service:

Troubleshooting

  1. Agent IP Display:

    • If the agent IP shows as 0.0.0.0, this may indicate sfcapd wasn't started with the proper flags for agent IP identification

Verifying Operations:

Notes

  • The default flow collection directory is /var/cache/nfdump

  • While the GUI may show warnings about nfcapd if it is stopped, sFlow data collection will continue to work

  • sfcapd and nfcapd can't write to the same directory simultaneously, so we cannot ingest both concurrently into OpFlow
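
The directory rule in the notes above can be checked before sfcapd is started. The script below is an added example, not part of the OpFlow documentation: the function names and the sample process listings are constructed, and the nfcapd command lines are assumptions modelled on the sfcapd flags shown on this page.

```bash
# Added example (not from the OpFlow docs): flag nfcapd and sfcapd processes
# that write to the same -l directory. Paths containing spaces are not handled.

# Print the -l directory from one collector command line (nothing if absent).
flow_dir_of() {
    local prev="" arg
    set -f                                  # no globbing while splitting $1
    for arg in $1; do
        case "$prev:$arg" in
            -l:*)   printf '%s\n' "${arg%/}"; break ;;                # -l DIR
            *:-l?*) arg=${arg#-l}; printf '%s\n' "${arg%/}"; break ;; # -lDIR
        esac
        prev=$arg
    done
    set +f
}

# Read `ps -eo args`-style lines on stdin. Print every directory used by both
# collectors and return 1 if there is one, 0 otherwise.
find_conflicts() {
    local line cmd dir nf_dirs="" sf_dirs="" rc=0 nl='
'
    while IFS= read -r line; do
        cmd=${line%% *}; cmd=${cmd##*/}     # basename of the executable
        dir=$(flow_dir_of "$line")
        [ -n "$dir" ] || continue           # no -l given: nothing to compare
        case "$cmd" in
            nfcapd) nf_dirs="$nf_dirs$dir$nl" ;;
            sfcapd) sf_dirs="$sf_dirs$dir$nl" ;;
        esac
    done
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if printf '%s' "$nf_dirs" | grep -Fxq -- "$dir"; then
            printf '%s\n' "$dir"; rc=1
        fi
    done <<EOF
$sf_dirs
EOF
    return "$rc"
}

# Constructed process listings (the nfcapd lines are assumed, not from the page).
SAMPLE_CONFLICT='/usr/bin/nfcapd -D -T all -l /var/cache/nfdump -t 120 -p 9995 -P /run/nfcapd.pid
/usr/bin/sfcapd -D -T all -l /var/cache/nfdump/ -t 120 -p 6343 -P /run/sfcapd.pid'
SAMPLE_OK='/usr/bin/nfcapd -D -T all -l /var/cache/nfdump -t 120 -p 9995 -P /run/nfcapd.pid
/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid'
printf '%s\n' "$SAMPLE_CONFLICT" | find_conflicts || echo "shared directory: stop one collector or move it"
```

On a live host, feed it the real process list with `ps -eo args | find_conflicts`.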
