Pcap to Netflow player

We are pleased to announce the arrival of PCAP2FLOW, an open source Linux Netflow playback tool. This tool was developed by fresh college hires as an internal testing tool. We are delighted to release it to the open source world.


PCAP2FLOW 

Linux based libpcap to Netflow packet playback tool

Version 0.1 3/8/09

Download

pcap2flow-0.1.tar.gz

 

What does PCAP2FLOW do?

It processes a packet capture file and sends only Netflow packets to a receiver.

 

Who would possibly want something like this?

If you are evaluating a Netflow based monitoring tool, you can use PCAP2FLOW to exercise it. 

 

Any other use for this tool?

Here are some potential applications:

  • Say you already have a Netflow collector and are not too excited about modifying your routers to add another one. You can then collect pcaps of the Netflow export and play them back later.
  • You can use this tool to selectively process Netflows from a single router.

How does it work?

PCAP2FLOW processes each packet in a capture file, looking for UDP packets destined to a set of ports marked as being Netflow. It then sends the UDP payload section (i.e., the Netflow payload) to the designated collector IP and port.
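
The extraction step described above, sketched in Python as an added example (not PCAP2FLOW's own code): it reads a classic pcap file, keeps unfragmented Ethernet/IPv4 UDP datagrams sent to the chosen ports and forwards their payloads. The function names and the constructed sample capture are assumptions made for illustration.

```python
import io
import socket
import struct
import time

def netflow_payloads(pcap, ports=(2055,)):
    """Yield UDP payloads of Ethernet/IPv4 packets sent to one of `ports`."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap.read(4))
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "HHiIII", pcap.read(20))[5]
    if linktype != 1:  # DLT_EN10MB; other link layers are not handled here
        raise ValueError("unsupported link type %d" % linktype)
    while len(rec := pcap.read(16)) == 16:
        caplen = struct.unpack(endian + "IIII", rec)[2]
        frame = pcap.read(caplen)
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":
            continue  # too short for Ethernet+IPv4+UDP, or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag = struct.unpack("!H", frame[20:22])[0] & 0x3FFF  # MF bit + offset
        if (frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or frag
                or len(frame) < 14 + ihl + 8):
            continue  # keep only unfragmented IPv4/UDP with a full UDP header
        udp = 14 + ihl
        dport, ulen = struct.unpack("!HH", frame[udp + 2:udp + 6])
        payload = frame[udp + 8:udp + ulen]
        if dport in ports and ulen > 8 and len(payload) == ulen - 8:
            yield payload  # truncated (snaplen-cut) datagrams are skipped

def replay(pcap, collector, port, ports=(2055,), gap_us=20000):
    """Send matching payloads to collector:port; gap_us=20000 is 50 packets/s."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for payload in netflow_payloads(pcap, ports):
            sock.sendto(payload, (collector, port))
            sent += 1
            time.sleep(gap_us / 1e6)
    return sent

def sample_pcap():
    """Constructed capture: one datagram to UDP 2055, one to UDP 53."""
    def frame(dport, data):
        udp = struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(2055, b"\x00\x05" + b"\x00" * 22), frame(53, b"dns")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return io.BytesIO(out)
```

Because the filter is port-based only, any UDP datagram on a listed port is forwarded whether or not it is really Netflow.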

 

Where can it be better?

While this tool works well for our in-house requirements, it can be made better.

  • Heuristics to ensure that the packet being sent is indeed Netflow
  • Sending it at the same rate as it was originally received 
  • Handle link layers, libpcap DLT values other than Ethernet
  • Sending to IPv6 collector

How to run it?

  1. First download the tool from the link above
  2. Do the usual Linux ./configure, then make followed by make install as root
  3. The command pcap2flow mycapturefile.pcap 192.168.1.88 12055 will play out all Netflow packets in the capture file to the collector at 192.168.1.88 listening on port 12055
  4. By default it picks out packets on UDP port 2055. You can override it with the -ports switch. For example: -ports 2055,2056,8055,8056 will treat all UDP packets on these ports as Netflow and forward them to the collector
  5. By default, the playout rate is 50 packets / sec. You can override it with the -gapus switch. For example: -gapus 1000 will send out a packet every 1000 us (1000 packets/sec).

 

Questions / Requests?

Send an email to the maintainer Sharmila (sharmila at unleashnetworks ) or post a message in the Forum and we will pick it up.