cflowd is a flow analysis tool that was used for analyzing Cisco's NetFlow enabled switching method. The current release (described below) includes the collections, storage, and basic analysis modules for cflowd and for arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful include usage tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.
As of 2004, cflowd is no longer supported by CAIDA. Instead, please consider the use of flow-tools, which will provide a toolset for working with NetFlow data. flow-tools can also be used (like cflowd) in conjunction with FlowScan, maintained by Dave Plonka at the University of Wisconsin, Madison.
- Frequently Asked Questions (FAQ)
- Changes from 1.3b2 to 2.0
- Software Downloads
- cflowd press release
- Mail Lists
Changes from 1.3b2 to 2.0
- cflowd has been completely redesigned and reimplemented for the 2.0 release.
- Added support for v1 flow-export.
- All tables are now per input interface.
- New tabular data: port matrix, interface matrix, nexthop table. The old port table has been replaced by the more granular port matrix.
- A new cflowdmux process which permits access to raw flow packets.
- A fully functional central collector is now included (cfdcollect). This allows you to archive time-series tabular data from multiple instances of cflowd.
- All counters are 64 bits.
- New filtering code is significantly faster; flowdump benefits from the increased performance.
- Local clients (cfdases, cfdnets, et. al.) will show the time interval for current data.
- Local clients can show pkts/sec and bits/sec in addition to packet and byte counters.
- Added manpages.
- mmap() is gone for the tabular data; local clients connect to a UNIX domain socket to view current data. This removed a lot of code complexity.
ComponentsThe cflowd system contains four major components:
This is the program that acts as the receiver of flow-export data from one or more Cisco routers. It writes raw packets into shared memory, and permits clients to have access to raw flow data. An example client (flowwatch) is included.
cflowd takes data from raw flows (collected by cflowdmux) and creates tabular summaries of traffic data (AS matrix, net matrix, port matrix, interface matrix, nexthop table and protocol table). It also acts as a server of tabular data to cfdcollect.
This is a central collector which collects data from instances of cflowd. It is used to archive the tabular data at regular intervals, producing time-series data for each of the tabular data types. The archived data may be processed with arts++.
There are a handful of utilities included in the package which may be used to examine data on the host(s) where cflowd is running.
Requirementscflowd requires the arts++ package. You should download and install arts++ before downloading and building cflowd. cflowd needs header files and libraries from the arts++ package, and the arts++ package contains the C++ library for handling the data stored by cfdcollect (as well as a handful of utilities for aggregating and viewing the data).
A mailing list has been set up for the discussion of cflowd, at firstname.lastname@example.org. To subscribe or unsubscribe, send mail to:
with one of the following in the in the body of the message:
subscribe subscribe email@example.com unsubscribe unsubscribe firstname.lastname@example.org
The archive is updated nightly.