Exporting NetFlow from Linux to a collector over IPv6

There is another project out there in the ether that I have a hand in providing input for. One of the features that I felt was necessary for it is exporting NetFlow information from traffic the Linux machine handled, to a collector. This is dual-stack traffic, but I have the collector listening on IPv6.

Firstly, I needed something that would gather and export the data, so I found softflowd. My Ubuntu server had it in the repo, so a quick apt install got it onto the machine easily enough. You need to edit /etc/default/softflowd and set which interface(s) you want it capturing and generating flow data from, and which options to feed to the daemon, such as the server:port to export that data to:

INTERFACE="eth#"
OPTIONS="-v 9 -n [x:x:x:x::x]:9995"

Fill in the name of the interface you want to gather data from. The -v 9 option tells softflowd to use NetFlow v9, which has IPv6 support. The -n option specifies the collector machine's IP and port, so fill in the IPv6 address of that collector. The address goes inside square brackets, followed by a colon and the port; that is the format for specifying an IPv6 host running a collector, like nfcapd. Then you can fire up the softflowd daemon, and you should start getting data sent to the collector:

Date flow start          Duration Proto                             Src IP Addr:Port                                 Dst IP Addr:Port   Packets    Bytes Flows
2015-02-13 23:18:13.316     0.001 UDP                              72.52.116.23:53    ->                            72.52.116.26:41933        1      213     1
2015-02-13 23:18:13.316     0.001 UDP                              72.52.116.26:41933 ->                            72.52.116.23:53           1       55     1
2015-02-13 23:15:17.715   180.139 ICMP6                         2001:470:1:9::1.0     ->                      2001:470:1:9::6666.0.0          4      288     1
2015-02-13 23:15:17.715   180.139 ICMP6                      2001:470:1:9::6666.0     ->                         2001:470:1:9::1.0.0          4      256     1
Summary: total flows: 75, total bytes: 291951, total packets: 1559, avg bps: 10006, avg pps: 6, avg bpp: 187
Time window: 2015-02-13 23:15:05 - 2015-02-13 23:18:58
Total flows processed: 75, Blocks skipped: 0, Bytes read: 5300
Sys: 0.008s flows/second: 9149.7     Wall: 0.006s flows/second: 12209.0
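
To check that the export packets really arrive over IPv6 and really are NetFlow v9, a small listener can stand in for nfcapd for a few packets. This is an added example, not part of the original post or of softflowd/nfdump; it assumes port 9995 from the config above is free on the collector (stop nfcapd first or use another port), and the sample packet is constructed.

```python
import socket
import struct

# NetFlow v9 packet header (RFC 3954): version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9(datagram: bytes) -> dict:
    """Validate a NetFlow v9 export packet and tally its FlowSets by kind."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than the 20-byte v9 header")
    version, count, _uptime, unix_secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    tally = {"template": 0, "options_template": 0, "data": 0}
    offset = V9_HEADER.size
    while offset + 4 <= len(datagram):
        flowset_id, length = struct.unpack_from("!HH", datagram, offset)
        if length < 4 or offset + length > len(datagram):
            raise ValueError(f"bad FlowSet length {length} at offset {offset}")
        if flowset_id == 0:
            tally["template"] += 1
        elif flowset_id == 1:
            tally["options_template"] += 1
        elif flowset_id >= 256:          # data FlowSets reuse their template ID
            tally["data"] += 1
        offset += length
    return {"count": count, "unix_secs": unix_secs, "sequence": sequence,
            "source_id": source_id, "flowsets": tally}

def listen(port: int = 9995, packets: int = 5) -> None:
    """Bind an IPv6-only UDP socket and summarise each export packet received."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)  # IPv6 only, no v4-mapped traffic
        sock.bind(("::", port))
        for _ in range(packets):
            data, (addr, sport, *_rest) = sock.recvfrom(65535)
            try:
                print(f"[{addr}]:{sport}", parse_v9(data))
            except ValueError as exc:
                print(f"[{addr}]:{sport} rejected: {exc}")

# Constructed sample: header, one template FlowSet (template 256 with a single
# 16-byte IPV6_SRC_ADDR field, type 27) and one matching data FlowSet.
SAMPLE = (V9_HEADER.pack(9, 2, 1000, 1423869493, 7, 0)
          + struct.pack("!HHHHHH", 0, 12, 256, 1, 27, 16)
          + struct.pack("!HH", 256, 20) + bytes(16))

if __name__ == "__main__":
    print(parse_v9(SAMPLE))
    listen()
```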

IPv6 and Google Analytics

So rather than rely on Webalizer 2.23 with proper IPv6 parsing support (yet all addresses end up being designated as sourcing from Montenegro?), I’m trying out Google Analytics. One of the first things I noticed is that all IPv6 hits/views end up being listed as “(not set)”. Since I control and access my logs, I can get specifics; however, I’d like a little more detail.

That is when I happened upon the APNIC Labs IPv6 Capability Tracker. Just had to follow their directions for adding the JS code, with some minor tweaks to work with my Google Analytics WP plugin. Now I’m seeing a bit more detail on the types of IPv6 visitors, exactly as APNIC Labs promised 😀 Still need to read up on “events” to figure out what the negative values I’m seeing mean.