Home Blog Exporting Flow to multiple servers (Flow Samplicators)

Exporting Flow to multiple servers (Flow Samplicators)

    Rate this post

    NetFlow Samplicator

    In our previous article we have discussed the alternative way to get flow statistics using a NetFlow generator. One of the fundamental features of the generator is its capability to export flow records to multiple destinations (NetFlow collectors). Often, it is necessary to export NetFlow traffic to more than a single NetFlow collector, for instance for production, testing or development purposes. Indeed, many network devices with a built-in NetFlow feature are capable to export flows to multiple destinations as well as most of NetFlow generators. Below is an example of Flexible NetFlow on a Cisco IOS router which is configured to export flow records to two NetFlow collectors – and (Picture 1).

    flow record NETFLOW-RECORD
     match ipv4 source address match ipv4 destination address
     match ipv4 protocol
     match transport source-port
     match transport destination-port
     match ipv4 tos
     match interface input
     collect counter bytes
     collect counter packets
     collect interface output
     flow exporter NETFLOW-EXPORTER1
     source GigabitEthernet0/0
     transport udp 2055
     template data timeout 60
    flow exporter NETFLOW-EXPORTER2
     source GigabitEthernet0/0
     transport udp 2055
     template data timeout 60
    flow monitor NETFLOW-MONITOR
     record NETFLOW-RECORD
     exporter NETFLOW-EXPORTER1
     exporter NETFLOW-EXPORTER2
     cache timeout active 30
     cache timeout inactive 15
    interface GigabitEthernet0/1
    ip flow monitor NETFLOW-MONITOR input

    Flow Samplicator

    Picture 1: Network Topology with NetFlow Exporter and Two Collectors

    However, some network devices do not support the exporting of flow records to multiple locations. In this case, we can use a workaround in the form of a flow samplicator inserted between a NetFlow exporter and collectors. A NetFlow samplicator is a program that receives UDP datagrams on a given port from a single or multiple senders (NetFlow exporters) and resends those datagrams to a specified set of receivers (NetFlow collectors).

    To demonstrate the function of a NetFlow samplicator, we will replace a flow exporter running Cisco IOS with a VyOS appliance (Picture 2). The appliance with the IP address is located in the middle of a network topology and is configured to operate as a NetFlow exporter. It does not support flow exporting to multiple locations. Therefore, the VyOS appliance exports flow records version 9 to the NetFlow samplicator that is listening on the IP address and the UDP port 2055. It is a job of the samplicator to redistribute NetFlow traffic (UDP datagrams) to the configured receivers.

    Net Flow Samplicators

    Picture 2: Network Topology with a NetFlow Exporter, Samplicator and Two Collectors

    Below is the configuration related to NetFlow v9 on VyOS.

    system {
        config-management {
            commit-revisions 100
        console {
            device ttyS0 {
                speed 9600
        flow-accounting {
            interface eth1
            netflow {
                sampling-rate 100
                server {
                    port 2055
                timeout {
                    expiry-interval 60
                    flow-generic 3600
                    icmp 300
                    max-active-life 604800
                    tcp-fin 300
                    tcp-generic 3600
                    tcp-rst 120
                    udp 300
                version 9
            syslog-facility daemon

    Let’s start NetFlow samplicator and check if it is listening on the socket (Picture 3).

    $ sudo samplicate -s -S -p 2055 -d
    -b Set socket buffer size ( default 65536)
    -c Specify a config file to read.
    -d Debug level
    -f Fork. This option sets samplicate to work as background process.
    -n Do not compute UDP checksum (leave at 0)
    -p <port> UDP port to accept flows on (default 2000)
    -S Maintain (spoof) source address.
    -s <address> Interface address to accept flows on (default any)
    -x <delay> Transmission delay in microseconds.

    Checking Whether Samplicator is Listening on IP address UDP 2055

    Picture 3: Checking Whether Samplicator is Listening on IP address UDP 2055

    Soon after the NetFlow samplicator is started, we should see the debugging messages (Picture 4) in the console. The samplicator resends NetFlow records received from the NetFlow exporter with the IP address, the source port 39268 as UDP datagrams to NetFlow collectors and, the destination UDP port 2055.

    Captured Debugging Output from Samplicator CLI

    Picture 4: Captured Debugging Output from Samplicator CLI

    Use Wireshark or tcpdump to open the pcap files captured on both collectors and explore. When we reviewed both captures properly, we could see that flow records contained many flows, counting a single IP packet that has been sent from different source IP addresses to the destination IP address (Picture 5). Those are TCP segments with SYN flag set, sent from the spoofed IP address in order to prevent legitimate users to access SSH service (TCP port 22), running on the host Notice, the source IP address of NetFlow exporter This is the IP address of the VyOS router. As the samplicator is configured with the option -S (spoof source address), it preserves the IP address of the original Netlow exporter (VyOS). Therefore, the IP address configured on the network interface of a UDP samplicator – is not used.

    Wireshark Capture Screen on NetFlow Collector

    Picture 5: Wireshark Capture Screen on NetFlow Collector1


    Ideally, flow exporters should be able to export flow records to multiple destinations. In reality, many network devices with a built-in NetFlow feature can export them only to a single or at most two flow collectors. Luckily, a hack in the form of a UDP samplicator can be used as a great workaround. Running as a virtual appliance or on physical hardware, samplicators resend UDP streams to multiple receivers. The number of receivers is only limited by hardware resources of the samplicator appliance, such as CPU and RAM. The resources of the built-in NetFlow exporters are also saved and performance kept as they do not need to export to multiple locations. Instead, flow export is off loaded to a dedicated appliance.


    Leave a Reply