NEye logo

NEye, an Open Source Netflow collector


Release 1.0.1 is out !
New features:

The Problem

How many times were you asking yourself: "what is running on our network ?"
And how many times you were tracking your application flows to redesign network and
services ? And how to try to track that Denial Of Service that bad guys are trying
on your public services ? And when you need to develop the firewall rules you would
always like to know whether some services are really needed or not, even on host based
firewalls.... And running a snoop on the system to collect data for forther analysis
would not even be taken into consideration, due to privacy (if you're working for
a customer) or log size issues... Let's face it: it's very simple, but at the same
time very difficult to have a clear idea of network flows and this is due to a lot
of reasons, often unrelated. We often face problems that could be solved very easily
but probably we all lack the time or the tools, so this kind of issues are always
solved on a best-effort basis.
Also, without having an idea of network flows, sizes, directions and peak times is
difficult to plan a network growth.

An Approach

Cisco ( developed inside the IOS a mechanism of
network statistics commonly called netflow. This technology works in a very simple
but efficient way, and has been ported to several platforms. When a Cisco
router (but not only) gets an incoming packet on an interface, it stores its
tuple (src ip, src port, dst port) and other info inside his route-cache map,
and if properly configured, it can send periodic reports of the connection status
table to a system called the "collector". The information sent is then collected
and stored on the collector system and you can do network analysis on that box, even
offline. This technology is not intrusive (it only takes a look to the packet
header), is not limited to Ipv4 (altough most networks around are IP based) and
works on any interface. The CPU processing required on the Cisco device is very
low and since reports are sent periodically, even the collector does not need so
much horsepower although obviously the greater, the better.

Introducing NEye

NEye (Network Eye) is a NetFlow collector software working on Unix systems
which is capable of receiving flows from Cisco Routers (but not only) and
store them in ASCII (for raw grepping), in SQLite databases (for quick & dirty
SELECTs) or in full blown MySQL databases. It's written in C language, making
use of POSIX threads if available (thus scalable) and is Open Source (licensed
under BITGPL, read LICENSE).


I started working on it in Jan 2004, it was initially born as OpenFlows,
but name was already used. Then moved to OpenStreams but too damn long.
First production release of NEye release 1.0 is codenamed "Chestburster" and
released August 2004. Current release is 1.0.1, codenamed "Sventrapapere" (you
don't want to know why, believe me), released 6 February 2005.

NEye License

This software is BITGPL (Boycott Italian Telcos GPL).

What does this means ?

Simple. It is open source under GNU GPL with a few limits which are:
a) Italian Telcos are NOT allowed to use this software for any reason.
Even reselling it to a telco or providing them with it for free under
some sort of "service" contract. No. They have to provide me with
bandwidth first. They have lot of money and don't need my software, go
out and buy Cisco software, you can afford it.
b) This software will become totally GNU GPL when the first Italian
telco will provide me with large bandwidth connection to my home for free.
Actually they aren't even able to know if they can provide me with an
ISDN connection. I'm tired of them.
c) I'll send my attourneys (seriously) if I catch someone working for an
Italian telco using this software (or any variant based on this work).
I'm not joking. Think twice.

This is due to the fact that my home is not served by any connection
line deserving this name. No ADSL, no ISDN, nothing. HDSL is covered
(at least they think) but they're asking my eyes for it, so it seems
natural to me to deny them the use of this software. Until now I paid
tons of bucks and they're not even thinking to offer me a decent service.
So, you get what you deserve. If you want to read the whole story
you can do it at

If you are a normal user NOT working for any italian telco, simply
use the --with-telcosux switch when running the configure script
and live happy.
And do whatever you want with it without infringing the BITGPL license !
In that case normal GPL, described in file COPYING applies.

Obtaining NEye

Go here to get it.

Going Up & Running

Go here for all the gory details.


Things I'd love to do in the near/far future:
As you might have noticed, actually I don't plan any more Netflow V9 support.
No requests about that, junky and insecure protocol IMHO and less time available
for development, that should be enough to justify it.


Licensing is not so restrictive so it would be nice to hear from you if you use it and
how, if you have strange problems, cool ideas which are not already planned or useful
Flames will go to /dev/null and questions like "What is netflow ?" or "Can you help me
to install xyz on my kkk box" will probably follow the same fate.
If you want to donate hardware that supports NetFlow V9 or have a spare Catalyst 6500
which is wasting your space let me know. If you want to contribute ideas, let me know.
First, always try to help yourself, I think I'm a kind BOFH but I'm definitely not at
your service. I'm always low on time and late on everything, please help me to improve
myself :)
If you dare to get in touch with me, there are some pointers in my personal page.