NEye, an Open Source Netflow
Release 1.0.1 is out!
- Fixed and improved MySQL 4.0.21 support.
- Removed some locks and improved parallelism on SMP systems.
- Added Irix 6.5.25m in the binary distributions.
- Can run as a low-privilege user with a bit of startup-script
- Added fixed address & fixed flow rate to trafgen utility
How many times have you asked yourself: "what is running on our
And how many times have you tracked your application flows to redesign services? And how to try to track that Denial of Service that bad guys
on your public services? And when you need to develop the firewall rules, you would always like to know whether some services are really needed or not, even on host-based firewalls... And running a snoop on the system to collect data for
would not even be taken into consideration, due to privacy (if you're a customer) or log size issues... Let's face it: it's very simple, but at the same time very difficult, to have a clear idea of network flows, and this is due to a lot of reasons, often unrelated. We often face problems that could be solved very easily, but we probably all lack the time or the tools, so this kind of issue
solved on a best-effort basis.
Also, without an idea of network flows, sizes, directions and peak times, it is difficult to plan network growth.
developed inside the IOS a mechanism of network statistics commonly called netflow. This technology works in a
but efficient way, and has been ported to several platforms. When a router (but not only) gets an incoming packet on an interface, it
tuple (src ip, src port, dst port) and other info inside its
and if properly configured, it can send periodic reports of the
table to a system called the "collector". The information sent is then
and stored on the collector system and you can do network analysis on that box, even offline. This technology is not intrusive (it only takes a look at the
header), is not limited to IPv4 (although most networks around are IP
works on any interface. The CPU processing required on the Cisco device
low and since reports are sent periodically, even the collector does not need so much horsepower, although obviously the greater, the better.
NEye (Network Eye) is a NetFlow collector software working on Unix
which is capable of receiving flows from Cisco Routers (but not only)
store them in ASCII (for raw grepping), in SQLite databases (for quick SELECTs) or in full blown MySQL databases. It's written in C language,
use of POSIX threads if available (thus scalable) and is Open Source
under BITGPL, read LICENSE).
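As an added example (not NEye's code), here is a bounds-checked decoder for one export datagram as a collector receives it, producing one ASCII line per flow. It assumes the NetFlow v5 wire layout, which this page does not name; `nf5_parse`, `flow_to_ascii`, `nf5_sample` and the line format are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed NetFlow v5 layout: 24-byte header, then 1..30 records of 48 bytes. */
enum { HDR = 24, REC = 48, MAXREC = 30 };
struct flow { uint8_t src[4], dst[4], proto; uint16_t sport, dport; uint32_t pkts, octets; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Decode one export datagram: returns the flow count, or -1 if malformed. The count
 * field comes off the wire, so it is checked against the real length before use. */
int nf5_parse(const uint8_t *buf, size_t len, struct flow *out, size_t max_out)
{
    if (len < HDR || be16(buf) != 5) return -1;          /* truncated or not v5 */
    size_t count = be16(buf + 2);
    if (count == 0 || count > MAXREC || count > max_out) return -1;
    if (len != HDR + count * REC) return -1;             /* count disagrees with size */
    for (size_t i = 0; i < count; i++) {
        const uint8_t *r = buf + HDR + i * REC;
        memcpy(out[i].src, r, 4);      memcpy(out[i].dst, r + 4, 4);
        out[i].pkts = be32(r + 16);    out[i].octets = be32(r + 20);
        out[i].sport = be16(r + 32);   out[i].dport = be16(r + 34);
        out[i].proto = r[38];
    }
    return (int)count;
}

/* One greppable ASCII line per flow (illustrative format, not NEye's own). */
int flow_to_ascii(const struct flow *f, char *line, size_t n)
{
    return snprintf(line, n, "%d.%d.%d.%d:%d > %d.%d.%d.%d:%d proto=%d pkts=%u bytes=%u",
        f->src[0], f->src[1], f->src[2], f->src[3], f->sport,
        f->dst[0], f->dst[1], f->dst[2], f->dst[3], f->dport,
        f->proto, (unsigned)f->pkts, (unsigned)f->octets);
}

/* Constructed sample datagram: one TCP flow 192.0.2.10:40000 > 198.51.100.5:443. */
size_t nf5_sample(uint8_t *buf)
{
    uint8_t *r = buf + HDR;
    memset(buf, 0, HDR + REC);
    buf[1] = 5; buf[3] = 1;                                   /* version 5, count 1 */
    memcpy(r, "\xc0\x00\x02\x0a\xc6\x33\x64\x05", 8);         /* srcaddr, dstaddr */
    r[19] = 12; r[22] = 0x10; r[38] = 6;                      /* 12 pkts, 4096 bytes, TCP */
    r[32] = 0x9c; r[33] = 0x40; r[34] = 0x01; r[35] = 0xbb;   /* ports 40000, 443 */
    return HDR + REC;
}
```

A datagram whose count field does not match its length is rejected whole rather than partially decoded, so a spoofed or truncated export cannot make the collector read past the received buffer.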
I started working on it in Jan 2004, it was initially born as
but name was already used. Then moved to OpenStreams but too damn long.
First production release of NEye release 1.0 is codenamed
released August 2004. Current release is 1.0.1, codenamed
don't want to know why, believe me), released 6 February 2005.
This software is BITGPL (Boycott Italian Telcos GPL).
What does this mean?
Simple. It is open source under GNU GPL with a few limits which are:
a) Italian Telcos are NOT allowed to use this software for any reason.
Even reselling it to a telco or providing them with it for free under
some sort of "service" contract. No. They have to provide me with
bandwidth first. They have lot of money and don't need my software, go
out and buy Cisco software, you can afford it.
b) This software will become totally GNU GPL when the first Italian
telco will provide me with large bandwidth connection to my home for
Actually they aren't even able to know if they can provide me with an
ISDN connection. I'm tired of them.
c) I'll send my attorneys (seriously) if I catch someone working for an
Italian telco using this software (or any variant based on this work).
I'm not joking. Think twice.
This is due to the fact that my home is not served by any connection
line deserving this name. No ADSL, no ISDN, nothing. HDSL is covered
(at least they think) but they're asking my eyes for it, so it seems
natural to me to deny them the use of this software. Until now I paid
tons of bucks and they're not even thinking to offer me a decent
So, you get what you deserve. If you want to read the whole story
you can do it at http://neye.unsupported.info/odyssey.html.
If you are a normal user NOT working for any Italian telco, simply
use the --with-telcosux switch when running the configure script
and live happy.
And do whatever you want with it without infringing the BITGPL license !
In that case normal GPL, described in file COPYING applies.
Go here to get it.
Going Up & Running
Go here for all the gory details.
Things I'd love to do in the near/far future:
- Complete the AS/400 port (no CVS, damn !)
- Complete the OpenVMS port
- Decide myself to code a decent report engine
- MVS support (S/390 needed)
- Add Oracle and Postgres support
- Enhance the threading engine
As you might have noticed, actually I don't plan any more Netflow V9
No requests about that, junky and insecure protocol IMHO and less time for development, that should be enough to justify it.
Licensing is not so restrictive so it would be nice to hear from you if you use it and how, if you have strange problems, cool ideas which are not already planned or useful
Flames will go to /dev/null and questions like "What is netflow ?" or "Can you help me to install xyz on my kkk box" will probably follow the same fate.
If you want to donate hardware that supports NetFlow V9 or have a spare
which is wasting your space let me know. If you want to contribute
ideas, let me know.
First, always try to help yourself, I think I'm a kind BOFH but I'm definitely not at your service. I'm always low on time and late on everything, please help me to improve
If you dare to get in touch with me, there are some pointers in my personal page.