pfflowd

pfflowd converts OpenBSD PF status messages (sent via the pfsync interface)
to Cisco NetFlowdatagrams. These datagrams may be sent (via UDP) to a host
of one's choice. Utilising the OpenBSD stateful packet filter infrastructure
means that flow tracking is very fast and accurate.

NB. pfflowd requires an OpenBSD system with changes which were committed to
CVS after version 3.3 was released. An unsupported patch is included which may
work on 3.3-stable kernels. If you are not running OpenBSD or are unwilling
to patch your system, then you may be interested in softflowd, my software
implementation of a NetFlow monitor.

Details

OpenBSD's PF stateful packet filter will count bytes and packets for flows it
tracks statefully. PF also contains a mechanism (pfsync) which allows realtime
reporting of state expiry. pfflowd listens for these state expiry messages and
converts them to NetFlow datagrams.

Reusing the kernel's packet filtering system has a number of advantages. On
systems which are firewalling, there is no duplication of effort between tracking
flows for firewalling and tracking flows for accounting. Also, flow tracking is
very fast - using PF's highly optimised state matching code. Running pfflowd on
a system which is already firewalling imposes negligible additional load.

The pfflowd homepage is located at:

	http://www.mindrot.org/pfflowd.html

Cryptographic signatures and checksums may be provided by 
the developers at the URL(s) above.  Wiretapped recommends
that users check these before use of the software/information.