Простейший коллектор, которым я проверял NetFlow:
#!/usr/bin/perl -w
use strict;
use IO::Socket;
# UDP port on which this collector listens for NetFlow export datagrams.
my $port = 2055;

# Upper bound, in bytes, passed to recv() for a single datagram.
use constant _MAXREAD => 8192;

# Hard-coded layout of one flow record. No template is parsed, so these
# values must match what the exporter actually sends.
#   field name => [ index in the unpacked field list, size in bytes ]
my %v9 = (
    _PROTO     => [ 0, 1 ],
    _SRC_PORT  => [ 1, 2 ],
    _SRC_IP    => [ 2, 4 ],
    _DST_PORT  => [ 3, 2 ],
    _DST_IP    => [ 4, 4 ],
    _NAT_IP    => [ 5, 4 ],
    _NAT_PORT  => [ 6, 2 ],
    _NAT_EVENT => [ 7, 1 ],
);

# File-scoped state used by the main datagram receive loop.
my $_FLOWRECV9_LEN = 0;
my ($datagram, $version, $count, $i, $data, $sys_uptime, $unix_secs);
my (@flow, @rawdata);
my $socket_opened;

# Length of one flow record in bytes: the sum of all per-field sizes.
$_FLOWRECV9_LEN += $_->[1] for values %v9;
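# Main datagram receive loop.
#
# NetFlow v9 travels over plain UDP with no authentication, so every byte of
# a datagram (including the record count in its header) is untrusted input.
# The loop therefore validates the datagram length and never reads more
# records than the payload can actually hold.
while (1) {
    # No LocalAddr is given, so the socket listens on all local addresses.
    # Outside a lab, restrict who can reach this port (LocalAddr or a
    # firewall rule limited to the exporter), since senders can be spoofed.
    my $sock = IO::Socket::INET->new(LocalPort => $port, Proto => 'udp');
    unless ($sock) {
        # Could not open the socket: wait 5 seconds, then retry.
        sleep 5;
        next;
    }

    # A failed recv() ends this loop; the outer loop then reopens the socket.
    while ($sock->recv($datagram, _MAXREAD)) {
        # The script assumes a fixed 64-byte prefix before the flow records
        # (the 20-byte v9 header plus, presumably, a template FlowSet and the
        # data FlowSet header -- TODO confirm against the exporter).
        # Anything shorter cannot contain a record, so drop it.
        next if length($datagram) < 64;

        ($version, $count, $sys_uptime, $unix_secs) = unpack("nnNN", $datagram);
        next if $version != 9;    # numeric compare; only v9 is handled

        my $payload = substr($datagram, 64);

        # One counted record is skipped, as in the original logic (presumably
        # the template). Clamp the sender-supplied count to the number of
        # complete records really present, so a forged header cannot make the
        # collector print tens of thousands of bogus lines per packet.
        my $records   = $count - 1;
        my $available = int(length($payload) / $_FLOWRECV9_LEN);
        $records = $available if $records > $available;

        for my $idx (0 .. $records - 1) {
            # 'C' (unsigned) for the one-byte fields: protocol numbers above
            # 127 must not be shown as negative values.
            my @fields = unpack("CnNnNNnC",
                substr($payload, $idx * $_FLOWRECV9_LEN, $_FLOWRECV9_LEN));

            my ($proto, $src_port, $src_ip, $dst_port,
                $dst_ip, $nat_ip, $nat_port, $nat_event)
                = @fields[ map { $v9{$_}[0] }
                    qw(_PROTO _SRC_PORT _SRC_IP _DST_PORT
                       _DST_IP _NAT_IP _NAT_PORT _NAT_EVENT) ];

            # Convert 32-bit addresses to dotted-quad notation.
            my ($src_addr, $dst_addr, $nat_addr)
                = map { join '.', unpack 'C4', pack 'N', $_ }
                  ($src_ip, $dst_ip, $nat_ip);

            # All printed values are numbers produced by unpack, so no
            # sender-controlled text reaches the terminal.
            print "ts: $unix_secs, proto: $proto, src ${src_addr}:$src_port, ";
            print "dst: ${dst_addr}:$dst_port, nat: ${nat_addr}:$nat_port, event: $nat_event\n";
        }
    }
}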