NFDUMP switches to new release 1.7.0
A lot of old code has beed remove, and was rewritten. nfdump-1.7.0 replaces nfdump-1.6.x. A lot of code has been improved and new features have been added. The nfpcapd collector has been reworked completely. It allows to merge pcap and flow data.
- nfdump is now a multi-threaded program and uses parallel threads mainly for reading, writing and processing flows as well as for sorting. This may result in a 2 to 3 times faster flow processing, depending on the tasks. The speed improvement also heavily depends on the hardware (SSD/HD) and flow compression option.
- For netflow v9 and IPFIX, nfdump now supports flexible length fields. This improves compatibility with some exporters such as yaf and others. The netflow v9 decoder is more flexible in decoding.
- Support for Cisco Network Based Application Recognition (NBAR).
- Supports Maxmind geo location information to tag/geolocate IP addresses and AS numbers.
- nfpcapd automatically uses TPACKET_V3 for Linux or direct BPF sockets for *BSD. This improves packet processing. It adds new options to collect MAC and VLAN information as well as the first packet of the payload.
- Metric exports: By default, every 60s a flow summary statistics can be sent to a UNIX socket. The corresponding program may be nfinflux to insert these metrics into an influxDB or nfexporter for Prometheus monitoring.