Softflowd vs pfflowd
-
Hi!
I have a simple question… What's the difference between softflowd and pfflowd, and which one should I be using?
According to their web page...
NB. If you are using OpenBSD, you may be interested in my pfflowd software instead. pfflowd uses the PF packet filter's stateful connection tracking to monitor flows rather than implementing it in software.
Being that I'm new to networking, it sounds to me as if pfflowd is better to use because it does the same thing as softflowd, but it is 'built into' the OS. To me, if it's built into the OS, there's a lower overhead and less memory and processor usage.
Am I correct to think this, or is one better than the other?
-
It's likely a matter of preference and whichever will output in a format you want with the features you need.
softflowd isn't too hard to set up on pfSense:
http://doc.pfsense.org/index.php/Exporting_NetFlow_with_softflowd
-
Thanks for the info. I got softflowd set up with pfSense and the data is exporting. I don't have any complaints other than I'd like to exclude the DNS flows, but that's not softflowd's problem.
I was just wondering what the differences were (if any) and if one is preferred over the other.
Thanks!
-
From what I can tell:
pfflowd converts OpenBSD PF status messages to Cisco NetFlow datagrams.
softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file.
So, the main difference is how they collect data.
I cannot find how to install pfflowd, so you may have to compile it yourself whereas softflowd can be installed using pkgadd (Instructions available at http://doc.pfsense.org/index.php/Exporting_NetFlow_with_softflowd.)
-
pfflowd is already a package you can get under System > Packages.
-
Thanks for the information, Jim.
One of my failures here was in not understanding that the forum search limits the results to the section being browsed. Before I posted and while viewing this topic, I copied 'pfflowd' and pasted it into the search field – I found only the posts in this thread. After I read your information, I did the same search while viewing the main page of the forum -- this time I found all of the threads on pfflowd. Another lesson learned.