Recently I've been working a lot on my so-called "pysflowd" application. pysflowd is a Python-based sFlow collector which collects, stores, analyzes and exports sFlow datagrams (to Elasticsearch).
pysflowd reads sFlow datagrams from a UDP socket, parses each datagram and stores the parsed data in an in-memory sqlite3 database (which is quite fast).
Afterwards, analyzer and exporter threads pick up the sqlite3 data, calculate the traffic to or from a single IP address, and export the "flows" to Elasticsearch.
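To make the pipeline above concrete, here is an added example of my own, not pysflowd's code: a minimal sFlow v5 parser that pulls IPv4 source and destination addresses out of raw-packet-header records, scales each frame length by the sample's sampling rate, stores the result in an in-memory sqlite3 table, and answers the per-IP traffic question the analyzer threads ask. The build_datagram helper constructs a test datagram in place of a real agent; the agent address 192.0.2.1, the sample IPs and all function names are assumptions.

```python
import socket
import sqlite3
import struct

# sFlow v5 format numbers (enterprise 0); addresses used below are constructed.
SFLOW_VERSION = 5
FLOW_SAMPLE = 1          # sample_data_format 1: flow sample
RAW_PACKET_HEADER = 1    # flow_data_format 1: raw packet header
ETHERTYPE_IPV4 = 0x0800

def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4

def parse_sflow_v5(datagram):
    """Return (src_ip, dst_ip, estimated_bytes) per IPv4 raw-packet-header record."""
    flows = []
    version, off = _u32(datagram, 0)
    if version != SFLOW_VERSION:
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type, off = _u32(datagram, off)
    off += 4 if addr_type == 1 else 16      # agent address: 1 = IPv4, 2 = IPv6
    off += 12                               # sub_agent_id, sequence_number, uptime
    num_samples, off = _u32(datagram, off)
    for _ in range(num_samples):
        sample_format, off = _u32(datagram, off)
        sample_len, off = _u32(datagram, off)
        end = off + sample_len
        if sample_format == FLOW_SAMPLE:
            flows.extend(_parse_flow_sample(datagram[off:end]))
        off = end                           # counter and expanded samples are skipped
    return flows

def _parse_flow_sample(data):
    off = 8                                 # sequence_number, source_id
    sampling_rate, off = _u32(data, off)
    off += 16                               # sample_pool, drops, input, output
    num_records, off = _u32(data, off)
    flows = []
    for _ in range(num_records):
        rec_format, off = _u32(data, off)
        rec_len, off = _u32(data, off)
        end = off + rec_len
        if rec_format == RAW_PACKET_HEADER:
            flow = _parse_raw_header(data[off:end], sampling_rate)
            if flow:
                flows.append(flow)
        off = end
    return flows

def _parse_raw_header(rec, sampling_rate):
    protocol, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", rec, 0)
    hdr = rec[16:16 + hdr_len]
    # header_protocol 1 = Ethernet; need Ethernet (14) + IPv4 (20) bytes to read addresses
    if protocol != 1 or len(hdr) < 34 or struct.unpack_from("!H", hdr, 12)[0] != ETHERTYPE_IPV4:
        return None
    # frame length times sampling rate estimates the traffic this one sample stands for
    return socket.inet_ntoa(hdr[26:30]), socket.inet_ntoa(hdr[30:34]), frame_len * sampling_rate

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (src TEXT, dst TEXT, bytes INTEGER)")
    return db

def store_flows(db, flows):
    db.executemany("INSERT INTO flows VALUES (?, ?, ?)", flows)

def traffic_for_ip(db, ip):
    """The analyzer step: bytes sent by and received by a single address."""
    out_b, in_b = db.execute(
        "SELECT COALESCE(SUM(CASE WHEN src = ? THEN bytes END), 0),"
        "       COALESCE(SUM(CASE WHEN dst = ? THEN bytes END), 0) FROM flows",
        (ip, ip)).fetchone()
    return {"ip": ip, "bytes_out": out_b, "bytes_in": in_b}

def build_datagram(packets, sampling_rate):
    """Constructed sFlow v5 datagram standing in for an agent: one flow sample with
    one raw-packet-header record per (src, dst, frame_len) tuple."""
    records = b""
    for src, dst, frame_len in packets:
        eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
        ip = (b"\x45\x00" + struct.pack("!H", frame_len - 14) + b"\x00" * 8
              + socket.inet_aton(src) + socket.inet_aton(dst))
        hdr = eth + ip
        body = struct.pack("!IIII", 1, frame_len, 4, len(hdr)) + hdr + b"\x00" * (-len(hdr) % 4)
        records += struct.pack("!II", RAW_PACKET_HEADER, len(body)) + body
    sample = struct.pack("!8I", 1, 0, sampling_rate, 1000, 0, 1, 2, len(packets)) + records
    head = (struct.pack("!II", SFLOW_VERSION, 1) + socket.inet_aton("192.0.2.1")
            + struct.pack("!IIII", 0, 1, 0, 1))     # sub_agent_id, seq, uptime, num_samples
    return head + struct.pack("!II", FLOW_SAMPLE, len(sample)) + sample

def run_collector(db, bind="0.0.0.0", port=6343):
    """Collector loop: a malformed datagram is dropped rather than killing the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        datagram, peer = sock.recvfrom(65535)
        try:
            store_flows(db, parse_sflow_v5(datagram))
        except (struct.error, ValueError) as exc:
            print("dropping malformed datagram from %s: %s" % (peer[0], exc))
```

run_collector is the thread that listens on the default sFlow port and feeds the store; analyzer code then calls traffic_for_ip (or a similar query) against the same connection. Two points worth noting: the byte figure is an estimate, frame length multiplied by the agent's sampling rate, which is how sFlow intends sampled data to be scaled; and any truncated or garbage datagram arriving on the UDP port surfaces as struct.error from unpack_from, so the loop catches it per datagram instead of letting one bad packet stop collection.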
Once the flows have been exported to ES, we can easily use them for network abuse analysis (I'm rewriting my old-fashioned abuse detector) as well as for analytics, invoicing and any other metrics-related purpose.
That's what it looks like in Kibana after the export to ES:
