This guide explains how to configure OpFlow to ingest sFlow data using sfcapd instead of the default nfcapd collector.

Important Considerations

1. Collector Exclusivity:

   • You cannot run sfcapd and nfcapd simultaneously if they write to the same directory

   • OpFlow can only read from one directory

   • You must choose between sFlow OR NetFlow collection, not both

2. GUI Behavior:

   • The OpFlow GUI monitors for nfcapd daemon by default

   • Even when sfcapd is collecting flows correctly, the GUI may show warnings about nfcapd being unavailable

   • These warnings can be safely ignored if sfcapd is running properly

   • You can start nfcapd but have it write to another directory like /var/lib/nfdump aswell to remove the warning

Directory Configuration Options

You have two options for configuring the flow collection directory, you will want to consider this before installation:

Option 1: Use Existing nfcapd Directory

If you want to use the default /var/cache/nfdump directory:

1. Stop the nfcapd service before starting sfcapd

2. Use the default path in sfcapd configuration

3. No changes needed to opCommon.json

Option 2: Use Separate Directory

To maintain separate directories for NetFlow and sFlow:

1. Configure sfcapd to use an alternate directory:

   # In sfcapd.service, change the -l parameter: ExecStart=/usr/bin/sfcapd -D -T all -l /var/lib/nfdump -t 120 -p 6343 -P /run/sfcapd.pid

2. Update OpFlow configuration:

   # Edit opCommon.json sudo nano /usr/local/omk/conf/opCommon.json # Change the flow directory parameter to: "<opFlow_dir>": "/var/lib/nfdump"

This second option allows you to keep nfcapd running with its original configuration while collecting sFlow data separately.

Installation

For Debian/Ubuntu Systems

sudo apt-get update
sudo apt-get install nfdump-sflow

For RHEL/CentOS Systems

# Install EPEL repository if not already installed, should be after NMIS install
sudo yum install epel-release

# Install nfdump with sflow support
sudo yum install nfdump-sflow

Configuration Steps

Create a new systemd service file:

sudo nano /etc/systemd/system/sfcapd.service

Add the following content:

[Unit]
Description=sfcapd sFlow collector
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/sfcapd -D -T all -l /var/cache/nfdump -t 120 -p 6343 -P /run/sfcapd.pid
PIDFile=/run/sfcapd.pid
Restart=always

[Install]
WantedBy=multi-user.target

Start sfcapd service:

sudo systemctl daemon-reload
sudo systemctl enable sfcapd
sudo systemctl start sfcapd

Command Line Parameters Explained

The sfcapd command uses these parameters:

• -D: Run as daemon

• -T all: Capture all flow types

• -l /var/cache/nfdump: Output directory for flow data

• -t 120: Create new file every 120 seconds

• -p 6343: Listen on UDP port 6343 (standard sFlow port)

• -P /run/sfcapd.pid: PID file location

Manual Start Option

If you prefer to run sfcapd manually instead of as a service:

sudo sfcapd -D -T all -l /var/cache/nfdump -t 120 -p 6343 -P /run/sfcapd.pid

Troubleshooting

1. Agent IP Display:

   • If agent IP shows as 0.0.0.0, this may indicate sfcapd wasn't started with proper flags for agent IP identification

Verifying Operations:

# Check if sfcapd is running
sudo systemctl status sfcapd

#Check it's running on the correct port
sudo lsof -i :<port>

#check your recieving packets on the correct port
tcpdump -i any udp port <port> -n

# View real-time log entries
sudo journalctl -u sfcapd -f

# Check for flow files being created
ls -l /var/cache/nfdump

Notes

• The default flow collection directory is /var/cache/nfdump

• While the GUI may show warnings about nfcapd if it is stopped, sFlow data collection will continue to work

• sfcapd and nfcapd can't write to the same directory simultaneously, so we cannot ingest both concureently into opFlow