Sample netflow anonymisation script


In this post you will find a simple script I once used to anonymise netflow data.

It uses the nfanon command, which is one of the nfdump tools.

nfanon anonymises all IP addresses (src, dst, next hop, router IP etc.) in the netflow records using the CryptoPAn (Cryptography-based Prefix-preserving Anonymization) module.

nfanon man page
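To show what "prefix-preserving" means in practice, here is an added example (not part of the original post and not nfanon's code). It follows the CryptoPAn idea of flipping each address bit based only on the bits before it, but uses HMAC-SHA256 in place of the Rijndael-based function, so its output will not match nfanon's; the keys and sample addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo keys (32 characters, like the KEY in the script); not real secrets.
KEY_A = b"demo-key-A-constructed-32-chars!"
KEY_B = b"demo-key-B-constructed-32-chars!"


def _flip_bit(key: bytes, leading_bits: str) -> int:
    """Pseudorandom bit that depends only on the key and the bits already seen."""
    return hmac.new(key, leading_bits.encode(), hashlib.sha256).digest()[0] >> 7


def anonymise_ipv4(key: bytes, address: str) -> str:
    """Prefix-preserving mapping: bit i is flipped based on bits 0..i-1 only."""
    bits = format(int(ipaddress.IPv4Address(address)), "032b")
    out = 0
    for i, bit in enumerate(bits):
        out = (out << 1) | (int(bit) ^ _flip_bit(key, bits[:i]))
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()


# Constructed sample addresses from the documentation ranges.
SAMPLES = ["192.0.2.10", "192.0.2.200", "198.51.100.7", "203.0.113.5"]

if __name__ == "__main__":
    for ip in SAMPLES:
        print(f"{ip:>15} -> {anonymise_ipv4(KEY_A, ip):>15} (key A), "
              f"{anonymise_ipv4(KEY_B, ip):>15} (key B)")
    a, b = SAMPLES[0], SAMPLES[1]
    print("shared prefix before:", common_prefix_len(a, b),
          "after:", common_prefix_len(anonymise_ipv4(KEY_A, a), anonymise_ipv4(KEY_A, b)))
```

Two hosts in the same /24 stay in a common /24 after anonymisation, so subnet-level analysis still works. The mapping is fixed per key, so anyone who holds the key can recompute it.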

You may find the netflow anonymisation script below.

#!/usr/bin/env bash
#
# Specify the directory of the flows to be anonymised; two examples below.
#
# Select yesterday's flows
# YESTERDAY=$(date -d '1 day ago' +'%Y/%m/%d')
# FILE_DIR=/data/nfsen/profiles-data/live/upstream1/$YESTERDAY/*
#
# Select a specific date
FILE_DIR=/data/nfsen/profiles-data/live/upstream1/2013/06/24/*

# Specify output directory (keep the trailing slash)
OUTPUT_DIR=/path/to/output/

# Specify log file
LOG_FILE=/path/to/log/anonimize-flow.log

# The KEY is used to initialize the Rijndael cipher. KEY is either a 32
# character string, or a 64 hex digit string starting with 0x.
# Keep it secret: the same key always produces the same address mapping.
KEY=al8BpDojSuFZkjm68zRUXZIlIRNYr73D

# Execute nfanon with the predefined arguments over all flow files.
# FILE_DIR is left unquoted on purpose so that the shell expands the glob.
for f in $FILE_DIR
do
    FILENAME=$(basename "$f")
    /usr/bin/nfanon -K "$KEY" -r "$f" -w "$OUTPUT_DIR$FILENAME" >> "$LOG_FILE"
done

exit

Hope it works for you as well.

One Reply to “Sample netflow anonymisation script”

  1. This is a very nice script, but have you checked whether nfanon works correctly? In my case it messes up Packets and Bytes entries among other things, making it unusable. Using nfdump: Version: 1.6.13
