Home SIEM Part 2: Netflow

08/05/2025

Introduction

In part 1 I wrestled with DNS logging from my GL.iNet router. In this part I'm desperate for some netflow. I was hoping this would be easy considering that my GL.iNet router is using openwrt which has access to many netflow packages. However, this was a wrong assumption and I discovered there were no netflow packages for my router. Finally I found a package that could get me some connection information.

Conntrack

What I found is a package called conntrack which is a cli for netfilter connection tracking. It doesn't give true netflow information but I could at least track src, dst and ports. It also lacks any kind of output to file or syslog. Which means if I was going to use it, I was going to have to hack it together.

I wanted to avoid any file logging because disk space was so limited. Luckly openwrt has a program called logger. Logger will accept stdin and push it to syslog. So all I needed to do was pipe the stdin output from conntrack into logger.

This was easy enough to do. My super hacky and simple shell script:

#!/bin/sh
conntrack -E -e NEW -j | grep -v dst=192.168.5.250 | logger -t "CONNTRACK"

To get it to run on boot I created an initd script and added it to /etc/init.d/:

#!/bin/sh /etc/rc.common

START=99
STOP=01
USE_PROCD=1

start_service() {
    procd_open_instance conntrack
    procd_set_param respawn
    procd_set_param stdout 1
    procd_set_param stderr 1
    procd_set_param command /bin/sh "/root/conntrack_to_syslog.sh" 
    procd_close_instance
}

This solution worked but I wasn't satisfied. It was missing things I really wanted such as: bytes, flow, full protocol stack, stateful tracking, etc.

Softflowd - Compiling

I really wanted netflow. I decided to compile softflowd package for my router myself. Thankfully this is pretty easy with openwrt.

I started by making sure my build environment was ready. Then pulling the source from github. I used the latest release because I just wanted a single package and the actual release of openwrt didn't have my routers cpu as a target where latest did.

git clone http://github.com/openwrt/openwrt.git

First I needed to ensure I had softflowd source downloaded.

./scripts/feeds update -a
./scripts/feeds install softflowd

Next I needed to make sure the configuration was correct for my router.

make menuconfig

I used the following configuration for my router. Openwrt changed their package manging to apk from ipk, but because I'm on an older release I had to force ipk package.

• Target System -> Qualcomm Atheros 802.11axx WiSoC-s
• Subtarget -> Qualcomm Atheros IPQ60xx
• Target Profile -> GL.iNet GL-AX1800
• Network -> Select "softflow"
• Global Build Settings > Deselect "Use APK instead of OPKG to build distribution"

Now it's time to build everything. This took awhile for me because I was in a very resource limited vm.

make -j$(nproc) V=s

Once done I SCPed the following packages to my router.

• bin/packages/aarch64_cortex-a53/packages/softflowd_1.1.0-r2_aarch64_cortex-a53.ipk
• bin/packages/aarch64_cortex-a53/base/libpcap1_1.10.5-r3_aarch64_cortex-a53.ipk
• bin/targets/qualcommax/ipq60xx/packages/libc_1.2.5-r5_aarch64_cortex-a53.ipk
• bin/targets/qualcommax/ipq60xx/packages/libgcc1_14.3.0-r5_aarch64_cortex-a53.ipk

Finally I installed them using opkg in the following order:

• libgcc1
• libc
• libpcap1
• softflowd

Configuration of softflowd was actually really simple. The package install took my syslog configuration and applied those settings to softflowd config. It worked out of the box. Hurray! All I did was some tuning of flow direction.

For anyone who wants netflow on their GL.iNet AX-1800, I hope you find my learnings helpful.

Also if you have a GL.iNet hopefully these compiled packags will work for you:

• libc - download here
• libgcc1 - download here
• libpcap1 - download here
• softflowd - download here

Thanks,

• Me

Back to top