Showing results for 
Search instead for 
Did you mean: 
Cisco Community November 2020 Spotlight Award Winners

Using a Raspberry PI as a Stealthwatch Cloud flow collector - Updated

Cisco Employee



Posting this for anyone interested in using a Raspberry PI as a flow collector for Stealthwatch.  We created a very lightweight version of the Stealtwatch Cloud sensor.  It will create flows on any ethernet port, so you can attach LAN port to SPAN and/or forward NetFlow/IPFIX to it.  I would recommend keeping device counts under 100.


We now have an IMG file that works on Pi versions 3 or 4.  Thanks to Steven Marin who created it.


Cisco Employees get to keep their SWC account as long as it is being used


Cheers - John














See attachment for directions on using pre-built Image


Package Install on existing PI (not a full image)


sudo apt-get install tcpdump

sudo apt-get update && sudo apt-get install -y libglib2.0-0 liblzo2-2 libltdl7 libpcap0.8 zlib1g


sudo dpkg -i ona-service_RaspbianJessie_armhf.deb


sudo dpkg -i netsa-pkg_raspbian.deb



Cisco Employee

It was easy to send NetFlow from my Meraki MX to the Pi running the sensor code!  Thanks for sharing! 11_14_47.jpg


Cisco Employee

Just tried this and it works like a charm! thank you Steven for making this image available. I just ran into a small issue with the priority of the interfaces. The raspberry will default to the Eth0 interface which in my case will be used to connect to a SPAN port so when I connect Eth0 it loses internet connectivity. This can be easily solved by modifying the interface metric parameter on this file:



just add the following configuration and reboot


interface eth0 metric 300


interface wlan0 metric 200



Randall Vega


Cisco Employee

Are there any ports for Buster, Buster 64, and Ubuntu?

Cisco Employee

the commands in the dhcpcd.conf file need to be on separate lines to work correctly


interface eth0

metric 300

interface wlan0

metric 200

Cisco Employee
Content for Community-Ad