Netflow Tools

This guide covers production-grade NetFlow tooling. Start with nfdump for small environments, pmacct + ClickHouse for mid-scale, and GoFlow2 + Kafka for carrier-grade.

1. Core Concept: What NetFlow Actually Is

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network metadata. It is not packet capture (full payload) nor simple SNMP counters (bytes/sec). It is flow-level accounting.

Flow cache timeouts:

```
ip flow-cache timeout active 1      # Export every 1 min (active flows)
ip flow-cache timeout inactive 15   # Export after 15 sec idle
ip flow-cache timeout fast 30       # For TCP FIN/RST
```

Shorter timers = more exports = higher CPU/network load. Longer timers = delayed visibility.

3. NetFlow Tool Stack Architecture

A production NetFlow deployment has four layers:

Layer 1: Exporters (Network Devices)

Configure routers/switches/firewalls to send NetFlow (v5 to collector 192.168.1.100). A software exporter such as softflowd does the same from a host:

```
softflowd -D -i eth0 -v 5 -n 192.168.1.100:2055
```

The collector layer receives the UDP datagrams, parses them, and stores the flows to disk or a time-series DB.

Top 10 source hosts by bytes over the last hour, queried from the stored flows table:

```sql
SELECT src_host, sum(bytes) AS total_bytes
FROM netflow.flows
WHERE flow_start > now() - 3600
GROUP BY src_host
ORDER BY total_bytes DESC
LIMIT 10;
```

Common symptoms, likely causes and fixes:

| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| No flows received | ACL blocking UDP 2055 | show access-list |
| Flows show 0 bytes | Sampling rate too high | Reduce sampling-rate |
| AS numbers are 0 | BGP table not loaded | ip flow-export bgp-nexthop |
| Timestamps wrong | NTP drift | ntp peer on exporter |
| High CPU on router | Flow cache too large | ip flow-cache entries 65536 |
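As an added example (not code from the original guide or from any of the tools it names), here is the collector-side step in miniature: a parser for the NetFlow v5 datagram format that validates the version and record count against the datagram length before trusting the payload, then performs the same top-talkers aggregation as the SQL query above in memory. The sample datagram is constructed inline with a small builder; `build_v5` and the flow tuples are assumptions for the demonstration, not anything the page prescribes.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
V5_MAX_RECORDS = 30                                   # v5 carries at most 30 flows per datagram

def parse_v5(datagram: bytes):
    """Return (header, records); raise ValueError rather than trust a malformed datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    if not 0 < count <= V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Low 14 bits of the sampling field are the interval; 0 means unsampled.
    header = {"count": count, "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": inet_ntoa(f[0]), "dst": inet_ntoa(f[1]),
                        "packets": f[5], "bytes": f[6],
                        "srcport": f[9], "dstport": f[10], "proto": f[13]})
    return header, records

def top_src_by_bytes(records, n=10):
    """In-memory equivalent of the top-talkers SQL query: sum bytes per source host."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["bytes"]
    return totals.most_common(n)

def build_v5(flows, seq=0, sampling=0):
    """Construct a v5 datagram from (src, dst, packets, bytes, sport, dport, proto) tuples (test input)."""
    body = b"".join(
        V5_RECORD.pack(inet_aton(s), inet_aton(d), inet_aton("0.0.0.0"), 1, 2,
                       p, b, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, p, b, sp, dp, pr in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, sampling) + body

# Constructed sample datagram: three flows from two source hosts (not real traffic).
SAMPLE = build_v5([("10.0.0.5", "192.0.2.10", 100, 150000, 51000, 443, 6),
                   ("10.0.0.7", "192.0.2.20", 10, 8000, 51001, 53, 17),
                   ("10.0.0.5", "192.0.2.30", 50, 40000, 51002, 22, 6)])

if __name__ == "__main__":
    hdr, recs = parse_v5(SAMPLE)
    print(hdr, top_src_by_bytes(recs))
```

A real collector would wrap `parse_v5` around a UDP socket bound to port 2055 and drop any datagram that raises, which is the check that keeps a truncated or non-v5 packet from polluting the flow store.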