NetFlow Tools (May 2026)
This guide covers production-grade NetFlow tooling. Start with nfdump for small environments, pmacct + ClickHouse for mid-scale, and GoFlow2 + Kafka for carrier-grade.

Requirements: 30-day retention, botnet C2 detection, per-department billing.

Reference architecture:

```text
Edge Router (NetFlow v9) --UDP 2055--> [pmacct collector (Linux VM)]
                                                  |
                                                  v
                                          Kafka (3 brokers)
                                                  |
                                +-----------------+-----------------+
                                |                                   |
                                v                                   v
                   ClickHouse (3-node cluster)        Elasticsearch (security logs)
                                |                                   |
                                v                                   v
                     Grafana (dashboards)            Kibana (security analysts)
```

Collector configuration ( /etc/pmacct/pmacct.conf ):
1. Core Concept: What NetFlow Actually Is

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network metadata. It is not packet capture (full payload), nor is it simple SNMP counters (bytes/sec). It is flow-level accounting: each record summarizes one conversation (addresses, ports, protocol, byte and packet counts) rather than carrying the packets themselves.
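To make "flow-level accounting" concrete, here is an added example (not code from the page, from pmacct, or from any other tool named in this guide): a minimal NetFlow v9 decoder in Python that shows what a collector listening on UDP 2055 actually receives. The export packet is constructed inline with addresses from the documentation ranges, the header and flowset layout follow RFC 3954, and the `top_talkers` aggregation performs in-process the same per-source byte sum that the ClickHouse query in this guide runs in the database. The `include_template=False` path shows the classic mid-stream caveat: data flowsets arriving before their template cannot be decoded, so a freshly started collector reports nothing until the exporter resends templates.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v9 field type ids (RFC 3954) decoded by this example; others are skipped
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IPV4_FIELDS = {8, 12}


def parse_v9(packet, templates):
    """Decode one NetFlow v9 export packet into a list of flow dicts.

    `templates` maps (source_id, template_id) -> [(field_type, length), ...] and
    is updated in place when a template flowset arrives. Data flowsets whose
    template has not been seen are skipped, as a real collector must do.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte v9 header")
    version, _count, _uptime, unix_secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("flowset length exceeds packet")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                        # template flowset, may hold several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0:              # trailing zero padding, not a template
                    break
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))  # (type, length)
                    pos += 4
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                    # data flowset, id equals the template id
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            pos = 0
            while rec_len and pos + rec_len <= len(body):   # stops at 32-bit padding
                rec = {"exporter_time": unix_secs}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype)
                    if name is None:
                        continue
                    rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                flows.append(rec)
        # fs_id 1 (options template) and 2-255 (reserved) are ignored in this example
        offset += fs_len
    return flows


def top_talkers(flows, n=10):
    """Bytes per source address, descending; ties broken by address."""
    totals = defaultdict(int)
    for f in flows:
        if "src_addr" in f:
            totals[f["src_addr"]] += f.get("in_bytes", 0)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_sample_packet(include_template=True):
    """Constructed sample export (not captured traffic): template 256 and three
    data records. With include_template=False only the data flowset is sent."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(template)) + template

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (socket.inet_aton(src) + socket.inet_aton(dst)
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    records = (rec("10.0.1.5", "198.51.100.7", 51514, 443, 6, 120000, 90)
               + rec("10.0.2.9", "10.0.1.5", 53, 40123, 17, 512, 2)
               + rec("10.0.1.5", "10.0.2.9", 40123, 53, 17, 80, 1))
    pad = (-len(records)) % 4                 # flowsets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(records) + pad) + records + b"\0" * pad
    nrec = 4 if include_template else 3       # header count covers templates and data records
    header = struct.pack("!HHIIII", 9, nrec, 1000, 1700000000, 1, 42)  # source_id 42
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    templates = {}
    flows = parse_v9(build_sample_packet(), templates)
    for src, total in top_talkers(flows):
        print(f"{src:>15} {total:>10} bytes")
```

A production collector keys templates by (exporter address, source_id, template_id) and ages them out; here the exporter address is implicit because the sample packet is built in memory rather than read from a socket.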
Top talkers over the last hour (ClickHouse):

```sql
SELECT src_host, sum(bytes) AS total_bytes
FROM netflow.flows
WHERE flow_start > now() - 3600
GROUP BY src_host
ORDER BY total_bytes DESC
LIMIT 10;
```

Troubleshooting:

| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| No flows received | ACL blocking UDP 2055 | `show access-list` |
| Flows show 0 bytes | Sampling rate too high | Reduce `sampling-rate` |
| AS numbers are 0 | BGP table not loaded | `ip flow-export bgp-nexthop` |
| Timestamps wrong | NTP drift | `ntp peer` on exporter |
| High CPU on router | Flow cache too large | `ip flow-cache entries 65536` |