NetFlow Cheat Sheet
Overview
NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow data. A flow is defined as a unidirectional sequence of packets sharing common properties: source/destination IP, source/destination port, IP protocol, type of service, and input interface. Routers and switches export flow records to a collector, providing detailed visibility into who is communicating, what protocols are being used, and how much bandwidth is consumed. NetFlow is the industry standard for network traffic accounting and analysis.
NetFlow has evolved through several versions: v1 (original), v5 (most widely deployed, fixed format), v9 (template-based, flexible), and IPFIX (Internet Protocol Flow Information Export, standardized version of v9). While NetFlow is a Cisco technology, similar protocols exist from other vendors including J-Flow (Juniper), sFlow (multi-vendor, sampled), and NetStream (Huawei). NetFlow data is essential for bandwidth monitoring, capacity planning, security analysis, DDoS detection, forensics, billing, and compliance. Popular collectors include nfsen, ntopng, SolarWinds, PRTG, and ElastiFlow.
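The flow record layout described above, shown as code. This is an added example and is not code from the original cheat sheet, nfdump, GoFlow2 or Cisco: a Python parser for a NetFlow v5 export datagram. A collector parses unauthenticated UDP, so the header's record count is checked against the real datagram length before any record is indexed; the sampling interval in the header is applied to the byte and packet counters (the "sampling multiplier" the troubleshooting table refers to), and flow_sequence is exposed because gaps in it reveal export loss. The datagram it parses is constructed by build_v5 inside the block; all addresses, ports and counters are sample values.

```python
"""Minimal NetFlow v5 datagram parser (added example; not nfdump/GoFlow2 code).

Field layout follows the documented v5 header (24 bytes) and record (48 bytes).
The sample datagram at the bottom is constructed here, not captured.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # version .. sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # srcaddr .. pad2
MAX_V5_RECORDS = 30   # a v5 datagram carries at most 30 records


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int        # 6 = TCP, 17 = UDP, 1 = ICMP
    tcp_flags: int    # cumulative OR of the TCP flags seen in the flow
    packets: int      # already multiplied by the sampling rate
    bytes: int        # already multiplied by the sampling rate
    first_ms: int     # sysUptime at the first packet
    last_ms: int      # sysUptime at the last packet


@dataclass
class V5Datagram:
    sys_uptime_ms: int
    unix_secs: int
    flow_sequence: int   # running count of exported flows; a gap means export loss
    sampling_rate: int
    records: List[FlowRecord]


def parse_v5(datagram: bytes) -> V5Datagram:
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # The count comes from an unauthenticated UDP packet: check it against the
    # real length before indexing so a truncated or hostile datagram cannot make
    # the parser read past the buffer.
    needed = V5_HEADER.size + count * V5_RECORD.size
    if count > MAX_V5_RECORDS or len(datagram) < needed:
        raise ValueError(f"count={count} needs {needed} bytes, datagram has {len(datagram)}")
    # sampling_interval: top 2 bits = sampling mode, low 14 bits = 1-in-N interval;
    # 0 means the exporter did not sample.
    interval = sampling & 0x3FFF
    rate = interval if interval else 1
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (sa, da, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(sa), socket.inet_ntoa(da),
                                  sport, dport, proto, flags,
                                  pkts * rate, octets * rate, first, last))
    return V5Datagram(sys_uptime, unix_secs, flow_seq, rate, records)


def build_v5(flows: List[Tuple[str, str, int, int, int, int, int, int]],
             sampling_interval: int = 0, flow_sequence: int = 0) -> bytes:
    """Assemble a v5 datagram from (src, dst, sport, dport, proto, flags, pkts, octets)
    tuples. Used here only to construct test input; a router fills these fields."""
    header = V5_HEADER.pack(5, len(flows), 600_000, 1_705_320_000, 0, flow_sequence,
                            0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 590_000, 599_000, sp, dp, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for (s, d, sp, dp, proto, flags, pkts, octets) in flows)
    return header + body


# Constructed sample: one HTTPS flow and one DNS query, exported with 1-in-100 sampling.
SAMPLE_FLOWS = [
    ("192.168.1.100", "203.0.113.10", 51234, 443, 6, 0x1b, 12, 9_800),
    ("192.168.1.100", "192.168.1.1", 40000, 53, 17, 0x00, 1, 78),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sampling_interval=100, flow_sequence=4200)

if __name__ == "__main__":
    dg = parse_v5(SAMPLE_DATAGRAM)
    print(f"seq={dg.flow_sequence} rate=1:{dg.sampling_rate} records={len(dg.records)}")
    for r in dg.records:
        print(f"{r.src}:{r.src_port} -> {r.dst}:{r.dst_port} proto={r.proto} "
              f"flags=0x{r.tcp_flags:02x} pkts={r.packets} bytes={r.bytes}")
```

Because the counters are scaled at parse time, a 1-in-100 sampled flow of 9 800 octets is reported as 980 000 bytes; a collector that skips this step under-reports traffic by the sampling factor, which is the "sampled data inaccurate" row of the troubleshooting table.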
Installation (Collector Tools)
nfdump/nfsen (Linux)
# Install nfdump (collector and analysis tool)
sudo apt update
sudo apt install nfdump
# Install nfsen (web frontend for nfdump)
sudo apt install nfsen
# Verify
nfcapd -V
nfdump -V
GoFlow2 (Modern Collector)
# Install GoFlow2
go install github.com/netsampler/goflow2@latest
# Or download binary
wget https://github.com/netsampler/goflow2/releases/latest/download/goflow2-linux-amd64
chmod +x goflow2-linux-amd64
sudo mv goflow2-linux-amd64 /usr/local/bin/goflow2
softflowd (NetFlow Generator from pcap)
# Generate NetFlow from packet capture
sudo apt install softflowd
# Generate from live interface
sudo softflowd -i eth0 -n 127.0.0.1:2055
# Generate from pcap file
sudo softflowd -r capture.pcap -n 127.0.0.1:2055
ElastiFlow (Elasticsearch-based)
# Docker-based deployment
docker run -d \
--name elastiflow \
-p 2055:2055/udp \
-p 4739:4739/udp \
-p 6343:6343/udp \
-e EF_OUTPUT_ELASTICSEARCH_ENABLE=true \
-e EF_OUTPUT_ELASTICSEARCH_ADDRESSES=elasticsearch:9200 \
elastiflow/flow-collector:latest
Cisco Router Configuration
NetFlow v5
! Enable NetFlow on interface
interface GigabitEthernet0/0
ip flow ingress
ip flow egress
! Configure NetFlow export
ip flow-export version 5
ip flow-export destination 10.0.0.100 2055
ip flow-export source Loopback0
! Set flow cache parameters
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
! Verify
show ip flow export
show ip cache flow
show ip cache verbose flow
NetFlow v9
! Configure flow exporter
flow exporter EXPORTER-1
destination 10.0.0.100
source Loopback0
transport udp 2055
export-protocol netflow-v9
template data timeout 60
option interface-table
option exporter-stats
! Configure flow monitor
flow monitor MONITOR-1
exporter EXPORTER-1
cache timeout active 60
cache timeout inactive 15
record netflow ipv4 original-input
! Apply to interface
interface GigabitEthernet0/0
ip flow monitor MONITOR-1 input
ip flow monitor MONITOR-1 output
! Verify
show flow exporter
show flow monitor
show flow monitor MONITOR-1 cache
Flexible NetFlow (IPFIX)
! Define flow record with custom fields
flow record CUSTOM-RECORD
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match ipv4 tos
match interface input
collect counter bytes long
collect counter packets long
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect transport tcp flags
! Configure monitor with custom record
! (EXPORTER-1 above uses export-protocol netflow-v9; set "export-protocol ipfix"
!  on the exporter to emit IPFIX instead)
flow monitor CUSTOM-MONITOR
record CUSTOM-RECORD
exporter EXPORTER-1
cache timeout active 60
cache entries 65536
! Apply to interface
interface GigabitEthernet0/0
ip flow monitor CUSTOM-MONITOR input
nfdump Analysis Commands
Collecting Flows
# Start NetFlow collector
nfcapd -w -D -l /var/cache/nfdump -p 2055
# Collect with rotation interval (5 minutes)
nfcapd -w -D -l /var/cache/nfdump -p 2055 -t 300
# Collect multiple sources (ident per router)
nfcapd -w -D -l /var/cache/nfdump/router1 -p 2055 -I router1
nfcapd -w -D -l /var/cache/nfdump/router2 -p 2056 -I router2
Analyzing Flows
# Read all flows from a file
nfdump -r /var/cache/nfdump/nfcapd.202401151200
# Read flows from time range
nfdump -R /var/cache/nfdump -t 2024/01/15.12:00:00-2024/01/15.13:00:00
# Top 10 talkers by bytes
nfdump -r nfcapd.file -s srcip/bytes -n 10
# Top talkers by flows
nfdump -r nfcapd.file -s srcip/flows -n 20
# Top destination ports
nfdump -r nfcapd.file -s dstport/bytes -n 10
# Top protocols
nfdump -r nfcapd.file -s proto/bytes
# Filter by IP address
nfdump -r nfcapd.file 'src ip 192.168.1.100'
nfdump -r nfcapd.file 'dst ip 10.0.0.1'
# Filter by port
nfdump -r nfcapd.file 'dst port 80 or dst port 443'
# Filter by protocol
nfdump -r nfcapd.file 'proto tcp'
nfdump -r nfcapd.file 'proto udp and dst port 53'
# Complex filters
nfdump -r nfcapd.file 'src ip 192.168.1.0/24 and dst port 443 and bytes > 1000000'
# Output format options
nfdump -r nfcapd.file -o long # Detailed output
nfdump -r nfcapd.file -o csv # CSV format
nfdump -r nfcapd.file -o json # JSON format
nfdump -r nfcapd.file -o extended # Extended output
# Custom output format
nfdump -r nfcapd.file -o "fmt:%sa %da %sp %dp %pr %byt %pkt"
# Aggregate flows
nfdump -r nfcapd.file -A srcip,dstip -s record/bytes -n 20
# Time window analysis
nfdump -R /var/cache/nfdump -t 2024/01/15.00:00:00-2024/01/16.00:00:00 \
-s srcip/bytes -n 10
Statistical Analysis
| Command | Description |
|---|---|
| -s srcip/bytes | Top source IPs by bytes |
| -s dstip/bytes | Top destination IPs by bytes |
| -s srcip/flows | Top source IPs by flow count |
| -s dstport/bytes | Top destination ports by bytes |
| -s srcport/bytes | Top source ports by bytes |
| -s proto/bytes | Protocol distribution by bytes |
| -s record/bytes | Top flow records by bytes |
| -s srcas/bytes | Top source AS numbers by bytes |
| -s dstas/bytes | Top destination AS numbers by bytes |
Advanced Usage
Security Analysis
# Detect port scanning (many dst ports from one source)
nfdump -r nfcapd.file -s srcip/flows 'flags S and not flags ARFPU' -n 20
# Find large data transfers (exfiltration)
nfdump -r nfcapd.file 'bytes > 100000000' -o long -s record/bytes
# DNS tunneling detection (large DNS flows)
nfdump -r nfcapd.file 'dst port 53 and bytes > 10000' -s srcip/bytes
# ICMP anomalies
nfdump -r nfcapd.file 'proto icmp and packets > 100' -o long
# DDoS detection (many sources to one destination)
nfdump -r nfcapd.file -s dstip/flows -n 10
nfdump -r nfcapd.file 'dst ip 10.0.0.1' -s srcip/flows -n 50
# Find C2 beaconing (regular small flows)
nfdump -r nfcapd.file 'bytes < 1000 and dst port > 1024' \
-A srcip,dstip,dstport -s record/flows -n 20
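The first and last filters in this section (SYN-only probing from one source, and regular small flows to one destination) as detection logic. This is an added example, not code from the cheat sheet or from nfdump: both heuristics run over constructed flow records carrying the same fields nfdump prints. The thresholds (15 target ports, 6 flows, 1000 bytes, 10% interval variation) are assumptions to tune against a real baseline.

```python
"""Flow-based heuristics for port scanning and beaconing (added example, not nfdump code).

Records are NamedTuples mirroring nfdump fields. All sample data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    start: float     # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    proto: int       # 6 = TCP, 17 = UDP
    flags: int       # cumulative TCP flags (0x02 SYN, 0x10 ACK, ...)
    packets: int
    bytes: int


SYN, ACK = 0x02, 0x10


def syn_only(flags: int) -> bool:
    """SYN set and ACK never set: no handshake completed (closed or filtered port,
    or a half-open probe)."""
    return flags & (SYN | ACK) == SYN


def port_scanners(flows: List[Flow], min_ports: int = 15) -> Dict[str, int]:
    """Sources whose SYN-only TCP flows touched at least `min_ports` distinct
    (host, port) targets: the flow-level view of `-s srcip/flows 'flags S ...'`."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto == 6 and syn_only(f.flags) and f.packets <= 2:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


def beacons(flows: List[Flow], min_flows: int = 6, max_bytes: int = 1000,
            max_cv: float = 0.1) -> Dict[Tuple[str, str, int], Tuple[float, float]]:
    """(src, dst, dport) tuples with at least `min_flows` small flows whose
    inter-arrival times are nearly constant (coefficient of variation <= max_cv).
    Returns the mean interval and its CV for each hit."""
    series: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        if f.bytes < max_bytes:
            series[(f.src, f.dst, f.dport)].append(f.start)
    hits = {}
    for key, starts in series.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[key] = (avg, cv)
    return hits


# --- constructed sample data -------------------------------------------------
T0 = 1_705_320_000.0
SAMPLE: List[Flow] = []
# One host probing 21 ports on one server: single-packet SYN-only flows.
SAMPLE += [Flow(T0 + p, "10.1.1.5", "10.0.0.20", p, 6, SYN, 1, 60) for p in range(20, 41)]
# Small connections every ~300 s (a few seconds of jitter) to one external port.
for i, jitter in enumerate([0, 0, 1, -1, 0, 2, 0, 0]):
    SAMPLE.append(Flow(T0 + 300 * i + jitter, "10.1.1.7", "203.0.113.9", 8443,
                       6, SYN | ACK | 0x08, 9, 412))
# Ordinary browsing and irregular DNS lookups; neither heuristic should flag these.
SAMPLE += [Flow(T0 + t, "10.1.1.9", "198.51.100.4", 443, 6, SYN | ACK | 0x19, 240, 250_000)
           for t in (5, 47, 500, 1900)]
SAMPLE += [Flow(T0 + t, "10.1.1.9", "10.0.0.53", 53, 17, 0, 1, 120)
           for t in (5, 60, 61, 400, 410, 900)]

if __name__ == "__main__":
    for src, n in port_scanners(SAMPLE).items():
        print(f"possible port scan: {src} probed {n} host:port pairs")
    for (src, dst, dport), (avg, cv) in beacons(SAMPLE).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every {avg:.0f}s (cv={cv:.3f})")
```

Both functions work on whatever time window you feed them, so the natural input is one nfcapd rotation file (or a `-t` range) converted with `-o csv`; the beacon check needs enough flows in the window to measure an interval, which is why a 5-minute file alone rarely suffices and a daily range does.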
Automated Reporting
#!/bin/bash
# daily_report.sh - Generate a NetFlow report for yesterday
set -u
DATE=$(date -d yesterday +%Y/%m/%d)    # nfdump -t takes YYYY/MM/DD.HH:MM:SS
WINDOW="${DATE}.00:00:00-${DATE}.23:59:59"
DATADIR="/var/cache/nfdump"
REPORT="/var/reports/netflow-$(date -d yesterday +%F).txt"
mkdir -p "$(dirname "$REPORT")"
{
    echo "=== Daily NetFlow Report: $DATE ==="
    echo ""
    echo "--- Top 20 Talkers (by bytes) ---"
    nfdump -R "$DATADIR" -t "$WINDOW" -s srcip/bytes -n 20
    echo ""
    echo "--- Top 20 Destinations ---"
    nfdump -R "$DATADIR" -t "$WINDOW" -s dstip/bytes -n 20
    echo ""
    echo "--- Protocol Distribution ---"
    nfdump -R "$DATADIR" -t "$WINDOW" -s proto/bytes
} > "$REPORT"
Export to Other Formats
# Export to CSV for spreadsheet analysis
nfdump -r nfcapd.file -o csv > flows.csv
# Export to JSON for Elasticsearch
nfdump -r nfcapd.file -o json > flows.json
# Pipe to other tools: source, destination and input bytes, largest first
# (nfdump 1.6 csv columns: 4=sa, 5=da, 13=ibyt; NR>1 skips the header row,
#  NF>12 skips the "Summary:" lines nfdump appends)
nfdump -r nfcapd.file -o csv | awk -F, 'NR>1 && NF>12 {print $4,$5,$13}' | sort -k3 -rn | head
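A header-driven alternative to the awk pipeline above, added here as an example and not nfdump code: nfdump's CSV output starts with a header row and ends with summary lines, so reading fields by name and stopping at the summary is more robust than fixed column numbers that shift between versions. The sample text is constructed to mirror the first 13 columns of the nfdump 1.6 CSV layout (an assumption; check the header your own nfdump prints) and the totals in its summary lines are computed from those rows.

```python
"""Consume `nfdump -o csv` output by column name (added example, not nfdump code).

NFDUMP_CSV is a constructed excerpt: header, four flow rows and the trailing
summary lines. Real output has many more columns after ibyt.
"""
import csv
import io
from collections import Counter
from typing import Dict, Iterator, List, Tuple

NFDUMP_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2024-01-15 12:00:01.120,2024-01-15 12:00:09.870,8.750,192.168.1.100,203.0.113.10,51234,443,TCP,.AP.SF,0,0,120,98000
2024-01-15 12:00:02.000,2024-01-15 12:00:02.005,0.005,192.168.1.100,192.168.1.1,40000,53,UDP,......,0,0,1,78
2024-01-15 12:00:03.400,2024-01-15 12:01:40.010,96.610,192.168.1.50,203.0.113.10,44000,443,TCP,.AP.SF,0,0,9000,12500000
2024-01-15 12:00:04.000,2024-01-15 12:00:04.000,0.000,10.1.1.5,10.0.0.20,53000,22,TCP,....S.,0,0,1,60
Summary: total flows: 4, total bytes: 12598138, total packets: 9122, avg bps: 1019130, avg pps: 92, avg bpp: 1381
Time window: 2024-01-15 12:00:01 - 2024-01-15 12:01:40
Total flows processed: 4, Blocks skipped: 0, Bytes read: 1024
"""

SUMMARY_PREFIXES = ("Summary:", "Time window:", "Total flows processed:", "Sys:")


def flow_rows(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per flow row, keyed by header name; stop at the summary block."""
    lines = []
    for line in text.splitlines():
        if not line or line.startswith(SUMMARY_PREFIXES):
            break
        lines.append(line)
    yield from csv.DictReader(io.StringIO("\n".join(lines)))


def top_pairs(text: str, n: int = 10) -> List[Tuple[Tuple[str, str], int]]:
    """Bytes per (src, dst) pair, largest first: the equivalent of
    `nfdump -A srcip,dstip -s record/bytes -n N`."""
    totals: Counter = Counter()
    for row in flow_rows(text):
        totals[(row["sa"], row["da"])] += int(row["ibyt"])
    return totals.most_common(n)


def top_by(text: str, column: str, n: int = 10) -> List[Tuple[str, int]]:
    """Generalised `-s <key>/bytes`: bytes per distinct value of any header column."""
    totals: Counter = Counter()
    for row in flow_rows(text):
        totals[row[column]] += int(row["ibyt"])
    return totals.most_common(n)


if __name__ == "__main__":
    for (sa, da), b in top_pairs(NFDUMP_CSV):
        print(f"{sa:>15} -> {da:<15} {b:>12} bytes")
    print(top_by(NFDUMP_CSV, "dp", 3))
```

Feed it the live output with `nfdump -r nfcapd.file -o csv | python3 this_script.py` after replacing NFDUMP_CSV with `sys.stdin.read()`; because lookups go through the header, a column added or reordered by a newer nfdump does not silently change which field you sum.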
Configuration
nfsen Configuration
# /etc/nfsen/nfsen.conf
$BASEDIR = "/var/cache/nfsen";
$HTMLDIR = "/var/www/nfsen";
$PREFIX = "/usr/bin";
$SUBDIRLAYOUT = 1;
%sources = (
'router1' => { 'port' => '2055', 'col' => '#0000ff' },
'router2' => { 'port' => '2056', 'col' => '#ff0000' },
'switch1' => { 'port' => '2057', 'col' => '#00ff00' },
);
$MAIL_FROM = 'netflow@example.com';
$SMTP_SERVER = 'localhost';
# Alert thresholds (e.g. flows > 100000 -> e-mail admin@example.com) are not set
# in nfsen.conf: create them per profile in the web UI under "Alerts".
Troubleshooting
| Issue | Solution |
|---|---|
| No flows received | Check UDP port open, verify exporter config |
| Incomplete flow data | Check active/inactive timeouts on router |
| High collector CPU | Reduce export rate, increase rotation interval |
| Disk space growing fast | Set data retention, enable compression |
| Version mismatch | Match collector version (v5/v9/IPFIX) to exporter |
| Missing bidirectional data | Enable both ingress and egress on interfaces |
| Sampled data inaccurate | Apply sampling multiplier in collector |
| Template timeout errors | Increase template refresh interval |
Verification Commands
# Check if flows are arriving
sudo tcpdump -i eth0 -n udp port 2055 -c 10
# Verify nfcapd is running
ps aux | grep nfcapd
# Check nfcapd files are being created
ls -la /var/cache/nfdump/
# Read latest capture file
nfdump -r $(ls -t /var/cache/nfdump/nfcapd.* | head -1) | head
# Cisco verification
show ip flow export
show ip cache flow
show flow monitor MONITOR-1 statistics