Netflow Tools Guide
Cisco IOS exporter (v5 to collector 192.168.1.100):

```
interface GigabitEthernet0/1
 ip flow ingress
 ip flow egress
!
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.168.1.100 2055
```
Collector side (nfdump):

```shell
# Flows per second (FPS) spike
nfcapd -p 2055 -w -l /data -T all
# Real-time:
watch -n 1 'nfdump -R /data -r current -s flows | head'
```

(requires NetFlow v9 + BGP table)
Top 10 source hosts by bytes over the last hour (ClickHouse):

```sql
SELECT src_host, sum(bytes) AS total_bytes
FROM netflow.flows
WHERE flow_start > now() - 3600
GROUP BY src_host
ORDER BY total_bytes DESC
LIMIT 10;
```

Troubleshooting:

| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| No flows received | ACL blocking UDP 2055 | show access-list |
| Flows show 0 bytes | Sampling rate too high | Reduce sampling-rate |
| AS numbers are 0 | BGP table not loaded | ip flow-export bgp-nexthop |
| Timestamps wrong | NTP drift | ntp peer on exporter |
| High CPU on router | Flow cache too large | ip flow-cache entries 65536 |
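A collector-side view of the v5 export configured above, as an added example in Python (not code from the original guide or from any tool it names): it parses NetFlow v5 datagrams with the length checks a UDP listener needs before trusting the header's record count, reads the sampling interval the exporter advertises, and computes the same per-source byte totals as the top-talkers query. The `build_v5` helper and `SAMPLE_FLOWS` are constructed test input, not real router output.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by up to 30 fixed 48-byte
# flow records, field order as in Cisco's v5 export format documentation.
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes

def parse_v5(datagram: bytes):
    """Parse one v5 datagram into (header, records); reject malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _up, _secs, _ns, seq, _et, _eid, samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # count must agree with the payload length, otherwise a truncated or forged
    # packet would make the collector read past the data it actually received
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count disagrees with datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                        "proto": f[13]})
    # low 14 bits of the sampling field carry the 1-in-N interval (0 = unsampled)
    return {"sequence": seq, "sampling_interval": samp & 0x3FFF}, records

def top_talkers(records, sampling_interval=0, limit=10):
    """Same aggregate as the SQL top-talkers query, computed over parsed records."""
    scale = sampling_interval or 1  # scale sampled byte counts back up to line rate
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"] * scale
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:limit]

def build_v5(flows, seq=1, sampling_interval=0):
    """Build a constructed v5 datagram (test input, not real router output)."""
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, sampling_interval)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                                   1, 2, pk, by, 0, 0, sp, dp, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
                    for s, d, pk, by, sp, dp in flows)
    return hdr + body

# constructed sample flows: (src, dst, packets, bytes, sport, dport)
SAMPLE_FLOWS = [("10.0.0.5", "192.168.1.100", 10, 1500, 40000, 443),
                ("10.0.0.7", "192.168.1.100", 200, 300000, 40001, 443),
                ("10.0.0.5", "10.0.0.9", 4, 600, 53000, 53)]
```

Feeding `parse_v5` the payload of each UDP datagram received on port 2055 and passing the header's `sampling_interval` to `top_talkers` gives byte totals comparable to the SQL result even when the exporter samples, which is the "Flows show 0 bytes" case in the table above.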
This guide covers production-grade NetFlow tooling. Start with nfdump for small environments, pmacct + ClickHouse for mid-scale, and GoFlow2 + Kafka for carrier-grade deployments.
Junos exporter (sampled, v5 to collector 192.168.1.100):

```
set forwarding-options sampling input rate 1000
set forwarding-options sampling family inet output cflowd 192.168.1.100 port 2055 version 5
```
Pipeline architecture:

```
Edge Router (NetFlow v9) --UDP 2055--> [pmacct collector (Linux VM)]
                                                  |
                                                  v
                                          Kafka (3 brokers)
                                                  |
                              +-------------------+-------------------+
                              |                                       |
                              v                                       v
                   ClickHouse (3-node cluster)          Elasticsearch (security logs)
                              |                                       |
                              v                                       v
                   Grafana (dashboards)                 Kibana (security analysts)
```

(/etc/pmacct/pmacct.conf):