NetFlow Tools
This guide covers production-grade NetFlow tooling. Start with nfdump for small environments, pmacct + ClickHouse for mid-scale, and GoFlow2 + Kafka for carrier-grade.

Cisco IOS (flow-cache timers):

    ip flow-cache timeout active 1      ! export long-lived (active) flows every 1 min
    ip flow-cache timeout inactive 15   ! export a flow after 15 s idle
    ip flow-cache timeout fast 30       ! for TCP FIN/RST

Shorter timers = more exports = higher CPU/network load. Longer timers = delayed visibility.

Juniper Junos (sample 1 in 1000 packets, export NetFlow v5 to the collector):

    set forwarding-options sampling input rate 1000
    set forwarding-options sampling family inet output cflowd 192.168.1.100 port 2055 version 5

Linux host (softflowd; -D keeps it in the foreground with debug output, -v 5 selects NetFlow v5, -n names the collector):

    softflowd -D -i eth0 -v 5 -n 192.168.1.100:2055

3. NetFlow Tool Stack Architecture

A production NetFlow deployment has four layers:

Layer 1: Exporters (Network Devices). Configure routers/switches/firewalls to send NetFlow.

Layer 2: Collector. Receives UDP datagrams, parses, stores to disk/time-series DB. NetFlow export is plain, unauthenticated UDP: restrict the collector port to the exporters' source addresses and watch the header's flow sequence counter, because dropped datagrams are never retransmitted.

Example deployment:

    Edge Router (NetFlow v9) --UDP 2055--> [pmacct collector (Linux VM)]
                                                    |
                                                    v
                                             Kafka (3 brokers)
                                                    |
                                      +---> ClickHouse (3-node cluster) ---> Grafana (dashboards)
                                      +---> Elasticsearch (security logs) ---> Kibana (security analysts)

pmacct collector configuration (/etc/pmacct/pmacct.conf):

    plugins: kafka
    aggregate: src_host, dst_host, src_port, dst_port, proto, tos, src_as, dst_as
    kafka_topic: netflow_raw
    kafka_broker_host: kafka1:9092,kafka2:9092
    imt_path: /var/spool/pmacct

Top talkers last hour:
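The collector's parse-and-aggregate step, as an added example in Python (this is not code from the guide or from pmacct, nfdump or softflowd): it unpacks a NetFlow v5 datagram of the kind the softflowd command above emits, scales the packet and byte counters by the header's sampling interval, rejects truncated or non-v5 input, and ranks top talkers by bytes in memory. The datagram is constructed by build_v5_datagram() from the made-up flows in SAMPLE_FLOWS; both are assumptions for the example, not captured traffic.

```python
"""Minimal NetFlow v5 collector logic: parse one UDP datagram, rank top talkers.

Added example, not the guide's own code. The input datagram is constructed
below with build_v5_datagram(); nothing here was captured from a router.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (RFC-less, documented by Cisco): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # v5 exporters never pack more than 30 records into one datagram


def parse_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 export datagram into a header dict plus a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Top 2 bits of the sampling field are the mode; the low 14 bits are the 1-in-N interval.
    sample_interval = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": tcp_flags, "src_as": src_as, "dst_as": dst_as,
            # Sampled exporters report sampled counts; scale back to estimated totals.
            "packets": pkts * sample_interval, "bytes": octets * sample_interval,
            "first_ms": first, "last_ms": last,
        })
    return {"unix_secs": unix_secs, "flow_sequence": flow_seq, "engine_id": engine_id,
            "sampling_interval": sample_interval, "flows": flows}


def top_talkers(flows, n=3):
    """Rank source hosts by total bytes: the 'top talkers' query done in memory."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_v5_datagram(records, sampling_interval=1, flow_seq=0):
    """Constructed test input: pack (src, dst, sport, dport, proto, flags, pkts, octets)
    tuples into a v5 datagram shaped like the ones softflowd sends."""
    header = V5_HEADER.pack(5, len(records), 600000, 1700000000, 0, flow_seq,
                            0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0", 1, 2,
                       pkts, octets, 0, 1000, sport, dport, 0, flags, proto, 0,
                       0, 0, 24, 24, 0)
        for (src, dst, sport, dport, proto, flags, pkts, octets) in records)
    return header + body


SAMPLE_FLOWS = [  # constructed for the example, not captured traffic
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0x18, 120, 150000),
    ("10.0.0.7", "192.0.2.10", 51001, 443, 6, 0x18, 10, 8000),
    ("10.0.0.5", "198.51.100.9", 53211, 53, 17, 0, 2, 300),
    ("10.0.0.9", "192.0.2.25", 44444, 22, 6, 0x02, 400, 24000),
]
# 1-in-1000 sampling, as the Juniper example above configures.
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sampling_interval=1000, flow_seq=42)

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    for host, nbytes in top_talkers(parsed["flows"]):
        print(f"{host:15} {nbytes:>12} bytes (sampling 1:{parsed['sampling_interval']})")
```

The length check before the record loop is the part a real collector must not skip: the count field is attacker-controlled on an unauthenticated UDP port, so it is validated against the datagram length instead of being trusted.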