NFDUMP is a set of tools to capture/record, dump,
filter, and replay NetFlow (v5/7/9) data. Can filter flows according
to multiple user-defined profiles. NfSen is a Graphical
Web-based front-end for the NFDUMP tools. Plots aggregate statistics
over time, supports filtering and drilling down up to the individual
Open source implementation of an IPFIX meter developed at the
University of Waikato. Reads packets from PCAP interfaces, trace
files, or DAG capture cards. Templates can be defined by the user.
IPFIX messages are exported via SCTP, TCP or UDP, or flow records can
be written directly to an SQLite database. Supports extension through
a documented development interface.
As far as I can see, Mark Fullmer, the author, is no longer
maintaining this code - the last changelog entry on the original site
is from 2005. But some people seem to have put it on a public code
where issues can be logged and where there is a public code
repository that shows some activity.
Similar to cflowd but implemented as
a set of smaller tools, with the addition of compression of the
recorded data, thus capable of recording many more flows in a given
amount of disk space. See paper
about its application for Intrusion Detection. There is also
list for the package.
There is a short presentation called Ohio
Gigapop Traffic Measurements that shows some examples on how
flow-tools can be used.
can be used to filter flow-tools-recorded flows through
user-specified tests; a set
contribs" by Horatio B. Bogbindero; some patches and
module by Robin
a script that extracts lists of the highest bandwidth consumers by
host and by port
- Installed at UCB,
seems to have similar uses as the older MATHE
Invented as a web interface
to flow-tools, it has added support
for SiLK in version 4.0 (which handles IPFIX
netflow (e.g., Cisco v9, Flexible Netflow, etc.) This new version
introduces a much-improved user interface with an actively updating
dashboard. It also supports analysis of IPv6 traffic. Consists of
three tools: FlowViewer provides the user with web access
to many of the textual and statistical
reports. FlowGrapher provides a web page with a graph of
the selected flow data. These web pages can be
saved. FlowTracker allows the user to maintain this
information long-term by creating four MRTG-like graphs. Filtered
flow data is collected every five minutes and the graphs are
updated. FlowTracker requires Tobi
package. Screenshots are available.
A traffic analysis and visualization tool that describes the
traffic mix of a link through textual reports and time series plots.
The underlying research is documented in a SIGCOMM 2003 paper,
Automatically Inferring Patterns of Resource Consumption in
Network Traffic, C. Estan, S. Savage, G. Varghese (PDF
Netpy is a network traffic analysis and visualization package
developed at University of Wisconsin-Madison. This application is
intended for the use of network administrators and it can help
understand usage trends in your network as well as support interactive
analysis of specific network events of interest. Netpy is distributed
under GPL and a BSD-like license. Netpy stores NetFlow records in a
local database after applying some sampling to reduce the size of the
data. The analysis engine supports interactive analyses on this data
where the user chooses the time interval of interest, the filtering
rules to apply to the traffic and the type of analysis. The netpy
console allows the user to manage the database, and perform analyses
interactively or through scripts. The graphical user interface
visualizes the results of the analyses accessing the database locally
or remotely through a netpy server that is also part of the
Stager is a system for aggregation and presentation of network
statistics from the flow-tools package. Includes PostgreSQL storage
of aggregated statistics, as well as a Web frontend. A public demo is available.
Developed to analyze (sampled) Netflow data from the Internet2
Abilene backbone. This is used to generate the Internet2 NetFlow Weekly
Reports, which contain interesting statistics not easily found
elsewhere, such as distribution of bulk flow throughput. There are
two mailing lists for announcements
and for user
Set of Perl and PHP scripts to support external traffic
engineering and planning. Works with Netflow v8/v9 with "AS"
router-based aggregation, or with unaggregated Netflow v5 data. An
earlier version was described in this
at SwiNOG 16.
Rather complex system with distributed log servers. Released in
1998, this was the first open-source software system to work on
NetFlow data, but doesn't seem to be maintained anymore. CAIDA have
prepared a nice FAQ
which contains interesting information both on Cflowd and on NetFlow
in general. CAIDA has announced that they no longer support cflowd,
and recommend that people move to flow-tools instead.
Small Netflow monitoring tool developed by ARIN, available under
GPL. Features include easy configuration, maintenance of and graph
generation from RRDtool files,
pf/tcpdump-style filter rules. There is a mailing list for
announcements and discussion.
Tool to analyze traffic to "would-be" BGP neighbors. Presented by
Richard Steenbergen and Nathan Patrick at NANOG 35, October
2005. There is supposed to be both an easy-to-use Perl version and a
high-performance (but somewhat complex) C version.
Software used for charging, monitoring, and traffic analysis at
SWITCH. Includes its own NetFlow v5/v9 accounting receiver which
aggregates traffic into multidimensional matrices
(AS/site/application). Can handle IPv6 as well as IPv4 flows. Most
of the software is written in Common Lisp.
A small program that receives UDP datagrams and redistributes
them to a set of receivers. Useful to distribute NetFlow accounting
streams to multiple post-processing programs. Is able to distribute
only a specified percentage of all packets to each receiver. Note
that recent versions added the possibility of "spoofing" the
original sender's IP address.
"A NetFlows Conversion/Anonymization Tool for Format
Interoperability and Secure Sharing". Converts NetFlow data between
various formats including NetFlow v5 and v7, NFDUMP, CiscoNCSA and ArgusNCSA, and is able to
apply various methods of anonymization based on user configuration.
See also the FlowCon 2005 paper by
K. Luo, Y. Li, A. Slagell, and W. Yurcik.
An open-source project started in 2001 by Costas Kotsokalis of
GRNET. Uses NetFlow accounting data to detect (Distributed) Denial of
Service attacks. Status as of November 2006: Supports NetFlow v1, v5
and v8 (router-aggregated) (with v8 untested for its biggest
part). The system supports proof-of-concept attack trace-back using a
mesh of detectors. Updates have been introduced so that the project
compiles on newer systems.
Real-time 3D traffic visualization system developed at Merit. This client/server system
based on Netflow and OpenGL plots traffic patterns by IP address, AS,
or port numbers, and allows interactive exploration of this data.
Sample graphics and a paper are available from the Website.
MHTG (Multi Host Traffic Grapher)
Uses NetFlow to generate per-host graphs of traffic for a campus
network. Nice user interface implemented as a Java applet which
allows interaction with traffic plots. The software consists of a C++
program to process NetFlow data, a MySQL backend, a Perl frontend
and the Java grapher. Used to be available
under http://mhtg.the.net/mhtg.html, but can no longer be
found as of May 2009.
A library of bitmap counting algorithms that count the number of
active flows in a network traffic trace. To be able to use it, you
should be familiar with the paper that describes the algorithms it
implements: _Bitmap algorithms for counting active flows on high speed
links_, C. Estan, G. Varghese, M. Fisk, Internet Measurement
Conference 2003 (PDF
SiLK, the System for Internet-Level Knowledge, is a collection of
netflow tools developed by the CERT/NetSA (Network Situational
Awareness) Team to facilitate security analysis in large networks.
The toolset includes programs such as rwfilter,
rwcount, rwuniq. Supports Netflow v5/v9, IPFIX;
IPv4 and IPv6 accounting.
This UDP/Netflow Processing Framework is a system for
real-time processing of UDP packet streams such as Netflow export
data. It features a general infrastructure for dynamically
configurable plugin modules.
A small self-contained program that generates NetFlow accounting
data for a traffic stream sniffed off one or several interfaces.
Works under Unix and Windows environments. It can be used to build
inexpensive NetFlow probes.
Traffic probe that can generate NetFlow data. Based on the
libpcap library. Fairly small implementation in C. It
includes a Linux-only variant, fprobe-ulog, that
uses the libipulog library to get the packets from the
Linux netfilter (iptables) code for higher performance and
access to the internal SNMP interface indices.
Traffic probe that can generate NetFlow data. Based on libpcap.
Comes with a NetFlow collector in Perl. Both the server (probe) and
client (collector) support export/import over IPv6. Very lean (as of
June 2004) implementation in C. The pfflowd
variant is based on OpenBSD's PF interface. The flowd companion
NetFlow collector includes features such as multicast, IPv6 and
NetFlow v9 support, as well as fast upfront filtering.
"a tool for gathering, storing and analyzing traffic accounting
for Cisco routers with NetFlow enabled switching (version 5). This
package could be used by ISP for planning, analysis and billing
A set of tools to account and aggregate IP traffic. Supports
libpcap, Netflow v1/5/7/8/9, and sFlow v2/4/5 for both IPv4
and IPv6 traffic. Can make use of real-time BGP information, which
can be sent directly to the collector via one or multiple feeds.
Graphical representation of the data collected
by pmacct. Useful for traffic monitoring and
bandwidth management. Open source software developed
by Aptivate, a non-profit NGO
for international development.
NEye is a Netflow V5 collector. It logs incoming Netflow V5 data
to ASCII, MySQL, or SQLite databases, and it makes full use of POSIX
threads if available. It works on most major platforms (Linux,
Solaris, AIX, Irix, HP/UX, Mac OS X, Digital Unix, etc.) and older
ones too (Ultrix, Nextstep, etc.).
An article (in French) about a Netflow accounting and
visualization system used at EPFL.
Uses an Oracle database and Perl DBI/GD scripts to generate a nice
breakdown of external traffic to departments/institutes.
Open source tools for analyzing sFlow data. Allows sFlow data to
be used with a number of open source tools, including: tcpdump, snort
and MRTG or rrdtool. Also able to convert sFlow packets to NetFlow
Perl module to parse sFlow messages. Written by Elisa Jasinska
from AMS-IX as a basis of the sFlow-based traffic analysis service for
AMS-IX members. The use of this at AMS-IX has been described in
presentations and a paper, links to which can be found in
the references section.
(quoted from project page) This tool generates extended
netflow-like flow statistics from large pcap files or extensive
ethernet interface measurements. It is intended to serve as an IT
troubleshooting tool and a pre-processing for scientific analysis and
Webview Netflow Reporter is an enterprise-focused Netflow
reporter/analyzer tool featuring clickable graphs, powerful
categorization that goes beyond simple TCP/UDP port names, automatic
exporter discovery, and full access to all aspects of the raw flow
data (millisecond accuracy, QoS settings, TCP flags, etc).
It uses flow-tools and/or flowd as a collector.
The Andrisoft WANGuard Platform relies on NetFlow v.5 or Port
Mirroring / SPAN to provide in-depth network traffic analysis and DDoS
detection and mitigation. It can be used to generate traffic graphs
and traffic accounting reports per IP, per subnet, per IP Zone or per
router interface / switch port.
The NetCountant network usage-based billing system and
the NetScope real-time network monitoring and performance
analysis solution support NetFlow, RMON2, RADIUS, other SNMP MIBs, and
"Layer 7" application/content switches.
Peakflow DOS detects denial-of-service attacks, and
Peakflow Traffic analyzes traffic and routing history. Both
can process NetFlow accounting data. As of November 2003, Arbor is
said to support Netflow v9.
BENTO stands for "BGP Enabled Network Traffic Organizer" and is
a high-performance NetFlow data processor with an integrated BGP-4
implementation to facilitate traffic analysis based on complex
external routing relationships. Product offerings include a
software/support package and an "appliance" consisting of a
preconfigured rack-mount server.
Analyzes NetFlow data for network monitoring as well as attack
detection and response. Works with NetFlow data export versions
1, 5, 6, 7 and 9. NetImonitor is primarily designed for use in the
Complete NetFlow monitoring solution, providing wire speed
processing with no packet loss, for all types of networks from 10Mbps
to 10 Gbps. Autonomous probes generate statistical information on
network traffic. Collectors perform storage, display and analysis of
this information and further plugins (extension modules)
supervision of both network and services, for the detection of
anomalies, innovative instruments for displaying network statistics,
intelligent reporting and much more.
LAN and WAN bandwidth analysis based on NetFlow data. Includes a
Web interface including Java applets to display traffic graphs and to
enable drill-down. Runs on Microsoft Windows NT4/2000/XP and on Unix.
of NetFlow Live available.
Note that Crannog has been acquired by Fluke Networks in January 2007,
and rebranded this product
is a flow collector appliance that supports NetFlow V1/5/7/9, sFlow
V2/4/5, NetStream, and IPFIX. GenieATM supports BGP4 to perform
various AS-related analysis. It also supports DDoS mitigation.
Intelligence traffic measurement and visualisation software
for GNU/Linux and Windows (client only) platforms. Free trial
available. Includes 3D visualization using OpenGL.
The author also wrote bbnfc, a
"bare-bones Netflow collector tool" that simply receives and
displays Netflow v5 packets.
StableNet PME provides End-to-End (E2E) Service Level Management
(SLM) by monitoring and reporting on the systems, networks and
applications. StableNet supports the following flow technologies out
of the box: Netflow, cFlow, sFlow, Netstream.
is a commercial, web-based application running on Linux that
provides real-time and historical analysis of flow information from
NetFlow, sFlow, LFAP or HP Extended RMON sources. Web queries provide
easy access to historical traffic matrices. Real-time top talker
charts identify sources of congestion. Includes network-wide
threshold and alert features as well as anomaly detection.
InterMapper Flows is a NetFlow and sFlow collector and analyzer.
It is integrated into the GUI of the InterMapper network monitoring
software to make it easy to see exactly where traffic comes from,
who's sending it, and what it's used for. Runs on Windows, MacOS X,
Linux, and Unix.
Netflow-based bandwidth monitoring tool from AdventNet. Supports
location of bottlenecks and allows drilling down to find traffic that
is causing them. Thirty-day evaluation license available free of
charge. Versions for Windows and Linux (x86).
Profiler analyzes and models enterprise network traffic. It
provides visibility into network behavior, protects against worms and
other malware, and supports auditing and policy enforcement. It
supports Netflow v1/5/7/9 as well as other data collection mechanisms.
Highly scalable flow-based network management system including
support for baselining, event alerting, root cause analysis, and
traffic accounting. Visualization capabilities support both
real-time (network forensics, security) and long-term uses such as
network auditing and trending. Can process Netflow v5/7/9
(including Flexible Netflow), IPFIX and sFlow.
An application that performs in-depth NetFlow/IPFIX/sFlow packet
analysis, and provides tabular and other visualizations in an
Office-like user interface. It supports the following protocols
(formats): NetFlow v1/v5/v7/v8/v9, sFlow v2/v4/v5
Application for network traffic investigation, analysis and
reporting. Works with IPFIX, Netflow v5 and v9, and can monitor both
IPv4 and IPv6 traffic. Supports visualization, anomaly detection,
and raw flow archival. The graphical user interface is Web-based.
Runs on Windows and Linux.
Collector is an open-source (GPL'ed) tool that captures packets
and generates a Netflow (v5) accounting stream.
The NetUsage suite strives to provide visibility of network
traffic, producing meaningful reports not only for network
professionals, but for IT management, business managers and accounts
departments. Supports network traffic monitoring, capacity planning,
business justification and cost control.
An add-on to OpsView Enterprise, this tool can process Netflow as
well as SNMP and configuration data from multiple network elements.
It provides graphical presentations of network usage such as
top-talkers diagrams and time series, and allows drilling down to
analyzes NetFlow, J-Flow,
and sFlow data and performs CBQoS monitoring to deliver a complete
picture of network traffic, identifying who and what are consuming
your bandwidth. Free 30-day trial available.
Perspective Network Traffic Flow provides in-depth visibility
into network traffic patterns and usage to determine how traffic
impacts the overall health of the network. Supports NetFlow
(v1/5/7/9), sFlow, JFlow, and any switch/router that supports port
replication or mirroring.
Windows-based network availability and bandwidth monitoring
software from Paessler. Uses
SNMP, NetFlow and packet capture for monitoring and classifying
bandwidth usage. Besides different commercial licenses, there is
also a freeware license limited to 10 monitoring sensors.
Windows-based software to analyze NetFlow (and Cisco IP
Accounting) statistics. I-ABA specifically analyzes AS-to-AS traffic
streams. Trial versions can be downloaded.
application and network performance management appliances
This appliance-based product can process various sources of data
including SNMP, Netflow, and Cisco IP SLA probes.
component can drill down into flow-based usage statistics and
generate reports based on flexible configuration.
Has a Netflow Application Pack for its PROVISO system
for network performance monitoring and service assurance. Quallaby
was acquired by Micromuse, which was itself acquired by IBM. The
Netflow Application Pack is maintained in the 4.4.1 release and
supports Netflow versions up to v8.
Appliance-based product from Brazil. Used for management of the
backbones of two major South American telecommunications companies.
Features include a Web GUI with HTTPS support and integrated Java
grapher applet with zoom, drill-down etc., configurable aggregation,
SNMP-based device/interface discovery. Supports Netflow v1/v5/v9
and similar accounting mechanisms from other vendors (Juniper,