Posts Tagged ‘netflow software’

Papers about NetFlow applications

Thursday, September 13th, 2007
and Prediction of Flow Statistics from Sampled Packet Streams
Nick Duffield, Carsten Lund, Mikkel Thorup, Proc. ACM SIGCOMM
IMC, 2002. A detailed investigation of the effects of packet sampling
on flow-based traffic accounting.

TCP Use and Performance on Internet2
Stanislav Shalunov, Benjamin Teitelbaum, ACM SIGCOMM IMW, 2001.
See the pointer to the
Abilene usage report page in the projects section of these

Traffic analysis and infrastructure monitoring in CESNET2
Tom Kosnar, PAM 2001.
Flow-Based Traffic Analysis at SWITCH
Simon Leinen, PAM 2001 (poster).
Presentation and BOF
Dave Plonka, NANOG 21, 2001. Slide presentation and RealVideo
recording. Slides also available here.
FlowScan: A
Network Traffic Flow Reporting and Visualization Tool
by Dave Plonka, Usenix LISA 2000. Also available in full as HTML and PS,
as well as the slides
of the presentation.
Cisco NetFlow Exports with Relational Database Technology for Usage
Statistics, Intrusion Detection, and Network Forensics
by Bill Nickless, John-Paul Navarro, and Linda Winkler, Usenix
LISA 2000.

The OSU Flow-tools Package and CISCO NetFlow Logs
by Steve Romig, Mark Fullmer, and Ron Luman, Usenix LISA
Cisco Flow Logs and Intrusion Detection at the Ohio State University
by Steve Romig, Mark Fullmer, Suresh Ramachandran, Usenix
;login: vol.9, 1999. Describes the use of the OSU flow tools for Intrusion
traffic demands for operational IP networks: Methodology and
by Anja Feldmann, Albert Greenberg, Carsten Lund, Nick Reingold,
Jennifer Rexford, and Fred True, ACM TON, June 2001. Also available:
from a presentation to the ISMA workshop.

Netflow software list

Monday, May 21st, 2007

Some lists of NetFlow related software.

NetFlow Software

Thursday, May 10th, 2007
NFDUMP and NfSen
NFDUMP is a set of tools to capture/record, dump,
filter, and replay NetFlow (v5/v7/9) data. Can filter flows according
to multiple user-defined profiles. NfSen is a Graphical
Web-based front-end for the NFDUMP tools. Plots aggregate statistics
over time, supports filtering and drilling down up to the individual
flow level.
Traffic monitoring toolkit from Intel Research. Supports both
continuous real-time processing and retrospective processing.
Supports Netflow and many other traffic capture sources.
YAF – Yet
Another Flow sensor
YAF snoops packets from pcap dump files or live capture,
and produces bidirectional flows. These flows can be sent to
IPFIX collectors, or be stored in
an IPFIX-derived file format.
VERMONT (VERsatile MONitoring
A reference implementation of the IPFIX and PSAMP protocols
developed as part of the HISTORY project at the
German universities of Erlangen and Tübingen, and of the European
DIADEM Firewall
A C library that implements the IPFIX protocol.
Aims to be a compliant implementation of the IPFIX protocol message format, from
which fully compliant IPFIX Collecting Processes and IPFIX Exporting
Processes may be built. In addition to the IPFIX Protocol, libfixbuf
supports efficient persistent storage of IPFIX data using the method
outlined in draft-trammell-ipfix-file-NN.
NetSA Aggregated Flow (NAF)
Tools for creating and analyzing timeslice-organized
bidirectional flow files in the IPFIX-inspired NAF
A Perl-based system to analyze and report on flows collected by
flow-tools, lfapd or cflowd, by Dave Plonka. Sample output graphs are
available too, as well as Majordomo-driven mailing
for announcements and general discussion (archive).
It is currently built on
User-contributed tools based on FlowScan include:

from Stanislav Sinyagin
which claims to be more suitable for larger ISP/Carriers
from Matt Selsky and Johan M. Andersen at Columbia University
which is an alternative graphing tool "designed to combine
the features of CampusIO and SubNetIO". Robert S. Galloway has
contributed a nice howto-style
describing how it can be used.
from Johan M. Andersen at Columbia University
monitors individual users’ network usage against a bandwidth
usage policy.
by Jurgen Kobierczynski
A new reporting module which is highly configurable using an
XML configuration file.
An extension to FlowScan developed by KISTI/KAIST. Adds
servlet-based visualization and support for queries for top
user, AS, port, protocol, etc. This is supposed to be available
but that site doesn’t seem to be responsive.
Similar to cflowd but implemented
as a set of smaller tools, with the addition of compression of the
recorded data, thus capable of recording many more flows in a given
amount of disk space. See paper
about its application for Intrusion Detection. There is also a mailing
for the package.

There is a short presentation called Ohio
Gigapop Traffic Measurements
that shows some examples on how
flow-tools can be used.

The package is widely used, and there are quite a few user
contributions, such as

Web-interface to flow-tools. Consists
of three tools: FlowViewer provides the user with web access
to many of the textual and statistical flow-tools reports.
FlowGrapher provides a web page with a graph of the selected
flow data. These web pages can be saved. FlowTracker
(introduced in FlowViewer 3.0, released in July 2006) allows the user
to maintain this information long-term by creating four MRTG-like
graphs. Filtered flow data is collected every five minutes and the
graphs are updated. FlowTracker requires Tobi Oetiker’s RRDtool package.
Screenshots are available.
which can be used to filter flow-tools-recorded flows through
user-specified tests
a set of "Inter.netPH
by Horatio B. Bogbindero
some patches and a Python
by Robin Sommer.
A script that extracts lists of the highest bandwidth
consumers by host and by port. Installed at
. Seems to have similar uses as the older MATHE system.
A set of Java classes for collecting and analyzing NetFlow data.
Supports Netflow versions 5 and 6, multithreaded implementation to
facilitate real-time traffic accounting and analysis.
A traffic analysis and visualization tool that describes the
traffic mix of a link through textual reports and time series plots.
The underlying research is documented in a SIGCOMM 2003 paper,
Automatically Inferring Patterns of Resource Consumption in
Network Traffic
, C. Estan, S. Savage, G. Varghese (PDF
paper, PPT
Wisconsin Netpy
Netpy is a network traffic analysis and visualization package
developed at University of Wisconsin-Madison. This application is
intended for the use of network administrators and it can help
understand usage trends in your network as well as support interactive
analysis of specific network events of interest. Netpy is distributed
under GPL and a BSD-like license. Netpy stores NetFlow records in a
local database after applying some sampling to reduce the size of the
data. The analysis engine supports interactive analyses on this data
where the user chooses the time interval of interest, the filtering
rules to apply to the traffic and the type of analysis. The netpy
console allows the user to manage the database, and perform analyses
interactively or through scripts. The graphical user interface
visualizes the results of the analyses accessing the database locally
or remotely through a netpy server that is also part of the
Stager is a system for aggregation and presentation of network
statistics from the flow-tools package. Includes PostgreSQL storage
of aggregated statistics, as well as a Web frontend. A public demo is available.
Developed to analyze (sampled) Netflow data from the Internet2
Abilene backbone. This is used to generate the Internet2 NetFlow Weekly
, which contain interesting statistics not easily found
elsewhere, such as distribution of bulk flow throughput. There are
two mailing lists for announcements
and for user
, respectively.
CAIDA cflowd
Rather complex system with distributed log servers. Released in
1998, this was the first open-source software system to work on
NetFlow data, but doesn’t seem to be maintained anymore. CAIDA have
prepared a nice FAQ
which contains interesting information both on Cflowd and on NetFlow
in general. CAIDA has announced that they no longer support cflowd,
and recommend that people move to flow-tools instead.
Small Netflow monitoring tool developed by ARIN, available under
GPL. Features include easy configuration, maintenance of and graph
generation from RRDtool files,
pf/tcpdump-style filter rules. There is a mailing list for
announcements and discussion.
ASFLOW (already missing in
Tool to analyze traffic to "would-be" BGP neighbors. Presented by
Richard Steenbergen and Nathan Patrick at NANOG 35, October
2005. There is supposed to be both an easy-to-use Perl version and a
high-performance (but somewhat complex) C version.
Software used for charging, monitoring, and traffic analysis at
SWITCH. Includes its own NetFlow v5 accounting receiver which
aggregates traffic into multidimensional matrices
(AS/site/application). Most of the software is written in Common
A small program that receives UDP datagrams and redistributes
them to a set of receivers. Useful to distribute NetFlow accounting
streams to multiple post-processing programs. Is able to distribute
only a specified percentage of all packets to each receiver. Note
that recent versions added the possibility of “spoofing” the
original sender’s IP address.
Application Programming Interface (AAPI)/AnonTool
An open-source implementation of Anonymization API. Includes a
set of ready-to-use applications for anonymization of Netflow (v5 and
v9), as well as PCAP traces.
"A NetFlows Conversion/Anonymization Tool for Format
Interoperability and Secure Sharing". Converts NetFlow data between
various formats including NetFlow v5 and v7, NFDUMP, CiscoNCSA and ArgusNCSA, and is able to
apply various methods of anonymization based on user configuration.
See also the FloCon 2005 paper by
K. Luo, Y. Li, A. Slagell, and W. Yurick.
An open-source project started in 2001 by Costas Kotsokalis of
GRNET. Uses NetFlow accounting data to detect (Distributed) Denial of
Service attacks. Status as of November 2006: Supports NetFlow v1, v5
and v8 (router-aggregated) (with v8 untested for its biggest
part). The system supports proof-of-concept attack trace-back using a
mesh of detectors. Updates have been introduced so that the project
compiles on newer systems.
Real-time 3D traffic visualization system developed at Merit. This client/server system
based on Netflow and OpenGL plots traffic patterns by IP address, AS,
or port numbers, and allows interactive exploration of this data.
Sample graphics and a paper are available from the Website.
(Multi Host Traffic Grapher)
Uses NetFlow to generate per-host graphs of traffic for a campus
network. Nice user interface implemented as a Java applet which
allows interaction with traffic plots. The software consists of a C++
program to process NetFlow data, a MySQL backend, a Perl frontend
and the Java grapher.
Matt’s Quick & Dirty CFLOWD tutorial and scripts…
Postprocessing scripts for cflowd data by Matthew Petach
Converts a Cisco NetFlow stream into a set of RRDtool files, based
on a set of IP netmasks.
By Alex Pilosov.
A library of bitmap counting algorithms that count the number of
active flows in a network traffic trace. To be able to use it, you
should be familiar with the paper that describes the algorithms it
implements: _Bitmap algorithms for counting active flows on high speed
links_, C. Estan, G. Varghese, M. Fisk, Internet Measurement
Conference 2003 (PDF
paper, PPT
An application that converts LFAP data into NetFlow records – see
This well-known libpcap-based network usage monitor has been
extended to produce NetFlow v5 accounting data. It also supports
SiLK, the System for Internet-Level Knowledge, is a collection of
netflow tools developed by the CERT/NetSA (Network Situational
Awareness) Team to facilitate security analysis in large networks.
The toolset includes programs such as rwfilter,
rwcount, rwuniq. There are plans to develop this
further into an "Analyst’s Desktop", described in a FloCon’05 paper,
R: A Proposed Analysis and Visualization Environment for Network
Security Data
, J. McNutt (PDF).
(Ed.: Should this be "RAVE: A Proposed…"?)
The idea is to base this on the R statistical programming
language (see, which
supports exploratory data analysis well.
Java Netflow
Collects Netflow v1/v5/v7/v8/v9 packets from Cisco/Juniper
routers or nProbe. It can store either raw data or analyzed contents to
a database using JDBC.
This UDP/Netflow Processing Framework is a system for
real-time processing of UDP packet streams such as Netflow export
data. It features a general infrastructure for dynamically
configurable plugin modules.
A small self-contained program that generates NetFlow accounting
data for a traffic stream sniffed off one or several interfaces.
Works under Unix and Windows environments. It can be used to build
inexpensive NetFlow probes.
fprobe (I)
Traffic probe that can generate NetFlow data. Based on the
libpcap library. Fairly small implementation in C.
fprobe (II)
Another NetFlow-generating software traffic probe.
Traffic probe that can generate NetFlow data. Based on libpcap.
Comes with a NetFlow collector in Perl. Both the server (probe) and
client (collector) support export/import over IPv6. Very lean (as of
June 2004) implementation in C.

The pfflowd
variant is based on OpenBSD’s PF interface.

The flowd companion
NetFlow collector includes features such as multicast, IPv6 and
NetFlow v9 support, as well as fast upfront filtering.

Argus from QoSient
This network Audit Record Generation and Utilization
can be used for intrusion detection and QoS
monitoring. It is also mentioned
in the reference section of these pages.
(RENATER Network Collector)
GPL’ed Netflow collector with support for Netflow v9, IPv6,
Multicast, and MPLS.
"a tool for gathering, storing and analyzing traffic accounting
for Cisco routers with NetFlow enabled switching (version 5). This
package could be used by ISP for planning, analysis and billing
CESNET NetFlow Monitor
by Jan Nejman.
RUS-CERT tools
The CERT of the Stuttgart University computing center (RUS-CERT)
has published some tools that they use internally to analyze Netflow
data. Some of the documentation is in German.
A set of tools to account and aggregate IP traffic. Supports
libpcap, Netflow v1/v5/v7/v8/v9, and sFlow v2/v4/v5 for both
IPv4 and IPv6 traffic.
NEye is a Netflow V5 collector. It logs incoming Netflow V5 data
to ASCII, MySQL, or SQLite databases, and it makes full use of POSIX
threads if available. It works on most major platforms (Linux,
Solaris, AIX, Irix, HP/UX, Mac OS X, Digital Unix, etc.) and older
ones too (Ultrix, Nextstep, etc.).
and pcNetFlow
Three products from a research project at the NARA Institute of
Science and Technology.
F.L.A.V.I.O. (see also the FreshMeat page)
A Perl-based NetFlow collector that stores flow data "into a
MySQL database and gets it back to graph daily, weekly, monthly and
yearly charts."
Starting with release 4.2, Nevil Brownlee’s NeTraMet
package includes NetFlowMet, which implements an RTFM meter
fed on Netflow accounting data.
NetFlow Accounting
from ABPSoft
A self-contained NetFlow processing system written in C. Writes
captured flows to file. Postprocessor breaks up this data over peers
according to a definition file.
(Extreme Happy NetFlow Tool) by Nik Weidenbacher
Another self-contained NetFlow accounting packet processor. The
receiving process also functions as a server to which various kinds of
clients can connect. Also written in C.
Visage’s NetFlow tools
FTP site with various tools for NetFlow postprocessing. In
particular, you will find:

  1. a UDP duplicator (hack of samplicator to preserve the source router
  2. a couple of hacks to cflowd for dumping the flows every %n
    seconds as well as a "flhh" to output flowdump stuff
    aggregated, ready for a
    `grep|sed "s/../update /"|rrdtool -`
netMET – Network’s
Network measurement solution for the French regional academic
networking community, developed at the C.I.R.I.L in Nancy. Includes
an HTML interface and support for accounting and security
An article (in French) about a Netflow accounting and
visualization system used at EPFL.
Uses an Oracle database and Perl DBI/GD scripts to generate a nice
breakdown of external traffic to departments/institutes.
JANET Traffic Accounting Site
An impressive application of Netflow which is used for
volume-based charging for JANET’s U.S. connection.
Other statistics at JANET
were done using NeTraMet.
InMon sFlow Toolkit
Open source tools for analyzing sFlow data. Allows sFlow data to
be used with a number of open source tools, including: tcpdump, snort
and MRTG or rrdtool. Also able to convert sFlow packets to NetFlow
Perl module to parse sFlow messages. Written by Elisa Jasinska
from AMS-IX as a basis of the sFlow-based traffic analysis service for
AMS-IX members. The use of this at AMS-IX has been described in
presentations and a paper, links to which can be found in
the references section.

Commercial Applications

Watch4net APG (Automated
Performance Grapher)
APG is a reporting tool that provides performance and capacity
reports on network, servers, applications and Netflow data.
Apogee Networks
The NetCountant network usage-based billing system and
the NetScope real-time network monitoring and performance
analysis solution support NetFlow, RMON2, RADIUS, other SNMP MIBs, and
“Layer 7” application/content switches.
Arbor Networks
Peakflow DOS detects denial-of-service attacks, and
Peakflow Traffic analyzes traffic and routing history. Both
can process NetFlow accounting data. As of November 2003, Arbor is
said to support Netflow v9.
Network Signature BENTO
BENTO stands for “BGP Enabled Network Traffic Organizer” and is
a high-performance NetFlow data processor with an integrated BGP-4
implementation to facilitate traffic analysis based on complex
external routing relationships. Product offerings include a
software/support package and an “appliance” consisting of a
preconfigured rack-mount server.
Caligare Flow Inspector
and NetImonitor
Analyzes NetFlow data for network monitoring as well as attack
detection and response. Works with NetFlow data export versions
1, 5, 6, 7 and 9. NetImonitor is primarily designed for use in the
United States.
Data Analyzer

Similar to cflowd but productized, with a (Java-based)
GUI and possibly better options for defining filters and
aggregation schemes.

Cisco NAM
(Network Analyzer Module)
This is a "NetFlow collector on a linecard" for the Catalyst
6500/7600 OSR platform.
Network Health uses NetFlow and RMON2 accounting
information “to determine application, bandwidth and server usage.”
Crannog Software’s Netflow
LAN and WAN bandwidth analysis based on NetFlow data. Includes a
Web interface including Java applets to display traffic graphs and to
enable drill-down. Runs on Microsoft Windows NT4/2000/XP and on Unix.
Evaluation version of NetFlow Live available.
A network traffic monitoring appliance that can generate data in
both Netflow and nTop formats.
IMS accounting and billing system based on
Oracle 9i under Unix.
Gadgets Software &
Professional Services Ltd.
traffic measurement and visualisation software
for GNU/Linux and Windows (client only) platforms. Free trial
available. Includes 3D visualization using OpenGL.

The author also wrote bbnfc, a
“bare-bones Netflow collector tool” that simply receives and
displays Netflow v5 packets.

The Smart Internet Billing Solution usage management
system as well as OpenView Performance Insight for Networks
(OVPI) use NetFlow accounting data as possible input.
– Performance Management Engine
StableNet PME provides End-to-End (E2E) Service Level Management
(SLM) by monitoring and reporting on the systems, networks and
applications. StableNet supports the following flow technologies out
of the box: Netflow, cFlow, sFlow, Netstream.
InfoVista Corporation
InfoVista Service Level Management (SLM) and conformance
InMon Traffic
is a commercial, web-based application running on Linux that
provides real-time and historical analysis of flow information from
NetFlow, sFlow, LFAP or HP Extended RMON sources. Web queries provide
easy access to historical traffic matrices. Real-time top talker
charts identify sources of congestion. Includes network-wide
threshold and alert features as well as anomaly detection.
IsarFlow from IsarNet
IsarFlow is a traffic analysis tool for accounting, capacity
planning, QoS monitoring, and application distribution within Citrix
sessions based on Netflow.
IxTraffic integrates NetFlow accounting data with
topology information from a live BGP-4 feed to allow analysis of
inter-domain traffic patterns.
Lancope StealthWatch
Flow-based Network Behavior Analysis appliance with advanced user
identity tracking. Can handle Netflow and sFlow data, or capture
packets from mirrored ports.
A network monitoring ("supervision" in franglais) system that
includes a Netflow
. Stores flow data in a MySQL database.
NetFlow Analyzer
Netflow-based bandwidth monitoring tool from AdventNet. Supports
location of bottlenecks and allows drilling down to find traffic that
is causing them. Thirty-day evaluation license available free of
charge. Versions for Windows and Linux (x86).
Mazu Networks
analyzes and models enterprise network traffic. It
provides visibility into network behavior, protects against worms and
other malware, and supports auditing and policy enforcement. It
supports Netflow v1/5/7/9 as well as other data collection mechanisms.
Cisco Info Center USM “acquires, analyzes, displays and
exports Internet usage data.” Note that Micromuse was integrated
into IBM under the "IBM Tivoli Netcool" brand.
OSS Mediation solutions. They also do anomaly
Integrated billing software for "Telephony, Internet and
Networks". Contains interfaces to many accounting systems including
Scalable solution for network capacity planning, troubleshooting,
and traffic analysis, including traffic visualization capabilities.
UTM is a billing
system for ISPs. It can use Netflow (v5) and several other accounting
methods. It supports a rich variety of charging and payment

NDSAD Traffic
is an open-source (GPL’ed) tool that captures packets
and generates a Netflow (v5) accounting stream.

NetUsage from Apoapsis (formerly
called WANBUS)
The NetUsage suite strives to provide visibility of network
traffic, producing meaningful reports not only for network
professionals, but for IT management, business managers and accounts
departments. Supports network traffic monitoring, capacity planning,
business justification and cost control.
SolarWinds Orion NetFlow Traffic Analyzer
Windows-based commercial system that stores NetFlow data,
generates various types of charts, and provides "drill-down"
PRTG Traffic Manager
Windows-based bandwidth management software from Paessler. Uses SNMP, Netflow, and
packet capture for monitoring and classifying bandwidth usage.
Besides the commercial license, there is also a (restricted)
"freeware" license.
QRadar from Q1 Labs
The system can use Netflow data, but also includes its own
payload-aware flow collector which produces bi-directional flow
information in a format called QFlow. Includes anomaly
Plixer Scrutinizer NetFlow Analyzer
NetFlow-based Enterprise-level traffic analysis tool with
GUI-based reporting (topN hosts/applications etc.) and
zoom/drill-down. Uses MySQL
back-end. Free (as in
free beer) edition
I-ABA and M-NTM from Tek Yazilim
Windows-based software to analyze NetFlow (and Cisco IP
Accounting) statistics. I-ABA specifically analyzes AS-to-AS traffic
streams. Trial versions can be downloaded.
Has a Netflow Application Pack for its PROVISO system
for network performance monitoring and service assurance. Quallaby
was acquired by Micromuse, which was itself acquired by IBM. The
Netflow Application Pack is maintained in the 4.4.1 release and
supports Netflow versions up to v8.
nGenius Performance Manager “is a complete solution for
proactive monitoring, troubleshooting, capacity planning, and Voice
over IP (VoIP) monitoring”.
Portal Software
Infranet real-time customer management and billing
Billing software for ISPs.
Commercial vendor of accounting and billing solutions with the
ability to process (among others) Netflow accounting data


Wednesday, November 30th, 2005

In the end, after various products and tests, I chose Stager as the tool for visualizing data coming from NetFlow.

"Stager is a system for aggregating and presenting network statistics.
Stager is generic and can be customized to present and process any kind
of network statistics. The backend collects data and stores reports in
a database, automatically handling the aggregation of hourly statistics
into days, weeks, and months. The Web frontend presents data in tables,
matrices, or plots. The reports are fully customizable, and their
definitions are stored in the database."

The documentation is extensive and the installation is not straightforward; use by end users is not intuitive either. The screenshots are here, here and here.

NetFlow analysis tool: FlowScan

Saturday, October 22nd, 2005

FlowScan is a tool for analyzing NetFlow data; it works with both cflowd and flow-capture (flow-tools).
FlowScan examines the aggregated data, categorizes it and stores the results in RRD databases.
For those who, like me, don't feel like compiling, there are flowscan and flow-tools packages for Debian.
An example of what you can get.