Tools !exclusive! | Netflow

ip flow-cache timeout active 1 # Export every 1 min (active flows) ip flow-cache timeout inactive 15 # Export after 15 sec idle ip flow-cache timeout fast 30 # For TCP FIN/RST : Shorter timers = more exports = higher CPU/network load. Longer timers = delayed visibility. 3. NetFlow Tool Stack Architecture A production NetFlow deployment has four layers : Layer 1: Exporters (Network Devices) Configure routers/switches/firewalls to send NetFlow.

:

interface GigabitEthernet0/1 ip flow ingress ip flow egress ! ip flow-export source Loopback0 ip flow-export version 5 ip flow-export destination 192.168.1.100 2055 : netflow tools

Edge Router (NetFlow v9) --UDP 2055--> [pmacct collector (Linux VM)] | v Kafka (3 brokers) | +---> ClickHouse (3-node cluster) +---> Elasticsearch (security logs) | v Grafana (dashboards) Kibana (security analysts) ( /etc/pmacct/pmacct.conf ): ip flow-cache timeout active 1 # Export every

This guide covers production-grade NetFlow tooling. Start with nfdump for small environments, pmacct + ClickHouse for mid-scale, and GoFlow2 + Kafka for carrier-grade. Start with nfdump for small environments, pmacct +

: 30-day retention, detect botnet C2, per-department billing.