
nfdump

License: NOASSERTION · Language: C · Version: v1.7.8

A suite of tools for collecting, processing, and analyzing NetFlow, IPFIX, and sFlow data from network devices.


What is nfdump?

nfdump is a suite of open-source tools for processing NetFlow, IPFIX, and sFlow data from network devices. It solves the problem of collecting and analyzing network traffic flow records for monitoring, security, and troubleshooting purposes by providing efficient collection, advanced filtering, and flexible data export capabilities.

Target Audience

Network administrators, security analysts, and DevOps engineers who need to monitor and analyze network traffic patterns, detect anomalies, and perform security investigations using flow data from routers and switches.

Value Proposition

Developers choose nfdump for its high-performance processing, extensive filtering capabilities similar to tcpdump, and flexibility in output formats and data enrichment, making it a robust, extensible alternative to commercial flow analysis tools.

Overview

Netflow processing tools

Use Cases

Best For

  • Collecting and storing NetFlow/IPFIX/sFlow data from multiple network devices
  • Filtering and aggregating network traffic flows for security incident analysis
  • Enriching flow records with geolocation and AS information for traffic profiling
  • Converting live pcap traffic or interface captures to NetFlow format
  • Exporting flow metrics to monitoring systems like InfluxDB or Prometheus
  • Analyzing historical network traffic patterns for capacity planning

Not Ideal For

  • Real-time packet-level inspection and deep packet analysis
  • Teams needing integrated graphical dashboards without command-line work
  • Environments with unsupported or proprietary flow formats beyond NetFlow/IPFIX/sFlow
  • Small-scale setups where simpler, out-of-the-box monitoring tools suffice

Pros & Cons

Pros

Multi-Protocol Flow Collection

Supports NetFlow v1, v5/v7, v9, IPFIX, and sFlow, so it works with a wide range of network devices, as listed in the project's feature list.

High-Performance Processing

Uses a multi-threaded architecture for fast filtering and aggregation, so large flow datasets are handled efficiently, as the README emphasizes.

Advanced Filtering Capabilities

The filter syntax resembles tcpdump's but is optimized for flow data, allowing precise traffic selection for security and troubleshooting; the README's basic-usage section gives examples.

Flexible Data Enrichment

Enriches flow records with geolocation, AS, and Tor exit node information using optional databases such as GeoDB and TorDB, though these databases must be set up separately.

Efficient Storage Options

Supports on-the-fly compression with LZO, LZ4, ZSTD, or bzip2, balancing performance and storage space, as detailed in the compression section.

Cons

Complex Build and Installation

Requires GNU autotools 2.71 and OS-specific steps, such as devtoolset on CentOS 7.x or clang-10 on Ubuntu 18.04, which adds setup overhead and potential compatibility issues.

Legacy File Compatibility Hassles

Only the nfdump tool can read files written by nfdump-1.6.x; the other programs require those files to be converted first, which creates interoperability challenges and extra steps for older data.

Limited Built-in Security Features

nfcapd has no access control of its own and relies on host-level security, which may be insufficient for deployments that need fine-grained authentication or encryption.

Dependency on External Components

Enrichment features like geolocation and Tor lookup depend on separate database setups and maintenance, adding operational complexity and potential points of failure.

Quick Stats

Stars: 897
Forks: 218
Contributors: 0
Open issues: 4
Last commit: 1 day ago
Created: 2015

Tags

#traffic-analysis #command-line-tools #ipfix #c #sflow #network-monitoring #network-security #network-analysis #data-collection #netflow

Built With

  • lz4
  • ZSTD
  • GNU Autotools
  • C++

Included in

PCAPTools (3.4k)

Related Projects

BruteShark
Network Analysis Tool
Stars: 3,353 · Forks: 355 · Last commit: 3 years ago

PcapPlusPlus
PcapPlusPlus is a multiplatform C++ library for capturing, parsing and crafting of network packets. It is designed to be efficient, powerful and easy to use. It provides C++ wrappers for the most popular packet processing engines such as libpcap, Npcap, WinPcap, DPDK, AF_XDP and PF_RING.
Stars: 3,078 · Forks: 739 · Last commit: 1 day ago

Ettercap
Ettercap Project
Stars: 2,722 · Forks: 531 · Last commit: 6 days ago

tcpflow
TCP/IP packet demultiplexer. Download from:
Stars: 1,766 · Forks: 244 · Last commit: 3 months ago