
Linux NetFlow Collector

So you are thinking of delving into the world of Linux NetFlow collectors, but do not quite know where to begin. Well, we would like to help you with that.

Before we get into the different solutions available, I have a few recommendations to keep in mind:

  • First, while open source may come with the idea of “free”, it is wise to remember that there is always a cost for everything. Yes, the software may be free, but training and/or hiring an individual with expertise in the system will have a cost in both time and money.
  • Second, and slightly along the same lines as the above: support. Will you have to rely on community support (which can be great), or does your chosen solution come with its own support staff (usually adding a price)?
  • Third, how do you feel about the command line? While Linux solutions are commonly more stable, they are command line driven, which can be a bit of a headache for the uninitiated.
  • Fourth, commercial solutions generally far outpace the free solutions in both performance and rich feature sets.

Network Traffic Analysis

Now that we have that out of the way, let’s get on with the fun and find the best network traffic monitor for you.

Silk

First, let’s talk about SiLK. SiLK is an open source NetFlow collector developed by CERT NetSA and is compatible with NetFlow V5, V9 and IPFIX. The current code is implemented in C, Perl or Python and has been tested on Linux, Solaris, OpenBSD, OS X and Cygwin, but with very little change it can be run on just about any Unix platform. Something to keep in mind: while SiLK is well maintained and designed for larger networks, it does require knowledge of scripting languages.

NFDUMP

Next is NFDUMP, which is part of the NfSen project. Like other solutions, NFDUMP provides tools that collect and process NetFlow data on the command line. It supports NetFlow V5 and V7, stores data in time-sliced files and is written in C. At times NFDUMP can feel cumbersome, and it may not be the solution for you if easy scalability is what you are after.

Scrutinizer

Finally, we move on to Plixer’s very own Scrutinizer, which offers comprehensive network traffic analysis of NetFlow, sFlow, J-Flow and IPFIX. If you are looking for a powerful and scalable solution, with company-provided support out of the box, then this may be the solution for you. The free edition offers up to 10,000 flows per second, default flow reports, the ability to monitor unlimited surfaces and a perpetual, non-expiring license. If scalability is what you are after, Plixer offers Scrutinizer Flow Analytics and Advanced Reporting, which have a flow collection rate of 8 million flows per second, unlimited history storage and more.

With your newfound knowledge in hand you may find yourself thinking “that is all well and good, but what should I do next?” Well, one option is to scour the internet, searching through endless articles, each suggesting something different from the last. Or you could take a more hands-on approach and start testing solutions, or just call our team and we’ll give you a demonstration of the features and benefits.