NetFlow is a suite of protocols for computing and relaying flow-level statistics. An exporter, such as a router or switch, aggregates packets into flow records and sends them to a collector.
VAST currently has native support only for NetFlow v5 and v9. Please get in touch if you need support for v7 or IPFIX.
VAST can either act as a collector or parse binary NetFlow data on standard
input. For the complete set of options, please consult the documentation for
the netflow-v5 and
netflow-v9 commands. (We use
netflow-v5 in the
examples below, but they also work with
The standard mode of operation is the collector mode, which opens a UDP listening socket at port 9995:
vast import netflow-v5
You can now point your exporter to the VAST collector, e.g., via
nfreplay < nflow.bin # Exports all records to 127.0.0.1:9995
If you have local binary NetFlow capture data, you can ingest it by passing
the filename via
vast import netflow-v5 -r nflow.bin
This method comes in handy when you already have binary captures from
or other sources that you want to feed into VAST.
Passing binary data via standard input requires explicit specification of
-r - on the command line. This behavior is different from other commands
that primarily operate on log files, where the absence of
reads data from standard input.