NetFlow

NetFlow is a suite of protocols for computing and relaying flow-level statistics. An exporter, such as a router or switch, aggregates packets into flow records and sends them to a collector.

PRO

This feature is only available in the pro version of VAST. Please contact us if you are interested in trying it out.

note

VAST has native support for NetFlow v5, v9, and IPFIX. We have an in-depth blog post about how we implement Flexible NetFlow.

Import

VAST can either act as a collector or parse binary NetFlow data on standard input. For the complete set of options, please consult the documentation for the vast import netflow command.

Collector

VAST can be configured to continuously import NetFlow messages from a given endpoint, which makes it a NetFlow collector. The NetFlow version is automatically identified at runtime, and mixing multiple versions (e.g., from multiple export devices) is possible.

To spin up a collector, use the vast import netflow command:

vast import netflow -l :2055/tcp
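One way a collector can tell the versions apart, as an added example that is not VAST's own code: NetFlow v5, v9, and IPFIX messages all begin with a 16-bit version field (5, 9, or 10), and the fixed-layout v5 format can be decoded once its record count has been checked against the datagram length. The function names and the sample datagram are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 has a fixed layout: a 24-byte header, then 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
VERSIONS = {5: "NetFlow v5", 9: "NetFlow v9", 10: "IPFIX"}

def identify_version(datagram):
    """Return the protocol name from the leading big-endian version field."""
    if len(datagram) < 2:
        raise ValueError("datagram too short for a version field")
    (version,) = struct.unpack_from("!H", datagram)
    if version not in VERSIONS:
        raise ValueError(f"unsupported NetFlow version {version}")
    return VERSIONS[version]

def parse_v5(datagram):
    """Decode a v5 datagram into a list of flow dictionaries."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a v5 datagram")
    # Never trust the exporter-supplied count: v5 carries 1 to 30 records,
    # and the count must agree exactly with the bytes actually received.
    expected = V5_HEADER.size + count * V5_RECORD.size
    if not 1 <= count <= 30 or len(datagram) != expected:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "sport": f[9], "dport": f[10], "proto": f[12],
            "packets": f[5], "bytes": f[6],
        })
    return flows

# Constructed sample: one v5 datagram carrying a single TCP flow.
SAMPLE = V5_HEADER.pack(5, 1, 1000, 1700000000, 0, 1, 0, 0, 0) + V5_RECORD.pack(
    ipaddress.IPv4Address("192.0.2.10").packed,
    ipaddress.IPv4Address("198.51.100.7").packed,
    bytes(4), 1, 2, 12, 3400, 100, 900, 51514, 443, 0x1B, 6, 0, 0, 0, 24, 24)

if __name__ == "__main__":
    print(identify_version(SAMPLE), parse_v5(SAMPLE))
```

NetFlow v9 and IPFIX are template-based, so decoding them requires keeping the templates each exporter has announced; only the version check above applies to them unchanged.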

A commonly used NetFlow collector is nfcapd, which writes NetFlow messages into framed files. To replay from nfcapd you can use nfreplay:

vast import netflow -l :9995/udp
nfreplay < path/to/capture.nfcapd # Exports all records to 127.0.0.1:9995

Because VAST behaves like any other UNIX tool, it can also import NetFlow messages from files or standard input directly:

# from file
vast import netflow -r path/to/netflow.bin
# pipe multiple files at once
cat path/to/*.bin | vast import netflow