NetFlow is suite of protocols for computing and relaying flow-level statistics. An exporter, such as a router or switch, aggregates packets into flow records and sends them to a collector.


This feature is available as a plugin for VAST. Please contact us if you are interested in trying it out.


VAST has native support for NetFlow v5, v9, and IPFIX. We have a in-depth blog post about how we implement Flexible NetFlow.


VAST can either act as collector or parse binary NetFlow data on standard input. For the complete set of options, please consult the documentation for the vast import netflow command.


VAST can be configured to continuously import NetFlow messages from a given endpoint, which makes it a NetFlow collector. The NetFlow version is automatically identified at runtime, and mixing multiple versions (e.g., from multiple export devices) is possible.

To spin up a collector, use the vast import netflow command:

vast import -l :2055/tcp netflow

A commonly used NetFlow collector is nfcapd, which writes NetFlow messages into framed files. To replay from nfcapd you can use nfreplay:

vast import -l :9995/udp netflow
nfreplay < path/to/capture.nfcapd # Exports all records to

Because VAST behaves like any other UNIX tool, it can also import NetFlow messages from files or standard input directly:

# from file
vast import -r path/to/netflow.bin netflow
# pipe multiple files at once
cat path/to/*.bin | vast import netflow