NetFlow Tutorial

I’ve seen quite a few solutions out there for NetFlow, and with UniFi now supporting it, I’d be curious to see a video on how you use it. What tools do you use and how do you apply them?

My use-case is typically for spot troubleshooting, so I don’t run a full-time collector/analyzer, but I could see the benefit of commercial tools like those in the class of SolarWinds – especially for those in the SOC environment.

Do you stay in the commercial space for this, or do you have any tools that are friendly for smaller installations and home-labs? Do you tend to stay with templates and v9, or do you prefer IPFIX?

Your coverage of Graylog for SIEM type monitoring has been pretty good. I’d love to see something similar for the netflow use-case.

Thanks in advance.

Graylog supports NetFlow as a way to ingest data, but there are not a lot of open source tools that I am aware of that are good or easy to get set up.

So do you use Graylog for collecting Netflow? If you’re using commercial solutions, that’s ok, too. I’m just curious.

We don’t really rely on netflow much other than maybe some troubleshooting as needed and Graylog can work for that.

For the little bit of NetFlow stuff I’ve done with my old Cisco ASA and current pfSense firewalls I’ve used the nfdump command line utilities (I’m a macOS user, by the way). There are lots of options for filtering and aggregating the collected flow data, so you can probably see anything you’re interested in, but you’ll have to deal with the large range of command line arguments to do so, which some (many?) people find off-putting. I’ve preferred to stick with NetFlow v9 since I like some of the NAT detail it includes, which is a common feature with firewalls, but these tools can handle pretty much all the different flow export versions and formats. It’s not fancy, but it seems to work well.
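The thread talks about template-based NetFlow v9 and about filtering and aggregating collected flows with nfdump. The following is an added example, not code from any poster and not part of nfdump or Graylog: a minimal NetFlow v9 parser that handles the template FlowSet followed by a data FlowSet, then a small top-talkers aggregation of the kind a collector produces. The field type numbers come from RFC 3954; the sample export packet is constructed inline, so the script runs offline. Real exporters send templates only periodically, which is why the parser keeps a `templates` cache that survives across packets and skips data records whose template has not been seen yet.

```python
"""Minimal NetFlow v9 parser plus a top-talkers aggregation (added example)."""
import socket
import struct
from collections import defaultdict

# NetFlow v9 field type IDs from RFC 3954; only those this example decodes.
FIELD_NAMES = {
    1: "in_bytes",
    2: "in_pkts",
    4: "protocol",
    7: "src_port",
    8: "src_addr",
    11: "dst_port",
    12: "dst_addr",
}


def _decode_field(ftype, raw):
    # IPv4 address fields are rendered dotted-quad; everything else as big-endian int.
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet and return a list of flow dicts.

    `templates` maps template_id -> [(field_type, field_length), ...] and should be
    reused across packets, since exporters resend templates only periodically.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    flows = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:  # template FlowSet: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, fcount = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = []
                for _ in range(fcount):
                    if pos + 4 > len(body):
                        raise ValueError("truncated template definition")
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[tid] = fields
        elif fs_id >= 256:  # data FlowSet: id is the template it was encoded with
            fields = templates.get(fs_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len:
                pos = 0
                # trailing bytes shorter than one record are exporter padding
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    flows.append(rec)
            # else: template unknown (not yet received); collectors drop or buffer these
        # fs_id 1 (options template) and 2..255 (reserved) are skipped
        offset += fs_len
    return flows


def top_talkers(flows, key="src_addr", n=5):
    """Sum in_bytes per value of `key`, largest first (like a collector's top-N report)."""
    totals = defaultdict(int)
    for f in flows:
        if key in f:
            totals[f[key]] += f.get("in_bytes", 0)
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def build_sample_packet():
    """Constructed sample export: template 256 plus three data records (not real traffic)."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    records = [  # src, dst, sport, dport, proto, bytes, pkts (documentation-range addresses)
        ("192.0.2.10", "198.51.100.5", 51514, 443, 6, 120000, 90),
        ("192.0.2.11", "198.51.100.5", 40001, 53, 17, 900, 6),
        ("192.0.2.10", "203.0.113.7", 51600, 22, 6, 48000, 40),
    ]
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHBII", sp, dp, pr, by, pk)
                    for s, d, sp, dp, pr, by, pk in records)
    data += b"\x00" * ((-len(data)) % 4)  # exporters pad FlowSets to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    # header count = template records + data records = 4
    header = struct.pack("!HHIIII", 9, 4, 123456, 1700000000, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    cache = {}
    for flow in parse_netflow_v9(build_sample_packet(), cache):
        print(flow)
    print("top talkers by bytes:", top_talkers(parse_netflow_v9(build_sample_packet(), cache)))
```

A collector built on this would keep the `templates` cache keyed per exporter (source address plus the header's source ID), since template IDs are only unique within one observation domain.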