The most compelling application of NetFlow tools is in the realm of incident response and digital forensics. When an organization suffers a breach, the immediate question is rarely "what happened?" but rather "how far did it spread?" This is where NetFlow shines. Because NetFlow data is highly compressible and can be stored for long periods (often months or years), it acts as a surveillance camera for the digital infrastructure. If a workstation is compromised, a security analyst can "rewind" the tape. They can visualize the precise moment the malware connected to its Command and Control (C2) server, trace the lateral movement of the attacker as they jumped from server to server, and identify exactly which data stores were accessed. Without NetFlow, investigating a breach is often a guessing game; with it, the attack path becomes a visible, undeniable trail.
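The "rewind the tape" investigation described above, as an added example that is not part of the original page: it loads a constructed set of flow records in an assumed simplified CSV layout (not nfdump's real export format), finds the first contact with an assumed C2 address, and then follows internal flows forward in time to reconstruct the lateral-movement path and the data store that was reached.

```python
import csv
import io
from datetime import datetime

# Constructed sample flows (timestamp, src, dst, dst port, protocol, bytes) in an
# assumed simplified CSV layout, not nfdump's real export format. 203.0.113.7 is the
# assumed C2 address; 10.0.3.40 is an assumed database server.
FLOWS_CSV = """ts,src,dst,dport,proto,bytes
2024-03-01T09:30:00,10.0.1.21,10.0.2.15,445,TCP,3000
2024-03-01T09:58:00,10.0.1.20,10.0.0.5,53,UDP,120
2024-03-01T10:02:10,10.0.1.20,203.0.113.7,443,TCP,4100
2024-03-01T10:05:00,10.0.1.20,10.0.2.15,445,TCP,9800
2024-03-01T10:07:30,10.0.2.15,10.0.3.40,1433,TCP,52000000
2024-03-01T10:09:00,10.0.2.15,203.0.113.7,443,TCP,2200
"""

def load_flows(text):
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])  # parse timestamp
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])  # chronological order

def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the internal address space

def first_c2_contact(flows, host, c2_ip):
    """Rewind the tape: the first time this host talked to the C2 address."""
    times = [f["ts"] for f in flows if f["src"] == host and f["dst"] == c2_ip]
    return min(times) if times else None

def trace_lateral_movement(flows, patient_zero, c2_ip):
    """Follow internal flows forward from the first C2 contact; each reached host is
    followed from its own reach time, so pre-infection traffic (the 09:58 DNS lookup)
    is excluded. Returns (first_c2_time, [(src, dst, dport, ts, bytes), ...])."""
    start = first_c2_contact(flows, patient_zero, c2_ip)
    if start is None:
        return None, []
    reached = {patient_zero: start}  # host -> time it was first reached
    hops, queue = [], [patient_zero]
    while queue:
        host = queue.pop(0)
        for f in flows:
            if (f["src"] == host and f["ts"] >= reached[host]
                    and is_internal(f["dst"]) and f["dst"] not in reached):
                reached[f["dst"]] = f["ts"]
                hops.append((host, f["dst"], f["dport"], f["ts"], f["bytes"]))
                queue.append(f["dst"])
    return start, hops
```

The same walk over real collector output would start from whatever host the alert named and the C2 address the alert reported; the 52 MB flow to port 1433 is the kind of record that answers "which data stores were accessed".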
```bash
# On the collector (Ubuntu)
sudo apt install nfdump nfsen
# Edit /etc/nfsen.conf and set $sources to your router's IP:port
sudo systemctl start nfsen
```
NetFlow (originally from Cisco) is a network protocol that collects IP traffic metadata: it records who talked to whom, using what protocol, how much data was transferred, and for how long. Common variants: NetFlow (v5/v9), sFlow, IPFIX (the standardized form of v9), jFlow (Juniper).
: A classic set of tools for processing NetFlow data from the command line.
Raw data requires a collector/analyzer to be useful; it isn't "human-readable" on its own.
Access the nfsen web UI at http://collector-ip/nfsen