Flow-Tools

Flow-Tools is a handy set of programs designed for processing and managing NetFlow exports from routers made by Cisco and Juniper. It comes with a bunch of tools that make it easier to work with flow data. Some of the tools included are: flow-capture, flow-cat, flow-dscan, flow-expire, flow-export, flow-fanout, and many more!

Understanding Flow Data

The cool thing about flow-tools is that it collects and stores data in host byte order by default. And guess what? The files are portable across all endian architectures! This means you can easily work with your data regardless of the system you’re using.

Network Commands Explained

Now let’s talk about how commands work within this software. They use a localip/remoteip/port setup for communication. The "localip" is basically the IP address your host will use when sending or receiving NetFlow PDUs. If you set "localip" to 0, the kernel will decide which IP to use for sending and will listen on all addresses for incoming data.

Exporting Flows from Routers

When exporting flows from a router, there are different configurable versions available. A flow is just a collection of key fields along with some additional data! The key fields include things like source address, destination address, input/output information, ports used, and more.

Different Export Versions

The software supports several export versions per file like versions 1, 5, 6, and 7. Each version adds more fields to help give better insights into network traffic. For instance:

• Version 5: Adds fields like source AS and destination AS.


• Version 7: Includes router info for Catalyst switches.


• Version 8: Reduces exported data size while keeping essential info.

The Tools at Your Disposal

The flow-tools distribution includes various programs such as:

• flow-capture: Collects and manages exported flows.


• flow-report: Generates detailed reports on NetFlow datasets.


• flow-export:


• flow-filter: Filters flows based on specific criteria.


• & many more!