I’m looking for a free-ish Linux open source Netflow collector/analyser. I have 5 Juniper MX routers that will send IPFIX flows to it for an ISP network. I’m hoping it is something I can run in AWS/EC2 as I don’t want to worry about storage again in my lifetime. Does anyone have any recommendations?

For reporting I would like to generate basic usage reports to/from IP/Subnet/ASN. It would be great if it could also detect DDoS and activate flowspec back into my core routers, but that isn’t a requirement.



Try FlowViewer (analyzing, graphing, trending software) + SiLK (robust, high-performance capture software from Carnegie-Mellon).

Pretty full netflow analysis package; free.




There was a long thread back in January that I think will provide
you many of the suggestions you're seeking. If you haven't seen it, it
starts here:

  <Flow collection and analysis>


The ELK stack does a good job of collecting netflow records with the addition of Filebeat. Check out my tattle-tale tool that collects netflow data: It has numerous rules in logstash/conf.d to try to just look for spoofed DDoS amplification requests but if you remove those rules (except for 40-ifName.conf and 50-reverse-dns.conf) it should be a pretty nice netflow collection solution. If you are looking for a free solution to identify DDoS attacks from netflow and generate Flowspec rules, check out

Also, here’s a doc for best practices when implementing Flowspec:


Juniper added sFlow support to MX routers in Junos 18.1R1,

You might want to consider deploying sFlow instead of IPFIX, particularly if you are interested in DDoS mitigation where low latency and visibility into packet headers can be helpful.