Analyzing Network Flow Data with Netflow

When to Use

• When investigating security incidents that require analyzing network flow data with netflow
• When building detection rules or threat hunting queries for this domain
• When SOC analysts need structured procedures for this analysis type
• When validating security monitoring coverage for related attack techniques

Prerequisites

• Familiarity with network security concepts and tools
• Access to a test or lab environment for safe execution
• Python 3.8+ with required dependencies installed
• Appropriate authorization for any testing activities

Instructions

1. Install dependencies: pip install netflow
2. Collect NetFlow/IPFIX data from routers or use the built-in collector: python -m netflow.collector -p 9995
3. Parse captured flow data using netflow.parse_packet().
4. Analyze flows for:
   • Port scanning: single source to many destinations on same port
   • Data exfiltration: high byte-count outbound flows to unusual destinations
   • C2 beaconing: periodic connections with consistent intervals
   • Volumetric anomalies: traffic spikes beyond baseline thresholds
5. Generate a prioritized findings report.

python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json

Examples

Parse NetFlow v9 Packet

import netflow
data, _ = netflow.parse_packet(raw_bytes, templates={})
for flow in data.flows:
    print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)