
The Two-Tool Problem

Walk into any ISP, hosting provider, or enterprise network operations center and you will find the same pattern: two separate tools doing two halves of the same job.

Tool one is the flow collector. Kentik, nfsen, ntopng, Plixer, or some home-grown stack built on nfdump. It receives sFlow, NetFlow, or IPFIX from routers, decodes the binary records, aggregates them into time buckets, and provides dashboards showing top talkers, protocol breakdowns, and bandwidth utilization.

Tool two is the DDoS detection tool. FastNetMon, Arbor, Corero, or a cloud scrubbing service. It watches traffic patterns, detects volumetric anomalies, classifies attacks, and triggers mitigation via BGP blackhole or flowspec.

Two license fees. Two dashboards. Two alert pipelines. Two maintenance burdens. Two sets of credentials. Two vendors to coordinate with during an incident at 3 AM.

  • Flow collector license: $500 to $5,000/mo depending on flow volume and feature tier
  • DDoS detection tool: $500 to $2,000/mo for software, or $10,000+ for dedicated appliances
  • Combined cost: $1,000 to $7,000/mo for what is fundamentally the same underlying data

Both tools receive the same flow exports from the same routers. Both decode the same binary protocol records. Both look at the same source IPs, destination IPs, ports, and protocols. The only difference is what they do after parsing: one makes dashboards, the other fires alerts.

What a Flow Collector Actually Does

Strip away the marketing and a flow collector performs five operations:

  1. Receive sFlow, NetFlow, or IPFIX datagrams from routers on a UDP port (typically 6343 for sFlow, 2055 for NetFlow, and 4739 for IPFIX)
  2. Decode binary protocol records into structured data (source IP, destination IP, ports, protocol, byte count, packet count, SNMP interface index)
  3. Aggregate decoded records into time buckets (usually 5-minute intervals)
  4. Store aggregated data for historical analysis (days, weeks, or months depending on retention policy)
  5. Visualize stored data in dashboards: top talkers, protocol breakdown, bandwidth utilization per interface, AS-path distribution

That is the entire product. Receive bytes, decode bytes, bucket data, store data, draw charts. None of these operations are architecturally complex. None of them require a separate tool from DDoS detection. The flow collector and the DDoS tool are two views of the same parsed data.
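The decode and bucket steps above, for the fixed-format NetFlow v5 case, as an added example that is not Flowtriq's or any vendor's code: one parser feeds both a top-talker view and a per-second packet-rate alert. Because the UDP listener accepts unauthenticated datagrams, the decoder validates version, record count, and length before unpacking. Assumptions: the function names are hypothetical, buckets use the export header timestamp, sampling is ignored, the alert uses a fixed threshold rather than a dynamic baseline, and the sample datagram is constructed from documentation-range addresses.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record

def decode_v5(datagram):
    """Decode one NetFlow v5 export datagram; reject malformed input."""
    if len(datagram) < HDR.size:
        raise ValueError("short header")
    version, count, _uptime, unix_secs, *_ = HDR.unpack_from(datagram)
    if version != 5 or not 1 <= count <= 30:     # v5 carries at most 30 records
        raise ValueError("not a valid NetFlow v5 header")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("length does not match record count")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"ts": unix_secs, "src": str(IPv4Address(f[0])),
                      "dst": str(IPv4Address(f[1])), "pkts": f[5],
                      "bytes": f[6], "dport": f[10], "proto": f[13]})
    return flows

def top_talkers(flows, n=3):
    """Dashboard view: total bytes per source IP."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)

def pps_alerts(flows, threshold_pps):
    """Detection view: (second, destination) buckets above a fixed packet threshold."""
    buckets = Counter()
    for f in flows:
        buckets[(f["ts"], f["dst"])] += f["pkts"]
    return sorted(k for k, v in buckets.items() if v > threshold_pps)

def sample_datagram(ts, records):
    """Constructed input: records are (src, dst, pkts, bytes, dport, proto)."""
    body = b"".join(REC.pack(IPv4Address(s).packed, IPv4Address(d).packed, bytes(4),
                             1, 2, p, b, 0, 0, 40000, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, p, b, dp, pr in records)
    return HDR.pack(5, len(records), 0, ts, 0, 0, 0, 0, 0) + body

SAMPLE = sample_datagram(1700000000, [
    ("192.0.2.10", "203.0.113.5", 9000, 540000, 53, 17),
    ("192.0.2.11", "203.0.113.5", 7000, 420000, 53, 17),
    ("198.51.100.7", "203.0.113.9", 20, 30000, 443, 6)])
```
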

What Flowtriq Replaces

Flowtriq's agent includes native binary parsers for every major flow protocol:

  • sFlow v5 — including expanded counter samples and sampled packet headers
  • NetFlow v5 — the legacy fixed-format protocol still used by millions of Cisco devices
  • NetFlow v9 — template-based format with support for custom fields
  • IPFIX — the IETF standard (sometimes called NetFlow v10) with variable-length fields

Zero third-party dependencies. No Java runtime. No Elasticsearch cluster. No separate database. The agent binary handles protocol decoding natively, the same way your existing collector does, using the same router configuration and the same export ports.

But Flowtriq goes beyond what your collector provides:

  • 1-second aggregation instead of the typical 5-minute buckets, giving you per-second PPS, BPS, and protocol breakdown
  • Per-second top source IPs and top destination ports for real-time traffic analysis
  • Automatic DDoS detection with dynamic baselines and attack classification
  • PCAP capture triggered automatically when an attack is detected
  • BGP mitigation via ExaBGP, GoBGP, BIRD, or FRRouting for automated blackhole or flowspec response

One agent. One dashboard. One bill: $9.99/node/month.

The Cost Comparison

Here is what the math looks like for a typical 20-node network:

# Traditional stack for a 20-node network:
# Flow collector license:     $800/mo  (Kentik, or self-hosted nfsen)
# DDoS detection tool:       $600/mo  (FastNetMon Community lacks features)
# Maintenance/updates:       $200/mo  (estimate)
# Total:                    $1,600/mo
#
# Flowtriq:
# 20 nodes × $9.99/mo =     $199.80/mo
# Includes: flow ingestion + DDoS detection + BGP mitigation
# Savings:                  $1,400/mo ($16,800/year)

The savings scale linearly. A 50-node network paying $3,000/mo for separate tools drops to $499.50/mo with Flowtriq. A 100-node network paying $5,500/mo drops to $999/mo.

The cost difference is not because Flowtriq does less. It is because Flowtriq eliminates the architectural redundancy of running two separate systems that parse the same data. One parser, one pipeline, one price.

What You Keep

Switching to Flowtriq does not mean rearchitecting your network. You keep everything that already works:

  • Your existing router configurations. Same sFlow or NetFlow export settings, same UDP ports. Just change the destination IP from your old collector to the Flowtriq agent.
  • Your existing BGP setup. Flowtriq supports ExaBGP, GoBGP, BIRD, and FRRouting for mitigation. If you already have BGP blackhole or flowspec configured, Flowtriq slots in.
  • Your existing alert channels. Slack, PagerDuty, Discord, email, webhooks. Flowtriq sends alerts through the same channels your team already monitors.
  • Your existing workflows. No new dashboards to learn, no new query languages, no new deployment procedures. Install the agent, point your flow exports at it, done.

The migration is a single configuration change on each router: update the flow export destination IP from your old collector to the Flowtriq agent's IP address. Most teams complete the migration in under an hour.

When to Keep Your Existing Collector

Flowtriq is not the right choice for every use case. Keep your existing flow collector if:

  • You need 30+ day historical flow data retention. Flowtriq focuses on real-time detection and short-term analysis. If compliance or capacity planning requires months of granular flow data, a dedicated collector with deep storage is the right tool.
  • You need AS-path analytics or peering analysis. Understanding traffic distribution across transit providers and IXPs is a network-level concern that requires BGP table correlation with flow data. This is outside Flowtriq's scope.
  • You are locked into a multi-year contract. If you have 18 months left on a Kentik or Arbor contract, it may make more financial sense to run Flowtriq in parallel until the contract expires.
  • You need full NetFlow v9/IPFIX template field support for custom analytics. If your team has built custom tooling around vendor-specific information elements, verify that Flowtriq's parser covers the fields you depend on.

For everything else — traffic visibility, top talker analysis, protocol breakdown, bandwidth monitoring, DDoS detection, attack classification, PCAP forensics, and automated mitigation — Flowtriq does it all in a single agent at a fraction of the cost.

One agent. One bill. Full visibility.

Replace your flow collector and your DDoS detection tool with Flowtriq. $9.99/node/month, 7-day free trial.
