Flow Collection
Upstream visibility.
Native flow ingestion.
The FTAgent natively ingests sFlow v5, NetFlow v5/v9, and IPFIX flow data from your routers and switches. No third-party collectors, no middleware. Binary protocol parsers decode flow records in real time and merge them with local detection metrics for complete upstream-to-server DDoS visibility.
How It Works
Flow data from your routers, parsed and merged in real time.
The FTAgent starts a UDP listener on the configured port (6343 for sFlow, 2055 for NetFlow, 4739 for IPFIX) and accepts flow packets from your network infrastructure. Binary protocol parsers handle sFlow v5 sampled packet headers, NetFlow v5 fixed-format records, and NetFlow v9/IPFIX template-based records with automatic template caching.
Decoded flow records are normalized and aggregated into 1-second PPS/BPS windows. The detection loop then merges flow data with local /proc/net/dev metrics, using the higher reading for threshold comparison. This means you see attacks at the router level before they even reach your server.
During attacks, flow-sourced top source IPs and destination ports are included in the initial incident report, giving your team actionable intelligence from the first alert.
| Protocols | sFlow v5, NetFlow v5, NetFlow v9, IPFIX |
| Default ports | 6343 (sFlow), 2055 (NetFlow), 4739 (IPFIX) |
| Aggregation | 1-second PPS/BPS windows |
| Template caching | Automatic (NetFlow v9 / IPFIX) |
| Merge strategy | Higher of flow vs. local reading |
| Attack enrichment | Top source IPs, destination ports |
Switch → UDP:2055 → NetFlow v9 parser
09:44:15 flow=2,340 PPS local=1,190 PPS
merge=2,340 PPS (flow higher)
09:44:16 flow=2,410 PPS local=1,204 PPS
merge=2,410 PPS (flow higher)
09:44:17 flow=89,200 PPS local=1,198 PPS
merge=89,200 PPS THRESHOLD CROSSED
→ Attack seen at router before reaching server
→ Top sources: 45.33.x.x, 192.0.x.x, 203.0.x.x
→ Top ports: UDP/53, UDP/123, UDP/1900
→ Incident opened 0.4s before local spike
Supported Protocols
Four protocols, one agent, zero dependencies
sFlow v5
Sampled packet headers from switches and routers. Ideal for high-speed links where full capture is not feasible.
NetFlow v5
Cisco's original fixed-format flow export. Widely supported across legacy and modern Cisco infrastructure.
NetFlow v9
Template-based flow records with automatic template caching. Flexible field definitions for modern deployments.
IPFIX
The IETF standard evolution of NetFlow v9. Vendor-neutral with enterprise information elements and variable-length fields.
Dashboard Configuration
Configure flow collection per-node from the dashboard.
Every flow collection parameter is configurable per-node directly from the Flowtriq dashboard. Select the protocol, set the listening port, define the sample rate multiplier, and restrict which source IPs are allowed to send flow data. Changes push to the agent in real time.
No SSH access required. No config files to edit. Your network team configures the router to export flows, and your Flowtriq admin enables collection from the dashboard.
Router Configuration
Built-in config snippets for popular platforms
Copy-paste router configs to start exporting flow data to your FTAgent in minutes.
Juniper Junos (sFlow)
set protocols sflow polling-interval 10
set protocols sflow sample-rate ingress 1000
set protocols sflow collector YOUR_AGENT_IP udp-port 6343
set protocols sflow interfaces ge-0/0/0
set protocols sflow interfaces xe-0/0/0
# Replace YOUR_AGENT_IP with the FTAgent server IP
# Adjust interfaces to match your uplinks

Cisco Flexible NetFlow (NetFlow v9)
flow exporter FLOWTRIQ
 destination YOUR_AGENT_IP
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
flow monitor FLOWTRIQ-MON
 exporter FLOWTRIQ
 record netflow ipv4 original-input
interface GigabitEthernet0/0
 ip flow monitor FLOWTRIQ-MON input
! Replace YOUR_AGENT_IP with the FTAgent server IP

MikroTik RouterOS (NetFlow v9)
/ip traffic-flow
set enabled=yes interfaces=ether1
set cache-entries=4k active-flow-timeout=1m
/ip traffic-flow target
add dst-address=YOUR_AGENT_IP port=2055 version=9
# Replace YOUR_AGENT_IP with the FTAgent server IP
# For IPFIX, use version=ipfix and port=4739
Use Cases
Where flow collection shines
Upstream visibility
- See volumetric attacks at the router before they reach your server
- Detect attacks that upstream providers partially filter
- Identify source IPs and attack vectors from flow metadata
- Trigger alerts seconds earlier than local-only detection
- Correlate router-level and server-level traffic patterns
Environments without packet capture
- Cloud VPCs where raw packet access is restricted
- Managed infrastructure with flow export but no shell access
- 100G+ links where full packet capture is impractical
- Multi-site deployments with centralized flow aggregation
- Compliance environments requiring non-intrusive monitoring
FAQ
Common questions about flow collection
Does flow collection replace the local /proc/net/dev detection?
No. Flow collection and local detection work together. The FTAgent's detection loop merges flow-derived PPS/BPS with local kernel stats every second, using the higher of the two readings for threshold comparison. If flow data shows 50,000 PPS from your router but local stats show 1,200 PPS, the agent uses 50,000 PPS. Both data sources remain active at all times.
What happens if my router stops sending flow data?
Detection falls back to local /proc/net/dev metrics seamlessly. The agent treats flow data as supplementary. If no flow packets arrive within the aggregation window, the local reading is used on its own. There is no gap in detection coverage and no manual intervention required.
Do I need to open inbound ports on my server?
Yes. The FTAgent listens on a UDP port for the configured protocol (6343 for sFlow, 2055 for NetFlow, 4739 for IPFIX). You should restrict this port to your allowed source IPs using the per-node configuration in the dashboard. Only your routers and switches need access to this port.
What sample rate should I configure on my router?
It depends on your link speed. Common recommendations: 1:1000 for 10G links, 1:2000 for 40G links, and 1:4096 for 100G+ links. The FTAgent multiplies sampled packet counts by your configured sample rate to estimate true traffic volume. You set the sample rate in the dashboard to match your router configuration.
Can I send flow data from multiple routers to one agent?
Yes. Configure the allowed source IPs in the per-node dashboard settings to include all your flow-exporting devices. The agent accepts and merges flow data from all allowed sources. Each router's flow records are combined into the same 1-second aggregation window alongside local metrics.
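The pipeline described in How It Works and in the FAQ answers above (source-IP allowlist, sample-rate multiplier, higher-of-two merge, fallback to the local reading) can be sketched for NetFlow v5 as follows. This is an added example, not FTAgent code: the function names, the 1-second window passed in as a list, and the sample datagram built by `make_v5` are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes
MAX_RECORDS = 30                                 # v5 maximum records per datagram

def parse_v5(datagram):
    """Return [(src_ip, dst_port, packets, octets)], or None if malformed."""
    if len(datagram) < HDR.size:
        return None
    version, count = HDR.unpack_from(datagram)[:2]
    # count is sender-controlled: bound it and require it to match the real length
    if version != 5 or not 1 <= count <= MAX_RECORDS:
        return None
    if len(datagram) != HDR.size + count * REC.size:
        return None
    out = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        out.append((socket.inet_ntoa(f[0]), f[10], f[5], f[6]))
    return out

def merge_window(datagrams, allowed, sample_rate, local_pps):
    """One 1-second window. datagrams: [(exporter_ip, payload)] as received."""
    flow_pps, dropped, sources = 0, 0, Counter()
    for exporter, payload in datagrams:
        # Allowlist first: UDP from senders outside the list is never parsed
        records = parse_v5(payload) if exporter in allowed else None
        if records is None:
            dropped += 1
            continue
        for src, _dport, pkts, _octets in records:
            flow_pps += pkts * sample_rate      # scale sampled count to an estimate
            sources[src] += pkts * sample_rate
    # Higher reading wins; with no accepted flow data this is the local reading
    return max(flow_pps, local_pps), dropped, sources.most_common(3)

def make_v5(flows):
    """Build a constructed sample datagram from [(src_ip, dst_port, packets)]."""
    dst = socket.inet_aton("198.51.100.10")
    body = b"".join(
        REC.pack(socket.inet_aton(s), dst, bytes(4), 0, 0, pkts, pkts * 64, 0, 0,
                 40000, dport, 0, 0, 17, 0, 0, 0, 0, 0, 0)
        for s, dport, pkts in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    good = make_v5([("203.0.113.5", 53, 40), ("203.0.113.9", 123, 10)])
    window = [("192.0.2.1", good), ("198.51.100.99", good)]  # second sender not allowed
    print(merge_window(window, {"192.0.2.1"}, 1000, 1200))
```

A source-IP allowlist on UDP does not authenticate the exporter, because the source address of a datagram can be forged, so the export path should also be filtered at the network level.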