Collecting NetFlow with nfcapd and nfdump

This blog post is for network experimenters who want to collect (receive) NetFlow or IPFIX flow records using the nfdump package (which includes nfcapd). An example use case, building on the previous blog post NetFlow on OpenWRT, is shown in the diagram below (highlighted boxes):


Flow records can be useful for various applications such as network visibility and security alerting.

Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP ->            100     4600     1


Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as number of packets and sum of bytes per flow record.

NetFlow is a specification for exporting and collecting flow records. It is superseded by a newer open-standard specification called IPFIX[1].

In this tutorial we use the nfdump package, which incorporates nfcapd, as a NetFlow/IPFIX collector on Ubuntu.

We assume that you already have an Ubuntu instance running a recent release, and access to the command line shell.



Start by ensuring Ubuntu is up-to-date:

sudo apt-get update
sudo apt-get upgrade

Install nfdump Package

Install nfdump (including nfcapd) from package:

sudo apt-get install nfdump


If the package isn’t sufficient for your needs (maybe you want the latest version, want to play with compile options, etc.) you can compile it yourself; see the build instructions in the GitHub source[2].

Configure nfdump/nfcapd

The Ubuntu package installs various files[3]. There are init and config files /etc/init.d/nfdump and /etc/default/nfdump; however, these are ignored by systemd, which uses this file:



By default nfcapd will start running as a daemon listening on UDP port 2055 after a reboot. This can be seen by checking for the nfcapd process (after reboot):

$ ps -ef | grep nfcapd
root       663     1  0 18:14 ?        00:00:00 /usr/bin/nfcapd -D -l /var/cache/nfdump -P /var/run/ -p 2055
user1       1858  1841  0 18:22 pts/0    00:00:00 grep --color=auto nfcapd


This shows that the system is now listening for NetFlow/IPFIX input on UDP port 2055 and is writing the records in binary format to /var/cache/nfdump.

You can check that nfcapd is listening with netstat:

$ netstat -n --udp --listen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0  *


To change the settings, for instance change the port number to 9995, follow these steps:

Enable nfdump.service (which is actually nfcapd) in systemd:

sudo systemctl enable nfdump.service


Stop the service:

sudo systemctl stop nfdump.service


Edit the service file to change the port from 2055 to 9995:

sudo vi /lib/systemd/system/nfdump.service


Reload systemd daemons and start nfdump:

sudo systemctl daemon-reload
sudo systemctl start nfdump.service


Check with netstat to see if it is listening on the new port. If not, stop and start nfdump.service again.

Logs are stored in /var/log/syslog if needed for checking events:

$ tail -100 /var/log/syslog | grep nfcapd
Aug 19 20:48:36 host1 nfcapd[1833]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
Aug 19 20:48:36 host1 nfcapd[1833]: Total ignored packets: 0

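The two syslog lines above are the per-interval statistics nfcapd writes each time it rotates a file, which makes them a cheap health signal for the collector: a run of intervals with zero flows usually means the exporter has stopped or is sending to the wrong port, and non-zero sequence errors or bad packets mean export packets are being lost or rejected. The following is an added example (not code from the post or from the nfdump project) that parses those lines and raises alerts; the sample log lines are constructed in the same shape as the ones shown above, and the field names and thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample of nfcapd's per-interval statistics as they appear in
# /var/log/syslog, plus one unrelated line to show that it is ignored.
SAMPLE_SYSLOG = """\
Aug 19 20:43:36 host1 nfcapd[1833]: Ident: 'none' Flows: 1204, Packets: 8, Bytes: 9531, Sequence Errors: 0, Bad Packets: 0
Aug 19 20:43:36 host1 nfcapd[1833]: Total ignored packets: 0
Aug 19 20:48:36 host1 nfcapd[1833]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
Aug 19 20:48:36 host1 nfcapd[1833]: Total ignored packets: 0
Aug 19 20:53:36 host1 nfcapd[1833]: Ident: 'none' Flows: 0, Packets: 0, Bytes: 0, Sequence Errors: 0, Bad Packets: 0
Aug 19 20:58:36 host1 nfcapd[1833]: Ident: 'none' Flows: 37, Packets: 1, Bytes: 2210, Sequence Errors: 3, Bad Packets: 1
Aug 19 20:58:36 host1 sshd[2001]: Accepted publickey for user1 from 192.0.2.10 port 51022
"""

# Matches only the "Ident: ... Flows: ..." statistics line; the "Total
# ignored packets" line and anything not from nfcapd is skipped.
STAT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ nfcapd\[\d+\]: Ident: '(?P<ident>[^']*)' "
    r"Flows: (?P<flows>\d+), Packets: (?P<packets>\d+), Bytes: (?P<bytes>\d+), "
    r"Sequence Errors: (?P<seq_err>\d+), Bad Packets: (?P<bad>\d+)$"
)


@dataclass
class Interval:
    ts: str
    ident: str
    flows: int
    packets: int
    bytes: int
    seq_errors: int
    bad_packets: int


def parse_stats(text):
    """Return one Interval per nfcapd statistics line, in log order."""
    intervals = []
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if m:
            intervals.append(Interval(
                m["ts"], m["ident"], int(m["flows"]), int(m["packets"]),
                int(m["bytes"]), int(m["seq_err"]), int(m["bad"]),
            ))
    return intervals


def check_collector(intervals, max_idle=2):
    """Alert on lost/rejected export packets and on an exporter that has gone quiet.

    max_idle is the number of consecutive zero-flow intervals tolerated
    before alerting (a hypothetical threshold chosen for this example).
    """
    alerts = []
    idle = 0
    for iv in intervals:
        if iv.seq_errors:
            alerts.append(f"{iv.ts}: {iv.seq_errors} sequence errors (export packets lost or reordered)")
        if iv.bad_packets:
            alerts.append(f"{iv.ts}: {iv.bad_packets} bad packets (rejected by nfcapd)")
        if iv.flows == 0:
            idle += 1
            if idle == max_idle:
                alerts.append(f"{iv.ts}: no flows for {max_idle} consecutive intervals (exporter down or sending to the wrong port?)")
        else:
            idle = 0
    return alerts


if __name__ == "__main__":
    for alert in check_collector(parse_stats(SAMPLE_SYSLOG)):
        print(alert)
```

In practice you would feed it the output of `grep nfcapd /var/log/syslog` (or a journald export) on a timer and route the alerts wherever your other monitoring goes; the idle check is the one that catches the "No Matched Flows" situation before anyone runs nfdump by hand.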

Using nfdump to View Flow Records

The nfdump utility reads binary flow records from disk and outputs them in ASCII. At its most basic, just use the -R option to say where the binary files are stored:

$ nfdump -R /var/cache/nfdump
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-18 21:52:15.536    61.619 UDP ->         29     3301     1


Specific files can be read to limit what data is processed. This can be done by either:

  • Specifying a filename: this file and all more recent files will be read.
  • Specifying two filenames separated by a colon: reads the two files and all files between them by time.

There are numerous other options; here are some useful ones:

  • Order by time start:
-O tstart
  • Aggregate flow records as bidirectional flows and guess direction:
  • Output to CSV:
-o csv
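The CSV output is the natural hand-off point to the "security alerting" use mentioned at the top of the post. Below is an added example (not code from the post or from the nfdump project) that reads `nfdump -o csv` output and applies two simple checks: sources that moved more than a byte threshold in the window, and source/destination pairs where one source touched many distinct destination ports. The sample input is constructed in the shape of nfdump's CSV output using documentation addresses; the column names relied on (ts, te, td, sa, da, sp, dp, pr, ipkt, ibyt) are the ones nfdump uses, but the full header has more columns and varies by version, so the parser keys on names, not positions, and skips the summary lines nfdump prints after the records. The thresholds are this example's own choices.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of `nfdump -o csv` output (header
# truncated to the first 15 columns; a real header is longer). Hosts are
# RFC 5737 documentation addresses, not real systems.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt,opkt,obyt
2018-08-18 21:52:15,2018-08-18 21:53:17,61.619,192.0.2.10,198.51.100.5,53412,443,TCP,.AP.SF,0,0,29,3301,0,0
2018-08-18 21:52:20,2018-08-18 21:52:20,0.000,203.0.113.7,192.0.2.10,41000,22,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:52:20,2018-08-18 21:52:20,0.000,203.0.113.7,192.0.2.10,41001,23,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:52:20,2018-08-18 21:52:20,0.000,203.0.113.7,192.0.2.10,41002,25,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:52:21,2018-08-18 21:52:21,0.000,203.0.113.7,192.0.2.10,41003,80,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:52:21,2018-08-18 21:52:21,0.000,203.0.113.7,192.0.2.10,41004,443,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:52:21,2018-08-18 21:52:21,0.000,203.0.113.7,192.0.2.10,41005,3389,TCP,....S.,0,0,1,60,0,0
2018-08-18 21:55:00,2018-08-18 22:05:00,600.000,192.0.2.20,198.51.100.9,50000,4444,TCP,.AP.SF,0,0,90000,120000000,0,0
Summary: total flows: 8, total bytes: 120003661, total packets: 90035, avg bps: 0, avg pps: 0, avg bpp: 0
Time window: 2018-08-18 21:52:15 - 2018-08-18 22:05:00
Total flows processed: 8, Blocks skipped: 0, Bytes read: 1234
"""


def parse_nfdump_csv(text):
    """Return flow records as dicts keyed by the header names.

    Lines whose field count differs from the header (nfdump's trailing
    summary lines) are skipped rather than mis-parsed as flows.
    """
    rows = list(csv.reader(io.StringIO(text)))
    header, body = rows[0], rows[1:]
    records = []
    for row in body:
        if len(row) != len(header):
            continue
        rec = dict(zip(header, row))
        for key in ("ipkt", "ibyt", "opkt", "obyt"):
            rec[key] = int(rec[key])
        rec["td"] = float(rec["td"])
        records.append(rec)
    return records


def top_talkers(records, byte_threshold):
    """Sources whose summed input bytes meet the threshold, largest first."""
    per_src = defaultdict(int)
    for r in records:
        per_src[r["sa"]] += r["ibyt"]
    hits = [(sa, b) for sa, b in per_src.items() if b >= byte_threshold]
    return sorted(hits, key=lambda item: -item[1])


def port_fanout(records, min_ports):
    """(src, dst) pairs where the source hit at least min_ports distinct dst ports."""
    ports = defaultdict(set)
    for r in records:
        if r["pr"] in ("TCP", "UDP"):
            ports[(r["sa"], r["da"])].add(int(r["dp"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_nfdump_csv(SAMPLE_CSV)
    print("flows:", len(flows))
    for sa, nbytes in top_talkers(flows, byte_threshold=100_000_000):
        print(f"heavy talker {sa}: {nbytes} bytes")
    for (sa, da), dports in port_fanout(flows, min_ports=5).items():
        print(f"fan-out {sa} -> {da}: ports {dports}")
```

To run it against live data, pipe `nfdump -R /var/cache/nfdump -o csv` into the parser instead of using SAMPLE_CSV; both checks work on single-direction records, so there is no need for the bidirectional aggregation option when feeding them.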

There are many other options, see the nfdump man page for more information:

man nfdump

Congratulations, you now have a NetFlow/IPFIX collector and can view flow records.

[1] See: + 7012, 7013, 7014 & 7015

[2] See:

[3] See: (change link to relevant version of Ubuntu)

10 thoughts on “Collecting NetFlow with nfcapd and nfdump”

  1. nishant ambastha February 19, 2019 / 10:29 pm

    I followed the steps but I’m getting ‘No Matched Flows’ when I’m running nfdump -R /var/cache/nfdump.

    Can you help me figure this out. I’m using Ubuntu in VirtualBox and with two network adapter enabled as NAT.

    Thanks in advance.


    • Matt Hayes February 20, 2019 / 9:36 am

      Hi Nishant, do you have a NetFlow Exporter configured that is sending flow records to your Collector? The Exporter isn’t covered in this blog post, but there are other posts on how to create one.


  2. nishant ambastha February 22, 2019 / 6:16 pm

    Hey Matt, do you know how we can define templates so that we can have different templates for IPFIX streams?


    • Matt Hayes February 23, 2019 / 9:02 pm

      Sorry, not something I’ve looked into, good luck!

