Collector sees flows but traffic volumes look 1/1000 of expected. Cause: Exporter samples at 1:1000; collector didn’t multiply by sampling rate.
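The scaling step the collector skipped, as an added example (not from the original page or from any collector's own code). It assumes NetFlow v5, where the exporter states its sampling interval in the low 14 bits of the last header field; the datagram built by `build_sample` is constructed test data, and the function and key names are illustrative.

```python
import struct
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes


def parse_v5(datagram: bytes):
    """Return (sampling_interval, flows) with counters scaled to estimated real traffic."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    # Top 2 bits: sampling mode; low 14 bits: interval N (1 packet in N sampled).
    interval = sampling & 0x3FFF
    scale = interval if interval > 1 else 1  # 0 or 1 means unsampled
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "raw_packets": f[5], "raw_bytes": f[6],  # what the exporter counted
            "est_packets": f[5] * scale, "est_bytes": f[6] * scale,
        })
    return interval, flows


def build_sample(interval: int) -> bytes:
    """Constructed datagram: one flow with 12 sampled packets, 18000 sampled bytes."""
    header = HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, (0b01 << 14) | interval)
    record = RECORD.pack(
        IPv4Address("192.0.2.10").packed, IPv4Address("198.51.100.7").packed,
        bytes(4), 1, 2, 12, 18000, 0, 0, 51515, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    interval, flows = parse_v5(build_sample(1000))
    for flow in flows:
        print(f"1:{interval} {flow['src']} -> {flow['dst']} "
              f"raw={flow['raw_bytes']}B est={flow['est_bytes']}B")
```

Storing the raw and the estimated counters side by side makes a missing or double-applied multiplier visible when volumes are later compared against interface counters.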
| Engine | License | Key Strengths |
|--------|---------|----------------|
| (with nfcapd) | BSD | Lightweight, battle-tested, integrates with nfsen. Limited to v5/v9. |
| pmacct | GPLv2 | Extremely flexible: MySQL, PostgreSQL, Kafka, AMQP backends. Supports sFlow, NetFlow, IPFIX. |
| Elastiflow (now part of Elastic) | Elastic License | Native Elasticsearch integration, Kibana dashboards, machine learning anomalies. |
| Scrutinizer (Plixer) | Commercial | High-scale aggregation, security detection, jumbo flows. |
| Kentik | SaaS | Cloud-native, built on ClickHouse, global traffic visibility. |
| ntopng (with nProbe) | GPLv3 | Real-time flow analysis, embedded HTTP server, DPI. |
To save space, the engine can consolidate similar flow records and filter out irrelevant data.
Probes deployed per site or per device, forwarding normalized data to a central aggregator. Reduces latency and loss risk. Example: pmacct instances on each branch router, feeding Kafka.
: Acts as a central "listener" for NetFlow records sent via UDP from multiple exporters (routers/switches) across the network.