NetFlow / sFlow / IPFIX Integration
Overview
NetFlow, sFlow, and IPFIX provide network flow data from routers, switches, and firewalls. KYRA MDR collects flow data for traffic analysis, anomaly detection, and network forensics, and supports NetFlow v5/v9, IPFIX (v10), and sFlow v5.
Prerequisites
- A KYRA MDR Collector installed and running with flow receiver enabled
- Network devices configured to export flow data
- Network connectivity from devices to the collector
- Sufficient storage for flow data
Configuration
Configure NetFlow export on a Cisco router:
```
configure terminal
ip flow-export version 9
ip flow-export destination <collector-ip> 2055
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
end
write memory
```
Configure the KYRA MDR collector to receive flows:
```yaml
sources:
  - type: netflow
    listen_port: 2055
    protocols: [netflow-v5, netflow-v9, ipfix, sflow]
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Flow Records | Source/dest IP, port, protocol, bytes | Traffic analysis, baseline |
| Top Talkers | Highest volume connections | Bandwidth anomaly detection |
| Protocol Distribution | Protocol usage breakdown | Shadow IT, tunneling detection |
| Interface Statistics | Per-interface traffic stats | Capacity planning |
| AS Path | BGP autonomous system data | Routing analysis |
| MPLS Labels | MPLS flow information | WAN traffic monitoring |
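As an added example (not KYRA MDR product code and not from this page), the following Python parses a NetFlow v5 datagram of the kind the collector receives on UDP/2055, scales packet and byte counts by the sampling interval carried in the v5 header (so 1:100 sampled exports, as recommended under Troubleshooting, still yield volume estimates), and derives the Top Talkers and Protocol Distribution views listed in the table above. The record layout follows the NetFlow v5 format; the sample datagram is constructed inline.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
PROTO = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}  # IP protocol numbers

def parse_v5(datagram):
    """Parse one NetFlow v5 datagram (as received on UDP/2055) into flow dicts.
    Counts are multiplied by the header's sampling interval, so 1:100 sampled
    exports become estimates of the real packet and byte volume."""
    version, count, _, _, _, _, _, _, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    interval = (sampling & 0x3FFF) or 1   # low 14 bits; 0 means unsampled
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
                      "sport": r[9], "dport": r[10], "proto": PROTO.get(r[13], str(r[13])),
                      "packets": r[5] * interval, "bytes": r[6] * interval})
    return flows

def top_talkers(flows, n=3):
    """Highest-volume connections, keyed by (src, dst, proto, dport)."""
    by_conn = Counter()
    for f in flows:
        by_conn[(f["src"], f["dst"], f["proto"], f["dport"])] += f["bytes"]
    return by_conn.most_common(n)

def protocol_distribution(flows):
    """Bytes per protocol; an unexpected GRE or ICMP share on a user segment is a tunneling cue."""
    dist = Counter()
    for f in flows:
        dist[f["proto"]] += f["bytes"]
    return dist

def build_record(src, dst, sport, dport, proto, pkts, octets):
    """Constructed sample record for offline testing, not real exporter output."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, 0, 0, sport, dport, 0, 0x18, proto, 0,
                       0, 0, 24, 24, 0)
# Constructed datagram: 3 records, sampling mode 1 (packet interval) with interval 100.
SAMPLE = HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0x4000 | 100) + b"".join([
    build_record("10.0.0.5", "203.0.113.10", 51000, 443, 6, 10, 12000),
    build_record("10.0.0.7", "10.0.0.9", 53001, 53, 17, 2, 300),
    build_record("10.0.0.5", "198.51.100.20", 0, 0, 47, 50, 60000),
])
print(top_talkers(parse_v5(SAMPLE)))  # GRE connection from 10.0.0.5 ranks first (6000000 bytes)
```

For a live feed, hand each UDP datagram received on the collector port to parse_v5 and aggregate the returned flows over a time window before comparing against your baseline.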
Troubleshooting
No flow data received: Verify the collector is listening on the correct port (2055 for NetFlow, 6343 for sFlow).
Missing interfaces: NetFlow must be enabled on each interface to be monitored (the ip flow ingress / ip flow egress commands in the configuration above).
High volume: Use sampling (1:100 or 1:1000) on high-speed interfaces to reduce volume.
Contact kyra@seekerslab.com for support.