IPFIX
Plugin: netflow-plugin
Module: ipfix
Overview
Collect network flow records from IPFIX (NetFlow v10) exporters. IPFIX extends
NetFlow v9 with variable-length fields, vendor-specific information elements,
and template withdrawal. Each record exposes the same core fields as NetFlow plus
any additional IEs the exporter provides.
For full documentation including vendor configuration examples (Cisco, Juniper, Arista,
ASA NSEL), biflow handling, sampling caveats, and verification steps, see the
Network Flows Overview.
The plugin listens on the same UDP socket as NetFlow. IPFIX messages are identified by
version number 10 and decoded using cached templates. Decoded records are enriched and
appended to disk-backed journal tiers.
This integration is only supported on the following platforms:
This integration runs as a single instance per Netdata Agent.
Default Behavior
Auto-Detection
The plugin starts when enabled in netflow.yaml and listens on the configured UDP port.
Limits
Operational limits are driven by sustained flows/s, template churn, cardinality, retention, storage speed, and enrichment. Plan around 25k sustained flows/s per well-provisioned agent for the full raw + rollup pipeline; use distributed agents for larger deployments.
Disabled until exporters send traffic. Once active, CPU and disk I/O scale with flow rate, template volume, and cardinality; size retention and storage from observed flows/s.
Setup
Prerequisites
IPFIX-capable exporter
A router, switch, or firewall configured to export IPFIX datagrams to the
Netdata agent’s UDP listener.
Configuration
Options
IPFIX shares the same netflow.yaml configuration file as NetFlow and sFlow.
Enable IPFIX via the protocols.ipfix option.
| Option | Description | Default | Required |
|---|
| listener.listen | UDP endpoint for IPFIX datagrams. | 0.0.0.0:2055 | no |
| protocols.ipfix | Enable IPFIX decoding. | yes | no |
| journal.journal_dir | Directory for journal files (relative to NETDATA_CACHE_DIR). | flows | no |
| journal.tiers.<tier>.size_of_journal_files | Per-tier hard size cap. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for time-only retention. | 10GB | no |
| journal.tiers.<tier>.duration_of_journal_files | Per-tier maximum age. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for size-only retention. | 7d | no |
via File
The configuration file name for this integration is netflow.yaml.
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netflow.yaml
Examples
IPFIX collection
Listen for IPFIX records on Netdata’s default flow listener port.
enabled: true
listener:
listen: "0.0.0.0:2055"
protocols:
v5: false
v7: false
v9: false
ipfix: true
sflow: false
Metrics
Network flow data is stored as journal records, not as traditional metrics.
Use the Network Flows view in the Netdata dashboard to query and visualize flow data.
For the full list of fields and the per-protocol availability matrix, see the
Field Reference.
IPFIX biflow records are emitted as two separate flow records (forward + reverse).
Alerts
There are no alerts configured by default for this integration.
Verifying flow data is arriving and diagnosing failures
See Troubleshooting for
the full diagnostic recipe. For IPFIX specifically, watch the template_errors dimension
on netflow.input_packets – IPFIX is template-driven and data records arriving before
their templates are dropped. See also
Validation and Data Quality.
