IPFIX
Plugin: netflow-plugin Module: ipfix
Overview
Collect network flow records from IPFIX (NetFlow v10) exporters. IPFIX extends NetFlow v9 with variable-length fields, vendor-specific information elements, and template withdrawal. Each record exposes the same core fields as NetFlow plus any additional IEs the exporter provides.
For full documentation including vendor configuration examples (Cisco, Juniper, Arista, ASA NSEL), biflow handling, sampling caveats, and verification steps, see the Network Flows Overview.
The plugin listens on the same UDP socket as NetFlow. IPFIX messages are identified by version number 10 and decoded using cached templates. Decoded records are enriched and appended to disk-backed journal tiers.
This integration is only supported on the following platforms:
- Linux
This integration runs as a single instance per Netdata Agent.
Default Behavior
Auto-Detection
The plugin starts when enabled in netflow.yaml and listens on the configured UDP port.
Limits
Operational limits are driven by sustained flows/s, template churn, cardinality, retention, storage speed, and enrichment. Plan around 25k sustained flows/s per well-provisioned agent for the full raw + rollup pipeline; use distributed agents for larger deployments.
Performance Impact
Disabled until exporters send traffic. Once active, CPU and disk I/O scale with flow rate, template volume, and cardinality; size retention and storage from observed flows/s.
Setup
Prerequisites
IPFIX-capable exporter
A router, switch, or firewall configured to export IPFIX datagrams to the Netdata agent's UDP listener.
Configuration
Options
IPFIX shares the same netflow.yaml configuration file as NetFlow and sFlow.
Enable IPFIX via the protocols.ipfix option.
Config options
| Option | Description | Default | Required |
|---|---|---|---|
| listener.listen | UDP endpoint for IPFIX datagrams. | 0.0.0.0:2055 | no |
| protocols.ipfix | Enable IPFIX decoding. | yes | no |
| journal.journal_dir | Directory for journal files (relative to NETDATA_CACHE_DIR). | flows | no |
| journal.tiers.<tier>.size_of_journal_files | Per-tier hard size cap. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for time-only retention. | 10GB | no |
| journal.tiers.<tier>.duration_of_journal_files | Per-tier maximum age. Replace <tier> with raw, minute_1, minute_5, or hour_1. Set to null for size-only retention. | 7d | no |
via File
The configuration file name for this integration is netflow.yaml.
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netflow.yaml
Examples
IPFIX collection
Listen for IPFIX records on Netdata's default flow listener port.
enabled: true
listener:
listen: "0.0.0.0:2055"
protocols:
v5: false
v7: false
v9: false
ipfix: true
sflow: false
Verifying flow data is arriving and diagnosing failures
See Troubleshooting for
the full diagnostic recipe. For IPFIX specifically, watch the template_errors dimension
on netflow.input_packets -- IPFIX is template-driven and data records arriving before
their templates are dropped. See also
Validation and Data Quality.
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.