forked from mbolli/nfsen-ng

Responsive NetFlow visualizer built on top of nfdump tools.



nfsen-ng is an in-place replacement for the ageing nfsen.

Used components



Ubuntu 18.04 LTS:

# run following commands as root
# enable universe repository
add-apt-repository universe && sudo apt update
# install packages
apt install apache2 php7.2 php7.2-dev libapache2-mod-php7.2 pkg-config nfdump rrdtool librrd-dev
# enable apache modules
a2enmod rewrite deflate headers expires
# install rrd library for php
pecl install rrd 
# create rrd library mod entry for php
echo "extension=rrd.so" > /etc/php/7.2/mods-available/rrd.ini
# enable php mod
phpenmod rrd
# configure virtual host to read .htaccess files
vim /etc/apache2/apache2.conf # set AllowOverride All for /var/www
# restart httpd
service apache2 restart
# install nfsen-ng
cd /var/www/html # or wherever
git clone
chown -R www-data:www-data .
chmod +x nfsen-ng/backend/cli.php
# next step: configuration

CentOS 7:

# run following commands as root
# update packages
yum update
# enable EPEL repo
yum -y install epel-release
# install yum utils
yum install yum-utils
# install remi release
yum install
# enable the repository for PHP 7.2
yum-config-manager --enable remi-php72
# install packages
yum install git httpd mod_php nfdump php72 php72-php-devel php-devel php-pear php-pecl-rrd rrdtool rrdtool-devel
# configure virtual host to read .htaccess files
vim /etc/httpd/conf/httpd.conf # set AllowOverride All for /var/www/html
# start httpd service
systemctl start httpd
# enable httpd service
systemctl enable httpd
# install nfsen-ng
cd /var/www/html # or wherever
git clone
chown -R apache:apache .
chmod +x nfsen-ng/backend/cli.php
# next step: configuration


Note: nfsen-ng expects the profiles-data folder structure to be PROFILES_DATA_PATH/PROFILE/SOURCE/YYYY/MM/DD/nfcapd.YYYYMMDDHHII, e.g. /var/nfdump/profiles_data/live/source1/2018/12/01/nfcapd.201812010225.
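A way to check existing capture files against this layout before running an import, as an added example (not part of nfsen-ng). The function names and all sample paths except the first are constructed for illustration; the values passed in correspond to the profiles-data, profile and sources settings.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath

NFCAPD_NAME = re.compile(r"nfcapd\.([0-9]{12})")  # nfcapd.YYYYMMDDHHII

def check_nfcapd_path(path, profiles_data, profile, sources):
    """Return the capture time encoded in `path`, or raise ValueError."""
    try:
        rel = PurePosixPath(path).relative_to(PurePosixPath(profiles_data))
    except ValueError:
        raise ValueError("not below profiles-data") from None
    if len(rel.parts) != 6:
        raise ValueError("expected PROFILE/SOURCE/YYYY/MM/DD/nfcapd.*")
    prof, source, year, month, day, name = rel.parts
    if prof != profile:
        raise ValueError(f"profile {prof!r} is not {profile!r}")
    if source not in sources:
        raise ValueError(f"source {source!r} is not configured")
    match = NFCAPD_NAME.fullmatch(name)
    if not match:
        raise ValueError("file name is not nfcapd.YYYYMMDDHHII")
    try:
        stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M")
    except ValueError:
        raise ValueError("file name holds an impossible date") from None
    # The YYYY/MM/DD folders must agree with the timestamp in the file name.
    if (year, month, day) != tuple(stamp.strftime("%Y %m %d").split()):
        raise ValueError("date folders disagree with the file name")
    return stamp

def audit(paths, profiles_data, profile, sources):
    """Map every path that breaks the layout to the reason it was rejected."""
    problems = {}
    for path in paths:
        try:
            check_nfcapd_path(path, profiles_data, profile, sources)
        except ValueError as exc:
            problems[path] = str(exc)
    return problems

# Constructed sample paths; only the first is the example from the note above.
SAMPLE_PATHS = [
    "/var/nfdump/profiles_data/live/source1/2018/12/01/nfcapd.201812010225",
    "/var/nfdump/profiles_data/live/source1/2018/12/02/nfcapd.201812010225",
    "/var/nfdump/profiles_data/live/source9/2018/12/01/nfcapd.201812010225",
    "/var/nfdump/profiles_data/live/source1/nfcapd.201812010225",
]
```

Calling `audit(SAMPLE_PATHS, "/var/nfdump/profiles_data", "live", ["source1"])` reports the last three paths and accepts the first.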

The default settings file is backend/settings/settings.php.dist. Copy it to backend/settings/settings.php and start modifying it. Example values are in italic:

  • general
    • ports: (array(80, 23, 22, ...)) The ports to examine. Note: If you use RRD as datasource and want to import existing data, you may want to keep the number of ports to a minimum, or the import time will be measured in moon cycles...
    • sources: (array('source1', ...)) The sources to scan.
    • db: (RRD) The name of the datasource class (case-sensitive).
  • frontend
    • reload_interval: Interval in seconds between graph reloads.
  • nfdump
    • binary: (/usr/bin/nfdump) The location of your nfdump executable
    • profiles-data: (/var/nfdump/profiles_data) The location of your nfcapd files
    • profile: (live) The profile folder to use
    • max-processes: (1) The maximum number of concurrently running nfdump processes. Note: Statistics and aggregations can use a lot of system resources; aggregating even one week of data might take more than 15 minutes. Set this value to > 1 if you want nfsen-ng to remain usable while another query is running.
  • db: If the data source in use needs additional configuration, you can specify it here, e.g. host and port.
  • log


The command line interface is used to initially scan existing nfcapd.* files, or to administer the daemon.


./cli.php [ options ] import

or for the daemon

./cli.php start|stop|status

  • Options:

    • -v Show verbose output
    • -p Import ports data as well. Note: Using RRD, this will take quite a bit longer, depending on the number of your defined ports.
    • -ps Import ports per source as well. Note: Using RRD, this will take quite a bit longer, depending on the number of your defined ports.
    • -f Force overwriting database and start fresh
  • Commands:

    • import Import existing nfdump data to nfsen-ng. Note: If you have existing nfcapd files, better do this overnight.
    • start Start the daemon for continuous reading of new data. Logs go into backend/nfsen-ng.log.
    • stop Stop the daemon
    • status Get the daemon's status
  • Examples:

    • ./cli.php -f import Imports fresh data for sources

    • ./cli.php -f -p -ps import Imports all data

    • ./cli.php start Starts the daemon


The API is used by the frontend to retrieve data.


  • URL /api/config

  • Method: GET

  • URL Params none

  • Success Response:

    • Code: 200 Content:
      {
        "sources": [ "gate", "swi6" ],
        "ports": [ 80, 22, 23 ],
        "stored_output_formats": [],
        "stored_filters": [],
        "daemon_running": true
      }
  • Error Response:

    • Code: 400 BAD REQUEST Content:
      {"code": 400, "error": "400 - Bad Request. Probably wrong or not enough arguments."}


    • Code: 404 NOT FOUND Content:
      {"code": 404, "error": "400 - Not found. "}
  • Sample Call:

    curl localhost/nfsen-ng/api/config


  • URL /api/graph?datestart=1490484000&dateend=1490652000&type=flows&sources[0]=gate&protocols[0]=tcp&protocols[1]=icmp&display=sources

  • Method:


  • URL Params

    • datestart=[integer] Unix timestamp
    • dateend=[integer] Unix timestamp
    • type=[string] Type of data to show: flows/packets/bytes
    • sources=[array]
    • protocols=[array]
    • ports=[array]
    • display=[string] can be sources, protocols or ports

    Multiple sources and multiple protocols cannot be combined in one request. Use either one source and multiple protocols, or one protocol and multiple sources.

  • Success Response:

    • Code: 200 Content:
      {"data": {
  • Error Response:

    • Code: 400 BAD REQUEST Content:
      {"code": 400, "error": "400 - Bad Request. Probably wrong or not enough arguments."}


    • Code: 404 NOT FOUND Content:
      {"code": 404, "error": "400 - Not found. "}
  • Sample Call:

    curl -g "http://localhost/nfsen-ng/api/graph?datestart=1490484000&dateend=1490652000&type=flows&sources[0]=gate&protocols[0]=tcp&protocols[1]=icmp&display=sources"
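A client-side builder for the /api/graph request above, as an added example (not code from nfsen-ng). It enforces the documented parameter values and the one-source-or-one-protocol rule before anything is sent, and percent-encodes values so a source name cannot add extra query parameters. The function name, the port range check and the datestart < dateend check are assumptions made for this example.

```python
from urllib.parse import urlencode

GRAPH_TYPES = {"flows", "packets", "bytes"}
GRAPH_DISPLAYS = {"sources", "protocols", "ports"}

def _indexed(name, values):
    """Expand a list into name[0]=..., name[1]=... pairs, as in the sample call."""
    return [(f"{name}[{i}]", str(v)) for i, v in enumerate(values)]

def build_graph_url(base, datestart, dateend, type_, sources, protocols,
                    ports=(), display="sources"):
    """Return the /api/graph URL, or raise ValueError for a request the API rejects."""
    for stamp in (datestart, dateend):
        if isinstance(stamp, bool) or not isinstance(stamp, int) or stamp < 0:
            raise ValueError("datestart/dateend must be Unix timestamps")
    if datestart >= dateend:  # assumption: an empty or reversed range is an error
        raise ValueError("datestart must be before dateend")
    if type_ not in GRAPH_TYPES:
        raise ValueError("type must be flows, packets or bytes")
    if display not in GRAPH_DISPLAYS:
        raise ValueError("display must be sources, protocols or ports")
    if len(sources) > 1 and len(protocols) > 1:
        raise ValueError("multiple sources and multiple protocols requested")
    for port in ports:
        if isinstance(port, bool) or not isinstance(port, int) or not 0 <= port <= 65535:
            raise ValueError("ports must be integers from 0 to 65535")
    query = [("datestart", datestart), ("dateend", dateend), ("type", type_)]
    query += _indexed("sources", sources)
    query += _indexed("protocols", protocols)
    query += _indexed("ports", ports)
    query.append(("display", display))
    # safe="[]" keeps the array brackets readable; everything else is encoded.
    return f"{base.rstrip('/')}/api/graph?" + urlencode(query, safe="[]")

if __name__ == "__main__":
    print(build_graph_url("http://localhost/nfsen-ng", 1490484000, 1490652000,
                          "flows", ["gate"], ["tcp", "icmp"]))
```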


  • URL /api/flows?datestart=1482828600&dateend=1490604300&sources[0]=gate&sources[1]=swi6&filter=&limit=100&aggregate=srcip&sort=&output[format]=auto

  • Method:


  • URL Params

    • datestart=[integer] Unix timestamp
    • dateend=[integer] Unix timestamp
    • sources=[array]
    • filter=[string] filter in pcap syntax
    • limit=[int] max. returned rows
    • aggregate=[string] can be bidirectional or a valid nfdump aggregation string (e.g. srcip4/24, dstport), but not both at the same time
    • sort=[string] (will probably cease to exist, as ordering is done directly in aggregation) e.g. tstart
    • output=[array] can contain [format] = auto|line|long|extended and [IPv6]
  • Success Response:

    • Code: 200 Content:
      ["2017-03-27 10:40:46","0.000","","","0","0","","1","46","0","0"],
  • Error Response:

    • Code: 400 BAD REQUEST Content:
      {"code": 400, "error": "400 - Bad Request. Probably wrong or not enough arguments."}


    • Code: 404 NOT FOUND Content:
      {"code": 404, "error": "400 - Not found. "}
  • Sample Call:

    curl -g "http://localhost/nfsen-ng/api/flows?datestart=1482828600&dateend=1490604300&sources[0]=gate&sources[1]=swi6&filter=&limit=100&aggregate[]=srcip&sort=&output[format]=auto"


  • URL /api/stats?datestart=1482828600&dateend=1490604300&sources[0]=gate&sources[1]=swi6&for=dstip&filter=&top=10&limit=100&aggregate[]=srcip&sort=&output[format]=auto

  • Method:


  • URL Params

    • datestart=[integer] Unix timestamp
    • dateend=[integer] Unix timestamp
    • sources=[array]
    • filter=[string] filter in pcap syntax
    • top=[int] return top N rows
    • for=[string] field to get the statistics for, with an optional ordering field as suffix, e.g. ip/flows
    • limit=[string] limit output to records above or below the limit, e.g. 500K
    • output=[array] can contain [IPv6]
  • Success Response:

    • Code: 200 Content:
          ["Packet limit: > 100 packets"],
          ["2017-03-27 10:38:20","2017-03-27 10:47:58","577.973","any","","673","2.7","676","2.5","56581","2.7","1","783","83"],
  • Error Response:

    • Code: 400 BAD REQUEST Content:
      {"code": 400, "error": "400 - Bad Request. Probably wrong or not enough arguments."}


    • Code: 404 NOT FOUND Content:
      {"code": 404, "error": "400 - Not found. "}
  • Sample Call:

    curl -g "http://localhost/nfsen-ng/api/stats?datestart=1482828600&dateend=1490604300&sources[0]=gate&sources[1]=swi6&for=dstip&filter=&top=10&limit=100&aggregate[]=srcip&sort=&output[format]=auto"

More endpoints to come:

  • /api/graph_stats

