NetFlow / IPFIX
NetFlow v9 / IPFIX biflow records — network telemetry as exported by routers, switches, and firewalls. TCP, UDP, and ICMP flows with byte/packet counters, AS numbers, and interface indexes.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-netflow/generator.yml \
  --id netflow \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| tcp-flow | TCP flows (HTTPS, HTTP, SSH, RDP, SMB, LDAP) | ~71% | network |
| udp-flow | UDP flows (DNS, NTP, SNMP, syslog) | ~27% | network |
| icmp-flow | ICMP flows (echo, unreachable, time exceeded) | ~2% | network |
Realism Features
- Protocol-realistic traffic profiles — each service has appropriate byte ranges, packet counts, and flow durations
- TCP flag simulation — cumulative bitmasks for completed (70%), active (15%), refused (10%), half-open (5%) flows
- Direction-aware routing — outbound (60%), inbound (25%), internal (15%)
- BGP AS numbers from 13 major cloud/CDN providers (Google, Cloudflare, AWS, Microsoft, Meta)
- Response ratio modeling — each service defines initiator-to-responder byte ratios
- VLAN tagging — workstations (VLAN 10), servers (VLAN 20), DMZ (VLAN 30)
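The `netflow.tcp_control_bits` field in the emitted records is the cumulative flag mask described above (the Sample Output below carries the value 27). The decoder and flow-state classifier here are an added example, not code from the content pack; the mapping from flag combinations to the completed/active/refused/half-open states is an assumption made for the example, and the record it parses is a constructed one in the sample's shape.

```python
import json

# NetFlow v9 / IPFIX tcpControlBits is the cumulative OR of the TCP flags seen
# on a flow's packets; the bit values follow the TCP header flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Constructed record in the shape of this generator's sample output (not a real export).
SAMPLE_RECORD = json.dumps({
    "source": {"ip": "10.1.1.30", "port": 52341},
    "destination": {"ip": "203.0.113.50", "port": 443},
    "network": {"transport": "tcp", "bytes": 397540},
    "netflow": {"tcp_control_bits": 27, "vlan_id": 10},
})

def decode_flags(bits: int) -> list[str]:
    """Return the flag names set in a cumulative tcp_control_bits mask."""
    return [name for name, value in TCP_FLAGS.items() if bits & value]

def classify_flow(bits: int) -> str:
    """Map a cumulative mask onto the four states the generator models.
    The rules are assumptions made for this example, not the generator's own:
    RST seen -> refused; SYN without ACK -> half-open;
    SYN+ACK+FIN -> completed; SYN+ACK without FIN -> active."""
    flags = set(decode_flags(bits))
    if "RST" in flags:
        return "refused"
    if "SYN" in flags and "ACK" not in flags:
        return "half-open"
    if {"SYN", "ACK", "FIN"} <= flags:
        return "completed"
    if {"SYN", "ACK"} <= flags:
        return "active"
    return "unknown"  # e.g. an ACK-only slice exported mid-flow, no SYN observed

def summarize_record(record_json: str) -> dict:
    """Decode one ECS-style NetFlow record; UDP/ICMP flows carry no flag mask."""
    rec = json.loads(record_json)
    transport = rec["network"]["transport"]
    if transport != "tcp":
        return {"transport": transport, "state": "n/a"}
    bits = rec["netflow"]["tcp_control_bits"]
    return {
        "transport": "tcp",
        "src": f'{rec["source"]["ip"]}:{rec["source"]["port"]}',
        "dst": f'{rec["destination"]["ip"]}:{rec["destination"]["port"]}',
        "flags": decode_flags(bits),
        "state": classify_flow(bits),  # 27 -> FIN, SYN, PSH, ACK -> "completed"
    }
```

Feeding the generator's output through `summarize_record` lets a detection rule key on the derived state (for instance a burst of `half-open` or `refused` flows from one source) instead of on the raw integer.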
Sample Output
```json
{
  "@timestamp": "2026-02-21T12:00:05.000000+00:00",
  "event": {
    "action": "netflow_flow",
    "category": ["network", "session"],
    "dataset": "netflow.log",
    "kind": "event"
  },
  "source": { "ip": "10.1.1.30", "port": 52341, "locality": "internal" },
  "destination": { "ip": "203.0.113.50", "port": 443, "locality": "external" },
  "network": {
    "bytes": 397540,
    "direction": "outbound",
    "transport": "tcp"
  },
  "netflow": {
    "bgp_destination_as_number": 13335,
    "tcp_control_bits": 27,
    "vlan_id": 10
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| exporter_ip | 10.0.0.1 | NetFlow/IPFIX exporter IP |
| exporter_port | 2055 | Exporter UDP port |
| source_id | 512 | IPFIX Observation Domain ID |
| collector_name | netflow-collector | Filebeat collector hostname |
| agent_id | a1b2c3d4-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.