Collect, Filter, and Replay. Yep, exactly what you read!

[MuriloChianfa]

Hello @phaag and hello people,

I bring an idea for integrate the collection with nfcapd, then filtering with nfdump, and later replay the filtered records. This would allows us to use the existing option -R from nfcapd but with a filter before forwarding with the repeater.

Background

I have some customers that want replay just some specific flows for other systems, and I think we could make an workflow integrating the three nfcapd collecting -> nfdump filtering and saving into another file -> nfreplay sending the filtered data. The problem here is that the minimum nfcapd rotation time is 2 seconds (I have a branch trying to lower it to 1 sec, btw 💅🏼), thus introducing a big delay on the replay process, which wouldn't be good for time sensitive systems, so that Idea started.

Previous Mentions

I searched in the repo about some mentions of it and I just found a pretty old mentioning on #253, where he suggests to run:

nfcapd -T nsel,nel -l /var/log/nat/netflow/ -p 5556 -t 2 -x "nfreplay -r /var/log/nat/netflow/%f -f /srv/scripts/nfdump.filter -v 9"

Therefore, replaying the received data, but just from some subnets (placed into the nfdump.filter file), not all data received.

Just that would be good to replay the filtered data, but we would introduce the delay as mentioned before (and would need the implementation of the filter on nfreplay).

Turning the Idea Feasible

I was thinking on integrate it directly into the -R replay option on nfcapd. I started to implement and test with some data.

Firstly, I start a new nfcapd collector listening for NetFlow v9 from my exporter on port 2055, with the repeater exporting to another local port, but with an additional parameter "-F", where it will filter the flows before forwarding to this repeater instance:

nfcapd -p 2055 -w /tmp/netflow -I main -t 60 -R 127.0.0.1/9997 -F 'in if 222'

Next, I start a "standard" nfcapd listening on port 9997, where it all receive just the data for in if 222:

nfcapd -p 9997 -w /tmp/filtered-netflow -I filtered -t 60

Note

Note that would be possible to have multiple repeaters, each one with a unique filter, example
-R 127.0.0.1/9997 -F 'in if 222' -R 127.0.0.1/662 -F 'in if 10' -R 192.168.0.100/9995 -F 'src net 100.64.0.0/10'

Repeater Destination	Port	Filter Expression	Description
127.0.0.1	9997	in if 222	Replays flows received for input interface 222
127.0.0.1	662	in if 10	Replays flows received for input interface 10
192.168.0.100	9995	src net 100.64.0.0/10	Replays flows coming with source IPs from the CGNAT

Results so far

The original data collected by the first nfcapd, without any filter:

[murilo@workstation: nfdump]$ ./src/nfdump/nfdump -r /tmp/netflow/nfcapd.202601301911 -A inif
Date first seen         Duration           Input   Packets    Bytes      bps    Bpp Flows
2026-01-30 19:11:10.000     00:00:00.000     244         1       99        0     99     1
2026-01-30 19:10:50.000     00:01:03.000     277       191   156463    19868    819    89
2026-01-30 19:10:09.000     00:01:45.000     224     11275   14.3 M    1.1 M   1267  1517
2026-01-30 19:09:59.000     00:01:58.000     222     19683   22.5 M    1.5 M   1144  4733
2026-01-30 19:10:02.000     00:01:55.000      63     5.2 M    2.2 G  153.3 M    427  5182
2026-01-30 19:10:03.000     00:01:55.000     243     17298   16.8 M    1.2 M    972  4385
Summary: total flows: 15907, total bytes: 2.3 G, total packets: 5.2 M, avg bps: 151.8 M, avg pps: 43711, avg bpp: 433
Time window: 2026-01-30 19:09:59.000 - 2026-01-30 19:11:58.000, Duration:    00:01:59.000
Total records processed: 15907, passed: 15907, Blocks skipped: 0, Bytes read: 3351708
Sys: 0.0659s User: 0.1918s Wall: 0.0015s flows/second: 10348812.4 Runtime: 0.0016s

Filtered data collected by the second nfcapd:

[murilo@workstation: nfdump]$ ./src/nfdump/nfdump -r /tmp/filtered-netflow/nfcapd.202601301911 -A inif
Date first seen         Duration           Input   Packets    Bytes      bps    Bpp Flows
2026-01-30 19:09:59.000     00:01:58.000     222     19144   21.8 M    1.5 M   1139  4603
Summary: total flows: 4603, total bytes: 21.8 M, total packets: 19144, avg bps: 1.5 M, avg pps: 162, avg bpp: 1139
Time window: 2026-01-30 19:09:59.000 - 2026-01-30 19:11:57.000, Duration:    00:01:58.000
Total records processed: 4603, passed: 4603, Blocks skipped: 0, Bytes read: 515600
Sys: 0.0619s User: 0.1887s Wall: 0.0007s flows/second: 6689667.8 Runtime: 0.0007s

Discussion

Perceive the exporter is losing some flows when repeating the filtered flows, I still working on it, but that prove that would be possible to implement that idea. 😀 I would like to know what you guys say about it, would be useful for anyone more? More ideas and suggestions are welcome. Thank you!