Network Management | 9 min read | April 3, 2026
Tags: NetFlow, Traffic Analysis, Bandwidth Monitoring, IPFIX, NOC

NetFlow Traffic Analysis for ISPs: Monitor, Analyse & Optimise Your Network

For an Internet Service Provider, raw uptime metrics are not enough. Knowing that your routers are online tells you very little about what is traversing your network, who is consuming the most bandwidth, or where a sudden traffic spike is coming from. NetFlow is the technology that answers these questions — and for ISPs it is one of the most powerful tools available for capacity planning, anomaly detection, and subscriber-level visibility.

What is NetFlow?

NetFlow is a network protocol developed by Cisco that collects IP traffic information and exports it to a flow collector for analysis. Rather than capturing every individual packet (as a full packet capture would), NetFlow works at the flow level — grouping related packets that share the same source IP, destination IP, source port, destination port, and protocol into a single record called a flow.

This approach gives you actionable traffic intelligence at a fraction of the storage and processing cost of full packet capture. For a mid-size ISP moving multiple gigabits of traffic per second, NetFlow can summarise millions of conversations into manageable flow records that paint a precise picture of network behaviour.

NetFlow v5

The classic Cisco format. IPv4 only, fixed record structure. Widely supported on MikroTik and legacy gear.

NetFlow v9

Template-based and flexible. Supports IPv6, MPLS, and custom fields. The foundation for IPFIX.

IPFIX

IETF-standardised extension of NetFlow v9. Vendor-neutral, extensible, and the modern choice for new deployments.

sFlow is a complementary standard that uses statistical packet sampling rather than full flow export. It scales well on high-speed interfaces but provides estimates rather than exact byte counts. Many ISPs use both — NetFlow/IPFIX for detailed flow analysis on core routers and sFlow for line-rate interfaces on distribution switches.

How NetFlow Works in an ISP Environment

NetFlow operates in three stages: collection, export, and analysis. Here is how each stage fits into a typical ISP deployment:

  1. Flow generation — The router (e.g., MikroTik, Cisco, Juniper) monitors packets passing through each interface and groups them into flows based on the 5-tuple: source IP, destination IP, source port, destination port, and protocol.
  2. Flow export — When a flow ends (or a periodic active timeout fires), the router exports the flow record to a designated NetFlow collector. The record includes byte count, packet count, start/end timestamps, and TCP flags.
  3. Flow collection — A NetFlow collector (such as nfdump/nfcapd, ntopng, Elastiflow, or a custom collector) receives and stores the flow records. Collectors aggregate data from multiple routers into a unified dataset.
  4. Flow analysis — Analysts and monitoring dashboards query the collected flows to answer questions: Who are the top bandwidth consumers? Is there a traffic spike on a specific prefix? Is a subscriber generating DDoS traffic?
  5. Alerting & integration — Anomaly detection rules can trigger alerts when flow patterns exceed thresholds — for example, flagging a subscriber generating >1 Gbps of UDP flood traffic as a potential DDoS source.

On MikroTik routers — the most common NAS in South Asian ISP deployments — NetFlow export is enabled via /ip traffic-flow. You configure the collector IP, port, and active/inactive timeouts. MikroTik supports NetFlow v5, v9, and IPFIX, making it compatible with all major collector platforms.

Key Use Cases for ISP Operators

NetFlow is not just a monitoring tool — it is an operational foundation. Here are the most impactful use cases for ISP operators:

🔍 Top Talker Identification

Instantly see which subscribers, IPs, or AS paths are consuming the most bandwidth. Identify heavy users and enforce Fair Usage Policies (FUP) with confidence.

🚨 DDoS & Anomaly Detection

Detect sudden traffic spikes, UDP floods, SYN floods, and volumetric DDoS attacks in near real-time. Trigger blackhole routing or RTBH before your upstream is saturated.

📊 Capacity Planning

Analyse peak traffic hours, utilisation trends on each uplink, and traffic growth over time. Use this data to make informed decisions about when and where to upgrade.

📍 Traffic Engineering

Understand traffic distribution across peering links, transit providers, and CDN caches. Optimise BGP routing policies to reduce transit costs and improve latency.

💰 Bandwidth Billing

Use flow data to verify subscriber data consumption against FUP thresholds. Cross-reference with RADIUS accounting records for accurate monthly billing.

🛡️ Security & Compliance

Maintain a flow log for forensic analysis. When a subscriber is accused of malicious activity, flow records provide a timestamped audit trail of connections.

NetFlow vs. SNMP vs. Packet Capture

ISP operators have several options for traffic visibility. Understanding when to use each method helps you build a layered monitoring strategy:

| Method | Granularity | Overhead | Best For |
|---|---|---|---|
| NetFlow / IPFIX | Flow-level (5-tuple) | Low–Medium | Traffic patterns, top talkers, security analysis |
| SNMP | Interface counters (bytes in/out) | Very Low | Utilisation graphs, uptime monitoring |
| sFlow | Sampled packets (1:N) | Very Low | High-speed links, approximate top-N |
| Packet Capture | Full packet payload | Very High | Deep troubleshooting, protocol debugging |

The recommended approach for most ISPs is to combine SNMP for interface utilisation alerts (fast, lightweight), NetFlow/IPFIX for subscriber-level traffic analysis and security, and packet capture selectively for troubleshooting specific sessions. This layered approach provides comprehensive visibility without excessive resource consumption on your routers.

Enabling NetFlow on MikroTik for ISP Traffic Analysis

MikroTik's Traffic Flow feature is built into RouterOS and requires no additional licensing. Here is how to configure it for export to a NetFlow collector:

Step 1 — Enable traffic flow and configure timeouts

/ip traffic-flow
set enabled=yes interfaces=ether1
set active-flow-timeout=1m inactive-flow-timeout=15s

Step 2 — Configure the collector target and set the export version

/ip traffic-flow target
add dst-address=192.168.1.100 port=2055 version=9

Step 3 — Verify flow export is active

/ip traffic-flow print
/ip traffic-flow target print

Replace 192.168.1.100 with the IP of your NetFlow collector and ether1 with your upstream-facing interface. For accurate subscriber data, apply flow monitoring to the interface facing your subscriber network (e.g., the PPPoE server interface or the bridge carrying subscriber VLANs).

Popular open-source NetFlow collectors compatible with MikroTik include nfdump/nfcapd, ntopng, and Elastiflow (Elasticsearch-based). Commercial options like PRTG, ManageEngine NetFlow Analyzer, and SolarWinds NTA are also widely used in enterprise ISP environments.

NetFlow Visibility Inside ISPbills

ISPbills integrates network telemetry data alongside its billing, RADIUS, and NOC modules to give operators a unified view of both business and network operations. The NOC dashboard brings together:

  • Real-time bandwidth graphs per router interface — powered by SNMP polling and MikroTik RouterOS API, giving operators instant utilisation visibility without needing a separate graphing tool.
  • RADIUS session data — active PPPoE sessions with assigned IPs, session duration, and data transferred (from the radacct table), enabling per-subscriber usage tracking directly inside the billing platform.
  • Device-level traffic monitoring — live traffic rates per MikroTik queue, allowing operators to see per-subscriber bandwidth consumption without leaving the ISPbills dashboard.
  • Zabbix integration — ISPbills connects to Zabbix for infrastructure-level alerting, complementing flow analysis with threshold-based notifications for CPU, memory, and interface utilisation.
  • Telegram alerts — automated notifications for device downtime, high utilisation, and subscriber suspension events keep your NOC team informed in real time.

By combining RADIUS accounting data with live router telemetry, ISPbills provides the subscriber-level traffic context that most standalone NetFlow tools lack — you can see not just what is consuming bandwidth, but which subscriber account it is, what package they are on, and whether their invoice is paid.

NetFlow Best Practices for ISP Operators

Use Sampling on High-Speed Links

On 10 Gbps+ interfaces, enable 1:100 or 1:1000 sampling to reduce router CPU load while still capturing statistically significant traffic patterns.

Set Appropriate Timeouts

An active flow timeout of 1–5 minutes and an inactive timeout of 15–30 seconds balance flow record volume against detection latency for anomaly monitoring.

Monitor Egress on Uplink Interfaces

Exporting flows from your upstream-facing interfaces captures all subscriber traffic going to the internet — the most useful vantage point for top-talker analysis.

Retain Flow Data for 90+ Days

Security investigations often require historical flow data. Retain at least 90 days of compressed flow records for forensic and compliance purposes.

Correlate with RADIUS Data

Map source IPs in flow records to RADIUS session data to identify the subscriber behind each flow. This subscriber attribution is essential for FUP enforcement.
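The added example below (not code from ISPbills or from the original article) shows why this mapping has to be time-aware: subscriber IPs are reassigned, so a flow is attributed only when one RADIUS session covers its whole lifetime. The column layout follows the FreeRADIUS default radacct schema as an assumption, and the rows and function names are constructed for illustration.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

def ts(text):
    return datetime.fromisoformat(text)

# Constructed radacct rows: (username, framedipaddress, acctstarttime, acctstoptime).
# acctstoptime None means the session is still open.
RADACCT = [
    ("alice", "100.64.0.17", ts("2026-04-01 08:00:00"), ts("2026-04-01 12:30:00")),
    ("bob",   "100.64.0.17", ts("2026-04-01 12:31:10"), None),
    ("carol", "100.64.0.42", ts("2026-04-01 09:15:00"), ts("2026-04-01 18:00:00")),
]

def build_index(rows):
    """Group sessions by assigned IP, sorted by start time."""
    index = defaultdict(list)
    for user, ip, start, stop in rows:
        index[ip].append((start, stop, user))
    for sessions in index.values():
        sessions.sort(key=lambda s: s[0])
    return index

def attribute(index, src_ip, flow_start, flow_end):
    """Return the username whose session covers the whole flow, else None."""
    sessions = index.get(src_ip, [])
    # Latest session on this IP that began at or before the flow started.
    pos = bisect_right([s[0] for s in sessions], flow_start) - 1
    if pos < 0:
        return None
    _start, stop, user = sessions[pos]
    if stop is not None and flow_end > stop:
        # Flow outlives the session (gap or IP reassignment): leave it
        # unattributed rather than name the wrong subscriber.
        return None
    return user

if __name__ == "__main__":
    idx = build_index(RADACCT)
    print(attribute(idx, "100.64.0.17", ts("2026-04-01 10:00:00"),
                    ts("2026-04-01 10:00:30")))
```

Returning no match for ambiguous flows keeps the audit trail defensible; those flows can be reviewed by hand against router and collector clock offsets.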

Build DDoS Baselines

Establish normal traffic baselines for each prefix and protocol. Anomalies exceeding 3× baseline are a reliable signal for automated DDoS mitigation triggers.
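One way to implement the 3× baseline trigger, as an added example that is not from the original article: flows are bucketed per destination prefix and protocol, sampled counters are scaled back up, and each bucket is compared with the median of earlier normal buckets. The prefixes, flow tuples, 60-second interval and `min_history` parameter are assumptions chosen for the sample.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed monitored prefixes (documentation range).
PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/25", "203.0.113.128/25")]
INTERVAL = 60   # seconds per bucket, matching a 1m active flow timeout
FACTOR = 3      # the 3x-baseline trigger described in the text

def bucketise(flows, sampling=1):
    """Sum bits/s per (bucket, dst prefix, protocol).

    flows: iterable of (epoch_seconds, dst_ip, ip_protocol, octets).
    sampling: N for 1:N sampled export, used to scale counters back up.
    """
    rates = defaultdict(float)
    for when, dst, proto, octets in flows:
        addr = ipaddress.ip_address(dst)
        prefix = next((p for p in PREFIXES if addr in p), None)
        if prefix is None:
            continue   # destination outside the monitored prefixes
        key = (when // INTERVAL, str(prefix), proto)
        rates[key] += octets * 8 * sampling / INTERVAL
    return rates

def detect(rates, min_history=3):
    """Return buckets whose rate exceeds FACTOR x the median of earlier buckets."""
    history = defaultdict(list)
    alerts = []
    for (bucket, prefix, proto), bps in sorted(rates.items()):
        past = history[(prefix, proto)]
        if len(past) >= min_history and bps > FACTOR * median(past):
            alerts.append((bucket, prefix, proto, bps))
        else:
            past.append(bps)   # anomalous buckets never feed the baseline
    return alerts

def sample_flows():
    """Constructed flows: steady TCP, UDP jumping 8x in the fifth minute."""
    flows = []
    for b in range(5):
        flows.append((b * 60 + 5, "203.0.113.10", 6, 7_500_000))
        flows.append((b * 60 + 20, "203.0.113.10", 17,
                      750_000 if b < 4 else 6_000_000))
    return flows

if __name__ == "__main__":
    print(detect(bucketise(sample_flows())))
```

Keeping flagged buckets out of the history stops a sustained flood from raising its own baseline and silencing later alerts.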

Conclusion: From Blind Spots to Full Visibility

For an ISP operating in a competitive environment, network blind spots are a liability. NetFlow transforms your routers from passive packet forwarders into rich data sources — giving you the subscriber-level, protocol-level, and destination-level visibility you need to manage capacity, enforce policies, and respond to threats.

When combined with a platform like ISPbills that ties flow insights directly to subscriber accounts, billing data, and RADIUS sessions, operators gain a level of operational clarity that simply is not possible with SNMP graphs and manual checks alone. The result is faster incident response, more accurate billing, and a network that scales confidently.
