The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

cflowd: Traffic Flow Analysis Tool

cflowd is a flow analysis tool that was used for analyzing Cisco's NetFlow enabled switching method. The current release (described below) includes the collections, storage, and basic analysis modules for cflowd and for arts++ libraries. This analysis package permits data collection and analysis by ISPs and network engineers in support of capacity planning, trends analysis, and characterization of workloads in a network service provider environment. Other areas where cflowd may prove useful include usage tracking for Web hosting, accounting and billing, network planning and analysis, network monitoring, developing user profiles, data warehousing and mining, as well as security-related investigations.

As of 2004, cflowd is no longer supported by CAIDA. Instead, please consider the use of flow-tools, which will provide a toolset for working with NetFlow data. flow-tools can also be used (like cflowd) in conjunction with FlowScan, maintained by Dave Plonka at the University of Wisconsin, Madison.

Changes from 1.3b2 to 2.0

  • cflowd has been completely redesigned and reimplemented for the 2.0 release.
  • Added support for v1 flow-export.
  • All tables are now per input interface.
  • New tabular data: port matrix, interface matrix, nexthop table. The old port table has been replaced by the more granular port matrix.
  • A new cflowdmux process which permits access to raw flow packets.
  • A fully functional central collector is now included (cfdcollect). This allows you to archive time-series tabular data from multiple instances of cflowd.
  • All counters are 64 bits.
  • New filtering code is significantly faster; flowdump benefits from the increased performance.
  • Local clients (cfdases, cfdnets, et. al.) will show the time interval for current data.
  • Local clients can show pkts/sec and bits/sec in addition to packet and byte counters.
  • Added manpages.
  • mmap() is gone for the tabular data; local clients connect to a UNIX domain socket to view current data. This removed a lot of code complexity.


The cflowd system contains four major components:
  • cflowdmux
    This is the program that acts as the receiver of flow-export data from one or more Cisco routers. It writes raw packets into shared memory, and permits clients to have access to raw flow data. An example client (flowwatch) is included.
  • cflowd
    cflowd takes data from raw flows (collected by cflowdmux) and creates tabular summaries of traffic data (AS matrix, net matrix, port matrix, interface matrix, nexthop table and protocol table). It also acts as a server of tabular data to cfdcollect.
  • cfdcollect
    This is a central collector which collects data from instances of cflowd. It is used to archive the tabular data at regular intervals, producing time-series data for each of the tabular data types. The archived data may be processed with arts++.
  • utilities
    There are a handful of utilities included in the package which may be used to examine data on the host(s) where cflowd is running.


cflowd requires the arts++ package. You should download and install arts++ before downloading and building cflowd. cflowd needs header files and libraries from the arts++ package, and the arts++ package contains the C++ library for handling the data stored by cfdcollect (as well as a handful of utilities for aggregating and viewing the data).


  • arts++
    arts++ is required by cflowd.
  • cflowd
    The latest release (currently in alpha state).

Other Documents

Related Objects

See to explore related objects to this document in the CAIDA Resource Catalog.
Last Modified