After releasing Fl0wer 1.5 and upon finishing the Fl0wer 1.6 version, I wanted to take a little break to do some thinking (that's the reason for such a long delay).

When I started development of Fl0wer, it was the beginning of 2015 (I've been working on it for almost 4 years, happy birthday!) and before jumping into the development of such a complex project, I obviously evaluated what was available both on the free market and on the commercial side. I had already started an open-source Netflow collector called Neye in 2004 (in my spare time, when I was a Sun Microsystems Professional Services employee), mostly as a divulgative project, and I knew the complexity of the topic.

As a freelance senior UNIX/Linux & Networking engineer and subject matter expert, I was asked by a customer to provide consultancy on Netflow technologies, so I made a market analysis to understand what could be practically used by a company to monitor their traffic without investing a gazillion of money, possibly capable of integrating with big-data and third-party platforms.

Well, after that market analysis, Netflow and IPFIX technologies seemed to me like the Unfinished Symphony of Schubert!

Extremely useful information that is literally wasted by software written just for curiosity/hobby (open-source, even from Universities) or for pure manager eye-candy (business). My thought has been: "It is pure madness, it's just like people are not getting the real value of the information they can have available at their fingertips!"

So, more than 20 years after Netflow's inception, I rolled up my sleeves and decided to start writing Fl0wer to try to give people a real tool that they can use in their daily work to keep networks up & running smoothly and possibly safe from cyber-criminals. I refreshed my C language skills and studied Python since I wanted to follow the UNIX philosophy:

"Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface."

The idea was clear: a simple and amazingly fast & portable collector/analyzer written in C language exposing a RESTful interface with all open-source CLI and GUI written in Python using Tkinter (yeah, simple, compact and portable!).

So all the work started, with countless days & nights working on it (and a lot more to come!).

And after 4 years of hard work, dealing with problems of all kinds, Fl0wer 1.6 is an excellent result and a product with which I'm very satisfied, but like all creators, I'm always working to improve it, using it daily and trying to put myself in the customer's shoes. People and customers never have the time to give you feedback (except bad feedback), but as always, a good way to try to understand what can be improved is to look at what others are doing, so I started a new market analysis like I did at the beginning in 2015. And things have not improved at all; on the contrary, they have worsened.

From my point of view, today's Netflow/IPFIX solutions are:
- useless (they don't bring added value to those who really need this information, who typically are not managers but technicians)
- costly (the business ones)
- badly designed (the free ones, with architectures & dependencies that would drive mad even the most adventurous DevOps)

And today I want to share what I have seen while evaluating a couple of so-called "trending" products in the Netflow/IPFIX arena. I will not name names, but one is a your-choice cloud/on-premise solution and the other one is a SIEM from a 3-letter hardware/software giant (yeah, you guessed it).

The cloud/on-premise solution required just a few steps of registration and configuration of my border router to export flows in the clear over the Internet to their cloud.
I tried to play the "lazy systems engineer that doesn't care about the security and sends everything off" role, but really, this idea scares me.

Anyway, the "cloud solution" is getting the flows from my border router and makes really eye-candy time-series charts, but trying to get any kind of INSIGHT on the data, well, no, it doesn't. Simply no.
It shows me who my top talkers are, who I'm talking with, it shows some TCP/UDP port usage and stop. I honestly didn't try the Detection Policies and Features, but if the situation is what I've seen with the basis of the information, I'm not expecting miracles. Fortunately this is a free offer for up to 1 million flows per day (at home with Fl0wer I make an average of 30 million flows per day, but ok, I'm a nerd and that is expected), but the on-premise product (which should not suffer from sending your network flows over the Internet in clear text) has a cost of 7500$ per year. 7500$ per year. For some nice charts. 7500$ per year. In the clear, over the Internet. Oooook, next one please.

In the meantime, I read the documentation of the 3-letter giant on how to install their flagship solution "community edition". A minimal CentOS 7.3 with SELinux disabled (cough cough) is required to run, so I fired up VirtualBox (too lazy to start up my OpenNebula infrastructure), created the VM, installed CentOS 7.3, configured the network, ran yum update to install the latest fixes, disabled SELinux, rebooted, mounted the 3Gb ISO image with the product and ran setup. A quick ls on the ISO revealed a ton of RPMs regarding Perl, Java, PostgreSQL and other stuff. I really didn't want to see what it was doing, it was just to try it. It started installing stuff like a monkey, yum updating, and after 2 hours it is still showing the message:
"Preparing system: user java postgresql dirs elxocmcore nfs"
and it is probably stuck somewhere thanks to systemd (sigh). On a dual Xeon X5670 with 24Gb of RAM, an 8Gb VM is starving. From one of the largest multimillion companies, it fails at install (later, I discovered that no, you don't have to patch it, it should do it by itself). Ooook.

I'm too tired right now, I'll try to play with it in the next few days, but what I've seen in quasi-2020 is that, using other products, you are right, you are getting no value for your time and money from Netflow and IPFIX technologies, and that's it. And that's a pity.

Feel free to try the evaluation version, or do you prefer sticking with the overpriced, closed & '90s-style products already on the market?

Available NOW at