Before starting the development of Fl0wer, I weighed several considerations. I chose the Netflow and IPFIX protocols for several reasons, and here is why:

  • Netflow and IPFIX are very compact protocols. In a few bytes of information you can know that a certain type of conversation happened on your network. Taking a raw dump of the whole conversation could take from Megabytes to Terabytes and more (imagine the copy of a file over NFS or a large backup). Obviously, with the raw dump you can know every bit of what really happened, but let's face it: how often do you need it? Sniffing traffic is priceless when there are problems, but normally, is it what you really need? To have a distributed view of your network you would need several terabytes of storage per day, a rotation scheme for it, and custom sniffers all around your network (which also means several single points of failure). That is rather costly and, on average, inadequate, although there can be cases where you should go this way. With Netflow/IPFIX you can track your whole network at a far lower price in storage per day and in network appliance deployment.
  • Netflow and IPFIX don't violate your users' privacy. Well, at least not with regard to their traffic content. Knowing that an IP talked to another IP using a certain port and protocol from a certain time to a certain time and transferred (or did not transfer) x bytes and y packets can be a good compromise regarding privacy. It's like the phone bill: you know who talked with whom, when and for how long, but you don't know what they talked about (although with Netflow you can have an idea).
  • Netflow is external to your targets: you can obviously install Netflow exporter software such as softflowd on the systems you want to monitor, but if you have a router/UTM/Firewall/Switch/Virtualization Solution that supports Netflow or IPFIX, then even if the host you monitor is compromised, you will still have its network traces, since the tracking device is external to the host and the attacker does not even know that he is being traced (unless you leave it with its default login credentials, but that's another sad story). What does this mean? It means that, at least at the network level, you know whom the compromised host talked with. And if you need to do forensic analysis on it, you have at least something to start with.
  • Probably in the biggest companies a lot of security policies are already enforced, but in 2017 there are still people using telnet over the Internet, people who send and receive mail without encryption over "Free access" (and untrustworthy) wifi access points, people who open Windows shares over the Internet to work with other people, and too few security consultants they can ask (and they'll probably never ask, since they don't even know that their behaviour is totally unsafe).
  • The more pervasive the Internet gets around us (think of it 20 years ago!), the more data transfers (fortunately) are getting encrypted, and DPI (Deep Packet Inspection) will lose more and more of its "added" benefits (unless you have enough computing power to decrypt strong encryption in real time). So, if you can't see what's inside the packet, where is the added value of DPI? What will happen in the near future? Reputation will be more and more pervasive, like it is today for most things. Certification Authorities, shamefully, made a fortune with this. Shamefully, since the way this trust is managed is obscene (go and see the Symantec vs. Google story). But reputation for IP addresses is already a reality. Go and check out the blacklists at Alienvault OTX, FireHol or Abuse.ch. Or go and see what a lot of $bigname Firewall appliance vendors are selling: subscription plans to so-called "Security Intelligence" features of their UTM or big iron devices, which (besides other things) obviously include this kind of technology (which you can deploy on Fl0wer for free with a bit of clever unix scripting).

Just my 2 cents.
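
To make the "few bytes" and IP reputation points concrete, here is an added example (not Fl0wer's code and not from the original post) that decodes a NetFlow v5 export datagram, whose flow records are a fixed 48 bytes each, and flags flows that touch a blocklisted network. The choice of v5, the function names, the sample datagram and the one-entry blocklist are assumptions constructed for illustration, using documentation address ranges.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime_ms, unix_secs = HEADER.unpack_from(datagram)[:4]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    boot = unix_secs - uptime_ms / 1000.0   # exporter boot time, epoch seconds
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": ipaddress.ip_address(f[0]), "dst": ipaddress.ip_address(f[1]),
            "packets": f[5], "bytes": f[6],
            "start": boot + f[7] / 1000.0, "end": boot + f[8] / 1000.0,
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return flows

def flag_flows(flows, blocklist):
    """Return flows where either endpoint falls inside a blocklisted network."""
    nets = [ipaddress.ip_network(n) for n in blocklist]
    return [f for f in flows
            if any(f["src"] in n or f["dst"] in n for n in nets)]

def build_sample():
    """Constructed datagram: two flows, documentation-range addresses."""
    def rec(src, dst, pkts, octets, first, last, sport, dport, proto):
        return RECORD.pack(ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed, bytes(4), 1, 2, pkts, octets,
                           first, last, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    body = (rec("192.0.2.10", "198.51.100.7", 12, 4096, 60000, 61500, 51544, 443, 6) +
            rec("192.0.2.11", "203.0.113.99", 3, 180, 62000, 62010, 40000, 23, 6))
    return HEADER.pack(5, 2, 120000, 1500000000, 0, 1, 0, 0, 0) + body

SAMPLE_BLOCKLIST = ["203.0.113.0/24"]   # constructed; a real feed would be loaded from a file

if __name__ == "__main__":
    for f in flag_flows(parse_v5(build_sample()), SAMPLE_BLOCKLIST):
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"proto={f['proto']} bytes={f['bytes']} packets={f['packets']}")
```

The whole sample datagram is 120 bytes for two conversations, regardless of how much payload those conversations carried.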