NetFlow Anomaly Detection

v20260317

analyzing-network-flow-data-with-netflow

Parses NetFlow v9/IPFIX data with Python's netflow library, builds traffic baselines, and applies statistical checks to flag volumetric spikes, port scans, data exfiltration, or C2 beaconing before producing a prioritized findings report.

NetFlow Anomaly Detection Cybersecurity Network Security Python Traffic Analysis Threat Hunting

Get Skill

472 downloads

Overview

Instructions

Install dependencies: pip install netflow
Collect NetFlow/IPFIX data from routers or use the built-in collector: python -m netflow.collector -p 9995
Parse captured flow data using netflow.parse_packet().
Analyze flows for:
- Port scanning: single source to many destinations on same port
- Data exfiltration: high byte-count outbound flows to unusual destinations
- C2 beaconing: periodic connections with consistent intervals
- Volumetric anomalies: traffic spikes beyond baseline thresholds
Generate a prioritized findings report.

python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json

Examples

Parse NetFlow v9 Packet

import netflow
data, _ = netflow.parse_packet(raw_bytes, templates={})
for flow in data.flows:
    print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)

Info

Category Development

Name analyzing-network-flow-data-with-netflow

Version v20260317

Size 8.4KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18