

NetFlow Destination

The NetFlow Destination forwards NetFlow v5 and v9 UDP traffic, and nothing else, to NetFlow collectors. It relies on the __netflowRaw field that a Cribl Edge NetFlow Source generates: the raw NetFlow export held in that field is sent directly, unmodified, to the configured NetFlow collector(s). Events without __netflowRaw are discarded.

Type: Non-Streaming | TLS Support: No | PQ Support: Yes

Requirements

  • Enable pass-through: The NetFlow Source must have Enable pass-through toggled on to generate events containing __netflowRaw.
  • Routing: Ensure only events with __netflowRaw are routed to the NetFlow Destination, for example by filtering the Route on that field. Any other event that reaches this Destination is discarded.

Raw Forwarding

For both NetFlow v5 and v9, Cribl Edge:

  • Can forward NetFlow packets to other NetFlow collectors, but cannot modify the contents of the incoming packet: the NetFlow export payload (header and flow records) is forwarded exactly as it was received. The original IP and UDP transport headers are not preserved, so the datagram that arrives at the collector is not a byte-for-byte copy of the original network packet. In particular, the collector sees the forwarding Node's IP address as the sender rather than the Exporter's, so a collector that identifies exporters by source address will attribute every forwarded flow to the Node. (Source IP spoofing, described under Advanced Settings, exists to restore the original source address, but it is not available on Cribl Edge Nodes.)
  • Only routes NetFlow packets from upstream Exporters and cannot generate its own NetFlow packets.
  • Cannot send non-NetFlow input data to NetFlow collectors.
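To make the forwarding rules above concrete, here is an added Python model, written for this page rather than taken from Cribl Edge, of what the Destination does with three constructed events. It builds a NetFlow v5 export, applies the gate the Requirements ask for (only events whose __netflowRaw holds a v5 or v9 export pass), and returns the datagram the collector would receive. The Node and collector addresses, the "ip:port" layout of __srcIpPort and the sample events are assumptions.

```python
"""Added model of the NetFlow Destination's raw forwarding (example code, not Cribl's).
All addresses, events and the "ip:port" layout of __srcIpPort are assumptions."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

NETFLOW_PORT = 2055
V5_HEADER = "!HHIIIIBBH"                 # 24 bytes
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"    # 48 bytes


def build_netflow_v5(unix_secs: int, flows: list[tuple[str, str, int, int]]) -> bytes:
    """Constructed v5 export: header plus one TCP record per (src, dst, sport, dport).
    Fields irrelevant to the demo (uptime, sequence, AS numbers) are left zero."""
    header = struct.pack(V5_HEADER, 5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    records = b"".join(
        struct.pack(
            V5_RECORD,
            socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
            0, 0,            # input/output interface index
            1, 64,           # packets, octets
            0, 0,            # first/last uptime
            sport, dport,
            0, 0x02, 6, 0,   # pad, TCP flags (SYN), protocol TCP, ToS
            0, 0,            # src/dst AS
            24, 24, 0,       # src/dst mask, pad
        )
        for src, dst, sport, dport in flows
    )
    return header + records


@dataclass(frozen=True)
class ExportHeader:
    version: int
    count: int


def parse_header(payload: bytes) -> ExportHeader | None:
    """Version and record count of a v5/v9 export, or None if it is neither.
    Both versions begin with a 16-bit version and a 16-bit count."""
    if len(payload) < 4:
        return None
    version, count = struct.unpack_from("!HH", payload, 0)
    return ExportHeader(version, count) if version in (5, 9) else None


def accept_for_netflow_destination(event: dict) -> bool:
    """The Route filter the Requirements call for: only events whose
    __netflowRaw holds a v5/v9 export reach the Destination."""
    raw = event.get("__netflowRaw")
    return isinstance(raw, (bytes, bytearray)) and parse_header(raw) is not None


@dataclass(frozen=True)
class Datagram:
    src: tuple[str, int]      # the UDP source the collector will see
    dst: tuple[str, int]
    payload: bytes


NODE_ADDR = ("10.0.0.5", 40000)               # assumed Edge Node socket
COLLECTOR = ("198.51.100.7", NETFLOW_PORT)    # assumed collector


def forward(event: dict) -> Datagram | None:
    """Raw forwarding: the export goes out byte-for-byte, but from the Node's own
    socket, so the exporter's IP/UDP headers are not carried along."""
    if not accept_for_netflow_destination(event):
        return None                            # discarded
    return Datagram(NODE_ADDR, COLLECTOR, bytes(event["__netflowRaw"]))


SAMPLE_EXPORT = build_netflow_v5(1700000000, [("10.1.1.1", "10.2.2.2", 44321, 443)])
EVENTS = [  # constructed: a pass-through NetFlow event, a v10 (IPFIX) packet, a syslog line
    {"__netflowRaw": SAMPLE_EXPORT, "__srcIpPort": "192.0.2.10:51000", "srcAddr": "10.1.1.1"},
    {"__netflowRaw": b"\x00\x0a\x00\x10" + bytes(12), "__srcIpPort": "192.0.2.11:4739"},
    {"_raw": "<13>host sshd: Accepted publickey for ops", "__srcIpPort": "192.0.2.20:514"},
]


def demo() -> list[Datagram | None]:
    return [forward(e) for e in EVENTS]


if __name__ == "__main__":
    for event, out in zip(EVENTS, demo()):
        if out is None:
            print("discarded event from", event["__srcIpPort"])
        else:
            hdr = parse_header(out.payload)
            print(f"v{hdr.version} export, {hdr.count} record(s), {len(out.payload)} bytes ->"
                  f" {out.dst}; collector sees {out.src}, exporter was {event['__srcIpPort']}")
```

Run it and the first event is forwarded with a payload identical to SAMPLE_EXPORT but from NODE_ADDR, which is the only view of the sender the collector gets; the IPFIX and syslog events are discarded. Only the two-byte version field is inspected, which is enough for the routing decision but is not a validation of the flow records themselves.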

Beyond Raw Forwarding

While the NetFlow Destination relies solely on __netflowRaw, other fields such as srcAddr and packets generated by the NetFlow Source are used for:

  • Non-NetFlow Destinations: Providing structured, human-readable data for systems like Splunk or Amazon S3.
  • Analytics: Supporting filtering, enrichment, and aggregation within Cribl Edge.
  • Internal processing: Enabling Pipeline logic and routing decisions.
  • Validation: Assisting in debugging and verifying parsed NetFlow data.

Configure a NetFlow Destination

  1. On the top bar, select Products, and then select Cribl Edge. Under Fleets, select a Fleet. Next, you have two options:
    • To configure via QuickConnect, navigate to Routing > QuickConnect (Stream) or Collect (Edge). Select Add Destination and select the Destination you want from the list, choosing either Select Existing or Add New.
    • To configure via Routes, select Data > Destinations or More > Destinations (Edge). Select the Destination you want. Next, select Add Destination.
  2. In the New Destination modal, configure the following under General Settings:
    • Output ID: Enter a unique name to identify this NetFlow definition. If you clone this Destination, Cribl Edge will add -CLONE to the original Output ID.
    • Description: Optionally, enter a description.
    • NetFlow Destinations: Add the downstream NetFlow collectors to which Cribl Edge should send data.
      • Address: Hostname or IP address of the NetFlow collector.
      • Port: Port number to connect to on the NetFlow collector. Defaults to 2055, which is the standard port for NetFlow traffic.
  3. Next, you can configure the following Optional Settings:
    • Tags: Optionally, add tags that you can use to filter and group Destinations on the Destinations page. These tags aren’t added to processed events. Use a tab or hard return between (arbitrary) tag names.
  4. Optionally, you can adjust the Processing and Advanced settings outlined in the sections below.
  5. Select Save, then Commit & Deploy.

Processing Settings

Post-Processing

Pipeline: Pipeline or Pack to process data before sending the data out using this output.

Advanced Settings

DNS resolution period (sec): Re-resolve the collector hostnames every this many seconds and pick up any changed addresses from the DNS records. Defaults to 0, which means every datagram sent incurs a DNS lookup. A non-zero value improves performance but can reduce overall reliability if the DNS records for the downstream NetFlow collectors change frequently.

Enable Source IP spoofing: This feature is available only for on-prem or hybrid Worker Groups (not available in Cribl.Cloud or on Cribl Edge Nodes). Toggle on to use the event Source IP and port for outgoing UDP packets.

This setting preserves the event's original source IP address and port, taken from the internal __srcIpPort field, instead of using the Worker Process's own IP. It is useful when sending data to systems that rely on the source IP to identify the original sender. For the prerequisites, see udp-sender Helper Installation and Setup.

Maximum transmission unit (MTU): Displayed when Enable Source IP spoofing is enabled. Sets the largest NetFlow export, in bytes, that will be sent as a single datagram. Defaults to 1500. To avoid packet fragmentation, keep this value less than or equal to the MTU configured for udp-sender, but make sure it is large enough for an export to fit in one packet: an export longer than this value is not fragmented, the packet is dropped.
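As an added example (not Cribl's code) of the two outcomes the spoofing settings produce, the following Python models the per-event decision: use the exporter address from __srcIpPort as the UDP source, or drop the export when it is longer than the MTU. The "ip:port" layout of __srcIpPort and the sample exports are assumptions.

```python
"""Added model of the per-event decision when Source IP spoofing is on
(example code, not Cribl's). Assumes __srcIpPort is an "ip:port" string."""
from __future__ import annotations

from dataclasses import dataclass

DEFAULT_MTU = 1500


@dataclass(frozen=True)
class SpoofedSend:
    src_ip: str       # the original exporter, taken from __srcIpPort
    src_port: int
    payload: bytes


def parse_src_ip_port(value: str) -> tuple[str, int]:
    """Split "ip:port" on the last colon (an assumption about the field's layout)."""
    ip, port = value.rsplit(":", 1)
    return ip, int(port)


def plan_spoofed_send(event: dict, mtu: int = DEFAULT_MTU) -> SpoofedSend | None:
    """What udp-sender would be asked to emit, or None when the event is discarded
    (no __netflowRaw) or dropped (export longer than the MTU)."""
    raw = event.get("__netflowRaw")
    if raw is None:
        return None
    if len(raw) > mtu:
        return None           # not fragmented: the whole export is dropped
    ip, port = parse_src_ip_port(event["__srcIpPort"])
    return SpoofedSend(ip, port, bytes(raw))


# Constructed exports: a 72-byte v5 export with one record, and a v9 export
# padded to 1600 bytes, i.e. larger than the default MTU.
SMALL_EXPORT = b"\x00\x05\x00\x01" + bytes(68)
JUMBO_EXPORT = b"\x00\x09\x00\x1e" + bytes(1596)
EXPORTER_EVENT = {"__netflowRaw": SMALL_EXPORT, "__srcIpPort": "192.0.2.10:51000"}
JUMBO_EVENT = {"__netflowRaw": JUMBO_EXPORT, "__srcIpPort": "192.0.2.10:51000"}
SYSLOG_EVENT = {"_raw": "<13>host sshd: session opened", "__srcIpPort": "192.0.2.20:514"}


def outcomes(mtu: int = DEFAULT_MTU) -> dict[str, SpoofedSend | None]:
    return {
        "small": plan_spoofed_send(EXPORTER_EVENT, mtu),
        "jumbo": plan_spoofed_send(JUMBO_EVENT, mtu),
        "no_raw": plan_spoofed_send(SYSLOG_EVENT, mtu),
    }


if __name__ == "__main__":
    for name, plan in outcomes().items():
        print(name, "dropped" if plan is None
              else f"sent from {plan.src_ip}:{plan.src_port}, {len(plan.payload)} bytes")
    print("jumbo with MTU 9000 sent:", outcomes(9000)["jumbo"] is not None)
```

With the default MTU the 1600-byte v9 export is silently lost, which is the symptom to look for when a collector receives fewer flows from a spoofing Worker than the exporter sent; raising the MTU only helps if the path to the collector really carries datagrams that large.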

Environment: If you’re using GitOps, optionally use this field to specify a single Git branch on which to enable this configuration. If empty, the config will be enabled everywhere.

udp-sender Helper Installation and Setup

Enabling IP spoofing requires creating raw network sockets, which demands elevated system privileges. To keep that privilege out of the Worker Process and maintain the Cribl Stream security model, the operation is isolated in a dedicated helper program that holds only the CAP_NET_RAW capability. IP spoofing is not available on Cribl Edge.

To enable IP spoofing, complete the following installation and privilege configuration steps on every Worker Node:

  1. Download the udp-sender helper binary. The source code and releases are available on the public GitHub repository: https://github.com/criblio/udp-sender/.

  2. Install the executable binary at the required path: /usr/bin/udp-sender

  3. Set permissions: A system administrator with root access must grant the binary the Linux capability CAP_NET_RAW, which allows the helper to construct and send raw network packets. Use the following command to set the capability, then confirm it with getcap /usr/bin/udp-sender. Keep the file owned by root and not writable by the cribl user, so that the capability only ever applies to the helper you installed:

    sudo setcap 'cap_net_raw+eip' /usr/bin/udp-sender

  4. If you are using package installers, the installation script automatically creates a udp-senders group and sets the capability on the binary with setcap. You still need to add the cribl user to that group yourself.

If the udp-sender helper fails to start (for example, due to missing permissions), the Destination will enter into an error state. Check the Worker Process logs for an error message indicating a failure to create a raw socket, which confirms the CAP_NET_RAW capability has not been correctly applied to the /usr/bin/udp-sender file.

For additional technical details on the binary’s function and installation, consult the README in the public GitHub repository.
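The following added Python script, written for this page and not part of Cribl or udp-sender, is a preflight check you can run on a Worker Node before enabling spoofing. It verifies the binary's path, ownership, write permissions and file capability, decoding the security.capability extended attribute that setcap writes (the Linux vfs_cap_data revision 2 or 3 layout) to confirm CAP_NET_RAW is both permitted and effective, and checks the cribl user's membership in udp-senders when that group exists. The path, user and group names follow the steps above; the sample capability blob is constructed.

```python
"""Added preflight check for the udp-sender helper (example code, not Cribl's).
Path, user and group come from the installation steps; everything else is
the Linux file-capability format that setcap writes."""
from __future__ import annotations

import grp
import os
import pwd
import stat
import struct

HELPER_PATH = "/usr/bin/udp-sender"
HELPER_GROUP = "udp-senders"          # created by the package installer
CRIBL_USER = "cribl"
CAP_NET_RAW = 13
VFS_CAP_FLAGS_EFFECTIVE = 0x1
VFS_CAP_REVISION_MASK = 0xFF000000
SUPPORTED_REVISIONS = (0x02000000, 0x03000000)   # v3 appends a rootid after the bitmaps


def decode_vfs_caps(blob: bytes) -> tuple[set[int], bool]:
    """Decode security.capability: (permitted capability numbers, effective flag).
    Layout: le32 magic_etc, then {permitted, inheritable} for caps 0-31 and 32-63."""
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    if magic_etc & VFS_CAP_REVISION_MASK not in SUPPORTED_REVISIONS:
        raise ValueError(f"unsupported vfs_cap_data revision {magic_etc:#x}")
    perm_lo, _inh_lo, perm_hi, _inh_hi = struct.unpack_from("<IIII", blob, 4)
    permitted = perm_lo | (perm_hi << 32)
    return {bit for bit in range(64) if permitted >> bit & 1}, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)


def encode_vfs_caps(caps: set[int], effective: bool) -> bytes:
    """Inverse of decode_vfs_caps for a revision-2 value with caps in
    permitted and inheritable, i.e. what `setcap '...+eip'` produces."""
    bits = sum(1 << c for c in caps)
    magic = 0x02000000 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, bits & 0xFFFFFFFF, bits & 0xFFFFFFFF, bits >> 32, bits >> 32)


SAMPLE_CAP_BLOB = encode_vfs_caps({CAP_NET_RAW}, effective=True)   # constructed: cap_net_raw+eip


def check_udp_sender(path: str = HELPER_PATH, user: str = CRIBL_USER, group: str = HELPER_GROUP) -> list[str]:
    """Return a list of problems; an empty list means the helper is ready."""
    problems: list[str] = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} is missing: install the udp-sender binary there"]
    if st.st_uid != 0:
        problems.append(f"{path} is owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path} is group- or world-writable ({stat.filemode(st.st_mode)})")
    if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append(f"{path} is not executable ({stat.filemode(st.st_mode)})")
    try:
        caps, effective = decode_vfs_caps(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):          # no such xattr, or not Linux
        caps, effective = set(), False
    if CAP_NET_RAW not in caps or not effective:
        problems.append(f"cap_net_raw is not permitted+effective on {path}: "
                        f"run sudo setcap 'cap_net_raw+eip' {path}")
    try:                                       # the group only exists after a package install
        gid = grp.getgrnam(group).gr_gid
        pw = pwd.getpwnam(user)
        if pw.pw_gid != gid and user not in grp.getgrgid(gid).gr_mem:
            problems.append(f"user {user} is not a member of group {group}")
    except KeyError:
        pass                                   # no such group or user on this host
    return problems


if __name__ == "__main__":
    for line in check_udp_sender() or ["udp-sender looks ready"]:
        print(line)
```

A non-empty list names what to fix; the capability finding is the same condition behind the raw-socket failure the Worker Process log reports when the Destination enters its error state.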

Internal Fields

The NetFlow Destination forwards the __netflowRaw field that a Cribl Edge NetFlow Source generates to downstream NetFlow collectors. When Enable Source IP spoofing is on, it also reads __srcIpPort to set the source IP address and port of the outgoing datagram.

Troubleshooting

The Destination’s configuration modal has helpful tabs for troubleshooting:

Live Data: Try capturing live data to see real-time events as they flow through the Destination. On the Live Data tab, click Start Capture to begin viewing real-time data.

Logs: Review and search the logs that provide detailed information about the delivery process, including any errors or warnings that may have occurred.

Test: Ensures that the Destination is correctly set up and reachable. Verify that sample events are sent correctly by clicking Run Test.

You can also view the Monitoring page that provides a comprehensive overview of data volume and rate, helping you identify delivery issues. Analyze the graphs showing events and bytes in/out over time.