Traffic Analytics (NetFlow / IPFIX)
Sentinel Nerd ingests NetFlow v5, v9, and IPFIX (v10) from UniFi gateways (UDM, USG) to give you per-flow visibility — the traffic side of your network, not just the events.
What You Get
- Top talkers — sort by bytes or packets, grouped by source IP, destination IP, or source → destination pair
- Protocol breakdown — how much TCP, UDP, ICMP, GRE, etc. traversed the network over any window
- Per-flow table — sortable by bytes, packets, or time, with reverse-DNS enrichment (e.g. 1.1.1.1 → one.one.one.one)
- Device attribution — every flow is labeled with the exporter (gateway) that produced it
How Aggregation Works
Raw flow records arrive at a high rate (potentially thousands per second on a busy network). Storing every record would explode your index. Sentinel aggregates flows into 60-second tumbling windows keyed on the canonical 5-tuple plus the exporter address:
Key: (src_ip, dst_ip, src_port, dst_port, protocol, exporter_ip)
Within a window:
bytes → summed
packets → summed
tcp_flags → OR-merged
first_seen → earliest
last_seen → latest
At window close, one document is written to the flows-YYYY.MM.DD index per unique 5-tuple. A gateway generating 10 000 flows/second that all collapse to 500 unique conversations produces 500 documents per minute — not 600 000.
Reverse-DNS Enrichment
Public-IP flows are enriched with PTR records at window close. Private (RFC 1918, CGNAT, link-local) IPs short-circuit without querying. Lookups are capped at 50 ms per IP and cached for 1 hour to keep the hot path fast.
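The window aggregation and the private-address short-circuit described above, as an added Python example (not Sentinel's own code; the record field names, the flag values and the sample records are constructed):

```python
import ipaddress

WINDOW_SECS = 60
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "exporter_ip")

# Ranges that short-circuit the PTR lookup (RFC 1918, CGNAT, link-local).
NO_LOOKUP = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10", "169.254.0.0/16")]

def needs_ptr_lookup(ip):
    """True only for addresses worth a reverse-DNS query."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NO_LOOKUP)

def aggregate(records, window_secs=WINDOW_SECS):
    """Collapse raw flow records into one document per tumbling window and key:
    bytes/packets summed, tcp_flags OR-merged, first/last_seen min/max."""
    buckets = {}
    for r in records:
        window_start = r["ts"] - r["ts"] % window_secs
        key = (window_start,) + tuple(r[f] for f in KEY_FIELDS)
        doc = buckets.get(key)
        if doc is None:
            doc = {f: r[f] for f in KEY_FIELDS}
            doc.update(window_start=window_start, bytes=0, packets=0, tcp_flags=0,
                       first_seen=r["ts"], last_seen=r["ts"])
            buckets[key] = doc
        doc["bytes"] += r["bytes"]
        doc["packets"] += r["packets"]
        doc["tcp_flags"] |= r.get("tcp_flags", 0)
        doc["first_seen"] = min(doc["first_seen"], r["ts"])
        doc["last_seen"] = max(doc["last_seen"], r["ts"])
    # Emit in window order so a window can be flushed as soon as it closes.
    return sorted(buckets.values(), key=lambda d: (d["window_start"], d["dst_ip"]))

# Constructed sample: three records of one TLS conversation inside the first
# window, one more of it in the next window, and an unrelated DNS query.
def rec(ts, dst_ip, sport, dport, proto, nbytes, pkts, flags=0):
    return {"ts": ts, "src_ip": "10.0.0.5", "dst_ip": dst_ip, "src_port": sport,
            "dst_port": dport, "protocol": proto, "exporter_ip": "10.0.0.1",
            "bytes": nbytes, "packets": pkts, "tcp_flags": flags}

SAMPLE = [
    rec(5, "1.1.1.1", 50000, 443, 6, 1500, 3, 0x02),     # SYN
    rec(30, "1.1.1.1", 50000, 443, 6, 50000, 80, 0x10),  # ACK
    rec(59, "1.1.1.1", 50000, 443, 6, 2802, 4, 0x11),    # FIN|ACK
    rec(61, "1.1.1.1", 50000, 443, 6, 120, 2, 0x10),     # falls in the next window
    rec(12, "8.8.8.8", 40000, 53, 17, 140, 2),           # DNS over UDP
]
```

Running `aggregate(SAMPLE)` yields three documents: the first window's TLS conversation collapses to 54302 bytes / 87 packets with flags 0x13, the DNS query stays separate, and the record at t=61 opens a new window.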
{
"src_ip": "10.0.0.5",
"dst_ip": "1.1.1.1",
"src_hostname": null,
"dst_hostname": "one.one.one.one",
"src_port": 50000,
"dst_port": 443,
"protocol_name": "TCP",
"bytes": 54302,
"packets": 87,
"exporter_ip": "10.0.0.1",
"version": 9
}
Configuring UniFi Export
On your UniFi gateway (UDM-Pro, UDM-SE, USG), enable NetFlow or IPFIX export and point it at your Sentinel collector:
Collector host: <your-sentinel-host>
Collector port: 2055
Protocol: NetFlow v9 (recommended) or IPFIX
Sampling: 1:1 (full fidelity) or 1:N for high-volume networks
Firmware locations
set system flow-accounting).
Enabling the Collector
In your Sentinel configuration:
[netflow]
enabled = true
listen_addr = "0.0.0.0"
listen_port = 2055
aggregation_window_secs = 60
template_cache_size = 1000
[netflow.dns]
enabled = true
timeout_ms = 50
cache_size = 10000
success_ttl_secs = 3600
negative_ttl_secs = 600
Viewing Flows
Open the Flows page in the Sentinel UI to see:
- Time-range selector (last 15m / 1h / 6h / 24h)
- Top-talkers panel with pivot between source, destination, and pair
- Protocol breakdown bar chart
- Per-flow table, sortable, with hostnames
API Access
Flows are queryable via REST. See the Flows API reference for /flows, /flows/top-talkers, and /flows/protocols.
Tune sampling for busy networks