Skip to main content
Version: 2.12.0

Modules Guide

The Modules Guide is a comprehensive technical reference for the intelligence layer of NetFlow Optimizer. While the NFO Engine handles high-performance ingestion, Modules provide the analytical logic required to turn raw telemetry into actionable security and operational insights.

Overview: Modules and Converters

NFO uses a modular architecture to process telemetry. This allows you to enable only the specific intelligence your environment requires, optimizing system resources.

  • Modules: The "brains" of the operation. Modules analyze incoming flow data, apply statistical models, or correlate external context (Threat Intel, User Identity) to generate enriched events.
  • Converters: These work in tandem with modules to format data for specific destinations, ensuring output is perfectly structured for platforms like Splunk, Microsoft Sentinel, or generic JSON/Syslog collectors.

How to Use This Guide

Each module documented in this guide includes the following technical details:

  • Functionality: A detailed explanation of the module's logic and use cases.
  • Configuration Parameters: A reference for tuning thresholds, intervals, and in-memory enrichment databases.
  • Output Fields: A complete schema of fields added to the enriched flow, essential for building SIEM dashboards and detection rules.

Flow Analytics Modules

Primary Modules

📄️ Network Conversations (10062)

Primary module. Bidirectional flow stitching, full enrichment (User ID, Threat Intel, GeoIP), and Cloud Flow Log support. Recommended for security analytics.

📄️ Top Traffic (10067)

Primary module. High-performance consolidation of unidirectional flows for Top N bandwidth reporting. Optimized for high-volume environments.

Which one should I use?

FeatureTop Traffic (10067)Network Conversations (10062)
Primary FunctionConsolidation of unidirectional flows — high-traffic host reportingDetailed bidirectional conversation reporting
Volume ReductionCollection interval, Top N by volume, deduplication, ignore client portsAll Top Traffic options, plus bidirectional stitching, conversation duration, and full enrichment
EnrichmentDNS names onlyApplications, VM names, users, threat reputation
DeduplicationOptionalSame as Top Traffic
Output FormatFixed schemaConfigurable field selection

Recommendation: Use Network Conversations (10062) as your default for security analytics and full visibility. Use Top Traffic (10067) when maximum throughput with minimal processing overhead is the priority, or when bandwidth summary reporting is the primary goal.

Additional Flow Modules

📄️ TCP Health (10060)

Identifies network and application issues by tracking hosts with elevated TCP Reset rates.

📄️ DNS Service (10004)

Monitors DNS server health and performance metrics based on observed traffic.

📄️ DNS Users (10005)

Tracks DNS requestors to identify top users and detect potential data exfiltration patterns.

📄️ CBQoS (10065)

Reports traffic distribution across DSCP bit combinations to validate and audit QoS policies.

📄️ Network Subnets (10011)

Reports top bandwidth consumers organized by monitored subnet for network segmentation visibility.

📄️ Cisco AnyConnect (10567)

Specialized reporting for Cisco AnyConnect NVM flow logs, including logged-in user attribution.

📄️ Services Performance (10017)

Monitors service-level characteristics — latency, response times — at the individual flow level.

📄️ Asset Access (10014)

Matches observed communications against authorized peer lists to surface unauthorized access attempts.

Infrastructure & Device Telemetry (SNMP)

Beyond flow data, NFO includes a dedicated SNMP service for hardware health. These modules provide device-level metrics — CPU/Memory utilization, interface errors and discards — that flow data cannot capture.

📄️ SNMP Information Monitor (10003)

Standard polling of device info, interface status, and health metrics. Enriches flow records with interface names and device context.

📄️ SNMP Custom OID Sets (10103)

Build custom OID sets for vendor-specific hardware polling — temperature sensors, power metrics, proprietary appliances.

📄️ SNMP Traps Monitor (10700)

Passive reception and normalization of hardware alerts into Syslog/JSON events for SIEM forwarding.

📄️ Auto-discovery Reporter (10701)

Reports discovered device inventory, topology connections, and classification changes to your SIEM.

Legacy Modules & Migration Guide

As NFO has evolved, vendor-specific and cloud-specific modules have been consolidated into the Unified Flow Analytics engine. This consolidation provides superior performance, bidirectional stitching, and a standardized data schema across your entire infrastructure.

Migration Path

If you are currently using any of the modules listed below, migrate to Network Conversations Monitor (10062) or Top Traffic Monitor (10067). These primary modules now handle all functionality previously found in specialized collectors.

Detailed specifications for deprecated modules are maintained in the v2.11.2 Documentation Archive.

Legacy / Deprecated Module SetAffected Module IDsRecommended Migration
Network Traffic & Devices10063, 10064, 10066, 10068Top Traffic Monitor (20067)
Amazon AWS VPC Flow Logs10267, 10201Network Conversations (20062)
Microsoft Azure NSG Flow Logs10467, 10401Network Conversations (20062)
Google Cloud VPC Flow Logs10367, 10301Network Conversations (20062)
Cisco ASA Monitoring10018 - 10021Network Conversations (20062)
Palo Alto Networks Monitoring10030 - 10037Network Conversations (20062)
Cisco AVC (App Visibility)10434 - 10435Network Conversations (20062)
VMware / NSX Monitoring10164 - 10167, 10118, 10264Network Conversations (20062)
Email Analytics (Legacy)10025 - 10028Network Conversations (10062)

Why Migrate?

  • Cost Reduction: Eliminates data overlap — deprecated modules often reported the same telemetry in different formats, causing redundant SIEM ingestion.
  • Better Volume Reduction: Modules 10062 and 10067 offer superior deduplication and aggregation compared to legacy sets.
  • Bidirectional Intelligence: Legacy modules reported unidirectional "halves." Network Conversations (10062) stitches them into a single complete record.
  • Unified Schema: Ensures compatibility with the latest NetFlow Logic Apps for Splunk, Microsoft Sentinel, and Elastic.

How to Migrate

  1. Identify: Check your NFO Web UI for modules marked with a Deprecated warning.
  2. Enable Primary: Enable Module 10062 (full enrichment, bidirectional) or Module 10067 (high-volume traffic summaries).
  3. Validate: Confirm the new data is reaching your SIEM and meets your reporting requirements.
  4. Disable Legacy: Disable the legacy module immediately after validation to prevent duplicate data and save system resources.