Skip to main content
Version: 2.12.0

Understanding NFO Processes

NetFlow Optimizer (NFO) uses a modular process architecture to ensure high performance and system stability. Most components use a Parent/Child model: a parent process monitors the service and automatically restarts the child process if it becomes unresponsive.

Core Component Overview

Process NameComponentRole
nfc_svrNFO EngineThe C++ core that receives and processes flows.
jsvc (tomcat)NFO ControllerThe Java-based Web UI and management layer.
jsvc (updater)EDFNThe enrichment engine (Threat feeds, GeoIP, Cloud).
java (hsqldb)DatabaseThe internal configuration and state database.

Linux

On Linux, NFO components run as standard system daemons. You can verify them using the ps command.

1. NFO Engine (nfc_svr)

The core processing engine.

ps -eo pid,ppid,comm | grep nfc_svr

2. NFO Controller (jsvc/tomcat)

Note that you will see two processes. The parent (PID 1 or a low number) monitors the actual Tomcat server process.

ps -eo pid,ppid,args | grep jsvc | grep tomcat

3. EDFN Enrichment (jsvc/updater)

Like the controller, EDFN runs two processes: a watcher and the functional java engine.

ps -eo pid,ppid,args | grep jsvc | grep updater

4. Configuration Database (java/hsqldb)

ps -eo pid,ppid,args | grep java | grep hsqldb

Windows

On Windows, these components run as Services. You can verify them via Task Manager (Details tab) or the Command Prompt.

View All NFO Processes

Run this command in an Administrator Command Prompt to see all core NFO executables:

tasklist /FI "IMAGENAME eq nfc_svr.exe" /FI "IMAGENAME eq tomcat9.exe" /FI "IMAGENAME eq nfi-updater.exe" /FI "IMAGENAME eq java.exe"

What to look for:

  • nfc_svr.exe: NFO Processing Engine.
  • tomcat9.exe: NFO Web Interface/Controller.
  • nfi-updater.exe: External Data Feeder (EDFN).
  • java.exe: Internal HSQLDB Database.

Troubleshooting Process Failures

  • Automatic Restarts: If you kill a child jsvc process, the parent will usually restart it within seconds. To fully stop a service, use the systemctl (Linux) or net stop (Windows) commands described in the [Administration Guide].
  • Zombie Processes: If you see an nfc_svr process but the Status page is unreachable, check the 20048 port connectivity in the Connectivity & Firewalls guide.
  • High Memory Usage: It is normal for nfc_svr and jsvc to reserve significant RAM based on your [Java Heap Settings] and [Flow Cache] configuration.