Asi analyzing-network-flow-data-with-netflow
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/analyzing-network-flow-data-with-netflow" ~/.claude/skills/plurigrid-asi-analyzing-network-flow-data-with-netflow && rm -rf "$T"
manifest:
plugins/asi/skills/analyzing-network-flow-data-with-netflow/SKILL.mdsource content
Analyzing Network Flow Data with Netflow
When to Use
- When investigating security incidents that require analyzing network flow data with netflow
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Familiarity with network security concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Instructions
- Install dependencies:
pip install netflow - Collect NetFlow/IPFIX data from routers or use the built-in collector:
python -m netflow.collector -p 9995 - Parse captured flow data using
.netflow.parse_packet() - Analyze flows for:
- Port scanning: single source to many destinations on same port
- Data exfiltration: high byte-count outbound flows to unusual destinations
- C2 beaconing: periodic connections with consistent intervals
- Volumetric anomalies: traffic spikes beyond baseline thresholds
- Generate a prioritized findings report.
python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json
Examples
Parse NetFlow v9 Packet
import netflow data, _ = netflow.parse_packet(raw_bytes, templates={}) for flow in data.flows: print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)