The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.


Net::Flow - decode and encode NetFlow/IPFIX datagrams.


EXAMPLE#1 - Output Flow Records of NetFlow v5, v9 and IPFIX -

The following script simply outputs the received Flow Records after decoding NetFlow/IPFIX datagrams. It can parse the NetFlow v5, v9 and IPFIX. If it receive NetFlow v9/IPFIX datagrams, several Templates of NetFlow/IPFIX can be kept as ARRAY reference $TemplateArrayRef. By adding it as the input parameter, it can parse the NetFlow/IPFIX datagrams without templates. If it received same Template Id, it is overwritten by new one.

    use Net::Flow qw(decode encode) ;
    use IO::Socket::INET ;
    my $TemplateRef = undef ;

    my $sock = IO::Socket::INET->new( LocalPort=>'9995',
                                  Proto=>'udp' ) ;

    while ($sock->recv($packet,1548)) {

        my (
            = Net::Flow::decode(
                                ) ;

        grep{ print "$_\n" }@{$ErrorsArrayRef} if( @{$ErrorsArrayRef} ) ;

        foreach my $HashRef ( @{$FlowArrayRef} , @{$TemplateArrayRef} ){

            print "\nData Information\n" ;

            foreach my $Key ( keys %{$HashRef}){

                if( ref $HashRef->{$Key} ){

                    foreach my $FieldHashRef ( @{$HashRef->{$Key}} ){

                        printf " Id=%03d Length=%s\n",
                        $FieldHashRef->{Id}, $FieldHashRef->{Length}
                        if $Key eq "Template" ;

                        printf " Id=%03d Value=%s\n",
                        $FieldHashRef->{Id}, unpack("H*",$FieldHashRef->{Value})
                            if $Key eq "Flow" ;



                    print " $Key=$HashRef->{$Key}\n" ;


EXAMPLE#2 - Convert Protocol from NetFlow v5 to NetFlow v9 -

The following script converts NetFlow protocol from NetFlow v5 to NetFlow v9 as converter. At first, it decodes NetFlow v5 datagram. After that, these flow records are encoded into NetFlow v9 according to the particular template which include sampling interval and sampling mode. And they are sent to the next collector.

    use Net::Flow qw(decode encode) ;
    use IO::Socket::INET ;

    my $TemplateRef = undef ;
    my $MyTemplateRef={
        'SetId'        =>0,
        'TemplateId'   =>300,
                     { 'Length' => 4, 'Id' => 8  }, # SRC_ADDR
                     { 'Length' => 4, 'Id' => 12 }, # DST_ADDR
                     { 'Length' => 4, 'Id' => 2  }, # PKTS
                     { 'Length' => 4, 'Id' => 1  }, # BYTES
                     { 'Length' => 2, 'Id' => 7  }, # SRC_PORT
                     { 'Length' => 2, 'Id' => 11 }, # DST_PORT
                     { 'Length' => 1, 'Id' => 4  }, # PROT
                     { 'Length' => 1, 'Id' => 5  }, # TOS
                     { 'Length' => 4, 'Id' => 34 }, # SAMPLING_INT
                     { 'Length' => 1, 'Id' => 35 }, # SAMPLING_ALG
        } ;

    my @MyTemplates = ( $MyTemplateRef ) ;

    my $EncodeHeaderHashRef = {
        'SourceId'    => 0,
        'VersionNum'  => 9,
        'SequenceNum' => 0,
    } ;

    my $r_sock = IO::Socket::INET->new( LocalPort => '9995',
                                       Proto => 'udp') ;

    my $s_sock = IO::Socket::INET->new( PeerAddr => '',
                                       PeerPort => '9995',
                                       Proto => 'udp' ) ;

    while ( $r_sock->recv($packet,1548) ) {

        my $PktsArrayRef = undef ;

        my ( $HeaderHashRef,
            $ErrorsArrayRef )
            = Net::Flow::decode(
                                ) ;
        grep{ print "$_\n" }@{$ErrorsArrayRef} if( @{$ErrorsArrayRef} ) ;

        foreach my $HashRef ( @{$FlowArrayRef} ){

            $HashRef->{"SetId"} = 300 ;
            push( @{$HashRef->{Flow}},
                 {"Id"=>34,"Value"=>pack("N",$HeaderHashRef->{SamplingInterval})} ) ;
            push( @{$HashRef->{Flow}},
                 {"Id"=>35,"Value"=>pack("C",$HeaderHashRef->{SamplingMode})} ) ;


        $EncodeHeaderHashRef->{"SysUpTime"}    = $HeaderHashRef->{"SysUpTime"} ;
        $EncodeHeaderHashRef->{"UnixSecs"}     = $HeaderHashRef->{"UnixSecs"} ;
        $EncodeHeaderHashRef->{"SequenceNum"} += 1 ;

        ( $EncodeHeaderHashRef,
            = Net::Flow::encode(
                                ) ;

        grep{ print "$_\n" }@{$ErrorsArrayRef} if( @{$ErrorsArrayRef} ) ;

        foreach my $Ref (@{$PktsArrayRef}){
            $s_sock->send($$Ref) ;


The Flow module provides the decoding function for NetFlow version 5,9 and IPFIX, and the encoding function for NetFlow version 9 and IPFIX. It supports NetFlow version 9 (RFC3945) and NetFlow version 5 ( and IPFIX(draft-ietf-ipfix-protocol-26.txt). Regretfully, it doesn't provide the full specification of IPFIX, yet. It is future work. You can easily make the Flow Proxy, Protocol Converter and Flow Concentrator by using the combination of both function. And also, You can make the flexible collector which can receive any Templates by using the Storable perl module.


decode method

    ( $HeaderHashRef,
     $ErrorsArrayRef ) =
                          ) ;

It returns a HASH reference containing the NetFlow Header information as $HeaderHashRef. And it returns ARRAY references with the Template and Flow Record (each ARRAY element contains a HASH reference for one Template or Flow Record) as $TemplateArrayRef or $FlowArrayRef. In case of an error a reference to an ARRAY containing the error messages is returned as $ErrorsArrayRef. The returned template ARRAY reference can be input on the next received packet which doesn't contain Template to decode it.

Return Values


A HASH reference containing information in case of IPFIX header, with the following keys:


A HASH reference containing information in case of NetFlow v9 header, with the following keys:


A HASH reference containing information in case of NetFlow v5 header, with the following keys:


All values of above keys are shown as decimal.


This ARRAY reference contains several Templates which are contained input NetFlow payload and input Template ARRAY reference. Each Template is given HASH references. This HASH reference provides Data Template and Option Template, as follows. A HASH reference containing information in case of Data Template, with the following keys:


A HASH reference containing information in case of Option Template, with the following keys:


In case of IPFIX, "OptionScopeLength" and "OptionLength" are omitted.

A HASH reference containing information in case of Withdraw Template Message, with the following keys:


All values for above keys other than "Template" are shown as decimal. The value for "Template" is a ARRAY references. Each ARRAY element contains a HASH reference for one pair of "Id" and "Length". This pair of "Id" and "Length" are shown as Field type. The order of this ARRAY means the order of this Template to decode data. A HASH reference containing information for each field type, with the following keys:


"EnterpriseNum" is given if the value is present in the packets. And also, in case of Withdraw Template Message, this pair of "Id" and "Length" is replaced by the pair of "TemplateId" and "FieldCount".

The values for "Id","Length","TemplateId","FieldCount" are shown as decimal.


This ARRAY reference contains several HASH references for each Flow Record. This HASH reference provides Flow Record for Data Template and Option Template, as follows. A HASH reference containing information, with the following keys:


The values for "SetId" are shown as decimal which means decoded Template Id. The value for "Flow" is a ARRAY references. Each ARRAY element contains a HASH reference for one pair of "Id" and "Value". This pair of "Id" and "Value" are shown as Field type. A HASH reference containing information for each Field type, with the following keys:


The values for "Id" is shown as decimal. The value for "Value" is shown as binary data. It is extracted from NetFlow/IPFIX datagram directly without modification. If one Flow Record has multiple Fields of same type, the value for "Value" become a ARRAY references. In this case, each ARRAY element contains value shown as binary data. The order of this ARRAY means the order of multiple Fields of same type in one Flow Record.

encode method

    ( $HeaderHashRef,
     $ErrorsArrayRef) = 
                       ) ;

Input parameters are same data structure returned from decode function. "$MaxSize" means maximum payload size. This function make several NetFlow payloads without exceeding the maximum size. These values for the input $HeaderHashRef, such as "UnixSecs", "SysUptime","SourceId" and "ObservationDomainId", are used in this method. The other values are ignored. These values for output $HeaderHashRef means header information of the latest IPFIX/NetFlow datagram.

Return Values


This ARRAY reference contains several SCALAR references for each NetFlow datagram which is shown binary. It can be used as UDP datagram.


Atsushi Kobayashi <>


This perl module was supported by the Ministry of Internal Affairs and Communications of Japan.


Copyright (c) 2007 NTT Information Sharing Platform Laboratories

This package is free software and is provided "as is" without express or implied warranty. It may be used, redistributed and/or modified under the terms of the Perl Artistic License (see