Netflow for home router & Linux servers

Fri, 10 Apr 2026 01:50:00 +0530

For the last few weeks, I have been running a NetFlow collector for the home router. This is something I wanted to do for a long time, but I was missing the time to invest. There are a few open source options, and I guess many commercial solutions offering NetFlow, often bundled with other products.

My personal monitoring is 100% open source and presently running Prometheus + Thanos + Node Exporter + Blackbox Exporter + SNMP Exporter + Grafana + Grafana Loki + a few more exporters. So I started looking for open source options which are still under active development and supported.

Two of them are quite popular - Pmacct and Akvorado. Pmacct is extremely advanced, flexible, but at the same time overall complicated to set up (and maintain). Even their quickstart file 3100-line file is full of setup options. On the other hand, Akvorado seems simpler to maintain. Some complications, anyway, are expected with NetFlow because the goal is not just to collect the data but also to have a system to store it, analyse it, map IPs to location/AS numbers, etc., dashboards, etc. It’s a tool developed by French ISP Free, which is part of the Iliad group, which also owns Scaleway.

Setting up Akvorado is easy if you are familiar with Docker. They have a simple 4 command quick-start which deploys all their containers as part of the stack. They deploy a few containers as part of the overall stack.

The big picture page on their demo site documentation covers the overall architecture. I started feeding it data from the home (Mikrotik) router and later also added various Linux servers/VMs I manage for R&D, DNS, as well as to host this blog and other infrastructure. For Linux, I am using Pmacct as an exporter, as Akvorado’s documentation suggests using it in exporter mode and has a sample config which works.

Some data

Now that it’s been running for a few weeks, I can see major sources of data coming to the home. Before jumping to data, it’s important to note that I have regular camera feeds uploading traffic to my server in Mumbai, and some backups, route collector data pull and automated speedtests at home. All these kinds of “pollute” data, and thus, it is more fun to exclude and look for remaining data coming from regular usage by end devices at home. In the setup, I can easily filter data based on srcAS, dstAS, srcIP, dstIP, port, in and out interfaces, etc.

Here’s the data for the last 10 days towards end devices (excluding home server and camera traffic)

While most of ASNs here are expected, but just for the context, Esto AS135817 is one of the upstreams at home (friendly ISP that I reach over a GRE tunnel over an IX from an underlying ISP), and most of the traffic hitting it is actually CDN traffic for Google GGC, Facebook FNA, etc., sitting on their IPs.

What is more fun here are the Sankey graphs, where for a given interval, I can map ANY attribute -> ANY other attribute. e.g., srcAS -> Home Out interfaces or SrcPort -> SrcAS -> Destination IPs, etc.

Here’s the Sankey Graph for SrcPort -> SrcAS -> In Interface at home

On this connection, I get most of Google traffic from Google’s AS directly; however, for a few days, I was on Airtel as primary due to an outage on the underlying ISP and thus could not reach Esto over the tunnel. For those days, traffic patterns were very different. Both Google and Akamai terminated most of the traffic on caching nodes within Airtel.

Traffic profile when running home traffic via Airtel:

Akvorado has support for Grafana, and while their dashboard seems good for usual lookups, I miss a pie chart. Let’s see what the pie chart of the last 10 days’ traffic looks like:

Another fun thing is to look for traffic by Etype for IPv4 Vs IPv6 comparison. Let’s see how much IPv4 Vs IPv6 traffic there is in the last week:

The same logic can be used to have a pie chart, but it has to be in Grafana.

Thus for now 89% of traffic is IPv6 at home. On that note, time to end this post. 😀

Akvorado on Personal blog of Anurag Bhatia

Netflow for home router & Linux servers

Some data