FastNetMon – very fast DDoS analyzer with sflow/netflow/mirror support

Written by Mubassir patel


FastNetMon – A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP).

What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.

Supported packet capture engines:

  • NetFlow v5, v9
  • Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support need license), NETMAP and PCAP

You could look comparison table for all available packet capture engines.


  • Can process incoming and outgoing traffic
  • Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
  • Could announce blocked IPs to BGP router with ExaBGP
  • Have integration with Graphite
  • netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
  • Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode
  • Can work on server/soft-router
  • Can detect DoS/DDoS in 1-2 seconds
  • Tested up to 10GE with 5-6 Mpps on Intel i7 2600 with Intel Nic 82599
  • Complete plugin support
  • Have complete support for most popular attack types

Supported platforms:

  • Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
  • FreeBSD 9, 10, 11
  • Mac OS X Yosemite

What is “flow” in FastNetMon terms? It’s one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.

Main program screen image:


Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load: FastNetMon

Example deployment scheme: FastNetMon

Example of notification email about detected attack.

To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343. To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.

About the author

Mubassir patel

Mubassir is a founder and developer of this site. He is a computer science engineer. He has a very deep interest in ethical hacking, penetration testing, website development and including all technology topic.

Leave a Comment