: Typically a router or switch that observes traffic. It groups packets into flows and exports flow records to a collector.

NetFlow won’t solve every problem. It won’t tell you the exact payload of a suspicious packet. It won’t replace a good NDR (Network Detection and Response) platform.

At its core, NetFlow monitoring is the process of collecting and analyzing "flow" data. A is defined as a unidirectional stream of packets that share specific characteristics—typically a 5-tuple consisting of: Source IP Address Destination IP Address Source Port Destination Port IP Protocol

Most exporters treat each direction as a separate record. Join them in post-processing to see request/response symmetry. Tools like flow-tools or Elasticsearch scripted fields can do this.