A curated collection of tools, datasets, and references for NetFlow, IPFIX, network telemetry, JA3/JA4, JARM, Zeek, and packet-based investigation workflows.
Ideal for threat hunters, SOC analysts, researchers, and network defenders.
## Contents

- [NetFlow & IPFIX Collectors](#netflow--ipfix-collectors)
- [Flow Analysis Tools](#flow-analysis-tools)
- [JA3 / JA4 / TLS Fingerprinting](#ja3--ja4--tls-fingerprinting)
- [JARM Fingerprinting](#jarm-fingerprinting)
- [Packet Capture & PCAP Analysis](#packet-capture--pcap-analysis)
- [Zeek / Bro Resources](#zeek--bro-resources)
- [Open Datasets](#open-datasets)
- [BGP, ASN & Routing Context](#bgp-asn--routing-context)
- [Contributing](#contributing)
## NetFlow & IPFIX Collectors

- [nfdump](https://github.com/phaag/nfdump) - Classic NetFlow collection and analysis tools.
- [pmacct](http://www.pmacct.net) - Flexible flow data collection, aggregation, and BGP correlation.
- [ElastiFlow](https://github.com/robcowart/elastiflow) - Full-featured NetFlow/IPFIX collector with SIEM-scale dashboards.
## Flow Analysis Tools

- [FastNetMon](https://fastnetmon.com) - DDoS detection using NetFlow, sFlow, and SPAN traffic.
- Simple visualizations of flow patterns over time.
- [SiLK](https://tools.netsa.cert.org/silk) - Enterprise-grade flow processing and analytics suite.
## JA3 / JA4 / TLS Fingerprinting

- [JA3](https://github.com/salesforce/ja3) - TLS client fingerprinting for malware and C2 clustering.
- Server-side TLS fingerprinting.
- Updated fingerprinting for modern TLS protocols.
## JARM Fingerprinting

- [JARM](https://github.com/salesforce/jarm) - TLS handshake-based server fingerprinting to track infrastructure.
## Packet Capture & PCAP Analysis

- [Wireshark](https://www.wireshark.org) - Essential PCAP analysis toolkit.
- CLI packet capture powerhouse.
- [Brim](https://www.brimdata.io) - Search and visualize large PCAP datasets with Zeek logs.
## Zeek / Bro Resources

- [Zeek](https://zeek.org) - Network security monitoring and protocol analysis at scale.
- [Zeek Packages](https://packages.zeek.org) - Community scripts and analyzers.
## Open Datasets

- [MAWI](http://mawi.wide.ad.jp) - Long-term packet traces for research.
- [CAIDA](https://www.caida.org) - Network topology, AS relationships, and traffic datasets.
## BGP, ASN & Routing Context

- [RIPEstat](https://stat.ripe.net) - IP, prefix, and routing visibility.
- [bgp.tools](https://bgp.tools) - Live ASN and routing metadata.
- [RouteViews](http://www.routeviews.org) - Global routing table snapshots.
## Contributing

Pull requests and additional tooling recommendations are welcome.