Instructions

Install dependencies: pip install netflow
Collect NetFlow/IPFIX data from routers or use the built-in collector: python -m netflow.collector -p 9995
Parse captured flow data using netflow.parse_packet().
Analyze flows for:

Port scanning: single source to many destinations on same port
Data exfiltration: high byte-count outbound flows to unusual destinations
C2 beaconing: periodic connections with consistent intervals
Volumetric anomalies: traffic spikes beyond baseline thresholds

Generate a prioritized findings report.

python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json

Examples

Parse NetFlow v9 Packet

import netflow
data, _ = netflow.parse_packet(raw_bytes, templates={})
for flow in data.flows:
    print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-network-flow-data-with-netflow

# Or load dynamically via MCP
grc.load_skill("analyzing-network-flow-data-with-netflow")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Instructions

Install dependencies: pip install netflow
Collect NetFlow/IPFIX data from routers or use the built-in collector: python -m netflow.collector -p 9995
Parse captured flow data using netflow.parse_packet().
Analyze flows for:

Port scanning: single source to many destinations on same port
Data exfiltration: high byte-count outbound flows to unusual destinations
C2 beaconing: periodic connections with consistent intervals
Volumetric anomalies: traffic spikes beyond baseline thresholds

Generate a prioritized findings report.

python scripts/agent.py --flow-file captured_flows.json --output netflow_report.json

Examples

Parse NetFlow v9 Packet

import netflow
data, _ = netflow.parse_packet(raw_bytes, templates={})
for flow in data.flows:
    print(flow.IPV4_SRC_ADDR, flow.IPV4_DST_ADDR, flow.IN_BYTES)

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC6.6 (System Boundaries), CC6.7 (Restriction on Transmission)
ISO 27001: A.13.1 (Network Security), A.13.2 (Information Transfer)
NIST 800-53: SC-7 (Boundary Protection), AC-17 (Remote Access), SI-4 (System Monitoring)
NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add analyzing-network-flow-data-with-netflow

# Or load dynamically via MCP
grc.load_skill("analyzing-network-flow-data-with-netflow")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Analyzing Network Flow Data with NetFlow

Instructions

Examples

Parse NetFlow v9 Packet

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Implementing Network Traffic Analysis with Arkime

Analyzing Network Packets with Scapy

Analyzing Network Traffic with Wireshark

Conducting Man in the Middle Attack Simulation

Configuring Network Segmentation with Vlans

Configuring Pfsense Firewall Rules

Analyzing Network Flow Data with NetFlow

Instructions

Examples

Parse NetFlow v9 Packet

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Implementing Network Traffic Analysis with Arkime

Analyzing Network Packets with Scapy

Analyzing Network Traffic with Wireshark

Conducting Man in the Middle Attack Simulation

Configuring Network Segmentation with Vlans

Configuring Pfsense Firewall Rules