NetFlow Duplicator: ingest NetFlow and send it out to multiple collectors
NetFlow Duplicator: ingest NetFlow from multiple sources and send it out to multiple collectors.


After a long time of using Samplicator, it no longer sufficed for environments that generate a large number of flows and contain devices that do not use the default NetFlow templates.

Roneo is a stripped-down Python service with only the functions necessary to forward NetFlow traffic. It forwards any UDP traffic really, but it's designed for NetFlow.

NetFlow (or sFlow, IPFIX)

Roneo has been tested with NetFlow versions v5, v7, v9, and v10 (also known as IPFIX), and with sFlow.

Scale-wise, it has been tested on a VM with 2 vCPUs and 4GB of memory. It took in 611Mbit p/s of NetFlow and resent it to 4 target collectors. This is around 300Gbit p/s of real network traffic (average enterprise traffic).


Roneo uses the Python module Scapy to spoof the NetFlow source IP, so the collectors appear to receive the traffic directly from the source devices. Roneo was created to support vRealize Network Insight, which does some correlation with the NetFlow source IP. For the spoofing to work, it's important to place Roneo in the same IP subnet as the collectors.
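The sketch below is an added example, not Roneo's own code. It shows what a duplicated datagram looks like on the wire when the exporter's address is kept as the IP source, and it rejects collectors outside the local subnet. It builds the headers with struct instead of Scapy so it runs without dependencies; all addresses, ports, function names and the sample payload are constructed for illustration.

```python
import ipaddress
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_copy(src_ip, src_port, dst_ip, dst_port, payload):
    """Return one IPv4/UDP datagram that keeps the exporter as its source."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # The UDP checksum covers a pseudo-header that includes both IP addresses,
    # so it has to be recomputed for every collector.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_sum = checksum(pseudo + udp + payload) or 0xFFFF
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_sum)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp + payload

def duplicate(exporter, payload, collectors, local_net):
    """Build one copy per collector; collectors outside local_net are rejected."""
    net = ipaddress.ip_network(local_net)
    copies, rejected = [], []
    for ip, port in collectors:
        if ipaddress.ip_address(ip) in net:
            copies.append(build_copy(exporter[0], exporter[1], ip, port, payload))
        else:
            rejected.append(ip)  # would violate the same-subnet placement rule
    return copies, rejected

# Constructed sample: NetFlow v5 header (version=5, count=0) padded to 24 bytes.
SAMPLE_PAYLOAD = struct.pack("!HH", 5, 0) + bytes(20)
EXPORTER = ("192.0.2.10", 2055)  # constructed exporter address and port
COLLECTORS = [("198.51.100.21", 2055), ("198.51.100.22", 9995),
              ("203.0.113.5", 2055)]
COPIES, REJECTED = duplicate(EXPORTER, SAMPLE_PAYLOAD, COLLECTORS,
                             "198.51.100.0/24")

if __name__ == "__main__":
    print(len(COPIES), "copies built; rejected:", REJECTED)
```

Putting such a datagram on the wire needs raw-socket privileges (root or CAP_NET_RAW), so a service doing this cannot run as an ordinary unprivileged user.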


mkdir -p /opt && cd /opt
git clone
cd roneo-netflow-duplicator
pip install -r requirements.txt
cp roneo-config-example.yaml /etc/roneo-config.yaml
# Edit config
(vi|nano|vim|pico|editorofyourchoice) /etc/roneo-config.yaml
python3 --configfile roneo-config.yaml

Starting on system boot

For CentOS 7 / systemd systems:

cp /opt/roneo-netflow-duplicator/roneo.service /etc/systemd/system/roneo.service
systemctl daemon-reload
systemctl enable roneo
systemctl start roneo
