
⭐ ⭐ Use ML to classify flows and packets as benign or malicious. ⭐ ⭐






FlowMeter is an experimental utility built for analysing and classifying packets by looking at packet headers.

Primary design goals:

FlowMeter aims to:

  • Classify packets and flows as benign or malicious with high true positives (TP) and low false positives (FP).
  • Use the labeled data to reduce the amount of traffic requiring deeper analysis.

Additionally, Deepfence FlowMeter also categorizes packets into flows and shows a rich ensemble of flow data and statistics.

FlowMeter takes packets and returns a file with statistics of flows.
FlowMeter takes packets, returns a file with statistics of flows, and classifies packets as benign or malicious.

When to use FlowMeter

Use FlowMeter if you wish to build and operate machine-learning models on network packet data.

Quick Start

For full instructions, refer to the FlowMeter Documentation.

FlowMeter QuickStart

Who uses FlowMeter?

  • We use FlowMeter internally to quickly analyse and label packets. It forms one part of a project to build a fast pre-filter for packets before we conduct deeper layer-7 analysis in Deepfence ThreatMapper.

Get in touch

Thank you for using FlowMeter.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues: Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence
  • Find out more at

Security and Support

For any security-related issues in the FlowMeter project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.


The Deepfence FlowMeter project (this repository) is offered under the Apache2 license.

Contributions to the Deepfence FlowMeter project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.