diff --git a/netflow.md b/netflow.md new file mode 100644 index 0000000..60f7c26 --- /dev/null +++ b/netflow.md 
@@ -0,0 +1,61 @@ +# Using netflow + +Our system support two modes of operation for netflow data collection: + +1. Netflow conntrack: This mode uses the conntrack events generated by the kernel to collect netflow data. This mode is the default mode of operation, doesn't need any special rules in iptables. +This mode primarily used for LE (Law Enforcement) purposes, to provide information on requests of ISF/Army, when they provide for you IP addresses + ports and ask for the username. +It might be used with any other netflow collector, or https://gitlab.com/nuclearcat1/leconnlog + +2. Netflow full: This mode uses the iptables rules to collect netflow data. This mode is more resource intensive, but provides more detailed information about the traffic. This mode is used for the billing or statistical purposes, when you need to know the amount of traffic consumed by each user. Requires special iptables rules to be added to the system. + +## Supported standards + +Our system supports the following netflow standards: + +1. Netflow v5 +2. Netflow v9 +3. IPFIX (v10) + +## Netflow conntrack + +To enable netflow conntrack mode, you need to set the following options in the config file: + +``` +insmod /tmp/ipt_NETFLOW.ko natevents=1 destination="10.168.101.3:2056" protocol=9 +sysctl -w net.netfilter.nf_conntrack_events=1 +``` + +Where: + +- `natevents=1` - enables the netflow conntrack mode +- `destination=` - specifies the destination for the netflow data. The format is `IP:PORT` +- `protocol=9` - specifies the netflow protocol version. 
The supported values are 5, 9, 10 + +You can verify that the module is loaded by running the following command: + +``` +lsmod | grep ipt_NETFLOW +``` + +And verify statistics by running the following command: + +``` +cat /proc/net/stat/ipt_netflow +``` + +## Netflow full + +To enable netflow full mode, you need to set the following options in the config file: + +``` +insmod /tmp/ipt_NETFLOW.ko natevents=0 destination="10.168.101.3:2056" protocol=9 +``` +Then set in appropriate place traffic that should be accounted, for example +``` +iptables -A FORWARD -i ppp+ -j NETFLOW +iptables -A FORWARD -o ppp+ -j NETFLOW +``` + +Where options are the same as for the netflow conntrack mode, as well as diagnostics commands. + +
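Review bot: In the "Netflow conntrack" and "Netflow full" sections the text says "set the following options in the config file", but the blocks that follow are shell commands (`insmod …`, `sysctl -w …`, `iptables -A FORWARD …`), not config-file options; say where these commands are meant to live (a startup script, a specific config file that is sourced at boot) so a reader knows how to persist them, and consider replacing `insmod /tmp/ipt_NETFLOW.ko` with a module path that survives a reboot, since anything under `/tmp` is typically cleared. A few wording fixes while you are there: "Our system support two modes" should be "supports", "This mode primarily used for LE" is missing "is", and the note that the full mode's iptables rules only account traffic that actually traverses the `FORWARD` chain on `ppp+` interfaces (locally generated or otherwise routed traffic will not be counted) would help readers who copy the example rules verbatim. Finally, since `destination="10.168.101.3:2056"` is a plain UDP export, the doc should state that the collector address is expected to be reachable over a trusted/management path, as the flow records carry per-user address and port data used for the LE lookups the page describes.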