Some highly secure environments do not allow general purpose tunnels like GRE or VPN. In those sites, the shim tunnel comes in handy. But the receiver needs to support detunneling.

This nfshim daemon adds a 12 byte shim header before the Netflow header.

See https://github.com/trisulnsm/netflow-shim-tunnel

Using this shim technique, NETFLOW/SFLOW from routers in a DMZ can be tunneled to an internal Security Zone where Trisul NetworK Analytics is running. Relaying netflow to a remote Trisul without using NAT GRE or VPN tunneling. This of course requires the netflow collector to support the ability to unpack the packets. Trisul Network Analytics can do that.