It is getting more difficult to monitor multiple services as well as to detect and/or to trace Daniel of Service attacks with only tools showing graphs of the whole IP layer traffic like MRTG or by checking counters of router interfaces. In this paper, we discuss the specification of a software-based real-time measurement tool for flow which consists of multiple capture devices, a manager device and user interface devices, enabling flexible flow definition on demand without stopping system and working with IPv4 and/or IPv6, while also enabling high performance. With this discussion, we propose its architecture, bit-pattern-based flow definition method and data structure. Then we report on the performance evaluation of a prototype of proposed real-time flow measurement tools developed on PC-UNIXs and show that the number of bit-pattern composing flow definitions impact on the performance. Lastly we show an example of measuring flows in a real world environment and confirm that the flow extraction is simplified.