Hongke Sharing | What can NetFlow data provide for network troubleshooting? | Network traffic monitoring

NetFlow is a feature built into network equipment that collects per-flow traffic measurements and exports them to another system for analysis. Analysis of this flow data tells the network manager how the network is performing and how it is being used. Traffic analysis can, for example, help troubleshoot problems by tracking which IP addresses are talking to which, and highlight anomalies such as excessive traffic from a single host.

What is NetFlow

NetFlow was introduced by Cisco in 1995, and the visibility it gave into traffic proved so valuable that it became the de facto industry standard. By 2008 the popularity of flow-based monitoring had led the IETF to standardize the NetFlow v9 export format as IPFIX. Other vendor protocols exist, notably Juniper's J-Flow, and sFlow takes a different, packet-sampling approach, but NetFlow remains the most widely used flow-based monitoring protocol.

How NetFlow works

NetFlow is a typical feature on routers, but turning it into usable information for the network manager requires three components.

1. Flow exporter

The flow exporter accumulates flow data in its flow cache and periodically exports expired entries to the collector. This is usually the router, switch or firewall that forwards the traffic; it does no analysis itself and only hands the records on.

2. Flow collector

The flow collector is a server that receives the exported records and stores them for later processing by specialized software.

3. Flow analyzer

The flow analyzer is the application that processes the collected data and presents reports, alerts, dashboards and network visualizations, so that network managers can see the performance and usage of their networks.

What information does NetFlow carry

When a packet arrives, the router first decides whether to forward it; if so, it looks for a matching entry in the flow cache. A flow is identified by a set of seven key fields that together act as a fingerprint; packets sharing the same fingerprint are accounted against the same cache entry rather than being recorded individually.

Each flow cache entry is keyed on the following packet attributes.

1. Source IP address

2. Destination IP address

3. Source port number

4. Destination port number

5. Layer 3 protocol type (for example TCP, UDP or ICMP)

6. Type of service (ToS) byte, which carries the class-of-service marking

7. Input interface, i.e. the router or switch interface the packet arrived on

The output interface is recorded in the entry as well, but it is not part of the key.

The packet and byte counters of an entry are incremented until the flow expires: when no packet has matched it for the inactive timeout (15 seconds by default on Cisco devices), when it has been open longer than the active timeout (30 minutes by default), when a TCP FIN or RST closes the connection, or when the cache is full. At that point the entry is exported to the collector for storage and later analysis. This flow information can be used to understand network behavior in a number of ways.

  • The source address shows who initiated the traffic

  • The destination address shows who received it

  • The ports identify the application generating the traffic (for example 53 for DNS, 443 for HTTPS)

  • The ToS byte shows which class of service, and hence which queueing priority, the traffic was given

  • The input and output interfaces show where the traffic entered and left the device

  • The packet and byte counts show the volume of traffic
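The cache behaviour described above, as an added example that is not code from the original article or from any vendor: packets are reduced to the seven key fields, matching packets are aggregated into one entry, and an entry is exported when a FIN/RST ends the TCP conversation or when the inactive or active timeout is reached. The packet trace is constructed, the `observe`/`expire` functions are illustrative names, and the timeouts are shortened (2 s inactive, 10 s active) so the trace stays small; Cisco's traditional defaults are 15 s and 30 min.

```python
"""Minimal model of a NetFlow flow cache (added example, not from the article).
Packets are keyed on the seven classic NetFlow key fields, matching packets are
aggregated into one entry, and an entry is exported when it expires: on an
inactive timeout, an active timeout, or a TCP FIN/RST. Timeouts are shortened
for illustration; Cisco's defaults are 15 s inactive and 30 min active."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# Key fields: src IP, dst IP, src port, dst port, L3 protocol, ToS, input ifIndex
FlowKey = Tuple[str, str, int, int, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0      # cumulative OR of every TCP flag seen on the flow
    output_if: int = 0      # recorded in the entry but not part of the key


@dataclass
class FlowCache:
    inactive_timeout: float = 2.0   # seconds; illustrative, not a vendor default
    active_timeout: float = 10.0
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    exported: List[FlowEntry] = field(default_factory=list)

    def observe(self, pkt: dict, now: float) -> None:
        """Account one packet (a constructed dict) against its flow entry."""
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
               pkt["proto"], pkt.get("tos", 0), pkt["in_if"])
        e = self.entries.get(key)
        if e is None:
            e = FlowEntry(key, first_seen=now, last_seen=now,
                          output_if=pkt.get("out_if", 0))
            self.entries[key] = e
        e.packets += 1
        e.octets += pkt["length"]
        e.last_seen = now
        e.tcp_flags |= pkt.get("flags", 0)
        # A FIN or RST ends a TCP conversation: the entry is exported at once
        if pkt["proto"] == 6 and e.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key)

    def expire(self, now: float) -> None:
        """The periodic expiry sweep an exporter runs over its cache."""
        for key, e in list(self.entries.items()):
            if (now - e.last_seen >= self.inactive_timeout
                    or now - e.first_seen >= self.active_timeout):
                self._export(key)

    def _export(self, key: FlowKey) -> None:
        self.exported.append(self.entries.pop(key))


def run_demo() -> List[FlowEntry]:
    """Feed a constructed packet trace through the cache; return the exports."""
    cache = FlowCache()
    web = dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443,
               proto=6, in_if=1, out_if=2)
    trace = [
        # A short HTTPS session: SYN, ACK, data, FIN -> exported on the FIN
        (0.0, dict(web, length=60, flags=TCP_SYN)),
        (0.1, dict(web, length=52, flags=TCP_ACK)),
        (0.2, dict(web, length=1400, flags=TCP_ACK)),
        (0.3, dict(web, length=52, flags=TCP_FIN | TCP_ACK)),
        # A single DNS query that simply goes quiet -> inactive timeout
        (1.0, dict(src="10.0.0.7", dst="192.0.2.53", sport=51000, dport=53,
                   proto=17, in_if=1, out_if=2, length=70)),
        # A 20 s UDP media stream -> split in two by the 10 s active timeout
        *[(0.5 * i, dict(src="10.0.0.9", dst="198.51.100.20", sport=5004,
                         dport=5004, proto=17, in_if=1, out_if=2, length=1200))
          for i in range(40)],
    ]
    trace.sort(key=lambda t: t[0])      # stable sort keeps listing order per timestamp
    for ts, pkt in trace:
        cache.expire(ts)
        cache.observe(pkt, ts)
    cache.expire(trace[-1][0] + 5.0)    # final sweep after the trace ends
    return cache.exported


if __name__ == "__main__":
    for r in run_demo():
        print(r.key[:5], "pkts", r.packets, "bytes", r.octets,
              "flags", hex(r.tcp_flags), "dur", r.last_seen - r.first_seen)
```

Running it yields four records: the HTTPS flow with four packets and the cumulative flags SYN|ACK|FIN, the one-packet DNS flow, and the long UDP stream as two records of twenty packets each, which is exactly why an analyzer must stitch active-timeout fragments back together before reasoning about a long-lived connection.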

Additional information recorded in each flow includes:

  • Flow start and end timestamps, which give the lifetime of the flow and allow packets and bytes per second to be computed;

  • The next-hop IP address and, where BGP is running, the source and destination autonomous system (AS) numbers;

  • The source and destination prefix masks, from which the network prefixes of the endpoints are derived;

  • The cumulative OR of the TCP flags seen on the flow, which shows whether a handshake completed (SYN and ACK both seen) or only a SYN was ever sent, as in a port scan or SYN flood.

Keep in mind that NetFlow records are unidirectional, so each direction of a TCP conversation is a separate flow, and that many deployments sample packets rather than accounting every one, so a single-packet probe may never appear in the export.
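The fields listed above are exactly what a NetFlow v5 export record carries on the wire. As an added example that is not part of the original article, the block below encodes a handful of constructed flow records into a v5 datagram, decodes it again, and then applies the TCP-flag check: TCP flows that show SYN but never ACK are grouped per source, and a source with several such flows to distinct destination:port pairs is reported as a likely scanner. The v5 layout (24-byte header, 48-byte records, big-endian) is the real one; the sample flows, the AS numbers and the `half_open_sources` threshold are assumptions for the demonstration.

```python
"""Encode/decode a NetFlow v5 datagram and run a SYN-without-ACK check over
the decoded records (added example, not code from the article). The sample
flows below are constructed, not captured from a real network."""
import socket
import struct
from typing import Dict, List, Set, Tuple

# NetFlow v5 wire layout, network byte order: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, unix_secs,
                                          # unix_nsecs, flow_sequence, engine_type,
                                          # engine_id, sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets",
          "first", "last", "sport", "dport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def build_v5(flows: List[Dict], sysuptime_ms: int, unix_secs: int,
             seq: int = 0) -> bytes:
    """Pack flow dicts into one v5 export datagram (what an exporter sends)."""
    header = V5_HEADER.pack(5, len(flows), sysuptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for f in flows:
        body += V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f.get("input", 0), f.get("output", 0),
            f["packets"], f["octets"], f["first"], f["last"],
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"],
            f.get("tos", 0), f.get("src_as", 0), f.get("dst_as", 0),
            f.get("src_mask", 0), f.get("dst_mask", 0), 0)
    return header + body


def parse_v5(datagram: bytes) -> List[Dict]:
    """Unpack a v5 datagram into flow dicts (what a collector does on receipt)."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    records, off = [], V5_HEADER.size
    for _ in range(count):
        rec = dict(zip(FIELDS, V5_RECORD.unpack_from(datagram, off)))
        for k in ("src", "dst", "nexthop"):
            rec[k] = socket.inet_ntoa(rec[k])
        records.append(rec)
        off += V5_RECORD.size
    return records


def half_open_sources(records: List[Dict], min_targets: int = 3) -> Dict[str, int]:
    """Per source, count TCP flows whose cumulative flags contain SYN but not ACK.
    Many such flows from one host to distinct destination:port pairs is the
    classic port-scan (or SYN-flood) signature. min_targets is an assumed threshold."""
    targets: Dict[str, Set[Tuple[str, int]]] = {}
    for r in records:
        if r["proto"] != 6:
            continue
        if r["tcp_flags"] & TCP_SYN and not r["tcp_flags"] & TCP_ACK:
            targets.setdefault(r["src"], set()).add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample: one completed HTTPS session, then one host sending
# single-SYN probes to five destination:port pairs.
SAMPLE_FLOWS = [
    dict(src="10.0.0.5", dst="192.0.2.10", sport=40000, dport=443, proto=6,
         packets=12, octets=4800, first=1000, last=1800,
         tcp_flags=TCP_SYN | TCP_ACK | TCP_FIN, nexthop="10.0.0.1",
         input=1, output=2, src_as=64512, dst_as=64496, src_mask=24, dst_mask=24),
] + [
    dict(src="10.0.0.66", dst=f"192.0.2.{h}", sport=50000 + i, dport=p, proto=6,
         packets=1, octets=44, first=2000 + i, last=2000 + i, tcp_flags=TCP_SYN,
         nexthop="10.0.0.1", input=1, output=2)
    for i, (h, p) in enumerate([(20, 22), (20, 3389), (21, 22), (21, 445), (22, 445)])
]


def run_demo():
    """Export the sample flows, collect them back, and run the scan check."""
    wire = build_v5(SAMPLE_FLOWS, sysuptime_ms=5000, unix_secs=1700000000, seq=1)
    records = parse_v5(wire)
    return wire, records, half_open_sources(records)


if __name__ == "__main__":
    wire, records, suspicious = run_demo()
    print(len(wire), "bytes,", len(records), "records; SYN-only sources:", suspicious)
```

Because the check relies on the cumulative flag byte, it works on the exporter's own record of each unidirectional flow and needs no reply traffic; it does, however, depend on the exporter seeing every packet, which is why it is weaker on sampled exports.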


Origin blog.csdn.net/HongkeTraining/article/details/130281851