NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. For example, NetFlow captures the timestamp of a flow’s first and last packets (and hence its duration), the total number of bytes and packets exchanged, a summary of the flags used in TCP connections, and other details. Using a NetFlow collector and analyzer, a network manager can see where network traffic is coming from and going to and how much traffic is being generated. Today, NetFlow has become a de-facto industry standard and is supported by platforms other than Cisco, including: Juniper (Jflow), 3Com/HP, Dell and Netgear (sFlow), Huawei (NetStream), Alcatel-Lucent (Cflow), and Ericsson (Rflow).
When computers need to talk to one another they establish communication channels, commonly referred to as connections. A flow refers to any connection or connection-like communication channel.
NetFlow data can be used for several network management tasks, such as:
- Troubleshooting: Diagnosing and troubleshooting network slowdowns, bandwidth hogs, and traffic spikes.
- Validation of QoS parameters: confirming that each Class of Service (CoS) receives its appropriate bandwidth allocation.
- Monitoring: Monitoring network, tracking in and out traffic, and identifying top users.
- Security analysis: Detecting changes in network behavior to identify network anomalies.
- Capacity planning: Tracking network usage to assess future bandwidth requirements.
In more technical terms, a flow is defined by its 5-tuple, a collection of five data points:
- Source and destination IP addresses exchanging information
- Source and destination ports
- The protocol
Routers that have this feature enabled generate NetFlow records. These records are exported from the router and gathered by a collector.
A typical flow monitoring setup consists of three main components:
- Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors. It’s an appliance or network device (usually a router or firewall) in charge of collecting flow information and exporting it to a flow collector.
- Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter. NetFlow collectors can take the form of hardware-based collectors (probes) or software-based collectors. It’s an appliance or server that receives exported flow information.
- Analysis application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example. It’s an application that analyzes flow information collected by the flow collector.
The bandwidth needed to export NetFlow data is typically less than 0.5% of total bandwidth consumption. Where even that overhead matters, most vendors offer a feature called sampled NetFlow. Sampled NetFlow is the statistical sampling of packets where only one out of every N packets is processed by NetFlow and the rest are skipped. Certain router models can’t keep up with full NetFlow computing and implement sampling as a way to reduce CPU load.
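To make the 5-tuple, the per-flow counters and the effect of 1-in-N sampling concrete, here is a small flow aggregator written as an added example for this page (it is not Cisco code or part of any NetFlow implementation). The packet list is constructed sample data, flows are unidirectional as in real NetFlow, and `sample_rate=N` emulates a sampling exporter by inspecting every Nth packet and scaling the counters by N.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample packets: (ts, src_ip, dst_ip, proto, src_port, dst_port, bytes, tcp_flags)
PACKETS = [
    (1000.0, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 60, 0x02),    # SYN
    (1000.1, "192.0.2.10", "10.0.0.5", 6, 443, 51000, 60, 0x12),    # SYN/ACK
    (1000.2, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 1500, 0x18),  # PSH/ACK
    (1001.0, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 1500, 0x10),  # ACK
    (1002.5, "10.0.0.5", "192.0.2.10", 6, 51000, 443, 60, 0x11),    # FIN/ACK
    (1000.3, "10.0.0.7", "192.0.2.53", 17, 40000, 53, 80, 0),       # DNS query
    (1000.4, "192.0.2.53", "10.0.0.7", 17, 53, 40000, 200, 0),      # DNS reply
]

FlowKey = Tuple[str, str, int, int, int]  # the 5-tuple: src, dst, proto, sport, dport

@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # OR of every TCP flag seen, as a NetFlow record summarises them

    @property
    def duration(self) -> float:
        return self.last_seen - self.first_seen

def aggregate(packets, sample_rate: int = 1) -> Dict[FlowKey, FlowRecord]:
    """Collapse packets into unidirectional flows keyed by 5-tuple. sample_rate=N emulates
    sampled NetFlow: only every Nth packet is inspected and counters are scaled by N."""
    flows: Dict[FlowKey, FlowRecord] = {}
    for i, (ts, src, dst, proto, sport, dport, nbytes, flags) in enumerate(packets):
        if i % sample_rate:
            continue  # packet skipped by the sampling exporter
        key = (src, dst, proto, sport, dport)
        rec = flows.setdefault(key, FlowRecord(first_seen=ts, last_seen=ts))
        rec.first_seen, rec.last_seen = min(rec.first_seen, ts), max(rec.last_seen, ts)
        rec.packets += sample_rate
        rec.bytes += nbytes * sample_rate
        rec.tcp_flags |= flags
    return flows

def top_talkers(flows: Dict[FlowKey, FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Bytes sent per source IP, largest first: the 'top users' view an analyzer shows."""
    totals: Dict[str, int] = {}
    for (src, *_), rec in flows.items():
        totals[src] = totals.get(src, 0) + rec.bytes
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]
```

Running `aggregate(PACKETS, sample_rate=2)` shows the trade-off sampling makes: the byte totals of the long HTTPS flow are estimated closely, but the one-packet SYN/ACK and DNS query flows are never seen at all, which is why sampled data is weaker for security analysis than for capacity planning.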
NetFlow v9 comes with Flexible NetFlow (FNF), which gives a broader view of what is happening in the network, making it useful for:
- Network monitoring
- Application and user profiling
- Capacity planning
- Identifying security anomalies
- Network data mining
- Network fault troubleshooting