Getting to know your network traffic and its patterns can save you hours in troubleshooting, network capacity planning, or security analysis. Information such as who the top talkers on the network are, what protocols they are using, and what the top destinations are is key to successful network monitoring. Netflow is a network protocol that collects information about all the traffic running through a Netflow-enabled device, records traffic data, and helps discover traffic patterns.

Network admins have many reasons for using Netflow. They use it to ensure and improve security by knowing the baseline of where the traffic is and spotting its inconsistencies. An admin can also use it to learn what traffic patterns look like before adding a new device or application.

With Netflow, an admin can create billing reports based on bandwidth usage. Netflow was initially developed by and for Cisco switching technologies, and was first implemented with a release of IOS for Cisco networking devices. The latest version of this protocol is Netflow Version 9. To obtain traffic information, the NetFlow V9 data communication frames carry a vast array of information.

The Field Type in the data frame of a NetFlow packet carries information such as, but not limited to, the flow's addresses, ports, protocol, interfaces, and counters. With this information, Netflow allows devices to create a record for each traffic flow.

The device sends these records to a Netflow collector, which analyzes the data and reports statistics such as top talkers, top protocols, and so on.

As mentioned earlier, Netflow is a protocol that collects flow data from the network traffic and forwards it to a collector. The Netflow collector, which consolidates all data, receives the records from the exporter, as shown in the picture below. Three fundamental elements, usually referred to as the Netflow Exporter, Collector, and Analyzer, play an essential role in Netflow.

Their ultimate job is to organize the flow data into a readable format so that the network admin can analyze it with applications and make sense of the data.

Netflow records are usually sent over UDP and received by a collector. SNMP, by contrast, is used to manage and keep track of network devices and their performance.

SNMP is recommended for everyday monitoring situations, such as bandwidth utilization, CPU load, interface status, and many other parameters. Netflow also provides a means to monitor a network, but it uses an entirely different method than SNMP. The following table shows the fundamental functionality differences. Pcap (packet capture) is a protocol used for capturing network traffic.

Unix systems implement pcap in a library called libpcap. There is also a Windows libpcap port called WinPcap.

Terminology Used in This Document

The collector, which receives export packets from one or more exporters, processes each packet: it parses, aggregates, and stores information on IP flows.

A FlowSet is a generic term for a collection of records that follow the packet header in an export packet. There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.

It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.

A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices.

Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness. Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records.

NetFlow Version 9 Packet Layout

Table 1. NetFlow Version 9 Export Packet: Packet Header | Template FlowSet | Data FlowSet

The collector must always cache any received templates, and examine the template cache to determine the appropriate template ID to interpret a data record. Ordinarily, templates are "piggybacked" onto data FlowSets. However, in some instances only templates are sent. When a router first boots up or reboots, it attempts to synchronize with the collector device as quickly as possible. The router may send template FlowSets at an accelerated rate so that the collector device has sufficient information to interpret any subsequent data FlowSets.
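As an added illustration (not code from the original page or from Cisco), the following Python collector fragment implements the caching rule described above: templates are stored per (exporter address, template ID), a data FlowSet that arrives before its template is reported as undecodable rather than guessed at, and a second exporter reusing template ID 256 does not collide with the first. Field type IDs follow RFC 3954; the export packets are constructed inline and are not a real capture.

```python
import struct
import ipaddress
# NetFlow v9 field type IDs (RFC 3954) used by the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def decode_records(fields, body):
    """Apply a cached template (list of (type, length)) to a data FlowSet body."""
    rec_len, out, off = sum(flen for _, flen in fields), [], 0
    while rec_len and off + rec_len <= len(body):      # trailing bytes are padding
        rec, pos = {}, off
        for ftype, flen in fields:
            raw, pos = body[pos:pos + flen], pos + flen
            rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
        out.append(rec)
        off += rec_len
    return out

def feed(templates, exporter, packet):
    """Process one v9 export packet; returns (records, template IDs seen but not yet cached)."""
    records, missing, off = [], [], 20                  # skip the 20-byte packet header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            break                                       # malformed FlowSet header
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                                  # template FlowSet: cache every template
            while pos + 4 <= len(body):
                tid, n = struct.unpack("!HH", body[pos:pos + 4])
                templates[(exporter, tid)] = [
                    struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(n)]
                pos += 4 + 4 * n
        elif (exporter, fs_id) in templates:            # data FlowSet with a known template
            records += decode_records(templates[(exporter, fs_id)], body)
        elif fs_id > 255:
            missing.append(fs_id)                       # undecodable until its template arrives
        off += fs_len
    return records, missing

def build_sample_packets():
    """Constructed sample (not a real capture): a template-only packet and a data packet."""
    header = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 0)   # version 9, count 1
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = (ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("192.0.2.80").packed
           + struct.pack("!HHBII", 51514, 443, 6, 4800, 12))
    rec += b"\x00" * (-len(rec) % 4)                    # pad the data FlowSet to a 32-bit boundary
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl,
            header + struct.pack("!HH", 256, 4 + len(rec)) + rec)
```

Feeding the data packet first yields no records and flags template 256 as missing; after the template packet is seen from the same exporter the record decodes, while the same data packet from a different exporter address is still undecodable.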

Also, template records have a limited lifetime, and they must be periodically refreshed.

NetFlow is a feature introduced on Cisco routers that provides the ability to collect IP network traffic as it enters or exits an interface.

By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup using NetFlow consists of three main components: a flow exporter, a flow collector, and an analysis application. [1]

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector, typically a server that does the actual traffic analysis. Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values: ingress interface (SNMP ifIndex), source IP address, destination IP address, IP protocol, source port (for UDP or TCP, 0 for other protocols), destination port (for UDP or TCP, type and code for ICMP, or 0 for other protocols), and IP Type of Service. [2]

Note that the egress interface, IP next hop, and BGP next hop are not part of the key and may not be accurate if the route changes before the expiration of the flow, or if load balancing is done per packet. A NetFlow command-line tool such as nfdump can print the stored flows in a human-readable listing. The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow, it resets the aging counter.

Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. A UDP destination port must be chosen for the export; one port number is by far the most common, but other values are also used. For efficiency reasons, the router traditionally does not keep track of flow records already exported, so if a NetFlow packet is dropped due to network congestion or packet corruption, all contained records are lost forever.
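Added example (not from the original article): a small Python flow cache that keys on the seven NetFlow v5 fields, applies the inactive timeout (flow finished) and active timeout (fixed-interval export of a live flow) described above, and builds a top-talkers summary from the exported records. The packet observations are constructed, and the default timeouts of 15 s inactive and 30 min active are my assumption of typical router defaults.

```python
from collections import Counter, namedtuple
# NetFlow v5 flow key: the seven fields packets must share to belong to one flow. Egress
# interface and next hop are not part of the key, so a route change does not split a flow.
FlowKey = namedtuple("FlowKey", "in_if src_ip dst_ip proto src_port dst_port tos")

class FlowCache:
    """Per-flow counters with NetFlow-style inactive and active timeouts (seconds, assumed defaults)."""
    def __init__(self, active_timeout=1800, inactive_timeout=15):
        self.active_timeout, self.inactive_timeout = active_timeout, inactive_timeout
        self.cache = {}   # FlowKey -> [first_seen, last_seen, packets, bytes]

    def observe(self, ts, key, nbytes):
        exported = self.expire(ts)                      # age the cache before accounting this packet
        entry = self.cache.get(key)
        if entry is None:
            self.cache[key] = [ts, ts, 1, nbytes]       # first packet of a new flow
        else:
            entry[1] = ts                               # new traffic resets the aging counter
            entry[2] += 1
            entry[3] += nbytes
        return exported

    def expire(self, now):
        """Export flows idle for inactive_timeout (finished) or older than active_timeout (ongoing)."""
        records = []
        for key, (first, last, pkts, nbytes) in list(self.cache.items()):
            if now - last >= self.inactive_timeout:
                reason = "inactive"
            elif now - first >= self.active_timeout:
                reason = "active"                       # fixed-interval export of a live flow
            else:
                continue
            del self.cache[key]                         # a live flow re-enters on its next packet
            records.append({"key": key, "packets": pkts, "bytes": nbytes, "reason": reason})
        return records

def top_talkers(records, n=3):
    totals = Counter()                                  # bytes per source address
    for rec in records:
        totals[rec["key"].src_ip] += rec["bytes"]
    return totals.most_common(n)

# Constructed packet observations (timestamp, FlowKey, bytes); not a real capture.
HTTPS = FlowKey(1, "10.0.0.5", "192.0.2.80", 6, 51514, 443, 0)
DNS = FlowKey(1, "10.0.0.7", "192.0.2.53", 17, 40000, 53, 0)
SAMPLE_PACKETS = [(0, HTTPS, 1500), (5, HTTPS, 1500), (6, DNS, 80), (30, HTTPS, 600)]

def run_sample(inactive_timeout=15):
    cache, exported = FlowCache(inactive_timeout=inactive_timeout), []
    for ts, key, nbytes in SAMPLE_PACKETS:
        exported += cache.observe(ts, key, nbytes)
    return exported + cache.expire(SAMPLE_PACKETS[-1][0] + inactive_timeout)  # final flush
```

With the sample, the 25 s gap between the second and third HTTPS packets exceeds the inactive timeout, so the first HTTPS flow (2 packets, 3000 bytes) and the DNS flow are exported and the third packet starts a new flow record.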

The UDP protocol does not inform the router of the loss, so the router cannot resend the packets. This can be a real problem, especially with NetFlow v8 or v9, which can aggregate a lot of packets or flows into a single record. A single UDP packet loss can have a huge impact on the statistics of some flows.

That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol (SCTP) to export packets, so as to provide some protection against packet loss and to make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow, because a strict ordering of packets would cause excessive buffering and delays.

There may be performance limitations if a router has to deal with many NetFlow collectors, and a NetFlow collector has to deal with many routers, especially when some of them are unavailable due to failure or maintenance. SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment.

Simple stateless equipment can also filter or change the destination address of NetFlow UDP packets if necessary.

Since NetFlow export almost always uses network backbone links, packet loss will often be negligible. If it happens, it will mostly be on the link between the network and the NetFlow collectors. NetFlow version 5 (one of the most commonly used versions, followed by version 9) contains the following record fields. There is no explicit way to distinguish between these cases.

Complete Guide to Netflow: How Netflow & its Components Work. Netflow Monitoring Tools

By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.

NetFlow Traffic Analyzer Overview

NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to limit the amount of NetFlow records exported.

NetFlow usually captures all packets received by an ingress IP interface, but some NetFlow implementations use IP filters to decide whether a packet can be observed by NetFlow. Some NetFlow implementations also allow the observation of packets on the egress IP interface, but this must be used with care: flows from any NetFlow-enabled ingress interface to any NetFlow-enabled egress interface could be counted twice.

Standard NetFlow was designed to process all IP packets on an interface.

This article will cover the basics of Netflow, including its use cases, Netflow-supported devices, Netflow history, and variants. This will lead on to coverage of the various Netflow components, including the Netflow Exporter, Netflow Collector, and Netflow Analyzer, with some brief coverage of its main competition.

Visibility plays a key role in the maintenance and security of any network. With it, admins can identify issues, discover non-compliant users, refine their provisioning, and more. Netflow is a protocol developed by Cisco that fulfils this purpose, letting interested parties understand network patterns and protocol distribution, while supporting more granular data like IP service type for diagnosis.

Its relatively low overhead and trusted history mean that Netflow is still around in some form a decade after its release. As well as user and application monitoring, admins utilize Netflow for network planning, application reporting and profiling, security analysis, and usage-based reporting and billing.

Broadly, a flow is a group of packets that are part of the same conversation between two endpoints in a network. More technically, a single flow is defined by its 5-tuple, a collection of five data points: source IP address, destination IP address, source port, destination port, and protocol.

Meanwhile, Catalyst and Nexus switches have a dedicated hardware TCAM implementation, generally supporting more flows. Netflow began its evolution with IOS. Initially, it was designed for LAN and scaled poorly, resulting in the rise of the express forwarding technique. Cisco, seemingly recognising the value of its solution, later enabled hardware-based implementations, which allow for higher bandwidth. However, with the rise of Netflow came a number of other popular vendors trying to cash in on it.

In a bid to avoid trademark battles, various competitors implemented their own flavors of the technique. Netflow version 9 is described in an RFC on the informational track rather than the standards track. Netflow is generally supported in three versions. Cisco did not publicly release several early versions, and v1 is naturally obsolete. Routers and switches most commonly support Netflow v5, v8, and v9, with v6 out of support and v7 seemingly exclusive to Catalyst 5K series switches.

Suffice it to say that the IP address of the collector and the UDP destination port must be configured on the sending router, with one UDP port being the most common choice. Some Netflow implementations protect against packet loss through use of SCTP; however, this is not always performant if multiple independent collectors are in play.

As mentioned earlier, a Netflow-enabled device inspects a number of parameters to define and differentiate flows. These provide some natural, basic visibility.

The source and destination addresses can tell admins who is sending and receiving traffic, for example. The ports show which applications are generating the traffic, class of service indicates the priority, and the interface shows how traffic is passing through the device. However, combining the various data points yields information beyond this. Tallied packets and bytes reveal the amount of traffic and can be combined with timestamps to derive bytes per second; TCP flags allow handshakes to be examined, and subnet masks allow prefix calculation.

The amount of real-world benefit often depends on the analysis tools at your disposal. With the right Netflow Analyzer, admins can use collected data to determine a range of such metrics. Each of the three components has a different role, and is often based on different hardware. These are fairly self-explanatory. The Netflow Exporter is an appliance or network device; an example is a router or firewall.

It gathers packets into flows and exports flow records to collectors when it decides the flow has expired. The Netflow Exporter determines which flows are new by the 5-tuple data points mentioned above.

In this post, we will try to clarify key concepts around Netflow technology and potentially correct some common misconceptions.

Also, we will share what we measured in different networks in Europe and North America. This information will help in understanding the parameters of this equation.

Netflow – What is it, a Definition & How to Collect & Analyze Flow Data (sFlow, Ipfix, jFlow, etc)

Netflow is used to create a statistical view of the flow matrix from the router or line card perspective. Aside from the configuration and show commands, nothing will be performed at the Route Processor level. Each NPU is connected at 2.

This parameter is fixed and not configurable via CLI. We will come back later on this shaper since it will directly influence the netflow performance and capabilities.

It is used on routing devices to generate flow records from packet streams by extracting fields from sampled packets.

Netflow packet Version 5 (V5)

A database, or cache, is used to store the current flows and their accounting information. This concept of timers is very important, since it dictates how fast we flush the cache content and inform the remote collector of the existence of a flow, at the potential risk of reaching the maximum size of this cache.

Several processes are involved in the Netflow operation and configuration. They are present in both the Route Processor and the Line Card. It represents the number of packets we can route, filter, encapsulate or decapsulate, count, police, remark, and so on, every second.

In the same vein, you may have heard of NDR (Non-Drop Rate) to express the minimal packet size a system can forward at line rate on all ports simultaneously. It will be covered in the next part of this blog post. So, understanding the traffic profiles and the average packet size per link and per ASIC is mandatory to qualify your network.
