Where do the Flows Come From?

01.10.18 Data flows, NetFlow

Flow data is the basis of modern network monitoring, helping administrators ensure the reliability and security of their environment. But where does flow data come from? There are several ways to obtain it, each with its own pros and cons. Let us go through them.

Generating flows using Flowmon Probe

Flowmon Probe is a dedicated hardware or virtual appliance that generates and exports flow data from network traffic. It is connected to the network infrastructure through its monitoring ports, and there are several ways to feed a monitoring port with a copy of the network traffic:

  1. Probe on a mirror port (SPAN port) – One of the easier ways to connect a probe to the monitored network. The probe's monitoring port is connected to a switch port to which the traffic of other switch ports is mirrored. The downsides are that the exported flows carry no original interface number (the probe sees only the mirror port, not the port the traffic actually entered) and the limited capacity of the mirror port: mirroring both directions of a full-duplex link, or several links, into one port oversubscribes it, and the switch silently drops the excess, so the probe never sees those packets. This option is well suited for enterprise networks.

  2. Probe on a TAP (Terminal Access Point) – This one is a little trickier because additional hardware (the TAP) is inserted into the line. On the other hand, you get the RX and TX directions on separate outputs and capture every packet on the link. This option is mostly used in the Telco/ISP segment and in datacenters. Just do not forget that a TAP needs two monitoring ports on the probe per monitored link, one for each direction.

  3. Probe in a virtual environment – Much like a probe on a mirror port, but the switch is now virtual. The main advantage is visibility into traffic between virtual machines on the same host, which never reaches a physical mirror port or TAP.
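What the probe does with the mirrored or tapped packets is the same in all three deployments: it groups them into unidirectional flows keyed by the 5-tuple, counts packets and bytes, and exports a record when the flow ends or a timeout expires. The following added example (not Flowmon code) implements that NetFlow-style aggregation in Python on a constructed packet trace; the timeouts, addresses and the plain 5-tuple key are assumptions for illustration, and a real probe additionally handles VLAN tags, tunnels and IPv6.

```python
from dataclasses import dataclass

# Constructed timeouts for the demo; real exporters default to values such as
# 300 s active and 15 s inactive.
ACTIVE_TIMEOUT = 60.0     # export a long-lived flow at least this often
INACTIVE_TIMEOUT = 15.0   # export a flow once nothing was seen for this long
TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Packet:
    """Header fields a probe keeps from one mirrored or tapped packet."""
    ts: float        # capture time in seconds
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    length: int      # bytes on the wire
    flags: int = 0   # TCP flags, 0 for non-TCP


@dataclass
class Flow:
    """One unidirectional NetFlow-style record: a 5-tuple plus counters."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    flags: int = 0   # OR of every TCP flag seen in the flow


class FlowCache:
    """Aggregates packets into flows and expires them the way an exporter does."""

    def __init__(self, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
        self.active = active
        self.inactive = inactive
        self.cache = {}      # key -> Flow, kept in insertion order
        self.exported = []   # finished flows, in export order

    def _expire(self, now):
        # Run on every packet here; a real probe also runs it from a timer so
        # that idle flows are exported even when no more traffic arrives.
        for key, flow in list(self.cache.items()):
            if now - flow.last > self.inactive or now - flow.first >= self.active:
                self.exported.append(self.cache.pop(key))

    def add(self, pkt):
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        flow = self.cache.get(key)
        if flow is None:
            flow = self.cache[key] = Flow(*key, first=pkt.ts, last=pkt.ts)
        flow.last = pkt.ts
        flow.packets += 1
        flow.octets += pkt.length
        flow.flags |= pkt.flags
        # FIN or RST ends the connection: export now rather than waiting for
        # the inactive timeout.
        if pkt.proto == TCP and pkt.flags & (TCP_FIN | TCP_RST):
            self.exported.append(self.cache.pop(key))

    def flush(self):
        """Export everything still cached (e.g. at shutdown); return all flows."""
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


def build_flows(packets, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    cache = FlowCache(active, inactive)
    for pkt in sorted(packets, key=lambda p: p.ts):
        cache.add(pkt)
    return cache.flush()


# Constructed sample traffic: one HTTPS session (both directions), a DNS
# lookup, and a UDP stream that outlives the active timeout.
A, B, R, S1, S2 = "10.0.0.5", "93.184.216.34", "10.0.0.53", "10.0.0.7", "10.0.0.9"
SAMPLE_PACKETS = [
    Packet(0.0, A, B, TCP, 51234, 443, 74, 0x02),     # SYN
    Packet(0.1, B, A, TCP, 443, 51234, 74, 0x12),     # SYN/ACK
    Packet(0.2, A, B, TCP, 51234, 443, 66, 0x10),     # ACK
    Packet(0.3, A, B, TCP, 51234, 443, 583, 0x18),    # PSH/ACK (ClientHello)
    Packet(0.5, B, A, TCP, 443, 51234, 1514, 0x10),
    Packet(1.0, A, B, TCP, 51234, 443, 66, 0x11),     # FIN/ACK
    Packet(1.1, B, A, TCP, 443, 51234, 66, 0x11),     # FIN/ACK
    Packet(2.0, A, R, UDP, 40001, 53, 75),            # DNS query
    Packet(2.02, R, A, UDP, 53, 40001, 123),          # DNS reply
] + [Packet(5.0 + 10 * i, S1, S2, UDP, 5001, 5001, 1400) for i in range(8)]

if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} octets={f.octets} flags=0x{f.flags:02x}")
```

Note what the output shows about flow data in general: each direction of the HTTPS session becomes its own record, and the long UDP stream is exported twice (once when it hits the active timeout, once at flush), so a collector has to pair and stitch records to see a whole conversation. The FIN-triggered export is also why TCP flows from a probe end exactly when the session ends, while a SPAN port that dropped the FIN would leave the flow open until the inactive timeout.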

Generating flows using other sources

  1. Switches, routers, firewalls and other sources – exporting flow data from network devices already deployed in your network is a good way to get the most out of your investments. You do not have to deploy and pay for additional hardware, but you should always test the quality and accuracy of the exported flow data. Also bear in mind that you get L3/L4 information only, without application protocol metadata, and that flow export is not the device's primary job: high-speed routers often export sampled flows (1 in N packets) by design, and under heavy load export may be throttled or stopped altogether, so you lose visibility exactly when you need it most. Typical uses are monitoring branch offices and, in the Telco/ISP segment, DDoS protection based on flows exported from edge routers.

  2. Packet brokers – by tapping traffic across the whole network infrastructure (physical and virtual) and making it available from a single point, packet brokers are useful both for feeding traffic to Flowmon Probe and for generating flow data themselves. Either way they provide visibility across the whole network, including application protocol metadata. On the other hand, environments without packet brokers already in place need additional hardware and expense. Packet brokers are typically used in enterprise networks and datacenters.

  3. Virtual platforms – similar to flows from switches and routers, but in the virtual world. The advantage is built-in, easy-to-use visibility into the virtual environment, which is otherwise quite hard to get. On the other hand, you get L3/L4 information only, without application protocol metadata. Examples include VMware NSX/VDS and Open vSwitch, used in SMB, datacenter and other segments.
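The advice above to test the quality of flows exported by routers and switches can be automated at the collector. This added example (not Flowmon code and not any collector the page describes) parses NetFlow v5 export datagrams in Python, decodes the sampling interval from the header, and uses the flow_sequence counter to count flows that never arrived, which is exactly what an overloaded exporter or a lossy export path produces. The sample datagrams, addresses and 1:1000 sampling rate are constructed; the code assumes the Cisco v5 definition of flow_sequence as the number of the first flow in the datagram (some exporters deviate, in which case the gap arithmetic must be adapted).

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format (Cisco): a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    in_if: int      # SNMP ifIndex of the input interface, 0 when the exporter has none
    packets: int
    octets: int
    sport: int
    dport: int
    proto: int
    sampling: int   # 1 = every packet counted, N = 1-in-N packet sampling


def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header dict, [FlowRecord])."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq,
     eng_type, eng_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"truncated datagram: header announces {count} records")
    # Top two bits hold the sampling mode, the low 14 bits the interval; 0 = unsampled.
    interval = sampling & 0x3FFF
    rate = interval if interval > 1 else 1
    records = []
    for i in range(count):
        (s, d, _nh, inp, _outp, pk, oc, _first, _last, sp, dp, _pad, _flags, prot,
         _tos, _sas, _das, _sm, _dm, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(s), socket.inet_ntoa(d), inp,
                                  pk, oc, sp, dp, prot, rate))
    header = {"count": count, "flow_sequence": seq,
              "engine": (eng_type, eng_id), "sampling": rate}
    return header, records


class SequenceChecker:
    """Track flow_sequence per exporter engine and count flows that never arrived."""
    # Assumes Cisco v5 semantics: flow_sequence is the number of the first flow in
    # the datagram, so the next datagram should start at flow_sequence + count.

    def __init__(self):
        self.expected = {}
        self.lost = 0
        self.gaps = []   # (engine, expected sequence, sequence actually seen)

    def observe(self, header):
        eng, seq, count = header["engine"], header["flow_sequence"], header["count"]
        if eng in self.expected and seq != self.expected[eng]:
            gap = (seq - self.expected[eng]) & 0xFFFFFFFF
            if gap < 0x80000000:   # forward jump: flows were lost in between
                self.lost += gap
                self.gaps.append((eng, self.expected[eng], seq))
            # a backward jump is a reordered or duplicated datagram, not loss
        self.expected[eng] = (seq + count) & 0xFFFFFFFF


def analyse(datagrams):
    """Parse export datagrams in arrival order; report records, loss and sampling."""
    checker, records = SequenceChecker(), []
    for dg in datagrams:
        header, recs = parse_v5(dg)
        checker.observe(header)
        records.extend(recs)
    # Scale counters back up by the sampling rate, as collectors do. It is only an
    # estimate: short flows the sampler never picked are missing entirely.
    return {"records": records, "lost_flows": checker.lost, "gaps": checker.gaps,
            "estimated_octets": sum(r.octets * r.sampling for r in records)}


def build_v5(seq, rows, sampling_field=0, engine=(0, 0)):
    # Builds a v5 datagram; used only to construct the sample stream below.
    hdr = V5_HEADER.pack(5, len(rows), 0, 1538352000, 0, seq, *engine, sampling_field)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, inp, outp,
                       pk, oc, 0, 0, sp, dp, 0, 0, prot, 0, 0, 0, 0, 0, 0)
        for (s, d, inp, outp, pk, oc, sp, dp, prot) in rows)
    return hdr + body


# Constructed export stream from an edge router doing 1:1000 packet sampling; the
# third datagram's sequence jumps from 3 to 10, i.e. seven flows never arrived.
SAMPLED_1_IN_1000 = (1 << 14) | 1000
SAMPLE_DATAGRAMS = [
    build_v5(0, [("10.1.1.10", "198.51.100.7", 3, 5, 12, 9000, 43210, 443, 6),
                 ("198.51.100.7", "10.1.1.10", 5, 3, 20, 28000, 443, 43210, 6)],
             SAMPLED_1_IN_1000),
    build_v5(2, [("10.1.1.11", "10.1.1.53", 3, 3, 1, 75, 40001, 53, 17)],
             SAMPLED_1_IN_1000),
    build_v5(10, [("203.0.113.9", "10.1.1.10", 5, 3, 1, 40, 6000, 22, 6)],
             SAMPLED_1_IN_1000),
]
```

Run over a live feed (one call to `parse_v5` per UDP datagram received from the exporter), a nonzero lost_flows or a sampling rate above 1 is the signal that the exported data is incomplete: byte counts can be scaled back up, but the short flows a 1:1000 sampler never saw (a single SYN in a scan, one DNS query) are gone, which is the gap a dedicated probe on a TAP closes.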

Summary of Flow Gathering with Probe

[Figure: flow gathering schemes using Flowmon Probe]

Summary of Flow Gathering without Probe

[Figure: flow gathering schemes using other sources]

When to Choose Probe Over Other Flow Sources

There are many benefits of Flowmon Probe over other flow sources. First, you get the most accurate flow data even on 100G links: Flowmon Probe processes every packet, with no sampling. Second, Flowmon Probe provides deeper insight into network traffic than other flow sources, including Network Performance Metrics and application protocol metadata (DNS, DHCP and more). This is highly effective in quickly identifying the root cause of issues, reducing Mean-Time-To-Resolve. Third, Flowmon Probe is versatile: it supports various L2 and tunneling protocols and can be deployed in both physical and virtual environments. Last, but not least, Flowmon Probe can capture packets, which opens additional use cases such as Application Performance Monitoring (using Flowmon APM) or on-demand packet capture when you need even deeper visibility. Capture can also be triggered by anomaly detection (Flowmon ADS) for subsequent forensic analysis.

So now we know where flows come from. There are multiple ways to get flow data, each with its pros and cons. Flowmon Probe is not always a must, but its benefits give you deeper visibility to troubleshoot the network quickly, making the life of network admins easier and reducing the cost of operating the network too.