NetFlow is an enabler of modern network management and security. It is the most widely used standard for network traffic monitoring providing network administrators, security engineers and operations managers with a deep knowledge about their IT environment. NetFlow brings a completely new effectiveness when IT professionals perform troubleshooting, capacity planning, performance diagnostics and many other tasks.
For years, regular monitoring of a network was performed by the SNMP protocol that delivers an overview of the IT infrastructure; giving network administrators information about the availability of its components. Today, when the availability and proper working of a company's network is crucial for its existence, much more information and sophisticated methods are needed. To get this information Cisco has created NetFlow, a standard for collecting network traffic statistics from routers, switches or specialized network probes.
NetFlow provides information from layer 3 and layer 4 which means IP addresses, ports, protocol, timestamps, number of bytes, packets, flags and several other technical details. It could be easily imagined as a list of phone calls. We know who communicates with whom, when, how long, how often etc.; but we do not know what the subject of the conversation was. By collecting, storing and analysing this aggregated information, network administrators, security engineers or operations managers can run proceed several tasks.
Know the network at any time and any point
Monitor network traffic in real-time
Secure the network against internal and external threats
Track the historical data and drill-down to any host, application or conversation
Analyze the network flows for efficient capacity planning and traffic engineering
Fulfill the data retention law (lawful intercept)
Troubleshoot the network failures fast and precisely
Introduce intelligent traffic and financial reporting
Plan and monitor QoS policy in detail
Check the peering and service level agreements (SLA)
Introduce IP based billing and accounting
Find out who are the top users and get their statistics
NetFlow is the most widely used standard for flow data statistics in network communication. In the language of a data network environment, one flow represents a network communication with the same source IP address, source port, L4 protocol, destination IP address and destination port. NetFlow is available in different versions that significantly vary so that understanding the NetFlow version is important when choosing the right solutions for particular needs:
Currently, the most used versions are NetFlow v5 (fixed format) and NetFlow v9 (template-based, flexible). Another commonly used protocol is called IPFIX, also known as NetFlow v10. Internet Protocol Flow Information Export (IPFIX) was created by the IETF working group from the need for a common, universal standard of export for IP flow information. The IPFIX standard defines how IP flow information is formatted and transferred from an exporter to a collector. Previously many data network operators relied on the proprietary Cisco NetFlow standard for traffic flow information export. The IPFIX is a much more flexible successor of the NetFlow format and allows us to extend flow data with more information about network traffic.
The principle of NetFlow is described by the video. When a request from a client to the server is sent (green envelope), the active device with NetFlow export capability looks into the packet header and creates a flow record. The flow record contains information about the source & destination IP addresses and ports, protocol number, number of bytes and packets and all other information from layer 3 and 4. Individual data network communications are identified by five attributes: source & destination IP addresses, ports and protocol number. So when the server responds to the client IP addresses and ports in the packet header are reversed and another flow record is created – NetFlow is one way traffic technology. The subsequent packets with the same attributes update the previously created flow records (e.g.: number of bytes, duration of communication). When the communication is over, flow records are sent to the collector, where data is ready to be stored and analysed for different reasons.
Try Flowmon, a clever network monitoring and security solution based on flow data and NBA.
Learn more about the next generation network traffic monitoring based on flow data.
Get complete network traffic visibility with the high performance NetFlow/IPFIX collector.