NetFlow is a Cisco-developed feature/protocol that collects flow data about IP network traffic as packets cross a router interface, in either the inbound or the outbound direction. It also exports that data as NetFlow packets (NetFlow Export Datagrams) to a specific port on a specific external server. IT professionals use it for per-flow traffic monitoring.
Network Traffic Flow
What is a network traffic flow? A set of IP packets passing an observation point in the network during a specific time interval is defined as a network traffic flow. All packets belonging to a particular flow share a set of common properties. These properties can be values of IP header fields, characteristics of the IP packet, or values derived from both. The following seven properties identify packets as belonging to the same flow.
- Source IP address
- Destination IP address
- Source port
- Destination port
- Ingress Interface
- IP protocol
- IP Type of Service
A flow expires when its TCP connection is closed. The export process begins when the flow expires.
A network monitoring tool based on NetFlow has three significant components.
- Flow exporter
Routers with NetFlow enabled act as the flow exporter. Received packets are aggregated into flows, and the resulting flow records are exported to flow collectors.
- Flow collector
This component collects the exported flow records and is also responsible for storing and processing them.
- Analysis application
Analysis applications process the collected flow records to identify intrusion activity.
NetFlow Export Datagram
NetFlow export packets are carried over UDP. NetFlow export datagrams come in four formats, named version 1, version 5, version 7, and version 8.
Versions 1, 5, and 7 have two parts in a datagram: a header and flow records. Version 5 is the most popular and most appropriate version, because v5 is available on all NetFlow-enabled routers.
NetFlow Header Records
NetFlow Record Format
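As an added illustration that is not part of the original article, the following Python packs and parses a NetFlow v5 export datagram with the header and flow-record layout described above, derives the seven-field flow key from each record, and rejects datagrams whose record count disagrees with their actual length. The sample flows, addresses (10.0.0.x, 192.0.2.x) and timestamps are constructed test data, not a capture from a real router.

```python
import socket
import struct

# NetFlow v5 export datagram layout in network byte order; field order follows the Cisco v5 spec.
HDR_FMT = "!HHIIIIBBH"                # 24-byte header
REC_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48-byte flow record
HDR_LEN, REC_LEN = struct.calcsize(HDR_FMT), struct.calcsize(REC_FMT)

def build_v5_datagram(flows, sys_uptime, unix_secs, seq):
    """Pack a constructed v5 export datagram (a test fixture, not a capture from a real router)."""
    header = struct.pack(HDR_FMT, 5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        struct.pack(REC_FMT, socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    socket.inet_aton("0.0.0.0"), f["ifindex"], 0, f["pkts"], f["octets"],
                    f["first"], f["last"], f["sport"], f["dport"], 0, f["flags"],
                    f["proto"], f["tos"], 0, 0, 0, 0, 0)
        for f in flows)
    return header + body

def parse_v5_datagram(data):
    """Parse the header and flow records. The header's count is checked against the real length,
    because a collector must not trust the count field on a truncated or padded datagram."""
    if len(data) < HDR_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if count > 30 or len(data) != HDR_LEN + count * REC_LEN:  # v5 allows at most 30 records
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling}
    records = []
    for off in range(HDR_LEN, len(data), REC_LEN):
        (src, dst, _nexthop, ifindex, _out, pkts, octets, first, last, sport, dport, _pad1,
         flags, proto, tos, _src_as, _dst_as, _smask, _dmask, _pad2) = struct.unpack(REC_FMT, data[off:off + REC_LEN])
        rec = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ifindex": ifindex,
               "pkts": pkts, "octets": octets, "duration_ms": last - first, "sport": sport,
               "dport": dport, "tcp_flags": flags, "proto": proto, "tos": tos}
        # The seven fields the article lists as identifying a flow.
        rec["flow_key"] = (rec["src"], rec["dst"], sport, dport, ifindex, proto, tos)
        records.append(rec)
    return header, records

# Constructed sample: one TCP flow to port 443 and one UDP DNS query, both entering via ifindex 1.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "ifindex": 1, "pkts": 12, "octets": 1500, "first": 1000,
     "last": 4200, "sport": 51234, "dport": 443, "flags": 0x1B, "proto": 6, "tos": 0},
    {"src": "10.0.0.7", "dst": "192.0.2.53", "ifindex": 1, "pkts": 1, "octets": 76, "first": 2000,
     "last": 2000, "sport": 40001, "dport": 53, "flags": 0, "proto": 17, "tos": 0}]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, sys_uptime=5000, unix_secs=1700000000, seq=1)
```

Calling parse_v5_datagram(SAMPLE_DATAGRAM) returns the header dictionary and two records; feeding it the same bytes with the last byte cut off raises ValueError instead of yielding a partially parsed record.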
Why Should We Use NetFlow for Network Monitoring?
NetFlow is the best solution for monitoring network traffic levels per service and per host, and for traffic accounting. NetFlow records are smaller than the records produced by other packet-replicating methods such as port mirroring or hubs, so storing them does not take much storage capacity. Analyzing stored records is useful for identifying trends and past events and for using them in future network planning. Identifying network anomalies and security vulnerabilities from the generated NetFlow data can often protect networks from DDoS attacks and worm-like behaviour, and network administrators can act accordingly. Since NetFlow can monitor per IP and per service, network administrators gain a better understanding of how users and services are used. These data can be used for user profiling and traffic accounting.
NetFlow: Availability
Almost all routers running Cisco IOS software 11.1 support NetFlow. Some routers other than those on IOS 11.3 also support NetFlow, such as the Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, and 10000. The Cisco 2900, 3500, 3660, and 3750 do not support it.
Apart from routers, some Catalyst series switches support NetFlow, such as the Catalyst 4500, Catalyst 5500, and Catalyst 6000. Other switches may support NetFlow if they have any version of NFFC, RSM, or RSFC.
Some devices from major network equipment manufacturers other than Cisco also support NetFlow, such as the 3Com 8800 Series switches; the Adtran NetVanta 3200, 3305, 4305, 5305, 1524, 1624, 3430, 3448, 3130, 340, and 344; Juniper devices; etc.
Other Flow technologies
- JFlow - Juniper
- sFlow - Dell, Netgear, 3Com, HP
- NetStream - Huawei
- Rflow - Ericsson