
NetFlow is functionality standardized in network devices that gathers flow measurements and exports them to another system for analysis. Analysis of this flow data informs network managers of how the network is performing and of other usage details. For instance, flow analysis can support troubleshooting efforts by tracking IPs and highlighting anomalies such as excessive traffic use.

What is NetFlow?

Originally introduced by Cisco in 1995, NetFlow's ability to expose flow data became indispensable, and NetFlow became the de facto industry standard. By 2008, the popularity of flow-based monitoring protocols had motivated the IETF to standardize NetFlow as IPFIX. Although other vendor protocols exist, notably J-Flow and sFlow, NetFlow remains the most widely used flow-based monitoring protocol.

How does NetFlow work?

NetFlow is a typical feature on routers; however, NetFlow monitoring requires three components to turn flow records into usable information for network managers.

  1. Flow exporter — A flow exporter collects flow data in a flow cache and periodically exports it to the collector. This device is typically a router (a low-level device) or firewall that essentially passes the information on to the collector.
  2. Flow collector — Flow collectors are data storage servers that take in flow data for later processing by specialized software.
  3. Flow analyzer — Flow analyzers are applications that analyze flow data and present reports, alerts, dashboards, and network visualizations to inform network managers of the performance and usage of their networks.

What Flow Information is Passed on by NetFlow?

When a data packet enters a router, the router determines whether to forward it; if so, it begins recording a data flow in the flow cache based on the attributes of that packet. A data flow is identified by a set of 5-7 attributes that act like a fingerprint. Packets that share the same fingerprint are grouped together in the flow cache.

Each flow cache entry holds the following information based on the attributes of the data packets.

  1. Destination IP Addresses
  2. Source IP Addresses
  3. Destination Port Number
  4. Source Port Number
  5. Source Interface
  6. Layer 3 Protocol Type
  7. Class of Service
  8. Router or Switch Interface

Flow data is tallied in the flow cache until the flow expires. At that point, flow cache information is exported to the collector for storage and later analysis. This flow information can be used to understand network behavior in many ways.

  • Source address shows who is originating the traffic
  • Destination address shows who is receiving the traffic
  • Ports characterize the application generating the traffic
  • Class of service indicates the priority of the traffic
  • The device interface shows how traffic is flowing through the network device
  • Tallied packets and bytes show the amount of traffic

Additional information added to a flow includes

  • Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
  • Next-hop IP addresses including BGP routing Autonomous Systems (AS)
  • Subnet mask for the source and destination addresses to calculate prefixes
  • TCP flags to examine TCP handshakes
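The flow-cache behaviour described above (grouping packets by their fingerprint, tallying packets and bytes, recording first/last timestamps and cumulative TCP flags, and exporting a record when the flow expires) as an added illustration in Python; this is not code from the original article or from any NetFlow implementation. The packet records are constructed, the 7-tuple key, the 15 s inactive / 1800 s active timeouts and the FIN/RST early-expiry rule are simplifying assumptions modelled on common router defaults.

```python
from dataclasses import dataclass
# Constructed sample packets, not captured traffic:
# (time_s, src_ip, dst_ip, src_port, dst_port, proto, tos, in_ifindex, tcp_flags, bytes)
PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.10", 51000, 443, 6, 0, 1, 0x02, 60),    # SYN
    (0.1, "10.0.0.5", "203.0.113.10", 51000, 443, 6, 0, 1, 0x10, 52),    # ACK
    (0.2, "10.0.0.5", "203.0.113.10", 51000, 443, 6, 0, 1, 0x18, 1500),  # PSH|ACK
    (0.3, "10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 1, 0x00, 80),       # DNS query
    (5.0, "10.0.0.5", "203.0.113.10", 51000, 443, 6, 0, 1, 0x11, 52),    # FIN|ACK
    (40.0, "10.0.0.7", "10.0.0.53", 40000, 53, 17, 0, 1, 0x00, 80),      # same key, 40 s later
]

@dataclass
class Flow:
    first: float        # timestamp of the first packet in the flow
    last: float         # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # cumulative OR of the TCP flags seen in the flow

class FlowCache:
    def __init__(self, inactive_timeout=15.0, active_timeout=1800.0):  # assumed defaults
        self.inactive, self.active = inactive_timeout, active_timeout
        self.cache, self.exported = {}, []

    def _expire(self, now):  # idle flows and very long-lived flows are exported
        for key, flow in list(self.cache.items()):
            if now - flow.last >= self.inactive or now - flow.first >= self.active:
                self.exported.append((key, self.cache.pop(key)))

    def observe(self, pkt):
        ts, src, dst, sport, dport, proto, tos, ifindex, flags, size = pkt
        self._expire(ts)
        key = (src, dst, sport, dport, proto, tos, ifindex)  # the 7-tuple "fingerprint"
        flow = self.cache.setdefault(key, Flow(first=ts, last=ts))
        flow.last, flow.packets, flow.octets = ts, flow.packets + 1, flow.octets + size
        flow.tcp_flags |= flags
        if proto == 6 and flags & 0x05:  # FIN or RST closes a TCP flow immediately
            self.exported.append((key, self.cache.pop(key)))

    def flush(self):
        self.exported.extend(self.cache.items())  # export whatever is still active
        self.cache.clear()
        return self.exported

def run_cache(packets=PACKETS):
    fc = FlowCache()
    for p in packets:
        fc.observe(p)
    return fc.flush()
```

Running `run_cache()` yields three records: the HTTPS flow closed by its FIN (4 packets, 1664 bytes, flags 0x1B), the first DNS flow expired by the inactive timeout, and a second DNS record for the packet that arrived after the gap, which is why a single conversation can appear as several flow records in an analyzer.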

Related Terms

Network Forensics

Network forensics can be defined as the evaluation of data and patterns observed in network traffic between network devices, to gain insight into the sources of an attack or network problem and the extent of the damage that occurred. By investing in network forensics solutions, IT organizations can ensure that speed does not compromise the ability to respond to network outages, performance degradations, and security threats.

Network Troubleshooting

Network troubleshooting is the systematic process of searching for, diagnosing, and correcting network issues. Most critical to troubleshooting efforts is the adherence to a rigorous and repeatable process that relies on using standard and measurable testing methods so that changes to the network can be systematically understood.