What is IPFIX - Netflow's main Contender in Traffic Analysis

What is IPFIX? IPFIX stands for IP Flow Information Export, is a term that most network admins and engineers may not be familiar with, but if you couple it with the term Netflow, which is commonly used when you reference analyzing network data, things will start to make more sense.

IPFIX is very similar to Netflow, in the sense that it allows for network engineers and administrators to collect flow information from Switches, Routers and any other network devices that support the protocol and analyze the the Traffic Flow information that is being sent by processing it through a Network/Netflow Analyzer.

Most commercial netflow analyzers have started integrating compatibility to collect and analyze IPFIX flow traffic as well as Netflow traffic.

History of The Protocol

IPFix protocol was created to be a common and universal protocol for Exporting IP flow information from network devices, including Switches, Routers, firewalls and such to a Collector or Network Management System.

It was a standard created by the IETF on how information would be exported, formatted and transferred from the agent to a collector/analzyer for further segmentation, analysis and logging.

Derived from Netflow Version 9, it uses many of the same procedures for Exporting a “flow” to a Collector, which operate in a many-to-many relationship – meaning that an Exporter (or network device) can send to multiple collectors and multiple collectors can collect information from any number of Exporters/Devices.

A flow consists of all traffic that belongs to the same communication context, which basically means all IP data packets that belong tot he same “connection”.

Flow information is Pushed to the collectors without the need to request anything from them, and can be customized to include any number of pre-defined or user-defined information/data types. This flexibility is one of the protocols strong suits, as vendors can create custom templates with custom information they wish to collect and analyze.

Whats the Difference between IPFIX vs Netflow?

So if IPFIX is similar to Cisco’s Netflow, then what are the major differences between Netflow vs. IPFix? Lets highlight some of the major differences between the two:

First off, IPFIX has the ability to integrate information that would normally be sent to Syslog or SNMP information directly in the IPFIX packet, thus eliminating the need for these additional services collecting data from each network device. This essentially allows hardware vendors to specify a Vender ID and put any proprietary information into a Flow and export it out of the collector/analyzer for further dissecting and monitoring.
IPFIX also allows fields that are “Variable” length, which means that there is no fixed length an ID has to conform to. Netflow does not allow this type of variable length fields. Variable length fields allow you to then save information such as URL’s (which differ from site to site), Messages, HTTP hosts, and more.
Netflow v9 now supports Flexible Netflow which is almost equal to IPFIX.

IPFIX Port Number is: 4739

Vendors who Support IPFIX

Soon after IPFIX standard came to fruiton, many network device and software vendors jumped on the bandwagon to support the protocol that has Netflow like capabilites.

Here's a list of some of the vendors that are now supported and manufacturing IPFix capable hardware and software.

Avaya
Barracuda Networks
Blue Coat
Cisco Systems
Citrix
Ecessa
Extreme Network
F5 Networks
Juniper Networks
NetASQ
Nortel
nProbe
Open vSwitch
Plixer
Solera
Saisei Networks
SonicWall
VMware
Xirrus
YAF
ZTE

This is a quick overview of “What is IPFIX” and what differences there are between it and Netflow.

If you get a chance, download one of these Netflow Analyzers that Support IPFIX to get a better understanding of how the protocol/standard is used and how it differs from Netflow and sFlow.