Netflow, a protocol developed by Cisco, is used to collect and record all IP Traffic going to and from a Cisco router or switch that is Netflow enabled.
It allows you to collect traffic and analyze it through a program (Usually called a Netflow Collector or Analyzer) which then organizes the flow records into a format that allows the IT administrator or Network engineer to further analyze the traffic (Source, destination, etc).
The protocol allows you to really drill down into your network traffic to see where the traffic source is coming from and to where it is destined too when troubleshooting slow LAN or WAN network connections.
The protocol itself does not analyze the traffic, but as mentioned previous, when configured properly it sends traffic to a Collector or Analyzer, which is either a hardware device or more often than not, a software program.
Cisco originally developed the protocol for its products and soon after it has been the standard that many other manufacturers are implementing into their products as well, including Juniper (which has “JFlow”), 3Com/HP, Dell and Netgear (SFlow), Ericsson (RFlow), Huawei (NetStream) and Alcatel-Lucent (which uses CFlow).
Basics of the Protocol
Netflow is made up of a couple components:
NetFlow Cache (sometimes referred to as Data source or Flow Cache) – Stores the IP Flow information.
Netflow Export or Transport Mechanism – This sends data to the Collector to further data reporting and analyzing.
When a packet enters an interface that the router/switch hasn't seen before, it will decide whether or not to route the datagram, and if it forwards the datagram it will make an entry in the Flow Cache (in the router or switch) based on matching criteria in the packet.
Each packet within a Switch/Router that is forwarded is examined for a certain set of IP packet attributes that identify the packet and amongst others (you can think of this as a fingerprint of sorts.
An Ip Flow is made up of a Set of 5 attributes and can have up to 7 total.
The Attributes1 of each IP Packet are as follows:
- IP source address
- IP destination address
- Source port
- Destination port
- Layer 3 protocol type
- Class of Service
- Router or switch interface
Packets the have the following attributes that are the SAME, are grouped into whats called a FLOW, which are then tallied: Source/Destination IP address, Source/Destination ports, Protocol interface and Class of Service.
Determining a Flow is scalable because this data and information is organized into a Database of Netflow information called the Netflow Cache, or Flow Cache.
The Flow Cache entry contains information about the Flow including the following:
- Destination IP Addresses
- Source IP Addresses
- Destination Port Number
- Source Port Number
- Source interface,
- Layer 3 Protocol Type,
- ToS Byte – (means Type of Service Byte and takes into account the Precedence, Speed, Throughput Levels and Reliability
- Input Logical Interface (ifIndex) (The interface of the Router or Switch)
The packet is then routed out the destination interface. As the following packets that match an existing flow entry come into the router, the byte and packet counters keep increment through each additional data-gram until the connection between the host involved in the flow is torn down.
So packets that enter the Router that don't have a matching flow entry are first determined to be routeable and if they're accepted, they're then forwarded after a flow cache entry is made.
A Flow Cache can contain hundreds of thousands of entries, and in some cases, into the Millions of entries.
When the flows expire, they're exported off to the Netflow Collector, which will constantly analyze and archive the flows for future reference.
The Netflow Collector can then provide details on things like, the threats detected, the network topology, top interfaces and graph those trends.
Netflow is used for finding bandwidth hogs, hunting down network threats, isolating application slowness issues and even for usage based billing by some ISP's.
Many hardware vendors are now adopting IPFIX, which is the official standard for all flow technologies.
Both Netflow and IPFIX can be performed in hardware or software, they can be used to export information in real-time, right down to the second, and they can be used for both flow and packet sampling, much like SFLOW.
History of Netflow
As mentioned previously, Netflow was conceived at Cisco Systems, and is now a major standard that is included in almost every business grade router and switch that Cisco and other manufacturers produced.
SNMP is great for monitoring networked devices and capacity planning, but it lacks in more granular and in-depth traffic and bandwidth usage and utilization.
Roland Dobbins, a network engineer in the Internet Services group at Cisco said, “We needed a more granular understanding of how Cisco bandwidth is used,”1.
Soon after, Cisco introduced its Netflow Technology in 1996 which allowed for deeper insight, characterization and the ability to further analyze network traffic flows using a specialized Application-Specific Integrated Circuit (ASIC) coupled with features within the Cisco IOS Firmware and Catalyst OS Software.
By 2003, Cisco's Netflow Version 9 would be chosen to become a IETF (Internet Engineering Task Force which proposes Standards for the Internet, primarily TCP/IP) standard formally called IPFIX, or IP Flow Information Export.
How do I use NetFlow to monitor network traffic?
To use NetFlow to monitor network traffic, you need to configure NetFlow on network devices and export the data to a NetFlow collector. You can then use a NetFlow analyzer to process the data and generate reports and alerts.
How do I use NetFlow to improve network security?
NetFlow can be used to improve network security by providing visibility into network traffic, enabling organizations to detect and respond to security incidents more quickly. Additionally, NetFlow data can be integrated with security solutions, such as firewalls and intrusion detection systems, to provide more comprehensive protection.
How do I use NetFlow to troubleshoot network performance issues?
NetFlow can be used to troubleshoot network performance issues by providing detailed information about network traffic, including information about the volume, type, and destination of traffic. This information can help network administrators identify bottlenecks and other performance issues, and take action to resolve them.
What are some common challenges with using NetFlow?
Some common challenges with using NetFlow include ensuring that the technology is configured correctly on network devices, integrating NetFlow data with other security and network management solutions, and managing the volume of data generated by NetFlow.
What is the difference between NetFlow and sFlow?
NetFlow and sFlow are both technologies for collecting network traffic data, but they differ in their implementation and the type of data they collect. NetFlow is a proprietary technology developed by Cisco, while sFlow is an open standard supported by multiple vendors.
What is the difference between NetFlow v5 and v9?
NetFlow v5 and v9 are different versions of the NetFlow protocol, with v9 being the more recent and advanced version. NetFlow v9 provides more detailed information about network traffic, including support for IPv6 and MPLS, compared to v5.
For additional Reading on What Netflow is and How you can use it to monitor and analyze your Network, check out the following Whitepapers for more in-depth reading: