Netflow
Encyclopedia : N : NE : NET : Netflow
NetFlow is a Cisco IOS software feature and also the name of an open (but proprietary) Cisco protocol for collecting IP traffic information.
Protocol description
Cisco routers with netflow enabled generate netflow records, which are exported from the router in UDP packets and collected using a netflow collector. Juniper Networks provides a similar feature, for its routers it is called cflowd, which is basically NetFlow 5.Network flows have been defined in [many ways]. In the case of NetFlow, Cisco uses the common 5-tuple definition, where a flow is defined as a unidirectional sequence of packets all sharing the same source and destination IP address, source and destination port, and IP protocol. (This is called a 5-tuple since it is a set of 5 values.) The router will output a flow record when it determines that the flow is finished - it does this by flow aging; when the router sees new traffic for an existing flow it resets the aging counter. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing.
A NetFlow record can contain a wide variety of information about the traffic in a given flow. NetFlow version 5, which is one of the most commonly used version of NetFlow followed by version 9, contains a version number, a sequence number, input and output interface snmp indices, timestamps for the flow start and finish time, the number of bytes and packets observed in the flow, and most of the fields from the layer3 headers: the flow's source & destination IP addresses, source and destination port numbers, IP protocol, ToS value, and in the case of TCP flows the union of all TCP flags observed over the life of the flow. Some routers will also include the source and destination AS number, though this information can be inaccurate. NetFlow version 9 can include all of these fields and can optionally include additional information such as Multiprotocol Label Switching (MPLS) labels and IPv6 addresses and ports,
By analyzing flow data, one can build a picture of traffic flow and traffic volume in a network. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.
NetFlow records are usually sent via a User Datagram Protocol (UDP), and for efficiency reasons, the router does not store flow records once they are exported. Therefore, if the NetFlow record is dropped due to network congestion, it is lost forever -- there's no way for the router to resend it. The IP address of the netflow collector and the port upon which it is listening must be configured on the sending router but is usually either 2055 or 9555. NetFlow is also enabled on a per-interface basis to avoid unnecessarily burdening of the router's processor. NetFlow is generally based on the packets input to interfaces where it is enabled. This avoids double counting and saves work for the router. It also allows the router to export NetFlow records for dropped packets.
Maintaining NetFlow data can be computationally expensive for the router and burden the router's CPU to the point where it runs out of capacity. To avoid problems caused by router CPU exhaustion, Cisco provides "Sampled NetFlow". Rather than looking at every packet to maintain NetFlow records, the router looks at every nth packet, where n can be configured. When Sampled NetFlow is used, the NetFlow records must be adjusted for the effect of sampling -- traffic volumes, in particular, are now an estimate rather than the actual measured flow volume.
Versions
| Version | Comment |
|---|---|
| v1 | First try |
| v5 | Most used version |
| v6 | Encapsulation information |
| v7 | Switch information |
| v8 | Several aggregation forms |
| v9 | Template Based, allowing many combinations |
| IPFIX | aka v10; IETF Standardized NetFlow 9 with Enterprise fields and other community input |
See also
- [RFC3954 - NetFlow Version 9]
- IP Flow Information Export (IPFIX) - IETF work to standardize flow export, based on NetFlow version 9
- MRTG
- PRTG
- Caligare Flow Inspector
External links
- [NetFlow: Best Practices for Cisco IOS Netflow based Analysis]
- [Basic Netflow information on the Cisco Site]
- [List of Freeware NetFlow Software on the Cisco Site]
- [List of Commercial NetFlow Software on the Cisco Site]
- Article [Detecting Worms and Abnormal Activities with NetFlow, Part 1]
- Article [Detecting Worms and Abnormal Activities with NetFlow, Part 2]
- Article "[Quick Netflow Configuration Guide]" by Crannog Software
- Article "[Monitoring Network Traffic with Netflow]" by Michael W. Lucas
- White paper [How to gather NetFlow statistics using flow-tools, analyze them with FlowScan and create reports with CUFlow]
Freeware and Open-source Applications
- [Cesnet - NetFlow Monitor]
- [Flow-tools - Open source NetFlow analysis software]
- [Flowd - Open Source NetFlow collector]
- [nProbe] is an open source stand-alone NetFlow probe
Commercial Applications
- [Arbor Networks - Peakflow SP & X] - NetFlow analysis, BGP routing correlation, worm and DDoS detection, user tracking and policy compliance
- [Caligare - Caligare Flow Inspector] - NetFlow v1/v5/v6/v7/v9 analysis and user tracking software for enterprises and providers.
- [Crannog Software - Netflow Tracker] - Dynamic network monitoring with NetFlow Tracker
- [Crannog Software - Netflow Monitor] - Dynamic network monitoring with NetFlow Monitor
- [IBM - Aurora] - A Flow-Based Network Profiling System
- Infosim - [StableNet]
- [IsarFlow] - Accounting, Capacity Planning, Troubleshooting, Security, QoS Monitoring
- [ManageEngine - ManageEngine NetFlow Analyzer]
- [Mercury Application Mapping] MAM from Mercury, Inc. can perform CMDB population from NetFlow data.
- [Netmon] - Network monitoring appliance with integrated NetFlow v1/v5/v7 collection and analysis engine.
- [NetQoS ReporterAnalyzer] - Netflow traffic monitoring
- [NetScout nGenius Performance Manager] - Netflow traffic monitoring
- [Netusage] - Netflow traffic monitoring, capacity planning, business justification and cost control
- [Paessler Router Traffic Grapher (Windows Software that supports Netflow)]
- [Plixer International] Scrutinizer - Free commercial grade NetFlow analyzer
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.