What is NetFlow?
NetFlow is the “Kleenex” of flows. Just as many of us still say “May I have a Kleenex,” instead of using the generic word tissue, so too do some of us say “NetFlow” when we mean one of the many other flow versions.
NetFlow is a feature that was introduced on Cisco routers to provide the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.
A typical flow monitoring setup (using NetFlow) consists of three main components:
- Flow exporter: aggregates packets into flows and exports flow records toward one or more flow collectors. Typically flow exporters are routers and switches, but they can also be firewalls and other devices.
- Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
- Analysis application: analyzes received flow data in the context of intrusion detection or network traffic profiling.
A flow can be defined in many ways. Cisco NetFlow v5, the standard, defines a flow as the unidirectional sequence of packets that share the following values:
1. Ingress interface
2. Source IP address
3. Destination address
4. IP protocol
5. Source port for UDP or TCP
6. Destination port for UDP or TCP, type and code for ICMP
7. IP Type of Service
Cisco also offers NetFlow v7, v9 and v10, which expand on the v5 definition by adding more fields.
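The v5 flow definition above, sketched as a small flow-exporter cache that folds packets into unidirectional flows keyed on the seven fields. This is an added example, not code from the original page or from Cisco; the packet dictionaries, helper names, and sample addresses are constructed, and packing ICMP type and code into the destination-port slot as type*256 + code is an assumption of this example.

```python
from collections import namedtuple

# The seven NetFlow v5 key fields listed above. For ICMP the dst_port slot
# carries type and code, packed here as type*256 + code (example assumption).
FlowKey = namedtuple("FlowKey", "in_if src_ip dst_ip proto src_port dst_port tos")

TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers


def flow_key(pkt):
    """Derive the 7-field key for one packet (a dict of header fields)."""
    proto = pkt["proto"]
    sport, dport = 0, 0  # protocols without ports keep zeros
    if proto in (TCP, UDP):
        sport, dport = pkt["src_port"], pkt["dst_port"]
    elif proto == ICMP:
        dport = pkt["icmp_type"] * 256 + pkt["icmp_code"]
    return FlowKey(pkt["in_if"], pkt["src_ip"], pkt["dst_ip"],
                   proto, sport, dport, pkt["tos"])


def aggregate(packets):
    """Flow-exporter cache: fold packets into per-key packet/byte counters."""
    cache = {}
    for pkt in packets:
        rec = cache.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += pkt["length"]
    return cache


def pkt(in_if, src, dst, proto, length, tos=0, **extra):
    return dict(in_if=in_if, src_ip=src, dst_ip=dst, proto=proto,
                length=length, tos=tos, **extra)


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    pkt(1, "192.0.2.10", "198.51.100.5", TCP, 60, src_port=49152, dst_port=443),
    pkt(1, "192.0.2.10", "198.51.100.5", TCP, 1500, src_port=49152, dst_port=443),
    # Reply direction: different interface, swapped addresses/ports -> own flow.
    pkt(2, "198.51.100.5", "192.0.2.10", TCP, 1500, src_port=443, dst_port=49152),
    # Same 5-tuple but different ToS -> own flow.
    pkt(1, "192.0.2.10", "198.51.100.5", TCP, 60, tos=0xB8, src_port=49152, dst_port=443),
    pkt(1, "192.0.2.10", "198.51.100.5", ICMP, 84, icmp_type=8, icmp_code=0),
]

if __name__ == "__main__":
    for key, rec in aggregate(SAMPLE).items():
        print(key, rec)
```

Five packets yield four flows: the request and reply of one TCP connection are counted separately, which is why an analysis application has to pair the two directions itself before reasoning about a conversation.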
Other Flow Versions
IPFIX is an IETF protocol that was created based on the need for a common, universal standard of export for IP flow information from routers, switches, and other devices that are used by performance management systems. The IPFIX standard defines how IP flow information is to be formatted and transported from a flow exporter to a flow collector. It is based on Cisco NetFlow v5.
sFlow is short for "sampled flow" and is an industry standard for IP flow information. It provides a means for exporting truncated packets, together with interface counters for the purpose of network monitoring. Maintenance of the protocol is performed by the sFlow.org consortium. The current version of sFlow is v5.
J-Flow provides network operators with access to IP flow information across Juniper Networks devices. With J-Flow, network devices such as routers, firewalls, and switches collect flow data and export that information to flow collectors. The collected data provides critical information about traffic in the network and aids in tasks such as billing, traffic engineering, capacity planning, and traffic analysis for policy decisions.
AppFlow collects flow and user-session level information valuable for application performance monitoring, analytics, and business intelligence applications from Citrix NetScaler appliances. It also collects web page performance data and database information. AppFlow transmits the information by using IPFIX. AppFlow defines new Information Elements to represent application-level information, web page performance data, and database information.
NetStream collects IP traffic and resource usage, and sends the statistics to a dedicated Huawei Flow collector or a network management system (NMS) that has NetStream software installed for further accounting, network monitoring, or user monitoring and analysis.
Cflowd is an Alcatel-Lucent tool used to sample IPv4, IPv6, MPLS, and Ethernet traffic data flows through a router. Cflowd enables traffic sampling and analysis by ISPs and network engineers to support capacity planning, trend analysis, and characterization of workloads in a network service provider environment.
Riverbed NPM NetFlow Capabilities
Flow Gateway is Riverbed’s flow collector. It gathers IP data flows from across the enterprise, and then collates and deduplicates them to provide a single view of the entire flow. Individual device-specific metrics are appended to the flow, allowing other applications, such as Riverbed NetProfiler, to generate detailed reports.
Flow Gateway supports all popular flow metrics, from NetFlow (v5, v7, v9), IPFIX, Enhanced NetFlow, NBAR, sFlow, J-Flow, cFlowd, Packeteer FDR, Citrix AppFlow, Palo Alto Networks, Cisco NBAR2, MediaNet, ASA NSEL, AWS VPC Flow Logs, and Riverbed SteelFlow from SteelHead appliances.