In this blog we take a look at NetFlow and other network packet analytics: what they are, how they work and, most importantly, whether you should be monitoring them.
NetFlow is a catch-all term for network packet flow data exported by a network device such as a layer 3 switch or a router. NetFlow provides a view of the bandwidth on the network device's connected interfaces and of the types of traffic it is sending and receiving.
NetFlow was originally developed by Cisco for its range of network devices, starting with IOS 11.1. Today many other network device vendors either support NetFlow or use alternative flow specifications such as sFlow or jFlow.
There are ten numbered versions of NetFlow, of which only seven have been available commercially.
Version | Status |
Version 1 | Now obsolete |
Version 2 | Not commercially available |
Version 3 | Not commercially available |
Version 4 | Not commercially available |
Version 5 | Still commonly used today |
Version 6 | No longer available |
Version 7 | Added support for Cisco Catalyst |
Version 8 | Supports router-based flow aggregation |
Version 9 | Current version |
Version 10 | Used for identifying IPFIX |
Version 9 is the most common version of NetFlow in use today. It is template-based and can therefore be extended without changing the record format.
IPFIX is often referred to as NetFlow version 10; however, it is not an official release of NetFlow. Instead it is an IETF-standardised format for flow information, based on the NetFlow version 9 format.
Did you know that Ipswitch WhatsUp Gold supports NetFlow data through its Network Traffic Analysis feature?
Almost all Cisco network devices support NetFlow, with only a few exceptions. NetFlow is also available on a number of switches and routers from other vendors.
Vendor | Model | NetFlow Version |
Alcatel-Lucent | 7750SR | v5, IPFIX |
Juniper Legacy | M-Series, T-Series, MX-Series with DPC | v5, v8, v9 |
Juniper | MX-Series, FPC5 for T4000 | v5, IPFIX |
Enterasys | S-Series, N-Series | v5, v9 |
Flowmon Probe | 1000, 2000, 4000, 6000, 10000, 20000, 40000, 80000, 100000 | v5, v9, IPFIX |
Nortel | ERS5510, ERS5520, ERS5530, 8600 | v5, v9, IPFIX |
Huawei | NE5000E, NE40E/X, NE80E | v5, v9 |
A flow is a group of packets that share the same set of key values. The key can be configured from packet attributes such as source and destination IP address, source and destination port, IP protocol, type of service and ingress interface.
As each packet passes through the network device, these attributes are examined. A flow begins when the first packet with a given set of key values is seen, and each subsequent packet with the same key values is added to that flow.
Each flow is stored in a NetFlow cache on the network device. Once the flow has expired and no further packets will be added to it, it is handed to the NetFlow export process, which packs up to 30 flows into a single datagram.
The export process can then be configured to send flow datagrams to a NetFlow Collector.
A good example of a NetFlow Collector is Ipswitch WhatsUp Gold, a popular and well-known network monitoring solution which accepts NetFlow datagrams and aggregates them into graphs and other useful metrics.
NetFlow Collectors must be configured to accept NetFlow datagrams from a NetFlow source and must support the same version of NetFlow being used on the source.
It is typical to see NetFlow datagrams being sent on UDP port 2055, however this is customisable and often changed to match the incoming port on the NetFlow Collector.
NetFlow provides a depth of information about network traffic which is not achievable using any other protocol. As a result it is very popular with network monitoring solutions for reporting on bandwidth utilisation and identifying bottlenecks.
Collecting and aggregating NetFlow data over a period of time can also reveal patterns which highlight undesirable behaviour, its source and when it typically takes place.
Similarly, NetFlow is a useful tool when planning network expansion. It can highlight areas which may need greater bandwidth or where switches and routers are currently overburdened.
Finally, when paired with IP reputation services, NetFlow can be used to identify malicious communication on your network. For example, should a device on the network be compromised and communicating with a known command-and-control IP address, it can be flagged to an administrator for investigation.
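As an added illustration of the export and detection steps described above (not code from the original post or from WhatsUp Gold), the following Python parses a constructed NetFlow version 5 datagram the way a collector would, enforces the version check and the 30-flow limit, and matches each flow's destination against a small placeholder reputation deny-list. All addresses, ports and the deny-list entry are constructed sample values.

```python
import ipaddress
import struct

# NetFlow v5 is fixed-format: a 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_FLOWS_PER_DATAGRAM = 30  # v5 export packs at most 30 flows per datagram

def parse_v5_datagram(data):
    """Return (header dict, list of flow dicts) for one v5 export datagram."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = HEADER.unpack_from(data)
    if version != 5:  # a collector must match the exporter's NetFlow version
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_FLOWS_PER_DATAGRAM or len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("flow count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])), "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"version": version, "count": count, "sequence": seq}, flows

def flag_known_bad(flows, bad_ips):
    """Flows whose destination is on a reputation deny-list: candidates for C2 traffic."""
    return [f for f in flows if f["dst"] in bad_ips]

def build_record(src, dst, sport, dport, proto, packets, octets):
    """Constructed test data: one v5 record (next hop, AS numbers and padding zeroed)."""
    return RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0" * 4, 1, 2, packets, octets, 1000, 2000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: header (version 5, two flows, sequence 42) plus two records.
SAMPLE = (HEADER.pack(5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)
          + build_record("10.0.0.5", "203.0.113.10", 51515, 443, 6, 12, 3400)
          + build_record("10.0.0.7", "198.51.100.23", 40000, 8443, 6, 3, 210))
BAD_IPS = {"198.51.100.23"}  # placeholder entry standing in for an IP reputation feed

if __name__ == "__main__":
    header, flows = parse_v5_datagram(SAMPLE)
    print(f"v{header['version']} datagram, {header['count']} flows, sequence {header['sequence']}")
    for f in flag_known_bad(flows, BAD_IPS):
        print(f"ALERT {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']}")
```

A real collector would read these datagrams from UDP port 2055 (or whichever port the exporter is configured to use) and pull the deny-list from a reputation feed instead of a constant.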
NetFlow and other flow recording standards can be exported to Ipswitch WhatsUp Gold for analysis and aggregation. If you would like to learn more about WhatsUp Gold, why not book a demo with one of our solution specialists today?