IT Security News & Blog

Everything You Wanted to Know About NetFlow and More

Posted: 28 August 2019

In this blog we take a look at NetFlow and other network flow analytics: what they are, how they work and, most importantly, whether you should be monitoring them.


What is NetFlow?

NetFlow is a catch-all term for the network flow data exported by a network device such as a layer 3 switch or a router. NetFlow provides a view of the bandwidth on the device's connected interfaces and of the types of traffic it is sending and receiving.

NetFlow was originally developed by Cisco for its range of network devices, starting with IOS 11.1. Today many other network device vendors either support NetFlow or use alternative flow specifications, such as sFlow or jFlow.


Which Version of NetFlow is Current?

Numerically there are ten official versions of NetFlow, with only seven of those having been available commercially.

Version     Status
Version 1   Now obsolete
Version 2   Not commercially available
Version 3   Not commercially available
Version 4   Not commercially available
Version 5   Still commonly used today
Version 6   No longer available
Version 7   Added support for Cisco Catalyst
Version 8   Supports router-based flow aggregation
Version 9   Current version
Version 10  Used for identifying IPFIX

Version 9 is the most common version of NetFlow available today. It is template-based and can therefore be extended with new fields without changing the record format.

IPFIX is often referred to as NetFlow version 10; however, it is not an official release of NetFlow. Instead it is an IETF standardised format for flow information, which is based on the NetFlow version 9 export format.

Did you know that Ipswitch WhatsUp Gold supports NetFlow data through its Network Traffic Analysis feature?


Which Devices Support NetFlow?

Almost all Cisco network devices support NetFlow. NetFlow is also available on a number of switches and routers from other vendors.

Vendor          Model                                                              NetFlow Version
Alcatel-Lucent  7750SR                                                             v5, IPFIX
Juniper         Legacy M-Series, T-Series, MX-Series with DPC                      v5, v8, v9
Juniper         MX-Series, FPC5 for T4000                                          v5, IPFIX
Enterasys       S-Series, N-Series                                                 v5, v9
Flowmon         Probe 1000, 2000, 4000, 6000, 10000, 20000, 40000, 80000, 100000   v5, v9, IPFIX
Nortel          ERS5510, ERS5520, ERS5530, 8600                                    v5, v9, IPFIX
Huawei          NE5000E, NE40E/X, NE80E                                            v5, v9


How Does NetFlow Work?

A flow is a group of packets that share the same set of key attributes. The set of key attributes can be configured from packet fields such as:

  • IP Source
  • IP Destination
  • Source Port
  • Destination Port
  • Class of Service
  • Protocol
  • Interface

As each packet passes through the network device, the attributes listed above are examined. A flow begins when the first packet with a new combination of these attributes is seen; each subsequent packet matching the same set is placed into that flow.

Each recorded flow is stored in the NetFlow cache on the network device. Once the flow has expired and no further data will be added to it, it is passed to the NetFlow export process, which packs up to 30 flows into a datagram.

The export process can then be configured to send flow datagrams to a NetFlow Collector.

A good example of a NetFlow Collector is Ipswitch WhatsUp Gold, a popular and well-known network monitoring solution which accepts NetFlow datagrams and aggregates them into graphs and other useful metrics.

NetFlow Collectors must be configured to accept NetFlow datagrams from a NetFlow source and must support the same version of NetFlow being used on the source.

It is typical to see NetFlow datagrams being sent to UDP port 2055; however, this is customisable and is often changed to match the listening port on the NetFlow Collector.


What is NetFlow Used For?

NetFlow provides a depth of information about network traffic which is not achievable with other protocols. As a result it is very popular with network monitoring solutions for reporting on bandwidth utilisation and identifying bottlenecks.

By collecting and aggregating NetFlow data over a period of time, patterns can also be found which highlight undesirable behaviour, where it originates and when it typically takes place.

Similarly, NetFlow is a useful tool when planning network expansion. It can highlight areas which may need greater bandwidth or where switches and routers are currently overburdened.

Finally, NetFlow, when paired with IP reputation services, can be used to identify malicious communication in your network. For example, should a device in the network be compromised and communicating with a known command and control IP address, the flow can be flagged to an administrator for investigation.
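As an added example (not code from the original post, nor from WhatsUp Gold), the following Python decodes a NetFlow v5 export datagram of the kind described above, a 24-byte header followed by up to 30 fixed-size flow records, and then matches each flow's destination against an IP reputation list, as in the command and control scenario. The sample datagram and the reputation entry are constructed inline; the field layout follows the published v5 record format, and `build_v5` exists only to produce that test data.

```python
import ipaddress
import struct
from dataclasses import dataclass
# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    octets: int

def parse_v5(datagram: bytes) -> list:
    """Decode one v5 export datagram; reject wrong versions and inconsistent lengths."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count inconsistent with datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r[0]/r[1] are srcaddr/dstaddr, r[6] dOctets, r[9]/r[10] ports, r[13] protocol
        flows.append(Flow(str(ipaddress.IPv4Address(r[0])), str(ipaddress.IPv4Address(r[1])),
                          r[9], r[10], r[13], r[6]))
    return flows

def reputation_hits(flows: list, bad_ips: set) -> list:
    """Flag flows whose destination is on an IP reputation list (e.g. known C2 addresses)."""
    return [f for f in flows if f.dst in bad_ips]

def build_v5(flows: list) -> bytes:
    """Build a v5 datagram from Flow records (constructed test data, not a real exporter)."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1566950400, 0, 1, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(f.src).packed, ipaddress.IPv4Address(f.dst).packed, b"\0" * 4,
        1, 2, 10, f.octets, 900, 1000, f.sport, f.dport, 0, 0x18, f.proto, 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body

# Constructed sample: a normal HTTPS flow plus a flow to a made-up address on the list.
SAMPLE = build_v5([Flow("10.0.0.5", "192.0.2.80", 52100, 443, 6, 4800),
                   Flow("10.0.0.7", "203.0.113.9", 49222, 8443, 6, 15000)])
BAD_IPS = {"203.0.113.9"}  # constructed reputation entry (TEST-NET-3 documentation range)
```

A real collector would read each datagram from a UDP socket bound to the exporter's configured port (2055 by default) and feed it to `parse_v5`; the version check matters because a v9 or IPFIX exporter sends template-based records this decoder cannot interpret.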

NetFlow and other flow recording standards can be exported to Ipswitch WhatsUp Gold for analysis and aggregation. If you would like to learn more about WhatsUp Gold, why not book a demo with one of our solution specialists today?



Written by Chris Payne

Managing Director - Advanced Cyber Solutions