The level or knowledge or even awareness of netflow is a mixed bag, in my experiences speaking with IT managers and network engineers. Those who have attended accredited courses for network equipment or those networking veterans will be very familiar with the technology. For others, it is a new and exciting technology which can reveal a vast wealth of insight into network traffic.
What is Netflow?
Netflow is a protocol, originally created by industry giant Cisco, is used to collect and record all IP Traffic going to and from a network device which has the netflow function enabled. This collected packet data is then usually forwarded to a netflow analyser or network monitoring solution where it is collated and presented.
Netflow is incredibly revealing. Whereas network device monitoring using SNMP can reveal hardware issues or network interface utlisation; netflow can reveal detailed information about data packets themselves, such as:
Class of service.
This data can then be presented in a format which highlights problem areas or trends. For example, spikes in traffic overnight to a cloud-based backup solution using HTTPS.
Due to its obvious advantages, other network device manufacturers were quick to produce netflow like features themselves, such as Juniper JFlow; and HP SFlow.
In the case of the cache, this is a temporary holding space in system memory where data flows are held before being handed to the exporter for delivery to your configured netflow analyser or network monitoring tool.
Netflow attempts to identify flows or strings of related network packets, rather than treat each individually. This helps to understand the context of network conversations.
Each time a packet is received on network device, its source, destination, port numbers, protocol, TOS byte and input are analysed to determine the flow it belongs to. Once identified, it is then added to its respective flow and stored in the netflow cache.
Once the netflow cache reaches its maximum size or its time to live value expires, the contents of the netflow cache are exported to a configured destination determined by you. This could be a dedicated netflow analyser tool or a full network management suite which accepts netflow as a complimenting feature.
Network monitoring solutions such as the widely acclaimed Ipswitch WhatsUp Gold includes an extension for netflow analysis. With drill-down reports and real-time dashboards, you have complete visibility of your network traffic.
While some free analysers do exist, they are limited in functionality and will often restrict the number of sources; and so you will be left asking whether or not paying for a solution or a plug-in for netflow is a nice to have or is a worthwhile investment.
A number of our customers use netflow analysing features and have cited different reasons, including:
Understanding why network speeds would slow at particular times in the day.
Discovering how much traffic related to internet browsing during working hours.
Monitoring large file transfers or cloud destined backups during the night.
Understanding the makeup of traffic in the network.
Discovering bottlenecks which need correcting.
Discovering outbound routes, some of which had been thought to have been disused.