IT Security News & Blog

What is Netflow and Why Should I Monitor It?

Posted: 24 July 2018

The level or knowledge or even awareness of netflow is a mixed bag, in my experiences speaking with IT managers and network engineers. Those who have attended accredited courses for network equipment or those networking veterans will be very familiar with the technology. For others, it is a new and exciting technology which can reveal a vast wealth of insight into network traffic.

 

What is Netflow?

Netflow is a protocol, originally created by industry giant Cisco, is used to collect and record all IP Traffic going to and from a network device which has the netflow function enabled. This collected packet data is then usually forwarded to a netflow analyser or network monitoring solution where it is collated and presented.

Netflow is incredibly revealing. Whereas network device monitoring using SNMP can reveal hardware issues or network interface utlisation; netflow can reveal detailed information about data packets themselves, such as:

  • Source.
  • Destination.
  • Size.
  • Port number.
  • Protocol.
  • Class of service.
  • Errors.

This data can then be presented in a format which highlights problem areas or trends. For example, spikes in traffic overnight to a cloud-based backup solution using HTTPS.

Due to its obvious advantages, other network device manufacturers were quick to produce netflow like features themselves, such as Juniper JFlow; and HP SFlow.

 

How Does Netflow Work?

Netflow consists of two main components. The netflow cache and the netflow exporter.

In the case of the cache, this is a temporary holding space in system memory where data flows are held before being handed to the exporter for delivery to your configured netflow analyser or network monitoring tool.

Do you use a network monitoring solution? Take a look at our blog entitled "Ten Reasons why Network Monitoring Software is a Must Have".

Netflow attempts to identify flows or strings of related network packets, rather than treat each individually. This helps to understand the context of network conversations.

Each time a packet is received on network device, its source, destination, port numbers, protocol, TOS byte and input are analysed to determine the flow it belongs to. Once identified, it is then added to its respective flow and stored in the netflow cache.

Netflow and Flow Cache Entry

Once the netflow cache reaches its maximum size or its time to live value expires, the contents of the netflow cache are exported to a configured destination determined by you. This could be a dedicated netflow analyser tool or a full network management suite which accepts netflow as a complimenting feature.

Ipswitch WhatsUp Gold Network Traffic Analysis

Network monitoring solutions such as the widely acclaimed Ipswitch WhatsUp Gold includes an extension for netflow analysis. With drill-down reports and real-time dashboards, you have complete visibility of your network traffic.

If you would like to see a demonstration of this solution, book a short call with one of our consultants today.

 

Benefits to Using Netflow

While some free analysers do exist, they are limited in functionality and will often restrict the number of sources; and so you will be left asking whether or not paying for a solution or a plug-in for netflow is a nice to have or is a worthwhile investment.

A number of our customers use netflow analysing features and have cited different reasons, including:

  • Understanding why network speeds would slow at particular times in the day.
  • Discovering how much traffic related to internet browsing during working hours.
  • Monitoring large file transfers or cloud destined backups during the night.
  • Understanding the makeup of traffic in the network.
  • Discovering bottlenecks which need correcting.
  • Discovering outbound routes, some of which had been thought to have been disused.

In all cases, our customers have been happy about the information which netflow analysis has revealed; and have been able to apply some corrective action where the result was undesired.

If you think your organisation could benefit from this level of insight into network traffic, consider netflow analysis or a network monitoring solution.

Want to learn more about network monitoring solutions? Take a look at our definitive guide to network monitoring and incident response

 

Network Monitoring Solution Buyers Guide

Topics: Network Monitoring, WhatsUp Gold, NetFlow

Chris Payne

Written by Chris Payne

Managing Director - Advanced Cyber Solutions