Collecting Netflow. How does it work?

Siniša Antunović

BDM for Data Centre Solutions

sinisa.antunovic@alef.com

    NetFlow is the most widely used standard for flow data statistics in network communication. In the language of a data network environment, one flow represents a network communication with the same source IP address, source port, L4 protocol, destination IP address and destination port. 

    NetFlow is available in different versions that significantly vary so that understanding the NetFlow version is important when choosing the right solutions for particular needs:

    • NetFlow v5 – the most common version available on various routers and active network components. However, this version does not meet current needs. NetFlow v5 does not support IPv6 traffic, MAC addresses, VLANs or other extension fields.
    • NetFlow v9 – template based standard described in RFC 3954 known also as flexible NetFlow. It supports IPv6 as well as the fields missing in NetFlow
    • NetFlow v10 aka IPFIX – standardized by IETF, extended version of NetFlow v9 that supports variable length fields (e.g. HTTP hostname or HTTP URL) as well as Enterprise-defined fields.
    • Currently, the most used versions are NetFlow v5 (fixed format) and NetFlow v9 (template-based, flexible). Another commonly used protocol is called IPFIX, also known as NetFlow v10. Internet Protocol Flow Information Export (IPFIX) was created by the IETF working group from the need for a common, universal standard of export for IP flow information. The IPFIX standard defines how IP flow information is formatted and transferred from an exporter to a collector. Previously many data network operators relied on the proprietary Cisco NetFlow standard for traffic flow information export. The IPFIX is a much more flexible successor of the NetFlow format and allows us to extend flow data with more information about network traffic.

      Here you can check Understanding Netflow Principle Animation

      The principle of NetFlow is described by the video. When a request from a client to the server is sent (green envelope), the active device with NetFlow export capability looks into the packet header and creates a flow record. The flow record contains information about the source & destination IP addresses and ports, protocol number, number of bytes and packets and all other information from layer 3 and 4. Individual data network communications are identified by five attributes: source & destination IP addresses, ports and protocol number. So when the server responds to the client IP addresses and ports in the packet header are reversed and another flow record is created – NetFlow is one way traffic technology. The subsequent packets with the same attributes update the previously created flow records (e.g.: number of bytes, duration of communication). When the communication is over, flow records are sent to the collector, where data is ready to be stored and analysed for different reasons.

      For more information about most effective and easiest way to gather NetFlow and analyse network traffic check out this link