Netflow

NetFlow is a technique in which a device, usually a router or layer 3 switch, exports information about the IP data streams passing through it via UDP. These UDP datagrams are received, stored and processed by a NetFlow collector. The collected data are used for traffic analysis, capacity planning or QoS analysis.

Technology

NetFlow was originally a Cisco technology but is now supported by many manufacturers. Besides NetFlow there are also cFlow (Juniper) and NetStream (Huawei); both are technically identical to NetFlow. There are different versions of NetFlow. NetFlow version 9 is described as an open standard in RFC 3954. NetFlow version 5 is the version most commonly used in practice. sFlow (RFC 3176) uses statistical sampling and is incompatible with NetFlow, although converters exist. The IPFIX standard (RFC 3917) was developed independently of any manufacturer and represents an extension of NetFlow version 9.

A flow typically contains the following information:

  • Version number and sequence number
  • Timestamp
  • Byte and packet counters
  • Source and destination IP addresses
  • Source and destination port number
  • Ingress and egress port number
  • TOS information
  • AS numbers (BGP 4)
  • TCP flags
  • Protocol type (for example TCP, UDP or ICMP)

Depending on the NetFlow version, the contents of the export datagrams differ slightly. Detailed information can be found on Cisco's website.

Application

NetFlow, like SNMP, is a passive measurement method: it observes the traffic without influencing it. Like every passive measurement method, NetFlow therefore produces volume information, typically in kbit/s.

Collector software is required to analyze the NetFlow data. The analysis is usually conducted in two ways:

  • Top-N analysis
  • Time analysis

A top-N analysis searches, over a user-defined period (e.g. 24 hours), for the elements that generate the most traffic. The criteria can be source IP addresses (top talkers), TCP ports (top applications) or other fields of the NetFlow datagram.

A time analysis shows the traffic volume of the individual components along a time axis.

Since the NetFlow datagrams are sent via UDP, the collector must be fast enough to receive, process and store the data. Lost datagrams cannot be recovered. Transferring NetFlow data over WAN links is therefore particularly problematic. Distributed systems have proven especially suitable here. Some systems are able to keep evaluations ready in a central data mart, which has the advantage that information does not have to be transmitted repeatedly over WAN links.

In the service provider environment, multi-tenancy is an important property of NetFlow systems: it ensures that each participant can view only the data they need.
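As an added illustration (not code from the original article or from any of the tools listed below), the following Python script shows what a minimal collector does with the flow fields listed above: it decodes NetFlow version 5 export datagrams, uses the header's flow sequence number to detect export datagrams lost on the UDP path, runs the top-N analysis described (top talkers and top applications by byte count) and applies a simple per-tenant filter for the multi-tenancy case. The datagrams are constructed inside the script with a small packing helper; the addresses, tenant prefix, AS numbers and interface indices are made-up sample values.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address, ip_network

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(seq, uptime, flows):
    """Fabricate a v5 export datagram; only used here to construct sample input."""
    header = V5_HEADER.pack(5, len(flows), uptime, 1_700_000_000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, uptime - 1000, uptime, sport, dport,
                       0, flags, proto, 0, 64500, 64501, 24, 24, 0)  # made-up AS/ifindex values
        for src, dst, sport, dport, proto, pkts, octets, flags in flows)
    return header + body


def parse_v5_datagram(data):
    """Return (header, flow records). Rejects truncated or non-v5 datagrams."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": flow_seq,
              "engine": (engine_type, engine_id),
              "sampling_interval": sampling & 0x3FFF}  # low 14 bits; top 2 bits are the mode
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
                      "first": f[7], "last": f[8], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13], "tos": f[14],
                      "src_as": f[15], "dst_as": f[16]})
    return header, flows


class SequenceTracker:
    """v5 flow_sequence counts flows, so the next datagram should start at seq + count.
    A positive gap means export datagrams were lost in transit (UDP has no retransmission)."""

    def __init__(self):
        self.expected = None
        self.lost_flows = 0

    def observe(self, header):
        seq = header["flow_sequence"]
        if self.expected is not None:
            gap = seq - self.expected
            if gap > 0:
                self.lost_flows += gap
            # gap < 0: exporter restart or reordering; simply resynchronise
        self.expected = seq + header["count"]


def top_n(flows, key, n=3):
    """Top-N analysis: rank values of `key` (src = top talkers, dport = top applications) by bytes."""
    counter = Counter()
    for f in flows:
        counter[f[key]] += f["bytes"]
    return counter.most_common(n)


def tenant_view(flows, prefixes):
    """Multi-tenancy filter: keep only flows that touch the tenant's own address space."""
    nets = [ip_network(p) for p in prefixes]
    return [f for f in flows
            if any(IPv4Address(f["src"]) in n or IPv4Address(f["dst"]) in n for n in nets)]


# Constructed sample: three datagrams; the one carrying flows 4 and 5 never arrived.
SAMPLE_DATAGRAMS = [
    build_v5_datagram(0, 100_000, [("10.0.0.5", "192.0.2.10", 51000, 443, 6, 10, 15000, 0x18),
                                   ("10.0.0.7", "192.0.2.10", 51001, 80, 6, 5, 2000, 0x10)]),
    build_v5_datagram(2, 101_000, [("10.0.0.5", "192.0.2.20", 51002, 443, 6, 20, 30000, 0x18),
                                   ("10.0.1.9", "192.0.2.10", 53000, 53, 17, 1, 120, 0x00)]),
    build_v5_datagram(6, 102_000, [("10.0.0.7", "192.0.2.30", 51003, 443, 6, 3, 5000, 0x02)]),
]


def analyze(datagrams):
    """Collector pass: parse every datagram, track losses, then run the top-N analyses."""
    tracker, flows = SequenceTracker(), []
    for dg in datagrams:
        header, recs = parse_v5_datagram(dg)
        tracker.observe(header)
        flows.extend(recs)
    return {"flows": flows, "lost_flows": tracker.lost_flows,
            "top_talkers": top_n(flows, "src"), "top_applications": top_n(flows, "dport")}


if __name__ == "__main__":
    result = analyze(SAMPLE_DATAGRAMS)
    print("lost flows:", result["lost_flows"])
    print("top talkers:", result["top_talkers"])
    print("top applications:", result["top_applications"])
    print("tenant 10.0.1.0/24 sees:",
          [(f["src"], f["dst"]) for f in tenant_view(result["flows"], ["10.0.1.0/24"])])
```

The loss check is what makes the WAN problem visible: a collector that only counts received records cannot tell a quiet link from a lossy one, whereas the sequence gap turns silent UDP loss into a measurable number per exporter. The length check in the parser matters for the same reason; a datagram that was truncated in transit must be rejected rather than partially decoded into bogus records.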

Free Software

  • Flowd NetFlow collector
  • nfdump, collector and analysis tools, and NfSen, a web frontend for nfdump
  • Stager, analysis tool for Netflow data
  • pmacct, NetFlow and sFlow collector; uses libpcap

Freeware

  • SevOne free VPAs (3 NetFlow interfaces, active reports)
  • SolarWinds NetFlow Analyzer (Windows)

Commercial Software

  • TCP/IP