The (Net)Flow That Kentik Makes Go: Know Your Traffic Flow Data Protocols

Not Just for NetFlow, Kentik Detect’s Analytics Cover All Major Flow Protocols

In networking terms, a “flow” defines a uni-directional set of packets sharing common attributes such as source and destination IP, source and destination ports, IP protocol, and type of service. “NetFlow” may be the most common short-hand term for this network flow data, but that doesn’t mean it’s the only important protocol for the exchange of metadata related to flows transiting network infrastructure. In fact there are three primary flavors of flow data — NetFlow, sFlow, and IPFIX — as well as a variety of brand-specific names used by various networking vendors. This practice allows some vendors to provide NetFlow-equivalent functionality without invoking a Cisco-owned trade name, but it also creates a bit of confusion in the marketplace. So to help provide clarity, we’ve listed below names and descriptions for the main flow-data protocols supported by Kentik Detect.

• NetFlow: NetFlow is the trade name for a flow export protocol invented by Cisco Systems. NetFlow statefully tracks IP packets on a per-flow basis. The primary deployed versions, v5 and v9, are both supported by Kentik Detect. The main distinction is support in v9 for templating, which allows greater flexibility in content and interpretation of flow records.
• IPFIX: IPFIX is an IETF standards-based protocol that is largely modeled on NetFlow v9 and is sometimes referred to as NetFlow v10. Like NetFlow (as well as J-Flow, cflowd, and RFlow) IPFIX is generated by stateful monitoring of packets within flow. IPFIX, however, allows variable-length fields and can integrate into its flow records types of information that would otherwise be sent to syslog or SNMP.
• sFlow: sFlow is used to record statistical, infrastructure, routing, and other information about IP traffic traversing an sFlow-enabled router or switch. Unlike NetFlow, sFlow doesn’t statefully track packets within flows, but is derived instead from packet sampling. Created by InMon Corporation, sFlow is now a multi-vendor protocol that is supported by many vendors such as A10, Alaxala, Alcatel-Lucent, Allied Telesis, Arista, Aruba, Big Switch, Brocade, Cisco, Cumulus Networks, Dell, D-Link, Enterasys, Extreme Networks, F5, Fortinet, Hewlett-Packard, Huawei, IBM, Juniper Networks, NEC, Netgear, and ZTE.
• J-Flow: J-Flow is a flow monitoring implementation from Juniper Networks. It is functionally equivalent to NetFlow. J-Flow comes in v5, v8, and v9 variants, each of which is cross compatible with the corresponding version of NetFlow.
• cflowd: cflowd is used by vendors such as Alcatel-Lucent and Nokia to designate both flow monitoring functionality and the format (protocol) of the resulting data. It is functionally equivalent to NetFlow, with multiple versions corresponding to to v5, v8, v9, and IPFIX.
• RFlow: RFlow was the flow monitoring implementation of Redback Networks, now part of Ericsson. RFlow is based on NetFlow v5.

Flow Data Variations

Pretty much all flow data protocols support what we might call the “basic” flow fields in the following list:

• Source & dest IP
• Protocol
• Source & dest port
• TCP flags
• Input interface and output interface ID
• Byte and packet counts
• ToS/DSCP value
• Source and dest ASN
• Source and dest IP mask
• Next hop IP

Because of the variable functionality available in various protocol versions and implementations, however, there is much more to flow data than just the basics listed above. Some versions, but not all, support other data fields such as MAC address, VLAN ID, and IPv6. For example, NetFlow v9, IPFIX, and sFlow support IPv6 but NetFlow v5 and its equivalents don’t. For more details on some of these variations check out our Knowledge Base topic on Flow Protocols.

Flow Exporting Devices

Flow data is commonly associated with routers and switches, but devices such as load balancers, ADCs, network visibility switches, and security devices can also export flow data. There are some white box switches, however, that don’t support any flow protocol. What if you don’t have any network devices that can export flow? Fortunately, Kentik has partnered with ntop to provide Kentik-compatible host agent software called nProbe, which can be run either as a host agent or as a probe running on a data center appliance. nProbe sends IPFIX to Kentik Detect.

No matter which protocol you use, flow data adds up quickly, requiring an ingest, storage, and querying architecture that can handle massive volumes of traffic. Kentik Detect offers the ease of SaaS but also the power of big data, turning flow, performance, BGP, SNMP, and geolocation data into powerful, real-time insights for network traffic analysis, network performance monitoring, network planning, and DDoS protection. Ready to learn more? Contact us and we’ll be happy to walk you through a demo. Or try it for yourself by signing up for a free trial.