NetFlow Guide: Types of Network Flow Analysis
NetFlow is a protocol that Cisco developed. It is used to record metadata about IP traffic flows traversing a network device such as a router, switch, or host. A NetFlow-enabled device generates metadata at the interface level and sends this information to a flow collector, where the flow records are stored to enable network traffic analytics. A network operator can use NetFlow data to determine network throughput, packet loss, and traffic congestion at a specific interface level.
While the term “NetFlow” is commonly used to refer to all types of flow records, there are actually three other important variants in regular use:
- IPFIX is an IETF standard flow record format that is very similar in approach and structure to NetFlow.
- J-Flow from Juniper Networks, which essentially conforms to NetFlow v5.
- sFlow was introduced and promoted by InMon Corp but unlike NetFlow it relies on statistical sampling methods for documenting flows.
The term xFlow, while not a variant itself, is the generic term often used to refer collectively to all flow record variants: NetFlow, IPFIX, J-Flow, sFlow, and so on.
NetFlow monitoring solutions are typically comprised of three main components:
- Exporter: A NetFlow-enabled device generates flow records and periodically exports them to a flow collector. The exporter identifies a flow as a unidirectional stream of packets having in common (at least) the following attributes: IP source address, IP destination address, source port number, destination port number, Layer 3 protocol field, and Type of Service.
- Collector: A program running on a server or cloud infrastructure that receives, stores, and pre-processes flow records from NetFlow-enabled devices.
- Application: An analysis application that processes flow records collected by the flow collector into reports, alerts, dashboards, and other results.
A flow is a defined set of packets, and the core metadata describing it (information about the flow rather than the contents of the packets themselves) is what a NetFlow "flow record" contains. When a new unidirectional IP traffic flow starts traversing a device, the device creates a new flow record and tracks it in its on-board cache. Because NetFlow devices continuously export their records for processing by an analysis application, time-based analysis of those records enables performance monitoring between the various network elements across the network.
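To make the exporter/collector split and the flow key concrete, here is an added example (not code from the article or from any vendor) of a minimal NetFlow v5 exporter and collector pair. The exporter side packs flow records into the fixed v5 wire layout (a 24-byte header followed by 48-byte records); the collector side decodes a datagram, checks that its length matches the advertised record count, and keys each record on the attributes listed above (source and destination IP, source and destination port, protocol, and ToS). All flows, interface indexes, and timestamps are constructed sample values.

```python
"""Minimal NetFlow v5 exporter/collector pair (added example, not from the article)."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes, big-endian)
V5_HEADER = "!HHIIIIBBH"
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 (48 bytes, big-endian)
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"


def build_v5_datagram(flows, sys_uptime_ms=100000, unix_secs=1700000000, seq=0):
    """Exporter side: encode a list of flow dicts as one NetFlow v5 datagram."""
    header = struct.pack(V5_HEADER, 5, len(flows), sys_uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        struct.pack(
            V5_RECORD,
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
            1, 2,                                   # ingress/egress ifIndex (constructed)
            f["packets"], f["bytes"],
            f["first"], f["last"],                  # sys_uptime (ms) at first/last packet
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], f.get("tos", 0),
            0, 0, 0, 0, 0,                          # AS numbers, masks, padding
        )
        for f in flows
    )
    return header + body


def parse_v5_datagram(data):
    """Collector side: decode one v5 datagram into a list of flow-record dicts."""
    hdr_len = struct.calcsize(V5_HEADER)
    rec_len = struct.calcsize(V5_RECORD)
    version, count, *_ = struct.unpack(V5_HEADER, data[:hdr_len])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # A truncated or padded export must not be silently decoded into garbage records.
    if len(data) != hdr_len + count * rec_len:
        raise ValueError("datagram length does not match the advertised record count")
    records = []
    for i in range(count):
        off = hdr_len + i * rec_len
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, tos, *_rest) = struct.unpack(V5_RECORD, data[off:off + rec_len])
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "packets": pkts, "bytes": octets, "first": first, "last": last,
            "tcp_flags": flags,
        })
    return records


def flow_key(rec):
    """The attributes a v5 exporter uses to tell one unidirectional flow from another."""
    return (rec["src"], rec["dst"], rec["sport"], rec["dport"], rec["proto"], rec["tos"])


def top_talkers(records, n=3):
    """Bytes per source address, largest first: the 'major contributors' view."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample flows (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443, "proto": 6, "tos": 0,
     "packets": 120, "bytes": 98000, "first": 90000, "last": 95000, "tcp_flags": 0x1b},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "sport": 51001, "dport": 443, "proto": 6, "tos": 0,
     "packets": 10, "bytes": 1200, "first": 91000, "last": 91500, "tcp_flags": 0x1b},
    {"src": "10.0.0.5", "dst": "198.51.100.53", "sport": 40000, "dport": 53, "proto": 17, "tos": 0,
     "packets": 2, "bytes": 300, "first": 92000, "last": 92010},
]

if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_FLOWS)
    for rec in parse_v5_datagram(datagram):
        print(flow_key(rec), rec["packets"], "pkts", rec["bytes"], "bytes")
    print("top talkers:", top_talkers(parse_v5_datagram(datagram)))
```

A real collector would bind a UDP socket (port 2055 is the conventional choice) and feed each received datagram to `parse_v5_datagram`; the length check matters there because UDP exports can be truncated in transit and a naive `count`-driven loop would otherwise read past the buffer. Later NetFlow versions (v9, IPFIX) replace the fixed record layout with exporter-defined templates, so this fixed `struct` format applies to v5 (and J-Flow, which conforms to it) only.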
NetFlow provides the insight needed to overcome many common challenges network operators face, including:
- Monitoring major contributors of network traffic
- Understanding application traffic and its network impact
- Optimizing internet peering relationships
- Troubleshooting and understanding network congestion points
- Detecting unauthorized WAN traffic
- DDoS and anomaly detection
- Validating QoS parameters
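Three of the items above (unauthorized WAN traffic, DDoS detection, and anomaly detection) can be illustrated with checks run directly over collected flow records. The following is an added example, not code from the article: records are plain dicts carrying the flow-key fields, the thresholds are constructed for illustration, and the internal address range, approved egress ports, and sample traffic are all assumptions labelled in the code.

```python
"""Flow-record checks for unapproved egress, port sweeps and short-flow floods
(added example, not from the article). Thresholds and sample data are constructed."""
import ipaddress
from collections import defaultdict

# Assumption for this example: the organisation's internal space is 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def find_unapproved_egress(records, allowed_ports=frozenset({53, 80, 443})):
    """Flows from internal hosts to external destinations on ports outside the approved set."""
    hits = set()
    for r in records:
        src_internal = ipaddress.ip_address(r["src"]) in INTERNAL
        dst_internal = ipaddress.ip_address(r["dst"]) in INTERNAL
        if src_internal and not dst_internal and r["dport"] not in allowed_ports:
            hits.add((r["src"], r["dst"], r["dport"], r["proto"]))
    return sorted(hits)


def find_port_sweeps(records, min_ports=20):
    """One source touching many distinct destination ports on one host.
    Byte-volume views miss this because every individual flow is tiny."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def find_syn_floods(records, min_flows=50, max_pkts=2):
    """Destinations receiving a burst of very short TCP flows from many sources.
    Returns (destination, flow count, distinct source count)."""
    flow_count = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        if r["proto"] == 6 and r["packets"] <= max_pkts:
            flow_count[r["dst"]] += 1
            sources[r["dst"]].add(r["src"])
    return sorted((dst, n, len(sources[dst])) for dst, n in flow_count.items() if n >= min_flows)


def _flow(src, dst, sport, dport, proto, packets, nbytes):
    """Build one constructed flow record with the article's key fields."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "proto": proto,
            "tos": 0, "packets": packets, "bytes": nbytes}


# Constructed sample records (documentation address ranges, not captured traffic).
SAMPLE_RECORDS = (
    [_flow("10.0.0.5", "203.0.113.10", 51000 + i, 443, 6, 30, 20000) for i in range(5)]     # ordinary HTTPS
    + [_flow("10.0.0.9", "10.0.0.21", 40000 + p, p, 6, 1, 60) for p in range(1, 41)]       # 40 ports on one host
    + [_flow(f"192.0.2.{i}", "10.0.0.20", 1024 + i, 80, 6, 1, 60) for i in range(1, 81)]   # 80 one-packet flows
    + [_flow("10.0.0.7", "198.51.100.9", 45000, 6667, 6, 15, 3000)]                        # egress on unapproved port
)

if __name__ == "__main__":
    print("unapproved egress:", find_unapproved_egress(SAMPLE_RECORDS))
    print("port sweeps:", find_port_sweeps(SAMPLE_RECORDS))
    print("short-flow floods:", find_syn_floods(SAMPLE_RECORDS))
```

In practice these checks run per export interval or per sliding time window rather than over an unbounded record list, and the thresholds are tuned against a baseline of the site's normal flow counts; sampled variants such as sFlow also require scaling flow and packet counts by the sampling rate before the thresholds are meaningful.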
This enables various internal organizations such as network operations, engineering, planning, architecture, and security to use NetFlow analysis as a primary source of network intelligence. Consolidated NetFlow traffic analysis can reduce the number of hardware and software technologies needed to manage networks, reduce network administration costs, and enhance cross-organizational collaboration and communications.