NetFlow, or IP Flow Information Export, is a network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface. Then, it aggregates these packets into flows based on IP, port, class of service, protocol, and source interface. These flows provide insight into bandwidth usage monitoring, congestion, potential DoS attacks, and more.
It’s a powerful tool that gives complete visibility on network traffic by providing a granular picture of what is happening across your network. It helps with network troubleshooting and lets you quickly identify security threats and traffic patterns like application performance, which can help improve your overall network performance.
Two primary components comprise the system – the flow exporter and the flow collector. The flow exporter aggregates packets into flows and exports them to the flow collector, which stores and pre-processes the data for analysis. The flow exporter’s data is called a netflow record, which can contain several types of information. The following are some everyday data items that can be found in a NetFlow record:
Time
A NetFlow record has an absolute timestamp of the last packet it received. This is important for comparing flows to others and ensuring they’re the same. It also enables network administrators to track time-of-day trends and identify any changes in traffic volumes.
Bandwidth Volume
Each flow is assigned a bandwidth volume, which can be measured as a percentage of the total network bandwidth used. This can be used to calculate average bandwidth usage and average latency or even to identify network bottlenecks in the event of an attack or outage.
Flow Cache
Once the NetFlow data is collected, it’s stored in a flow cache within the router. This can be large, and the cache can contain thousands or millions of entries. This helps troubleshoot a network because it can show which interfaces consume the most bandwidth and when.
In a traditional NetFlow implementation, the flow data is only collected on interfaces where NetFlow has been enabled. It is then sent to a flow collector, an application, or a server that does the actual flow analysis.
The flow records generated by NetFlow can be viewed in real-time with some NetFlow tools, but to gain insights and create reports, you will need an analysis application. The analysis application can be a dedicated system or network monitoring solution that supports NetFlow.
