NetFlow: Difference between revisions

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Revision as of 01:37, 15 March 2022 edit Rlink2 (talk \| contribs) Extended confirmed users 309,868 edits m →History: Archiving dead bare references Tag: AWB ← Previous edit		Revision as of 22:45, 9 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m →Support: HTTP to HTTPS for SourceForge Tag: AWB Next edit →
(19 intermediate revisions by 14 users not shown)
Line 1: {{~~short~~Short description\|Communications protocol}} '''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<ref name="Flow_Monitoring_Tutorial">{{cite journal▼ ~~[[File:NetFlow Architecture 2012.png\|thumb\|right\|512px\|NetFlow architecture]]~~ ▲'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<ref name="Flow_Monitoring_Tutorial">{{cite journal \| last1 = Hofstede \| first1 = Rick \| last2 = Čeleda \| first2 = Pavel Line 30 ⟶ 29: == Protocol description == [[Router (computing)\|Router]]s and switches that support NetFlow can collect [[Internet Protocol\|IP]] traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector—typically a server that does the actual [[traffic analysis]]. === Network flows === Line 38 ⟶ 37: # Source [[IP address]] # Destination [[IP address]] # [[IP protocol number]] # Source port for [[User Datagram Protocol\|UDP]] or [[Transmission Control Protocol\|TCP]], 0 for other protocols # Destination port for [[User Datagram Protocol\|UDP]] or [[Transmission Control Protocol\|TCP]], type and code for [[Internet Control Message Protocol\|ICMP]], or 0 for other protocols Line 69 ⟶ 68: That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol ([[Stream Control Transmission Protocol\|SCTP]]) to export packets so as to provide some protection against packet loss, and make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays. The problem with SCTP is that it requires interaction between each NetFlow collector and each ~~routers~~router exporting NetFlow. There may be performance limitations if a router has to deal with many NetFlow collectors, and a NetFlow collector has to deal with many routers, especially when some of them are unavailable due to failure or maintenance. SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment. Line 102 ⟶ 101: *Source & destination IP masks (prefix lengths in the [[Classless Inter-Domain Routing\|CIDR]] notation) For [[Internet Control Message Protocol\|ICMP]] flows, the Source Port is zero, and the Destination Port number field codes ICMP message Type and Code (port = ICMP-Type 256 + ICMP-Code) {{Citation needed\|date=October 2022}}. The source and destination [[autonomous system (Internet)\|Autonomous System]] (AS) number fields can report the destination AS (last AS of AS-Path) or the immediate neighbor AS (first AS of AS-Path) depending on the router configuration. But the AS number will be zero if the feature is not supported, the route is unknown or not announced by BGP, or the AS is the local AS. There is no explicit way to distinguish between these cases. Line 130 ⟶ 129: * One packet randomly selected in an interval of ''n'' packet, in Random Sampled NetFlow, used on modern Cisco routers. Some implementations have more complex methods to sample packets, like per-flow sampling on Cisco ~~Martinez~~ Catalysts. The sampling rate is often the same for all interfaces, but can be adjusted per interface for some routers. Line 189 ⟶ 188: * Rflow for [[Ericsson]] * AppFlow [[Citrix]] * [[sFlow]] vendors include: [[Alaxala]], [[Alcatel Lucent]], [[Allied Telesis]], [[Arista Networks]], [[Brocade Communications Systems\|Brocade]], [[Cisco Systems\|Cisco]], [[Dell]], [[D-Link]], [[Enterasys]], [[Extreme Networks\|Extreme]], [[F5 Networks\|F5 BIG-IP]], [[Fortinet]], [[Hewlett-Packard]], [[Hitachi]], [[Huawei]], [[IBM]], [[Juniper Networks\|Juniper]], [[LG-Ericsson]], [[Mellanox]], [[MRV Communications\|MRV]], [[NEC]], [[Netgear]], [[Proxim Wireless]], [[Quanta Computer]], [[Vyatta]], [[Telesoft ~~Technologies\|Telesoft]]~~, [[ZTE]] and [[ZyXEL]]<ref name="sFlow Vendors">{{cite web \| url = http://www.sflow.org/products/network.php \| title = sFlow Products: Network Equipment Line 289 ⟶ 288: \| \| [[Linux]] [[FreeBSD]] [[NetBSD]] [[OpenBSD]] \| \| v5, v9, IPFIX \| \| Software like fprobe,<ref>{{cite web \| title = fprobe \| url=~~http~~https://sourceforge.net/projects/fprobe/ }}</ref> ipt-netflow,<ref>{{cite web \| title = ipt-netflow \| url=~~http~~https://sourceforge.net/projects/ipt-netflow/ }}</ref> pflow,<ref>{{cite web \|author1= Henning Brauer \|author2= Joerg Goltermann \|url= http://bxr.su/o/share/man/man4/pflow.4 \|title= pflow — kernel interface for pflow data export \|website= BSD Cross Rererence \|publisher= [[OpenBSD]] \|date= 2014-03-29 \|access-date= 2019-08-09}} {{cite book \|section=pflow — kernel interface for pflow data export \|title=OpenBSD manual page server \|url=http://mdoc.su/o/pflow.4}}</ref> flowd,<ref>{{cite web \|url= http://ports.su/net/flowd \|title= flowd-0.9.1.20140828 – NetFlow collector \|work= [[OpenBSD ports]] \|date= 2019-07-17 \|access-date= 2019-08-09 }}</ref> [[Netgraph]] ng_netflow<ref>{{cite web \|author= Gleb Smirnoff \|url= http://bxr.su/f/share/man/man4/ng_netflow.4 \|title= ng_netflow — Cisco's NetFlow implementation \|website= BSD Cross Rererence \|publisher= [[FreeBSD]] \|date= 2005 \|access-date= 2019-08-09}} {{cite book \|section=ng_netflow -- Cisco's NetFlow implementation \|title=FreeBSD Manual Pages \|url=http://mdoc.su/f/ng_netflow.4}}</ref> or softflowd Line 295 ⟶ 294: \|- ! \| VMware servers \| \| [[vSphere]] 5.x<ref>{{cite web \|url=http://blogs.vmware.com/networking/2011/08/vsphere-5-new-networking-features-netflow.html \|title = vSphere 5 New Networking Features - NetFlow - VMware vSphere Blog\| date=15 August 2011 }}</ref> \| \| v5, IPFIX (>5.1)<ref>{{cite web\|url=http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf ~~{{Bare~~\|title=vSphere ~~URL~~51 ~~PDF~~Network Technical Whitepaper\|website=vmware.com\|access-date=~~January~~1 July ~~2022~~2023}}</ref> \| \| Software \| \| IPv6 support is unknown Line 333 ⟶ 332: NetFlow was originally a Cisco packet switching technology for Cisco routers, implemented in [[Cisco IOS\|IOS]] 11.x around 1996. It was originally a software implementation for the Cisco 7000, 7200 and 7500,<ref name="netflow switching">{{cite web \|url=http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/netflow.html \|title=NetFlow Switching Enhancements Feature Module [Cisco IOS Software Releases 11.1] - Cisco Systems \|website=www.cisco.com \|url-status=dead \|archive-url=https://web.archive.org/web/20091221041522/http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/netflow.html \|archive-date=2009-12-21}} </ref> where it was thought as an improvement over the then current Cisco Fast Switching. Netflow was invented by Darren Kerr and Barry Bruin<ref>{{Cite web\|url=https://www.cisco.com/csite/~~dam~~us/en/~~us/products/collateral/security/ios-network-foundation-protection-nfp/prod_presentation0900aecd80311f49~~index.~~pdf~~html\|title=~~Cisco -~~ Networking, Cloud, and Cybersecurity Solutions\|website=Cisco\|accessdate=1 July 2023}}</ref> from Cisco (U.S. [https://patents.google.com/patent/US6243667B1/en patent # 6,243,667] ). The idea was that the first packet of a flow would create a NetFlow switching record. This record would then be used for all later packets of the same flow, until the expiration of the flow. Only the first packet of a flow would require an investigation of the route table to find the most specific matching route. This is an expensive operation in software implementations, especially the old ones without [[Forwarding information base]]. The NetFlow switching record was actually some kind of route cache record, and old versions of IOS still refer to the NetFlow cache as '''ip route-cache'''. This technology was advantageous for local networks. This was especially true if some of the traffic had to be filtered by an [[Standard Access Control List\|ACL]] as only the first packet of a flow had to be evaluated by the ACL.<ref name="kentik">[{{Cite web\|url=https://www.kentik.com/blog/netflow-sflow-and-flow-extensibility-part-1 /\|title=NetFlow, sFlow, and Flow Extensibility, Part 1]\|date=28 March 2016\|website=Kentik Blog\|accessdate=1 July 2023}}</ref> NetFlow switching soon turned out to be unsuitable for big routers, especially Internet backbone routers, where the number of simultaneous flows was much more important than those on local networks, and where some traffic causes many short-lived flows, like [[Domain Name System]] requests (whose source port is random for security reasons). Line 345 ⟶ 344: As of 2012, technologies similar to NetFlow switching are still in use in most firewalls and software-based IP routers. For instance the conntrack feature of the [[Netfilter]] framework used by [[Linux]]. ==~~See~~ ~~also~~RFCs == * [[Traffic flow (computer networking)]]▼ * [[IP Flow Information Export]] (IPFIX) - [[IETF]] standards-track flow export protocol, based on NetFlow version 9▼ * [[sFlow]] - alternative to NetFlow (mandatory sampling, no flow cache, no templates <ref name="sFlow Version 5">{{cite web▼ \| url = http://www.sflow.org/sflow_version_5.txt▼ \| title = sFlow Version 5▼ \| first1 = Peter \| last1 = Phaal \| first2 = Marc \| last2 = Lavine▼ \|date=July 2004▼ \| publisher = sFlow.org▼ \| access-date = 2010-10-23▼ }}</ref>)▼ ==References==▼ {{reflist}}▼ * [http://www.ietf.org/rfc/rfc3334.txt ~~RFC3334~~RFC 3334 - Policy-Based Accounting]▼ ==External links==▼ * [http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html NetFlow/FloMA: Pointers and Software Provided by SWITCH.] - One of the most comprehensive list including all the open source and research works.▼ * [http://www.cert.org/flocon/ FloCon] - The Annual Conference put on by CERT/CC dealing with network flow data and analysis.▼ * [http://www.cisco.com/go/netflow Basic NetFlow information on the Cisco Site]▼ ▲* [http://www.ietf.org/rfc/rfc3334.txt RFC3334 - Policy-Based Accounting] * [https://www.rfc-editor.org/info/rfc3917 RFC 3917 - Requirements for IP Flow Information Export (IPFIX)] * [http://www.ietf.org/rfc/rfc3954.txt ~~RFC3954~~RFC 3954 - NetFlow Version 9] * [https://www.rfc-editor.org/info/rfc3955 RFC 3955 - Evaluation of Candidate Protocols for IP Flow Information Export (IPFIX)] * [http://www.ietf.org/rfc/rfc3917.txt ~~RFC3917~~RFC 3917 - Requirements for IP Flow Information Export (IPFIX)] * [http://www.ietf.org/rfc/rfc3955.txt ~~RFC3955~~RFC 3955 - Candidate Protocols for IP Flow Information Export (IPFIX)] * [https://www.rfc-editor.org/info/rfc5101 RFC 5101 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information] * [https://www.rfc-editor.org/info/rfc5102 RFC 5102 - Information Model for IP Flow Information Export] Line 406 ⟶ 389: * [https://www.rfc-editor.org/info/rfc8272 RFC 8272 - TinyIPFIX for Smart Meters in Constrained Networks] * [https://www.rfc-editor.org/info/rfc8549 RFC 8549 - Export of BGP Community Information in IP Flow Information Export (IPFIX)] ==See also== ▲* [[Traffic flow (computer networking)]] ▲* [[IP Flow Information Export]] (IPFIX) - [[IETF]] standards-track flow export protocol, based on NetFlow version 9 ▲* [[sFlow]] - alternative to NetFlow (mandatory sampling, no flow cache, no templates <ref name="sFlow Version 5">{{cite web ▲ \| url = http://www.sflow.org/sflow_version_5.txt ▲ \| title = sFlow Version 5 ▲ \| first1 = Peter \| last1 = Phaal \| first2 = Marc \| last2 = Lavine ▲ \|date=July 2004 ▲ \| publisher = sFlow.org ▲ \| access-date = 2010-10-23 ▲}}</ref>) ▲==References== ▲{{reflist}} ▲==External links== ▲* [http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html NetFlow/FloMA: Pointers and Software Provided by SWITCH.] - One of the most comprehensive list including all the open source and research works. ▲* [http://www.cert.org/flocon/ FloCon] - The Annual Conference put on by CERT/CC dealing with network flow data and analysis. ▲* [http://www.cisco.com/go/netflow Basic NetFlow information on the Cisco Site] * [https://www.paessler.com/it-explained/netflow Paessler IT Explained - NetFlow] * [https://web.archive.org/web/20181013055019/http://www.znets.net/ Using Netflow to store re-aggregated inbound and outbound flows]