Content deleted Content added
m →RFCs: Added spacing in between letters |
m →Support: HTTP to HTTPS for SourceForge |
||
| (16 intermediate revisions by 13 users not shown) | |||
Line 1:
{{
'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination
▲'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<ref name="Flow_Monitoring_Tutorial">{{cite journal
| last1 = Hofstede | first1 = Rick
| last2 = Čeleda | first2 = Pavel
Line 30 ⟶ 29:
== Protocol description ==
[[Router (computing)|Router]]s and switches that support NetFlow can collect [[Internet Protocol|IP]] traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector—typically a server that does the actual [[traffic analysis]].
=== Network flows ===
Line 38 ⟶ 37:
# Source [[IP address]]
# Destination [[IP address]]
# [[IP protocol number]]
# Source port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], 0 for other protocols
# Destination port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], type and code for [[Internet Control Message Protocol|ICMP]], or 0 for other protocols
Line 102 ⟶ 101:
**Source & destination IP masks (prefix lengths in the [[Classless Inter-Domain Routing|CIDR]] notation)
For [[Internet Control Message Protocol|ICMP]] flows, the Source Port is zero, and the Destination Port number field codes ICMP message Type and Code (port = ICMP-Type * 256 + ICMP-Code) {{Citation needed|date=October 2022}}.
The source and destination [[autonomous system (Internet)|Autonomous System]] (AS) number fields can report the destination AS (last AS of AS-Path) or the immediate neighbor AS (first AS of AS-Path) depending on the router configuration. But the AS number will be zero if the feature is not supported, the route is unknown or not announced by BGP, or the AS is the local AS. There is no explicit way to distinguish between these cases.
Line 130 ⟶ 129:
* One packet randomly selected in an interval of ''n'' packet, in Random Sampled NetFlow, used on modern Cisco routers.
Some implementations have more complex methods to sample packets, like per-flow sampling on Cisco
The sampling rate is often the same for all interfaces, but can be adjusted per interface for some routers.
Line 189 ⟶ 188:
* Rflow for [[Ericsson]]
* AppFlow [[Citrix]]
* [[sFlow]] vendors include: [[Alaxala]], [[Alcatel Lucent]], [[Allied Telesis]], [[Arista Networks]], [[Brocade Communications Systems|Brocade]], [[Cisco Systems|Cisco]], [[Dell]], [[D-Link]], [[Enterasys]], [[Extreme Networks|Extreme]], [[F5 Networks|F5 BIG-IP]], [[Fortinet]], [[Hewlett-Packard]], [[Hitachi]], [[Huawei]], [[IBM]], [[Juniper Networks|Juniper]], [[LG-Ericsson]], [[Mellanox]], [[MRV Communications|MRV]], [[NEC]], [[Netgear]], [[Proxim Wireless]], [[Quanta Computer]], [[Vyatta]],
| url = http://www.sflow.org/products/network.php
| title = sFlow Products: Network Equipment
Line 289 ⟶ 288:
| | [[Linux]] [[FreeBSD]] [[NetBSD]] [[OpenBSD]]
| | v5, v9, IPFIX
| | Software like fprobe,<ref>{{cite web | title = fprobe | url=
*{{cite book |section=pflow — kernel interface for pflow data export |title=OpenBSD manual page server |url=http://mdoc.su/o/pflow.4}}</ref> flowd,<ref>{{cite web |url= http://ports.su/net/flowd |title= flowd-0.9.1.20140828 – NetFlow collector |work= [[OpenBSD ports]] |date= 2019-07-17 |access-date= 2019-08-09 }}</ref> [[Netgraph]] ng_netflow<ref>{{cite web |author= Gleb Smirnoff |url= http://bxr.su/f/share/man/man4/ng_netflow.4 |title= ng_netflow — Cisco's NetFlow implementation |website= BSD Cross Rererence |publisher= [[FreeBSD]] |date= 2005 |access-date= 2019-08-09}}
*{{cite book |section=ng_netflow -- Cisco's NetFlow implementation |title=FreeBSD Manual Pages |url=http://mdoc.su/f/ng_netflow.4}}</ref> or softflowd
Line 295 ⟶ 294:
|-
! | VMware servers
| | [[vSphere]] 5.x<ref>{{cite web |url=http://blogs.vmware.com/networking/2011/08/vsphere-5-new-networking-features-netflow.html |title = vSphere 5 New Networking Features - NetFlow - VMware vSphere Blog| date=15 August 2011 }}</ref>
| | v5, IPFIX (>5.1)<ref>{{cite web|url=http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf
| | Software
| | IPv6 support is unknown
Line 333 ⟶ 332:
NetFlow was originally a Cisco packet switching technology for Cisco routers, implemented in [[Cisco IOS|IOS]] 11.x around 1996.
It was originally a software implementation for the Cisco 7000, 7200 and 7500,<ref name="netflow switching">{{cite web |url=http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/netflow.html |title=NetFlow Switching Enhancements Feature Module
The idea was that the first packet of a flow would create a NetFlow switching record. This record would then be used for all later packets of the same flow, until the expiration of the flow. Only the first packet of a flow would require an investigation of the route table to find the most specific matching route. This is an expensive operation in software implementations, especially the old ones without [[Forwarding information base]]. The NetFlow switching record was actually some kind of route cache record, and old versions of IOS still refer to the NetFlow cache as '''ip route-cache'''.
This technology was advantageous for local networks. This was especially true if some of the traffic had to be filtered by an [[Standard Access Control List|ACL]] as only the first packet of a flow had to be evaluated by the ACL.<ref name="kentik">
NetFlow switching soon turned out to be unsuitable for big routers, especially Internet backbone routers, where the number of simultaneous flows was much more important than those on local networks, and where some traffic causes many short-lived flows, like [[Domain Name System]] requests (whose source port is random for security reasons).
Line 420 ⟶ 419:
[[Category:Internet Protocol based network software]]
[[Category:Cisco protocols]]
| |||