Content deleted Content added
mNo edit summary |
m →Support: HTTP to HTTPS for SourceForge |
||
| (34 intermediate revisions by 25 users not shown) | |||
Line 1:
{{
'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination
▲'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<ref name="Flow_Monitoring_Tutorial">{{cite journal
▲| last = Hofstede | first = Rick
| last2 = Čeleda | first2 = Pavel
| last3 = Trammell | first3 = Brian
Line 21 ⟶ 20:
| doi = 10.1109/COMST.2014.2321898
| year = 2014
| s2cid = 14042725
}}</ref>
Line 29:
== Protocol description ==
[[Router (computing)|Router]]s and switches that support NetFlow can collect [[Internet Protocol|IP]] traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector—typically a server that does the actual [[traffic analysis]].
=== Network flows ===
Cisco standard NetFlow version 5 defines a ''flow'' as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:<ref>{{cite web |url=https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |url-status=dead |archive-url=https://web.archive.org/web/20170222053806/https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |archive-date=2017-02-22 |title=InterProjektWiki: NetFlow}}</ref>
# Ingress interface ([[Simple Network Management Protocol|SNMP]] ifIndex)
# Source [[IP address]]
# Destination [[IP address]]
# [[IP protocol number]]
# Source port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], 0 for other protocols
# Destination port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], type and code for [[Internet Control Message Protocol|ICMP]], or 0 for other protocols
# IP [[Type of Service]]
Note that the Egress interface, IP Nexthop or BGP Nexthops are not part of
This definition of flows is also used for IPv6, and a similar definition is used for [[MPLS]] and [[Layer 2|Ethernet]] flows.
Line 68:
That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol ([[Stream Control Transmission Protocol|SCTP]]) to export packets so as to provide some protection against packet loss, and make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays.
The problem with SCTP is that it requires interaction between each NetFlow collector and each
SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment.
Line 101:
**Source & destination IP masks (prefix lengths in the [[Classless Inter-Domain Routing|CIDR]] notation)
For [[Internet Control Message Protocol|ICMP]] flows, the Source Port is zero, and the Destination Port number field codes ICMP message Type and Code (port = ICMP-Type * 256 + ICMP-Code) {{Citation needed|date=October 2022}}.
The source and destination [[autonomous system (Internet)|Autonomous System]] (AS) number fields can report the destination AS (last AS of AS-Path) or the immediate neighbor AS (first AS of AS-Path) depending on the router configuration. But the AS number will be zero if the feature is not supported, the route is unknown or not announced by BGP, or the AS is the local AS. There is no explicit way to distinguish between these cases.
Line 129:
* One packet randomly selected in an interval of ''n'' packet, in Random Sampled NetFlow, used on modern Cisco routers.
Some implementations have more complex methods to sample packets, like per-flow sampling on Cisco
The sampling rate is often the same for all interfaces, but can be adjusted per interface for some routers.
Line 188:
* Rflow for [[Ericsson]]
* AppFlow [[Citrix]]
* [[sFlow]] vendors include: [[Alaxala]], [[Alcatel Lucent]], [[Allied Telesis]], [[Arista Networks]], [[Brocade Communications Systems|Brocade]], [[Cisco Systems|Cisco]], [[Dell]], [[D-Link]], [[Enterasys]], [[Extreme Networks|Extreme]], [[F5 Networks|F5 BIG-IP]], [[Fortinet]], [[Hewlett-Packard]], [[Hitachi]], [[Huawei]], [[IBM]], [[Juniper Networks|Juniper]], [[LG-Ericsson]], [[Mellanox]], [[MRV Communications|MRV]], [[NEC]], [[Netgear]], [[Proxim Wireless]], [[Quanta Computer]], [[Vyatta]],
| url = http://www.sflow.org/products/network.php
| title = sFlow Products: Network Equipment
Line 194:
}}</ref>
Also flow-tools collection of software<ref>{{Cite web|url=https://github.com/adsr/flow-tools|title = Adsr/Flow-tools|website = [[GitHub]]|date = 5 October 2021}}</ref> allows to process and manage NetFlow exports from Cisco and Juniper routers.<ref>{{Cite web|url=https://github.com/adsr/flow-tools/blob/master/README|title = Adsr/Flow-tools|website = [[GitHub]]|date = 5 October 2021}}</ref>
=== Support ===
Line 223:
| | Support for IPv6 on high-end models RSP720 and Sup720, but at most 128K or 256K flows per PCF card.<ref>{{cite web
| title=Cisco RSP720 Sup720 NetFlow characteristics | url=http://www.cisco.com/en/US/prod/collateral/routers/ps368/product_data_sheet0900aecd8057f3b6.html
|date=July 2010 |publisher = cisco.com |
|-
! | Cisco [[Cisco Nexus|Nexus]] switches
Line 244:
|-
! | [[Juniper Networks|Juniper]] routers
| | [[Juniper MX-Series|MX-series]] with MPC-3D,
| | v5, [[IP Flow Information Export|IPFIX]]
| | Hardware (trio chipset), called ''inline jflow''
| | IPv6 requires JUNOS 11.4R2 (back port target), MPLS support unknown, MPC3E excluded until 12.3, incorrect start time field causing incorrect data throughput result <ref>{{cite web | title=pps and bps incorrect on Juniper j-flow | url=https://sourceforge.net/p/nfdump/mailman/message/29665102/ |date=Aug 2012 |
|-
! | [[
| | 7750SR
| | v5, v8, v9, v10 [[IP Flow Information Export|IPFIX]]
Line 265:
| url=http://www.enterasys.com/company/literature/s-ds.pdf
|date=February 2012 | publisher = enterasys.com
|
| title = NetFlow on Enterasys N-Serie
| url= http://www.enterasys.com/company/literature/n-ds.pdf
|date=February 2012 | publisher = enterasys.com |
| | v5, v9
| | Dedicated hardware
Line 288:
| | [[Linux]] [[FreeBSD]] [[NetBSD]] [[OpenBSD]]
| | v5, v9, IPFIX
| | Software like fprobe,<ref>{{cite web | title = fprobe | url=
*{{cite book | *{{cite book |section=ng_netflow -- Cisco's NetFlow implementation |title=FreeBSD Manual Pages |url=http://mdoc.su/f/ng_netflow.4}}</ref> or softflowd
| | IPv6 support depend on the software used
|-
! | VMware servers
| | [[vSphere]] 5.x<ref>{{cite web |url=http://blogs.vmware.com/networking/2011/08/vsphere-5-new-networking-features-netflow.html |title = vSphere 5 New Networking Features - NetFlow - VMware vSphere Blog| date=15 August 2011 }}</ref>
| | v5, IPFIX (>5.1)<ref>{{cite web|url=http://www.vmware.com/files/pdf/techpaper/Whats-New-VMware-vSphere-51-Network-Technical-Whitepaper.pdf |title=vSphere 51 Network Technical Whitepaper|website=vmware.com|access-date=1 July 2023}}</ref>
| | Software
| | IPv6 support is unknown
|-
! | Mikrotik RouterOS
| | RouterOS 3.x, 4.x, 5.x, 6.x <ref>{{Cite web|url=http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow|title = Manual:IP/Traffic Flow - MikroTik Wiki}}</ref>
| | v1, v5, v9, IPFIX (>6.36RC3)
| | Software and Routerboard hardware
Line 330 ⟶ 332:
NetFlow was originally a Cisco packet switching technology for Cisco routers, implemented in [[Cisco IOS|IOS]] 11.x around 1996.
It was originally a software implementation for the Cisco 7000, 7200 and 7500,<ref name="netflow switching">{{cite web |url=http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/netflow.html |title=NetFlow Switching Enhancements Feature Module [Cisco IOS Software Releases 11.1] - Cisco Systems |website=www.cisco.com |url-status=dead |archive-url=https://web.archive.org/web/20091221041522/http://www.cisco.com/en/US/docs/ios/11_2/feature/guide/netflow.html |archive-date=2009-12-21}} </ref> where it was thought as an improvement over the then current Cisco Fast Switching. Netflow was invented by Darren Kerr and Barry Bruin<ref>{{Cite web|url=https://www.cisco.com/site/us/en/index.html|title=Networking, Cloud, and Cybersecurity Solutions|website=Cisco|accessdate=1 July 2023}}</ref> from Cisco (U.S. [https://patents.google.com/patent/US6243667B1/en patent # 6,243,667] ).
The idea was that the first packet of a flow would create a NetFlow switching record. This record would then be used for all later packets of the same flow, until the expiration of the flow. Only the first packet of a flow would require an investigation of the route table to find the most specific matching route. This is an expensive operation in software implementations, especially the old ones without [[Forwarding information base]]. The NetFlow switching record was actually some kind of route cache record, and old versions of IOS still refer to the NetFlow cache as '''ip route-cache'''.
This technology was advantageous for local networks. This was especially true if some of the traffic had to be filtered by an [[Standard Access Control List|ACL]] as only the first packet of a flow had to be evaluated by the ACL.<ref name="kentik">
NetFlow switching soon turned out to be unsuitable for big routers, especially Internet backbone routers, where the number of simultaneous flows was much more important than those on local networks, and where some traffic causes many short-lived flows, like [[Domain Name System]] requests (whose source port is random for security reasons).
Line 341 ⟶ 343:
As of 2012, technologies similar to NetFlow switching are still in use in most firewalls and software-based IP routers. For instance the conntrack feature of the [[Netfilter]] framework used by [[Linux]].
== RFCs ==
* [
* [
* [http://www.ietf.org/rfc/
* [http://www.ietf.org/rfc/
* [
* [
* [
* [
* [https://www.rfc-editor.org/info/rfc5470 RFC 5470 - Architecture for IP Flow Information Export]
* [
* [https://www.rfc-editor.org/info/rfc5472 RFC 5472 - IP Flow Information Export (IPFIX) Applicability]
* [
* [https://www.rfc-editor.org/info/rfc5476 RFC 5476 - Packet Sampling (PSAMP) Protocol Specifications]
* [https://www.rfc-editor.org/info/rfc5477 RFC 5477 - Information Model for Packet Sampling Exports]
* [https://www.rfc-editor.org/info/rfc5610 RFC 5610 - Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements]
* [https://www.rfc-editor.org/info/rfc5655 RFC 5655 - Specification of the IP Flow Information Export (IPFIX) File Format]
* [https://www.rfc-editor.org/info/rfc5815 RFC 5815 - Definitions of Managed Objects for IP Flow Information Export]
* [https://www.rfc-editor.org/info/rfc5982 RFC 5982 - IP Flow Information Export (IPFIX) Mediation: Problem Statement]
* [https://www.rfc-editor.org/info/rfc6183 RFC 6183 - IP Flow Information Export (IPFIX) Mediation: Framework]
* [https://www.rfc-editor.org/info/rfc6235 RFC 6235 - IP Flow Anonymization Support]
* [https://www.rfc-editor.org/info/rfc6313 RFC 6313 - Export of Structured Data in IP Flow Information Export (IPFIX)]
* [https://www.rfc-editor.org/info/rfc6526 RFC 6526 - IP Flow Information Export (IPFIX) Per Stream Control Transmission Protocol (SCTP) Stream]
* [https://www.rfc-editor.org/info/rfc6615 RFC 6615 - Definitions of Managed Objects for IP Flow Information Export]
* [https://www.rfc-editor.org/info/rfc6645 RFC 6645 - IP Flow Information Accounting and Export Benchmarking Methodology]
* [https://www.rfc-editor.org/info/rfc6727 RFC 6727 - Definitions of Managed Objects for Packet Sampling]
* [https://www.rfc-editor.org/info/rfc6728 RFC 6728 - Configuration Data Model for the IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Protocols]
* [https://www.rfc-editor.org/info/rfc6759 RFC 6759 - Cisco Systems Export of Application Information in IP Flow Information Export (IPFIX)]
* [https://www.rfc-editor.org/info/rfc7011 RFC 7011 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information]
* [https://www.rfc-editor.org/info/rfc7012 RFC 7012 - Information Model for IP Flow Information Export (IPFIX)]
* [https://www.rfc-editor.org/info/rfc7013 RFC 7013 - Guidelines for Authors and Reviewers of IP Flow Information Export (IPFIX) Information Elements]
* [https://www.rfc-editor.org/info/rfc7015 RFC 7015 - Flow Aggregation for the IP Flow Information Export (IPFIX) Protocol]
* [https://www.rfc-editor.org/info/rfc7119 RFC 7119 - Operation of the IP Flow Information Export (IPFIX) Protocol on IPFIX Mediators]
* [https://www.rfc-editor.org/info/rfc7125 RFC 7125 - Revision of the tcpControlBits IP Flow Information Export (IPFIX) Information Element]
* [https://www.rfc-editor.org/info/rfc7133 RFC 7133 - Information Elements for Data Link Layer Traffic Measurement]
* [https://www.rfc-editor.org/info/rfc7270 RFC 7270 - Cisco-Specific Information Elements Reused in IP Flow Information Export (IPFIX)]
* [https://www.rfc-editor.org/info/rfc7373 RFC 7373 - Textual Representation of IP Flow Information Export (IPFIX) Abstract Data Types]
* [https://www.rfc-editor.org/info/rfc8038 RFC 8038 - Exporting MIB Variables Using the IP Flow Information Export (IPFIX) Protocol]
* [https://www.rfc-editor.org/info/rfc8158 RFC 8158 - IP Flow Information Export (IPFIX) Information Elements for Logging NAT Events]
* [https://www.rfc-editor.org/info/rfc8272 RFC 8272 - TinyIPFIX for Smart Meters in Constrained Networks]
* [https://www.rfc-editor.org/info/rfc8549 RFC 8549 - Export of BGP Community Information in IP Flow Information Export (IPFIX)]
==See also==
Line 351 ⟶ 399:
|date=July 2004
| publisher = sFlow.org
|
}}</ref>)
Line 361 ⟶ 409:
* [http://www.cert.org/flocon/ FloCon] - The Annual Conference put on by CERT/CC dealing with network flow data and analysis.
* [http://www.cisco.com/go/netflow Basic NetFlow information on the Cisco Site]
▲* [http://www.ietf.org/rfc/rfc3334.txt RFC3334 - Policy-Based Accounting]
▲* [http://www.ietf.org/rfc/rfc3954.txt RFC3954 - NetFlow Version 9]
▲* [http://www.ietf.org/rfc/rfc3917.txt RFC3917 - Requirements for IP Flow Information Export (IPFIX)]
▲* [http://www.ietf.org/rfc/rfc3955.txt RFC3955 - Candidate Protocols for IP Flow Information Export (IPFIX)]
▲* [http://www.ietf.org/rfc/rfc5101.txt RFC5101 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information (IPFIX)]
▲* [http://www.ietf.org/rfc/rfc5102.txt RFC5102 - Information Model for IP Flow Information Export]
▲* [http://www.ietf.org/rfc/rfc5103.txt RFC5103 - Bidirectional Flow Export Using IP Flow Information Export]
▲* [http://www.ietf.org/rfc/rfc5153.txt RFC5153 - IPFIX Implementation Guidelines]
▲* [http://www.ietf.org/rfc/rfc5470.txt RFC5470 - Architecture for IP Flow Information Export]
▲* [http://www.ietf.org/rfc/rfc5471.txt RFC5471 - Guidelines for IP Flow Information Export (IPFIX) Testing]
▲* [http://www.ietf.org/rfc/rfc5472.txt RFC5472 - IP Flow Information Export (IPFIX) Applicability]
▲* [http://www.ietf.org/rfc/rfc5473.txt RFC5473 - Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports]
* [https://www.paessler.com/it-explained/netflow Paessler IT Explained - NetFlow]
* [https://web.archive.org/web/20181013055019/http://www.znets.net/ Using Netflow to store re-aggregated inbound and outbound flows]
| |||