NetFlow: Difference between revisions

Content deleted Content added
Importing Wikidata short description: "Communications protocol" (Shortdesc helper)
-"NetFlow" from (most) section names (per WP:NOBACKREF); tag term "the key", which is used but not previously defined (do the seven values form the key?); other minor ce
Line 1:
{{short description|Communications protocol}}
[[File:NetFlow Architecture 2012.png|thumb|right|512px|NetFlow Architecturearchitecture]]
'''NetFlow''' is a feature that was introduced on [[Cisco]] routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion. A typical flow monitoring setup (using NetFlow) consists of three main components:<ref name="Flow_Monitoring_Tutorial">{{cite journal
| last = Hofstede | first = Rick
Line 29:
== Protocol description ==
 
[[Router (computing)|Router]]s and switches that support NetFlow can collect [[Internet Protocol|IP]] traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector - typicallycollector—typically a server that does the actual traffic analysis.
 
=== Network Flowsflows ===
 
Cisco standard NetFlow version 5 defines a ''flow'' as a unidirectional sequence of packets that all share the following 7seven values:<ref>https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow</ref>
# Ingress interface ([[Simple Network Management Protocol|SNMP]] ifIndex)
# Source [[IP address]]
Line 42:
# IP [[Type of Service]]
 
Note that the Egress interface, IP Nexthop or BGP Nexthops are not part of {{what|text=the key|reason=this term not previously mentioned|date=June 2020}}, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.
 
ThatThis definition of flows is also used for IPv6, and a similar definition is used for [[MPLS]] and [[Layer 2|Ethernet]] flows.
 
Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.
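Review bot: the {{what}} tag on "the key" in the "Line 42" paragraph points at a real gap: "the key" is used without ever being defined, and the seven-value list under "Network flows" is where it should be introduced. Suggest ending the lead-in sentence with something like "...that all share the following seven values (together called the flow key):" so that the later statement that the egress interface and next hops "are not part of the key" and the mention of "user-defined flow keys" under Flexible NetFlow both resolve to the same term. That also makes the caveat in the same paragraph easier to read: fields outside the key (egress interface, IP next hop, BGP next hop) are recorded from whatever the router saw at some point in the flow's life, so they may not reflect the current route when the route changes mid-flow or when load balancing is per-packet. Separately, the reference for the seven-value definition is a bare URL to a third-party wiki page; it should at least be wrapped in {{cite web}} with a title and access date, and a primary source for the v5 export format would be stronger.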
Line 54:
2010-09-01 00:00:00.363 0.000 UDP 192.168.0.1:22126 -> 127.0.0.1:24920 1 80 1
 
=== Export of NetFlow records ===
 
The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, [[TCP session]] termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing.
 
==== NetFlow Packet transport protocol ====
 
NetFlow records are traditionally exported using User Datagram Protocol ([[User Datagram Protocol|UDP]]) and collected using a NetFlow collector.
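Review bot: in the export paragraph, "It does this by flow aging" is ambiguous about whether "this" refers to outputting the record or to determining that the flow is finished; suggest "It determines this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter." The hunk's first line is a flow-record sample (timestamp, duration, protocol, source:port -> destination:port, packets, bytes, flows) with no column header visible here; a header line before the sample would make the columns self-explanatory. Style: "NetFlow Packet transport protocol" should follow the sentence case applied to the other headings in this edit ("Packet transport protocol").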
Line 73:
UDP allows simple replication of NetFlow packets using Network taps or L2 or L3 Mirroring. Simple stateless equipment can also filter or change the destination address of NetFlow UDP packets if necessary. Since NetFlow export almost only use network backbone links, packet loss will often be negligible. If it happens, it will mostly be on the link between the network and the NetFlow collectors.
 
==== NetFlow Packet headerheaders ====
 
All NetFlow packets begin with version-dependent header, that contains at least these fields:
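Review bot: "Since NetFlow export almost only use network backbone links" is ungrammatical ("almost always uses"), and the claim that packet loss "will often be negligible" is unsourced; because UDP export is not retransmitted, any export packet that is lost simply removes those flow records from the collector's view, so the sentence should either cite a source or be softened. "Network taps or L2 or L3 Mirroring" mixes capitalization ("network taps", "mirroring"), and "begin with version-dependent header" needs an article ("a version-dependent header").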
Line 81:
*Number of records (v5 or v8) or list of templates and records (v9)
 
=== NetFlow RecordRecords ===
 
A NetFlow record can contain a wide variety of information about the traffic in a given flow.
Line 109:
By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.
 
=== NetFlow interfacesInterfaces ===
 
NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to limit the amount of NetFlow records exported.
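Review bot: "limit the amount of NetFlow records exported" should use the count noun ("number of NetFlow records"), and "the router components involved in NetFlow" is vague; if the source names the components, name them, otherwise "router resources consumed by NetFlow" reads more naturally. "Cisco maintains details of the different version numbers and the layout of the packets for each version" would benefit from a reference to that documentation, since it is the statement readers will most want to follow up.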
Line 136:
The sampling rate is indicated in a header field of NetFlow version 5 (same sampling rate for all interfaces) or in option records of NetFlow version 9 (sampling rate per interface)
 
==NetFlow Versions==
 
{| class="wikitable" style="margin: 0 auto; text-align: left"
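Review bot: the sampling sentence is missing its full stop, and it is worth spelling out the consequence for a collector: with version 5 the rate arrives in every export packet header and applies to all interfaces, whereas with version 9 it arrives in option records per interface, so a collector cannot correctly scale sampled byte and packet counts for an interface until it has received the option data for that interface. Style: "==NetFlow Versions==" lacks the spaces inside the heading markers that the other headings use and keeps title case, unlike the headings this edit lowercased.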
Line 178:
NetFlow was initially implemented by Cisco, and described in an "informational" document that was not on the standards track: RFC 3954 &ndash; Cisco Systems NetFlow Services Export Version 9. The NetFlow protocol itself has been superseded by Internet Protocol Flow Information eXport ([[IPFIX]]). Based on the NetFlow Version 9 implementation, IPFIX is on the IETF standards track with RFC 5101 (obsoleted by RFC 7011), RFC 5102 (obsoleted by RFC 7012), etc. which were published in 2008.
 
=== NetFlow equivalentsEquivalents ===
 
Many vendors other than [[Cisco Systems|Cisco]] provide similar network flow monitoring technology. NetFlow may be a prevalent name in the area of flow monitoring, because of [[Cisco Systems|Cisco]] dominant market share in the networking industry. NetFlow is thought to be a Cisco trademark (even though as of March 2012 it is not listed in Cisco Trademarks<ref>{{cite web | title=Cisco Trademarks | url=http://www.cisco.com/web/siteassets/legal/trademark.html}}</ref>):
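Review bot: "RFC 5101 (obsoleted by RFC 7011), RFC 5102 (obsoleted by RFC 7012), etc. which were published in 2008" is ambiguous about which RFCs the date refers to; RFC 5101 and RFC 5102 were published in January 2008, while RFC 7011 and RFC 7012 date from September 2013, so the date should attach to the 2008 pair (for example "RFC 5101 and RFC 5102, published in 2008 and since obsoleted by RFC 7011 and RFC 7012"), and the "etc." adds nothing. In the equivalents paragraph, "because of Cisco dominant market share" needs a possessive ("Cisco's"), and "NetFlow is thought to be a Cisco trademark" is an unattributed opinion; the cited trademark page only supports the parenthetical that it is not listed there, so either source the belief or keep only the factual parenthetical.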
Line 196:
Also flow-tools collection of software<ref>https://github.com/adsr/flow-tools</ref> allows to process and manage NetFlow exports from Cisco and Juniper routers.<ref>https://github.com/adsr/flow-tools/blob/master/README</ref>
 
=== NetFlow supportSupport ===
{| class="wikitable" style="margin: 0 auto; text-align: left"
|-
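Review bot: "Also flow-tools collection of software ... allows to process and manage" is ungrammatical; suggest "The flow-tools software collection can also process and manage NetFlow exports from Cisco and Juniper routers." Both references are bare GitHub URLs (the repository and its README) and should be wrapped in {{cite web}} with titles and access dates; as a project's own README is a primary source, it supports a description of what the tools do but not stronger claims.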
Line 304:
|}
 
== NetFlow variantsVariants ==
 
=== Cisco's NetFlow Security Event Logging===
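Review bot: the heading "=== Cisco's NetFlow Security Event Logging===" is missing the space before the closing markers, and "NetFlow Variants" keeps title case unlike the headings lowercased elsewhere in this edit.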
Line 310:
Introduced with the launch of the [[Cisco ASA]] 5580 products, [http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html NetFlow Security Event Logging] utilizes NetFlow v9 fields and templates in order to efficiently deliver security telemetry in high performance environments. NetFlow Security Event Logging scales better than [[syslog]] while offering the same level of detail and granularity in logged events.{{Citation needed|date=February 2011}}
 
=== NetFlow Monitoring Basedbased on Standalonestandalone Probesprobes ===
{{Original research|section|date=March 2009}}
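Review bot: the NSEL paragraph's {{Citation needed}} is correctly placed on the comparison ("scales better than syslog while offering the same level of detail"), which is the only unsupported claim; the Cisco document linked inline at the start of the paragraph is the sole source for the feature description and should be converted into a proper reference rather than an inline external link. The URL uses the old www.cisco.com/en/US/docs path style, so it should be checked for a redirect or an archived copy when the reference is added.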