NetFlow is a Cisco IOS software feature and also the name of the Cisco protocol used to export IP traffic information. The protocol is proprietary to Cisco but its formats are published: versions 1, 5 and 7 are documented by Cisco, version 9 is described in RFC 3954, and its IETF successor IPFIX (RFC 7011) uses version number 10 in its message header. Cisco routers with NetFlow enabled generate flow records, which are exported from the router in UDP datagrams and collected using a NetFlow collector. Juniper Networks provides a similar feature for its routers called J-Flow; in JUNOS the export is configured as cflowd output, and the collectors used for NetFlow generally accept it.
A flow is a unidirectional sequence of packets that share the same key fields; in the classic Cisco implementation the key is the source IP address, destination IP address, source port, destination port, IP protocol, type-of-service byte and input interface, so the two directions of a TCP connection appear as two separate flows. The router exports a flow record only when it decides that the flow is finished, which it determines by flow aging: each time it sees a packet matching an existing flow it resets that flow's inactivity timer, and a flow whose timer expires (15 seconds by default) is exported. Three other events also trigger export: a TCP FIN or RST, the flow reaching the active timeout (30 minutes by default) so that long-lived flows still produce periodic records, and the flow cache filling up. Each export datagram starts with a header carrying the NetFlow version number, a record count, the router's uptime and clock, and a sequence counter, followed by the records themselves (at most 30 per datagram in version 5). A version 5 record contains the source and destination IP addresses and port numbers, the IP protocol, the SNMP index of the input and output interfaces (not an interface IP address; the exporting router is identified by the source address of the UDP datagram), the flow's start and end times expressed as router uptime in milliseconds, the packet and byte counts, the cumulative OR of the TCP flags seen, and the next-hop and AS information. By analyzing flow data, one can build a picture of who talks to whom, over which ports and in what volume, which is why flow records are a staple of network forensics and anomaly detection even though they carry no payload. The record format has evolved over time, hence the version number in the header: versions 1, 5 and 7 have fixed layouts, version 8 adds router-based aggregation, and version 9 is template-based, meaning the exporter describes its record layout to the collector at run time. Cisco maintains details of the different versions and the layout of the packets for each.
NetFlow records are sent over UDP and, for efficiency, the router does not keep a flow record once it has been exported. If an export datagram is dropped because of network congestion it is lost for good: there is no acknowledgement from the collector and no way for the router to resend it. The only evidence of loss is the sequence counter in the export header (in version 5, a running count of the flows exported so far), which a collector should compare against the value it expects in order to detect and measure gaps. The IP address of the collector and the UDP port on which it listens must be configured on the exporting router (on IOS with "ip flow-export destination", together with "ip flow-export version" to select the record format), and NetFlow is enabled per interface ("ip flow ingress", or "ip route-cache flow" on older releases) so that only the interfaces of interest burden the router's processor. Because the export is neither authenticated nor encrypted, anyone on the path can read the records and anyone able to send UDP datagrams to the collector can inject fabricated ones; the usual mitigations are to export over a dedicated management network, to have the collector accept datagrams only from known exporter addresses, and to validate datagram lengths and record counts before trusting any field.
Maintaining flow data is computationally expensive for the router and can load its CPU to the point where it runs out of capacity. To avoid problems caused by CPU exhaustion, Cisco provides "sampled NetFlow": rather than examining every packet, the router inspects one packet in every n (chosen at random by the IOS sampler, defined with "flow-sampler-map" and "mode random one-out-of n" and attached to an interface with "flow-sampler"), and builds its flow records from that subset. Records produced this way must be corrected for the effect of sampling: packet and byte counts should be multiplied by n, and the version 5 export header carries the sampling mode and interval in its last two bytes (two bits of mode, fourteen bits of interval) so that the collector can do this. Even after scaling, the volumes are estimates rather than measurements, flow start and end times are less precise, and short flows, including the handful of packets that make up a port scan or a failed connection attempt, may be missed entirely, which matters when the flow data is used for security monitoring rather than capacity planning.
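A collector-side decoder for the version 5 datagram described above, as an added example that is neither Cisco's code nor from the original article. It covers the three collector concerns raised in the preceding paragraphs: it parses the fixed v5 header and records, uses the header's flow sequence counter to count records lost in transit, and scales packet and byte counts by the sampling interval the header declares. Field offsets follow Cisco's published v5 layout; the datagrams it works on are constructed inside the block with a small encoder (they are not router captures), and the addresses, counts and sampling values in them are assumptions chosen to illustrate the mechanics.

```python
# NetFlow v5 parser with export-loss detection and sampling scaling.
# Added example; field layout follows Cisco's published v5 format.
import ipaddress
import struct
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

V5_HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte header
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte record
V5_MAX_RECORDS = 30                                     # per datagram

@dataclass
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    in_if: int       # SNMP ifIndex of the input interface, not an IP address
    packets: int
    octets: int
    first_ms: int    # router sysUptime in ms at the first packet of the flow
    last_ms: int     # sysUptime at the last packet
    tcp_flags: int   # cumulative OR of the TCP flags seen in the flow

@dataclass
class V5Datagram:
    flow_sequence: int      # total flows the exporter sent before this datagram
    sampling_interval: int  # 0 when the exporter is not sampling
    records: List[FlowRecord]

def parse_v5(data: bytes) -> V5Datagram:
    """Decode one v5 export datagram. The transport is unauthenticated UDP,
    so every length is checked before any field is trusted."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, seq, _etype, _eid,
     sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, _out_if, pkts, octs, first, last, sport,
         dport, _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask,
         _pad2) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(str(ipaddress.IPv4Address(src)),
                                  str(ipaddress.IPv4Address(dst)), proto, sport,
                                  dport, in_if, pkts, octs, first, last, flags))
    # top two bits of the sampling field are the mode, the low 14 the interval
    return V5Datagram(seq, sampling & 0x3FFF, records)

def ingest(datagrams: List[bytes]) -> Tuple[List[FlowRecord], int]:
    """Parse datagrams in arrival order. Returns the records with packet and
    byte counts scaled for sampling, plus how many records never arrived:
    the header sequence counter is the only evidence of loss, because the
    router cannot resend them."""
    lost, out = 0, []
    expected_seq: Optional[int] = None
    for data in datagrams:
        dg = parse_v5(data)
        if expected_seq is not None:
            gap = (dg.flow_sequence - expected_seq) & 0xFFFFFFFF
            if gap < 0x80000000:      # a "negative" gap is reordering, not loss
                lost += gap
        expected_seq = (dg.flow_sequence + len(dg.records)) & 0xFFFFFFFF
        mult = dg.sampling_interval or 1   # 1-in-N sampling: scale counts by N
        out.extend(replace(r, packets=r.packets * mult, octets=r.octets * mult)
                   for r in dg.records)
    return out, lost

def build_v5_datagram(flow_sequence, sampling_field, flows):
    """Encode a v5 datagram; used here only to construct sample input."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0,
                            flow_sequence, 0, 0, sampling_field)
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(f.src).packed, ipaddress.IPv4Address(f.dst).packed,
        b"\0" * 4, f.in_if, 0, f.packets, f.octets, f.first_ms, f.last_ms,
        f.sport, f.dport, 0, f.tcp_flags, f.proto, 0, 0, 0, 0, 0, 0) for f in flows)
    return header + body

# Constructed sample: datagram 1 carries flows 100-101 unsampled; datagram 2
# says it starts at flow 105, so three records were dropped in transit, and
# its header declares 1-in-100 sampling (mode 1 in the top two bits).
SAMPLE_DATAGRAMS = [
    build_v5_datagram(100, 0, [
        FlowRecord("10.0.0.1", "192.0.2.10", 6, 51234, 443, 1, 10, 1500, 1000, 2000, 0x1B),
        FlowRecord("10.0.0.2", "192.0.2.53", 17, 40000, 53, 1, 1, 80, 1500, 1500, 0)]),
    build_v5_datagram(105, (1 << 14) | 100, [
        FlowRecord("10.0.0.3", "198.51.100.7", 6, 55555, 22, 1, 3, 400, 3000, 9000, 0x02)]),
]

def is_wellformed(data: bytes) -> bool:
    try:
        parse_v5(data)
        return True
    except ValueError:
        return False
```

Running ingest(SAMPLE_DATAGRAMS) yields three records and a loss count of 3; the third record's 3 packets and 400 bytes come back as 300 and 40000 after scaling. Two collector-side points follow from the transport: because the datagrams are plain UDP, the listening socket should accept them only from the configured exporter addresses, and, as parse_v5 does, the collector should verify that the record count matches the datagram length before reading any field. A sequence gap that keeps growing usually indicates an overloaded router, a saturated link, or a collector that cannot drain its socket buffer fast enough.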
See also
External links
- Basic Netflow information on the Cisco Site
- List of Freeware NetFlow Software on the Cisco Site
- List of Commercial NetFlow Software on the Cisco Site
- Article Detecting Worms and Abnormal Activities with NetFlow, Part 1
- Article Detecting Worms and Abnormal Activities with NetFlow, Part 2
- Article "Quick Netflow Configuration Guide" by Crannog Software
- Article "Monitoring Network Traffic with Netflow" by Michael W. Lucas