NetFlow

From Wikipedia, the free encyclopedia

Figure: NetFlow architecture

NetFlow is an open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.


Protocol description

Cisco routers that have the NetFlow feature enabled generate NetFlow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a NetFlow collector. Juniper Networks provides a similar feature for its routers called cflowd, which exports NetFlow version 5 and version 8 records. Huawei Technology routers also support the same technology, but call it NetStream.

Network flows

Network flows have been defined in many ways. In the case of NetFlow, Cisco uses the common 5-tuple definition, where a flow is defined as a unidirectional sequence of packets all sharing all of the following 5 values:

  1. Source IP address
  2. Destination IP address
  3. Source TCP port
  4. Destination TCP port
  5. IP protocol

The router outputs a flow record when it determines that the flow has finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. TCP session termination in a TCP flow also causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. In Flexible NetFlow (FNF) an administrator can define the flow properties on the router.
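The following is an added example, not code from the article or from Cisco: a toy flow cache in Python that groups packets by the 5-tuple above and expires flows the three ways the text describes (inactive aging, TCP FIN/RST, and a fixed active timeout for long-lived flows), while keeping the union of TCP flags seen. The timeout values and the sample traffic are constructed for the demonstration and are not taken from any router's defaults.

```python
"""Toy NetFlow-style flow cache (added example; not from the article).

Packets are keyed on (src_ip, dst_ip, src_port, dst_port, proto). A flow is
exported when it goes idle (inactive timeout), when a TCP FIN or RST is
seen, or when it has been active for the active timeout, in which case
the continuing traffic starts a new record.
"""
from dataclasses import dataclass

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

INACTIVE_TIMEOUT = 15.0   # seconds of silence before a flow is aged out (assumed value)
ACTIVE_TIMEOUT = 60.0     # long-lived flows are exported at this interval (assumed value)


@dataclass
class Flow:
    key: tuple            # (src_ip, dst_ip, src_port, dst_port, proto)
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # union of all TCP flags observed over the flow's life


class FlowCache:
    def __init__(self):
        self.active = {}
        self.exported = []

    def _export(self, key):
        self.exported.append(self.active.pop(key))

    def packet(self, ts, src_ip, dst_ip, src_port, dst_port, proto, length, flags=0):
        # Age out flows that have been idle longer than the inactive timeout.
        for key, flow in list(self.active.items()):
            if ts - flow.last > INACTIVE_TIMEOUT:
                self._export(key)
        key = (src_ip, dst_ip, src_port, dst_port, proto)
        flow = self.active.get(key)
        if flow is None:
            flow = self.active[key] = Flow(key, first=ts, last=ts)
        flow.last = ts            # new traffic resets the aging counter
        flow.packets += 1
        flow.octets += length
        flow.tcp_flags |= flags
        if proto == TCP and flags & (FIN | RST):
            self._export(key)     # TCP session termination expires the flow
        elif ts - flow.first >= ACTIVE_TIMEOUT:
            self._export(key)     # periodic export of a still-ongoing flow

    def flush(self):
        """Export everything still active (e.g. at shutdown) and return all records."""
        for key in list(self.active):
            self._export(key)
        return self.exported


def demo_packets():
    """Constructed sample traffic: a short TCP session, a one-way DNS query,
    and a long-lived SSH transfer that outlives the active timeout."""
    c, s, dns = "10.0.0.5", "192.0.2.10", "192.0.2.53"
    pkts = [
        (0.0, c, s, 40000, 443, TCP, 60, SYN),
        (0.1, s, c, 443, 40000, TCP, 60, SYN | ACK),
        (0.2, c, s, 40000, 443, TCP, 52, ACK),
        (0.3, c, s, 40000, 443, TCP, 500, PSH | ACK),
        (0.4, s, c, 443, 40000, TCP, 1500, PSH | ACK),
        (0.5, c, s, 40000, 443, TCP, 52, FIN | ACK),
        (0.6, s, c, 443, 40000, TCP, 52, FIN | ACK),
        (1.0, c, dns, 50000, 53, UDP, 70),
        (30.0, c, s, 40001, 22, TCP, 60, SYN),
    ]
    pkts += [(t, c, s, 40001, 22, TCP, 100, PSH | ACK) for t in range(40, 101, 10)]
    return pkts


def run_demo():
    cache = FlowCache()
    for pkt in demo_packets():
        cache.packet(*pkt)
    return cache.flush()


if __name__ == "__main__":
    for rec in run_demo():
        print(rec.key, rec.packets, rec.octets, hex(rec.tcp_flags))
```

In the demo the client-to-server HTTPS flow is closed by its FIN, the DNS flow is aged out by the inactive timeout when the SSH traffic arrives 29 seconds later, and the SSH flow is split into two records because it crosses the active timeout.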

NetFlow record

A NetFlow record can contain a wide variety of information about the traffic in a given flow. NetFlow version 5 (one of the most commonly used versions, followed by version 9) contains the following:

  • Version number
  • Sequence number
  • Input and output interface SNMP indices
  • Timestamps for the flow start and finish time
  • Number of bytes and packets observed in the flow
  • Layer 3 headers:
    • Source & destination IP addresses
    • Source and destination port numbers
    • IP protocol
    • Type of Service (ToS) value
  • In the case of TCP flows, the union of all TCP flags observed over the life of the flow.

Some routers will also include the source and destination Autonomous System (AS) number, though this information can be inaccurate. NetFlow version 9 can include all of these fields and can optionally include additional information such as Multiprotocol Label Switching (MPLS) labels and IPv6 addresses and ports.

By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.

NetFlow records are usually sent over UDP, or over SCTP in newer software, and for efficiency reasons the router does not store flow records once they are exported. Therefore, if a NetFlow export packet is dropped due to network congestion, it is lost forever; there is no way for the router to resend it (this applies to UDP NetFlow only). The IP address of the NetFlow collector and the port on which it is listening must be configured on the sending router; the port is usually one of 2055, 9555 or 9995. NetFlow is also enabled on a per-interface basis to avoid unnecessarily burdening the router's CPU. NetFlow is generally based on the packets input to interfaces where it is enabled. This avoids double counting and saves work for the router. It also allows the router to export NetFlow records for dropped packets.

Cisco's Sampled NetFlow

Maintaining NetFlow data can be computationally expensive for the router and can burden the router's CPU to the point where it runs out of capacity. To avoid problems caused by router CPU exhaustion, Cisco provides "Sampled NetFlow". Rather than looking at every packet to maintain NetFlow records, the router looks at every nth packet, where n is either configured (as in Deterministic NetFlow, used on Cisco's GSRs) or a randomly selected interval (as in Random Sampled NetFlow, used on all other Cisco platforms). When Sampled NetFlow is used, the NetFlow records must be adjusted for the effect of sampling: traffic volumes, in particular, are now an estimate rather than the actual measured flow volume.
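As an added example (not code from the article or from Cisco), the Python below parses NetFlow version 5 export packets using the fixed layout Cisco documents for that version (a 24-byte header followed by up to 30 48-byte records), which covers the record fields listed above. It also does the two collector-side adjustments the previous sections call for: it uses the header's flow sequence counter to detect export packets that were dropped in transit and can never be resent, and it scales the packet and byte counters by the sampling interval carried in the header when Sampled NetFlow is in use. The export packets are constructed in the example itself rather than captured from a router, and the scaling is the plain multiply-by-n estimate, not any vendor-specific correction.

```python
"""NetFlow v5 parser with loss detection and sampling adjustment
(added example; not from the article)."""
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")              # 24-byte v5 header
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_v5(packet: bytes):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    hdr = dict(zip(HEADER_FIELDS, HEADER.unpack_from(packet, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {hdr['version']})")
    # A v5 packet carries at most 30 records; validate 'count' before trusting it.
    if hdr["count"] > 30 or len(packet) < HEADER.size + hdr["count"] * RECORD.size:
        raise ValueError("record count does not match packet length")
    # Sampling field: top 2 bits are the mode, low 14 bits the interval (1 in N packets).
    hdr["sampling_mode"] = hdr["sampling"] >> 14
    hdr["sampling_interval"] = hdr["sampling"] & 0x3FFF
    scale = hdr["sampling_interval"] or 1          # 0 means the exporter is not sampling
    records = []
    for i in range(hdr["count"]):
        raw = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for f in ("srcaddr", "dstaddr", "nexthop"):
            rec[f] = socket.inet_ntoa(struct.pack("!I", rec[f]))
        # Sampled counters are estimates: scale them back up by the interval.
        rec["est_packets"] = rec["dPkts"] * scale
        rec["est_octets"] = rec["dOctets"] * scale
        records.append(rec)
    return hdr, records


class SequenceTracker:
    """flow_sequence is the exporter's running count of flows sent, so the next
    packet's sequence should equal the previous sequence plus its record count."""

    def __init__(self):
        self.expected = None
        self.lost_flows = 0

    def observe(self, hdr):
        if self.expected is not None:
            gap = hdr["flow_sequence"] - self.expected
            if gap > 0:
                self.lost_flows += gap   # flows exported but never received
            # gap < 0 indicates an exporter restart (sequence reset); nothing to count
        self.expected = hdr["flow_sequence"] + hdr["count"]
        return self.lost_flows


def _ip2int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def build_v5(flows, seq, sampling_interval=0, uptime=1000, unix_secs=1700000000):
    """Construct a v5 export packet for testing (not captured from a router)."""
    body = b"".join(
        RECORD.pack(_ip2int(f["src"]), _ip2int(f["dst"]), 0, 1, 2,
                    f["pkts"], f["octets"], uptime - 500, uptime,
                    f["sport"], f["dport"], 0, f.get("flags", 0), f["prot"], 0,
                    0, 0, 24, 24, 0)
        for f in flows)
    hdr = HEADER.pack(5, len(flows), uptime, unix_secs, 0, seq, 0, 0,
                      sampling_interval & 0x3FFF)
    return hdr + body


def demo():
    """Three packets from a 1-in-100 sampled exporter; the second one is 'lost'."""
    flows = [
        {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 40000, "dport": 443,
         "prot": 6, "pkts": 4, "octets": 664, "flags": 0x1B},
        {"src": "10.0.0.5", "dst": "192.0.2.53", "sport": 50000, "dport": 53,
         "prot": 17, "pkts": 1, "octets": 70},
    ]
    p1 = build_v5(flows, seq=0, sampling_interval=100)
    p2 = build_v5(flows[:1], seq=2, sampling_interval=100)   # dropped in transit
    p3 = build_v5(flows, seq=3, sampling_interval=100)
    tracker = SequenceTracker()
    results = []
    for pkt in (p1, p3):                      # p2 never reaches the collector
        hdr, recs = parse_v5(pkt)
        results.append((tracker.observe(hdr), recs))
    return results


if __name__ == "__main__":
    for lost, recs in demo():
        print("lost flows so far:", lost)
        for r in recs:
            print(r["srcaddr"], r["dstaddr"], r["prot"], r["est_packets"], r["est_octets"])
```

On a collector the sequence gap is the only evidence that UDP export packets were dropped, so it is worth alerting on; a gap that persists during a traffic surge means the volume figures for that period are undercounts, on top of the estimation error sampling already introduces.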

Versions

Version   Comment
-------   -------
v1        First try
v5        Most used version
v6        Encapsulation information
v7        Switch information
v8        Several aggregation forms
v9        Template based, allowing many combinations
IPFIX     Also known as v10; IETF-standardized NetFlow 9 with enterprise fields and other community input
