April 26, 2022

What is NetFlow and how is this protocol used in practise

Information about streams of data flowing through network devices is called NetFlow. switches and routers, as well as other components colle

Information about streams of data flowing through network devices is called NetFlow. Switches and routers, as well as other components, collect and store information about the data transmitted within the network. This information concerns both logical, comprehensive flows between the source and target servers and physical point-to-point flows between key network elements.

NetFlow is a protocol developed by Cisco Systems, which is currently also known as the IPFIX standard – a component of Cisco IOS. NetFlow runs on IP devices (routers, layer 3 switches) and provides IP traffic statistics. This standard has been adopted by a number of manufacturers, e.g. Juniper makes a similar solution available under the name of jFlow. Other companies, such as HP, Foundry and Extreme, apply the sFlow data flow technology.

Regardless of the name, the NetFlow scope of data is substantial and constitutes a rich source of information updated in real time, which is always accessible and provides extensive knowledge on network data traffic. The system visualizes not only the TCP/IP parameters in layers 3 and 4 (source, target IP address, protocol, port), but also additional traffic attributes, such as Type of Service, DSCP, source identifier and target AS areas in the BGP protocol, additional information about routing and traffic – next hop, input and output interfaces, source and target network address.

NetFlow makes it possible to create a relatively cheap and easy-to-handle network traffic monitoring system.

Pros and cons

Thanks to NetFlow technology, we are able to identify problems, bottlenecks in the network, verify the settings of traffic classes (CoS/ToS), identify the traffic sent and applications, with a possibility to associate them with a specific user in a given time. Moreover, as a technology integrated in Cisco IOS, NetFlow does not require any additional devices or licences. NetFlow is available on the majority of Cisco platforms, starting from Cisco ISR routers.

However, NetFlow has not much to offer without the appropriate tools to process the data provided. It is the manner in which IT personnel obtains data that decides about their usefulness and impact on the management of network performance. When we take the volume of available information into account, there is no point in analysing data in terms of their flow from each network element individually. In order to fully exploit the NetFlow protocol, we need to collect the data in an external database and make available an intuitive interface that will enable us to find interesting information, anomalies in the network, or help us in the planning

The system for processing information collected by NetFlow comprises:

  • A NetFlow agent which collects data on the traffic flowing through network devices and sends them to the central repository, the so-called collector. Virtually any Cisco router featuring IOS software (from 12.3T, NetFlow is available in the feature set of SP Services or higher) can act as an agent. NetFlow support is also implemented in Catalyst 6500 switches and is optional in the Catalyst 4500 switch.
  • A NetFlow collector which collects information from agents. Taking into account the large amount of data, the collector can usually filter, aggregate and delete the data prior to placing them in the database.
  • A visualisation module which makes it possible to present the data collected in the NetFlow collector. Various applications are available, e.g. facilitating network planning, carrying out settlements, or monitoring traffic.

The visualization module can answer a number of questions:

  • What applications are used? Are they all legal?
  • Who uses the applications?
  • What servers are the source of the traffic? Are these actually servers?
  • Which servers are reached by the traffic? Should they be reached?
  • What applications generate the highest traffic?
  • Who occupies all the available bandwidth?
  • Is the operator’s incoming traffic properly tagged?
  • Which interfaces show the highest load?
  • Which routers show the highest load?
  • Is own and transit traffic being properly routed?
  • Is a sufficient bit rate ensured by the connections?
  • Is the traffic being properly directed?
  • What applications run on the servers?
  • What ports are used by the servers?
  • Where does the traffic come from, and where does it go?
  • What servers generate the traffic? Is it legal?

Benefits

The first and most important advantage of NetFlow is the fact that when it is used skilfully, NetFlow makes it possible to create a relatively cheap and easy-to-handle network traffic monitoring system – the only cost is related to the purchase of an application enabling data visualization.

In addition, NetFlow makes it possible to monitor any link in a network. Due to the fact that NetFlow is configured on the router programmatically, we can selectively enable its monitoring on crucial devices, e.g. in the hub, on the router supporting the internet link, or in places where any problems with the network occur.

Furthermore, NetFlow is an open protocol – a number of third-party applications are available which enable network monitoring in real time, the creation of reports and the settlement of users of the network. Often, the applications are developed for specific customers and tailored to particular requirements.

The use of the NetFlow-based system offers the following benefits:

  • Increased network security – the monitoring of network activity is one of the key elements of ensuring security. Visualisation systems make it possible to identify port scanning, DoS attacks or recognise swapped IP addresses on the interface.
  • Full visibility of network traffic and its source helps to identify illegal activities and avoid costly fines, e.g. for the use of unlicensed software.
  • Planning network development – recognition of traffic trends and adaptation of link sizes before the network reaches its maximum capacity (e.g. capturing wrongly placed servers and moving them to another place to avoid an excessive load on the WAN network).
  • Faster problem resolution – e.g. through the possibility to optimise QoS settings in order to give appropriate priorities to important applications, which substantially contributes to faster response times

arrow_forward
Sycope Resources

Explore more

NetFlow as valuable data source for SecOps part 2

NetFlow as valuable data source for SecOps part 2

How to use inter-system correlations, optimizing work of SIEM systems and processing billions of flows in dedicated system.

Learn more
NetFlow as valuable data source for SecOps part 1/2

NetFlow as valuable data source for SecOps part 1/2

How to use inter-system correlations, optimizing work of SIEM systems and processing billions of flows in dedicated system.

Learn more

Get a monthly dose of blog posts, tips and tricks

Sign-up for the newsletter and be updated about Sycope.

Sign-up for the newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept