Netflow

Netflow is a technique in which a device, usually a router or layer 3 switch , exports information about the IP data stream within the device via UDP . These UDP datagrams are received, stored and processed by a Netflow collector. The resulting data are used for traffic analysis , for capacity planning or QoS used analysis.

technology

Netflow architecture

Netflow was originally a Cisco technology, but is now supported by many manufacturers. In addition to Netflow, there is also jFlow ( Juniper ) and Netstream ( Huawei ). Both are technically identical to Netflow. There are different versions of Netflow. Netflow Version 9 is described as an open standard in RFC 3954 . Netflow version 5 is the most frequently used version in practice. sFlow ( RFC 3176 ) uses statistical sampling and is incompatible with Netflow. However, converters exist . The IPFIX standard ( RFC 3917 ) is developed independently of the manufacturer and represents an extension of Netflow Version 9.

A flow typically contains the following information:

• Version number and sequence number
• time stamp
• Byte and packet counters
• Source and destination IP addresses
• Source and destination IP ports
• Ingress - and egress - Port -Nummern
• TOS information
• AS numbers ( BGP 4 )
• TCP - Flags
• Protocol type (e.g. TCP, UDP or ICMP)

The content of the export datagrams differs slightly depending on the Netflow version. Detailed information can be found on the Cisco site.

application

Like SNMP , Netflow is a passive measurement method , i. H. one observes the traffic without influencing it. Like all passive measurement methods, Netflow also generates volume information, typically kBit / s .

In order to be able to analyze the netflow data, collector software is required. Two types of analysis are typically performed:

• Top-N analyzes
• Time analysis

In the case of Top-N analyzes, a freely definable period, e.g. B. 24 hours, those elements are searched that generate the most traffic. Criteria can be sender IP addresses ( Top Talker ), TCP ports ( Top Applications ) or other entries from the Netflow datagram. In some systems, this Top-N analysis is generated via SQL queries using "Group-By" at runtime, or special analysis databases are kept ready. These special databases are kept up-to-date by the collector during runtime. The advantage here is that the reporting front end can quickly access finished data sets, on the other hand, the need for storage grows.

Time analyzes show the volume of traffic components over a time axis .

Since the NetFlow datagrams are transmitted via UDP, the collector must be fast enough, the data to receive, process and store. Lost datagrams cannot be recovered. The transmission of Netflow data over WAN links is therefore particularly problematic . Distributed systems have proven themselves particularly well here. Some systems are able to hold evaluations in a central data mart . This has the advantage that data does not have to be transmitted repeatedly and multiple times over WAN routes.

From a technical point of view, manufacturers usually use an initial database as "raw data" in which the netflow datagrams are saved in raw form. Only a subsequent process normalizes the data and saves the result in a database - mostly a relational database, which the reporting front end then accesses. Since the data is saved once as raw data and then a second time in a normalized form, the transfer performance of the storage systems is one of the most important and limiting parameters. The storage is usually expanded locally as a hardware raid. Implementation via a software raid can lead to performance losses.

In the service provider environment, multi-client capability is an important property of Netflow systems. This ensures that participants can only see the data that is relevant to them. Customers then only have access to the flows of "their" interfaces and not to all interfaces of the flow sender.

Free software

• flowd NetFlow collector
• NetWork analysis software
• nfdump, collector and analysis tools and nfsen, web frontend to nfdump
• PMACCT Netflow, sFlow Collector. Uses libpcap
• Pandora FMS

Free software

• SevOne (trial version available)
• Solarwinds NetFlow Analyzer (Windows), limited to 60 minutes
• NetFlow Analyzer for Windows, (Trial version available)
• THB-Netflow flexible and high performance v5, v9 & IPFix receiver

Both of them have the option of purchasing a license key

Commercial software