Netflow: The Essential Network Monitoring Resource

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow.

NetFlow works by enabling routers and switches to collect traffic statistics on all interfaces where NetFlow is enabled. The routers then export these statistics as NetFlow records to a NetFlow collector, typically a server that performs the actual traffic analysis.

A network flow in NetFlow is defined as a unidirectional sequence of packets that share the following values:

  • Ingress interface

  • Source IP address

  • Destination IP address

  • IP protocol number

  • Source port

  • Destination port

  • IP Type of Service

This definition is used for both IPv4 and IPv6 flows.

Routers export NetFlow records when a flow expires, either due to inactivity timeout or termination of a TCP session. Records can also be exported at fixed intervals.

NetFlow records are traditionally exported via UDP to a NetFlow collector. The collector then stores, prepares and analyzes the flow data to gain insights into network traffic.

NetFlow versions include:

  • Version 5: Most common, supports IPv4 flows

  • Version 9: Template-based, supports IPv6 and MPLS flows

  • IPFIX: Standardized version of NetFlow, on the IETF standards track

NetFlow provides visibility into network traffic flows which can be used for network management, security, troubleshooting and quality of service. By analyzing NetFlow data, you can determine the largest bandwidth consumers on your network.

NetFlow has become a de facto standard, with equivalent protocols from other vendors like Juniper Jflow, HP sFlow and Huawei NetStream. NetFlow collectors can gather data from a variety of sources.

NetFlow is a network protocol that provides valuable network visibility and insights. Some of the main benefits and use cases of NetFlow are:

Network Optimization

NetFlow data can be used to optimize network performance and throughput. By understanding network traffic patterns, bottlenecks can be identified and addressed. NetFlow can help:

  • Track top bandwidth consumers

  • Identify network applications in use

  • Detect network anomalies

This visibility helps maximize network efficiency and uptime.

Network Planning

NetFlow records provide insight into historical and current network traffic. This data can be used for:

  • Capacity planning to ensure adequate bandwidth for future growth

  • Network upgrades planning by determining port, routing and other hardware needs

Having accurate traffic flow data makes network planning more efficient.

Cybersecurity

NetFlow can be used as an anomaly detection tool to identify potential threats and security incidents:

  • Detect DDoS attacks based on sudden increases in traffic

  • Identify suspicious traffic to/from embargoed countries

  • Detect malware command and control communications

  • Detect data exfiltration via DNS tunneling

NetFlow records also provide valuable information for incident response and network forensics investigations.

Data Leak Prevention

NetFlow analytics can detect anomalous amounts of data leaving the network which could indicate data leaks or theft of intellectual property. Combined with identity management systems, NetFlow can identify:

  • Who initiated the data transfer

  • The source and destination hosts

  • The amount of data transferred

  • The services and protocols used

This visibility enables data leak detection and prevention.

Compliance

NetFlow can help organizations meet compliance requirements like PCI DSS that mandate adequate network monitoring. NetFlow provides the necessary network visibility to detect security incidents, anomalies and policy violations.

In summary, NetFlow offers a cost-effective way to gain valuable network visibility for purposes like optimization, planning, security and compliance. The traffic flow data extracted from NetFlow records provides insights that can improve network performance, security posture and compliance.

Use cases

NetFlow data can provide valuable insights for network troubleshooting in the following ways:

Identifying Traffic Anomalies

NetFlow collects data on network traffic flows such as source and destination IP addresses, ports, protocols, and bytes transferred. By analyzing this flow data over time, anomalies and deviations from normal traffic patterns can be identified. This could indicate issues like:

  • DDoS attacks

  • Malware infections

  • Network scans

  • Data leaks

Spotting these anomalies early can help troubleshoot and resolve network issues before they significantly impact users.

Tracking Top Bandwidth Consumers

NetFlow records show which source IP addresses are generating the most traffic and consuming the most bandwidth. This visibility helps network teams quickly identify potential issues related to bandwidth hogs. They can then investigate further to determine if it is normal usage or a sign of a problem.

Application Usage Monitoring

NetFlow collects port and protocol information which reveals which applications and services are in use on the network. Monitoring application usage over time provides a baseline that makes it easier to spot any abnormal application behavior that could indicate an issue.

Identifying Network Bottlenecks

By analyzing traffic patterns and volume between different parts of the network, NetFlow data can help identify potential bottlenecks. This could be due to congested links, misconfigured routers/switches, or other factors limiting network performance.

Incident Investigation and Forensics

During a network outage or performance issue, NetFlow records provide valuable historical data that can be analyzed to determine the root cause. The flow records show what hosts were communicating, what applications or services were impacted, and other details that aid troubleshooting and forensics efforts.

Optimization and Planning

Insights from NetFlow data also help optimize network performance by identifying unnecessary traffic, redundant links, and other inefficiencies. This visibility also aids capacity planning and network upgrades by providing accurate traffic trends and patterns.

Here are the top 10 most useful NetFlow tools:

  1. SolarWinds NetFlow Traffic Analyzer - This is a leading NetFlow analysis tool that can analyze traffic from multiple NetFlow variants like sFlow, J-Flow, IPFIX, etc. It provides real-time bandwidth monitoring and troubleshooting.

  2. SolarWinds Engineer's Toolset - This provides over 60 networking tools including NetFlow monitoring, traffic generation, and remote configuration.

  3. ManageEngine NetFlow Analyzer - This tool provides real-time visibility into network bandwidth usage and traffic patterns. It supports multiple flow protocols like NetFlow, sFlow, J-Flow, etc.

  4. Paessler PRTG Network Monitor - PRTG offers comprehensive network monitoring including NetFlow support. It has a user-friendly interface and auto-discovery of devices.

  5. Kentik Detect - This is a cloud-based NetFlow analysis tool that provides real-time insights into network traffic and performance. It supports NetFlow, sFlow, IPFIX, and SNMP.

  6. Nagios - This open-source network monitoring tool offers both free (Nagios Core) and paid (Nagios XI) versions. It can monitor bandwidth usage and detect network issues.

  7. Wireshark - This is another free and open-source packet analyzer that can be used for NetFlow analysis. It offers powerful capture and display filters.

  8. nProbe and ntopng - This is an open-source suite for NetFlow collection and analysis. nProbe collects the flow data which is then analyzed by ntopng.

  9. NetVizura NetFlow Analyzer - This tool provides network traffic analysis, bandwidth monitoring, and customized alarms based on NetFlow data.

  10. Plixer Scrutinizer - This tool provides comprehensive network visibility and security monitoring based on NetFlow data. It offers in-depth reporting and real-time flow analysis.