NetFlow: The Essential Network Monitoring Resource
NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow.
NetFlow works by enabling routers and switches to collect traffic statistics on all interfaces where NetFlow is enabled. The routers then export these statistics as NetFlow records to a NetFlow collector, typically a server that performs the actual traffic analysis.
A network flow in NetFlow is defined as a unidirectional sequence of packets that share the following values:
Ingress interface
Source IP address
Destination IP address
IP protocol number
Source port
Destination port
IP Type of Service
This definition is used for both IPv4 and IPv6 flows.
Routers export NetFlow records when a flow expires, either due to inactivity timeout or termination of a TCP session. Records can also be exported at fixed intervals.
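The flow definition and the expiry rules above, shown as an added example rather than code from the original article: a small Python flow cache keyed on the seven values listed, which exports a flow when a TCP FIN or RST arrives, when the flow has been idle past an inactivity timeout, or when it has been active past an active timeout (the fixed-interval case). The Packet and Flow classes, the timeout values and the traffic fed through it are constructed for illustration and are not vendor defaults.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, RST = 0x01, 0x04  # TCP flag bits that end a session


@dataclass(frozen=True)
class Packet:
    """One packet as the exporting router sees it (constructed for this example)."""
    ts: float        # arrival time in seconds
    ingress: int     # ingress interface index
    src: str
    dst: str
    proto: int       # IP protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    tos: int         # IP Type of Service byte
    length: int      # IP length in bytes
    tcp_flags: int = 0


# The seven values from the article's flow definition, in the same order.
FlowKey = Tuple[int, str, str, int, int, int, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.ingress, p.src, p.dst, p.proto, p.sport, p.dport, p.tos)


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # bitwise OR of every TCP flag seen on the flow


class FlowCache:
    """Minimal flow cache applying the expiry rules above (timeout values are assumed)."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.flows: Dict[FlowKey, Flow] = {}

    def expire(self, now: float) -> List[Flow]:
        """Remove and return flows idle past inactive_timeout or alive past active_timeout."""
        expired = [f for f in self.flows.values()
                   if now - f.last >= self.inactive_timeout
                   or now - f.first >= self.active_timeout]
        for f in expired:
            del self.flows[f.key]
        return expired

    def add(self, p: Packet) -> List[Flow]:
        """Account one packet and return every flow record exported as a result."""
        exported = self.expire(p.ts)
        k = flow_key(p)
        f = self.flows.get(k)
        if f is None:
            f = Flow(key=k, first=p.ts, last=p.ts)
            self.flows[k] = f
        f.last = p.ts
        f.packets += 1
        f.octets += p.length
        f.tcp_flags |= p.tcp_flags
        # A FIN or RST ends the TCP session, so the flow is exported at once.
        if p.proto == 6 and p.tcp_flags & (FIN | RST):
            exported.append(self.flows.pop(k))
        return exported

    def flush(self) -> List[Flow]:
        """Export whatever is still cached (for example at shutdown)."""
        out = list(self.flows.values())
        self.flows.clear()
        return out


def run_demo() -> List[Flow]:
    """Feed constructed traffic through the cache; returns flows in export order."""
    cache = FlowCache(inactive_timeout=15.0)
    pkts = [
        Packet(0.0, 1, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 60),
        # Reply direction: a separate flow, because flows are unidirectional.
        Packet(0.1, 2, "203.0.113.10", "10.0.0.5", 6, 443, 51000, 0, 60),
        Packet(0.2, 1, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 1400),
        Packet(0.3, 1, "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 52, tcp_flags=FIN),
        Packet(1.0, 1, "10.0.0.7", "198.51.100.53", 17, 40000, 53, 0, 70),
        # Same 7-tuple 29 s later: the earlier DNS flow has already timed out.
        Packet(30.0, 1, "10.0.0.7", "198.51.100.53", 17, 40000, 53, 0, 70),
    ]
    exported: List[Flow] = []
    for p in pkts:
        exported.extend(cache.add(p))
    exported.extend(cache.flush())
    return exported


if __name__ == "__main__":
    for f in run_demo():
        print(f.key, f.packets, "pkts", f.octets, "bytes", f"flags=0x{f.tcp_flags:02x}")
```

The demo produces four records from six packets: the client-to-server TCP flow closed by the FIN, its reply direction as a separate record, and the DNS flow split in two by the inactivity timeout even though every field of the key is identical.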
NetFlow records are traditionally exported via UDP to a NetFlow collector. The collector then stores, prepares and analyzes the flow data to gain insights into network traffic.
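How a collector decodes a version 5 export, as an added example that is not code from the page or from any vendor: it packs a constructed v5 datagram with Python's struct module using the public v5 header and record layout, parses it back, and tracks the flow_sequence counter per exporter so that datagrams lost in UDP transit are counted instead of silently missed. The exporter address, the record values and the sequence gap are constructed for the demonstration.

```python
import socket
import struct
from typing import Dict, List, Tuple

# Public NetFlow v5 wire layout: 24-byte header, then up to 30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)
V5_MAX_RECORDS = 30


def build_v5_datagram(records: List[dict], flow_sequence: int,
                      uptime_ms: int = 10_000, unix_secs: int = 1_700_000_000) -> bytes:
    """Pack constructed flow records into a v5 datagram (what a router would send)."""
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton("0.0.0.0"),           # next hop unknown in this example
            r.get("input", 1), r.get("output", 2), r["packets"], r["octets"],
            uptime_ms - 5_000, uptime_ms - 1_000,  # first/last as sysUptime offsets
            r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
            0, 0, 24, 24, 0)
        for r in records)
    return header + body


def parse_v5_datagram(data: bytes) -> Tuple[dict, List[dict]]:
    """Decode one v5 datagram; raises ValueError on anything malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": engine_type, "engine_id": engine_id,
              "sampling_interval": sampling & 0x3FFF}  # top 2 bits are the sampling mode
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(V5_RECORD_FIELDS, fields))
        for name in ("srcaddr", "dstaddr", "nexthop"):
            rec[name] = socket.inet_ntoa(rec[name])
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return header, records


class V5Collector:
    """Tracks flow_sequence per exporter: over UDP a lost datagram shows up only as a gap here."""

    def __init__(self) -> None:
        self.next_seq: Dict[Tuple[str, int], int] = {}
        self.lost_flows = 0

    def ingest(self, exporter_ip: str, data: bytes) -> List[dict]:
        header, records = parse_v5_datagram(data)
        key = (exporter_ip, header["engine_id"])
        expected = self.next_seq.get(key)
        if expected is not None:
            gap = header["flow_sequence"] - expected
            if gap > 0:  # v5 sequence counts flows, so the gap is the number of flows lost
                self.lost_flows += gap
            # gap < 0 would mean the exporter restarted; the counter is simply resynced
        self.next_seq[key] = header["flow_sequence"] + header["count"]
        return records


def run_demo() -> Tuple[V5Collector, List[dict]]:
    """Two constructed datagrams from one exporter, with two flows lost between them."""
    first = [dict(src="10.0.0.5", dst="203.0.113.10", proto=6, sport=51000, dport=443,
                  packets=12, octets=9000, tcp_flags=0x1B)]
    second = [dict(src="10.0.0.7", dst="198.51.100.53", proto=17, sport=40000, dport=53,
                   packets=1, octets=70),
              dict(src="198.51.100.53", dst="10.0.0.7", proto=17, sport=53, dport=40000,
                   packets=1, octets=120)]
    collector = V5Collector()
    out = collector.ingest("192.0.2.1", build_v5_datagram(first, flow_sequence=0))
    # The exporter's next sequence should be 1; 3 means flows 1 and 2 never arrived.
    out += collector.ingest("192.0.2.1", build_v5_datagram(second, flow_sequence=3))
    return collector, out


if __name__ == "__main__":
    c, recs = run_demo()
    for r in recs:
        print(r["srcaddr"], r["srcport"], "->", r["dstaddr"], r["dstport"], r["prot"], r["dOctets"])
    print("flows lost in transit:", c.lost_flows)
```

Because v5 records carry no per-record timestamp, `first` and `last` are offsets from the exporter's `sys_uptime`; a real collector converts them with `unix_secs` from the header. The sequence-gap counter is the check worth keeping: a collector that ignores it will under-report traffic whenever the UDP path drops datagrams.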
NetFlow versions include:
Version 5: Most common, supports IPv4 flows
Version 9: Template-based, supports IPv6 and MPLS flows
IPFIX: Standardized version of NetFlow, on the IETF standards track
NetFlow provides visibility into network traffic flows which can be used for network management, security, troubleshooting and quality of service. By analyzing NetFlow data, you can determine the largest bandwidth consumers on your network.
NetFlow has become a de facto standard, with equivalent protocols from other vendors like Juniper Jflow, HP sFlow and Huawei NetStream. NetFlow collectors can gather data from a variety of sources.
NetFlow is a network protocol that provides valuable network visibility and insights. Some of the main benefits and use cases of NetFlow are:
Network Optimization
NetFlow data can be used to optimize network performance and throughput. By understanding network traffic patterns, bottlenecks can be identified and addressed. NetFlow can help:
Track top bandwidth consumers
Identify network applications in use
Detect network anomalies
This visibility helps maximize network efficiency and uptime.
Network Planning
NetFlow records provide insight into historical and current network traffic. This data can be used for:
Capacity planning to ensure adequate bandwidth for future growth
Network upgrades planning by determining port, routing and other hardware needs
Having accurate traffic flow data makes network planning more efficient.
Cybersecurity
NetFlow can be used as an anomaly detection tool to identify potential threats and security incidents:
Detect DDoS attacks based on sudden increases in traffic
Identify suspicious traffic to/from embargoed countries
Detect malware command and control communications
Detect data exfiltration via DNS tunneling
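Detection logic of the kind the list above describes, as an added example that is not part of the original article: it runs four heuristics over a constructed set of flow records: a top-bandwidth-consumer ranking (the case the optimization and troubleshooting sections also describe), a many-sources-to-one-destination pattern for volumetric DDoS, oversized DNS flows as a DNS-tunneling indicator, and near-periodic flows to one destination as a command-and-control beaconing indicator. The thresholds, addresses and traffic mix are assumptions chosen for illustration; in practice they are tuned against the network's own baseline.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """A flow as a collector would store it (constructed sample data, not captured)."""
    start: float   # seconds since epoch
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def top_talkers(flows: List[FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Sources ranked by bytes sent: the 'top bandwidth consumers' view."""
    by_src: Counter = Counter()
    for f in flows:
        by_src[f.src] += f.octets
    return by_src.most_common(n)


def ddos_targets(flows: List[FlowRecord], min_sources: int = 50,
                 min_small_ratio: float = 0.9) -> List[Tuple[str, int]]:
    """Destinations hit by many distinct sources whose flows are almost all tiny (assumed thresholds)."""
    sources: Dict[str, set] = defaultdict(set)
    total: Counter = Counter()
    small: Counter = Counter()
    for f in flows:
        sources[f.dst].add(f.src)
        total[f.dst] += 1
        if f.packets <= 2:
            small[f.dst] += 1
    return [(dst, len(s)) for dst, s in sources.items()
            if len(s) >= min_sources and small[dst] / total[dst] >= min_small_ratio]


def dns_tunnel_suspects(flows: List[FlowRecord], max_avg_bytes: int = 200,
                        min_flows: int = 20) -> List[Tuple[str, int]]:
    """Sources whose DNS flows carry far more bytes than ordinary lookups (assumed thresholds)."""
    stats: Dict[str, List[int]] = defaultdict(lambda: [0, 0])  # src -> [flows, octets]
    for f in flows:
        if f.proto == 17 and f.dport == 53:
            stats[f.src][0] += 1
            stats[f.src][1] += f.octets
    return [(src, octets // n) for src, (n, octets) in stats.items()
            if n >= min_flows and octets / n > max_avg_bytes]


def beacon_suspects(flows: List[FlowRecord], min_flows: int = 8,
                    max_cv: float = 0.1) -> List[Tuple[Tuple[str, str, int], float]]:
    """(src, dst, dport) pairs whose flow start times are almost perfectly periodic."""
    starts: Dict[Tuple[str, str, int], List[float]] = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.start)
    found = []
    for key, ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        # coefficient of variation: low means the gaps are nearly constant
        if m > 0 and pstdev(gaps) / m <= max_cv:
            found.append((key, round(m, 1)))
    return found


def sample_flows() -> List[FlowRecord]:
    """Constructed traffic: normal browsing and DNS, plus one tunnel, one beacon, one flood."""
    flows: List[FlowRecord] = []
    for i, off in enumerate([0, 5, 19, 23, 60, 61, 130, 300, 301, 777]):   # irregular browsing
        flows.append(FlowRecord(1000 + off, "10.0.0.5", "203.0.113.10", 6, 51000 + i, 443, 40, 60000))
    for i in range(25):                                                       # ordinary DNS lookups
        flows.append(FlowRecord(1000 + 13 * i + (i * i) % 17, "10.0.0.5", "198.51.100.53", 17, 40000 + i, 53, 1, 70))
    for i in range(25):                                                       # DNS tunnel: 900-byte "queries"
        flows.append(FlowRecord(1000 + 5 * i + (7 * i) % 11, "10.0.0.9", "198.51.100.53", 17, 42000 + i, 53, 4, 900))
    for i in range(12):                                                       # beacon every ~60 s with 1 s jitter
        flows.append(FlowRecord(1000 + 60 * i + (i % 3) - 1, "10.0.0.23", "192.0.2.77", 6, 52000 + i, 8443, 3, 400))
    for i in range(200):                                                      # flood: 200 sources, one packet each
        flows.append(FlowRecord(1500 + (i % 10) * 0.1, f"198.18.0.{i}", "203.0.113.10", 6, 1024 + i, 80, 1, 40))
    return flows


if __name__ == "__main__":
    data = sample_flows()
    print("top talkers:", top_talkers(data))
    print("ddos targets:", ddos_targets(data))
    print("dns tunnel suspects:", dns_tunnel_suspects(data))
    print("beacon suspects:", beacon_suspects(data))
```

Each heuristic works only on the fields a flow record carries (addresses, ports, counts and timing), which is exactly why NetFlow scales where full packet capture does not, and also why none of these findings is proof on its own: the flood and tunnel checks need a baseline to set their thresholds, and the beacon check will also flag legitimate periodic traffic such as monitoring polls, so confirmed hits are triage leads for the incident-response step the next paragraph mentions.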
NetFlow records also provide valuable information for incident response and network forensics investigations.
Data Leak Prevention
NetFlow analytics can detect anomalous amounts of data leaving the network which could indicate data leaks or theft of intellectual property. Combined with identity management systems, NetFlow can identify:
Who initiated the data transfer
The source and destination hosts
The amount of data transferred
The services and protocols used
This visibility enables data leak detection and prevention.
Compliance
NetFlow can help organizations meet compliance requirements like PCI DSS that mandate adequate network monitoring. NetFlow provides the necessary network visibility to detect security incidents, anomalies and policy violations.
In summary, NetFlow offers a cost-effective way to gain valuable network visibility for purposes like optimization, planning, security and compliance. The traffic flow data extracted from NetFlow records provides insights that can improve network performance, security posture and compliance.
Use cases
NetFlow data can provide valuable insights for network troubleshooting in the following ways:
Identifying Traffic Anomalies
NetFlow collects data on network traffic flows such as source and destination IP addresses, ports, protocols, and bytes transferred. By analyzing this flow data over time, anomalies and deviations from normal traffic patterns can be identified. This could indicate issues like:
DDoS attacks
Malware infections
Network scans
Data leaks
Spotting these anomalies early can help troubleshoot and resolve network issues before they significantly impact users.
Tracking Top Bandwidth Consumers
NetFlow records show which source IP addresses are generating the most traffic and consuming the most bandwidth. This visibility helps network teams quickly identify potential issues related to bandwidth hogs. They can then investigate further to determine if it is normal usage or a sign of a problem.
Application Usage Monitoring
NetFlow collects port and protocol information which reveals which applications and services are in use on the network. Monitoring application usage over time provides a baseline that makes it easier to spot any abnormal application behavior that could indicate an issue.
Identifying Network Bottlenecks
By analyzing traffic patterns and volume between different parts of the network, NetFlow data can help identify potential bottlenecks. This could be due to congested links, misconfigured routers/switches, or other factors limiting network performance.
Incident Investigation and Forensics
During a network outage or performance issue, NetFlow records provide valuable historical data that can be analyzed to determine the root cause. The flow records show what hosts were communicating, what applications or services were impacted, and other details that aid troubleshooting and forensics efforts.
Optimization and Planning
Insights from NetFlow data also help optimize network performance by identifying unnecessary traffic, redundant links, and other inefficiencies. This visibility also aids capacity planning and network upgrades by providing accurate traffic trends and patterns.
Here are the top 10 most useful NetFlow tools:
SolarWinds NetFlow Traffic Analyzer - This is a leading NetFlow analysis tool that can analyze traffic from multiple NetFlow variants like sFlow, J-Flow, IPFIX, etc. It provides real-time bandwidth monitoring and troubleshooting.
SolarWinds Engineer's Toolset - This provides over 60 networking tools including NetFlow monitoring, traffic generation, and remote configuration.
ManageEngine NetFlow Analyzer - This tool provides real-time visibility into network bandwidth usage and traffic patterns. It supports multiple flow protocols like NetFlow, sFlow, J-Flow, etc.
Paessler PRTG Network Monitor - PRTG offers comprehensive network monitoring including NetFlow support. It has a user-friendly interface and auto-discovery of devices.
Kentik Detect - This is a cloud-based NetFlow analysis tool that provides real-time insights into network traffic and performance. It supports NetFlow, sFlow, IPFIX, and SNMP.
Nagios - This open-source network monitoring tool offers both free (Nagios Core) and paid (Nagios XI) versions. It can monitor bandwidth usage and detect network issues.
Wireshark - This free and open-source packet analyzer can also decode NetFlow export packets, which makes it useful for inspecting what an exporter actually sends. It offers powerful capture and display filters.
nProbe and ntopng - This is an open-source suite for NetFlow collection and analysis. nProbe collects the flow data which is then analyzed by ntopng.
NetVizura NetFlow Analyzer - This tool provides network traffic analysis, bandwidth monitoring, and customized alarms based on NetFlow data.
Plixer Scrutinizer - This tool provides comprehensive network visibility and security monitoring based on NetFlow data. It offers in-depth reporting and real-time flow analysis.