Network flow monitoring is an essential tool for a lot of network administrators. Flow monitoring allows you to collect and record all IP traffic going to and from a network device. Network flow data can provide more detail than other common monitoring methods, like viewing interface utilization or SNMP-based polling. SNMP may be convenient, but it only reports the total amount of traffic and lacks information about the source and destination of the transmission. SNMP is a broad tool with many uses, but flow monitoring is explicitly designed for monitoring network traffic.
Flow monitoring allows you to dig deeper and can include the source, destination, application, and other attributes. This gives you visibility into causes of congestion, which applications are using the most resources, abnormal traffic patterns, or the ability to provide usage-based billing.
What is network flow?
Generally, you can think of a network flow as a unique combination of source and destination IP address, source and destination port, and protocol. Different standards define a flow differently, and you have options for how you define a flow in your network. Every time a NetFlow enabled network device sees a new flow, it starts counting packets and bytes, and will aggregate that information for collection, processing, and analysis.
There are many protocols for flow monitoring available, but one of the best known is NetFlow. Cisco originally developed NetFlow, but it has become the basis for many industry standards. Since then, there have been many revisions and other standards built on top of NetFlow.
Implementing NetFlow requires three main components:
- Flow exporter: Typically, a network device like a switch or router. Flow exporters aggregate packets into flows and export them to a collector.
- Flow collector: Typically, a server, which is responsible for receiving, storing, and preparing the data for analysis.
- Analysis application: The software that analyzes flow data, and allows you to view it.
NetFlow History and Version Differences
There are many versions of NetFlow, but the most important to know are 5 and 9 since they are the most commonly used versions. NetFlow was developed initially as a packet switching technology for Cisco routers, implemented in IOS 11 in 1996. It was supposed to be an improvement over Cisco Fast Switching. Cisco Express Forwarding proved to be a better fit for packet switching, and NetFlow v1 became the basis of the flow monitoring protocols we have today. Version 1 was limited to IPv4, without IP network masks or autonomous system numbers (ASNs). NetFlow version 1 is now obsolete. Versions 2 through 4 were Cisco’s internal versions, which were never released.
NetFlow v5 is the oldest version that is still commonly in use, and it’s still the most used version. NetFlow v5 has a fixed arrangement of fields that can be used, and v5 only works with IPv4, and only with ingress traffic flows. NetFlow v5 cannot modify the attributes it tracks. It also cannot export records based on L2 flows and lacks some L2 attributes, like MPLS labels.
NetFlow Version 5 Flow Record Format:
– Source and Destination IP address
– IP address of a next-hop router
– SNMP index of input and output interface
– Number of packets in the flow
– Number of Layer 3 bytes in the packets of the flow
– System Uptime at the start, and the time the last packet of the flow was received
– TCP/UDP source and destination port number
– Cumulative OR of TCP flags
– IP protocol type (for example, TCP = 6; UDP = 17)
– IP type of service (ToS)
– Autonomous system number of the source and destination, either origin or peer
– Source and destination address prefix mask bits
NetFlow v6 is another obsolete version, and v7 is nearly identical to v5. Version 7 adds a source router field and is mainly used in older Cisco Catalyst switches. NetFlow v8 is another uncommon version, which allows for the aggregation of several forms, but only for information that is already present in version 5 records.
NetFlow v9 switched to being template-based, rather than having a fixed set of fields which have to be used, like version 5. Depending on the type of data you are trying to capture, you can use different templates that track different attributes.
This allows NetFlow v9 to be much more flexible, which is why it is commonly referred to as Flexible NetFlow. Version 9 can be used for everything version 5 can be used for, but it also can be used for egress flows, IPv6, MPLS, and IPv4 with BGP next-hop. NetFlow v9 also served as the basis for the current industry standard, IPFIX. v10 isn’t a version of NetFlow but is instead used for identifying IPFIX.
IPFIX is based on the NetFlow v9 and uses a similarly flexible, template-based approach. IPFIX is an IETF standard which is described in RFC (https://tools.ietf.org/html/rfc7011) and (https://tools.ietf.org/html/rfc7012). Although IPFIX is heavily based on NetFlow, v10 does not have anything to do with NetFlow. NetFlow and its variations are still widely used, but IPFIX is now the open industry standard.
sFlow and Other options
Another popular version of network flow monitoring is sFlow, or sampled NetFlow. Since NetFlow keeps track of every flow in your network, during times of high utilization, this can have a negative impact on performance. A popular option to prevent this is only to sample a portion of network traffic. This limits the performance impact, with the downside being that not all data is captured.
sFlow has no notion of flows or packet aggregation but instead allows for exporting packet data chunks and interface counters, which are also possible with the latest versions of IPFIX. While typical flow export protocols like NetFlow use a 1:1 sampling rate, this is typically not possible with sFlow. sFlow is meant for capturing a random sample of network traffic, which makes it more scalable for network-wide monitoring. NetFlow works best if you want to capture all data on a few key interfaces, sFlow can be a better fit for capturing a sample of all traffic on all interfaces.
Which Protocol Should You Use?
Choosing the right protocol and version depends on what your network devices support and what you are trying to accomplish. If you only need IPv4 and the attributes available in NetFlow v5, that is still a viable option. NetFlow v5 still has broad support over many generations of devices from many manufacturers. If you need flexibility, MPLS, BGP next-hop, or IPv6 support, NetFlow v9 and IPFIX are probably a better fit.
No matter which you choose, it will require some testing and adjustment to get it tuned for your needs. Once correctly deployed, network flow monitoring will give you insight into your network that you didn’t have before. It is an excellent tool for network administrators that shouldn’t be overlooked.
The Future of Network Flow Monitoring
The future of network flow monitoring is full of potential. In the past, NetFlow and IPFIX could quickly overwhelm the amount of resources available on a network device, creating a bottleneck or running into limitations when utilization was high. As network devices become more capable, and more devices are designed with flow monitoring in mind, the benefits will only grow, and the limitations will be less of an issue. Whether you choose Netflow, JFlow, sFlow, IPFIX, or NetStream, Noction Flow Analyzer will support your network flow monitoring needs.
Read this article in French – L’évolution des méthodes de surveillance des flux réseau, de NetFlow à IPFIX