NetFlow

What is NetFlow?

NetFlow is a proprietary network protocol originally developed for Cisco routers by Cisco Systems. It is widely used to collect metadata about the IP traffic flowing across network devices such as routers, switches and hosts. By monitoring and analyzing NetFlow data, administrators can gain insights into network traffic flow and volume.

The NetFlow protocol’s datagram carries information such as the source and destination ports, source IP addresses, destination IP addresses, IP protocol, and the IP service type. If administrators collect flow records from all flow-enabled network devices — routers, switches, etc. — they gain visibility and an understanding of where network traffic data is coming from and going to, how much traffic is being generated, who is consuming most bandwidth, and more. These data points can be used for anomaly detection, monitoring bandwidth usage, capacity planning, and to validate the effectiveness of QoS (Quality of Service) policy.

How can NetFlow data be collected and analyzed?

Typically network administration teams employ NetFlow monitoring tools for flow data collection and analysis. A NetFlow monitoring tool uses a flow collector to gather network packets and export the flow data from flow-enabled devices. A NetFlow analyzer is then used to process the raw flow data into meaningful insights through visualizations, real-time alerts, and historical reports.

Monitoring NetFlow requires three components:

  • Flow exporter: a network device (a router or firewall) in charge of obtaining flow data and exports it to a flow collector
  • Flow collector: a device that collects the exported flow data
  • Flow analyzer: an application that examines and analyses the flow data collected by the flow collector

What monitoring tools are popular to collect and analyze NetFlow data?

Popular monitoring tools supporting NetFlow analysis include: SolarWinds NetFlow Traffic Analyzer (NTA), eG Enterprise NetFlow Analyzer, PRTG Network Monitor, ManageEngine NetFlow Analyzer, Scrutinizer by Plixer, Cisco Stealthwatch, Dynatrace and others.

Features and use cases vary greatly, particularly in the amount of human operator interaction and manual configuration needed. The more sophisticated AIOps based platforms such as eG Enterprise can provide automated deployment, metric thresholds and alerts out-of-the-box, so issues and anomalous behaviors are proactively and continuously monitored.

What are the differences between NetFlow versions (e.g., NetFlow v5, v9, IPFIX)?

The first NetFlow version 1 was supported in all the initial flow monitoring releases. Versions 2, 3, and 4 were only usable as internal releases. NetFlow V5 became widely used with its fixed packet format and is still supported by various routers. Versions 7 and 8 had a few improvements and they are no longer used in practice.

NetFlow v9 offers significant improvements over v5 and introduced template-based flow exporting, offering greater flexibility and extensibility. V9 allows export of customizable flow records using templates, which reduces the data export overhead and supports additional fields beyond the fixed ones in v5. NetFlow v9 also supports IPv6 flow records, MPLS (Multi-Protocol Label Switching) information, and additional Layer 2 information like VLAN ID. The template-based structure enables the inclusion of vendor-specific or custom fields, making it more adaptable to different network environments.

IPFIX (IP Flow Information Export) is an IETF standard (RFC 7011) that is based on the concepts of NetFlow v9. It is essentially NetFlow v9 with standardization. IPFIX is designed to be vendor-neutral, making it compatible with a wide range of network devices and flow analysis tools from different vendors. It supports various encodings for the flow data export, including binary and IPFIX Message Format (IPFIX over TCP and UDP). IPFIX is commonly used in environments where standardization and interoperability are important.

IPFIX is sometimes colloquially referred to as NetFlow v10 although Cisco do not release a “NetFlow v10”.

What insights can be gained from NetFlow data?

A NetFlow analyzer obtains different compositions of data from the incoming flow data. You can gain insights such as:

  • Data about flow records across all the flow-monitored systems
  • Traffic flows by specific protocol, application, domain, ports, Source, and destination IPs.
  • Top conversations, addresses, and independent systems
  • Sources and destinations by geographical location

This flow data can help you find out

  • Who is using forbidden applications?
  • Who is using significant bandwidth and slowing down the network?
  • What protocols are heavily used over the network?
  • Which end points are attacks originating from?

Key use cases and benefits of NetFlow

There are many good applications for which NetFlow is leveraged, key use cases and benefits include:

  • Optimizing Bandwidth Utilization and Capacity Planning: NetFlow data allows network administrators to view the complete report on the traffic by specific interfaces in the network, specific protocols, and specific applications, which allows them to understand where bandwidth is getting consumed. By identifying the top talkers on the network, network admins can also see who the top consumers of bandwidth are, validate if that is relevant traffic, plan to optimize usage, and help in capacity planning. When using cloud applications, such as Office 365, Internet usage is likely to go up in organizations. Analysis of network traffic will let network admins know which application access has contributed to increased bandwidth, so they can understand the impact of Office 365 and such cloud applications on network bandwidth.
  • Enhanced Network Observability: NetFlow provides complete visibility into the networks. You can specify the traffic sections you would like to monitor based on the tracks provided by flow data. For instance, you can classify Internet HTTP/S traffic by ports used or separate traffic by the protocol used. This gives network admins the ability to view the bandwidth usage (source and destination of traffic). Also, network admin teams can customize the data according to their need, be it for recording, detailed analysis or proper planning. From the NetFlow data, network admins can correlate IP addresses with users who accessed them. Using this data, they can quickly predict QoS and allocate resources per user. And they can also prevent exposure of the network to malware risks and security compromises, thereby getting a clear view of which user communicated with which IP address, which application the user accessed, and so on.
  • Enabling Root Cause Diagnosis: NetFlow monitoring facilitates root cause analytics. When a user complains that email is slow, it could be because of a variety of reasons — a problem in the mail server, capacity problem with the user’s mailbox, or even a problem in dropped packets over the wire. By analyzing NetFlow flow records, network admins can understand the impact of email over the network and see if there are any packet drops or response time issues causing emails or any application access to be slow. With AIOps enabled platforms such as eG Enterprise, monitoring and root cause analytics are automated and real time alerting is implemented that automatically alerts network issues causing application performance slowdowns or exhibiting abnormal usage patterns.
  • Security Awareness: Network security is another key application of NetFlow. By monitoring flow data, it’s simple to understand where most of your resources are being used. Many security attacks consume resources in an anomalous fashion, so if any spikes occur in a particular time or location, they can be identified and investigated for a security breach. With advanced NetFlow analysis, these issues are highlighted and can be intervened on.

Can NetFlow be used in cloud environments or with virtualized networks?

Often in cloud environments or virtualized environments provided by a third-party the network behavior and component metrics are deliberately obfuscated or abstracted from the IT administrator, usually for security reasons and because networking is assumed to be the responsibility of the platform (Cloud or virtualized infrastructure) provider. In these cases, administrators should take care to ensure their monitoring and observability tools have a solid and comprehensive integration with the platform vendors APIs and interfaces to ensure access to networking insights.

On-premises virtualized environments can usually retain full access to the raw NetFlow data and components and moreover correlate such data with monitoring data from the virtualization layers, applications and hardware too.  

Related Resources

WEB

Network monitoring with eG Enterprise

Read Page

Blog

What is NetFlow? - The complete guide to Cisco NetFlow monitoring

Read Blog

WEB

NetFlow analyzer and bandwidth monitoring tool

Read Page

PRODUCT

How It Works Key Features SaaS Deployment Supported Technologies Pricing Benefits Why Choose eG New! eG Enterprise v7 Application Performance Management Digital Workspace Tools Hybrid Cloud Monitoring IT Infrastructure Monitoring End User Experience Monitoring

Solutions

Citrix Monitoring VMware Horizon Monitoring Azure Virtual Desktop Monitoring AWS Workspaces Monitoring AWS Cloud Monitoring Azure Monitoring Java Application Monitoring .NET Monitoring SAP Monitoring VMware Hypervisor Monitoring Network Monitoring

Resources

Demos Webinars White Papers Case Studies Expert Reviews Alternatives Media Kit Glossary

Company

About Us Customers Partners Support Documentation Press Releases Awards Careers Blog Events Contact Us

eG Innovations, Inc.,
33 Wood Ave. South, Suite 600, Iselin,
NJ 08830, USA Phone: +1 (866) 526 6700

© 2024 eG Innovations. All rights reserved.

Privacy Policy  |  Terms of Use