Logging basics: What is NetFlow

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flows. It provides detailed data on network traffic, which is invaluable for network administrators who need to analyze and optimize network performance.

NetFlow works by capturing metadata about IP traffic flowing through a network device such as a router or switch. This data is then sent to a NetFlow collector for analysis. Here’s a breakdown of how NetFlow works and the type of data it collects:



  1. A network device configured for NetFlow captures flow data as packets pass through its interfaces.
  2. The captured flow data includes various fields such as source and destination IP addresses, source and destination ports, IP protocol, and the amount of data transferred.
  3. This flow data is exported from the network device to a NetFlow collector, typically using UDP on port 2055.
  4. The NetFlow collector aggregates and stores the data, making it available for analysis and reporting.



NetFlow captures a wealth of information about network traffic. Some of the key fields included in a NetFlow record are:



  • Source IP Address: The IP address of the device that sent the packets.
  • Destination IP Address: The IP address of the device that received the packets.
  • Source Port: The port number on the source device.
  • Destination Port: The port number on the destination device.
  • IP Protocol: The IP protocol (e.g., TCP, UDP, ICMP) used by the packets.
  • IP Type of Service (ToS): The quality of service (QoS) applied to the packets.
  • Input Interface: The interface on the network device where the packets entered.
  • Output Interface: The interface on the network device where the packets exited.
  • Packets and Bytes: The number of packets and bytes transferred in the flow.



NetFlow data is exported in packets containing multiple flow records. To capture and analyze NetFlow traffic, tools like tcpdump can be used. Here’s an example of how to capture NetFlow traffic with tcpdump:


# Capture NetFlow traffic on UDP port 2055
sudo tcpdump -i eth0 udp port 2055


A captured NetFlow packet might look something like this:


14:05:01.123456 IP router.2055 > collector.2055: UDP, length 456

This line shows a NetFlow packet sent from a router to a NetFlow collector on UDP port 2055. The packet contains multiple flow records with detailed information about the network traffic.

On the wire, a NetFlow packet consists of a header and multiple flow records. Each flow record includes fields such as source and destination IP addresses, ports, protocol, and other details.

Here’s a more detailed breakdown of a NetFlow v5 record structure:


struct netflow_v5_record {
    u_int32_t srcaddr; // Source IP address
    u_int32_t dstaddr; // Destination IP address
    u_int32_t nexthop; // IP address of next hop router
    u_int16_t input; // SNMP index of input interface
    u_int16_t output; // SNMP index of output interface
    u_int32_t dPkts; // Packets in the flow
    u_int32_t dOctets; // Bytes in the flow
    u_int32_t first; // SysUptime at start of flow
    u_int32_t last; // SysUptime at the time the last packet of the flow was received
    u_int16_t srcport; // TCP/UDP source port number or equivalent
    u_int16_t dstport; // TCP/UDP destination port number or equivalent
    u_int8_t pad1; // Unused (zero) bytes
    u_int8_t tcp_flags; // Cumulative OR of TCP flags
    u_int8_t prot; // IP protocol type (for example, TCP = 6; UDP = 17)
    u_int8_t tos; // IP type of service (ToS)
    u_int16_t src_as; // Autonomous system number of the source, either origin or peer
    u_int16_t dst_as; // Autonomous system number of the destination, either origin or peer
    u_int8_t src_mask; // Source address prefix mask bits
    u_int8_t dst_mask; // Destination address prefix mask bits
    u_int16_t pad2; // Unused (zero) bytes
};
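As an added example (not code from the original post or from Trunc), the Python below decodes a v5 export datagram in exactly the layout described above: the 24-byte header followed by 48-byte records in the same field order as struct netflow_v5_record, then performs the simplest collector step, aggregating bytes per source address. It also rejects datagrams whose announced record count does not match the bytes actually received, the truncation case a collector should not silently accept. The sample datagram is constructed inline with documentation-range addresses (10.0.0.5, 203.0.113.7, 198.51.100.9) and is not a real capture; a collector would obtain each datagram from a UDP socket bound to port 2055 and hand it to parse_v5_packet.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
# NetFlow v5 record (48 bytes), same field order as struct netflow_v5_record.
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
V5_MAX_RECORDS = 30  # a v5 export datagram carries at most 30 records


def parse_v5_packet(data: bytes) -> dict:
    """Decode one v5 export datagram into {"header": {...}, "records": [...]}.

    Raises ValueError for input a collector should not trust: too short for a
    header, wrong version, impossible record count, or a record count that
    announces more bytes than the datagram actually carries (truncation).
    """
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(data, 0)))
    if header["version"] != 5:
        raise ValueError(f"unsupported NetFlow version {header['version']}")
    if header["count"] > V5_MAX_RECORDS:
        raise ValueError(f"record count {header['count']} exceeds v5 maximum")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(data) < expected:
        raise ValueError(f"header announces {expected} bytes, got {len(data)}")
    records = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(data, offset)))
        # Render addresses and protocol in readable form for reporting
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(struct.pack("!I", rec[key]))
        rec["proto_name"] = PROTO_NAMES.get(rec["prot"], str(rec["prot"]))
        records.append(rec)
    return {"header": header, "records": records}


def bytes_by_source(records: list) -> dict:
    """The aggregation step of a collector: total bytes sent per source address."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["srcaddr"]] += rec["dOctets"]
    return dict(totals)


def build_sample_packet() -> bytes:
    """Constructed sample datagram (not a real capture) with two flows from one host."""
    def ip(dotted):
        return struct.unpack("!I", socket.inet_aton(dotted))[0]
    flows = [
        # 10.0.0.5:51234 -> 203.0.113.7:443 TCP, 12 packets, 9000 bytes, flags FIN|SYN|ACK
        (ip("10.0.0.5"), ip("203.0.113.7"), ip("10.0.0.1"), 1, 2, 12, 9000, 1000, 2000,
         51234, 443, 0, 0x13, 6, 0, 64512, 65000, 24, 24, 0),
        # 10.0.0.5:53000 -> 198.51.100.9:53 UDP, 1 packet, 76 bytes
        (ip("10.0.0.5"), ip("198.51.100.9"), ip("10.0.0.1"), 1, 2, 1, 76, 2100, 2100,
         53000, 53, 0, 0, 17, 0, 64512, 65001, 24, 32, 0),
    ]
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0, 42, 0, 0, 0)
    return header + b"".join(V5_RECORD.pack(*f) for f in flows)


if __name__ == "__main__":
    parsed = parse_v5_packet(build_sample_packet())
    for rec in parsed["records"]:
        print(f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
              f"{rec['proto_name']} pkts={rec['dPkts']} bytes={rec['dOctets']}")
    print("bytes by source:", bytes_by_source(parsed["records"]))
    try:
        parse_v5_packet(build_sample_packet()[:-10])  # simulate a truncated datagram
    except ValueError as err:
        print("rejected:", err)
```

The length check matters in practice because the exporter sends over UDP with no retransmission: a datagram clipped by an MTU mismatch or a lossy path arrives with a header that still claims the full record count, and a parser that trusts count alone will either raise an index error or, worse, emit flows built from whatever bytes follow the buffer.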


NetFlow has evolved through several versions, each adding new features and capabilities:



  • NetFlow v1: The initial version, introduced in 1996, was limited in features and capabilities.
  • NetFlow v5: The most widely deployed version; it added fields to the record (for example the source and destination autonomous system numbers shown in the record structure above) and improved performance.
  • NetFlow v7: Specific to Cisco's Catalyst 6500 switches, adding features like Layer 2 support.
  • NetFlow v9: Introduced a template-based approach, allowing for greater flexibility and support for new fields and technologies. It is the basis for the IPFIX (IP Flow Information Export) standard.



NetFlow data can generate a substantial amount of information, and understanding the storage requirements is crucial for effective log management. The size of a single NetFlow v5 record is typically 48 bytes. Based on this, the storage requirements can be estimated as follows:



  • 1 million records: 48 bytes * 1,000,000 = 48 MB
  • 10 million records: 48 bytes * 10,000,000 = 480 MB
  • 100 million records: 48 bytes * 100,000,000 = 4.8 GB



When planning for NetFlow data storage, it’s essential to consider not only the raw data size but also the indexing and potential overhead for efficient querying and retrieval. Regular data pruning and summarization can help manage storage requirements effectively.

Understanding how NetFlow works and the data it collects is essential for effective network monitoring and analysis. NetFlow provides detailed insights into network traffic patterns, helping administrators optimize performance, detect anomalies, and troubleshoot issues.

If you are using Trunc, we automatically parse and handle NetFlow events, allowing you to seamlessly store, search, and analyze your network flow data without worrying about the complexities of data management and storage.





Posted in netflow by trunc_team