
Netflow application

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

A typical flow monitoring setup (using NetFlow) consists of three main components:

- Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.
- Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
- Analysis application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example.

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector, typically a server that does the actual traffic analysis.

Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:

- Source port for UDP or TCP, 0 for other protocols.
- Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols.

Note that the egress interface, IP next hop and BGP next hops are not part of the key, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.

This definition of flows is also used for IPv6, and a similar definition is used for MPLS and Ethernet flows.

Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.

The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter.

A typical output of a NetFlow command line tool (nfdump in this case) when printing the stored flows may look as follows:

    Date flow start  Duration  Proto  Src IP Addr:Port  Dst IP Addr:Port  Packets  Bytes  Flows
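The flow key and flow aging described here can be sketched as a small flow cache. This is an added example, not code from the original page or from any router or collector. The key fields other than the two ports (ingress interface, source and destination address, IP protocol, type of service) come from the standard version 5 definition, and the 15-second timeout, the ICMP encoding as type*256 + code, and the sample packets are assumptions made for the sketch.

```python
from collections import namedtuple

# Constructed packet observation; out_if is the egress the router chose for it.
Packet = namedtuple("Packet", "ts in_if src dst proto sport dport tos size out_if")
INACTIVE_TIMEOUT = 15  # seconds without traffic before export (assumed value)

def flow_key(p):
    """Seven-field v5-style key; the egress interface is deliberately absent."""
    sport, dport = 0, 0                    # protocols without ports
    if p.proto in (6, 17):                 # TCP, UDP: real ports
        sport, dport = p.sport, p.dport
    elif p.proto == 1:                     # ICMP: type*256 + code sits in dport
        dport = p.dport
    return (p.in_if, p.src, p.dst, p.proto, sport, dport, p.tos)

class FlowCache:
    def __init__(self, timeout=INACTIVE_TIMEOUT):
        self.timeout, self.active, self.exported = timeout, {}, []

    def expire(self, now):
        # Export every flow whose aging counter has run out.
        idle = [k for k, f in self.active.items() if now - f["last"] >= self.timeout]
        for k in idle:
            self.exported.append(self.active.pop(k))

    def observe(self, p):
        self.expire(p.ts)
        key = flow_key(p)
        f = self.active.setdefault(key, {"key": key, "first": p.ts, "packets": 0,
                                         "bytes": 0, "out_if": p.out_if})
        f["last"] = p.ts                   # new traffic resets the aging counter
        f["packets"] += 1
        f["bytes"] += p.size

def run(packets, end_ts):
    cache = FlowCache()
    for p in sorted(packets):              # namedtuples sort by ts first
        cache.observe(p)
    cache.expire(end_ts)                   # final sweep at end of capture
    return cache.exported

SAMPLE = [  # constructed traffic, one direction only
    Packet(0, 1, "10.0.0.5", "192.0.2.10", 6, 40000, 443, 0, 60, 2),
    Packet(5, 1, "10.0.0.5", "192.0.2.10", 6, 40000, 443, 0, 1500, 2),
    Packet(10, 1, "10.0.0.5", "192.0.2.10", 6, 40000, 443, 0, 1500, 3),  # route changed
    Packet(12, 1, "10.0.0.5", "192.0.2.10", 1, 0, 8 * 256 + 0, 0, 84, 3),  # echo request
    Packet(40, 1, "10.0.0.5", "192.0.2.10", 6, 40000, 443, 0, 60, 3),  # after idle gap
]
if __name__ == "__main__":
    print(*run(SAMPLE, end_ts=100), sep="\n")
```

The first exported record still reports egress interface 2 although its last packet left through interface 3, and the TCP packet at t=40 opens a second record with the same key because the first one had already aged out. An analysis application that counts connections from flow records needs to account for both effects.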








