Tuesday, April 28, 2009

Netflow and You!!

Recently, I've been working a lot with Netflow trying to nail down a particular problem, so I thought it would be a good topic to discuss.

What is Netflow?

Cisco developed the Netflow protocol to provide a method of IP accounting. Although it began as a proprietary protocol, Netflow has since been supported on other platforms such as Juniper's JunOS.

Multiple versions of the protocol are defined. Version 5 is the most common, and what most administrators would use.

So what exactly is a flow?

A flow is a unidirectional stream of packets that all share a common set of attributes. Those attributes are:

  • Source and destination IP
  • Source and destination port (can also be 0 for non-TCP/UDP traffic, or type codes for ICMP)
  • IP Protocol
  • Ingress Interface
  • Type of Service

If you think it through, it's not as complicated as it sounds. The important thing to remember is the unidirectional aspect of it. When you load up this site, there is a packet stream from you to the web server, and there is another packet stream from the web server to you. There is a distinct flow of data in each direction, and thus, two flows. Firewall and security junkies will instinctively think of this as a single connection, but don't let that trip you up.
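To make the "two flows per connection" point concrete, here is an added example (not from the original post) that groups constructed packet records into flows using exactly the attribute list above as the key. The ICMP handling assumes the Netflow v5 convention of packing type*256+code into the destination port field; the packet dict layout and sample addresses are constructed for the example.

```python
from collections import OrderedDict
from typing import NamedTuple

TCP, UDP, ICMP = 6, 17, 1

class FlowKey(NamedTuple):
    """The attributes every packet in one flow shares (the list above)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    ingress_if: int
    tos: int

def flow_key(pkt: dict) -> FlowKey:
    """Derive the flow key from a packet record. Non-TCP/UDP traffic has no
    ports, so both are 0; for ICMP the destination port carries type*256+code
    (Netflow v5 convention, assumed here)."""
    proto = pkt["proto"]
    if proto in (TCP, UDP):
        sport, dport = pkt["sport"], pkt["dport"]
    elif proto == ICMP:
        sport, dport = 0, pkt["icmp_type"] * 256 + pkt["icmp_code"]
    else:
        sport = dport = 0
    return FlowKey(pkt["src"], pkt["dst"], sport, dport, proto,
                   pkt["ifindex"], pkt.get("tos", 0))

def aggregate(packets):
    """Return an ordered mapping FlowKey -> {"packets": n, "bytes": n}."""
    flows = OrderedDict()
    for pkt in packets:
        stats = flows.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        stats["packets"] += 1
        stats["bytes"] += pkt["length"]
    return flows

def pkt(src, dst, proto, ifindex, length, **extra):
    """Helper to build a constructed packet record."""
    return dict(src=src, dst=dst, proto=proto, ifindex=ifindex, length=length, **extra)

# Constructed sample: a browser fetching a page (two packets each way, seen on
# different ingress interfaces) plus one ICMP echo request. Documentation ranges.
SAMPLE = [
    pkt("192.0.2.10", "198.51.100.80", TCP, 1, 60, sport=51234, dport=80),
    pkt("198.51.100.80", "192.0.2.10", TCP, 2, 60, sport=80, dport=51234),
    pkt("192.0.2.10", "198.51.100.80", TCP, 1, 500, sport=51234, dport=80),
    pkt("198.51.100.80", "192.0.2.10", TCP, 2, 1400, sport=80, dport=51234),
    pkt("192.0.2.10", "198.51.100.80", ICMP, 1, 84, icmp_type=8, icmp_code=0),
]

if __name__ == "__main__":
    for key, stats in aggregate(SAMPLE).items():
        print(key, stats)
```

Running it prints three flows, not two: one in each direction for the web session, plus the ICMP echo on its own.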

So why is this useful?

Basic network monitoring tools will show you a link's utilization, but don't tell you much about what that traffic actually is. Netflow allows you to 'drill down' into the traffic, and see who is doing what, and where.

In future posts, I'll talk about the different ways to configure and use Netflow to help analyze and troubleshoot your networks.
