In network monitoring, network engineers must be familiar with the term NetFlow. What is NetFlow? NetFlow is a protocol developed by Cisco Systems that collects metadata about IP traffic passing through switches and routers. Network operators use NetFlow data to determine network throughput, congestion on a particular interface and packet loss. Beyond that, it lets you drill down into network traffic to find out where traffic originates and where it ends up.
NetFlow has several variants, including IPFIX, sFlow and vendor-specific flavours such as XFlow, J-Flow and NetStream. NetFlow has three important components: the exporter, the collector and the analysis application.
The following data can be found in NetFlow records, along with what each field is used for:
- Input and output interface numbers
  Input and output interfaces provide a method for transferring information between internal storage and external I/O devices; in short, they are the means of interacting with the computer hardware.
- Packet and byte counts
  Packet and byte counts are also found in NetFlow data. A packet is a unit of data of varying length, and the byte count shows the number of bytes carried.
- TCP flags and encapsulated protocol (TCP/UDP)
  TCP flags show how a network connection behaves during a TCP (Transmission Control Protocol) transfer and also give the user additional information, so they are useful for troubleshooting and for deciding how particular connections should be handled.
  What is meant by the encapsulated protocol? Encapsulation can be likened to a data translator: data from one protocol is translated into another protocol so that it can be forwarded across the network.
- Source and destination TCP/User Datagram Protocol (UDP) ports
  NetFlow data records the source and destination TCP/UDP ports. UDP is an alternative communication protocol to TCP, used to build low-latency, loss-tolerant communication between applications on the internet.
- BGP routing information
  BGP stands for Border Gateway Protocol, the protocol that makes the internet work. It works similarly to a postal service: when you send data onto the internet, BGP is responsible for choosing an available, fast and efficient path so that the data can be delivered promptly. The data is the letter and BGP is the postal service. BGP also allows fast and efficient internet access abroad.
- Source and destination IP address
  The source IP is the IP (Internet Protocol) address of the device sending the IP packet, which is the unit of IP data transfer, and the destination IP is the IP address of the device receiving that packet. In short, the source IP is the sender and the destination IP is the recipient.
- Type of service (ToS)
- Start and end timestamps
This data is metadata that the collector gathers and stores as records in the format defined by the protocol.
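As an added example (not code from the original article), the Python below decodes a NetFlow v5 export datagram into the fields listed above and turns the uptime-relative start/end values into absolute timestamps. It assumes the fixed NetFlow v5 layout (24-byte header, 48-byte records); the addresses, ports and AS numbers in the sample datagram are constructed, not captured from a real device.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header followed by `count` 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"                 # version, count, sys_uptime_ms, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in_if, out_if, pkts, bytes, first, last, sport, dport, pad, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_sample_datagram() -> bytes:
    """Constructed sample export: one complete TCP session to port 443 (not real traffic)."""
    header = struct.pack(HEADER_FMT, 5, 1, 120_000, 1_700_000_000, 0, 1, 0, 0, 0)
    record = struct.pack(
        RECORD_FMT,
        IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed, IPv4Address("10.0.0.1").packed,
        2, 3,                 # input / output interface numbers (SNMP ifIndex values)
        12, 9_600,            # packet and byte counts
        100_000, 115_000,     # start / end timestamps, in ms of router uptime
        51234, 443,           # source / destination port
        0, 0x1B, 6, 0x00,     # pad, TCP flags (FIN|SYN|PSH|ACK), protocol 6 = TCP, ToS
        64512, 64513,         # source / destination BGP AS (private ASNs, constructed)
        24, 24, 0,            # prefix masks, pad
    )
    return header + record


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    version, count, uptime_ms, unix_secs, *_ = struct.unpack(HEADER_FMT, datagram[:24])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    if len(datagram) < 24 + count * 48:
        raise ValueError("truncated datagram: header count exceeds records present")
    boot_epoch = unix_secs - uptime_ms / 1000  # router boot time, used to absolutise first/last
    flows = []
    for i in range(count):
        off = 24 + i * 48
        (src, dst, _nh, in_if, out_if, pkts, octets, first, last, sport, dport, _pad1,
         flags, proto, tos, src_as, dst_as, _sm, _dm, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + 48])
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "in_if": in_if, "out_if": out_if, "packets": pkts, "bytes": octets,
            "src_port": sport, "dst_port": dport, "protocol": proto, "tos": tos,
            "tcp_flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
            "src_as": src_as, "dst_as": dst_as,
            "start": boot_epoch + first / 1000, "end": boot_epoch + last / 1000,
            "duration_s": (last - first) / 1000,
        })
    return flows


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram()):
        print(flow)
```

A collector should always check the header count against the datagram length, as done above, so a malformed or truncated export cannot cause reads past the end of the buffer.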
History of NetFlow
NetFlow was developed by Cisco Systems in 1996. It grew out of Cisco's own need to understand bandwidth usage in detail, something SNMP could not provide because it only monitors network devices without detailed traffic information. Then, in 2003, NetFlow version 9 was selected by the Internet Engineering Task Force (IETF), the body that proposes internet standards such as TCP. Today NetFlow is the main standard on switches and routers produced by Cisco and other manufacturers. Before NetFlow, network administrators and network engineers still relied on SNMP to monitor network and internet traffic on LANs and WANs.
Why NetFlow?
With NetFlow, network monitoring becomes more detailed and clearer. As explained above, NetFlow monitors networks more effectively than SNMP does. For example, NetFlow can collect data up to layer 3, while SNMP can only collect data up to layer 2; in short, NetFlow captures more data than SNMP. This makes it much easier for network engineers to know where traffic is coming from, and so on, and shows that NetFlow is the more sophisticated of the two.