Netflow overview

NetFlow classifies the packets arriving on a device interface into flows, and once a flow has ended or reached a limit it is exported to a collector. With flows you have a view of everything that is happening in your network. How does the router classify the flows? Based on key fields, for example source/destination IP addresses, source/destination TCP/UDP ports, and so on: packets that share the same key fields belong to the same flow. Besides the key fields the router keeps further flow attributes taken from the packets, such as start time, end time, packet and byte counts, TCP flags, next-hop address, source/destination AS number, etc. These are not part of the key; they are the statistics the collector analyses.

When you configure NetFlow, the router creates a flow cache and puts all the flows there. For every incoming packet it first looks into the cache to see whether this is the first packet of a flow. If it is, the router creates a new flow entry; if it is not, it updates the existing entry's non-key attributes, such as the packet count, byte count and end time.

I said that when a flow expires we export it to the collector. These are the conditions for exporting a flow:

  • Inactive timer expires (15 seconds by default) – if we do not see any packet for that flow within that time we consider the flow ended and export it to the collector
  • Active timer expires (30 minutes by default) – a long-lived flow is exported and its counters restart in a fresh entry, so the collector does not wait half an hour for the first record; security collectors advise changing it to 1 minute so that a long-running transfer or beacon shows up quickly
  • NetFlow cache is full – entries are pushed out and exported to make room for new flows
  • TCP RST or FIN flag is seen – the session is being torn down, so the flow is exported at once instead of waiting for the inactive timer
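The classification and expiry rules above, as an added example in Python (not code from the original post): a toy flow cache keyed on the seven classic key fields that exports on each of the four conditions. The timer values are the defaults quoted above (the demo uses the 1-minute active timer), the packet trace is constructed, and unlike a real router, which ages the cache with a periodic sweep, it runs the timer check on every packet arrival.

```python
"""Toy flow cache: classify packets by the seven classic NetFlow key fields
and export flows on the four conditions (inactive timer, active timer,
cache full, TCP FIN/RST).  Added example, not code from the original page;
the packet traces are constructed."""
from dataclasses import dataclass

TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04


@dataclass
class Flow:
    key: tuple          # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_if)
    first: float        # start time: first packet seen
    last: float         # end time: last packet seen
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of all TCP flags seen, as the exported record carries it


class FlowCache:
    def __init__(self, inactive=15.0, active=1800.0, max_entries=65536):
        self.inactive, self.active, self.max_entries = inactive, active, max_entries
        self.flows = {}         # key fields -> Flow
        self.exported = []      # (reason, Flow) handed to the collector, in order

    def _export(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    def sweep(self, now):
        """Timer-driven expiry; a real router does this on a periodic cache scan."""
        for key, f in list(self.flows.items()):
            if now - f.last > self.inactive:
                self._export(key, "inactive")
            elif now - f.first > self.active:
                self._export(key, "active")   # counters restart in a fresh entry

    def packet(self, now, src, dst, sport, dport, proto, length, tos=0, in_if=1, flags=0):
        self.sweep(now)
        key = (src, dst, sport, dport, proto, tos, in_if)
        f = self.flows.get(key)
        if f is None:                          # first packet of a flow: create the entry
            if len(self.flows) >= self.max_entries:
                # cache full: push out the entry idle longest to make room
                oldest = min(self.flows, key=lambda k: self.flows[k].last)
                self._export(oldest, "cache-full")
            f = self.flows[key] = Flow(key, first=now, last=now)
        f.last = now                           # only non-key attributes are updated
        f.packets += 1
        f.octets += length
        f.tcp_flags |= flags
        if proto == TCP and flags & (FIN | RST):
            self._export(key, "fin-rst")       # session teardown ends the flow at once
        return f


def demo():
    """Constructed trace with the 1-minute active timer security collectors recommend."""
    cache = FlowCache(inactive=15, active=60)
    events = [(0, "10.0.0.5", "10.0.0.53", 53000, 53, UDP, 60, 0)]         # one DNS query
    events += [(t, "10.0.0.5", "198.51.100.7", 40001, 4444, UDP, 1400, 0)  # beacon every 5 s
               for t in range(0, 121, 5)]
    events += [(1, "10.0.0.5", "192.0.2.9", 40000, 443, TCP, 60, 0x02),    # SYN
               (2, "10.0.0.5", "192.0.2.9", 40000, 443, TCP, 500, 0x18),   # PSH/ACK
               (3, "10.0.0.5", "192.0.2.9", 40000, 443, TCP, 40, 0x11)]    # FIN/ACK
    for t, src, dst, sp, dp, proto, length, flags in sorted(events, key=lambda e: e[0]):
        cache.packet(t, src, dst, sp, dp, proto, length, flags=flags)
    return cache.exported, cache.flows


if __name__ == "__main__":
    exported, live = demo()
    for reason, f in exported:
        print(f"{reason:10} {f.key[0]}:{f.key[2]} -> {f.key[1]}:{f.key[3]} "
              f"proto={f.key[4]} pkts={f.packets} bytes={f.octets} t={f.first}-{f.last}")
    print("still in cache:", [(f.key[1], f.packets) for f in live.values()])
```

Running it exports three records in this order: the TCP session on its FIN at t=3, the DNS query when its inactive timer passes at t=20, and the first 60 seconds of the beacon when the active timer fires at t=65; the beacon then continues as a fresh entry that is still in the cache at the end of the trace. That last record is the point of the 1-minute active timer: with the 30-minute default the collector would learn nothing about the beacon for half an hour.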

Before we export the flows to the collector we can aggregate them. If there is no aggregation we export each flow directly. But maybe we do not care about all the individual IP addresses, only about prefixes, so we aggregate the flows by prefix and export the aggregated records instead. Aggregation reduces the export volume, but it also throws away the per-host and per-port detail, which for security analysis is usually exactly what you want to keep. Aggregated exports are supported with NetFlow versions 8 and 9; version 5 does not support them. We speak more about NetFlow versions further on.

We can export the flows over UDP or SCTP (Stream Control Transmission Protocol). Plain UDP export has no delivery guarantee: a dropped datagram means those flow records are gone, and the collector only notices the gap from the sequence numbers in the export header. SCTP is a reliable transport, something like TCP, but here you can select the level of reliability per stream: records that must not be lost go over a fully reliable stream, while other records can use a partially reliable stream that gives up on old unacknowledged data once its buffer fills rather than stall the export. Hmmm, but is there any need for reliable NetFlow at all? Yes there is, for example when NetFlow is used for billing, where a lost record is a lost charge.

As we said, we have seven flow key fields: source and destination IP address, source and destination port number, Layer 3 protocol type, input interface and type of service (the ToS byte, today usually read as the DSCP value). However, with aggregation the key fields change: we no longer have IP addresses as key fields but prefixes instead. So what is my message here? We were saying that NetFlow has 7 fixed key fields, but with newer versions of NetFlow (v9 templates, and Flexible NetFlow on Cisco) this can be tweaked and you can define different key fields. For example NetFlow for MPLS uses different key fields than NetFlow for security.
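An added example (not code from the original post) tying the last three points together: it packs constructed flow records into a NetFlow v5 export datagram using the published v5 header and record layout, parses it back the way a collector would (with a length check, since a UDP export can arrive truncated or forged), and then aggregates the records by prefix, which shows how aggregation replaces the address key fields with prefixes. The aggregation key (source prefix, destination prefix, input and output interface) is modelled on the v8 prefix aggregation scheme, and the prefix lengths are taken from the record's own src_mask/dst_mask fields, which the router fills from its routing table; the four records themselves are made up.

```python
"""NetFlow v5 export datagram: build it, parse it, then aggregate the records
by routed prefix (v8-style prefix aggregation).  Added example with
constructed records, not the page's own code; the header/record layout is
the published v5 format (24-byte header, 48-byte records)."""
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # version..sampling, 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # one flow record, 48 bytes
FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
          "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
ADDR_FIELDS = ("srcaddr", "dstaddr", "nexthop")

# Constructed records: three hosts in 10.1.1.0/24 talking to 192.0.2.0/24 and
# one host in 10.2.0.0/16 talking to 203.0.113.0/24.
SAMPLE_RECORDS = [
    dict(srcaddr="10.1.1.10", dstaddr="192.0.2.5", nexthop="192.0.2.1", input=1, output=2,
         dPkts=10, dOctets=1500, first=1000, last=2000, srcport=51000, dstport=443,
         tcp_flags=0x1B, prot=6, tos=0, src_as=64512, dst_as=65001, src_mask=24, dst_mask=24),
    dict(srcaddr="10.1.1.11", dstaddr="192.0.2.6", nexthop="192.0.2.1", input=1, output=2,
         dPkts=4, dOctets=400, first=1100, last=1900, srcport=51001, dstport=443,
         tcp_flags=0x1B, prot=6, tos=0, src_as=64512, dst_as=65001, src_mask=24, dst_mask=24),
    dict(srcaddr="10.1.1.12", dstaddr="192.0.2.5", nexthop="192.0.2.1", input=1, output=2,
         dPkts=1, dOctets=60, first=1500, last=1500, srcport=51002, dstport=53,
         tcp_flags=0, prot=17, tos=0, src_as=64512, dst_as=65001, src_mask=24, dst_mask=24),
    dict(srcaddr="10.2.0.7", dstaddr="203.0.113.9", nexthop="203.0.113.1", input=3, output=2,
         dPkts=7, dOctets=7000, first=1200, last=1800, srcport=52000, dstport=22,
         tcp_flags=0x1B, prot=6, tos=0, src_as=64512, dst_as=65002, src_mask=16, dst_mask=24),
]


def build_v5(records, sysuptime=0, unix_secs=0, seq=0):
    """Pack records into one v5 datagram; seq is what the collector uses to spot loss."""
    header = V5_HEADER.pack(5, len(records), sysuptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(*[ipaddress.ip_address(r[k]).packed if k in ADDR_FIELDS
                         else r.get(k, 0) for k in FIELDS])   # pads default to 0
        for r in records)
    return header + body


def parse_v5(datagram):
    """Unpack a v5 datagram into record dicts; reject short or mismatched exports."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, sysuptime, unix_secs, _ns, seq, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")  # truncated/forged
    flows = []
    for i in range(count):
        values = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(FIELDS, values))
        for k in ADDR_FIELDS:
            rec[k] = str(ipaddress.ip_address(rec[k]))
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return {"sequence": seq, "sysuptime": sysuptime, "unix_secs": unix_secs, "flows": flows}


def aggregate_by_prefix(flows):
    """v8-style prefix aggregation: the key is no longer the addresses but the
    routed prefixes plus interfaces; the per-host detail is summed away."""
    agg = defaultdict(lambda: {"flows": 0, "dPkts": 0, "dOctets": 0})
    for f in flows:
        key = (str(ipaddress.ip_network(f"{f['srcaddr']}/{f['src_mask']}", strict=False)),
               str(ipaddress.ip_network(f"{f['dstaddr']}/{f['dst_mask']}", strict=False)),
               f["input"], f["output"])
        agg[key]["flows"] += 1
        agg[key]["dPkts"] += f["dPkts"]
        agg[key]["dOctets"] += f["dOctets"]
    return dict(agg)


if __name__ == "__main__":
    dg = build_v5(SAMPLE_RECORDS, sysuptime=5000, unix_secs=1700000000, seq=42)
    parsed = parse_v5(dg)
    print(f"{len(dg)} bytes, seq {parsed['sequence']}, {len(parsed['flows'])} records")
    for f in parsed["flows"]:
        print(f"  {f['srcaddr']}:{f['srcport']} -> {f['dstaddr']}:{f['dstport']} "
              f"proto={f['prot']} pkts={f['dPkts']} bytes={f['dOctets']} via {f['nexthop']}")
    for key, stats in aggregate_by_prefix(parsed["flows"]).items():
        print("  aggregated", key, stats)
```

The four individual records collapse into two aggregated ones, keyed on 10.1.1.0/24 to 192.0.2.0/24 and 10.2.0.0/16 to 203.0.113.0/24. Note what disappears in the process: the DNS query to port 53 and the SSH session to port 22 are no longer distinguishable from the HTTPS traffic, which is why the unaggregated export is the one a security collector wants.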