What is NetFlow?

What is NetFlow - Cisco NetFlow

What is NetFlow?

NetFlow was initially developed by Cisco in its Quality of Service (QoS) program. It is a switching method that allows more efficient switching of packets according to the type of packet.

How NetFlow Works?

When a packet enters an interface that the router hasn’t seen before, it will decide whether or not to route the Datagram and if it forwards the Datagram it will make an entry in the flow cache on the router based on matching criteria in the packet.

The flow cache entry contains things like destination and source IP addresses, destination and source ports, source interface, protocol bytes and some other details are all entered into the flow cache.

The packet is then routed out the destination interface. As the following packets that match an existing flow entry come into the router, the byte and packet counters keep incrementing for each additional Datagram until the connection between the hosts involved in a flow is torn down.

So packets that enter the router that don’t have a matching flow entry are first determined to be routable, and if they are accepted they are then forwarded after a flow cache entry is made.

A flow cache can contain hundreds of thousands of entries and in some cases into the millions. Now when the flow is expiring they are exported off to the Net Flow collector such as Cisco Stealthwatch which will constantly analyze and archive the flows for future reference.

The net flow collector can then provide details on things like the threats detected, the network topology, top interfaces and of course graphical trends. Cisco Net Flow is used for finding bandwidth hogs, hunting down network threats, isolating applications slowness issues and even for usage based billing by some service providers.

You should know that many hardware vendors are now adopting IPFIX which is the official standard for all flow technologies. Both the Net Flow and IPFIX can be performed in hardware or software, they can be used to export information real-time right down to the second and they can be used for both flow and packet sampling.

NetFlow v5 uses a static packet format (and is in this way very similar to v7), defining IPv4 IPs, protocols, ports, and millisecond precision on flow start and flow end times. Version 9 uses a dynamic format which is parsed based on a template which is sent around first.

A typical flow monitoring setup (using NetFlow) consists of three main components:

  • Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.
  • Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
  • Analysis application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example.


Also there are other flows with different types which are developed by vendors. InMon has sFlow, Juniper uses JFlow, and there are several others. Also, JFlow and CFlow are the same as Cisco NetFlow v5.

Leave a Reply

Related Post
error: Alert: Content is protected !!