Technology: NetFlow / IPFIX

 

NetFlow

NetFlow is a de facto standard, originally introduced by Cisco, for traffic measurement and statistics. It can be compared to a phone call listing: you know who the calling parties are, but their conversation remains undisclosed.

In IT terms, NetFlow provides information from layer 3 and layer 4: IP addresses, ports, protocol, timestamps, numbers of bytes and packets, flags and several other technical details. NetFlow is available in several versions that differ significantly, and understanding them is important when choosing the right solution for your needs:

  • NetFlow v5 – the most common version, available on various routers and active network components; however, it does not meet current needs. NetFlow v5 does not support IPv6 traffic, MAC addresses, VLANs or other extension fields.
  • NetFlow v9 – a template-based standard described in RFC 3954, also known as flexible NetFlow. It supports IPv6 as well as the fields missing in NetFlow v5.
  • NetFlow v10 aka IPFIX – standardized by the IETF; an extended version of NetFlow v9 that supports variable-length fields (e.g. HTTP hostname or HTTP URL) as well as enterprise-defined fields.

You can generate NetFlow with dedicated devices called probes, which receive a copy of the network traffic from a mirror port or network TAP and produce network traffic statistics. Another way to get flows is directly from a network switch, router or even a firewall. Check NetFlow support for the particular models and firmware versions that you use.

 


More information can be found at the following link: http://www.cisco.com/go/netflow.

 

IPFIX

Internet Protocol Flow Information Export (IPFIX) was created by an IETF working group out of the need for a common, universal standard for exporting IP flow information. The IPFIX standard defines how IP flow information is formatted and transferred from an exporter to a collector. Previously, many network operators relied on the proprietary Cisco NetFlow standard for traffic flow information export. IPFIX is a much more flexible successor to the NetFlow format.