- Netflow
-
NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported by platforms other than Cisco IOS and NXOS such as Juniper routers, Enterasys Switches, vNetworking in version 5 of vSphere, Linux, FreeBSD, NetBSD and OpenBSD.
Contents
Protocol description
Cisco routers and Enterasys Switches that have the NetFlow feature enabled generate NetFlow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a netflow collector. Other vendors provide similar features for their routers but with different names:
- Jflow or cflowd for Juniper Networks
- NetStream for 3Com/H3C|HP
- NetStream for Huawei Technology
- Cflowd for Alcatel-Lucent
- Rflow for Ericsson
- AppFlow Citrix
NetFlow and IPFIX
Although initially implemented by Cisco, NetFlow is described in an informational document: RFC 3954 – Cisco Systems NetFlow Services Export Version 9. The NetFlow protocol itself has been superseded by Internet Protocol Flow Information eXport (IPFIX). Based on the NetFlow Version 9 implementation, IPFIX is the industry standard with RFC 5101, RFC 5102, etc. Network infrastructure vendors are already adding IPFIX support to their devices.
Network Flows
Main article: Packet flowA network flow has been defined in many ways. The traditional Cisco definition is to use a 7-tuple key, where a flow is defined as a unidirectional sequence of packets all sharing all of the following 7 values:
- Source IP address
- Destination IP address
- Source port for UDP or TCP, 0 for other protocols
- Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
- IP protocol
- Ingress interface (SNMP ifIndex)
- IP Type of Service
Flexible NetFlow and IPFIX support user-defined flow keys.
The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. In Flexible NetFlow (FNF) an administrator could actually define flow properties on the router.
NetFlow Record
A NetFlow record can contain a wide variety of information about the traffic in a given flow. NetFlow version 5 (one of the most commonly used versions, followed by version 9) contains the following:
- Version number
- Sequence number
- Input and output interface indices used by SNMP (ifIndex in IF-MIB).
- Timestamps for the flow start and finish time, in milliseconds since the last boot.
- Number of bytes and packets observed in the flow
- Layer 3 headers:
- Source & destination IP addresses
- Source and destination port numbers
- IP protocol
- Type of Service (ToS) value
- In the case of TCP flows, the union of all TCP flags observed over the life of the flow.
- Layer 3 Routing information:
- IP address of the immediate next-hop (not the BGP nexthop) along the route to the destination
- Source & destination IP masks (prefix lengths in the CIDR notation)
Some routers will also include the source and destination Autonomous System (AS) number. Depending on the router configuration, it can also be the immediate neighbor AS. That information is not always accurate, and the local AS will be indicated by the same value (zero) as any unknown AS.
NetFlow version 9 can include all of these fields and can optionally include additional information such as Multiprotocol Label Switching (MPLS) labels and IPv6 addresses and ports,
By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.
NetFlow records are usually sent via a UDP or SCTP in newer software, and for efficiency reasons, the router does not store flow records once they are exported. Therefore, if the NetFlow record is dropped due to network congestion, it is lost forever—there's no way for the router to resend it (this is correct for UDP NetFlow only). The IP address of the netflow collector and the port upon which it is listening must be configured on the sending router but is usually either on ports 2055, 9555, or 9995. NetFlow is also enabled on a per-interface basis to avoid unnecessary burdening of the router's CPU. NetFlow is generally based on the packets input to interfaces where it is enabled. This avoids double counting and saves work for the router. It also allows the router to export NetFlow records for dropped packets.
ICMP records use the Destination Port number field to define the ICMP Type and CODE in HEX. The type and code are concatenated before the conversion. An ICMP Host Unreachable message would be TYPE 3 with a CODE of 01 (301). NetFlow converts this value to a hex value of 769 when exported.
Sampled NetFlow
This variant was originally introduced by Cisco, but is now used in all high-end routers that implement NetFlow. Maintaining NetFlow data can be computationally expensive for the router and burden the router's CPU or hardware to the point where it runs out of capacity. To avoid problems caused by router CPU load, Cisco provides "Sampled NetFlow". Rather than looking at every packet to maintain NetFlow records, the router looks at every nth packet, where n can be configured (as in Deterministic NetFlow, used on Cisco's GSRs) or it is a randomly selecting interval (as used in Random Sampled NetFlow, used on all other Cisco platforms). The sampling is often the same for all interfaces, but can be adjusted per interface for some routers. When Sampled NetFlow is used, the NetFlow records must be adjusted for the effect of sampling - traffic volumes, in particular, are now an estimate rather than the actual measured flow volume.
The sampling rate is indicated in a header field of NetFlow version 5 (same sampling rate for all interfaces) or in option records of NetFlow version 9 (sampling rate per interface)
Cisco's NetFlow Security Event Logging
Introduced with the launch of the Cisco ASA 5580 products, NetFlow Security Event Logging utilizes NetFlow v9 fields and templates in order to efficiently deliver security telemetry in high performance environments. NetFlow Security Event Logging scales better than syslog while offering the same level of detail and granularity in logged events.[citation needed]
NetFlow Monitoring Based on Standalone Probes
NetFlow collection using standalone NetFlow probes is an alternative to flow collection from routers and switches. This approach can overcome some limitations of router-based NetFlow monitoring. The probes are transparently connected to the monitored link as a passive appliance using the TAP or SPAN port of the appliance.
Historically, Deep packet inspection is easier to implement in a dedicated probe than in a router. However, this approach also has some drawbacks:
- probes must be deployed on every link that must be observed, causing additional hardware, setup and maintenance costs.
- probes will not report separate input and output interface information like a report from a router would.
- probes may have problems reporting reliably the NetFlow fields related to routing, like AS Numbers or IP masks, because they can hardly be expected to use exactly the same routing information as a router.
NetFlow collection from dedicated probes is well suited for observation of critical links, whereas NetFlow on routers provides a Network-wide view of the traffic that can be used for capacity planning, accounting, performance monitoring, and security.
Versions
Version Comment v1 First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS Numbers). v2 Cisco internal version, never released. v3 Cisco internal version, never released. v4 Cisco internal version, never released. v5 Most common version, available (as of 2009) on many routers from different brands, but restricted to IPv4 flows. v6 No longer supported by Cisco. Encapsulation information (?). v7 Like version 5 with a source router field. Used (only?) on Cisco Catalyst switches. v8 Several aggregation form, but only for information that is already present in version 5 records v9 Template Based, available (as of 2009) on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop. IPFIX aka v10; IETF Standardized NetFlow 9 with several extensions like Enterprise-defined fields types, and variable length fields. See also
- Traffic flow (computer networking)
- IP Flow Information Export (IPFIX) - IETF work to standardize flow export, based on NetFlow version 9
- sFlow - alternative to NetFlow (mandatory sampling, no flow cache, no templates[1])
- nProbe - an extensible NetFlow v5/v9/IPFIX GPL probe for IPv4/v6
References
- ^ Phaal, Peter; Lavine, Marc (July 2004). "sFlow Version 5". sFlow.org. http://www.sflow.org/sflow_version_5.txt. Retrieved 2010-10-23.
External links
- NetFlow/FloMA: Pointers and Software Provided by SWITCH. - One of the most comprehensive list including all the open source and research works.
- FloCon - The Annual Conference put on by CERT/CC dealing with NetFlow and other flow analysis works.
- Basic NetFlow information on the Cisco Site
- RFC3334 - Policy-Based Accounting
- RFC3954 - NetFlow Version 9
- RFC3955 - Candidate Protocols for IP Flow Information Export (IPFIX)
- RFC5101 - Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information (IPFIX)
- RFC5102 - Information Model for IP Flow Information Export
- RFC5103 - Bidirectional Flow Export Using IP Flow Information Export
- RFC5153 - IPFIX Implementation Guidelines
- RFC5470 - Architecture for IP Flow Information Export
- RFC5471 - Guidelines for IP Flow Information Export (IPFIX) Testing
- RFC5472 - IP Flow Information Export (IPFIX) Applicability
- RFC5473 - Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports
- List of software related to flow accounting
- AppFlow specifications and standards track discussion
Categories:- Computer network analysis
- Internet Protocol based network software
- Cisco protocols
Wikimedia Foundation. 2010.