About Netflow
NetFlow is the IP equivalent of a pen regsiter. NetFlow records provide the source and destination IP and port info as well as some data about the flow itself, but they don't contain any content. NetFlow was originally from Cisco and was commonly used in ISP's to determine how traffic was coming in and leaving the enterprise. Over the years it's utility has grown and now many tools use it for performance monitoring, security analysis, and network engineering.
Many modern routers can natively generate NetFlow records for traffic going through them. A record is made for each uni-directional flow of data through a router. For instance, a TCP session would have two flows, one for the data to the server, one for the data returning from the server. As the router collects and tracks flows, it can export the flow information to a collector that then does the analysis. The flows are periodically bundled up and sent as a group in one datagram to the collector. This prevents a flood of small packets needing to be continuously created and sent by the router. For those networks that can't enable NetFlow on their routers (for whatever reason) other means for generating flows exist including the FL/OSS softflowd and the Slimline from Gigafin.
Netflow Versions
There are a large number of network flow protocols available for use:
| Cisco NetFlow v5 | The least common denominator in network flow protocols. Very simple, and supported by most Cisco devices. Also the default that Psyche prefers |
|---|---|
| Cisco NetFlow v7 | Added switch info |
| Cisco NetFlow v9 | Complete overhaul of NetFlow. It is template based allowing you to control exactly what gets exported and how |
| IPFIX | The IETF basically picked up v9 and started making a real standard out of it. When they're done it will be IPFIX, and likely also known as NetFlow v10 |
| sflow | Juniper's flow-based protocol |
| qflow | QRadar's flow-based protocol |
