Welcome to SolarWinds NetFlow v9 Datagram Knowledge Series.  This is a 7 part series of blogs to provide the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are being captured, and how they are interpreted.

 

Let’s take a quick tour on the basics of NetFlow technology in this first part of the Knowledge Series.


What is NetFlow?

 

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information and monitoring network traffic.  While the term NetFlow has become a de-facto industry standard many other manufacturers support alternative flow technologies including; Juniper (Jflow); 3Com/HP, Dell and Netgear (s-flow); Huawei (NetStream); Alcatel-Lucent (Cflow); and Ericsson (Rflow).

 

Routers and switches that support NetFlow collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records, toward at least one NetFlow collector – typically a server that does the actual traffic analysis. The NetFlow collector then processes the data to perform the traffic analysis and presentation in a user-friendly format.  NetFlow collectors can take the form of hardware based collectors or probes, or software based collectors. SolarWinds NetFlow Traffic Analyzer(NTA) is an example of a software based NetFlow collector that collects traffic data, correlates it into a useable format, and then presents it to the user in a web based interface for monitoring network traffic.

 

 

History of NetFlow

 

NetFlow v1 was originally introduced in 1990 and has since evolved to NetFlow version 9.  Today, the most common versions are v5 and v9.

 

 

Version

Comment

v1

First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS Numbers).

v2

Cisco internal version, never released.

v3

Cisco internal version, never released.

v4

Cisco internal version, never released.

v5

Most common version, available (as of 2009) on many routers from different brands, but restricted to IPv4 flows.

v6

No longer supported by Cisco. Encapsulation information.

v7

Like version 5 with a source router field. Used on Cisco Catalyst switches.

v8

Several aggregation form, but only for information that is already present in version 5 records

v9

Template Based, available (as of 2009) on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop.

v10

aka IPFIX, IETF Standardized NetFlow 9 with several extensions like Enterprise-defined fields types, and variable length fields.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 









Benefits of Using NetFlow Technology for Monitoring Network Traffic

 

Monitoring and analyzing NetFlow will help obtain valuable information about network users and applications, peak usage times, and traffic routing.  In contrast with traditional SNMP-dependent systems, NetFlow-based network traffic monitoring has the ability to characterize traffic from applications and users, understand the traffic patterns, provide a holistic view for monitoring network bandwidth utilization and WAN traffic, support CBQoS validation and performance monitoring, be used for network traffic forensics, and aid in compliance reporting.


Understanding the Datagram

 

The NetFlow Export datagram consists of a header and a sequence of flow records. The header contains information such as sequence number, record count, and sysuptime.  The flow record contains flow information such as IP addresses, ports, and routing information.

 

Below is a simple datagram for NetFlow v9 that we will use throughout this knowledge series to provide a detailed breakdown of the details of the NetFlow Export Packet format.

 

NetFlow v9 Datagram.png

 

Part 2:  NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer

 

Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format".  Available at NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems

 

Learn more about how SolarWinds NetFlow Traffic Analyzer can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring, see for yourself with SolarWinds live on-line demo. or view this video:  How to Configure NetFlow on Cisco Routers.

 

 

NTA_Netflow_WP.png