What is NetFlow?
NetFlow is a protocol that gives information about the senders, receivers, and types of traffic flowing in a network. As traffic passes through a router or switch on the network (called an "exporter," for reasons that will become clear in a moment), the exporter keeps a cache of information about the packets, including the source and destination address and port, the length of the packet, certain information about its type of service, and more.
Periodically, the router or switch flushes its cache of information by sending it ("exporting" it) to a separate program called a NetFlow collector. The NetFlow collector can then save all this data into some kind of database and then analyze and present information about what kinds of data are flowing in the network.
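To make the exporter's cache concrete, here is an added example (not InterMapper code, and not the real NetFlow wire format) that models the cache in Python: constructed packets sharing the same source/destination, ports, protocol and type of service are merged into one flow entry, and a flush hands the whole cache to the collector at once.

```python
from dataclasses import dataclass

# Constructed sample packets: (timestamp, src_ip, dst_ip, proto, src_port, dst_port, length, tos)
PACKETS = [
    (0.00, "10.0.0.5",  "10.0.0.80", "tcp", 32123, 80,    64,   0),
    (0.01, "10.0.0.80", "10.0.0.5",  "tcp", 80,    32123, 1400, 0),
    (0.02, "10.0.0.80", "10.0.0.5",  "tcp", 80,    32123, 1400, 0),
    (0.50, "10.0.0.5",  "10.0.0.80", "tcp", 32123, 80,    960,  0),
    (0.70, "10.0.0.9",  "10.0.0.53", "udp", 50001, 53,    70,   0),
    (0.71, "10.0.0.53", "10.0.0.9",  "udp", 53,    50001, 130,  0),
]

@dataclass
class FlowEntry:
    """One cached flow: counters plus the time window the packets were seen in."""
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0

class FlowCache:
    """Exporter-side cache: every packet with the same key lands in one FlowEntry."""
    def __init__(self):
        self.cache = {}

    def observe(self, ts, src, dst, proto, sport, dport, length, tos):
        # The key is the set of fields the text lists: addresses, ports, protocol, ToS.
        key = (src, dst, proto, sport, dport, tos)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = FlowEntry(first_seen=ts, last_seen=ts)
        entry.packets += 1
        entry.bytes += length
        entry.last_seen = ts

    def flush(self):
        """Export every cached flow (as a dict of key -> (packets, bytes)) and empty the cache."""
        records = {k: (e.packets, e.bytes) for k, e in self.cache.items()}
        self.cache.clear()
        return records

def run_exporter(packets=PACKETS):
    """Feed the constructed packets through the cache and return the exported flow records."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(*pkt)
    return cache.flush()
```

Six packets collapse into four flow records, one per direction of each conversation.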
What Good is NetFlow?
Using the data from one or more NetFlow exporters, the NetFlow collector can then piece together what sessions or conversations have occurred. For example, it can show that:
- HostA sent 1 KByte to HostB from port 32123 to port 80
- HostB sent 235 KBytes back to HostA on the same ports
- HostC sent 2 KBytes to HostB from port 42714 to port 80
- HostB sent 23 KBytes back to HostC using the same ports
- ... etc...
From this simplified example, it seems likely that HostB is a web server, receiving (small) requests on port 80, and sending back longer responses.
Of course, on production networks there can be hundreds, or even thousands, of these sessions (also called "flows", as in "flows of data") per second, and you need a tool for making sense of all this flow information. Dartware's InterMapper Flows is a NetFlow collector that does just this.
The InterMapper Flows Window
The InterMapper Flows window presents information about the traffic flowing through the network. Its main stack chart shows the top talkers, listeners, ports, etc. This makes it easy to see which devices or protocols are the major contributors to the traffic.
(image)
The table at the lower right shows more quantitative information about the traffic sources: Device address, volume (in bytes) of traffic, relative percentages, fraction in and out, as well as whether the device is acting as a server or client. (Servers are determined from a list of well-known ports.) The InterMapper Flows window shows lots more: you can read the InterMapper Flows Tech Note (link) for additional information.
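The following added example (not InterMapper's own code) shows the collector side of both passages above: it pairs the HostA/HostB/HostC flow records from the earlier example into conversations, then builds the per-host table of bytes in and out, share of total volume, and server/client role. The well-known port list is a small assumed one; a real collector uses a much longer table.

```python
from collections import defaultdict

# Constructed flow records, as an exporter would send them: (src, dst, src_port, dst_port, bytes).
FLOWS = [
    ("HostA", "HostB", 32123, 80,    1 * 1024),
    ("HostB", "HostA", 80,    32123, 235 * 1024),
    ("HostC", "HostB", 42714, 80,    2 * 1024),
    ("HostB", "HostC", 80,    42714, 23 * 1024),
]

# Assumed (abbreviated) list of well-known server ports.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

def pair_conversations(flows):
    """Merge each unidirectional flow with its reverse into one conversation.
    The key is the sorted (host, port) pair, so both directions hit the same entry."""
    convs = {}
    for src, dst, sport, dport, nbytes in flows:
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        conv = convs.setdefault(key, {"bytes_a_to_b": 0, "bytes_b_to_a": 0})
        conv["bytes_a_to_b" if (a, b) == key else "bytes_b_to_a"] += nbytes
    return convs

def host_table(flows):
    """Per-host totals like the table in the Flows window: bytes in/out, percent of all
    traffic the host took part in, and 'server' if it used a well-known port."""
    hosts = defaultdict(lambda: {"in": 0, "out": 0, "server": False})
    total = 0
    for src, dst, sport, dport, nbytes in flows:
        hosts[src]["out"] += nbytes
        hosts[dst]["in"] += nbytes
        total += nbytes
        if sport in WELL_KNOWN_PORTS:
            hosts[src]["server"] = True
        if dport in WELL_KNOWN_PORTS:
            hosts[dst]["server"] = True
    for h in hosts.values():
        h["total"] = h["in"] + h["out"]
        # Each byte counts for both its sender and receiver, so shares do not sum to 100%.
        h["pct"] = round(100 * h["total"] / total, 1) if total else 0.0
    # Top talkers first, the order the stack chart presents them in.
    return dict(sorted(hosts.items(), key=lambda kv: kv[1]["total"], reverse=True))
```

HostB comes out first with 100% (every flow involves it) and flagged as a server, which is the inference the text draws from the raw list.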
Why NetFlow is Better than SNMP
Most network monitoring software can retrieve lots of data about a device using SNMP. In particular, it's quite easy to get the volume of traffic flowing through various interfaces by reading the statistics from MIB-II. This shows total bits/bytes per second flowing on that port. This is extremely valuable for looking for overloaded links and for other kinds of trouble.
However, these SNMP stats won't answer the big questions, "How is the link being used?" or "Who's hogging the bandwidth?" For that, you need a more detailed look at the actual sessions, which is exactly what NetFlow is designed to do.
Why NetFlow is Better than tcpdump
Tcpdump, and its graphical kin "sniffer" programs (such as Wireshark, OmniPeek, Ethereal, etc.), can give a very deep view into the network traffic, showing the details of every packet. These tools are essential for debugging low-level interactions between devices.
Although it would be possible (but laborious) to sum up the traffic from each packet in a tcpdump capture, NetFlow systems automatically collect this information and display it.
Another concern is that a packet-sniffing tool such as tcpdump typically must be attached to the same network that you are monitoring. To view traffic on a remote network, you would have to install tcpdump on a machine connected there, and contrive to have its results passed to your central location. With NetFlow, on the other hand, the router/switch involved in handling the data also collects and exports the flow records to the central NetFlow collector.
What if I don't have Cisco/NetFlow-compatible Equipment?
Not all routers and switches support NetFlow. For example, only certain models of Cisco equipment (link) provide NetFlow data, and many other manufacturers' gear will not export NetFlow records either. If you use equipment that is not NetFlow capable, there are a few alternatives/workarounds:
- Use a software exporter on a span or mirror port of a switch. If you have a managed switch, you can usually configure it to send all the traffic to a single span or mirror port. You can then install a software exporter (link) on a computer and attach it to the span port. The software exporter will then send flow records to your NetFlow collector (such as InterMapper Flows).
- Use a software exporter attached to a hub port. If you don't have a managed switch, you can still monitor NetFlow data by placing an unmanaged hub (not a switch) in the link whose traffic you want to monitor. For example, you might install the hub between your external router and your backbone equipment. The hub will pass all the traffic that flows through the link to the software exporter, as described above.
- Use sFlow. Many prominent router and switch manufacturers (such as HP, Foundry, Extreme, Force10, and others) instead support the sFlow (sampled flow) protocol (link). Their equipment sends a copy of the header of one-in-N packets to an sFlow collector, which then performs much the same processing as a NetFlow collector. Watch this blog for information about an upcoming release of InterMapper Flows that handles sFlow.