Everything you didn’t want to know about Bidirectional and Unidirectional NetFlow

Posted in ASA on February 12th, 2010 by Josh

Hi there all! Another week is coming to a close and I hope it's been a good one. With the Cisco ASA being the hot topic for the past couple of months, I wanted to share this post with you.

This is an important topic, since it will help you understand how the ASA reports conversations differently from its switch and router counterparts. Let's take a look:

Unidirectional NetFlow:

Traditionally, NetFlow is a unidirectional technology: each direction of a conversation is accounted for as its own flow. As an example, when host A sends traffic to host B, a single flow is created in the router's cache. When host B replies, a second flow is created. So using that example, the conversation A –> B creates a flow of 500 kB, and the return reply B –> A creates a separate flow of 75 kB. It is the collector's job to pair the two (same addresses, ports and protocol, with source and destination swapped) to see the whole conversation.

Unidirectional Flows

Bidirectional NetFlow:

As of today, I've only ever seen bidirectional flows from the Cisco ASA. To summarize: instead of getting two flows as illustrated above, you get only one flow, keyed on the host that initiated the conversation. Within that one flow, however, you get the combined total of traffic for the request and the reply. Take the conversation from the unidirectional example: A –> B = 500 kB, B –> A = 75 kB.

Since only one flow is created, that one flow presents the total of 575 kB as A –> B = 575 kB, instead of breaking it into two summaries.

This is a strange way of rendering a flow, if you want my opinion. I'm not sure why Cisco decided to implement it this way, since it makes it tougher to figure out the flow direction. To be precise about what is lost: the source of the record still tells you who initiated the connection (A), but you can no longer tell how the 575 kB was split between the request and the reply.

"So this 575 kB conversation, is this from A –> B or is this B –> A?"

One check worth doing before you give up on the direction: the ASA export is NSEL, carried in NetFlow v9 templates, so look at the template your firewall actually sends. If it includes separate initiator-to-responder and responder-to-initiator byte counters, the split is present in the record and the collector only has to know to read both fields.
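To make the difference between the two accounting models concrete, here is an added example (not code from the original post or from Cisco) that does what a collector has to do with unidirectional router flows, pairing the A –> B and B –> A records into one conversation with the per-direction split preserved, and then models the single initiator-keyed total the post describes for the ASA, from which that split cannot be recovered. The record fields, the sample addresses and byte counts, and the rule that the earliest-seen direction is the initiator are all assumptions made for the example; real NetFlow v5/v9 records carry the same information under their own field names.

```python
"""Collector-side view of unidirectional vs. bidirectional flow accounting.

Added example, not code from the original post.  Assumed field names
(src, sport, dst, dport, proto, octets, start_ms) and the rule that the
earliest-seen direction is the initiator are this example's own choices.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # IP protocol number (6 = TCP)
    octets: int     # bytes counted in this direction only
    start_ms: int   # first-packet timestamp of this flow record


def conversation_key(f: Flow):
    """Direction-independent key: both endpoints sorted, plus protocol,
    so A->B and B->A map onto the same conversation."""
    ends = sorted([(f.src, f.sport), (f.dst, f.dport)])
    return (f.proto, ends[0], ends[1])


def merge_unidirectional(flows):
    """Pair unidirectional router/switch flows into bidirectional conversations.

    Returns {(initiator, iport, responder, rport, proto):
             {"fwd": bytes initiator->responder,
              "rev": bytes responder->initiator,
              "total": fwd + rev}}
    Several records in the same direction (for example a long connection
    split by the active timeout) are summed.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[conversation_key(f)].append(f)
    merged = {}
    for members in groups.values():
        # Assumption: the earliest record seen belongs to the initiator.
        first = min(members, key=lambda f: f.start_ms)
        init = (first.src, first.sport)
        fwd = sum(f.octets for f in members if (f.src, f.sport) == init)
        rev = sum(f.octets for f in members if (f.src, f.sport) != init)
        merged[(first.src, first.sport, first.dst, first.dport, first.proto)] = {
            "fwd": fwd, "rev": rev, "total": fwd + rev}
    return merged


def asa_style_records(merged):
    """Model the post's description of the ASA export: one record keyed on
    the initiator carrying only the conversation total.  Once exported like
    this, the fwd/rev split is gone and the collector cannot rebuild it."""
    return {key: v["total"] for key, v in merged.items()}


# Constructed sample (not captured data): host A (10.0.0.5) opens TCP/443 to
# B (192.0.2.10).  A sends 500 kB in two records split by the active timeout,
# B answers with 75 kB, matching the post's 500 kB / 75 kB example.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51234, "192.0.2.10", 443, 6, 300_000, start_ms=0),
    Flow("192.0.2.10", 443, "10.0.0.5", 51234, 6, 75_000, start_ms=5),
    Flow("10.0.0.5", 51234, "192.0.2.10", 443, 6, 200_000, start_ms=60_000),
]

if __name__ == "__main__":
    conversations = merge_unidirectional(SAMPLE_FLOWS)
    for key, counters in conversations.items():
        print("router view:", key, counters)
    print("ASA-style view:", asa_style_records(conversations))
```

Run as-is, the router view shows fwd=500000, rev=75000, total=575000 for the A –> B conversation, while the ASA-style view shows only A –> B = 575000. Note that the pairing step depends on the collector having both directions in its cache; if the two unidirectional records arrive from different exporters (asymmetric routing), the same merge has to be done across exporters or the conversation looks one-sided.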

Regardless, we should be grateful to have a firewall exporting NetFlow in the first place, and I'm sure everyone else feels the same way...

If you would like more information regarding the unique properties of the ASA, please give us a call and we’ll be happy to help.


3 Responses to “Everything you didn’t want to know about Bidirectional and Unidirectional NetFlow”

  1. Mike Patterson Says:

    We have been getting a few calls with questions on the uniqueness of the NetFlows exported by the Cisco ASA. Check out this PDF:
    http://www.plixer.com/files/netflow-on-the-asa-11-18-09.pdf

  2. Saving Time: NetFlow v9 or IPFIX - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] had a customer this week asking me about the NF_F_EVENT_TIME_MSEC field which is kicked out in the bidirectional NetFlow exported by the Cisco ASA.  He couldn’t see it in FlowView of Scrutinizer NetFlow Analyzer.  [...]

  3. Scrutinizer NetFlow Glossary - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] Bidirectional Flows Flexible NetFlow Ingress vs. Egress Interface 0 ip-flow timeout active 1 IPFIX ip route-cache flow vs. ip flow ingress NBAR NetFlow Collector and Analyzer NetFlow Exporters NetFlow Options Templates NetFlow Probe NetFlow Replicator NetFlow v5 vs. v9 NSEL sFlow [...]
