NetFlow Vs. Wireshark. Get the raw flows!

Posted in General, Scrutinizer on December 23rd, 2008 by mike@plixer.com

Have you ever been drilling in on a host in your NetFlow or sFlow analyzer hoping to get the kind of juicy details you get with a packet analyzer like Wireshark? If so, you have felt the disappointment that comes when the details simply aren’t there. Why does this happen, and what can be done about it?

The Limitations of NetFlow
NetFlow is an aggregation of traffic. For example, if my PC sends 800 packets to John’s PC and John’s PC sends 20 back to me, that becomes two flows. A single NetFlow v5 packet can contain up to 30 flows (NetFlow v9 contains up to 24). It is easy to see how a single NetFlow UDP datagram can represent over a dozen hosts communicating over the network with thousands of packets. NetFlow’s aggregation is pretty good. Alas, it has shortcomings as well.

What is in NetFlow v5
Because of NetFlow’s aggregation, we only get a few details. For example:

* Source and Destination Interfaces
* Source and Destination Ports
* Source and Destination Autonomous System
* Source and Destination Address Prefix Mask
* Protocol (UDP, TCP, etc.)
* Total Packets, Total Octets
* Start and end times of the flow
* TCP flags
* ToS (i.e. for DSCP)
See more on V5 & V9  NetFlow packet formats
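To make the list above concrete, here is an added example (not code from the post or from Plixer) that decodes a NetFlow v5 export datagram field by field. The datagram is constructed inline to carry the two flows from the article, 800 packets one way and 20 back; the addresses, ports and counters are assumed sample values, and the decoder rejects a datagram whose record count does not match its length, as a collector should.

```python
import struct
import socket

# NetFlow v5 wire layouts, network byte order: 24-byte header, 48-byte records
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_V5_RECORDS = 30                        # v5 carries at most 30 flows per datagram

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one v5 UDP payload into header fields plus a list of flow dicts."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    # A collector must not trust 'count' blindly: check it against the real length
    if count > MAX_V5_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12],
            "proto": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": seq,
            "sampling_interval": sampling & 0x3FFF, "flows": flows}

def build_record(src, dst, pkts, octets, sport, dport, proto, flags, first, last):
    """Constructed helper: pack one v5 record (next hop and AS numbers zeroed)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0" * 4, 1, 2, pkts, octets, first, last, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: the article's two flows (my PC -> John's PC, and back)
SAMPLE = (struct.pack(HEADER_FMT, 5, 2, 100_000, 1230000000, 0, 42, 0, 0, 0)
          + build_record("10.0.0.5", "10.0.0.9", 800, 1_200_000, 49152, 445, 6, 0x18, 90_000, 99_000)
          + build_record("10.0.0.9", "10.0.0.5", 20, 1_600, 445, 49152, 6, 0x10, 90_100, 99_000))

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE)["flows"]:
        print(flow)
```

Every field in the decoded dicts is the complete set of per-flow detail v5 exports; payload bytes are simply not there to recover.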

Compare NetFlow to Wireshark

Q: What if you want the raw packets like you get in Wireshark? Can you get the details to and from a host using NetFlow?
A: You can’t get all of the same details, but if you are using Scrutinizer NetFlow & sFlow Analyzer you can get a list of all the flows to and from the host, as shown below. This is about as good as it gets with NetFlow, and Scrutinizer can do it.

Raw NetFlow in Scrutinizer NetFlow & sFlow Analyzer

This is just the beginning of what it takes to display NetFlow in HD (High Definition).

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

One Response to “NetFlow Vs. Wireshark. Get the raw flows!”

  1. Scrutinizer 7.5 brings Matrix NetFlow Visualization, NBAR Traffic Inspection and Flow Expert Window - NetFlow & sFlow Network Monitoring - Systrax Says:

    [...] NetFlow analyzers vs. packet analyzers- are really complementary technologies. For years NetFlow has been a valuable tool used to supplement the use of packet analysis; and to a certain extent that is still the case. With the adoption of Flexible NetFlow and the new release of Scrutinizer 7.5, the value that NetFlow analysis brings to packet analysis becomes even more significant. [...]
