NetFlow v9 vs. NetFlow v5: What are the differences?

Posted in NetFlow, Network Traffic Analysis on June 18th, 2009 by mike@plixer.com

Q: What is the difference between Cisco NetFlow v9 and Cisco NetFlow v5?
A: Four versions.

Heh heh, I slay me! Alright, sort of stupid I know. I’ll get serious about this.

NetFlow v5 is by far the most popular version of Cisco NetFlow. I would say over 90% of our customer base uses NetFlow v5.

The NetFlow v5 packet format is fixed: every export has the same layout, which makes it easy to decode for most NetFlow collection and network traffic reporting packages. All flows are calculated when they come into an interface (i.e. inbound). Outbound traffic is reported using the inbound flows from the other interfaces. Because of this, it is generally advised that NetFlow v5 be enabled on all interfaces of the device; otherwise outbound utilization on some interfaces may be understated.

NetFlow v9 is gaining market share, albeit slowly, and isn’t as deterministic as NetFlow v5. NetFlow v9 templates are the big differentiators here. Read what happens when Wireshark doesn’t receive a template before receiving the NetFlow v9 packets.

Anyway, the NetFlow v9 packet format is dynamic. Because of this, NetFlow v9 templates must be sent periodically to tell the NetFlow collector the format of the flows being exported. I fired up Wireshark and caught a template below. Nothing like some NetFlow fishing:

[Screenshot: Wireshark capture of a NetFlow v9 template]

After the above template, here comes the 2nd fish (i.e. actual flows):

[Screenshot: Wireshark capture of a NetFlow v9 flow]

I know the above is IPv6 and everyone is still using IPv4, but it’s what I happened to be working with at the moment. Notice above the Direction ‘01’. This means it is an Egress flow, which is something that NetFlow v5 can’t do. You need to read this blog on “NetFlow version 9: Egress Vs. Ingress” to understand the value of Egress flows. What I want to stress in this blog is that it’s the templates in NetFlow version 9 that make it A LOT more powerful than NetFlow version 5. In fact, the templates allow NetFlow v9 to be Flexible, so that many more different exports are possible (e.g. CPU utilization). Ever heard of Flexible NetFlow?
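The template dependency described above, as an added example (not code from the original post or from Scrutinizer): a minimal Python collector that cannot decode a data FlowSet until the matching template has arrived, and that reads the Direction field once it can. Field type numbers follow RFC 3954; the packets, addresses and function names are constructed for illustration, and IPv4 fields stand in for the IPv6 capture to keep it short.

```python
import ipaddress
import struct
# Field types from RFC 3954; 61 is DIRECTION (0 = ingress, 1 = egress).
NAMES = {1: "IN_BYTES", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR", 61: "DIRECTION"}

def learn(templates, exporter, source_id, body):  # body of a template FlowSet (id 0)
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        if tid < 256 or pos + 4 + 4 * count > len(body):
            break  # padding or truncated record
        fields = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(count)]
        templates[(exporter, source_id, tid)] = fields
        pos += 4 + 4 * count

def decode(fields, body):  # body of a data FlowSet, fields = [(type, length), ...]
    size, out = sum(n for _, n in fields), []
    for start in range(0, len(body) - size + 1, max(size, 1)):  # tail padding ignored
        rec, pos = {}, start
        for ftype, n in fields:
            name, raw = NAMES.get(ftype, str(ftype)), body[pos:pos + n]
            rec[name] = str(ipaddress.ip_address(raw)) if "ADDR" in name else int.from_bytes(raw, "big")
            pos += n
        out.append(rec)
    return out if size else []

def feed(templates, exporter, pkt):
    """Parse one export packet; return (decoded flows, data FlowSets skipped)."""
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, skipped, off = [], 0, 20
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("FlowSet length outside packet")
        body, key = pkt[off + 4:off + fs_len], (exporter, source_id, fs_id)
        if fs_id == 0:
            learn(templates, exporter, source_id, body)
        elif fs_id >= 256 and key in templates:
            flows += decode(templates[key], body)
        elif fs_id >= 256:
            skipped += 1  # no template yet: record layout unknown
        off += fs_len
    return flows, skipped

# Constructed sample packets (not captured traffic): source_id 7, template id 256.
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 7)
TEMPLATE_PKT = HDR + struct.pack("!HHHH8H", 0, 24, 256, 4, 8, 4, 12, 4, 1, 4, 61, 1)
DATA_PKT = HDR + struct.pack("!HH4s4sIB3x", 256, 20, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1500, 1)
```

Feeding `DATA_PKT` before `TEMPLATE_PKT` returns no flows and one skipped FlowSet; feeding it again after the template yields the record with `DIRECTION` 1 (egress). The cache is keyed by exporter and source ID so that one exporter's template never changes how another exporter's flows are decoded.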

Michael Patterson
Scrutinizer Product Manager

3 Responses to “NetFlow v9 vs. NetFlow v5: What are the differences?”

  1. NetFlow configs for Multicast traffic…You know you want to. - NetFlow & sFlow Network Monitoring - Systrax Blog Says:

    [...] solve this, we need to use NetFlow v9 and its ingress and egress monitoring [...]

  2. fran Says:

    If I am using netflow version 9 and I want to see the IN and OUT traffic stats of the WAN interface of the CE router, can I just use ip flow ingress and ip flow egress on that interface on the WAN interface and avoid configuring the LAN interfaces?

  3. Mike Patterson Says:

    Yes, you can do this with NetFlow v9 and it will work fine. Scrutinizer looks for egress flows when displaying outbound traffic.
