Since NetFlow is template-based, how does a collector know one template from another? The answer is simple, Intelligent Template Recognition ™. In short, a collector receives flows with packets and uses templates to decode the information in the packets. With Intelligent Template Recognition ™ it automatically knows how to name the templates. But how does the collector know how to name the template?

 

Intelligent Template Recognition ™

A NetFlow / IPFIX template specifies element IDs and their lengths. The collector decodes these templates and looks for the template name in it’s table of pre-named templates. If an exact match is not found Intelligent Template Recognition ™ is used to name the template. For a detailed analysis on the difference between NetFlow and IPFIX information elements you can read Mike’s blog, it’s riveting!

 

When the collector does not have a matching pre-defined template definition, Intelligent  Template Recognition™ is used.  “Cisco: Medianet Custom Flows”  is an excellent example of that.

 

The collector identified that this template contains at least one element ID unique to Cisco Medianet exports. Therefore “Cisco: Medianet” is chosen as the first part.  The template also contains a basic flow 5-tuple (source IP, source port, protocol, destination port, destination IP) along with a byte counter, so it was labeled “Flows”.  The word “Custom” tells us that this was not a pre-defined description.

SonicWALL is a great example of a vendor who takes matters into their own hands. They export IPFIX templates with information that is not normally found in standard v9 templates.

I love how Cisco coins NetFlow version 9 as ”future-proofed” due to it’s flexibility. When a vendor wants to export new information through NetFlow or IPFIX they don’t have to reinvent the technology. They just add new element strings to a template to decode the new information. The job of a great NetFlow collector is to constantly work with vendors to bring you the latest information available in NetFlow.

If you have any other questions, please don’t hesitate to contact us.

Jimmy Wendler

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Tags: Cisco ASA netflow template, Cisco Medianet template, flexible netflow templates, ipfix template, netflow nbar template, NetFlow Templates, sonicwall ipfix, SonicWALL templates

This entry was posted on Wednesday, September 14th, 2011 at 5:02 pm and is filed under ASA, Cisco Medianet, IPFIX, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, SonicWALL. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.