Which NetFlow Version: v5, v9, Flexible NetFlow or IPFIX?

Posted in Cisco Medianet, Flexible NetFlow, IPFIX, NetFlow, NetFlow Analyzer, Network Monitoring, Network Traffic Analysis, Network Traffic Monitor on October 26th, 2011 by Danny
NetFlow v5/v9, Flexible NetFlow and IPFIX are the most popular IP flow formats. In this blog I would like to briefly talk about each of them, so that you can take better advantage of everything flow technology has to offer, including features that could change your network traffic analysis experience forever.

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


NetFlow v5 and NetFlow v9

Posted in Cisco Medianet, IPFIX, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor on February 23rd, 2011 by Danny

As network administrators look to use NetFlow for more visibility on their network, they often have to decide which NetFlow version they need enabled on routers/switches. Several times these past few weeks, I was asked the difference between NetFlow v5 and v9. That is why in this blog, I intend to give you just enough information to make your choice between the two versions quick and easy, especially if you are using our NetFlow and sFlow Analyzer.


Sending NetFlow Over IPsec Tunnels

Posted in Network Traffic Analysis on September 21st, 2010 by Paul

As the fall equinox quickly approaches us, it brings with it the cool fall air and all the wonderful color changing (dying) leaves that we Mainers love so much. It’s the perfect time to grab a cup of joe and discuss some recent issues our customers have been experiencing with sending Cisco NetFlow over an encrypted IPsec tunnel.


Paul


How to Configure Windows nProbe to Send NetFlow

Posted in NetFlow, Network Traffic Analysis on February 23rd, 2010 by Paul

You’ve installed Scrutinizer only to find out that your network hardware doesn’t support NetFlow or sFlow; what now? If you’re in this situation then you’ve come to the right place. I’ve put together a guide on how to configure a Windows nProbe to send NetFlow v5 to your favorite NetFlow collector and analyzer.


Paul


BEWARE: Cisco Egress NetFlow with Flexible NetFlow

Posted in NetFlow, NetFlow Analyzer on January 25th, 2010 by Brian

Most people collecting NetFlow use it in a very traditional fashion (i.e. NetFlow v5 with ingress flows). Ingress flow means that only inbound (i.e. received) traffic is collected and exported in NetFlow datagrams. This may sound like you won’t know what is going ‘out’ an interface, but have no fear. There is an easy way to calculate outbound traffic using ingress NetFlow.

[Figure: determining outbound using ingress]

Above, outbound utilization on interface 1 is determined by looking at the flows from interfaces 2, 3 and 4 that are destined for interface 1. Since an ingress flow contains the source and destination interface (i.e. port of the router), outbound traffic is determined by using ingress flows from the other interfaces. For this reason, it is important to enable NetFlow on all interfaces of the switch or router. This trick is common practice in all NetFlow reporting tools. But what about NetFlow v9 and its support for ‘Egress’ NetFlow (i.e. traffic going out an interface)?
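The outbound calculation described above, worked through on NetFlow v5 records as an added example (not code from the original post or from Scrutinizer). The helper `build_v5` and the sample flows are constructed for illustration; the record layout is the standard 24-byte v5 header followed by 48-byte records.

```python
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte fixed flow record

def parse_v5(dgram):
    """Yield (input_if, output_if, octets) for every record in one v5 datagram."""
    version, count = V5_HEADER.unpack_from(dgram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(dgram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    for i in range(count):
        rec = V5_RECORD.unpack_from(dgram, V5_HEADER.size + i * V5_RECORD.size)
        yield rec[3], rec[4], rec[6]   # input ifIndex, output ifIndex, dOctets

def interface_octets(dgrams):
    """Sum ingress-flow octets per receiving and per destination interface."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for dgram in dgrams:
        for in_if, out_if, octets in parse_v5(dgram):
            inbound[in_if] += octets    # measured where the flow was received
            outbound[out_if] += octets  # inferred: the flow leaves via out_if
    return dict(inbound), dict(outbound)

def build_v5(flows):
    """Pack constructed (input_if, output_if, octets) tuples into a v5 datagram."""
    body = b"".join(
        V5_RECORD.pack(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", bytes(4), i, o, 1, n,
                       0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 24, 24, 0)
        for i, o, n in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: interfaces 2, 3 and 4 receive traffic destined for interface 1.
SAMPLE = [build_v5([(2, 1, 1000), (3, 1, 2000), (4, 1, 500), (1, 2, 700)])]
```

If ingress NetFlow were missing on interface 3, its 2000 octets would silently drop out of interface 1's outbound total, which is why the post asks for NetFlow on every interface.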


Brian


Identify more than just the ingress and egress packet throughput on your ASA Firewall

Posted in ASA, NetFlow, Scrutinizer on October 15th, 2009 by Scottr

NSEL (NetFlow Security Event Logging) is the type of NetFlow exported from an ASA Firewall. The purpose of NSEL is to track firewall events via NetFlow and to have a summary of all conversations associated with that event type.

The three most popular event types that trigger a NetFlow record are:

* flow-create
* flow-denied
* flow-teardown



NetFlow v9 vs. NetFlow v5: What are the differences?

Posted in NetFlow, Network Traffic Analysis on June 18th, 2009 by mike@plixer.com

Q: What is the difference between Cisco NetFlow v9 and Cisco NetFlow v5?
A: Four versions.

Heh heh, I slay me! Alright, sort of stupid I know. I’ll get serious about this.

NetFlow v5 is by far the most popular version of Cisco NetFlow. I would say over 90% of our customer base uses NetFlow v5.


Michael Patterson
Founder and CEO


Cisco NetFlow v5 vs. NetFlow v9: Which most satisfies your hunger pangs? part 3

Posted in Scrutinizer on March 15th, 2009 by mike@plixer.com

This is article 3 of a 3-part series on the differences between Cisco NetFlow version 5 and v9.  Click here for the first and second articles.

Cisco enhances NetFlow v9 with Flexible NetFlow
As outlined in the prior blog post, one of the downfalls of Cisco NetFlow v9 is that very few collectors can report on all the new fields. With so few companies able to take advantage of the latest version, what does Cisco do? It comes out with Flexible NetFlow, but is it the McMonster?

Flexible NetFlow is NetFlow v9
Flexible NetFlow is an extension of version 9. It gives us more capabilities without coming out with a new version. It provides additional functionality that allows administrators to export even more information using the same NetFlow v9 datagram, things like CPU utilization, packet captures, etc. It’s really nifty stuff without all of the information in NetFlow v5. You can read about Flexible NetFlow here.

Here’s what I think
After attending the Advanced NetFlow class at Cisco Networkers last year and meeting with Benoit Claise, a Cisco distinguished engineer and NetFlow visionary, I think Cisco’s attitude is that NetFlow is absolutely a much better way to export router information than any other known technology. I think Cisco is passionate about its vision and investments in NetFlow.

It’s McALaCart
It isn’t a McMonster. It’s McALaCart. Flexible NetFlow isn’t about exporting tons more information; it’s about exporting exactly what you want without depending on legacy technologies such as SNMP that can cause tons of monitoring traffic. Why even collect NetFlow v5 when all you want is some basic table information? Sometimes all I want is a veggie wrap when I walk into McDonald’s.


This is why I like drawing comparisons between NetFlow and hamburgers. BTW: Have you seen all the sandwiches McDonalds kicks out worldwide? It should have been the one that coined the phrase “Have it your way” ® and I think we are seeing the same mantra with Cisco Flexible NetFlow.

I’ll end with this
NetFlow v9 is where it’s at and Scrutinizer for NetFlow and sFlow Analysis is all over it.

Update: All the parts to this series have been published. See Part 1 here, Part 2 here, and Part 3 here.

BigMac® is a registered trade mark of McDonald’s Corporation.
“Have it your way” ® is a registered trade mark of Burger King Brands, Inc.

Michael Patterson
Founder and CEO


Cisco NetFlow v5 vs. NetFlow v9: Which most satisfies your hunger pangs? part 2

Posted in NetFlow, Network Traffic Analysis, Scrutinizer on March 11th, 2009 by mike@plixer.com

This is article 2 of a 3 part series on the differences between NetFlow version 5 and v9. Read Cisco NetFlow v5 vs. NetFlow v9: Part 1.

The Big Mac
You expected it but Cisco NetFlow v9 is really more than a Big Mac®. To hold to the analogy, the Big Mac brings cheese, lettuce and a sesame seed bun to the traditional McDonald’s burger. It brings more substance, more meat! It brings the coveted “special sauce”.


If you haven’t already, take a look at the format of Cisco NetFlow v9.  At first you might think “wow, too much information”.  Let’s keep it all in perspective.   You can get tons of information using SNMP and most people only scratch the surface.

Hey, I need a template
With NetFlow v5, the collection software is usually hard coded with the decode information necessary to digest the incoming flows.  It is predetermined and never changes.  It is always the same old fields in the same order. Some call it deterministic, and therefore, collection can be fast.

With NetFlow v9, templates are periodically sent out (e.g. every minute) on how to decode the packets. The collector often must hold off on decoding datagrams until a template is received. This template architecture makes v9 very dynamic with what it can send. Some of the new features in v9 that some customers might be looking for include:
• Source and Destination MAC addresses
• IPv6 support
• Improved details on VLANs and MPLS connections
• Flow sampling, which is kind of like sFlow.  See NetFlow vs. sFlow
• Interface Name and Description (usually requires SNMP)
• Egress Flows which I’ll digress on in another blog (Important)
• Many more capabilities.  I’ll talk about Flexible NetFlow later.
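The template behaviour described above (the collector holding off on decoding until a template is received), as an added example that is not from the original post or any vendor's collector. The class name `V9Collector`, the `max_pending` cap and the sample datagrams are assumptions made for illustration; field types 8, 12 and 1 are the v9 IPV4_SRC_ADDR, IPV4_DST_ADDR and IN_BYTES fields.

```python
import struct
from collections import defaultdict

class V9Collector:
    def __init__(self, max_pending=64):
        self.templates, self.records = {}, []  # templates: (source_id, id) -> [(type, len)]
        self.pending = defaultdict(list)       # same key -> data flowsets not yet decodable
        self.max_pending = max_pending         # cap: exports arrive over unauthenticated UDP

    def feed(self, dgram):
        version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", dgram, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 datagram")
        off = 20
        while off + 4 <= len(dgram):
            fs_id, fs_len = struct.unpack_from("!HH", dgram, off)
            if fs_len < 4 or off + fs_len > len(dgram):
                raise ValueError("flowset length out of bounds")
            body, key = dgram[off + 4:off + fs_len], (source_id, fs_id)
            if fs_id == 0:
                self._learn(source_id, body)
            elif fs_id >= 256 and key in self.templates:
                self._decode(key, body)
            elif fs_id >= 256 and sum(map(len, self.pending.values())) < self.max_pending:
                self.pending[key].append(body)    # hold until the template shows up
            off += fs_len

    def _learn(self, source_id, body):
        while len(body) >= 4:
            tid, n = struct.unpack_from("!HH", body)
            key, end = (source_id, tid), 4 + 4 * n
            if tid < 256 or end > len(body):
                break                             # padding or truncated template
            self.templates[key] = list(struct.iter_unpack("!HH", body[4:end]))
            for held in self.pending.pop(key, []):
                self._decode(key, held)           # release what was waiting
            body = body[end:]

    def _decode(self, key, body):
        fields = self.templates[key]
        size = sum(n for _, n in fields) or len(body) + 1  # zero-size: decode nothing
        for start in range(0, len(body) - size + 1, size):
            rec, pos = {}, start
            for ftype, n in fields:
                rec[ftype], pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
            self.records.append(rec)

HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 7)  # constructed sample, exporter source_id 7
TEMPLATE = HDR + struct.pack("!HHHH6H", 0, 20, 256, 3, 8, 4, 12, 4, 1, 4)
DATA = HDR + struct.pack("!HH4s4sI", 256, 16, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 1500)
```

Feeding `DATA` before `TEMPLATE` leaves the flowset queued and undecoded; the cap bounds how much a collector will hold for templates that never arrive.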

NetFlow v9 downfalls
Version 9 is not without its weaknesses. First of all, most people turning it on are using it to collect the same data you can get with version 5. How come? Most NetFlow collection packages don’t provide a reporting interface to view the additional information provided by v9. What’s more, the advanced exports are more complicated to configure, and without a reporting package, it is more work to figure out if it is exporting correctly.

Like SNMPv2, NetFlow v9 will take time to roll out. Customers need to ask for the additional features. Where’s the ‘demand’?  Too bad I wasn’t drawing comparisons to Wendy’s Hamburgers.  Anyway, we need to hear from you! Vendors need to hear from more than one customer that a feature is needed and why. A business case can then be justified and software development can begin.

What is Cisco up to?
NetFlow v9 is Cisco’s attempt to let the Network Administrator export nearly any information he/she wants from the router. It is my guess that someone at Cisco took a class on Microeconomics and is trying to encourage the IOS software developers to write more features into NetFlow in hopes that the consumer will strive for more ‘utility’  and ultimately ‘Demand’ will follow.   :) We’ll discuss flexible NetFlow in my 3rd and final blog in this series.

Update: All the parts to this series have been published. See Part 1 here, Part 2 here, and Part 3 here.

Michael Patterson
Founder and CEO


Cisco NetFlow v5 vs. NetFlow v9: Which most satisfies your hunger pangs?, part 1

Posted in General, NetFlow, Network Traffic Analysis, Scrutinizer on March 8th, 2009 by mike@plixer.com

This is article 1 of a 3-part series on the differences between Cisco NetFlow versions 5 and 9.

Cisco NetFlow v5 is by far the most popular version of NetFlow being used on today’s networks. Some might ask why, when v9 is a newer version? I’ll take an answer from a Microeconomics class I took in my sophomore year in college; it’s called ‘utility’.

Burger #1
The professor told a story that went something like this: Let’s say you have been working hard all day and for some reason, you desire a McDonald’s hamburger. In fact, your mouth starts watering at 11AM in anticipation of covering all sensors in your mouth with the savory goodness of one of its tasty burgers. You have the demand and know where to find the supply.

When you order that first hamburger and eat it, you get a good deal of satisfaction because it alleviates your hunger pangs and tastes wonderful. Mmmm, this is called ‘utility’ and you just received a good deal of it from the consumption of that hamburger. On a scale of 1-10, with 1 being horrible and 10 being awesome, this burger could get a perfect 10.

Burger #2
Now, let’s say you are still hungry and liked the first burger so much that you ‘demand’ a second one.  Once again the thought of “mmmm so good” envelops you as supply meets your demand. Maybe you get nearly as much satisfaction and happiness (i.e. utility) from the 2nd burger. The burger gets a utility score of 9. You even sit back and think about a third.

Burger #3
Perhaps you are still a bit hungry.  Your demand pushes you to go up for a third hamburger.  You wash it down with a Coke, then sit back to reflect on the third burger and the utility you gained from it. It gets a utility rating of 7. Why not a 10 or 9 you ask? Because you are no longer as hungry and don’t have the demand. In fact, you probably didn’t have the strong devouring desire going into the third burger.

Burger #4
Let’s say it is going to be a long day and because of your work schedule, you know that you are not going to have dinner until 8PM that night. You probably don’t really care either way about eating a 4th burger, but you want to make sure you are tided over, and so you eat the fourth and the utility rating is a 5. See what is happening? Your attitude toward the fourth burger was apathetic. You didn’t really care about it and certainly a 5th or 6th burger would bring lower utility ratings because you are becoming full and actually starting to loathe the thought of another burger in your belly.

NetFlow ain’t no Burger
Well, how does a McDonald’s hamburger compare to the utility gained from NetFlow v5 vs. v9? It’s simple. NetFlow v5 gives you pretty much everything you demand to know about the traffic on a link without busting out a packet analyzer like Wireshark. It gives a utility rating that probably reaches close to 9. With a good NetFlow analyzer, version 5 delivers on:
•    Who is causing the most traffic?
•    What application are they using and who are they talking with?
•    Where are they on the network, physically and by subnet?
•    How much data have they transferred and for how long?

With all the above information and the added value of a good reporting package like Scrutinizer, NetFlow v5 pretty much covers the gamut of what IT professionals are looking for in most troubleshooting situations. Take a minute to look at the NetFlow v5 format.

Because NetFlow v5 delivers on so much information, demand for additional features hasn’t been overly strong. It will take time before people desire what is available in NetFlow v9. The supply is waiting, but we need to gain further utility. We’ll continue with this thread in my next blog.

Update: All the parts to this series have been published. See Part 1 here, Part 2 here, and Part 3 here.

Michael Patterson
Founder and CEO
