I recently learned that Cisco is planning to have integration with DPI (Deep Packet Inspection).  What does this mean to your NetFlow collector and NetFlow Analyzer?  More good stuff!

Seriously, it means more information on the applications on your network.  What good is a NetFlow Reporting tool that only tells you the application is ‘HTTP’ (i.e. port 80)?  Many applications today are using port 80 and a whole slew of others use random ports. This is a real problem for NetFlow monitoring tools because there often isn’t enough information in the traditional NetFlow v5 tuple to determine the actual application (e.g. skype, BitTorrent, H.323, GoToMeeting, etc.).  It has to be done by the hardware or software that exports the IPFIX or NetFlow information.

Below is a screen capture of our BETA support for the SonicWALL IPFIX exports.  You can click on any of the applications below to find out who is sending this data.  When applicable, even the URLs involved with a flow can be accessed.

Application recognition requires deep packet inspection and hardware vendors like Cisco and SonicWALL are already exporting flows that are associated with layer 7.

Some of the information Cisco plans to export in NBAR2 includes:

•    HTTP Reports (e.g. Hostnames and URLs)
•    SIP Reports (e.g. Calling Id, Caller Id)

The above is expected to be available in 15.0(1)M on the Cisco ISR-G2.  This is an exciting advancement in the NetFlow industry.  I hope that the folks behind the sFlow technology are thinking about similar exports.  Below is a screen capture of the new SonicWALL VoIP report which includes Caller ID:

VoIP NetFlow Support with caller id

If you’re a hardware or software company looking to support Deep Packet Inspection, contact us for IPFIX consulting.  We want to work with you.

BTW: If you are a company that is going to implement DPI, export the data using IPFIX.  Even Cisco will eventually move away from NetFlow as the transport.  I can’t reveal my sources…

~FlowFest 2011 – Advanced NetFlow Training [Registration Closed]

Jake Bergeron author pic


Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply