The other day my counter part posted a response to a question posted on the networking forum regarding “Interpreting NetFlow Data, Pkts and Octets“. I thought it was a great post so today I would like to post his reply on this weeks blog as it answers some of the more frequently asked questions we receive about NetFlow traffic analysis.

Q:  What separates the 1st flow from the second flow?

A:  Flows are identified either ingress or egress by 5-7 fields (i.e. tuple):

  • IP source address
  • IP destination address
  • Source port
  • Destination port
  • Layer 3 protocol type
  • Class of Service
  • Router or switch interface

Q:  Are the octets an indicator of how much data is passed specifically in the direction of the source to destination for that flow, or is it how much data is passed back and forth?

A:  All packets that match the above tuple are added together. The octets and packets are totalled and exported as determined by the active timeout (e.g. 1 minute). Only the delta is sent off to the NetFlow Collector. Send flows (e.g. Y-> Z) are almost always kept separate from reply flows (i.e. Z -> Y).

NOTE:   Only the Cisco ASA totals the ingress/egress flows between host A and host B. The folks at Cisco call this bidirectional NetFlow, however it is not RFC 5103 compliant because the in/out bytes are not separated out. It causes problems when trying to understand who sent the traffic to who.


Q:  What if a flow has only 1 packet and a low number of Octets, does that indicate that a connection with the destination was not established?

A:  It could mean this. It could mean that host Y tried to TCP connect to host Z, but host Z didn’t respond. With UDP traffic, you will often not see reply traffic.

Q:  How can I tell exactly how much data was passed using the Pkts and Octets fields?

A:  If the connection lasted 7.5 minutes, and the active timeout was 1 minute, 8 flows were probably exported (i.e. 1 per minute). The sent octets and packets would have to be totalled for all 8 flows. The same would have to be done for the reply flows.

Q:  How does a router know if a flow has ended?

A:  For TCP, the router will see a FIN flag and export the flow. Also, the inactive timeout on the router is usually set for 15 seconds. If the router doesn’t see traffic for a flow for 15 seconds, it will send out the flow in the next NetFlow datagram and flush the entry from the cache.

I hope this helps. Please try Scrutinizer for NetFlow Analysis.

Scott Robertson author pic


Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply