This is part 2 of a 3 part series.  Part 1 can be found here. In the second NetFlow lab we did a HTTP Comparison using my web browser and going to a common web site.  I wanted to see what kind of traffic occured when I visited the front page of without clicking on anything.  How many packets were transfered and how many flows were created?

Here are the steps I used in the study:

* I started WireShark
* I surfed to
* I went to another web site
* I stopped WireShark
* 2 Ingress Flows represents 11 packets going out from my PC
* 1 Ingress Flow represents 13 packets coming back from

Flows from my PC
First I looked at the traffic from my PC. The NetFlow received from the Cisco router was displayed with Scrutinizer NetFlow, sFlow and IPFIX Analyzer.  It displayed 11 packets and two flows from my PC. Why are there two flows?  You’ll need a packet trace to figure this out.  Click on the image below to enlarge.

Since the data went through our NetFlow capable switch ‘Enterasys’, I decided to take a look at the NetFlow data there as well with our NetFlow collector.  It still displayed 11 packets, but the octetDeltaCount was a bit higher as Enterasys counts things a bit differently.

Flows from
Second, I looked at the traffic from There was only 1 NetFlow datagram received, but since it was sending all of the content from the web site, the octetDeltaCount was over 5 times greater (12466) in the screen shot below.  It is the number next to the packetDeltaCount.

Lets take a look at the packet trace in Wireshark and compare it to the data that we see above from our NetFlow Analyzer.

Below you can see that the packet trace also revealed 13 packets from   Notice the big red arrow pointing at the domain.

A packet trace gives you the actual URL, traditional NetFlow does not export this.  However, I am seeing URLs exported from some up and coming hardware vendors supporting IPFIX.

This concluded the lab on  HTTP – NetFlow reporting. Now we are onto part 3 of this series.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply