As a conversation is observed by a NetFlow-capable device, metadata about that conversation such as source and destination addresses, source and destination port numbers, and packet sizes are stored in a cache on the device until a timeout is reached, then exported to a NetFlow collector to be used for reporting later. I’d like to talk about the information collected and how long the device will hold that information in the cache.

Defining your record template

Let’s start with defining the information your NetFlow exporter will collect. For each conversation the device sees, the NetFlow template defines what information will be collected and stored in the NetFlow cache. Depending on the version of NetFlow used and the device you are collecting this information on, the configuration may be different. Please see the Plixer documentation for exact device configuration help.

Here is what I would define as a basic NetFlow record template:

match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match flow direction
match interface input
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags 

In this basic template, we are collecting data about the source and destination of the data stream, how many packets are in the conversation, and the total number of bytes.  

The “match” fields are used to determine whether the current packet is part of a conversation that is already in the NetFlow cache. If all of the match fields of a packet agree with an entry currently in the NetFlow cache, that packet’s “collect” fields are added to that entry. If there is no matching entry in the cache, a new record is added. After the device has held the information for a set period of time, the cache entry is exported to the defined NetFlow collector.

Template timeout

Now that we have the NetFlow record template defined, let’s talk about how often the device will send these template details to your NetFlow collector. This is controlled by the template timeout setting.

The NetFlow template is the decoder ring for your collector: it is how the collector knows what information is being sent, and flows that arrive before their template cannot be decoded. Resending the template every 5 to 30 minutes is often enough that if you make a change to the exporter or restart the NetFlow collector, the collector will not have to wait long before it can resume collection and reporting on the data sent.

Plixer Scrutinizer is designed to collect and report on data from many different exporters, each of which may use a different template. We can do this because we use the template data to create the tables that store and decode whatever data is being sent. This way, you can configure devices to send the data that’s important to you without having to worry about whether your collector can accept it.

Active/inactive flow cache timeout

The active and inactive flow cache timeouts refer to how long the device will keep a conversation in the flow cache before packaging that data in a NetFlow packet and sending it to your collector.

Starting with the inactive flow timeout: this covers the situation where the exporter has not seen any new packets for a conversation cross the observation point for a set amount of time, so it packages that data up and sends it off. There is no need to keep an inactive flow in the cache for more than a few seconds, as that is just wasted space. A setting of about 15 seconds should do just fine.

When it comes to the active flow timeout, we want this set to something that makes sense for the collector in use and how that data will be presented. The Scrutinizer collector displays data in 1-minute increments, so it expects the active flow timeout to be set to 60 seconds. For example, if one of your end users initiates a download of a 10GB file and that download takes 10 minutes, then with a timeout of 60 seconds a report on that conversation will show an average of 1GB/minute for 10 minutes. If your active flow timeout were set to 30 minutes, the whole conversation would arrive in a single record, and a Scrutinizer report would show 10GB/minute in the one minute in which the collector received that record.
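As an added example (my own code, not Plixer's or any exporter's), here is a small Python model of the cache described in the two sections above: the template's match fields form the cache key, the collect fields are accumulated on the matching entry, and entries are exported on the active or inactive timeout. It replays the 10GB, 10-minute download from this section with both active timeouts; the addresses, ports and per-packet sizes are constructed sample values.

```python
KEY_FIELDS = ("proto", "src", "dst", "sport", "dport", "direction", "in_if")  # the "match" lines


class FlowCache:
    """Toy exporter cache: a packet matching an entry updates its "collect" fields,
    any other packet opens a new entry; entries leave on the active/inactive timeouts."""
    def __init__(self, active_ms, inactive_ms):
        self.active_ms, self.inactive_ms = active_ms, inactive_ms
        self.cache = {}     # key tuple -> record still being updated
        self.exported = []  # records already handed to the collector

    def tick(self, now):
        """Export every record that has hit its active or inactive timeout by time `now`."""
        for key, rec in list(self.cache.items()):
            aged = now - rec["first_ms"] >= self.active_ms
            idle = now - rec["last_ms"] >= self.inactive_ms
            if aged or idle:
                rec["reason"] = "active" if aged else "inactive"
                self.exported.append(self.cache.pop(key))

    def observe(self, now, pkt):
        self.tick(now)
        key = tuple(pkt[f] for f in KEY_FIELDS)
        rec = self.cache.get(key)
        if rec is None:  # no conversation with these match fields in the cache: add a record
            rec = dict(zip(KEY_FIELDS, key), first_ms=now, last_ms=now,
                       bytes=0, packets=0, tcp_flags=0)
            self.cache[key] = rec
        rec["last_ms"] = now  # the "collect" fields are updated on the matching entry
        rec["bytes"] += pkt["len"]
        rec["packets"] += 1
        rec["tcp_flags"] |= pkt.get("flags", 0)


def simulate_download(active_ms, inactive_ms, total_bytes=10_000_000_000, duration_ms=600_000):
    """Constructed traffic: one 10 GB download spread evenly over 10 minutes (1000 packets).
    Timestamps are integer milliseconds so the timeout arithmetic is exact."""
    cache = FlowCache(active_ms, inactive_ms)
    n = 1000
    pkt = dict(proto=6, src="203.0.113.10", dst="10.0.0.5", sport=443, dport=51234,
               direction="ingress", in_if=1, len=total_bytes // n, flags=0x18)  # PSH|ACK
    for i in range(n):
        cache.observe(i * (duration_ms // n), pkt)
    cache.tick(duration_ms + inactive_ms)  # stream has stopped: the last entry goes idle
    return cache.exported


if __name__ == "__main__":
    for active_ms in (60_000, 1_800_000):  # 1 minute vs 30 minutes, as in the text
        recs = simulate_download(active_ms, 15_000)
        print(f"active={active_ms // 60_000} min: {len(recs)} record(s), largest "
              f"{max(r['bytes'] for r in recs) / 1e9:.0f} GB")
```

With a 60-second active timeout the download is exported as ten 1GB records, one per minute; with 30 minutes it leaves the cache as a single 10GB record only after the 15-second inactive timeout fires.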

Conclusion

Most NetFlow-capable devices will have a different set of commands to set these values, but the concepts are the same. If you have questions on how to configure a specific device, please reach out to support today for help.

Happy monitoring!

Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.
