If you are seeking a good understanding of NetFlow, or a better understanding of how it can be enabled, configured, and analyzed, the “Commercial NetFlow Applications” chapter from the book Digital Forensics for Network, Internet, and Cloud Computing can be a great resource. Written by Mike Patterson of Plixer International, Inc., the chapter details NetFlow and explains how you can make the most of it.

The Need for NetFlow
“Commercial NetFlow Applications” explains that today’s networks often operate at multigigabit speeds that can overwhelm traditional packet-based capture tools and analysis methods. As a solution to this modern problem, Cisco created NetFlow. Originally released in 1996, it has had multiple updates since. NetFlow v5 is still widely used, but v9 is the most recent release.

But what is NetFlow?
According to the book, NetFlow likely already exists in your network infrastructure in supported devices (routers, etc.). This technology collects and categorizes IP traffic as it passes through the device interfaces. As packets arrive, NetFlow inspects their headers and assigns each packet to the flow it belongs to. Focusing on flows rather than packet captures allows NetFlow to keep up with the increasing speeds of business networks.

What’s the point?
Identifying suspicious traffic for future investigation is much simpler through analyzing flows than it is through packet capture.  Ultimately, the desired result of flow analytics is to understand and safeguard your network.

How is it generated?
NetFlow can be generated when traffic enters an interface. For holistic results, NetFlow should be enabled on all interfaces of all supported devices that carry traffic you are interested in analyzing. This matters because outbound utilization on an interface is calculated from the ingress flows of the other interfaces. Otherwise, traffic coming in on one interface and destined for another will be missing from the NetFlow calculation.

Once NetFlow is enabled through a few straightforward and simple commands, the router will write records for every conversation going through it and will then export them to a NetFlow collector.

The chapter notes that the emerging standard for flow export, Internet Protocol Flow Information eXport (IPFIX), is largely based on NetFlow v9. It should not be confused with the packet-sampling technology called sFlow, although NetFlow can also perform sampling.

The chapter explains that NetFlow v5 only supports ingress flows, while v9 supports ingress and egress.  Generally speaking, ingress flows enabled on all the interfaces of the switch or router will deliver the information needed for an investigation.  However, there are multiple reasons you may be required to enable egress NetFlow in addition to ingress NetFlow.
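To make the ingress-only accounting described above concrete, here is an added example (not code from the book or from Scrutinizer) that parses a constructed NetFlow v5 export datagram and totals bytes per interface, then shows what happens to the derived outbound figures when one interface is not exporting. The sample flows, interface indexes and helper names are assumptions for illustration; the v5 header and record layouts are the standard 24-byte and 48-byte formats.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

V5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

# Constructed sample flows (not captured traffic):
# (src, dst, input ifIndex, output ifIndex, packets, bytes, sport, dport, proto)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 1, 2, 12, 1500, 51000, 443, 6),
    ("203.0.113.7", "10.0.0.5", 2, 1, 9, 9000, 443, 51000, 6),
    ("10.0.0.8", "10.0.1.20", 1, 3, 4, 400, 50222, 22, 6),
]

def build_v5_packet(flows):
    """Serialise flows as one v5 export datagram (uptime/sequence fields zeroed)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(inet_aton(src), inet_aton(dst), b"\0" * 4,
                       in_if, out_if, pkts, octets, 0, 0, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for src, dst, in_if, out_if, pkts, octets, sport, dport, proto in flows)
    return header + body

def parse_v5(packet):
    """Decode a v5 datagram into flow dicts; reject other versions and short payloads."""
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export: header count exceeds payload")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": inet_ntoa(r[0]), "dst": inet_ntoa(r[1]), "in_if": r[3],
                      "out_if": r[4], "pkts": r[5], "bytes": r[6], "sport": r[9],
                      "dport": r[10], "proto": r[13]})
    return flows

def interface_bytes(flows, enabled_ifaces=None):
    """Inbound/outbound byte totals per ifIndex from ingress-only v5 records.
    enabled_ifaces (None = all) drops records from interfaces not exporting; since
    outbound volume comes only from flows that entered *other* interfaces, a
    non-exporting interface silently zeroes the egress figures that depend on it."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for f in flows:
        if enabled_ifaces is not None and f["in_if"] not in enabled_ifaces:
            continue  # the router never generated this record
        inbound[f["in_if"]] += f["bytes"]
        outbound[f["out_if"]] += f["bytes"]
    return dict(inbound), dict(outbound)
```

With all three interfaces exporting, interface 1 shows 9000 bytes outbound; restrict exporting to interfaces 1 and 3 and that figure disappears entirely, which is the gap the chapter warns about.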

More to Come
The information Mike Patterson provided in Digital Forensics for Network, Internet, and Cloud Computing elaborates further on NetFlow v9 benefits and uses.  He discusses Flexible NetFlow, sFlow, and how Scrutinizer handles both.  Check out Digital Forensics for more information.



Patti is our International Partner Manager. She assists international partners by driving marketing and sales plans from lead assignment through the sales cycle. Patti is also responsible for identifying potential global markets to determine demand for partner management in those areas. When Patti is not helping partners spread the good news about how much Scrutinizer can help their customers, she enjoys spending time with her children and grandchildren, evangelizing, hiking, fishing, beekeeping and gardening.

