Q: What is the difference between Cisco NetFlow v9 and Cisco NetFlow v5?
A: Four versions.

Heh heh, I slay me! Alright, sort of stupid I know. I’ll get serious about this.

NetFlow v5 is by far the most popular version of Cisco NetFlow. I would say over 90% of our customer base uses NetFlow v5.

The NetFlow v5 packet format is fixed, so it is easy for most NetFlow collection and network traffic reporting packages to decipher. All flows are calculated when they come into an interface (i.e. inBound). OutBound traffic is reported using inBound flows from the other interfaces. Because of this, it is generally advised that NetFlow v5 be enabled on all interfaces of the device; otherwise outBound utilization on some interfaces may be understated.

NetFlow v9 is gaining market share, albeit slowly, and isn’t as deterministic as NetFlow v5. NetFlow v9 templates are the big differentiators here. Read what happens when Wireshark doesn’t receive a template before receiving the NetFlow v9 packets.

Anyway, the NetFlow v9 packet format is dynamic. Because of this, NetFlow v9 templates must be sent periodically to tell the NetFlow collector the format of the flows being exported. I fired up Wireshark and caught a template below. Nothing like some NetFlow fishing:

[Image: NetFlow v9 template]

After the above template, here comes the 2nd fish (i.e. actual flows):

[Image: NetFlow v9 flow]

I know the above is IPv6 and everyone is still using IPv4, but it’s what I happened to be working with at the moment. Notice above the Direction ’01’. This means it is an Egress flow, which is something that NetFlow v5 can’t do. You need to read this blog on “NetFlow version 9: Egress Vs. Ingress” to understand the value of Egress flows. What I want to stress in this blog is that it’s the templates in NetFlow version 9 that make it A LOT more powerful than NetFlow version 5. In fact, the templates allow NetFlow v9 to be Flexible, so that many more different exports are possible (e.g. CPU utilization). Ever heard of Flexible NetFlow?
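To make the template dependency concrete, here is a small collector-side decoder, added as an example and not taken from the original post or from any product. It follows the NetFlow v9 layout in RFC 3954; the sample packets, the source ID 7 and template ID 256 are constructed, and a real collector would also key its template cache on the exporter's IP address.

```python
import struct

# Small subset of the NetFlow v9 field types defined in RFC 3954.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 61: "DIRECTION"}

def parse_v9(packet, templates):
    """Decode one export packet; templates is {(source_id, template_id): fields}.
    Returns (records, ids of data flowsets that could not be decoded)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, undecoded, off = [], [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length runs past the packet")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break  # padding or a truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                    for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset: its id names the template to use
            fields = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in fields or [])
            if not rec_len:
                undecoded.append(fs_id)  # no usable template seen yet
                continue
            for start in range(0, len(body) - rec_len + 1, rec_len):
                rec, pos = {}, start
                for ftype, length in fields:
                    rec[FIELD_NAMES.get(ftype, ftype)] = int.from_bytes(
                        body[pos:pos + length], "big")
                    pos += length
                records.append(rec)
    return records, undecoded

# Constructed sample packets (source_id 7): template 256, then one data record.
HDR = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 1, 7)
TEMPLATE_PKT = HDR + struct.pack("!HHHH8H", 0, 24, 256, 4,
                                 4, 1, 61, 1, 1, 4, 2, 2)
DATA_PKT = HDR + struct.pack("!HHBBIH", 256, 12, 6, 1, 1500, 3)
```

Feeding `DATA_PKT` to `parse_v9` with an empty template cache returns no records and reports flowset 256 as undecodable; after `TEMPLATE_PKT` has been seen, the same bytes decode to a TCP flow with `DIRECTION` 1 (egress).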

Update: All the parts to this series have been published. See Part 2 here and Part 3 here.


Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
