Have you ever been drilling in on a host in your NetFlow or sFlow analyzer hoping to get the kind of juicy details you get with a packet analyzer like Wireshark? If so, you have felt the disappointment that comes about when the details simply aren’t there. Why does this happen and what can be done about it?
The Limitations of NetFlow
NetFlow is an aggregation of traffic. For example, if my PC sends 800 packets to John’s PC and John’s PC sends 20 back to me. This becomes two flows. A single NetFlow v5 packet can contain up to 30 flows (NetFlow v9 contains up to 24). It is easy to understand how a single NetFlow UDP datagram can represent over a dozen hosts communicating over the network with thousands of packets. NetFlows aggregation is pretty good. Alas, it has short comings as well.
What is in NetFlow v5
Because of NetFlow’s aggregation, we only get a few details. For example:
* Source and Destination Interfaces
* Source and Destination Ports
* Source and Destination Autonomous System
* Source and Destination Address Prefix Mask
* Protocol (UDP, TCP, etc.)
* Total Packets, Total Octets
* Start and end times of the flow
* TCP flags
* ToS (i.e. for DSCP)
See more on V5 & V9 NetFlow packet formats
Compare NetFlow to Wireshark
Q: What if you want the raw packets like you get in Wireshark. Can you get the details to and from a host using NetFlow?
A: You can’t get all of the same details but, if you are using Scrutinizer NetFlow & sFlow Analyzer you can get a list of all the flows to and from the host as shown below. This is about as good as it gets with NetFlow and Scrutinizer can do it.
This is just the beginning of what it takes to display NetFlow in HD (High Definition).