Bidirectional NetFlow / IPFIX: RFC 5103

Posted in ASA, NetFlow, NetFlow Analyzer on October 24th, 2010 by
Are you looking for an application that will do your RFC 5103 collecting?  Since Scrutinizer v8 we have supported RFC 5103 via IPFIX. Depending on how the RFC 5103 exporter delivers the IPFIX datagrams, you may need to call us.  Sometimes we have to tweak our IPFIX collector to understand different implementations of the bidirectional exports.  What is IPFIX?  It is the proposed standard for Cisco NetFlow.

In short, an RFC 5103 IPFIX export delivers the octetDeltaCount for a flow in both directions. This means that a second flow does not need to be generated and exported by the exporter. See below:

[Image: RFC 5103 bidirectional NetFlow]

The octetDeltaCount is the traffic from host A to host B. The octetDeltaCount_rev is the traffic coming back from host B to host A. This is very cool and ultimately leads to fewer exports, less traffic on the network and less overhead for the IPFIX collection server.
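To make the export format concrete, here is an added example (not Scrutinizer's code and not part of the original post) of how a collector can tell the two counters apart: RFC 5103 encodes a reverse element as the same element number with the enterprise bit set and enterprise number 29305, so what the post calls octetDeltaCount_rev arrives as reverseOctetDeltaCount. The sample message is constructed, and the sketch assumes fixed-length fields and one template record per template set.

```python
import ipaddress
import struct

REVERSE_PEN = 29305  # RFC 5103: enterprise number marking a reverse-direction element
IE_NAMES = {1: "octetDeltaCount", 8: "sourceIPv4Address", 12: "destinationIPv4Address"}
# Constructed sample: message header, template 256, one biflow data record.
SAMPLE = bytes.fromhex(
    "000a0048 00000000 00000000 00000001"
    "0002001c 01000004 00080004 000c0004 00010008 80010008 00007279"
    "0100001c c000020a c6336414 00000000 000004b0 00000000 0000bb80")

def parse_template(body):
    """One template record -> (template_id, [(field_name, length), ...])."""
    tid, count = struct.unpack_from("!HH", body, 0)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", body, off)
        off, num = off + 4, ie & 0x7FFF
        name = IE_NAMES.get(num, f"ie{num}")
        if ie & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows
            pen, off = struct.unpack_from("!I", body, off)[0], off + 4
            rev = "reverse" + name[0].upper() + name[1:]
            name = rev if pen == REVERSE_PEN else f"pen{pen}:ie{num}"
        fields.append((name, length))
    return tid, fields

def decode_message(msg):
    """Decode one IPFIX message into a list of flow dicts."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    templates, flows, off = {}, [], 16  # sets start after the 16-byte header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set; this sketch reads one record per set
            templates.update([parse_template(body)])
        elif set_id in templates:  # data set described by a known template
            size = sum(n for _, n in templates[set_id])
            for pos in range(0, len(body) - size + 1, size):
                rec = {}
                for name, n in templates[set_id]:
                    raw, pos = body[pos:pos + n], pos + n
                    is_ip = name.endswith("IPv4Address")
                    rec[name] = str(ipaddress.IPv4Address(raw)) if is_ip else int.from_bytes(raw, "big")
                flows.append(rec)
        off += set_len
    return flows
```

Calling `decode_message(SAMPLE)` yields a single record carrying both byte counts, which is the one-export-per-conversation saving described above.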

The above is very different from how the Cisco ASA exports what it calls bidirectional NetFlow, which is not RFC 5103 compliant. We posted a video detailing the differences in the Cisco ASA NetFlow exports. When it comes to firewall exports of NetFlow, I’ll take it regardless of the shortcomings!

Contact our team if you need to learn more about this technology.  The early implementation of RFC 5103 is another reason why we are one of the leaders in NetFlow Analysis.

Michael Patterson
Founder and CEO
