This is one of those times where I had to roll up my sleeves, dig into the RFCs and actually find out for myself.
A word about the RFCs
You probably already know that IPFIX RFC 5101 and RFC 5102 are derived from the NetFlow version 9 RFC, which was written by Benoit Clais, a business friend of mine. Actually, you’ll notice that Benoit worked on the IPFIX RFCs as well. Anyway and more to the point, what makes them different? I wanted some specifics!
The chicken or the egg?
NetFlow v9 came first. IPFIX made provisions for NetFlow v9 and added support for it. This is not a tough one to figure out if you look at the RFC numbers. 😕 heh heh Anyway, IPFIX lists an overview of the “Information Element identifiers” that are specified in Section 5 of the RFC and are compatible with the “field types” used by NetFlow v9. These are basically the juicy details of information that can be exported by NetFlow. Some things you will notice right away:
- The very first ID ‘1’ NetFlow v9 calls it ‘IN_BYTES’ and IPFIX calls it ‘octetDeltaCount’. This is a big deal because if we are talking about flows, is IN_BYTES really inbound data?
- Another thing I noticed is that NetFlow v9 defines 79 ‘field types’ and IPFIX defines the same 79, but goes on up to 238! Wow.
- Many of the Reserved Information Element identifiers are actually defined in NetFlow v9 (e.g. NetFlow v9 field type 3 is defined as ‘Flows’ and in IPFIX it is ‘Reserved’). This is common when comparing the RFCs. NetFlow v9 defines field types 33, 34, 38, 39, etc with values. The same field types are all defined as ‘Reserved’ in the IPFIX RFCs. It was likely done to keep IPFIX compatible with NetFlow v9 (i.e. the chicken).
- IPFIX allows a vendor ID to be specified whereby the vendor can stick proprietary information into NetFlow and export anything they want and this isn’t limited to just SNMP information. I MEAN ANYTHING!
- IPFIX allows for variable length fields and NetFlow doesn’t. This is useful if you want to export URLs like the nBox.
- NetFlow v9 on the other hand supports Flexible NetFlow which arguably is equally as flexible as IPFIX. More on this later.
So, there you have it (i.e. some meat and potatoes). I could really dig in and blog in detail about the differences even more, but maybe I will later. At first I have to digest the above. 🙂
Oh, here is the NetFlow v9 format.
FYI: Updated blog on 9/3/2011 that is related to this topic titled IPFIX Information Elements Vs. NetFlow Elements.
Founder and CEO
For a free 30 day trial of Scrutinizer, Download Now!