Since NetFlow is template-based, how does a collector know one template from another? The answer is simple, Intelligent Template Recognition ™. In short, a collector receives flows with packets and uses templates to decode the information in the packets. With Intelligent Template Recognition ™ it automatically knows how to name the templates. But how does the collector know how to name the template?

 

Intelligent Template Recognition ™

A NetFlow / IPFIX template specifies element IDs and their lengths. The collector decodes these templates and looks for the template name in it’s table of pre-named templates. If an exact match is not found Intelligent Template Recognition ™ is used to name the template. For a detailed analysis on the difference between NetFlow and IPFIX information elements you can read Mike’s blog, it’s riveting!

 

Medianet NetFlow Template

When the collector does not have a matching pre-defined template definition, Intelligent  Template Recognition™ is used.  “Cisco: Medianet Custom Flows”  is an excellent example of that.

 

The collector identified that this template contains at least one element ID unique to Cisco Medianet exports. Therefore “Cisco: Medianet” is chosen as the first part.  The template also contains a basic flow 5-tuple (source IP, source port, protocol, destination port, destination IP) along with a byte counter, so it was labeled “Flows”.  The word “Custom” tells us that this was not a pre-defined description.

SonicWALL IPFIX Templates

SonicWALL is a great example of a vendor who takes matters into their own hands. They export IPFIX templates with information that is not normally found in standard v9 templates.

I love how Cisco coins NetFlow version 9 as “future-proofed” due to it’s flexibility. When a vendor wants to export new information through NetFlow or IPFIX they don’t have to reinvent the technology. They just add new element strings to a template to decode the new information. The job of a great NetFlow collector is to constantly work with vendors to bring you the latest information available in NetFlow.

If you have any other questions, please don’t hesitate to contact us.

Jamie Lee author pic

Jamie Lee

Jamie Lee is the west coast Regional Manager at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long-lasting relationships with his clients. Jamie loves the outdoors and his favorite hobbies include fishing, hiking, and football.

Related

Big Data

Sankey Flow Graph

Posted on - by Jeff Morrison

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply