NetFlow Basics

NetFlow and similar protocols are designed to deliver IP traffic information from observation points to collectors. An observation point is a location in the network where IP packets can be observed, for example an interface on a router. Packets entering an observation point are monitored by an exporter. The exporter processes packets, accumulates traffic information and periodically sends it to a NetFlow collector. The collector receives the traffic information, parses it and stores the data for later use by analytic tools. One collector can gather information from several exporters.

The exporter doesn't send information about every individual packet it observes. Instead, packets are aggregated into IP flows. Each flow accumulates data (number of packets and bytes) for packets that share certain common properties. For example, a flow usually includes the following traffic information:

  • Source IP address and port number
  • Destination IP address and port number
  • IP protocol type
  • Type of Service (ToS) value
  • SNMP indices of input and output interfaces (see ifIndex in IF-MIB)
  • Number of packets and bytes (Layer 3 octets) observed in the flow
  • Timestamps for the moments when the first and the last packets in the flow were observed
  • TCP flags
  • Routing information
  • etc.

The exporter periodically sends accumulated flow data to the collector. The flows to be sent are grouped together into export packets (datagrams). An export packet includes some basic information such as the NetFlow version, the number of flows contained within the packet, and sequence numbering. The collector parses the export packets, extracts the flow information and stores it. The traffic statistics can then be used for analysis.
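The following added example (not code from Iotellect Network Manager) shows what the collector-side parsing described above can look like. It assumes the exporter sends NetFlow version 5, whose export packet has a fixed 24-byte header and 48-byte flow records; the function names and the sample datagram are constructed for illustration. Because export packets arrive as unauthenticated datagrams, the parser rejects any packet whose length disagrees with its declared flow count, and uses the sequence numbering to measure how many flows were lost between packets.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")   # 48-byte NetFlow v5 flow record
MAX_RECORDS = 30                                      # v5 limit per export packet
FIELDS = ("src", "dst", "next_hop", "in_if", "out_if", "packets", "octets",
          "first_ms", "last_ms", "sport", "dport", "tcp_flags", "proto", "tos",
          "src_as", "dst_as", "src_mask", "dst_mask")


def parse_v5(datagram):
    """Parse one export packet into (header, flows); ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible flow count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the declared flow count")
    flows = []
    for offset in range(HEADER.size, len(datagram), RECORD.size):
        flow = dict(zip(FIELDS, RECORD.unpack_from(datagram, offset)))
        for key in ("src", "dst", "next_hop"):
            flow[key] = str(ipaddress.IPv4Address(flow[key]))
        flows.append(flow)
    return {"count": count, "sequence": seq, "unix_secs": secs}, flows


def sequence_gap(previous, current):
    """Flows missed between two consecutive packets from the same exporter."""
    expected = (previous["sequence"] + previous["count"]) & 0xFFFFFFFF
    return (current["sequence"] - expected) & 0xFFFFFFFF


def build_sample(sequence, n_flows):
    """Constructed test datagram (documentation addresses), not captured traffic."""
    addrs = [ipaddress.IPv4Address(a).packed
             for a in ("192.0.2.10", "198.51.100.20", "203.0.113.1")]
    record = RECORD.pack(*addrs, 1, 2, 10, 840, 1000, 2000, 51514, 443, 0x1B, 6, 0, 0, 0, 24, 24)
    header = HEADER.pack(5, n_flows, 5000, 1700000000, 0, sequence, 0, 0, 0)
    return header + record * n_flows


if __name__ == "__main__":
    h1, flows = parse_v5(build_sample(100, 2))
    h2, _ = parse_v5(build_sample(105, 1))
    print(flows[0], "missed flows:", sequence_gap(h1, h2))
```

A non-zero gap means flow records never reached the collector, so traffic totals for that interval undercount and should be treated as incomplete.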

Iotellect Network Manager implements a flow collector service, provides storage for NetFlow data, and offers out-of-the-box tools for network utilization analysis. Furthermore, Iotellect Network Manager lets you build custom analytics and visualization tools for your specific needs.

In Iotellect Network Manager, all traffic decomposition features are supported by the NetFlow plugin. It provides the flow collector service and facilities for processing, aggregating, analyzing and visualizing IP traffic data.
