ratesnomad.blogg.se

Netflow open source

Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector, typically a server that does the actual traffic analysis.

Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:

  • Source port for UDP or TCP, 0 for other protocols.
  • Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols.

Note that the egress interface, IP Nexthop or BGP Nexthops are not part of the key, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.

This definition of flows is also used for IPv6, and a similar definition is used for MPLS and Ethernet flows. Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.

A typical output of a NetFlow command line tool (nfdump in this case) when printing the stored flows may look as follows:

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing.

NetFlow records are traditionally exported using User Datagram Protocol (UDP) and collected using a NetFlow collector. The IP address of the NetFlow collector and the destination UDP port must be configured on the sending router. A common value is UDP port 2055, but other values like 9555 or 9995, 9025, 9026 etc. can also be used.

For efficiency reasons, the router traditionally does not keep track of flow records already exported, so if a NetFlow packet is dropped due to network congestion or packet corruption, all contained records are lost forever. UDP does not inform the router of the loss, so the router cannot send the packets again. This can be a real problem, especially with NetFlow v8 or v9, which can aggregate a lot of packets or flows into a single record. A single UDP packet loss can have a huge impact on the statistics of some flows.

That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol (SCTP) to export packets, so as to provide some protection against packet loss and to make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays.

The problem with SCTP is that it requires interaction between each NetFlow collector and each router exporting NetFlow. There may be performance limitations if a router has to deal with many NetFlow collectors, and a NetFlow collector has to deal with many routers, especially when some of them are unavailable due to failure or maintenance.

SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment. UDP allows simple replication of NetFlow packets using network taps or L2 or L3 mirroring. Simple stateless equipment can also filter or change the destination address of NetFlow UDP packets if necessary. Since NetFlow export almost exclusively uses network backbone links, packet loss will often be negligible. If it happens, it will mostly be on the link between the network and the NetFlow collectors.

All NetFlow packets begin with a version-dependent header that contains at least these fields:

  • Sequence number to detect loss and duplication.
  • Timestamps at the moment of export, as system uptime or absolute time.
  • Number of records (v5 or v8) or list of templates and records (v9).

A NetFlow record can contain a wide variety of information about the traffic in a given flow. NetFlow version 5 (one of the most commonly used versions, followed by version 9) contains the following:
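As an added example (not part of the original page or of any NetFlow tool): a collector-side check that uses the header's sequence number to notice lost or duplicated UDP export packets. It assumes the standard 24-byte NetFlow v5 header, where the sequence number counts flow records; the names `parse_v5_header`, `SequenceTracker` and `sample_packet` are hypothetical, and the sample datagrams are constructed.

```python
import struct

# NetFlow v5 export header, 24 bytes, network byte order:
# version, count, sys_uptime (ms), unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")


def parse_v5_header(datagram):
    """Return the header fields of one NetFlow v5 export packet as a dict."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime_ms, secs, _nsecs,
     seq, engine_type, engine_id, _sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet: version %d" % version)
    return {"count": count, "uptime_ms": uptime_ms, "unix_secs": secs,
            "flow_sequence": seq, "engine": (engine_type, engine_id)}


def sample_packet(seq, count):
    """Constructed datagram: a v5 header plus `count` zeroed 48-byte records."""
    header = V5_HEADER.pack(5, count, 1000, 1700000000, 0, seq, 0, 0, 0)
    return header + bytes(48 * count)


class SequenceTracker:
    """Tracks flow_sequence per (exporter address, engine) pair.

    In v5 the sequence number counts flow records, so the next packet from
    the same engine is expected to carry previous sequence + previous count.
    """

    def __init__(self):
        self.expected = {}

    def observe(self, exporter, datagram):
        """Return (verdict, missing_records) for one received packet."""
        hdr = parse_v5_header(datagram)
        key = (exporter, hdr["engine"])
        seq, expected = hdr["flow_sequence"], self.expected.get(key)
        # Distance from the expected value, modulo 2**32 to survive wrap-around.
        gap = 0 if expected is None else (seq - expected) & 0xFFFFFFFF
        if gap >= 0x80000000:  # sequence went backwards
            return ("duplicate_or_reorder", 0)
        self.expected[key] = (seq + hdr["count"]) & 0xFFFFFFFF
        if expected is None:
            return ("first", 0)
        return ("loss", gap) if gap else ("ok", 0)
```

An exporter restart resets the sequence number and shows up here as a backward jump; comparing `uptime_ms` between packets distinguishes a restart from a duplicate.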













