The most surprising thing about NetFlow is that it doesn’t actually capture packets; it summarizes them into flow records.
Let’s watch NetFlow in action. Imagine a router on your network edge. It sees millions of packets every second. Capturing all of them for analysis would overwhelm any system. Instead, NetFlow’s magic is in its aggregation. It looks at packets and groups them into "flows." A flow is defined by a unique set of key fields; the classic seven are source IP address, destination IP address, source port, destination port, IP protocol number, the Type of Service (ToS) byte, and the input interface. A flow is unidirectional, so a single TCP conversation shows up as two records, one per direction. When a packet arrives that matches an existing flow, that flow’s byte and packet counters are incremented. When a packet arrives that doesn’t match any existing flow, a new flow record is created. When a flow has seen no packets for a certain period (the "inactivity timeout"), or hits one of the other expiry conditions covered below, the flow record is considered complete and exported to a NetFlow collector.
Here’s a simplified view of what a NetFlow record might look like:
{
"flow_start_time": "2023-10-27T10:00:00Z",
"flow_end_time": "2023-10-27T10:00:15Z",
"source_ip": "192.168.1.10",
"destination_ip": "8.8.8.8",
"source_port": 54321,
"destination_port": 53,
"protocol": 17, // UDP
"tos": 0,
"packets": 150,
"bytes": 12000,
"input_interface": "GigabitEthernet0/1",
"output_interface": "GigabitEthernet0/0"
}
This single record tells us that from 10:00:00 to 10:00:15 UTC, host 192.168.1.10 sent 150 UDP packets totaling 12,000 bytes to 8.8.8.8 on port 53, entering the router on GigabitEthernet0/1 and leaving on GigabitEthernet0/0. The replies from 8.8.8.8 are a separate flow, because NetFlow records are unidirectional. This is incredibly powerful. Instead of analyzing millions of individual packets, you’re analyzing thousands of aggregated flows, each representing one direction of a distinct conversation.
The problem NetFlow solves is visibility. In complex networks, understanding who is talking to whom, what applications they’re using, and how much bandwidth they’re consuming is crucial for troubleshooting, security, and capacity planning. Traditional methods like SNMP provide high-level interface statistics, but they don’t offer per-application or per-host conversation details. NetFlow bridges this gap by providing a granular, flow-based view of network traffic.
Internally, NetFlow operates in several stages:
- Flow Creation: As mentioned, the router (or switch) observes packets and creates or updates flow records based on the defined key fields.
- Flow Expiration: Flows are expired by an inactivity timeout (Cisco default: 15 seconds with no new packets), by an active timeout (Cisco default: 30 minutes; security teams usually lower it to about a minute so long-lived connections are reported while still in progress), when a TCP FIN or RST is seen, or when the flow cache fills and entries must be aged out early.
- Flow Export: Completed flow records are packaged into UDP datagrams and sent to a designated NetFlow collector. This export process itself consumes some CPU and bandwidth on the exporting device. Two caveats matter for security use. UDP export is unauthenticated and unencrypted, so anyone who can reach the collector’s port can inject forged records and anyone on the path can read real ones; keep export traffic on a management network and have the collector accept datagrams only from known exporter addresses. UDP delivery is also best-effort, so lost datagrams leave silent gaps that the collector can detect only by watching the sequence number carried in each export header. IPFIX additionally allows export over SCTP or TCP, with TLS/DTLS protection.
- Flow Collection and Analysis: The NetFlow collector receives the UDP datagrams, reassembles the flow records, stores them in a database, and provides tools for querying, reporting, and visualizing the traffic data.
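The flow creation and expiration stages above, as an added illustration that is not code from the page or from any router vendor: a small Python flow cache keyed on the seven classic fields, with inactive and active timeouts and TCP FIN/RST teardown. The packet list is constructed to reproduce the DNS record shown earlier (150 queries, 12,000 bytes) plus the reply direction and a short TCP session; the interface indexes, timestamps and timeouts are arbitrary choices for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classic seven key fields of a NetFlow flow: src IP, dst IP, src port,
# dst port, IP protocol number, ToS byte, input interface index (ifIndex).
FlowKey = Tuple[str, str, int, int, int, int, int]

TCP, UDP = 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class FlowRecord:
    key: FlowKey
    first: float          # timestamp of the first packet in the flow
    last: float           # timestamp of the most recent packet
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0    # OR of every TCP flag seen in the flow


class FlowCache:
    """Toy flow cache mirroring how an exporter aggregates and expires flows."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 60.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.cache: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, pkt: dict) -> None:
        """Fold one packet into the cache. pkt holds the key fields plus
        'ts' (seconds), 'len' (bytes) and, for TCP, 'tcp_flags'."""
        key: FlowKey = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                        pkt["proto"], pkt.get("tos", 0), pkt["ifindex"])
        self.expire(pkt["ts"])                       # age the cache first
        rec = self.cache.get(key)
        if rec is None:                              # no match: new flow record
            rec = FlowRecord(key=key, first=pkt["ts"], last=pkt["ts"])
            self.cache[key] = rec
        rec.last = pkt["ts"]                         # match: update the counters
        rec.packets += 1
        rec.bytes += pkt["len"]
        flags = pkt.get("tcp_flags", 0)
        rec.tcp_flags |= flags
        if pkt["proto"] == TCP and flags & (FIN | RST):
            self.exported.append(self.cache.pop(key))   # TCP teardown ends the flow

    def expire(self, now: float) -> List[FlowRecord]:
        """Export flows idle past the inactive timeout or older than the
        active timeout (so long sessions are still reported periodically)."""
        done = [k for k, r in self.cache.items()
                if now - r.last >= self.inactive_timeout
                or now - r.first >= self.active_timeout]
        out = [self.cache.pop(k) for k in done]
        self.exported.extend(out)
        return out


def demo_packets() -> List[dict]:
    """Constructed sample traffic (not a real capture): 150 DNS queries,
    their 150 replies, and a short TCP session, sorted by timestamp."""
    pkts = []
    for i in range(150):
        t = i * 0.1
        pkts.append(dict(ts=t, src="192.168.1.10", dst="8.8.8.8", sport=54321,
                         dport=53, proto=UDP, ifindex=1, len=80))
        pkts.append(dict(ts=t + 0.05, src="8.8.8.8", dst="192.168.1.10", sport=53,
                         dport=54321, proto=UDP, ifindex=2, len=120))
    for t, flags in ((20.0, SYN), (20.1, ACK), (20.5, FIN | ACK)):
        pkts.append(dict(ts=t, src="192.168.1.10", dst="10.0.0.5", sport=40000,
                         dport=443, proto=TCP, ifindex=1, len=60, tcp_flags=flags))
    return sorted(pkts, key=lambda p: p["ts"])


def run_demo() -> List[FlowRecord]:
    """Feed the sample packets through the cache, then let the inactive
    timer fire at t=40s. Returns every exported record."""
    cache = FlowCache(inactive_timeout=15.0, active_timeout=60.0)
    for p in demo_packets():
        cache.observe(p)
    cache.expire(now=40.0)
    return cache.exported


if __name__ == "__main__":
    for r in run_demo():
        print(f"{r.key[0]}:{r.key[2]} -> {r.key[1]}:{r.key[3]} proto={r.key[4]} "
              f"packets={r.packets} bytes={r.bytes} flags={r.tcp_flags:#04x}")
```

Run it and three records come out: the TCP flow first (exported as soon as the FIN arrives), then the DNS query flow matching the page’s record and the DNS reply flow as its own entry, since the key fields differ in each direction.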
The exact fields exported depend on the NetFlow version (v5, v9, and IPFIX are the common ones). v5 is a fixed format (a 24-byte header followed by 48-byte records) limited to IPv4, while v9 and IPFIX (the IETF standard derived from v9, RFC 7011) are template-based: the exporter first sends templates describing the record layout, then data records that follow them. That flexibility is what allows IPv6 addresses, VLAN IDs, BGP AS numbers, MAC addresses and even application IDs (with NBAR integration) to be exported.
When configuring NetFlow on a Cisco IOS router, for instance, you typically enable it globally, then specify the collector’s IP address and UDP port, and finally enable NetFlow export on the interfaces you want to monitor.
! Enable NetFlow globally
ip flow-export version 9
! Source exports from a stable, ACL-protected management address
ip flow-export source Loopback0
ip flow-export destination 192.168.100.1 2055
! Report long-lived flows every minute instead of the 30-minute default
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
! Enable NetFlow on an interface
interface GigabitEthernet0/1
 ip route-cache flow
! Or for newer IOS versions:
! ip flow ingress
! ip flow egress
The ip route-cache flow command (or ip flow ingress/ip flow egress) tells the router to track flows passing through that interface: ip flow ingress counts packets entering it and ip flow egress those leaving it, so enabling ingress on every interface already sees all transit traffic once, and adding egress on the same interfaces counts it twice. The ip flow-export destination command directs the collected flow data to your collector, and ip flow-export source pins the exporter address the collector should trust.
A key aspect of NetFlow that often surprises people is "sampled NetFlow." Because creating and exporting a record for every flow is resource-intensive on high-traffic devices, many routers support sampling. Sampling applies to packets, not flows: the device inspects only 1 packet in N (say, 1 in 100) and builds its flow records from those. This drastically reduces the overhead, but the packet and byte counts are now estimates, and the collector multiplies them by the sampling rate to approximate the real totals. Flows made up of a few packets, such as a single-packet scan probe or a short beacon, may never be sampled at all and will simply be invisible, so understanding your sampling rate is critical both for accurate accounting and for knowing which security detections you can still trust.
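To make the version and sampling discussion concrete, here is an added example (my own, not code from the page or from Cisco) that builds a NetFlow v5 datagram from constructed flow dicts and parses it back, refusing any datagram whose header count disagrees with its length and scaling the counters by the sampling interval the v5 header advertises. The sample flows, the 1-in-100 sampling value and the sequence number are constructed; treating a non-zero interval as 1-in-N packet sampling is an assumption stated in the code.

```python
import struct
from ipaddress import IPv4Address
from typing import List

# NetFlow v5 wire format (fixed layout, network byte order): a 24-byte
# header followed by up to 30 records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30

HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def build_v5(records: List[dict], sampling_interval: int = 0, seq: int = 0) -> bytes:
    """Encode flow dicts (keys as in RECORD_FIELDS, IPs as strings) into a
    v5 datagram. Used here only to construct test input."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("v5 carries at most 30 records per datagram")
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, sampling_interval)
    body = b"".join(V5_RECORD.pack(
        IPv4Address(r["srcaddr"]).packed, IPv4Address(r["dstaddr"]).packed,
        IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
        r["input"], r["output"], r["dPkts"], r["dOctets"], r["first"], r["last"],
        r["srcport"], r["dstport"], 0, r.get("tcp_flags", 0), r["prot"],
        r.get("tos", 0), 0, 0, 0, 0, 0) for r in records)
    return header + body


def parse_v5(datagram: bytes) -> dict:
    """Decode a v5 datagram, rejecting anything whose header and length
    disagree, and scale counters by the advertised sampling interval."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    hdr = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={hdr['version']})")
    expected = V5_HEADER.size + hdr["count"] * V5_RECORD.size
    if hdr["count"] > V5_MAX_RECORDS or len(datagram) != expected:
        raise ValueError("record count does not match datagram length")
    # Top two bits carry the sampling mode, the low 14 bits the interval.
    # Assumption for this example: a non-zero interval means 1-in-N packet
    # sampling, so every counter is multiplied by N to estimate real traffic.
    interval = hdr["sampling_interval"] & 0x3FFF
    scale = interval if interval > 0 else 1
    flows = []
    for i in range(hdr["count"]):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            rec[k] = str(IPv4Address(rec[k]))
        rec["est_packets"] = rec["dPkts"] * scale
        rec["est_bytes"] = rec["dOctets"] * scale
        flows.append(rec)
    return {"header": hdr, "sampling_scale": scale, "flows": flows}


# Constructed sample: the DNS flow from the text plus its reverse direction,
# exported by a device sampling 1 packet in 100 (mode bits 01, interval 100).
SAMPLE_FLOWS = [
    dict(srcaddr="192.168.1.10", dstaddr="8.8.8.8", input=1, output=2, dPkts=150,
         dOctets=12000, first=0, last=15000, srcport=54321, dstport=53, prot=17),
    dict(srcaddr="8.8.8.8", dstaddr="192.168.1.10", input=2, output=1, dPkts=150,
         dOctets=18000, first=50, last=15050, srcport=53, dstport=54321, prot=17),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS, sampling_interval=(1 << 14) | 100, seq=42)


def truncated_datagram() -> bytes:
    """Header claims two records but only one follows: a collector must
    reject this rather than read past the buffer or trust the count."""
    return SAMPLE_DATAGRAM[:V5_HEADER.size + V5_RECORD.size]


if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    print("sampling scale:", parsed["sampling_scale"])
    for f in parsed["flows"]:
        print(f"{f['srcaddr']}:{f['srcport']} -> {f['dstaddr']}:{f['dstport']} "
              f"seen={f['dPkts']} pkts, estimated={f['est_packets']} pkts")
    try:
        parse_v5(truncated_datagram())
    except ValueError as e:
        print("rejected:", e)
```

The length check is the part a collector author most often skips: the header’s count field is attacker-controlled on a plain UDP port, so it is validated against the actual datagram size before any record is unpacked. The sampling scale shows why a sampled exporter’s "150 packets" has to be read as roughly 15,000.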
The next step in understanding network traffic analysis is diving into the specifics of flow record versions and their capabilities.