NetFlow

NetFlow is a feature that was introduced on Cisco routers around 1996 that provides the ability to collect IP network traffic as it enters or exits an interface.

By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination traffic, class of service, and the causes of congestion.

The IP address of the NetFlow collector and the destination UDP port must be configured on the sending router.

For efficiency reasons, the router traditionally does not keep track of flow records already exported, so if a NetFlow packet is dropped due to network congestion or packet corruption, all contained records are lost forever.

This can be a real problem, especially with NetFlow v8 or v9 that can aggregate a lot of packets or flows into a single record.

That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol (SCTP) to export packets so as to provide some protection against packet loss, and make sure that NetFlow v9 templates are received before any related record is exported.

Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays.
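The template dependency described above, as an added example that is not part of the original article: a minimal NetFlow v9 decoder in Python that caches templates per exporter source ID and cannot decode a data flowset whose template packet was lost, counting it instead. The packet builder, the chosen field set and the addresses are constructed for this demo.

```python
import socket
import struct

# NetFlow v9 field type ids (RFC 3954) for the fields this demo decodes.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

class NetFlowV9Decoder:
    """Decodes v9 export packets, caching templates per (source_id, template_id)."""
    def __init__(self):
        self.templates = {}    # (source_id, template_id) -> [(field_type, length), ...]
        self.undecodable = 0   # data flowsets seen before their template arrived

    def decode(self, pkt):
        version, _cnt, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(pkt):
            flowset_id, length = struct.unpack("!HH", pkt[off:off + 4])
            body = pkt[off + 4:off + length]
            if flowset_id == 0:                       # template flowset
                self._load_templates(source_id, body)
            elif flowset_id >= 256:                   # data flowset; id names its template
                records += self._decode_data(source_id, flowset_id, body)
            off += length
        return records

    def _load_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            template_id, n = struct.unpack("!HH", body[off:off + 4])
            fields = list(struct.iter_unpack("!HH", body[off + 4:off + 4 + 4 * n]))
            self.templates[(source_id, template_id)] = fields
            off += 4 + 4 * n

    def _decode_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:                            # template lost with an earlier UDP packet
            self.undecodable += 1
            return []
        rec_len, out, off = sum(l for _, l in fields), [], 0
        while off + rec_len <= len(body):             # trailing bytes are padding
            rec = {}
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                    socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big"))
            out.append(rec)
        return out

def v9_packet(source_id, flowsets):
    """Constructed exporter packet: v9 header followed by (flowset_id, body) pairs."""
    hdr = struct.pack("!HHIIII", 9, len(flowsets), 0, 0, 0, source_id)
    return hdr + b"".join(struct.pack("!HH", fid, 4 + len(b)) + b for fid, b in flowsets)

# Constructed sample: template 256 = src_addr, dst_addr, src_port, dst_port, protocol, in_bytes
TEMPLATE = struct.pack("!HH", 256, 6) + struct.pack("!12H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)
RECORD = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.5")
          + struct.pack("!HHBI", 40000, 53, 17, 120))
```

Feeding the data flowset before the template packet yields no records and increments the counter, which is exactly the loss the text warns about on a UDP export path.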

SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment.

Simple stateless equipment can also filter or change the destination address of NetFlow UDP packets if necessary.

NetFlow version 9 can include all of these fields and can optionally include additional information such as Multiprotocol Label Switching (MPLS) labels and IPv6 addresses and ports. By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built.

In some environments, e.g. on Internet backbones, this was too costly because of the extra processing required for each packet and the large number of simultaneous flows.

NetFlow may be the most prevalent name in the area of flow monitoring because of Cisco's dominant market share in the networking industry.

[6] Introduced with the launch of the Cisco ASA 5580 products, NetFlow Security Event Logging uses NetFlow v9 fields and templates to deliver security telemetry efficiently in high-performance environments.

NetFlow collection from dedicated probes is well suited for observation of critical links, whereas NetFlow on routers provides a network-wide view of the traffic that can be used for capacity planning, accounting, performance monitoring, and security.

[21] NetFlow switching soon turned out to be unsuitable for big routers, especially Internet backbone routers, where the number of simultaneous flows was far larger than on local networks, and where some traffic causes many short-lived flows, such as Domain Name System (DNS) requests (whose source port is random for security reasons).

NetFlow architecture using standalone probes.