is a Cisco standard IP traffic reporting format, summarizing network sessions in terms of endpoints, port/protocol, bytes transferred, and other data.
NetFlow is a standard network session reporting format, developed by Cisco to summarize network communications between hosts. This data generally includes:
- endpoint IP addresses, including the initiator
- IP protocol (by IANA number)
- port where applicable (generally only TCP or UDP)
- bytes transferred according to direction
and other data. (A fuller listing can be found at the Wikipedia article on NetFlow)
A NetFlow exporter (which may include a router, switch, or other device; or a software exporter sniffing local traffic) maintains a list of tracked connections by analyzing the headers of packets visible to it. NetFlow does not require deep packet inspection; by default it summarizes only IP header and protocol header information. The exporting device periodically exports information on these connections to "collector" software, usually via UDP at the default port 2055. Such a collector may receive updates from multiple exporters on a push basis, with each datagram reporting identifying information for its exporter. Each datagram can include multiple sets of NetFlow sessions.
A number of free/OSS and commercial products are available to collect and analyze NetFlow data, as well as similar data sources such as sFlow and JFlow. Such products may support storage and search, monitoring for security purposes, traffic visualizations, network-based forensic procedures, or statistical analysis. For development, flowd is an open source flow collector implementation.
There are multiple versions of NetFlow, but NetFlow 5 and NetFlow 9 are the predominant ones. NetFlow 5 is a fixed format, with the same fields in the same position for every export. NetFlow 9 has a range of optional fields, some of which are vendor-specific. In order to decode a NetFlow 9 datagram, it is necessary to match the datagram to a numbered template (templates are exported in the datagram stream periodically). Each template will contain an in-order listing of the items to be found in NetFlow records exported according to that template. The NetFlow 9 standard is described in RFC 3954.
NetFlow 9 is the basis of the IPFIX standard, and has been adapted as the basis for formats such as NSEL (NetFlow Security Event Logging). Because IPFIX is built on NetFlow 9, libipfix may be useful to NetFlow developers.
