Understanding Network Behaviour using NetFlow

20 Apr 2017

In the briefest of terms, NetFlow helps you understand who, what, where, when, and how network traffic is moving through the network. NetFlow is data generated by network devices (routers, switches, firewalls, etc.) that contains information about ‘data in motion’ in a network. The term NetFlow is often used generally to refer to this type of information, but “NetFlow” is actually proprietary to Cisco. Other vendors have their own versions, such as J-Flow from Juniper, and sFlow. There are also different versions of NetFlow. The most commonly used are v5 and v9 (which includes some additional information not available in v5). IPFIX, which is also known as NetFlow v10, was created by the IETF as a common standard to enable different vendors to work together.

NetFlow was originally developed to help network administrators get a better handle on what their network traffic looks like, and it is an important metric in an effective network security strategy. The ability to construct a timeline of events is extremely valuable for monitoring, and the speed with which an organisation can identify, diagnose, analyse, and respond to an incident will limit the damage and lower the cost of recovery from an attack.

In addition, network operations teams often use NetFlow to identify performance issues, minimising resources and reaction time to incidents, in areas such as application and network usage, network productivity and utilisation of network resources, the impact of changes to the network, network anomalies and security vulnerabilities, and long-term compliance issues.

Basic NetFlow Architecture

Now that we know the what, let’s take a look at the how. Traditionally, an IP flow is based on a set of 5 and up to 7 IP packet attributes. IP packet attributes used by NetFlow:

  IP packet attribute          Behaviour indicator

  IP source address            Source address allows the understanding of who is originating the traffic
  IP destination address       Destination address tells who is receiving the traffic
  Source & destination port    Ports characterize the application utilizing the traffic
  Layer 3 protocol type        Tallied packets and bytes show the amount of traffic
  Class of Service             Class of service examines the priority of the traffic
  Router or switch interface   The device interface tells how traffic is being utilized by the network device

All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow, and then packets and bytes are tallied. This method of fingerprinting, or determining, a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache, which is then sent to a collector (an event management (SIEM) system) to process and apply forensics to the data collected.
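The grouping described above, as an added example that is not taken from any vendor implementation: packets sharing the same seven key fields fall into one flow-cache entry, and packets, bytes and first/last-seen times are tallied per entry. The field names, the helper functions and the sample packets are assumptions constructed for illustration.

```python
from collections import namedtuple

# The seven key fields from the table above (field names are assumed for this example).
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port protocol cos input_if")

# Constructed sample packets:
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, protocol, cos, input_if, length_bytes)
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 600),
    (0.02, "192.0.2.10", "10.0.0.5", 443, 51000, 6, 0, 2, 1500),  # reply: its own flow
    (0.05, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 400),
    (0.30, "10.0.0.7", "198.51.100.53", 40000, 53, 17, 0, 1, 80),
    (1.10, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 1000),
    (1.20, "10.0.0.5", "192.0.2.10", 51000, 443, 6, 5, 1, 200),   # other CoS: new flow
]

def build_flow_cache(packets):
    """Group packets by the 7-field key; tally packets, bytes and first/last seen."""
    cache = {}
    for ts, *key_fields, length in packets:
        key = FlowKey(*key_fields)
        entry = cache.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        entry["packets"] += 1
        entry["bytes"] += length
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return cache

def export_records(cache):
    """Flatten the cache into records ordered by first-seen time (a simple timeline)."""
    records = [dict(key._asdict(), **stats) for key, stats in cache.items()]
    return sorted(records, key=lambda r: r["first"])

def bytes_by_source(cache):
    """Total bytes per source address: who is originating the traffic."""
    totals = {}
    for key, stats in cache.items():
        totals[key.src_ip] = totals.get(key.src_ip, 0) + stats["bytes"]
    return totals

if __name__ == "__main__":
    flow_cache = build_flow_cache(SAMPLE_PACKETS)
    for record in export_records(flow_cache):
        print(record)
    print(bytes_by_source(flow_cache))
```

Six packets condense into four flow records here; the reply traffic and the packet with a different class of service each get their own entry because one key field differs.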

In summary, IT and Network Managers are always under pressure to deliver mission critical applications and content. Quality of Service has become critical and the types of services being offered are only increasing. Under these circumstances, NetFlow has become a critical tool to ensure acceptable network security and application performance.




