NTG Anomaly Traffic Monitoring System: How It Works
NetFlow Data Exported
Earnest, Pragmatic, Dedicated, Striving for Excellence
Netflow
• Traffic Analysis and Monitoring for Network Planning
• Usage Information
• Router Feature Acceleration
• Empowers users with the ability to characterize their IP data flows
• The who, what, where, when, and how much IP traffic questions are answered
Header fields added by version
Version 5
• Flow_sequence • Engine_type • Engine_id • Sampling_interval
Version 8
• Aggregation (the aggregation method being used) • Agg_version (=2)
Version 9
• Count (number of FlowSets) • Source ID
Exported flow record (Active = 1800 s, the default active timer):

SrcIf | SrcIPadd | DstIf | DstIPadd | Protocol | TOS | Flgs | Pkts | SrcPort | SrcMsk | SrcAS | DstPort | DstMsk | DstAS | NextHop | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 11000 | 00A2 | /24 | 5 | 00A2 | /24 | 15 | 10.0.23.2 | 1528 | 1800 | 4
Netflow V1
The original format supported in the initial NetFlow releases.
Netflow V5
Adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
Netflow V8
Adds router-based aggregation schemes.
Netflow V9
Flexible, extensible export format that makes it easier to support additional fields and technologies; now covers MPLS, multicast and BGP next hop.
From/To
• Source IP Address • Destination IP Address • Source TCP/UDP Port • Destination TCP/UDP Port
Time of Day, Port Utilization, Application, QoS: see the Usage field lists below
Routing and Peering
• Next Hop Address (0) • Source AS Number (0) • Dest. AS Number (0) • Source Prefix Mask (0) • Dest. Prefix Mask (0)
Fields marked (0) are always exported as zero (V7 record).
1. Create and update flows in the NetFlow cache

SrcIf | SrcIPadd | DstIf | DstIPadd | Protocol | TOS | Flgs | Pkts | SrcPort | SrcMsk | SrcAS | DstPort | DstMsk | DstAS | NextHop | Bytes/Pkt | Active | Idle
Fa1/0 | 173.100.21.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 11000 | 00A2 | /24 | 5 | 00A2 | /24 | 15 | 10.0.23.2 | 1528 | 1745 | 4
Fa1/0 | 173.100.3.2 | Fa0/0 | 10.0.227.12 | 6 | 40 | 0 | 2491 | 15 | /26 | 196 | 15 | /24 | 15 | 10.0.23.2 | 740 | 41.5 | 1
Fa1/0 | 173.100.20.2 | Fa0/0 | 10.0.227.12 | 11 | 80 | 10 | 10000 | 00A1 | /24 | 180 | 00A1 | /24 | 15 | 10.0.23.2 | 1428 | 1145.5 | 3
Fa1/0 | 173.100.6.2 | Fa0/0 | 10.0.227.12 | 6 | 40 | 0 | 2210 | 19 | /30 | 180 | 19 | /24 | 15 | 10.0.23.2 | 1040 | 24.5 | 14
Netflow V7
Exclusively supports Cisco Catalyst 5000 series switches with a NetFlow feature card (NFFC). Not compatible with Cisco routers.
V7-only field, Routing and Peering category:
• Router_sc: address of the short-cut router (the router the switch bypasses)
Netflow V8
Router-based aggregation export; the aggregation schemes are shown under step 3 below.
Netflow Sampling
• Sampled NetFlow: GSR only
• Strongly recommended for speeds higher than OC-3
• Only used in V5 and V9
• Sampling interval range: 10 to 16382 (packets)
• Default interval is 4 billion (to protect the router from being choked by a misconfiguration)
Netflow V7 Flow Record
Usage
• Packet Count • Byte Count • Start Timestamp • End Timestamp • Input Interface Port (0) • Output Interface Port • Type of Service (1st pkt) • TCP Flags (0) • Protocol
From/To
• Source IP Address • Destination IP Address • Source TCP/UDP Port • Destination TCP/UDP Port
Routing and Peering
• Next Hop Address (0) • Source AS Number (0) • Dest. AS Number (0) • Source Prefix Mask (0) • Dest. Prefix Mask (0)
Fields marked (0) are always exported as zero in V7.
Formats
• Version 1 (V1)
• Version 5 (V5)
• Version 7 (V7)
• Version 8 (V8)
• Version 9 (V9)
• Versions 2, 3, 4 and 6 were not released
NetFlow Sequence (Router)
2. Expiration
• Inactive timer expired (15 sec is the default)
• Active timer expired (30 min, i.e. 1800 sec, is the default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP flag
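Steps 1 and 2 (create/update flows in the cache, then expire them) as an added Python example; this is illustration code, not code from the page or from the NTG system. The flow key, the two-entry cache size (chosen so the cache-full rule fires) and the packet sequence are constructed; the 15 s inactive and 1800 s active defaults are the ones on the page.

```python
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class FlowKey:
    """The seven fields a NetFlow cache keys flows on."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    tos: int
    in_if: str


@dataclass
class FlowEntry:
    first: float          # time of the first packet (Start Timestamp)
    last: float           # time of the latest packet (End Timestamp)
    pkts: int = 0
    octets: int = 0
    tcp_flags: int = 0    # cumulative OR of the TCP flags seen


class FlowCache:
    """Toy NetFlow cache. max_flows is deliberately tiny (an assumption for the
    demo) so the cache-full case shows up; the timers are the page's defaults."""

    def __init__(self, max_flows=2, inactive=15.0, active=1800.0):
        self.flows = {}
        self.max_flows, self.inactive, self.active = max_flows, inactive, active
        self.expired = []     # (key, entry, reason) in the order they were expired

    def _expire(self, key, reason):
        self.expired.append((key, self.flows.pop(key), reason))

    def packet(self, now, key, length, flags=0):
        """Step 1: create or update the flow for one forwarded packet."""
        entry = self.flows.get(key)
        if entry is None:
            if len(self.flows) >= self.max_flows:
                # cache full: expire the oldest flow (earliest start time) first
                oldest = min(self.flows, key=lambda k: self.flows[k].first)
                self._expire(oldest, "cache full")
            entry = self.flows[key] = FlowEntry(first=now, last=now)
        entry.last = now
        entry.pkts += 1
        entry.octets += length
        entry.tcp_flags |= flags
        if key.proto == 6 and flags & (TCP_FIN | TCP_RST):
            self._expire(key, "RST/FIN")      # TCP teardown ends the flow at once

    def tick(self, now):
        """Step 2: the periodic timer sweep. Inactive is checked before active."""
        for key, entry in list(self.flows.items()):
            if now - entry.last >= self.inactive:
                self._expire(key, "inactive timer")
            elif now - entry.first >= self.active:
                self._expire(key, "active timer")


def demo():
    """Constructed packet sequence using the page's addresses. Returns
    {src_ip: (expiry reason, pkts, octets, tcp_flags)} for every expired flow."""
    cache = FlowCache(max_flows=2)

    def udp(ip):
        return FlowKey(ip, "10.0.227.12", 0x00A2, 0x00A2, 17, 0x80, "Fa1/0")

    def tcp(ip):
        return FlowKey(ip, "10.0.227.12", 40000, 80, 6, 0x40, "Fa1/0")

    cache.packet(0.0, udp("173.100.21.2"), 1528)
    cache.packet(1.0, tcp("173.100.3.2"), 60, flags=TCP_SYN)
    cache.packet(2.0, tcp("173.100.3.2"), 740)
    cache.packet(2.5, tcp("173.100.3.2"), 52, flags=TCP_FIN | TCP_ACK)  # -> RST/FIN
    cache.packet(3.0, udp("173.100.20.2"), 1428)
    cache.packet(3.5, udp("173.100.6.2"), 1040)        # cache full -> 173.100.21.2 evicted
    cache.packet(10.0, udp("173.100.6.2"), 1040)
    cache.tick(20.0)                                   # 173.100.20.2 idle 17 s -> inactive timer
    cache.packet(1805.0, udp("173.100.6.2"), 1040)
    cache.tick(1805.0)                                 # 173.100.6.2 active 1801.5 s -> active timer
    return {k.src_ip: (reason, e.pkts, e.octets, e.tcp_flags)
            for k, e, reason in cache.expired}
```

The order of the checks matters for the monitoring system downstream: a long-lived flow is reported in 30-minute slices (active timer), so a sustained flood from one host appears as several records that must be stitched back together by key, while a scan of many short connections shows up as many RST/FIN or inactive-timer expirations with tiny packet counts.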
Netflow V9
An export format
• Flexible and extensible
• Still a push model
• Templates are sent regularly (configurable interval)
• Independent of the underlying transport protocol, so it is ready for any reliable protocol (e.g. TCP, SCTP)
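The template mechanism as an added Python example (illustration code, not from the page or the NTG product): a hypothetical template 256 with seven RFC 3954 fields is packed into a Template FlowSet, two constructed flows into a Data FlowSet, and a collector decodes the data only once the template for that (source ID, template ID) has been seen. The push model's consequence is visible: data that arrives before its template is undecodable and must be dropped until the next template refresh.

```python
import socket
import struct

V9_HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, package_sequence, source_id
FLOWSET_HDR = struct.Struct("!HH")     # flowset_id, length in bytes including this header
TEMPLATE_FLOWSET_ID = 0                # ids 1..255 are reserved (1 = options template); >= 256 = data
# RFC 3954 field type numbers used below (type -> name)
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr"}
IPV4_TYPES = {8, 12}

# Hypothetical template: id 256 with seven (type, length) fields, 21 bytes per record.
TEMPLATE_ID = 256
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]


def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return FLOWSET_HDR.pack(TEMPLATE_FLOWSET_ID, FLOWSET_HDR.size + len(body)) + body


def data_flowset(template_id, fields, records):
    """records are tuples in template order; IPv4 values are given as 4-byte strings."""
    body = b"".join(v if isinstance(v, bytes) else v.to_bytes(l, "big")
                    for rec in records for (t, l), v in zip(fields, rec))
    body += b"\x00" * (-len(body) % 4)           # pad the FlowSet to a 32-bit boundary
    return FLOWSET_HDR.pack(template_id, FLOWSET_HDR.size + len(body)) + body


def v9_packet(flowsets, seq, count, source_id=1):
    """count = total template + data records in the packet (RFC 3954)."""
    return V9_HEADER.pack(9, count, 0, 0, seq, source_id) + b"".join(flowsets)


class V9Collector:
    """Templates are cached per (source_id, template_id). A Data FlowSet whose
    template has not arrived yet cannot be decoded; it is counted and dropped."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def receive(self, packet):
        version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(packet)
        if version != 9:
            raise ValueError("not NetFlow v9")
        flows, off = [], V9_HEADER.size
        while off + FLOWSET_HDR.size <= len(packet):
            fs_id, length = FLOWSET_HDR.unpack_from(packet, off)
            if length < FLOWSET_HDR.size or off + length > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[off + FLOWSET_HDR.size:off + length]
            if fs_id == TEMPLATE_FLOWSET_ID:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                flows.extend(self._decode(source_id, fs_id, body))
            off += length
        return flows

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.undecodable += 1
            return []
        rec_len = sum(l for _, l in fields)
        out = []
        # at most 3 pad bytes follow the records, fewer than one 21-byte record
        for start in range(0, len(body) - rec_len + 1, rec_len):
            rec, off = {}, start
            for t, l in fields:
                raw = body[off:off + l]
                off += l
                rec[FIELD_NAMES.get(t, f"type_{t}")] = (socket.inet_ntoa(raw) if t in IPV4_TYPES
                                                         else int.from_bytes(raw, "big"))
            out.append(rec)
        return out


def demo():
    """Constructed exchange: data before its template (undecodable), the template,
    then the same data again. Returns (first_decode, second_decode, dropped_flowsets)."""
    records = [(socket.inet_aton("173.100.21.2"), socket.inet_aton("10.0.227.12"),
                0x00A2, 0x00A2, 17, 11000, 11000 * 1528),
               (socket.inet_aton("173.100.3.2"), socket.inet_aton("10.0.227.12"),
                40000, 80, 6, 2491, 2491 * 740)]
    data = data_flowset(TEMPLATE_ID, FIELDS, records)
    collector = V9Collector()
    first = collector.receive(v9_packet([data], seq=1, count=2))
    collector.receive(v9_packet([template_flowset(TEMPLATE_ID, FIELDS)], seq=2, count=1))
    second = collector.receive(v9_packet([data], seq=3, count=2))
    return first, second, collector.undecodable
```

Because the template cache is keyed by the exporter's source ID and the export is unauthenticated, a collector should accept templates and data only from exporter addresses it expects; otherwise a forged Template FlowSet can redefine how a collector interprets every subsequent Data FlowSet from that source.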
From/To
• Source IP Address • Destination IP Address • Source TCP/UDP Port • Destination TCP/UDP Port
Time of Day, Port Utilization, Application: see the Usage field lists
Routing and Peering
• Next Hop Address
3. Aggregation (optional)
e.g. under the Protocol-Port aggregation scheme the flow becomes:

Protocol | Pkts | SrcPort | DstPort | Bytes/Pkt
11 | 11000 | 00A2 | 00A2 | 1528

4. Export Version
• Non-aggregated flows: export Version 5 or 9
• Aggregated flows: export Version 8 or 9

5. Export Packet: Header + Payload (flows)
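Steps 3 and 4 (router-based aggregation and the export-version rule) as an added Python example; this is illustration code, not the page's or the NTG system's. The first four cache rows are taken from the page (octets reconstructed as Bytes/Pkt times Pkts, and the hex protocol and port values read as hex); a fifth flow from 173.100.9.2 is an assumption added so that the Protocol-Port scheme has two flows to merge.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Non-aggregated cache entry (the fields a v5 record would carry)."""
    src_ip: str
    dst_ip: str
    proto: int       # hex on the slide: 0x11 = UDP, 0x06 = TCP
    src_port: int
    dst_port: int
    pkts: int
    octets: int


# Constructed from the cache rows on the page plus one assumed extra flow.
CACHE = [
    Flow("173.100.21.2", "10.0.227.12", 0x11, 0x00A2, 0x00A2, 11000, 11000 * 1528),
    Flow("173.100.3.2",  "10.0.227.12", 0x06, 0x15, 0x15, 2491, 2491 * 740),
    Flow("173.100.20.2", "10.0.227.12", 0x11, 0x00A1, 0x00A1, 10000, 10000 * 1428),
    Flow("173.100.6.2",  "10.0.227.12", 0x06, 0x19, 0x19, 2210, 2210 * 1040),
    Flow("173.100.9.2",  "10.0.227.12", 0x11, 0x00A2, 0x00A2, 1000, 1000 * 1000),  # assumed
]


@dataclass
class AggRecord:
    flows: int = 0     # how many cache entries were folded into this record
    pkts: int = 0
    octets: int = 0


def protocol_port_key(f):
    """Protocol-Port scheme: addresses are dropped, only protocol and ports remain."""
    return (f.proto, f.src_port, f.dst_port)


def aggregate(flows, key_fn=protocol_port_key):
    """Router-based aggregation: one record per key with the counters summed."""
    table = defaultdict(AggRecord)
    for f in flows:
        rec = table[key_fn(f)]
        rec.flows += 1
        rec.pkts += f.pkts
        rec.octets += f.octets
    return dict(table)


def export_versions(aggregated):
    """Step 4 on the page: which export formats can carry the record."""
    return {8, 9} if aggregated else {5, 9}


def demo():
    """Returns (number of aggregated records, the 0x11/00A2/00A2 record, its Bytes/Pkt)."""
    agg = aggregate(CACHE)
    row = agg[(0x11, 0x00A2, 0x00A2)]
    return len(agg), row, row.octets // row.pkts
```

Note what the aggregation discards: the two UDP flows to port 0x00A2 collapse into one record with no source address at all. For an anomaly-monitoring system that is the trade-off behind "aggregated flows export Version 8": volume per protocol and port is preserved, but the host responsible for a spike can no longer be named, so the collector must receive non-aggregated (V5 or V9) records wherever attribution matters.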
Export packet layout: transport protocol (UDP) | Header | Netflow Datagram (payload of flows)
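Step 5 (the export datagram) as an added Python example, written for this page rather than taken from it or from the NTG system: the exporter side packs a v5 header and the page's exported flow record, and the collector side validates the datagram, unpacks the header fields listed earlier (flow sequence, engine type/ID, sampling interval) and uses the flow sequence to detect lost export datagrams. The interface indexes 1 and 2 for Fa1/0 and Fa0/0, the uptime and clock values, and the three-datagram sequence are constructed.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
MAX_RECORDS = 30   # a v5 datagram carries at most 30 records (24 + 30*48 = 1464 bytes)

# Constructed from the exported row on the page. ifIndex 1/2 for Fa1/0 and Fa0/0
# are assumed; the slide shows protocol, TOS, flags and ports in hex.
PAGE_FLOW = dict(src="173.100.21.2", dst="10.0.227.12", nexthop="10.0.23.2",
                 input=1, output=2, pkts=11000, octets=11000 * 1528,
                 first=0, last=1800 * 1000, srcport=0x00A2, dstport=0x00A2,
                 tcp_flags=0x10, proto=0x11, tos=0x80,
                 src_as=5, dst_as=15, src_mask=24, dst_mask=24)


def build_v5(flows, seq, uptime_ms, unix_secs, sampling_interval=0, engine=(0, 0)):
    """Pack header + records the way the exporter does. In the v5 header the
    sampling_interval field holds the sampling mode in its top 2 bits and the
    packet interval in the low 14 bits (hence the 10..16382 range)."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    mode = 1 if sampling_interval else 0
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq,
                            engine[0], engine[1], (mode << 14) | sampling_interval)
    records = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton(f["nexthop"]),
        f["input"], f["output"], f["pkts"], f["octets"], f["first"], f["last"],
        f["srcport"], f["dstport"], 0, f["tcp_flags"], f["proto"], f["tos"],
        f["src_as"], f["dst_as"], f["src_mask"], f["dst_mask"], 0) for f in flows)
    return header + records


def parse_v5(datagram):
    """Collector side: reject anything that is not a well-formed v5 datagram
    before trusting a single counter, then unpack header and records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "uptime_ms": uptime, "unix_secs": secs, "unix_nsecs": nsecs,
              "flow_sequence": seq, "engine_type": etype, "engine_id": eid,
              "sampling_mode": samp >> 14, "sampling_interval": samp & 0x3FFF}
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "nexthop": socket.inet_ntoa(r[2]), "input": r[3], "output": r[4],
                        "pkts": r[5], "octets": r[6], "first": r[7], "last": r[8],
                        "srcport": r[9], "dstport": r[10], "tcp_flags": r[12],
                        "proto": r[13], "tos": r[14], "src_as": r[15], "dst_as": r[16],
                        "src_mask": r[17], "dst_mask": r[18]})
    return header, records


def is_well_formed(datagram):
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


class SequenceTracker:
    """flow_sequence counts flows, not datagrams: the next datagram should start
    at seq + count. A positive gap is the number of flows lost in transit, the
    only loss signal a UDP-based export gives you."""

    def __init__(self):
        self.expected = None

    def observe(self, header):
        gap = 0 if self.expected is None else header["flow_sequence"] - self.expected
        self.expected = header["flow_sequence"] + header["count"]
        return gap


def demo():
    """Three one-record datagrams; the third jumps from sequence 2 to 5, so the
    collector knows three flows never arrived. Returns (header, record, gaps)."""
    tracker, gaps, last = SequenceTracker(), [], None
    for seq in (0, 1, 5):
        dgram = build_v5([PAGE_FLOW], seq, 1_800_000, 1_700_000_000, sampling_interval=100)
        header, records = parse_v5(dgram)
        gaps.append(tracker.observe(header))
        last = (header, records[0])
    return last[0], last[1], gaps
```

Two practitioner points follow from the layout. The length check matters because the count field is the only thing telling the collector how many 48-byte records follow, so a datagram whose count disagrees with its length is either truncated or crafted and must not be decoded. And since the export is plain UDP with no authentication, the sequence check detects loss, not forgery: the collector should additionally accept datagrams only from known exporter addresses.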
Netflow Versions
Netflow V1 Flow Record
Usage
• Packet Count • Byte Count • Start Timestamp • End Timestamp • Input Interface Port • Output Interface Port • Type of Service • TCP Flags (cumulative OR) • Protocol