Editing NetFlow (section)

== Protocol description ==

[[Router (computing)|Router]]s and switches that support NetFlow can collect [[Internet Protocol|IP]] traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector—typically a server that does the actual [[traffic analysis]].

=== Network flows ===

Cisco standard NetFlow version 5 defines a ''flow'' as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:<ref>{{cite web |url=https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |url-status=dead |archive-url=https://web.archive.org/web/20170222053806/https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |archive-date=2017-02-22 |title=InterProjektWiki: NetFlow}}</ref>
# Ingress interface ([[Simple Network Management Protocol|SNMP]] ifIndex)
# Source [[IP address]]
# Destination [[IP address]]
# [[IP protocol number]]
# Source port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], 0 for other protocols
# Destination port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], type and code for [[Internet Control Message Protocol|ICMP]], or 0 for other protocols
# IP [[Type of Service]]

Note that the Egress interface, IP Nexthop or BGP Nexthops are not part of the key, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.

This definition of flows is also used for IPv6, and a similar definition is used for [[MPLS]] and [[Layer 2|Ethernet]] flows.

Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.

A typical output of a NetFlow command line tool (<code>nfdump</code> in this case) when printing the stored flows may look as follows:

  Date flow start          Duration Proto   Src IP Addr:Port      Dst IP Addr:Port     Packets    Bytes Flows
  2010-09-01 00:00:00.459     0.000 UDP     127.0.0.1:24920   ->  192.168.0.1:22126        1       46     1
  2010-09-01 00:00:00.363     0.000 UDP     192.168.0.1:22126 ->  127.0.0.1:24920          1       80     1

=== Export of records ===

The router will output a flow record when it determines that the flow is finished.  It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, [[TCP session]] termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing.

==== Packet transport protocol ====

NetFlow records are traditionally exported using User Datagram Protocol ([[User Datagram Protocol|UDP]]) and collected using a NetFlow collector. 
The IP address of the NetFlow collector and the destination UDP port must be configured on the sending router. A common value is UDP port 2055, but other values like 9555 or 9995, 9025, 9026 etc. can also be used.

For efficiency reasons, the router traditionally does not keep track of flow records already exported, so if a NetFlow packet is dropped due to [[network congestion]] or packet corruption, all contained records are lost forever. The UDP protocol does not inform the router of the loss so it can send the packets again.
This can be a real problem, especially with NetFlow v8 or v9 that can aggregate a lot of packets or flows into a single record. A single UDP packet loss can cause a huge impact on the statistics of some flows.

That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol ([[Stream Control Transmission Protocol|SCTP]]) to export packets so as to provide some protection against packet loss, and make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays.

The problem with SCTP is that it requires interaction between each NetFlow collector and each router exporting NetFlow. There may be performance limitations if a router has to deal with many NetFlow collectors, and a NetFlow collector has to deal with many routers, especially when some of them are unavailable due to failure or maintenance.

SCTP may not be efficient if NetFlow must be exported toward several independent collectors, some of which may be test servers that can go down at any moment.
UDP allows simple replication of NetFlow packets using Network taps or L2 or L3 Mirroring. Simple stateless equipment can also filter or change the destination address of NetFlow UDP packets if necessary. Since NetFlow export almost only use network backbone links, packet loss will often be negligible. If it happens, it will mostly be on the link between the network and the NetFlow collectors.

==== Packet headers ====

All NetFlow packets begin with version-dependent header, that contains at least these fields:
*Version number (v1, v5, v7, v8, v9)
*Sequence number to detect loss and duplication
*Timestamps at the moment of export, as system uptime or absolute time.
*Number of records (v5 or v8) or list of templates and records (v9)

=== Records ===

A NetFlow record can contain a wide variety of information about the traffic in a given flow.

NetFlow version 5 (one of the most commonly used versions, followed by version 9) contains the following:
*Input interface index used by [[Simple Network Management Protocol|SNMP]] (ifIndex in IF-MIB).
*Output interface index or zero if the packet is dropped.
*Timestamps for the flow start and finish time, in milliseconds since the last boot.
*Number of bytes and packets observed in the flow
*[[Network Layer|Layer 3]] headers:
**Source & destination IP addresses
**[[Internet Control Message Protocol|ICMP]] Type and Code.
**IP protocol
**[[Type of Service]] (ToS) value
*Source and destination port numbers for TCP, UDP, SCTP
*For TCP flows, the union of all TCP flags observed over the life of the flow.
*Layer 3 [[Routing]] information:
**IP address of the immediate next-hop (not the BGP nexthop) along the route to the destination
**Source & destination IP masks (prefix lengths in the [[Classless Inter-Domain Routing|CIDR]] notation)

For [[Internet Control Message Protocol|ICMP]] flows, the Source Port is zero, and the Destination Port number field codes ICMP message Type and Code (port = ICMP-Type * 256 + ICMP-Code) {{Citation needed|date=October 2022}}.

The source and destination [[autonomous system (Internet)|Autonomous System]] (AS) number fields can report the destination AS (last AS of AS-Path) or the immediate neighbor AS (first AS of AS-Path) depending on the router configuration. But the AS number will be zero if the feature is not supported, the route is unknown or not announced by BGP, or the AS is the local AS. There is no explicit way to distinguish between these cases.

NetFlow version 9 can include all of these fields and can optionally include additional information such as [[Multiprotocol Label Switching]] (MPLS) labels and [[IPv6]] addresses and ports,

By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. The NetFlow record format has evolved over time, hence the inclusion of version numbers. Cisco maintains details of the different version numbers and the layout of the packets for each version.

=== Interfaces ===

NetFlow is usually enabled on a per-interface basis to limit load on the router components involved in NetFlow, or to limit the amount of NetFlow records exported.

NetFlow usually captures all packets received by an ingress IP interface, but some NetFlow implementations use IP filters to decide if a packet can be observed by NetFlow.

Some NetFlow implementations also allow the observation of packets on the egress IP interface, but this must be used with care: all flows from any ingress interface with NetFlow enabled to any interface with NetFlow enabled could be counted twice.

=== Sampled NetFlow ===

Standard NetFlow was designed to process all IP packets on an interface.  But in some environments, e.g. on Internet backbones, that was too costly, due to the extra processing required for each packet, and large number of simultaneous flows.

So Cisco introduced sampled NetFlow on Cisco [[Cisco 12000|12000]], and that is now used in all high-end routers that implement NetFlow.

Only one packet out of ''n'' is processed, where ''n'', the sampling rate, is determined by the router configuration.

The exact selection process depends on the implementation:
* One packet every ''n'' packet, in Deterministic NetFlow, as used on Cisco's [[Cisco 12000|12000]].
* One packet randomly selected in an interval of ''n'' packet, in Random Sampled NetFlow, used on modern Cisco routers.

Some implementations have more complex methods to sample packets, like per-flow sampling on Cisco Martinez Catalysts.

The sampling rate is often the same for all interfaces, but can be adjusted per interface for some routers.
When Sampled NetFlow is used, the NetFlow records must be adjusted for the effect of sampling - traffic volumes, in particular, are now an estimate rather than the actual measured flow volume.

The sampling rate is indicated in a header field of NetFlow version 5 (same sampling rate for all interfaces) or in option records of NetFlow version 9 (sampling rate per interface)