Editing NetFlow (section)

=== Network flows ===

Cisco standard NetFlow version 5 defines a ''flow'' as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:<ref>{{cite web |url=https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |url-status=dead |archive-url=https://web.archive.org/web/20170222053806/https://pliki.ip-sa.pl/wiki/Wiki.jsp?page=NetFlow |archive-date=2017-02-22 |title=InterProjektWiki: NetFlow}}</ref>
# Ingress interface ([[Simple Network Management Protocol|SNMP]] ifIndex)
# Source [[IP address]]
# Destination [[IP address]]
# [[IP protocol number]]
# Source port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], 0 for other protocols
# Destination port for [[User Datagram Protocol|UDP]] or [[Transmission Control Protocol|TCP]], type and code for [[Internet Control Message Protocol|ICMP]], or 0 for other protocols
# IP [[Type of Service]]

Note that the Egress interface, IP Nexthop or BGP Nexthops are not part of the key, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.

This definition of flows is also used for IPv6, and a similar definition is used for [[MPLS]] and [[Layer 2|Ethernet]] flows.

Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.

A typical output of a NetFlow command line tool (<code>nfdump</code> in this case) when printing the stored flows may look as follows:

  Date flow start          Duration Proto   Src IP Addr:Port      Dst IP Addr:Port     Packets    Bytes Flows
  2010-09-01 00:00:00.459     0.000 UDP     127.0.0.1:24920   ->  192.168.0.1:22126        1       46     1
  2010-09-01 00:00:00.363     0.000 UDP     192.168.0.1:22126 ->  127.0.0.1:24920          1       80     1