Flow Monitoring & Traffic Analysis with NetFlow - Complete Guide

1. NetFlow Basics

Definition: NetFlow is a Cisco-developed protocol that gathers metadata about IP traffic as it enters or exits an interface. It provides deep insight into:

  • Source and destination IP addresses
  • Ports and protocols used (e.g., HTTP, DNS)
  • Traffic timestamps (start/end time)
  • Volume of data transferred

Key Benefits:

  • ✅ Bandwidth monitoring
  • ✅ Security threat detection
  • ✅ Capacity planning
  • ✅ Billing and usage-based accounting

What is a Flow?

A flow is defined as a unidirectional sequence of packets sharing common attributes.

5-Tuple (Basic Identification)

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Protocol (TCP/UDP)

7-Tuple (Extended Identification)

  • Type of Service (ToS)
  • Input Interface

Example Flow: 192.168.1.10:52000 → 8.8.8.8:53 (UDP) = DNS query
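Added example (not part of the guide): a minimal flow aggregator in Python that groups packets into unidirectional flows keyed on the 7-tuple above and expires idle flows, so the DNS request and its reply land in two separate flow records. The packet list is constructed sample data; the 15 s inactive timeout is an assumed value.

```python
from dataclasses import dataclass

# Constructed packets: (time_s, src_ip, dst_ip, src_port, dst_port, proto, tos, in_iface, bytes)
PACKETS = [
    (100.000, "192.168.1.10", "8.8.8.8", 52000, 53, "UDP", 0, "Gi0/0", 74),       # DNS query
    (100.020, "8.8.8.8", "192.168.1.10", 53, 52000, "UDP", 0, "Gi0/1", 160),      # DNS reply
    (100.500, "192.168.1.10", "93.184.216.34", 40001, 443, "TCP", 0, "Gi0/0", 60),
    (100.510, "192.168.1.10", "93.184.216.34", 40001, 443, "TCP", 0, "Gi0/0", 517),
    (101.000, "93.184.216.34", "192.168.1.10", 443, 40001, "TCP", 0, "Gi0/1", 1400),
    (140.000, "192.168.1.10", "8.8.8.8", 52000, 53, "UDP", 0, "Gi0/0", 74),       # same key, new flow
]

INACTIVE_TIMEOUT = 15.0  # assumed: flows idle longer than this are exported


@dataclass
class Flow:
    key: tuple      # (src_ip, dst_ip, src_port, dst_port, proto, tos, in_iface)
    first: float
    last: float
    packets: int = 0
    octets: int = 0


def aggregate(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Turn a packet stream into unidirectional flow records (7-tuple key)."""
    active, exported = {}, []
    for ts, sip, dip, sport, dport, proto, tos, iface, size in sorted(packets):
        # Expire flows that have been idle longer than the inactive timeout.
        for k in list(active):
            if ts - active[k].last > inactive_timeout:
                exported.append(active.pop(k))
        key = (sip, dip, sport, dport, proto, tos, iface)
        flow = active.get(key)
        if flow is None:
            flow = active[key] = Flow(key, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    exported.extend(active.values())  # flush whatever is still open at end of input
    return exported


if __name__ == "__main__":
    for f in aggregate(PACKETS):
        print(f.key, f.packets, "pkts", f.octets, "bytes")
```

The reply from 8.8.8.8 is its own flow because source and destination are swapped; the second query at t=140 is a fresh flow because the first one had already expired.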

NetFlow vs. Packet Capture

Feature    | NetFlow               | Packet Capture (Wireshark)
-----------|-----------------------|---------------------------
Data       | Flow metadata         | Full packet payload
Overhead   | Low                   | High
Use Case   | Trends, top talkers   | Protocol-level inspection

NetFlow Terminologies

Term         | Role
-------------|-----------------------------------------------------
Exporter     | Device (router/switch) generating flows
Collector    | Server receiving exported flow data
Analyzer     | Tool to visualize and report (e.g., PRTG, ntopng)
Flow Record  | Template defining the exported fields

2. NetFlow Architecture

NetFlow Versions

Version  | Key Features
---------|-----------------------------------------
v1       | Legacy, fixed fields, Cisco-only
v5       | Most used, fixed fields, IPv4 support
v9       | Template-based, supports IPv6, MPLS
IPFIX    | IETF standard derived from NetFlow v9

Data Flow:

Exporter (Router) → Collector (Server) → Analyzer (Dashboard/Alerts)
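Added example of the collector's side of that data flow (written for this page, not code from the guide or any vendor): decoding a NetFlow v5 export datagram, which has a fixed 24-byte header and 48-byte records. The datagram is built inline from constructed values; a real collector would read datagrams from a UDP socket bound to the export port.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 layout: 24-byte header, then `count` records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Decode one v5 datagram into (header dict, list of record dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a v5 datagram (version {version})")
    # Never trust the count field alone: check it against the real length first.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("count field exceeds datagram length")
    header = {"count": count, "flow_sequence": flow_seq, "uptime_ms": sys_uptime,
              # top 2 bits of the sampling field = mode, low 14 bits = interval
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "octets": r[6],
            "src_port": r[9], "dst_port": r[10], "tcp_flags": r[12],
            "proto": r[13], "tos": r[14],
        })
    return header, records


def build_sample():
    """Constructed datagram: one 1:100-sampled DNS flow 192.168.1.10:52000 -> 8.8.8.8:53."""
    rec = V5_RECORD.pack(IPv4Address("192.168.1.10").packed, IPv4Address("8.8.8.8").packed,
                         bytes(4), 1, 2, 1, 74, 1000, 1000, 52000, 53, 0, 0, 17, 0, 0, 0, 24, 8, 0)
    hdr = V5_HEADER.pack(5, 1, 123456, 1700000000, 0, 42, 0, 0, 100)
    return hdr + rec


if __name__ == "__main__":
    # A real collector would loop on sock.recvfrom() with the socket bound to UDP 2055.
    print(parse_v5(build_sample()))
```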

3. NetFlow Configuration (Cisco IOS)

Step 1: Enable NetFlow on Interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip flow ingress
! Optional: also account for outbound traffic on this interface
Router(config-if)# ip flow egress

Step 2: Define Flow Export

Router(config)# ip flow-export destination 192.168.1.100 2055
Router(config)# ip flow-export version 5
Router(config)# ip flow-export source GigabitEthernet0/0

Step 3: Verify Configuration

Router# show ip flow export
Router# show ip cache flow

4. Traffic Analysis Concepts

A. Bandwidth Usage by IP

192.168.1.10 → 45% of traffic (YouTube)
10.0.0.5 → 30% (Backup Server)

B. Protocol Breakdown

  • HTTP: 40%
  • DNS: 5%
  • Unknown port (1234): potential malware, investigate

C. Anomaly Detection

Event: DoS Attack
Symptom: Sudden 10,000 flows/sec to 203.0.113.1

5. Security & Optimization

Use NetFlow for Security

  • Detect port scans: Multiple ports targeted in rapid succession
  • Botnet traffic: Repeated connections to suspicious destinations
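Added example covering the analysis concepts in section 4 (top talkers, protocol breakdown, flow-rate anomalies) and the port-scan pattern above (code written for this page, not from the guide): simple detections run over a constructed set of flow records. Window sizes and thresholds are assumed values chosen for the sample data; production thresholds come from baselining your own network.

```python
from collections import Counter, defaultdict

# Constructed flow records: (start_s, src, dst, src_port, dst_port, proto, octets)
FLOWS = [
    (0, "192.168.1.10", "142.250.0.1", 51000, 443, 6, 900_000),
    (1, "192.168.1.10", "142.250.0.1", 51001, 443, 6, 600_000),
    (2, "10.0.0.5", "10.0.0.9", 50000, 22, 6, 700_000),
    (3, "192.168.1.20", "8.8.8.8", 52000, 53, 17, 300),
    (3, "192.168.1.20", "1.1.1.1", 52001, 53, 17, 300),
    # one host touching 30 distinct ports on one target within seconds: scan pattern
    *[(4, "192.168.1.30", "10.0.0.9", 40000 + p, p, 6, 60) for p in range(20, 50)],
    (5, "192.168.1.40", "203.0.113.50", 44444, 1234, 6, 5_000),   # unknown port
    # 40 sources hitting one target in the same second: flood pattern
    *[(6, f"198.51.100.{i}", "203.0.113.1", 30000 + i, 80, 6, 40) for i in range(1, 41)],
]

WELL_KNOWN = {80: "HTTP", 443: "HTTPS", 53: "DNS", 22: "SSH"}


def top_talkers(flows, n=3):
    """Sources ranked by share of total bytes (section 4A)."""
    total = sum(f[6] for f in flows)
    by_src = Counter()
    for f in flows:
        by_src[f[1]] += f[6]
    return [(ip, round(100 * b / total, 1)) for ip, b in by_src.most_common(n)]


def protocol_breakdown(flows):
    """Bytes per application guessed from destination port (section 4B)."""
    by_app = Counter()
    for f in flows:
        by_app[WELL_KNOWN.get(f[4], f"unknown/{f[4]}")] += f[6]
    return dict(by_app)


def port_scan_sources(flows, window=5, min_ports=20):
    """Sources that hit many distinct ports on one destination inside a window."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f[0] // window, f[1], f[2])].add(f[4])
    return sorted({src for (_, src, _), p in ports.items() if len(p) >= min_ports})


def flow_flood_targets(flows, window=1, threshold=35):
    """Destinations receiving an abnormal number of new flows per window (section 4C)."""
    per_dst = Counter((f[0] // window, f[2]) for f in flows)
    return sorted({dst for (_, dst), c in per_dst.items() if c >= threshold})
```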

Sampling (Performance Optimization)

! Illustrative only: sample 1 out of every 100 packets. The exact sampler
! syntax depends on the IOS platform and whether classic or Flexible NetFlow is used.
Router(config)# samplerate 100

SIEM Integration (Splunk Example)

index=netflow dest_ip="8.8.8.8" | stats sum(bytes) by src_ip

(Field names such as dest_ip, src_ip and bytes depend on the add-on that ingests the flow data.)

6. Comparison with Other Technologies

Protocol  | Vendor        | Key Difference
----------|---------------|-------------------------------------
sFlow     | HP, Juniper   | Sampled, not full flow records
IPFIX     | IETF          | Standardized version of NetFlow v9
J-Flow    | Juniper       | Similar to NetFlow v5

7. Practical Example

Scenario: Network slowdowns reported by users.

NetFlow shows 192.168.1.20 using 60% bandwidth.
Protocol: TCP 443 (mostly YouTube traffic).
Action: Apply QoS to throttle streaming content.

8. Troubleshooting

Issue                        | Fix
-----------------------------|-------------------------------------------------------
No flows exported            | Check that ip flow-export destination is configured
High CPU usage               | Enable sampling
Missing application details  | Use NetFlow v9 or IPFIX

9. Summary

  • NetFlow = Flow-based traffic visibility protocol.
  • ✅ Enable on router interfaces
  • ✅ Define collector IP and version
  • ✅ Analyze traffic patterns, top talkers, and anomalies
  • ✅ Use IPFIX or v9 for advanced visibility (Layer 7)

NetFlow Traffic Analysis Quiz

1. What is the primary purpose of NetFlow?

Correct answer is B. NetFlow collects and analyzes flow data to provide visibility into network usage and traffic patterns.

2. Which 5-tuple is used by NetFlow to identify a basic flow?

Correct answer is D. The 5-tuple includes source IP, destination IP, source port, destination port, and protocol.

3. What is the default UDP port used by NetFlow exporters to send flow data?

Correct answer is A. NetFlow typically uses UDP port 2055 for exporting flow data.

4. Which NetFlow version is the most commonly used with fixed fields?

Correct answer is C. NetFlow v5 is the most common version with fixed fields for flow data.

5. What Cisco IOS command enables NetFlow ingress monitoring on an interface?

Correct answer is B. "ip flow ingress" enables monitoring of inbound traffic on the interface.

6. What is a 'Top Talker' in NetFlow terminology?

Correct answer is D. 'Top Talkers' are IP addresses generating the highest traffic volume.

7. How does NetFlow help in security?

Correct answer is A. NetFlow can detect suspicious activities like port scans and botnet communication.

8. Which tool is an example of a NetFlow collector?

Correct answer is C. SolarWinds is a popular NetFlow collector and analyzer.

9. What is the advantage of using sampling in NetFlow?

Correct answer is B. Sampling reduces CPU overhead by analyzing only a subset of packets.

10. What does IPFIX stand for in relation to NetFlow?

Correct answer is D. IPFIX is the IETF standardized version of NetFlow version 9.
