Flow Monitoring & Traffic Analysis with NetFlow - Complete Guide

1. NetFlow Basics

Definition: NetFlow is a Cisco-developed protocol that gathers metadata about IP traffic as it enters or exits an interface. It provides deep insight into:

  • Source and destination IP addresses
  • Ports and protocols used (e.g., HTTP, DNS)
  • Traffic timestamps (start/end time)
  • Volume of data transferred

Key Benefits:

  • ✅ Bandwidth monitoring
  • ✅ Security threat detection
  • ✅ Capacity planning
  • ✅ Billing and usage-based accounting

What is a Flow?

A flow is a unidirectional sequence of packets that share the same key attributes (the tuple fields listed below). Because flows are unidirectional, the reply direction of a TCP or UDP exchange is recorded as a separate flow.

5-Tuple (Basic Identification)

  • Source IP
  • Destination IP
  • Source Port
  • Destination Port
  • Protocol (TCP/UDP)

7-Tuple (Extended Identification)

The 5-tuple above plus:

  • Type of Service (ToS)
  • Input Interface

Example Flow: 192.168.1.10:52000 → 8.8.8.8:53 (UDP) = DNS query
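The aggregation step described above, as an added example in Python (not code from the original guide): a constructed packet trace is grouped into unidirectional flow records keyed by the 5-tuple, the way a NetFlow cache does it, including the inactive timeout that splits one 5-tuple into two records when it goes idle. The packet trace, the 15 s timeout default and the `describe` helper are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key: the 5-tuple (src_ip, dst_ip, src_port, dst_port, IP protocol number)
FlowKey = Tuple[str, str, int, int, int]
PROTO_NAMES = {6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    key: FlowKey
    first: float          # timestamp of the first packet, seconds
    last: float           # timestamp of the most recent packet, seconds
    packets: int = 0
    octets: int = 0

    def add(self, ts: float, size: int) -> None:
        self.last = ts
        self.packets += 1
        self.octets += size


# Constructed packet trace: (timestamp, src_ip, dst_ip, src_port, dst_port, proto, bytes)
SAMPLE_PACKETS = [
    (0.000, "192.168.1.10", "8.8.8.8", 52000, 53, 17, 72),        # DNS query
    (0.020, "8.8.8.8", "192.168.1.10", 53, 52000, 17, 120),       # DNS reply: reverse direction
    (1.000, "192.168.1.10", "93.184.216.34", 40001, 443, 6, 60),  # TLS session, three packets
    (1.100, "192.168.1.10", "93.184.216.34", 40001, 443, 6, 1500),
    (1.200, "192.168.1.10", "93.184.216.34", 40001, 443, 6, 1500),
    (40.000, "192.168.1.10", "8.8.8.8", 52000, 53, 17, 80),       # same 5-tuple after the idle timeout
]


def build_flows(packets, inactive_timeout: float = 15.0) -> List[FlowRecord]:
    """Aggregate a time-ordered packet trace into unidirectional flow records.

    Mirrors a NetFlow cache: a packet whose 5-tuple matches an active entry
    extends it; if that entry has been idle longer than inactive_timeout
    (Cisco's default inactive timeout is 15 s) it is expired first and a
    fresh flow record is started for the new packet.
    """
    active: Dict[FlowKey, FlowRecord] = {}
    expired: List[FlowRecord] = []
    for ts, src, dst, sport, dport, proto, size in packets:
        key: FlowKey = (src, dst, sport, dport, proto)
        rec = active.get(key)
        if rec is not None and ts - rec.last > inactive_timeout:
            expired.append(active.pop(key))   # export the stale record
            rec = None
        if rec is None:
            rec = FlowRecord(key, first=ts, last=ts)
            active[key] = rec
        rec.add(ts, size)
    # End of trace: flush whatever is still in the cache
    return expired + list(active.values())


def describe(flow: FlowRecord) -> str:
    """Render a flow the way the page's example does: src:port -> dst:port (proto)."""
    src, dst, sport, dport, proto = flow.key
    name = PROTO_NAMES.get(proto, str(proto))
    return (f"{src}:{sport} -> {dst}:{dport} ({name}) packets={flow.packets} "
            f"bytes={flow.octets} duration={flow.last - flow.first:.3f}s")


if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(describe(f))
```

Running it yields four records from six packets: the DNS query, the DNS reply as its own flow, one TCP flow of three packets, and a second DNS flow because the last query arrived 40 s after the first. Raising `inactive_timeout` to 60 merges the two DNS queries into one record, which is why the same traffic can look different on two exporters with different cache timeouts.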

NetFlow vs. Packet Capture

Feature     NetFlow              Packet Capture (Wireshark)
Data        Flow metadata        Full packet payload
Overhead    Low                  High
Use Case    Trends, top talkers  Protocol-level inspection

NetFlow Terminologies

Term         Role
Exporter     Device (router/switch) generating flows
Collector    Server receiving exported flow data
Analyzer     Tool to visualize and report (e.g., PRTG, ntopng)
Flow Record  Template defining exported fields

2. NetFlow Architecture

NetFlow Versions

Version  Key Features
v1       Legacy, fixed fields, Cisco-only
v5       Most widely deployed; fixed fields, IPv4 only
v9       Template-based, supports IPv6, MPLS
IPFIX    IETF standard derived from NetFlow v9

Data Flow:

Exporter (Router) → Collector (Server) → Analyzer (Dashboard/Alerts)
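The collector end of this data flow, as an added example in Python (not part of the original guide): a parser for the fixed NetFlow v5 export format (24-byte header, up to 30 fixed 48-byte records, big-endian) that rejects truncated, non-v5 or inconsistently sized datagrams instead of mis-reading record boundaries, and decodes the sampling field whose low 14 bits hold the 1-in-N sampling interval. The sample datagram is constructed here, not captured from a router, and `run_collector` is a minimal hypothetical collector loop on the export port used later in this guide.

```python
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 datagram: 24-byte header, then `count` fixed 48-byte flow records
# (at most 30 per datagram); every field is big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_V5_RECORDS = 30


@dataclass
class V5Header:
    version: int
    count: int
    sys_uptime_ms: int
    unix_secs: int
    unix_nsecs: int
    flow_sequence: int       # running total of exported flows; a gap means lost datagrams
    engine_type: int
    engine_id: int
    sampling_mode: int       # top 2 bits of the sampling field
    sampling_interval: int   # low 14 bits: 1 in N packets sampled, 0 when unsampled


@dataclass
class V5Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    first_ms: int            # SysUptime (ms) at the first and last packet of the flow
    last_ms: int
    tcp_flags: int           # OR of every TCP flag seen in the flow
    input_if: int            # SNMP ifIndex the flow entered on (the 7th tuple field)
    tos: int


def parse_v5(datagram: bytes) -> Tuple[V5Header, List[V5Flow]]:
    """Parse one v5 export datagram; raise ValueError rather than mis-parse anything
    truncated, non-v5 or inconsistent with its own record count."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    (version, count, uptime, secs, nsecs, seq,
     etype, eid, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_V5_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} does not fit {count} records ({expected} bytes)")
    header = V5Header(version, count, uptime, secs, nsecs, seq, etype, eid,
                      sampling >> 14, sampling & 0x3FFF)
    flows: List[V5Flow] = []
    for i in range(count):
        (src, dst, _nexthop, inp, _out, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(V5Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                            proto, pkts, octs, first, last, flags, inp, tos))
    return header, flows


def is_well_formed(datagram: bytes) -> bool:
    """True when parse_v5 accepts the datagram; a collector drops everything else."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_datagram() -> bytes:
    """Constructed datagram (not a real capture): one record for the page's example
    flow 192.168.1.10:52000 -> 8.8.8.8:53 UDP, from a router sampling 1 in 100 packets."""
    header = V5_HEADER.pack(5, 1, 123_456, 1_700_000_000, 0, 42, 0, 0, (1 << 14) | 100)
    record = V5_RECORD.pack(socket.inet_aton("192.168.1.10"), socket.inet_aton("8.8.8.8"),
                            socket.inet_aton("0.0.0.0"), 1, 2, 1, 72, 123_000, 123_000,
                            52000, 53, 0, 0, 17, 0, 0, 0, 24, 0, 0)
    return header + record


def run_collector(bind_addr: str = "0.0.0.0", port: int = 2055) -> None:
    """Minimal collector loop on the export port used in the page's configuration."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (exporter, _) = sock.recvfrom(65535)
        if not is_well_formed(data):
            print(f"dropped malformed datagram from {exporter}")
            continue
        header, flows = parse_v5(data)
        for f in flows:
            print(f"{exporter} seq={header.flow_sequence} {f.src_ip}:{f.src_port} -> "
                  f"{f.dst_ip}:{f.dst_port} proto={f.protocol} bytes={f.octets}")
```

Two things a collector operator gets from the header alone: `flow_sequence` should increase by `count` from one datagram to the next, so a jump reveals export loss on the UDP path, and `sampling_interval` tells the analyzer by how much to scale byte and packet counts before reporting bandwidth.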

3. NetFlow Configuration (Cisco IOS)

Step 1: Enable NetFlow on Interfaces

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip flow ingress
! Optional: also account for traffic leaving this interface
Router(config-if)# ip flow egress

Step 2: Define Flow Export

Router(config)# ip flow-export destination 192.168.1.100 2055
Router(config)# ip flow-export version 5
Router(config)# ip flow-export source GigabitEthernet0/0

Step 3: Verify Configuration

Router# show ip flow export
Router# show ip cache flow

4. Traffic Analysis Concepts

A. Bandwidth Usage by IP

192.168.1.10 → 45% of traffic (YouTube)
10.0.0.5 → 30% (Backup Server)

B. Protocol Breakdown

  • HTTP: 40%
  • DNS: 5%
  • Unknown Port: 1234 → Potential Malware

C. Anomaly Detection

Event: DoS Attack
Symptom: Sudden 10,000 flows/sec to 203.0.113.1

5. Security & Optimization

Use NetFlow for Security

  • Detect port scans: Multiple ports targeted in rapid succession
  • Botnet traffic: Repeated connections to suspicious destinations
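The analyses of Section 4 and the two detections listed above, as an added example in Python that is not code from the original guide: top talkers by byte share, an application breakdown by destination port that flags unexpected ports, a flows-per-second spike toward one destination, and a source touching many distinct ports on one host. The flow records are constructed inline and the thresholds (1,000 flows per second, 20 distinct ports in 10 s) are assumptions chosen for the sample, not recommended production values.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    start: float      # flow start, seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int        # 6 = TCP, 17 = UDP
    octets: int


# Well-known destination ports used to label applications; anything else is
# reported as unknown/<port> so an unexpected service stands out.
PORT_NAMES = {53: "DNS", 80: "HTTP", 443: "HTTPS"}


def bandwidth_share(flows: List[Flow], top: int = 5) -> Dict[str, float]:
    """Percent of all bytes sent by each source IP, largest first (top talkers)."""
    per_src: Counter = Counter()
    for f in flows:
        per_src[f.src_ip] += f.octets
    total = sum(per_src.values())
    return {ip: round(100 * b / total, 1) for ip, b in per_src.most_common(top)}


def protocol_breakdown(flows: List[Flow], top: int = 5) -> Dict[str, float]:
    """Percent of all bytes per application, keyed by destination port name."""
    per_app: Counter = Counter()
    for f in flows:
        per_app[PORT_NAMES.get(f.dst_port, f"unknown/{f.dst_port}")] += f.octets
    total = sum(per_app.values())
    return {app: round(100 * b / total, 1) for app, b in per_app.most_common(top)}


def flood_destinations(flows: List[Flow], threshold: int, window: float = 1.0) -> Dict[str, int]:
    """Destinations that receive more than `threshold` new flows in any one window
    (the page's DoS symptom); returns the peak flows-per-window per destination."""
    per_bucket: Counter = Counter()
    for f in flows:
        per_bucket[(f.dst_ip, int(f.start // window))] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (dst, _bucket), n in per_bucket.items():
        peak[dst] = max(peak[dst], n)
    return {dst: n for dst, n in peak.items() if n > threshold}


def port_scanners(flows: List[Flow], min_ports: int, window: float = 10.0) -> Dict[str, int]:
    """Sources that touch at least `min_ports` distinct ports on a single host within
    one window (the page's port-scan symptom); returns the distinct-port count."""
    ports: Dict[tuple, set] = defaultdict(set)
    for f in flows:
        ports[(f.src_ip, f.dst_ip, int(f.start // window))].add(f.dst_port)
    hits: Dict[str, int] = defaultdict(int)
    for (src, _dst, _bucket), seen in ports.items():
        hits[src] = max(hits[src], len(seen))
    return {src: n for src, n in hits.items() if n >= min_ports}


def sample_flows() -> List[Flow]:
    """Constructed flow records (not exported by a real router): normal web and DNS
    traffic, one host talking to an unexpected port 1234, a 10,000-flow burst at
    203.0.113.1 inside one second, and one host sweeping ports 1-100 on a server."""
    flows = [
        Flow(0.0, "192.168.1.10", "93.184.216.34", 40001, 443, 6, 4_000_000),
        Flow(0.5, "10.0.0.5", "10.0.0.50", 40002, 443, 6, 3_000_000),
        Flow(1.0, "192.168.1.10", "8.8.8.8", 52000, 53, 17, 20_000),
        Flow(1.5, "192.168.1.77", "198.51.100.9", 40003, 1234, 6, 2_000_000),
    ]
    flows += [Flow(100.0 + i / 10_000, f"198.51.100.{i % 250}", "203.0.113.1",
                   1024 + i % 60_000, 80, 6, 60) for i in range(10_000)]
    flows += [Flow(200.0 + p / 50, "10.0.0.99", "10.0.0.50", 50_000 + p, p, 6, 60)
              for p in range(1, 101)]
    return flows


if __name__ == "__main__":
    data = sample_flows()
    print("top talkers:", bandwidth_share(data))
    print("applications:", protocol_breakdown(data))
    print("flood targets:", flood_destinations(data, threshold=1_000))
    print("port scanners:", port_scanners(data, min_ports=20))
```

Note that the flood and the scan barely register in the byte-based views (each of those flows is 60 bytes), which is why flow counts and distinct-port counts are tracked separately from bandwidth: the two anomalies are visible only in the flow-rate metrics, and the Splunk `stats sum(bytes) by src_ip` query shown later in this guide would not surface them on its own.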

Sampling (Performance Optimization)

Router(config)# ip flow-sampling-mode packet-interval 100
! Sampled NetFlow: account for 1 out of every 100 packets

SIEM Integration (Splunk Example)

index=netflow dest_ip="8.8.8.8" | stats sum(bytes) by src_ip

6. Comparison with Other Technologies

Protocol  Vendor       Key Difference
sFlow     HP, Juniper  Sampled, not full flow records
IPFIX     IETF         Standardized version of NetFlow v9
J-Flow    Juniper      Similar to NetFlow v5

7. Practical Example

Scenario: Network slowdowns reported by users.

NetFlow shows 192.168.1.20 using 60% bandwidth.
Protocol: TCP 443 (mostly YouTube traffic).
Action: Apply QoS to throttle streaming content.

8. Troubleshooting

Issue                        Fix
No flows exported            Check if ip flow-export destination is configured
High CPU usage               Enable sampling
Missing application details  Use NetFlow v9 or IPFIX

9. Summary

  • NetFlow = Flow-based traffic visibility protocol.
  • ✅ Enable on router interfaces
  • ✅ Define collector IP and version
  • ✅ Analyze traffic patterns, top talkers, and anomalies
  • ✅ Use IPFIX or v9 for advanced visibility (Layer 7)

NetFlow Traffic Analysis Quiz

1. What is the primary purpose of NetFlow?

Correct answer is B. NetFlow collects and analyzes flow data to provide visibility into network usage and traffic patterns.

2. Which 5-tuple is used by NetFlow to identify a basic flow?

Correct answer is D. The 5-tuple includes source IP, destination IP, source port, destination port, and protocol.

3. What is the default UDP port used by NetFlow exporters to send flow data?

Correct answer is A. NetFlow typically uses UDP port 2055 for exporting flow data.

4. Which NetFlow version is the most commonly used with fixed fields?

Correct answer is C. NetFlow v5 is the most common version with fixed fields for flow data.

5. What Cisco IOS command enables NetFlow ingress monitoring on an interface?

Correct answer is B. "ip flow ingress" enables monitoring of inbound traffic on the interface.

6. What is a 'Top Talker' in NetFlow terminology?

Correct answer is D. 'Top Talkers' are IP addresses generating the highest traffic volume.

7. How does NetFlow help in security?

Correct answer is A. NetFlow can detect suspicious activities like port scans and botnet communication.

8. Which tool is an example of a NetFlow collector?

Correct answer is C. SolarWinds is a popular NetFlow collector and analyzer.

9. What is the advantage of using sampling in NetFlow?

Correct answer is B. Sampling reduces CPU overhead by analyzing only a subset of packets.

10. What does IPFIX stand for in relation to NetFlow?

Correct answer is D. IPFIX is the IETF standardized version of NetFlow version 9.
