Questions tagged [netflow]

NetFlow is a Cisco standard IP traffic reporting format, summarizing network sessions in terms of endpoints, port/protocol, bytes transferred, and other data.

NetFlow is a standard network session reporting format, developed by Cisco to summarize network communications between hosts. This data generally includes:

  • endpoint IP addresses, including the initiator
  • IP protocol (by IANA number)
  • port where applicable (generally only TCP or UDP)
  • bytes transferred according to direction

and other data (a fuller listing can be found in the Wikipedia article on NetFlow).

A NetFlow exporter (which may include a router, switch, or other device; or a software exporter sniffing local traffic) maintains a list of tracked connections by analyzing the headers of packets visible to it. NetFlow does not require deep packet inspection; by default it summarizes only IP header and protocol header information. The exporting device periodically exports information on these connections to "collector" software, usually via UDP at the default port 2055. Such a collector may receive updates from multiple exporters on a push basis, with each datagram reporting identifying information for its exporter. Each datagram can include multiple sets of NetFlow sessions.

A number of free/OSS and commercial products are available to collect and analyze NetFlow data, as well as similar data sources such as sFlow and JFlow. Such products may support storage and search, monitoring for security purposes, traffic visualizations, network-based forensic procedures, or statistical analysis. For development, flowd is an open source flow collector implementation.

There are multiple versions of NetFlow, but NetFlow 5 and NetFlow 9 are the predominant ones. NetFlow 5 is a fixed format, with the same fields in the same position for every export. NetFlow 9 has a range of optional fields, some of which are vendor-specific. In order to decode a NetFlow 9 datagram, it is necessary to match the datagram to a numbered template (templates are exported in the datagram stream periodically). Each template will contain an in-order listing of the items to be found in NetFlow records exported according to that template. The NetFlow 9 standard is described in RFC 3954.

NetFlow 9 is the basis of the IPFIX standard, and has been adapted as the basis for formats such as NSEL (NetFlow Security Event Logging). Because IPFIX is built on NetFlow 9, libipfix may be useful to NetFlow developers.
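As an added example (not part of the tag wiki), here is a small Python decoder for the NetFlow 5 fixed format described above: a 24-byte header followed by 48-byte records. It bounds the record count by the bytes actually received, since a collector accepts these datagrams over UDP from any sender, and it converts the sysUpTime-relative first/last timestamps into absolute epoch time. Field names are our own and the sample datagram is constructed, not captured traffic.

```python
import socket
import struct

# NetFlow v5 fixed layout: 24-byte header, then up to 30 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Decode one v5 datagram into (header dict, list of record dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     _engine_type, engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # Never trust 'count' from the wire: bound it by the bytes actually received.
    if count > 30 or HEADER.size + count * RECORD.size > len(datagram):
        raise ValueError("record count %d exceeds datagram length" % count)
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_seq,
              "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # first/last (f[7], f[8]) are router sysUpTime in ms; anchor them to
        # the header's wall-clock time to get an absolute flow start.
        start = unix_secs - (sys_uptime - f[7]) / 1000.0
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "octets": f[6],
            "start": start, "duration_s": (f[8] - f[7]) / 1000.0,
            "sport": f[9], "dport": f[10], "tcp_flags": f[12],
            "proto": f[13], "tos": f[14],
        })
    return header, records


def build_sample():
    """Constructed datagram (not captured traffic): one HTTPS flow, 5 s long."""
    hdr = HEADER.pack(5, 1, 600000, 1400000000, 0, 42, 0, 1, 0)
    rec = RECORD.pack(socket.inet_aton("10.0.0.5"), socket.inet_aton("192.0.2.10"),
                      socket.inet_aton("10.0.0.1"), 2, 3, 12, 4096,
                      540000, 545000, 51234, 443, 0, 0x13, 6, 0, 0, 0, 24, 24, 0)
    return hdr + rec
```

Feeding `parse_v5` the payload of each UDP datagram received on port 2055 yields one record dict per flow; the same length check is what keeps a truncated or hostile datagram from being read past its end.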

101 questions
0 votes, 0 answers

C# - Listening to Netflow Routers

I have created a simple UDP Listener console application using C# in order to capture data packets sent from a Netflow v5 router. I have used this Netflow simulator (http://sourceforge.net/projects/netflowsim/) for my application testing. The…
Thanushka
0 votes, 1 answer

NetFlow v5 - exporting flow records missing fields

I am implementing my own NetFlow v5 offline exporter and I am struggling with a couple of fields there: 8-11 nexthop IP address of next hop router 12-13 input SNMP index of input interface 14-15 output SNMP index of output interface - no idea what…
Petr
0 votes, 0 answers

Best way to speed up the process of creating dictionaries when dealing with a large amount of netflow data in a .json file in Python?

I'm currently working on sorting netflow data in a json file based on end time. I'm placing all of this data into dictionaries in which keys are the end time (but only the hour and minute, so that multiple data values fall under one time). However,…
Ria
0 votes, 3 answers

Netflow column manipulation bash

I have a netflow output in which certain lines are showing 'M' after bytes: 2014-05-10 14:26:49.231 10.335 UDP 114.31.254.227:24874 -> 56.213.85.253:13617 9 1139 1 2014-05-10 14:26:59.494 0.222 UDP …
user3770935
0 votes, 1 answer

How to retrieve information from Netflow to be processed by my web application?

I have been given a project to create a web application which presents traffic information to clients. It is to be used with Cisco equipment which has Netflow installed. I have a lot of experience with web development, so no problems there (yet!),…
Neurion
0 votes, 2 answers

Reading Netflow Packet Content using MySQL

I'm developing software that captures every UDP packet that passes through my firewall (a 5.4 OpenBSD virtual machine) from a virtual machine that I have and saves the packet in a MySQL database. My code is basically: try { DatagramSocket serverSocket =…
Ganso
0 votes, 1 answer

Confusion regarding Netflow data

I am collecting data from netflow using nfcapd. Also, we are monitoring all the devices for In traffic and Out traffic. I am confused as in which data is sent to me by netflow. For example, In a 5 mins span, I receive netflow data which give…
unbesiegbar
0 votes, 1 answer

Data structure to keep aggregated netflow data

Is there any standard way to keep netflow data (aggregated by ports and destination IP, distinguished by source IP)? Data input: netflow data (source IP, timestamp, octets), updates are very often Request input: IP, range (two timestamps) Request output:…
George Shuklin
0 votes, 0 answers

Can't retrieve correct time and date from netflow records.

I used jflow-0.3[1] to collect and decode netflow records which I receive from a router. nettrack.net.netflow.Flow.java class contains the code for decoding necessary data from records received. I called getFirst() function of it which returns "The…
Chamila Wijayarathna
0 votes, 1 answer

SQL add up rows in a column

I'm running SQL queries in Orion Report Writer for Solarwinds Netflow Traffic Analyzer and am trying to add up data usage for specific conversations coming from the same general sources. In this case it is netflix. I've made some progress with my…
mateikav
0 votes, 1 answer

How can I recognize different applications in NetFlow dumps?

I try to discover what kind of applications work in my network (e.g. Facebook, Youtube, Twitter etc.). Unfortunately I can't do Deep Packet Inspection; all I have are NetFlow traces. I was thinking about resolving ip addresses using DNS…
kozooh
0 votes, 1 answer

Usage of "time" as a rowkey in Cassandra for storing network packets

I am trying to store netflow packets that I receive from a netflow probe into Cassandra. I want to store each packet in a separate row for efficiency purposes. Can someone suggest a rowkey that I can use that has enough precision for storing netflow…
bnsk
0 votes, 1 answer

NBAD, Netflow on layer 7

I'm developing Network Behavior Anomaly Detection and I'm using Cisco protocol NetFlow for collecting traffic information. I want to collect information about layer 7 of ISO OSI Reference Model, especially https protocol. What is the best way to…
akuzma
0 votes, 1 answer

How to calculate bandwidth requirements based upon flows per minute (fpm)?

I want to know how one can calculate bandwidth requirements based upon flows and vice versa. Meaning if I had to achieve a total of 50,000 netflows, what is the bandwidth requirement to produce this number? Is there a formula for this? I'm using this to…
iloveyouga
0 votes, 2 answers

facing /usr/lib/libpcap.so: undefined reference to `pcap_lex' while running make command nprobe

I am trying to install nprobe on my system when I followed the following steps git clone https://github.com/xrl/nprobe.git sudo apt-get install libpcap-dev cd nprobe/plugsins ./buildMakefile.sh >Makefile.in cd .. ./autogen.sh ./configure …
Shoaib Ahmed