NetFlow Overview

NetFlow is a network protocol developed by Cisco that allows network engineers to collect and analyze network traffic data in real time. NetFlow provides detailed information about network traffic, such as the source and destination IP addresses, the type of traffic, the amount of data transmitted, and the time of transmission.

NetFlow works by collecting flow data from network devices, such as routers and switches. A flow is a unidirectional sequence of packets that share seven parameters (key fields):

  • Source IP address
  • Destination IP address
  • Source port 
  • Destination port
  • Layer 3 protocol type
  • Type of Service (ToS)
  • Input interface

If even one key field of a packet differs from that of another packet, the two packets are considered to belong to different flows. NetFlow-enabled devices use flow information to generate NetFlow records, which are sent to a central NetFlow collector for analysis.

The NetFlow collector aggregates the data from multiple NetFlow-enabled devices and provides a comprehensive view of the network traffic. Because NetFlow analysis can help network engineers to identify bandwidth utilization, monitor network performance, detect security threats, and optimize network configuration, it is widely used in enterprises.

Figure: NetFlow creates two traffic flows because of the different values used in the key fields.

As you can see in the image above, the NetFlow-enabled router creates two different traffic flows because the source and destination ports are different in the two communication sessions between the computer and the server.
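The flow-keying rule described above, as an added example that is not part of the original page: a minimal flow cache that groups packets by the seven key fields and accumulates per-flow counters. The addresses, ports, interface names and the `FlowKey`/`FlowRecord`/`build_flow_cache` names are constructed for illustration, and the sample also includes a reply packet to show that the return direction is a separate flow.

```python
from collections import namedtuple
from dataclasses import dataclass

# The seven key fields listed above; the field names are this example's own.
# "protocol" is the IP protocol number (6 = TCP).
FlowKey = namedtuple(
    "FlowKey", "src_ip dst_ip src_port dst_port protocol tos input_if")


@dataclass
class FlowRecord:
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0


def build_flow_cache(packets):
    """Group packets into unidirectional flows keyed by the seven fields."""
    cache = {}
    for ts, key, length in packets:
        rec = cache.get(key)
        if rec is None:
            # Any difference in a key field lands here and opens a new flow.
            rec = cache[key] = FlowRecord(first_seen=ts)
        rec.packets += 1
        rec.octets += length
        rec.last_seen = ts
    return cache


# Constructed sample traffic: (timestamp, key, packet length in bytes).
PC, SRV = "192.0.2.10", "198.51.100.20"
SAMPLE_PACKETS = [
    (0.00, FlowKey(PC, SRV, 50001, 80, 6, 0, "Gi0/0"), 60),
    (0.01, FlowKey(PC, SRV, 50001, 80, 6, 0, "Gi0/0"), 512),
    (0.02, FlowKey(PC, SRV, 50002, 443, 6, 0, "Gi0/0"), 60),   # new ports
    (0.03, FlowKey(SRV, PC, 80, 50001, 6, 0, "Gi0/1"), 1500),  # reply
    (0.04, FlowKey(PC, SRV, 50001, 80, 6, 0, "Gi0/0"), 40),
]

if __name__ == "__main__":
    for key, rec in build_flow_cache(SAMPLE_PACKETS).items():
        print(key, rec)
```

Five packets collapse into three flow records: two from the computer to the server that differ only in their ports, and one for the server's reply.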

Note: Because NetFlow is resource-intensive, it does not need to be operational on every NetFlow-enabled device in the network, only on the devices on which you need to create traffic flows. Although there are several versions of NetFlow, the latest, version 9, is recommended.