What Is NetFlow?
NetFlow is an open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information.
Cisco routers that have the Netflow feature enabled generate netflow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a netflow collector.
Network Flows
Network flows have been defined in many ways. In the case of NetFlow, Cisco uses the common 7-tuple definition, where a flow is defined as a unidirectional sequence of packets all sharing all of the following 7 values:
- Source IP address
- Destination IP address
- Source port (for example UDP or TCP port)
- Destination port (for example UDP or TCP port)
- IP protocol
- Ingress interface
- IP Type of Service
The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing. In Flexible NetFlow (FNF) an administrator could actually define flow properties on the router.