What is an IP Flow?

This area will help fast track you in planning, setting up and managing NetFlow in your environment. NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation.

Network specialists of various levels within an organization need to be able to report on traffic traversing sites, key links and data centers without deploying probes. They use CySight powered by unique NetFlow Auditor methods of scalable collection, retention and Predictive AI Baselining to capture and analyze every NetFlow record with aggregation options and small footprint real-time and long-term storage. From Telco to SME you will recognize the superior reliability and performance of the CySight NetFlow Auditing solutions, as well as the management benefits offered.

What is an IP Flow?

Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.

IP Packet attributes used by NetFlow:

• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of Service
• Router or switch interface

All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow, and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

This flow information is extremely useful for understanding network behavior:

• Source address allows the understanding of who is originating the traffic
• Destination address tells who is receiving the traffic
• Ports characterize the application utilizing the traffic
• Class of service examines the priority of the traffic
• The device interface tells how traffic is being utilized by the network device
• Tallied packets and bytes show the amount of traffic

Additional information added to a flow includes:

• Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
• Next hop IP addresses including BGP routing Autonomous Systems (AS)
• Subnet mask for the source and destination addresses to calculate prefixes
• TCP flags to examine TCP handshakes
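
The grouping and tallying described above, as an added example (not CySight or Cisco code): packets are keyed on the seven attributes, packets and bytes are tallied per flow, timestamps give bytes per second, and accumulated TCP flags show which flows never got past the initial SYN. The packet tuples, record field names and helper functions are constructed for illustration.

```python
from collections import namedtuple

# The seven key attributes listed above; packets sharing all seven form one flow.
FlowKey = namedtuple("FlowKey", "src dst sport dport proto tos ifindex")

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits

# Constructed sample packets:
# (time_s, src, dst, sport, dport, proto, tos, ifindex, size_bytes, tcp_flags)
PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 60, SYN),
    (0.1, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 52, ACK),
    (0.5, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 1500, ACK),
    (2.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1, 52, FIN | ACK),
    (1.0, "10.0.0.9", "192.0.2.10", 40001, 22, 6, 0, 1, 60, SYN),
    (2.0, "10.0.0.9", "192.0.2.10", 40001, 22, 6, 0, 1, 60, SYN),
    # Same addresses, ports and protocol as the first flow, but a different
    # interface, so it is tallied as a separate flow.
    (1.0, "10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 2, 60, ACK),
]

def build_cache(packets):
    """Condense packets into a flow cache: one record per unique key."""
    cache = {}
    for ts, src, dst, sport, dport, proto, tos, ifindex, size, flags in packets:
        key = FlowKey(src, dst, sport, dport, proto, tos, ifindex)
        rec = cache.setdefault(
            key, {"packets": 0, "bytes": 0, "first": ts, "last": ts, "flags": 0})
        rec["packets"] += 1
        rec["bytes"] += size
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["flags"] |= flags  # OR together every flag seen in the flow
    return cache

def bytes_per_second(rec):
    """Rate over the life of the flow; None for a zero-duration flow."""
    duration = rec["last"] - rec["first"]
    return rec["bytes"] / duration if duration > 0 else None

def syn_only(cache):
    """TCP flows that sent SYN but never ACK: the handshake did not complete."""
    return [k for k, r in cache.items()
            if k.proto == 6 and r["flags"] & SYN and not r["flags"] & ACK]

if __name__ == "__main__":
    for key, rec in build_cache(PACKETS).items():
        print(key, rec, bytes_per_second(rec))
```

Many flows from one source that stay SYN-only toward many ports or hosts are a common sign of scanning or of a service that is not answering, which is why the TCP flags field is worth retaining.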