2

I hear these terms used a lot but haven't found a decent explanation of what they are, how they are used, and what the data looks like (e.g. can you view this data in Wireshark?).

masegaloeh
5k1zk17

4 Answers

4

Netflow is a protocol used by Cisco Routers/Switches that summarizes "seen" traffic and sends these summaries to a so-called Netflow Collector. IPFlow is a derivate which is independent of Cisco.

A Netflow Collector or Reporter (software) can then generate reports for this seen traffic.

Common answers given by this data are:

- Which are the top protocols in my network (http, ftp, ...)
- Which hosts are talking the most to each other
- Which are the overall top sending hosts
- ...

See:

- http://en.wikipedia.org/wiki/IP_Flow_Information_Export
- http://en.wikipedia.org/wiki/Netflow

Also popular: sFlow. A technology by Juniper which has the same goal/motivation as Netflow but works slightly differently (forwarding samples to a collector).

Regarding Wireshark: Yes. You can see this traffic in Wireshark, like any other traffic, if it "passes" your capturing host.

Thorsten
1

Netflow is a protocol by Cisco to gather IP traffic information.

IPFlow is a netflow collector.

The RFC for NetFlow 9 can be found at http://www.ietf.org/rfc/rfc3954.txt.

Wireshark has a filter for Cisco NetFlow/IPFIX.

dunxd
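To make concrete what "the data looks like" and what a collector does with it (the reports Thorsten's answer lists, and the NetFlow v9 format of RFC 3954 that dunxd's answer links), here is a small example added to this thread; it is not code from any of the posters. It builds one constructed NetFlow v9 export packet (a template FlowSet followed by a data FlowSet, with made-up RFC 5737 addresses), decodes it the way a collector would, and then produces a top-senders-by-bytes report. The field type numbers are the ones RFC 3954 assigns; the template id 256, the flow values and the `build_sample_export` / `parse_v9` / `top_talkers` function names are this example's own assumptions.

```python
import struct
import socket
from collections import Counter

# Subset of the RFC 3954 field type numbers, enough for a basic 5-tuple + counters
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
IP_FIELDS = {8, 12}

def build_sample_export():
    """Construct one NetFlow v9 export packet (constructed sample, not a real capture)."""
    template_id = 256                       # data FlowSet ids must be > 255
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", template_id, len(fields))
    for ftype, flen in fields:
        tmpl_body += struct.pack("!HH", ftype, flen)
    template_flowset = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    # (src, dst, sport, dport, proto, bytes, packets): constructed flows
    flows = [
        ("192.0.2.10", "198.51.100.5", 51234, 80, 6, 15000, 20),
        ("192.0.2.11", "198.51.100.5", 51235, 443, 6, 90000, 70),
        ("192.0.2.10", "198.51.100.7", 53001, 53, 17, 300, 2),
    ]
    records = b""
    for s, d, sp, dp, proto, nbytes, npkts in flows:
        records += socket.inet_aton(s) + socket.inet_aton(d)
        records += struct.pack("!HHBII", sp, dp, proto, nbytes, npkts)
    records += b"\x00" * ((-len(records)) % 4)   # pad to a 4-byte boundary
    data_flowset = struct.pack("!HH", template_id, 4 + len(records)) + records

    # header: version, count, sysUptime, unix_secs, sequence, source_id
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 123456, 1700000000, 1, 0)
    return header + template_flowset + data_flowset

def parse_v9(packet, templates=None):
    """Decode a NetFlow v9 packet into a list of flow-record dicts.

    `templates` is keyed by (source_id, template_id) and is meant to be shared
    across calls, because exporters send templates only periodically."""
    if templates is None:
        templates = {}
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9: version {version}")
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:
            # Template FlowSet: one or more templates back to back, maybe padded
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if tid == 0 and nfields == 0:
                    break                      # trailing padding
                fields = []
                for _ in range(nfields):
                    fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                    pos += 4
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:
            fields = templates.get((source_id, fs_id))
            if fields is None:
                offset += fs_len               # template not seen yet: skip, as a collector would
                continue
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while rec_len > 0 and pos + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[pos:pos + flen]
                    pos += flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = socket.inet_ntoa(raw) if ftype in IP_FIELDS and flen == 4 \
                        else int.from_bytes(raw, "big")
                records.append(rec)
        # fs_id 1 (Options Template) and other ids are ignored in this example
        offset += fs_len
    return records

def top_talkers(records, key="src_addr"):
    """Bytes per address, sorted descending: the 'who sends the most' report."""
    totals = Counter()
    for r in records:
        totals[r[key]] += r.get("in_bytes", 0)
    return totals.most_common()

if __name__ == "__main__":
    recs = parse_v9(build_sample_export())
    for r in recs:
        print(r)
    print("top senders:", top_talkers(recs))
```

Note that a data FlowSet arriving before its template is skipped rather than guessed at; a real collector keeps the template cache per exporter (source id) and only decodes once the template has been seen, which is also why a Wireshark capture that starts mid-stream shows v9 data FlowSets as undecoded until the next template refresh.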
1

Netflow is the name Cisco gave to the broader class of network traffic reporting formats, generally known as 'flow reporting'. It is the equivalent of a 'pen register' for Internet traffic.

Flow analysis (reporting) allows one to see who communicated with whom, without digging into the content of the communication. This is helpful in many ways, as it helps pinpoint network bottlenecks, find the cause of slowdowns, and see the source of attacks or information leaks, all without doing extensive in-depth analysis.

It is also helpful to get a more macro-view of your network. Wireshark (and full packet capture) can be too much to handle on busy networks.

Vince Berk
0

I would read Wikipedia on NetFlow as outlined above.

By IPFLOW do you mean IPFIX? Here is a blog on NetFlow Vs. IPFIX. http://www.plixer.com/blog/netflow/what-is-ipfix-vs-netflow-v9/

Jake