
I am a little confused about the definition of the term "NetFlow". Does NetFlow describe the exchange of the total packets between two IPv4 addresses irrespective of the network ports, or does it describe the headers of the packets (Source IP, Dest IP, Source Port, Dest Port, Protocol, Time Info, TCP Flags, Byte Info, Packet Info, ICMP Info)?

Panagiotis
  • 115
  • 5

1 Answer


NetFlow as a term encompasses a couple of different approaches now, thanks to extensible fields, but basically it's this: a NetFlow record is a periodic summary of the number of bytes and packets sent from Host A to Host B on IP protocol number C, and (where appropriate) from port D on Host A to port E on Host B. There is often more information than that (such as information on the router interfaces the traffic traversed), but that's more or less it.

A concrete example might help. Let's say I start an SSH session from 192.168.0.10 to 192.168.0.11. My local OS assigns me the ephemeral TCP port 50000, and of course I'm connecting to port 22.

Periodically (say, once a minute) my router will send a NetFlow datagram containing two updates. One will contain a timestamped count of the number of octets and packets sent from 192.168.0.10:50000 to 192.168.0.11:22, and the other will contain a count of the octets and packets sent from 192.168.0.11:22 to 192.168.0.10:50000. There may be additional information, like the TCP flags used, QoS, VLAN number, and other items. Some routers will also inspect the payloads to determine the application in use, or pull out URLs or usernames. These are put into additional fields, and usually do not result in whole new NetFlow records.

If I open a second connection between the same hosts, say to port 80, or another connection to port 22, then I will get separate updates for that connection, because I will have been assigned new source ports. So, if I have two SSH connections, one from port 50000, and another from port 50001, then NetFlow will distinguish those and I'll get two sets of updates. If I have twenty connections open, then I'll get twenty pairs (one for each direction) of NetFlow updates, according to the ports and hosts involved.

So, to more directly answer your question: it does take the header information into account when reporting, so that the reports are NOT irrespective of the ports used. But, as the other commenter said, it is not necessarily limited to JUST the header information.

John Murphy
  • 186
  • 5
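As an added illustration of the answer above (example code written for this page, not taken from the original post or from any router vendor's exporter), the following Python builds the per-direction, per-port flow records the answer describes from a constructed packet list, serializes them in the public NetFlow v5 layout (24-byte header, 48-byte records) and parses the datagram back. The packet list, timestamps and interface numbers are made up for the example; two SSH sessions from source ports 50000 and 50001 to port 22 should come out as four separate records, one per direction per connection.

```python
"""Aggregate packets into NetFlow-style flow records and emit/parse NetFlow v5.

Added example for this page; the sample traffic below is constructed, not a
real capture. Only the v5 wire layout is taken from the published format.
"""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                 # v5 datagram limit
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

# Constructed sample packets: (uptime_ms, src, dst, proto, sport, dport, ip_len, tcp_flags)
SAMPLE_PACKETS = [
    (1000, "192.168.0.10", "192.168.0.11", 6, 50000, 22, 60, "S"),
    (1002, "192.168.0.11", "192.168.0.10", 6, 22, 50000, 60, "SA"),
    (1003, "192.168.0.10", "192.168.0.11", 6, 50000, 22, 52, "A"),
    (1010, "192.168.0.10", "192.168.0.11", 6, 50000, 22, 96, "PA"),
    (1015, "192.168.0.11", "192.168.0.10", 6, 22, 50000, 120, "PA"),
    (2000, "192.168.0.10", "192.168.0.11", 6, 50001, 22, 60, "S"),   # second SSH session
    (2002, "192.168.0.11", "192.168.0.10", 6, 22, 50001, 60, "SA"),
]


def flags_to_byte(flags):
    """Fold a flag string such as 'PA' into the one-byte TCP flags field."""
    return sum(TCP_FLAG_BITS[c] for c in flags)


def aggregate_flows(packets):
    """Key packets on the 5-tuple (src, dst, proto, sport, dport), as an exporter does.

    Each direction of a connection is its own key, so an SSH session yields two
    flows, and a second session from another ephemeral port yields two more.
    """
    flows = {}
    for ts, src, dst, proto, sport, dport, length, flags in packets:
        key = (src, dst, proto, sport, dport)
        f = flows.setdefault(key, {"packets": 0, "octets": 0, "first": ts,
                                   "last": ts, "tcp_flags": 0})
        f["packets"] += 1
        f["octets"] += length
        f["last"] = ts
        f["tcp_flags"] |= flags_to_byte(flags)   # v5 ORs the flags seen over the flow
    return flows


def export_v5(flows, sys_uptime_ms, unix_secs, flow_sequence=0):
    """Serialize the flow table as one NetFlow v5 datagram (header + records)."""
    if len(flows) > V5_MAX_RECORDS:
        raise ValueError("NetFlow v5 carries at most 30 records per datagram")
    out = [V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0,
                          flow_sequence, 0, 0, 0)]
    for (src, dst, proto, sport, dport), f in flows.items():
        out.append(V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0,                      # nexthop: none in this constructed example
            0, 0,                   # input/output SNMP ifIndex: made-up zeros
            f["packets"], f["octets"], f["first"], f["last"],
            sport, dport, 0, f["tcp_flags"], proto, 0,
            0, 0, 0, 0, 0))         # AS numbers, prefix masks, padding
    return b"".join(out)


def parse_v5(datagram):
    """Parse a NetFlow v5 datagram back into a list of record dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": str(ipaddress.IPv4Address(r[0])),
            "dstaddr": str(ipaddress.IPv4Address(r[1])),
            "dPkts": r[5], "dOctets": r[6], "first": r[7], "last": r[8],
            "srcport": r[9], "dstport": r[10], "tcp_flags": r[12], "prot": r[13],
        })
    return records


if __name__ == "__main__":
    table = aggregate_flows(SAMPLE_PACKETS)
    for rec in parse_v5(export_v5(table, sys_uptime_ms=3000, unix_secs=1700000000)):
        print(rec)
```

The point to take from the output is the one the answer makes: the reply packets from 192.168.0.11:22 form a record of their own rather than being folded into the client's record, and the second session on port 50001 is never merged with the first even though the hosts and the server port are identical. A collector that wants "total traffic between two hosts regardless of port" has to sum these records itself.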