Net Flow Analysis
Modern network management
NetFlow is generated from Layers 3 and 4 of the IP stack, and is best described as data specific to the communications flow, i.e. which system is talking to which system(s), when, for how long, and how often (other metrics can also potentially be gathered).
This information is then exported to a Collector (flows and Collectors operate in a many-to-many relationship: the Exporter can send to multiple Collectors, and Collectors can receive from multiple Exporters).
NetFlow can therefore be used (amongst other things) for:
Common versions of NetFlow are NetFlow v5 and NetFlow v9. However, these versions can be somewhat limited for current requirements, which is why businesses should be looking at IPFIX.
IPFIX (Internet Protocol Flow Information Export) is effectively NetFlow v10, which allows much more granular flow information to be generated and reported upon. This standard defines how the IP flow information should be formatted and exported to flow Collectors.
IPFIX, as well as being an industry standard (rather than proprietary), is much more flexible, allowing the flow data to present additional information (through the use of variable length fields) such as HTTP hostname, or HTTP URL.
IPFIX also allows vendor IDs to be specified, permitting the exporting of proprietary information. This may be information which traditionally has been sent using SNMP, or syslog, or indeed anything else. This, in turn, allows IPFIX analysers much more flexibility around reporting capabilities.
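The variable-length fields and vendor IDs described above, as an added example that is not part of the original article: a small Python parser that reads an IPFIX template and data record following the RFC 7011 wire format. The sample message is constructed; enterprise number 32473 is the value reserved for documentation use, and element ID 1 under it (a hostname field) is hypothetical.

```python
import struct
VARLEN = 0xFFFF  # template field length that means "variable length"

def parse_template(body):  # -> (template_id, [(element_id, length, vendor_id)])
    tid, count = struct.unpack_from("!HH", body, 0)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", body, off)
        # Top bit of the element ID set: a 4-byte enterprise (vendor) number follows.
        pen = struct.unpack_from("!I", body, off + 4)[0] if ie & 0x8000 else None
        off += 4 if pen is None else 8
        fields.append((ie & 0x7FFF, length, pen))
    return tid, fields

def parse_record(body, fields):  # -> {(vendor_id, element_id): raw bytes}
    off, out = 0, {}
    for ie, length, pen in fields:
        if length == VARLEN:  # actual length is carried in-band before the value
            length, off = body[off], off + 1
            if length == 255:  # long form: the next two bytes hold the length
                length, off = struct.unpack_from("!H", body, off)[0], off + 2
        if off + length > len(body):
            raise ValueError("field runs past the end of the record")
        out[(pen, ie)] = body[off:off + length]
        off += length
    return out

def parse_message(msg):  # handles one template per Template Set, one record per Data Set
    version, total = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total != len(msg):  # IPFIX messages carry version 10
        raise ValueError("not a well-formed IPFIX message")
    templates, records, off = {}, [], 16  # sets start after the 16-byte header
    while off + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > total:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # Template Set
            templates.update([parse_template(body)])
        elif set_id in templates:  # Data Set: its set ID is the template ID
            records.append(parse_record(body, templates[set_id]))
        off += set_len
    return records

def sample_message():  # constructed sample, not captured traffic
    host = b"intranet.example"
    # Template 256: sourceIPv4Address (8), destinationIPv4Address (12), vendor field
    tmpl = struct.pack("!HHHHHHHHI", 256, 3, 8, 4, 12, 4, 0x8000 | 1, VARLEN, 32473)
    data = bytes([192, 0, 2, 10, 198, 51, 100, 7, len(host)]) + host
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets
```

A Collector can only decode a Data Set after it has seen the matching template, which is why the parser keeps a template table keyed by set ID.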