triomed.blogg.se

Ntopng export flows





Routers and switches that support NetFlow can collect IP traffic statistics on all interfaces where NetFlow is enabled, and later export those statistics as NetFlow records toward at least one NetFlow collector, typically a server that does the actual traffic analysis.

Cisco standard NetFlow version 5 defines a flow as a unidirectional sequence of packets that all share seven values which define a unique key for the flow:

- Source port for UDP or TCP, 0 for other protocols.
- Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols.

Note that the Egress interface, IP Nexthop or BGP Nexthops are not part of the key, and may not be accurate if the route changes before the expiration of the flow, or if load-balancing is done per-packet.

This definition of flows is also used for IPv6, and a similar definition is used for MPLS and Ethernet flows.

Advanced NetFlow or IPFIX implementations like Cisco Flexible NetFlow allow user-defined flow keys.

A typical output of a NetFlow command line tool (nfdump in this case) when printing the stored flows may look as follows:

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows

The router will output a flow record when it determines that the flow is finished. It does this by flow aging: when the router sees new traffic for an existing flow it resets the aging counter. Also, TCP session termination in a TCP flow causes the router to expire the flow. Routers can also be configured to output a flow record at a fixed interval even if the flow is still ongoing.

NetFlow records are traditionally exported using User Datagram Protocol (UDP) and collected using a NetFlow collector. The IP address of the NetFlow collector and the destination UDP port must be configured on the sending router. A common value is UDP port 2055, but other values like 9555 or 9995, 9025, 9026 etc. can also be used.

For efficiency reasons, the router traditionally does not keep track of flow records already exported, so if a NetFlow packet is dropped due to network congestion or packet corruption, all contained records are lost forever. The UDP protocol does not inform the router of the loss so it can send the packets again. This can be a real problem, especially with NetFlow v8 or v9 that can aggregate a lot of packets or flows into a single record. A single UDP packet loss can cause a huge impact on the statistics of some flows.

That is why some modern implementations of NetFlow use the Stream Control Transmission Protocol (SCTP) to export packets so as to provide some protection against packet loss, and make sure that NetFlow v9 templates are received before any related record is exported. Note that TCP would not be suitable for NetFlow because a strict ordering of packets would cause excessive buffering and delays.

The problem with SCTP is that it requires interaction between each NetFlow collector and each router exporting NetFlow. There may be performance limitations if a router has to deal with many NetFlow collectors, and a NetFlow collector has to deal with many routers, especially when some of them are unavailable due to failure or maintenance.
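The UDP export loss described on this page can at least be measured at the collector: each NetFlow v5 export header carries a flow_sequence counter, so a forward gap between consecutive datagrams from one exporter equals the number of flow records that never arrived. The following is an added example, not part of the original page or of any tool it names; the class and helper names and the REORDER_WINDOW value are assumptions, and the sample datagrams are constructed.

```python
import struct

# NetFlow v5 export header (24 bytes, big-endian): version, count, sys_uptime,
# unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48
REORDER_WINDOW = 30 * 64  # assumption: tolerate datagrams up to 64 full exports late


class V5LossTracker:
    """Tracks flow_sequence per exporter and counts flow records never received."""

    def __init__(self):
        self.expected = {}  # (exporter_ip, engine_type, engine_id) -> next flow_sequence
        self.lost = {}      # same key -> flow records known to be missing

    def feed(self, exporter_ip, datagram):
        """Process one UDP payload; return the number of records newly found lost."""
        if len(datagram) < V5_HEADER.size:
            raise ValueError("datagram shorter than a NetFlow v5 header")
        version, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
        if version != 5:
            raise ValueError("not NetFlow v5 (version=%d)" % version)
        if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
            raise ValueError("length does not match the header's record count")
        key = (exporter_ip, etype, eid)
        expected = self.expected.get(key)
        # flow_sequence is the count of flows exported before this datagram, so a
        # forward jump is the size of the hole. Modulo 2**32 handles counter wrap.
        gap = 0 if expected is None else (seq - expected) % 2**32
        if gap >= 2**31:                          # sequence moved backwards
            if 2**32 - gap > REORDER_WINDOW:      # far behind: exporter restarted
                self.expected[key] = (seq + count) % 2**32
            return 0                              # late or duplicate: not a new loss
        self.lost[key] = self.lost.get(key, 0) + gap
        self.expected[key] = (seq + count) % 2**32
        return gap


def make_v5(seq, count):
    """Build a constructed v5 datagram with zeroed records (sample input only)."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0)
    return header + bytes(count * V5_RECORD_LEN)
```

A late datagram is not subtracted from the loss count once it arrives, so the per-exporter total is an upper bound on what was actually lost.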






