A flow is a set of packets with common characteristics within a given time frame and a
In packet switching networks, traffic flow, packet flow or network flow is a
sequence of packets from a source computer to a destination, which maybe
another host, a multicast group, or a broadcast domain.
RFC 2722 defines traffic flow as "A TRAFFIC FLOW is an artificial logical
equivalent to a call or connection, belonging to a (user-specified) METERED
NetFlow was introduced in Cisco routers first to get the traffic informationfrom one or
many source/s to one or many destination/s.
Also supported by Juniper, Mikrotiketc.
Jflow or cflowd for Juniper Networks
NetStream for 3Com/HP
NetStream for Huawei Technologies
Cflowd for Alcatel-Lucent
Rflow for Ericsson
Traffic Flow MikroTik
sFlow vendors include: AlcatelLucent, Cisco, Dell, D-Link, Fortinet, Hewlett-Packard,
Huawei, IBM, Juniper, NEC, Netgear, ZTE etc
First implementation, now obsolete, and restricted to IPv4 (without IP mask and
v2 Cisco internal version, never released.
v3 Cisco internal version, never released.
v4 Cisco internal version, never released.
Most common version, available on many routers from different brands, but
restricted to IPv4 flows.
v6 No longer supported by Cisco.
v7 Like version 5 with a source router field. Used on Cisco Catalyst switches.
Several aggregation form, but only for information that is already present in
version 5 records
Template Based, available on some recent routers. Mostly used to report flows like
IPv6, MPLS, or even plain IPv4 with BGP nexthop.
v10 Used for identifying IPFIX - IP Flow Information Export.
7. Cisco Configuration
ip flow-export version 5 origin-as
ip flow-export source Loopback0
ip flow-export destination[ServerIP] 3000
ip flow ingress
ip flow egress
8. Juniper Configuration
set firewallfilter test-flow term 1 then sample
set firewallfilter test-flow term 1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test-flow
set interfaces ge-0/0/0 unit 0 family inet filter output test-flow
set forwarding-optionssampling input rate 1000
set forwarding-optionssampling familyinet output flow-server [ServerIp] port 3000
set forwarding-optionssampling familyinet output flow-server [ServerIp] version 5
First Check if you are receiving the flows or not
tcpdump -i eth0 port 3000
17:30:19.248072 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248079 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.248853 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248887 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248894 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.249385 IP InterfaceName.60532 > ServerName.3000: UDP, length 1416
10. Now What !!!
The Flow exporter is exporting the flows and the Flow Collector is receiving them.
So now we can start analyzingthem to understandthe traffic pattern of our network.
Can be done in many ways with many tools.
We will discuss one of the most basic tools which can be run on bash easily with little
resources and required output.
Flow-toolsis a library and a collection of programs used to collect, send, process, and
generate reports from NetFlow data.
Supports NetFlow version upto 8. Best output with NetFlow version 5.
Included Programs are flow-capture , flow-cat, flow-statsand many more.
1. Gives detailinformation on each & every particularconversationwithout sniffing.
2. No problem for encrypted data.For any incident,traffic source & Destinationsare
3. Historicaldata of Flows can help operator to improve quality.
4. Data can be fetched from anywhere in network as needed in a customized way.
5. If you are multihomed, these information are importantto make sure that your
clients are getting qualityservice.
6. NFSEN does the same work but needs bigger resources compared to Flow-Tools.
7. Ideal for startup ISPs, small enterprise, office IT network, campus network etc.
Edit the flow-capture.conf file at /etc/flow-tools/ , comment all and use the below line.
-V 5 -E 5G -N 3 -w /var/flows 0.0.0.0/ServerIP/3000
Which means –
NetFlow Version will be 5
Expire the totalstored flow files as per the given space – here we will set 5 G
Nesting level for sorting flow files
Working directory will be /var/flows
Allow any IP as analyzer and ServerIP as exporter with port 3000
We can now start capturing flows with the following command.
flow-capture -w /var/flows -E5G -S3 0/0/3000
Which means –
Flow capture will start with working directory /var/flows
Totalsize of all the flow files will not exceed 5 G
Emit a stat log message every 3 minutes
Allow any IP as analyzer and exporter with port 3000
Now if you go to /var/flows/2015/2015-10/2015-10-27/ to see the flow files.
Filenamesbegining with tmp which are typicallyin-progress flow files from flow-capture
are not processed.
cd /var/flows/2015/2015-10/2015-10-27/ [3 level nesting for sorting files]
drwxr-xr-x 2 root root 4.0K Oct 27 17:07 .
drwxr-xr-x 3 root root 4.0K Oct 27 15:24 ..
-rw-r--r-- 1 root root 36M Oct 27 16:43 ft-v05.2015-10-27.163000+0600
-rw-r--r-- 1 root root 1022K Oct 27 16:45 ft-v05.2015-10-27.164438+0600
-rw-r--r-- 1 root root 26M Oct 27 16:54 ft-v05.2015-10-27.164500+0600
-rw-r--r-- 1 root root 2.6M Oct 27 16:55 ft-v05.2015-10-27.165435+0600
-rw-r--r-- 1 root root 12M Oct 27 17:00 ft-v05.2015-10-27.165558+0600
-rw-r--r-- 1 root root 21M Oct 27 17:07 ft-v05.2015-10-27.170000+0600
-rw-r--r-- 1 root root 16M Oct 27 17:13 tmp-v05.2015-10-27.170753+0600
We are ready to see some outputs finally…
1 Average packet size distribution
2 Packets per flow distribution
3 Octets per flow distribution
4 Bandwidthper flow distribution
5 UDP/TCP destinationport
6 UDP/TCP source port
7 UDP/TCP port
9 Source IP
11 Source or DestinationIP
12 IP protocol
13 octets for flow durationplot data
14 packets for flow durationplot data
15 short summary
16 IP Next Hop
17 Input interface
18 Output interface
19 Source AS
22 IP ToS
24 Source Prefix
27 Exporter IP
28 Engine Id
29 Engine Type
30 Source Tag
To view output in bash we need to use the below command remaining at the flow files
directory which is /var/flows/2015/2015-10/2015-10-27/
flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f11 -P -p -S4 | head -30
Concatenateflow file named ft-v05.2015-10-27.170000+0600
The headers are preloaded for this file containingthe metadata.
Flow-stat will provide function 11 (Source or DestinationIP) with preloaded headers and
Percentage to the total amount for 4 minutes durationof flows.