Netflow Traffic Analysis with Traffic Explorer

Introduction to Netflow Traffic Analysis
Netflow is a protocol developed by Cisco that records and communicates information about IP traffic flows. Netflow runs on Cisco routers and other routers that support flow record export in a Netflow-compatible format. Netflow is utilized in analysis of end to end traffic flows for network troubleshooting, engineering, security and planning. A form of Netflow is being adopted as an IETF standard called IPFIX. Many Service Providers, enterprises, government agencies and educational institutions have adopted Netflow as a key source of traffic analysis and network management data for operating their IP networks.

IP Flows--What Netflow Reports On
IP traffic flows are defined as a series of unidirectional packets travelling from one IP address to another. Complementing interface packet statistics captured from routers and switches via SNMP, Netflow captures a variety of statistics about these end to end IP traffic flows.

From RMON to Netflow
Before Netflow, RMON probes were the primary way of capturing data about IP flows. However, unlike Netflow which is simply turned on at a router's interface, RMON probes are separate hardware products, which can be expensive to own and maintain discretely from the routers that they are monitoring. One of the major benefits of Netflow is its relatively low cost of ownership, when compared to RMON probe-based approaches in particular. Nonetheless, Netflow deployment doesn't come for free. Netflow exported records do generate network overhead equivalent to a very low percentage of actual traffic flows they are reporting on. Sampling methodologies have improved Netflow's overhead ratio, but like any network management communications, network engineering organizations must be careful when deciding how much Netflow to enable in their network in order to not create too much network management traffic overhead. In addition, Netflow is best deployed on relatively newer routers that perform IP packet forwarding in hardware as opposed to software, since older, software/CPU-based router platforms can in some cases suffer performance degradations when large amounts of Netflow records are being exported.

How Netflow Works
Netflow exports flow records that summarize the statistics on individual flows in a UDP-based protocol. Netflow records are sent via unicast IP transmission to a server that can minimally store the raw Netflow record data in a log for later analysis. Many Netflow products have been produced to act as Netflow servers and to provide statistical reports and other analyses based on collected Netflow recorded data. Security-oriented Netflow products utilize its visibility into end to end flows to notice and alert on anomalous traffic patterns that may indicate an emerging security outbreak. Network troubleshooting and planning products focus on providing in-depth reporting for Netflow data, in summary formats (such as the top-N flows, talkers, listeners, etc.) as well as per-interface reports.

Typical Netflow Deployment Architecture
Due to the overhead issues of turning Netflow on widely in a network, the typical deployment architecture for Netflow is to enable Netflow exporting from interfaces primarily at key points in the network where a large percentage of traffic flows into or out of the network. For example, router interfaces connected to major data centers, Internet peering, and WAN backbone links are typical places where Netflow is enabled. Since these points are the source of most of the traffic traveling to the rest of the network, enabling Netflow on the associated routers provides the greatest coverage of the network's traffic with the least overhead.

Netflow's Limitation--It's Still an Interface-Centric View of the World
One limitation to Netflow is its interface-centric nature. Netflow is enabled on an interface-by-interface basis. This means that Netflow products that analyze Netflow data primarily do so by presenting per-interface reports. While these per-interface Netflow reports are quite useful in and of themselves, often times when troubleshooting or planning the network, engineers need to understand how the network actually carries the traffic between the two end points of the flow reported by Netflow. Since traffic may pass through many hops in its routed path from one end point to another, and since routing may change that path dynamically over time, understanding the routed network's role in delivering the end to end traffic reported by Netflow is often very difficult, and many times impossible, since Netflow may not be enabled broadly enough to know which flows crossed which interfaces. Even if all interfaces were enabled with Netflow, the amount of manual searching and correlation makes interface-specific Netflow reporting very limited. What is needed is not only to see Netflow data from an individual exporting interface's point of view, but also from the global routed network's point of view.

Traffic Explorer--Network-Wide Netflow Traffic and Routing Analysis
Packet Design's Traffic Explorer provides engineers with the network-wide Netflow traffic visibility they've been missing, by combining two previously distinct management technologies – route analytics and Netflow traffic analysis – to deliver the first integrated, real-time view of network-wide routing and traffic behavior. This groundbreaking Netflow tool helps the world’s largest enterprises, service providers, government agencies and educational institutions to use Netflow more intelligently and operate, troubleshoot, plan and optimize their networks with unprecedented accuracy, confidence and speed. For the first time, network engineers and operators are able to use Netflow to view complex IP networks as integrated systems rather than collections of discrete devices and links, enabling them to maximize IT efficiency and productivity while reducing the capital and operational expenses required to maintain top network service quality.

Get More Information on Network-Wide Netflow Visibility
Download the Traffic Explorer white paper explaining how network-wide Netflow traffic visibility can be achieved with low overhead and routing-awareness here

© 2007 Packet Design Inc., All Rights Reserved