How to Monitor Network Traffic With NetFlow


Troubleshooting network problems in a timely manner is critical for maintaining network performance and delivering advanced network services within an organization.

For network engineers and administrators, troubleshooting bandwidth-related issues can be achieved by taking advantage of the flow technologies already built into routers and switches. With NetFlow, monitoring network traffic not only becomes much simpler but also provides broader visibility into the network.

This article touches on the following areas:

What Is NetFlow?

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information; it has since become the globally accepted standard for traffic monitoring. NetFlow data carries information such as the source and destination ports, source and destination IP addresses, IP protocol, and IP type of service. Based on this information, one can gain insight into:

  • Who uses the bandwidth (users)
  • What uses the bandwidth (applications)
  • How the bandwidth is being consumed (top talkers)
  • When the bandwidth is used at maximum capacity (top flows)
  • Where the bandwidth is being hogged (interface)

History of NetFlow Versions and Flow Record

Since the inception of NetFlow, multiple versions of the protocol have been released, of which NetFlow v5 and v9 are the most commonly used across devices. NetFlow v5 has a fixed packet format, whereas v9 offers more flexibility through templates that can carry additional details from the device. IPFIX, sometimes referred to as NetFlow v10, is the IETF-standardized version of NetFlow.

The primary output of all these NetFlow versions is a flow record, which is generated by grouping packets on their key fields, such as source and destination IPs and source and destination ports. Each flow record is exported to the collector for further processing.

Netflow's Flow Record output diagram.
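
The fixed-format v5 record described above is simple enough to parse by hand. The following is an added example, not code from the article or from LogicMonitor: it decodes a NetFlow v5 datagram (24-byte header plus 48-byte records) into the key fields the text lists, refusing truncated or oversized datagrams rather than reading past the buffer. The sample packet is constructed inline; no real exporter is involved.

```python
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by `count`
# fixed 48-byte flow records (an exporter sends at most 30 per datagram).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    next_hop: str
    in_if: int        # SNMP ifIndex of the input interface
    out_if: int       # SNMP ifIndex of the output interface
    packets: int
    octets: int
    first_ms: int     # sysUptime at the first packet of the flow
    last_ms: int      # sysUptime at the last packet of the flow
    src_port: int
    dst_port: int
    tcp_flags: int    # cumulative OR of the TCP flags seen in the flow
    proto: int        # IP protocol number (6 = TCP, 17 = UDP, ...)
    tos: int          # IP type-of-service byte


def parse_v5_packet(data: bytes) -> tuple[dict, list[FlowRecord]]:
    """Parse one NetFlow v5 datagram; reject malformed input up front."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header advertises {count} records but datagram is truncated")

    header = {
        "version": version,
        "count": count,
        "sys_uptime_ms": sys_uptime,
        "export_time": unix_secs + unix_nsecs / 1e9,
        "flow_sequence": flow_seq,               # gaps here mean lost datagrams
        "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_mode": sampling >> 14,         # top two bits
        "sampling_interval": sampling & 0x3FFF,  # remaining 14 bits
    }

    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nh, in_if, out_if, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(data, off)
        records.append(FlowRecord(
            src_ip=str(ipaddress.IPv4Address(src)),
            dst_ip=str(ipaddress.IPv4Address(dst)),
            next_hop=str(ipaddress.IPv4Address(nh)),
            in_if=in_if, out_if=out_if, packets=pkts, octets=octs,
            first_ms=first, last_ms=last, src_port=sport, dst_port=dport,
            tcp_flags=flags, proto=proto, tos=tos,
        ))
    return header, records


def build_sample_packet() -> bytes:
    """Constructed two-flow datagram for testing; not captured from a real exporter."""
    def ip(s: str) -> bytes:
        return ipaddress.IPv4Address(s).packed

    header = V5_HEADER.pack(5, 2, 120_000, 1_700_000_000, 0, 42, 0, 0, 0)
    # HTTPS conversation: 10 packets, 15000 bytes, TCP, flags PSH|ACK
    tcp_flow = V5_RECORD.pack(ip("10.0.0.5"), ip("192.0.2.10"), ip("10.0.0.1"),
                              1, 2, 10, 15000, 100_000, 119_500, 51234, 443,
                              0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    # DNS query: 1 packet, 80 bytes, UDP
    udp_flow = V5_RECORD.pack(ip("10.0.0.7"), ip("192.0.2.53"), ip("10.0.0.1"),
                              1, 2, 1, 80, 118_000, 118_000, 40000, 53,
                              0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + tcp_flow + udp_flow


if __name__ == "__main__":
    hdr, flows = parse_v5_packet(build_sample_packet())
    print(hdr)
    for f in flows:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"proto={f.proto} octets={f.octets} in={f.in_if} out={f.out_if}")
```

A collector would call `parse_v5_packet` on every UDP datagram it receives and track `flow_sequence` per exporter, since a jump in that counter is the only signal that records were dropped in transit.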

Monitoring NetFlow Data

To monitor NetFlow data, a device operating as a flow exporter aggregates packets into flows and sends flow records to NetFlow collectors. These collectors store the records and prepare them for further analysis.

Monitoring NetFlow mainly consists of three components:

  1. Flow Exporter: a network device (a router or firewall) that generates the flow data and sends it to a flow collector in UDP packets.
  2. Flow Collector: a device (LogicMonitor’s Collector) that receives the exported flow data. It resides on the same network as the routers.
  3. Flow Analyzer: an application (LogicMonitor Cloud Server) that examines and analyzes the flow data gathered by the flow collector.

A diagram showing how NetFlow is collected and monitored in LogicMonitor

Why Should You Use NetFlow?

Below are some of the key objectives/benefits gained from NetFlow Monitoring:

  1. Clear Network Visibility

From the NetFlow data, network administrators can correlate IP addresses with the users who accessed them. They can quickly predict QoS (Quality of Service) needs and allocate resources per user. Because the data gives a clear view of which user communicated with which IP address, which application the user accessed, and so on, they can also reduce the network's exposure to malware and compromise.

  2. Root Cause Analysis of Network Issues

NetFlow monitoring facilitates root cause analysis. Whenever someone reports slowness in accessing an application on the network, administrators can see the impact of that activity on the network, check whether packet drops or response-time issues are making the application slow, and use that information to isolate and eliminate problems within the network.

  3. Improving Bandwidth Utilization and Capacity Planning

NetFlow data gives network administrators the entire picture of the traffic on specific interfaces, for specific protocols, and for specific applications.

By identifying the top talkers on the network, administrators can also see who the top consumers of bandwidth are, validate whether that traffic is legitimate, plan to optimize usage, and support capacity planning.

  4. Identification of Security Breaches

Network security is another important objective of NetFlow. Various attacks consume network resources, so if spikes (sudden rises in bandwidth usage) occur at a particular time or location, they can be identified and investigated as a possible security breach. With advanced NetFlow analysis, these issues can be monitored, alerted on, and mitigated quickly.
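
The top-talker ranking from point 3 and the spike detection from point 4 are both simple aggregations over flow records. The following is an added example, not code from the article or from LogicMonitor, working on a constructed list of flow summaries as a collector would hold them after parsing. It ranks sources and (protocol, port) pairs by octets, buckets traffic into fixed intervals, flags any interval whose volume exceeds three times the median of the intervals before it, and names the sources responsible for a flagged interval. The time window, the factor of three and the minimum history are assumptions to tune per network.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed flow summaries (not captured traffic), as a collector would keep
# them after parsing: (export_time_s, src_ip, dst_ip, dst_port, proto, octets)
SAMPLE_FLOWS = [
    (5,   "10.0.0.5",  "192.0.2.10",   443, 6,  4000),
    (20,  "10.0.0.7",  "192.0.2.20",    53, 17,  300),
    (40,  "10.0.0.5",  "192.0.2.10",   443, 6,  6000),
    (70,  "10.0.0.8",  "192.0.2.30",    80, 6,  5000),
    (95,  "10.0.0.5",  "192.0.2.10",   443, 6,  5500),
    (130, "10.0.0.7",  "192.0.2.20",    53, 17,  250),
    (150, "10.0.0.8",  "192.0.2.30",    80, 6,  9000),
    (185, "10.0.0.5",  "192.0.2.10",   443, 6, 11000),
    (200, "10.0.0.7",  "192.0.2.20",    53, 17,  400),
    (245, "10.0.0.42", "198.51.100.9", 443, 6, 90000),   # unusual burst
    (250, "10.0.0.42", "198.51.100.9", 443, 6, 85000),
    (300, "10.0.0.5",  "192.0.2.10",   443, 6,  7000),
]


def top_talkers(flows, n=3):
    """Source addresses ranked by octets sent."""
    by_src = Counter()
    for _ts, src, _dst, _port, _proto, octets in flows:
        by_src[src] += octets
    return by_src.most_common(n)


def top_applications(flows, n=3):
    """(protocol, destination port) pairs ranked by octets: a coarse application view."""
    by_app = Counter()
    for _ts, _src, _dst, port, proto, octets in flows:
        by_app[(proto, port)] += octets
    return by_app.most_common(n)


def octets_per_interval(flows, interval_s=60):
    """Total octets per fixed time bucket, keyed by bucket start, in time order."""
    buckets = defaultdict(int)
    for ts, *_rest, octets in flows:
        buckets[(ts // interval_s) * interval_s] += octets
    return dict(sorted(buckets.items()))


def detect_spikes(series, factor=3.0, min_history=3):
    """Flag buckets whose volume exceeds `factor` x the median of all earlier
    buckets. Median rather than mean, so one earlier spike does not inflate
    the baseline and hide the next one."""
    spikes, history = [], []
    for start, octets in series.items():
        if len(history) >= min_history and octets > factor * median(history):
            spikes.append(start)
        history.append(octets)
    return spikes


def spike_contributors(flows, start, interval_s=60):
    """Who sent the bytes in a flagged bucket: the first thing to look at."""
    by_src = Counter()
    for ts, src, _dst, _port, _proto, octets in flows:
        if start <= ts < start + interval_s:
            by_src[src] += octets
    return by_src.most_common()


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("top applications:", top_applications(SAMPLE_FLOWS))
    series = octets_per_interval(SAMPLE_FLOWS)
    for start in detect_spikes(series):
        print(f"spike at t={start}s: {series[start]} octets, "
              f"from {spike_contributors(SAMPLE_FLOWS, start)}")
```

On the constructed data, the 240-second bucket is flagged and attributed entirely to one internal host, which is exactly the "where is it coming from" question an administrator asks before deciding whether the traffic is legitimate.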

Insights Gained Through LogicMonitor’s NetFlow Monitoring

Using LogicMonitor’s NetFlow Monitoring, one can gain valuable insights into the following data points:

  1. Bandwidth Utilization

Identify the network conversation from the source and destination IP addresses, and the traffic path through the network from the input and output interface information.

A pie chart showing NetFlow's top flows

  2. Top Flows and Top Talkers

Identify the top N applications, top source/destination endpoints, and protocols consuming the network bandwidth.

NetFlow chart showing top talkers

  3. Consumers of the Bandwidth

Keep track of interface details and statistics of top talkers and users, which can help determine the origin of an issue when a problem is reported.

A pie graph of the most bandwidth used in NetFlow

  4. Bandwidth Hogging

Analyze historical data to examine the patterns of incidents and their impact on total network traffic through the packet and octet counts.

A chart showing bandwidth hogging from a historical view.

  5. ToS and QoS Analysis

Ensure the right priorities are given to the right applications using ToS (Type of Service). Verify the Quality of Service (QoS) levels achieved to optimize network bandwidth for specific requirements.

A QoS table for NetFlow in LogicMonitor
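
The ToS byte carried in each flow record is what a QoS check actually reads: its upper six bits are the DSCP and the lower two bits are ECN. The following is an added example, not code from the article or from LogicMonitor. It decodes the ToS byte into the standard class names (CS0 to CS7, AF11 to AF43, EF), totals bandwidth per class, and reports flows whose marking does not match a per-port policy; the policy table and the flow list are constructed assumptions.

```python
from collections import Counter


def dscp_name(dscp: int) -> str:
    """Standard names for DSCP values: class selectors (RFC 2474), assured
    forwarding (RFC 2597) and expedited forwarding (RFC 3246)."""
    if dscp == 46:
        return "EF"
    if dscp & 0x7 == 0:                      # CS0..CS7: low three bits zero
        return f"CS{dscp >> 3}"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"              # AFxy: class x, drop precedence y
    return f"DSCP{dscp}"                     # unnamed value, reported by number


def decode_tos(tos: int) -> dict:
    """Split the 8-bit ToS byte from a flow record into DSCP and ECN."""
    dscp = (tos >> 2) & 0x3F
    return {"dscp": dscp, "name": dscp_name(dscp), "ecn": tos & 0x3}


# Constructed flows (not captured traffic): (src_ip, dst_ip, dst_port, tos, octets)
QOS_FLOWS = [
    ("10.0.0.5",  "192.0.2.10", 443,  0x00, 15000),  # best-effort web
    ("10.0.0.9",  "192.0.2.40", 5060, 0xB8,   600),  # SIP marked EF
    ("10.0.0.9",  "192.0.2.41", 5060, 0x00,   550),  # SIP left unmarked
    ("10.0.0.12", "192.0.2.50", 22,   0x28,  4000),  # SSH marked AF11
    ("10.0.0.7",  "192.0.2.20", 53,   0x00,   300),  # DNS best-effort
]


def octets_by_class(flows):
    """Bandwidth per DSCP class: shows whether priority classes are actually used."""
    totals = Counter()
    for _src, _dst, _port, tos, octets in flows:
        totals[decode_tos(tos)["name"]] += octets
    return dict(totals)


def marking_violations(flows, policy):
    """Flows whose DSCP class differs from what `policy` (dst_port -> class)
    expects. Ports absent from the policy are not checked."""
    bad = []
    for src, dst, port, tos, _octets in flows:
        expected = policy.get(port)
        actual = decode_tos(tos)["name"]
        if expected is not None and actual != expected:
            bad.append((src, dst, port, actual, expected))
    return bad


if __name__ == "__main__":
    print(octets_by_class(QOS_FLOWS))
    # Assumed policy: voice signalling on 5060 must be EF, SSH on 22 AF11.
    for violation in marking_violations(QOS_FLOWS, {5060: "EF", 22: "AF11"}):
        print("marking mismatch:", violation)
```

Seeing most of the octets in CS0 is normal; what the check surfaces is the SIP flow that reached the exporter unmarked, meaning the priority the policy intended is not being applied somewhere upstream.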

  6. IPv6 Traffic Monitoring

LogicMonitor’s NetFlow Monitoring provides out-of-the-box support for mixed IPv4 and IPv6 environments, and the flexibility to differentiate top N flows in each protocol. IPv6 adoption is gaining significant traction in the public sector, large-scale distribution systems, and companies working with IoT infrastructure.

  7. Application Classification through NBAR2

Network-Based Application Recognition (NBAR) provides an advanced application classification mechanism using application signatures, a signature database, and deep packet inspection. This is all done directly within the network by enabling NBAR on the specific devices.

A pie graph showing the top applications used in LogicMonitor via NetFlow integration.
Top applications used, sorted by name, in LogicMonitor via NetFlow.

Effective NetFlow Monitoring With LogicMonitor

So far we have covered the basics of NetFlow and how NetFlow monitoring helps network administrators gain valuable insights into traffic behavior and keep network uptime high.

With a dedicated NetFlow collector and analyzer built in, LogicMonitor’s NetFlow Monitoring enables network administrators to clearly identify the culprit and streamlines the examination of traffic patterns from specific IP addresses, ports, and users, so they can quickly find the cause of bottlenecks and validate quality of service (QoS).

Curious to know more about LogicMonitor’s NetFlow offering? Then check out the details of recently added features such as NBAR2 support and enhanced filtering for NetFlow data.