Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.
IP Packet attributes used by NetFlow:
• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of Service
• Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
This flow information is extremely useful for understanding network behavior
• Source address allows the understanding of who is originating the traffic
• Destination address tells who is receiving the traffic
• Ports characterize the application utilizing the traffic
• Class of service examines the priority of the traffic
• The device interface tells how traffic is being utilized by the network device
• Tallied packets and bytes show the amount of traffic
Additional information added to a flow includes
• Flow timestamps to understand the life of a flow; timestamps are useful for calculating packets and bytes per second
• Next hop IP addresses including BGP routing Autonomous Systems (AS)
• Subnet mask for the source and destination addresses to calculate prefixes
• TCP flags to examine TCP handshakes