NetFlow records, or flow records, are data structures that capture detailed information about network traffic flows. Each record represents a single flow, which is a continuous sequence of packets between a source and a destination. The data captured in these records can be used for various purposes such as network monitoring, performance analysis, and security auditing. Here’s a breakdown of the typical fields included in a NetFlow record:
- Source IP Address: The IP address of the device that initiated the flow.
- Destination IP Address: The IP address of the device that is receiving the flow.
- Source Port: The port number on the source device used for the flow.
- Destination Port: The port number on the destination device used for the flow.
- Protocol: The transport layer protocol used for the flow (e.g., TCP, UDP, ICMP).
- Type of Service (ToS): The 8-bit field in the IP header that specifies the desired quality of service for the flow.
- Input Interface: The interface on the network device (e.g., router or switch) where the flow was received.
- Output Interface: The interface on the network device where the flow was forwarded.
- Flow Start Time: The timestamp indicating when the flow began.
- Flow End Time: The timestamp indicating when the flow ended or was last observed.
- Packet Count: The total number of packets that belong to the flow.
- Byte Count: The total number of bytes that belong to the flow.
- Flags: Various flags that indicate the status or characteristics of the flow, such as whether the record marks the start or the end of a flow.
- TCP Flags: For TCP flows, this field includes flags like SYN, ACK, FIN, etc., which provide additional detail about the connection state.
- Network Layer and Transport Layer Information: Includes details such as the IP version (IPv4 or IPv6) and transport layer details (e.g., TCP/UDP port numbers).
The structure and specific fields of a NetFlow record can vary depending on the version of NetFlow being used. For example:
- NetFlow v5: This version includes a fixed set of fields like source/destination IP addresses, ports, and packet/byte counts.
- NetFlow v9: This version is more flexible and allows for a more dynamic set of fields, supporting templates that define which fields are included in records.
- IPFIX (Internet Protocol Flow Information Export): An IETF standard that is based on NetFlow v9 but provides even greater flexibility and extensibility.
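As an added example (not part of the original text), the following parser decodes the fixed-format NetFlow v5 datagram described above: a 24-byte header followed by 48-byte records, laid out according to Cisco's published v5 export format. The sample datagram is constructed inline, the dictionary key names are my own, and the parser rejects truncated datagrams rather than trusting the header's record count.

```python
import ipaddress
import struct

# Layouts follow Cisco's published NetFlow v5 export format (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # version .. sampling_interval, 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2, 48 bytes
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def decode_tcp_flags(value):
    """Names of the bits set in a record's cumulative-OR TCP flags byte."""
    return {name for bit, name in TCP_FLAG_BITS if value & bit}


def parse_v5(datagram):
    """Return (header, flows) for one v5 export datagram; ValueError if it is malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # Check the advertised count against the actual length so a truncated
    # datagram raises instead of being read as phantom records.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header claims {count} records; datagram is truncated")
    header = {"count": count, "sys_uptime_ms": sys_uptime, "export_time": unix_secs,
              "flow_sequence": flow_seq, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "protocol": PROTOCOLS.get(proto, str(proto)),
            "tos": tos, "input_if": in_if, "output_if": out_if, "packets": pkts,
            "bytes": octets, "first_ms": first, "last_ms": last,  # sysUpTime-relative
            "duration_ms": last - first, "tcp_flags": decode_tcp_flags(tcp_flags),
        })
    return header, flows


# Constructed sample datagram: one complete TCP flow 192.0.2.10:51514 -> 198.51.100.20:443.
SAMPLE_DATAGRAM = V5_HEADER.pack(5, 1, 90_000, 1_700_000_000, 0, 4242, 0, 0, 0) + V5_RECORD.pack(
    ipaddress.IPv4Address("192.0.2.10").packed, ipaddress.IPv4Address("198.51.100.20").packed,
    bytes(4), 2, 3, 12, 6400, 1_000, 4_500, 51514, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
```

Flow start and end times in v5 are milliseconds of router uptime, so they must be combined with the header's export time and sysUpTime to recover wall-clock timestamps.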