Search by DuckDuckGo

Getting Started with Netflow

2022-07-21

Some notes about getting started with Cisco Netflow.

Netflow

Overview

NetFlow is a feature that was introduced on Cisco routers in the mid-1990s.

Routers and switches that are Netflow enabled can collect IP traffic statistics about interfaces. This Netflow data is forwarded as soon as its generated to a Netflow collector, usually a server running analysis code.

Version 5 is supported across the Cisco router range. In addition, Version 5 uses bandwidth the most efficiently of all Netflow versions.

Flows

A flow is a sequence of similar network packets all going in the same direction. Packets in a flow are similar in that the values for seven important packet descriptors are the same. The seven descriptors make up a tuple - a list of the seven descriptors - that identifies the flow.

The seven descriptors are: (i) the ingress interface, i.e. the SNMP ifIndex, (ii) the source IP address, (iii) the destination IP address, (iv) the IP protocol, (v) the source port for UDP or TCP, or 0 for other protocols, (vi) the destination port for UDP or TCP. Type and code for ICMP and 0 for other protocols, (vii) the IP Type of Service. This is the second byte of the IPV4 header.

IBM has detail on the Version 5 data formats.

Packet Tracer

Cisco's free Packet Tracer software allows you to create a simulated network and to experiment with configuring infrastructure devices (routers, switches etc.) for Netflow logging. You can learn how to set up a Netflow generator that will export Netflow to a collector. This is super.

There are limitations:

• The built-in collector software does not seem to allow access to the raw Netflow data.
• It does not seem possible to export data from Packet Tracer.
• The Python version running within Packet Tracer is missing libraries and runs only a subset of Python code.
• You must register for Cisco's training programme to download the software.

Still, Packet Tracer allows you to understand how to set up a network and to get a Netflow collection system working.

Netflow Generator

• Paessler has an old but working spoof Netflow 5 generator. Install this and start sending Netflow to a collector.

Netflow Collector

• There is a nice Python Netflow 5 collector code at codestacking.blogspot.com. The first program on this page works well. For testing, you can create a UDP socket at 127.0.0.1 and port 9001, for example.

Datasets

Netflow datasets for testing:

• NetFlow Datasets for Machine Learning-based Network Intrusion Detection Systems. This is a very nice paper that makes use of large open Netflow datasets. The .pdf is here.
• Machine Learning-Based NIDS (Network Intrusion Detection Systems) Datasets. The NetFlow V1 Datasets are a good starting point, in particular NF-UNSW-NB15; this NetFlow-based format of the UNSW-NB15 dataset is labelled with its respective attack categories. You can download the NF-UNSW-NB15 dataset here.

References

• Wikipedia Netflow Article.
• Cisco's Netflow website.
• Cisco's note about routers.
• Godfred Fairhurst's note about how routers work.
• SolarWinds note about Netflow Version 5.
• Netflow Version 5 data format from IBM.
• Cisco Packet Tracer.
• Paessler spoof Netflow 5 generator.
• Netflow version 5 collector in Python.
• NetFlow Datasets for Machine Learning-based Network Intrusion Detection Systems.
• Machine Learning-Based NIDS (Network Intrusion Detection Systems) Datasets. The UNSW-NB15 dataset is labelled with attack categories.

This page was last rendered on June 29, 2023.