Network traffic reporting in the past was largely performed with either the Simple Network Management Protocol (SNMP) or carried out with a packet analyzer, but today NetFlow Traffic Analysis is the practice most commonly utilized. To understand why flow technologies have become popular, we need to understand the limitations of the alternatives.


SNMP continues to be leveraged for two important primary purposes. The first is configuration. SNMP sets are used to make changes on many network appliances. For example, setting the location attribute for where the device is physically located. This is a tried and true technology for getting the job done even though it leverages the unreliable User Datagram Protocol (UDP). Most SNMP applications are written to verify changes made via SNMP. The second use for SNMP is for collecting massive amounts of data. Probably the most common counters collected by SNMP are ifInOctets and ifOutOctets which are basically the total in/out bytes on an interface. The problem with SNMP is that it lacks the detail that packet analysis provides and RMON created excessive traffic and lacked adoption.


RMON failed in the market for a few reasons. Gathering RMON statistics created unacceptable amounts of traffic over the network and still lacked important details now available through NetFlow traffic analysis. Get bulk was introduced to grab multiple instances of the same counter without causing excessive traffic over the network, but it wasn't enough to get vendors to embrace the technology. For these reasons RMONs value for forensic investigation in the network security software industry has gone relatively unnoticed.

Packet Analyzers

To this day, packet capture and analysis is often the only way to find out what is going on in the network. Having all the details at ones disposal to figure out a communication problem sounds ideal, but the problem is that it often leads to an overwhelming amount of data that is difficult to sift through and we often don't need 'everything'. The noise of details found when having access to the actual packets between hosts can lead to lost time due to the necessary filtering that needs to take place. Packet analysis also requires the investment in expensive-to-deploy and expensive-to-maintain probes. Netflow Traffic Analysis is the best solution.

NetFlow Traffic Analysis

NetFlow Traffic Analysis is a phrase that generally encompasses all things flow related. This includes IPFIX which is the IETF standard for NetFlow. J-Flow, NetStream, CascadeFlow, etc. are all NetFlow v5 or v9 derivatives. Although sFlow is often roped in with NetFlow, it's really not a flow technology at all. sFlow is a proprietary packet sampling and counter gathering technology. It has almost no resemblance to NetFlow other than the name it is marketed by.

What is NetFlow? A flow entry resides in a cache or table on a router or switch. The flow represents a tuple which is used to match on packets with the same unique attributes. These attributes are often user definable and most often include source and destination IP address, ports, protocols, interface, etc. Packets with the same attributes increase the counters for the matching flow entries else, a new flow entry is made. When the traffic dissipates, the flow entry is exported and remove from the cache.

Because NetFlow can be used to monitor internal traffic and as a network internet monitor, it is an ideal technology for network threat protection. In most environments, it is largely relied on for forensic analysis.

Internal Traffic: NetFlow and IPFIX reporting can be used to increase situational awareness by identifying top talkers, applications, etc. on the entire network or on specific links.

Network Threat Protection: NetFlow can be used to verify traffic that should or shouldn't be on the network. It can be used for IP Host reputation, comparing traffic to network baselines and for general odd behavior pattern monitoring.

Flow Replicator

Often times a company will invest in a flow replicator to forward flows to both the NetFlow collector and the network security system to optimize overall NetFlow Traffic Analysis.

Leader in NetFlow

If you have further questions on NetFlow or on how it can be used as a network internet monitor, reach out to Plixer, a leader in NetFlow reporting.