NetFlow breaks TCP/IP communications down for statistical record keeping using the concept of a flow. A flow is a unidirectional stream of packets between a specific source system and a specific destination. Because a flow is one-directional, a single TCP connection shows up as two flows, one per direction. The figure demonstrates the flow concept.
For NetFlow, which is built around TCP/IP, the source and destination are defined by their network layer IP addresses and their transport layer source and destination port numbers.
NetFlow technology has gone through several generations that allow traffic flows to be defined with more sophistication, but "original NetFlow" distinguished flows using a combination of seven fields. If any one of these fields differs between two packets, the packets belong to different flows:
- Source IP address
- Destination IP address
- Source port number
- Destination port number
- Layer 3 protocol type
- Type of Service (ToS) marking
- Input logical interface
The first four of the fields NetFlow uses to identify a flow should be familiar. The source and destination IP addresses, plus the source and destination ports, identify the connection between the source and destination applications. The Layer 3 protocol type is the Protocol field of the IP header; it identifies the type of header that follows the IP header (usually TCP or UDP, but other options include ICMP, which carries no port numbers). The ToS byte in the IPv4 header holds information about how devices should apply quality of service (QoS) rules to the packets in that flow, so the same conversation remarked with a different DSCP value becomes a separate flow. The input logical interface is the interface on which the exporting device received the packet.
Flexible NetFlow supports more options with flow data records. Flexible NetFlow enables an administrator to define records for a Flexible NetFlow flow monitor cache by specifying the user-defined optional and required fields to customize the data collection to suit specific requirements. When defining records for a Flexible NetFlow flow monitor cache, they are referred to as user-defined records. The required fields are the key fields (configured with match statements) that, like the seven fields of original NetFlow, decide which flow a packet belongs to. The optional fields are non-key fields (configured with collect statements) whose values are added to flows to provide additional information about the traffic in the flows. A change in the value of an optional field does not create a new flow; only a change in a key field does.
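The following Python example, added here and not part of the original text or of any NetFlow implementation, shows how the seven-field key decides flow membership, and how moving a field from key to non-key (the Flexible NetFlow distinction above) changes the result. The packets are constructed, not captured; the ICMP packet follows the NetFlow v5 export convention of placing ICMP type*256+code in the destination port field, which is an assumption of this example rather than something the text states.

```python
from collections import OrderedDict

# Constructed sample packets (not captured traffic). Each tuple carries the seven
# fields original NetFlow keys on, plus the packet length in bytes:
# (src_ip, dst_ip, src_port, dst_port, proto, tos, in_if, length)
PACKETS = [
    ("10.1.1.5", "203.0.113.10", 51000, 443, 6, 0x00, 1, 74),
    ("10.1.1.5", "203.0.113.10", 51000, 443, 6, 0x00, 1, 1400),
    # Reverse direction of the same TCP connection: a separate, unidirectional flow.
    ("203.0.113.10", "10.1.1.5", 443, 51000, 6, 0x00, 2, 66),
    # Same 5-tuple as the first two packets but remarked DSCP EF (ToS 0xB8).
    ("10.1.1.5", "203.0.113.10", 51000, 443, 6, 0xB8, 1, 1400),
    # ICMP echo request: no real ports; assumed v5 convention type*256+code = 8*256+0.
    ("10.1.1.7", "203.0.113.10", 0, 2048, 1, 0x00, 1, 84),
]

ORIGINAL_KEY = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "in_if")
FIELDS = ORIGINAL_KEY + ("length",)

# A hypothetical Flexible NetFlow record that keeps ToS as a non-key (collect) field.
FNF_KEY = tuple(f for f in ORIGINAL_KEY if f != "tos")


def build_flow_cache(packets, key_fields=ORIGINAL_KEY):
    """Aggregate packets into flows keyed on key_fields.

    Returns an ordered dict mapping the key tuple to a record with packet and
    byte counters plus the most recently seen value of every non-key field.
    Non-key fields are updated in place and never split a flow.
    """
    cache = OrderedDict()
    for pkt in packets:
        rec = dict(zip(FIELDS, pkt))
        key = tuple(rec[f] for f in key_fields)
        entry = cache.setdefault(key, {"packets": 0, "bytes": 0, "nonkey": {}})
        entry["packets"] += 1
        entry["bytes"] += rec["length"]
        for f in ORIGINAL_KEY:
            if f not in key_fields:
                entry["nonkey"][f] = rec[f]
    return cache


def flow_count(packets, key_fields=ORIGINAL_KEY):
    """Number of distinct flows the packets produce under the given key."""
    return len(build_flow_cache(packets, key_fields))


def flow_record(packets, key, key_fields=ORIGINAL_KEY):
    """Counters for one flow, or None if no packet matched that key."""
    return build_flow_cache(packets, key_fields).get(key)


if __name__ == "__main__":
    for name, key_fields in (("original NetFlow", ORIGINAL_KEY), ("FNF, ToS non-key", FNF_KEY)):
        print(f"{name}: {flow_count(PACKETS, key_fields)} flows")
        for key, entry in build_flow_cache(PACKETS, key_fields).items():
            print("  ", dict(zip(key_fields, key)), entry)
```

Under the original seven-field key the remarked packet and the reverse-direction packet each open a new flow, giving four flows; with ToS demoted to a non-key field the remarked packet merges into the first flow and the cache records the last ToS value seen, giving three.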