IPFIX
Definition
IP Flow Information Export. An IETF standard based on Cisco NetFlow v9 that defines a protocol for exporting flow records from routers and switches. IPFIX is the vendor-neutral successor to proprietary flow export protocols.
IPFIX as the Standardized Evolution of NetFlow
IP Flow Information Export (IPFIX, RFC 7011) is the IETF standard that formalizes and extends Cisco's NetFlow v9 model. Where NetFlow is a proprietary protocol with vendor variations, IPFIX provides a vendor-neutral specification that all network equipment vendors can implement consistently. The core mechanism is identical — flow records exported from observation points to collectors — but IPFIX adds a formal information model (RFC 7012) defining hundreds of standardized data elements.
Template-Based Flexibility
IPFIX uses a template record system: the exporter first sends a template describing which data fields it will include in subsequent data records. Collectors decode records using the matching template. This allows exporters to include custom enterprise-specific fields (identified by Private Enterprise Numbers) alongside standard elements — useful for application-aware networking, SSL/TLS metadata, or HTTP URL information when deep packet inspection is available.
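The template mechanism described above, as a minimal collector-side decoder. This is an added example, not code from the original page or from any IPFIX implementation. It assumes fixed-length fields, returns values as raw bytes and ignores options templates; the function names, the three-entry element table and the sample message are constructed for illustration, and 32473 is the documentation enterprise number from RFC 5612.

```python
import struct
IANA = {4: "protocolIdentifier", 8: "sourceIPv4Address", 12: "destinationIPv4Address"}

def learn_templates(body, domain, templates):
    pos = 0
    while pos + 4 <= len(body):  # anything shorter is set padding
        tid, count = struct.unpack_from("!HH", body, pos)
        pos, fields = pos + 4, []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            name, pos = IANA.get(ie, f"ie{ie}"), pos + 4
            if ie & 0x8000:  # enterprise bit: a 4-byte PEN scopes the element ID
                pen, pos = struct.unpack_from("!I", body, pos)[0], pos + 4
                name = f"pen{pen}.ie{ie & 0x7FFF}"
            if flen in (0, 0xFFFF):
                raise ValueError("only fixed-length fields are handled here")
            fields.append((name, flen))
        templates[(domain, tid)] = fields  # template IDs are scoped per domain

def decode_records(body, fields):
    rec = struct.Struct("!" + "".join(f"{flen}s" for _, flen in fields))
    return [dict(zip((name for name, _ in fields), rec.unpack_from(body, off)))
            for off in range(0, len(body) - rec.size + 1, rec.size)]

def parse_message(msg, templates):
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", msg)
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, undecodable, pos = [], [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("set length out of bounds")
        body, fields = msg[pos + 4:pos + set_len], templates.get((domain, set_id))
        if set_id == 2:
            learn_templates(body, domain, templates)
        elif set_id >= 256 and fields:
            records += decode_records(body, fields)
        elif set_id >= 256:
            undecodable.append(set_id)  # data arrived before its template
        pos += set_len
    return records, undecodable

def message(*sets):  # builds a constructed message for observation domain 1
    body = b"".join(struct.pack("!HH", sid, len(b) + 4) + b for sid, b in sets)
    return struct.pack("!HHIII", 10, len(body) + 16, 0, 0, 1) + body
# Constructed sample: template 256 = IEs 8, 12, 4 plus IE 1 under documentation PEN 32473
TEMPLATE = (2, struct.pack("!10HI", 256, 4, 8, 4, 12, 4, 4, 1, 0x8001, 2, 32473))
DATA = (256, bytes([192, 0, 2, 10, 198, 51, 100, 7, 6, 0, 42]))
```

`parse_message(message(DATA), {})` returns `([], [256])`: a data set whose template has not been seen is reported rather than decoded by guesswork.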
Mediators and the Collection Architecture
IPFIX defines mediators — intermediate devices that can aggregate, filter, or anonymize flow records before forwarding to a final collector. A mediator at an ISP might anonymize source IP addresses for privacy compliance before sending records downstream. Multiple observation points (routers, firewall appliances, virtual switches in microservices clusters) export to mediators that merge records into a unified view. IPFIX complements Syslog (event narratives) and SNMP Trap (device state alerts) to form a complete network observability stack. IPFIX collectors listen on UDP or TCP port 4739 by default.