NetFlow
Definition
A protocol developed by Cisco that collects metadata about IP network traffic flows (source/destination IP, ports, protocol, byte count) for analysis. NetFlow data is essential for bandwidth monitoring, capacity planning, and security forensics.
What NetFlow Captures
NetFlow, developed by Cisco, records metadata about every IP flow traversing a router or switch. It captures not the packet payload but the conversation summary: source and destination IPv4/IPv6 addresses, source and destination ports, protocol (TCP, UDP, ICMP), bytes transferred, packet count, start and end timestamps, and ASN routing information. A "flow" is defined as packets sharing the same 5-tuple within a session.
Flow Export Architecture
Network devices cache active flows in a flow table. When a flow ends (TCP FIN/RST, timeout, or cache eviction), the device exports a flow record to a NetFlow collector over UDP. The collector stores and indexes records for querying. NetFlow v5 is the most widely supported version for IPv4; v9 introduced template-based extensibility and IPv6 support. IPFIX (IP Flow Information Export) is the IETF-standardized successor to NetFlow v9, using the same template model.
Use Cases: Security and Capacity Planning
NetFlow data reveals traffic baselines: normal business hours show predictable flow patterns; an unexpected spike to an external IP at 3 AM stands out immediately. Security teams use NetFlow for DDoS detection, lateral movement analysis, and data exfiltration identification. Network engineers use it for bandwidth capacity planning, identifying which applications and which subnet segments generate the most traffic. BGP route analysis paired with NetFlow AS-path data helps attribute traffic to upstream ISP relationships. Use IP Lookup to enrich NetFlow records with geolocation and ASN metadata during analysis.
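The baseline comparison described above, as an added example that is not part of the original page: it sums each internal host's outbound bytes per hour and flags hours far above that host's median baseline hour. The `10.0.0.0/8` internal range, the `factor` and `floor` thresholds, the record field names (including the `end` epoch timestamp) and all flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
DAY0 = 19676 * 86400                           # a midnight UTC, as epoch seconds


def hourly_outbound(flows):
    """Sum bytes per (internal source, epoch hour) for flows that leave INTERNAL."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[(f["src"], f["end"] // 3600)] += f["bytes"]
    return totals


def flag_spikes(baseline_flows, new_flows, factor=10, floor=50_000_000):
    """Return (src, utc_hour, bytes) where an hour exceeds factor x the host's median hour."""
    history = defaultdict(list)
    for (src, _hour), total in hourly_outbound(baseline_flows).items():
        history[src].append(total)
    alerts = []
    for (src, hour), total in sorted(hourly_outbound(new_flows).items()):
        typical = median(history[src]) if history[src] else 0
        if total >= floor and total > factor * typical:
            alerts.append((src, hour % 24, total))
    return alerts


def flow(src, dst, day, hour, nbytes):
    """Build one constructed flow record ending at the given UTC day and hour."""
    return {"src": src, "dst": dst, "end": DAY0 + day * 86400 + hour * 3600, "bytes": nbytes}


# Constructed data: a week of business-hours traffic, then one day to evaluate.
BASELINE = [flow("10.1.2.3", "203.0.113.50", d, h, 2_000_000)
            for d in range(7) for h in range(9, 18)]
NEW = ([flow("10.1.2.3", "203.0.113.99", 7, 3, 100_000_000) for _ in range(4)]
       + [flow("10.1.2.3", "203.0.113.50", 7, 10, 2_500_000),
          flow("10.1.2.3", "10.9.9.9", 7, 2, 1_000_000_000)])  # internal backup

if __name__ == "__main__":
    print(flag_spikes(BASELINE, NEW))
```

The `floor` keeps hosts with little or no history from alerting on trivial volumes, and the internal-to-internal backup is excluded because only flows leaving the internal range are counted.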