Most large organizations enable NetFlow on their network routers and switches as part of their application or network performance suite of tools. It provides a high-level view of an interface’s overall throughput, which is very helpful for determining congestion conditions and who’s using the link (the bandwidth hog).

NetFlow was originally introduced by Cisco for their routers, where it collected IP network flow statistics at an interface. That data can then be forwarded to a NetFlow collector for consolidation and analysis. Since then, various network infrastructure vendors have come up with their own versions (e.g., J-Flow from Juniper Networks) to help monitor their own equipment. However, they all serve the same purpose, which is to give network engineers a high-level view of their network: throughput, applications, class of service, and users (IP addresses).

While NetFlow helps identify congestion and network bandwidth hogs, it does have limitations when it comes to troubleshooting network issues:

  • Data is summarized in 1 to 5 minute windows, so granularity is lost.
  • Most internet-based apps are lumped under port 80, so any application running over HTTP can’t be identified or summarized.
  • When network load is too high, sampling is used, which translates to missed data.
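The summarization and sampling limitations above can be seen on a small packet record. The following is an added example, not from the original article: the packets, addresses and the deterministic 1-in-100 sampler are constructed for illustration, and the flow records are a simplified stand-in for what a flow exporter would report.

```python
from collections import defaultdict

WINDOW_US = 60_000_000  # one 60-second export window, in microseconds

def make_packets():
    """Constructed capture: (time_us, src, dst, dport, size_bytes)."""
    pkts = []
    for i in range(600):   # steady transfer: 1000 B every 100 ms for 60 s
        pkts.append((i * 100_000, "10.0.0.5", "192.0.2.10", 80, 1000))
    for i in range(400):   # 200 ms burst at t=30 s: 1500 B every 0.5 ms
        pkts.append((30_000_000 + i * 500, "10.0.0.7", "192.0.2.20", 80, 1500))
    for i in range(3):     # short 3-packet exchange at t=45 s
        pkts.append((45_000_000 + i * 10_000, "10.0.0.9", "192.0.2.30", 80, 200))
    return sorted(pkts)

def flow_summary(packets, sample_n=1):
    """Per-window flow records {(window, src, dst, dport): [packets, bytes]}.
    sample_n > 1 keeps every Nth packet and scales counters by N
    (deterministic here for reproducibility; real samplers may be random)."""
    flows = defaultdict(lambda: [0, 0])
    for idx, (t, src, dst, dport, size) in enumerate(packets):
        if idx % sample_n:
            continue
        rec = flows[(t // WINDOW_US, src, dst, dport)]
        rec[0] += sample_n
        rec[1] += size * sample_n
    return dict(flows)

def average_bps(packets):
    """Link rate as a 60-second summary reports it."""
    return sum(p[4] for p in packets) * 8 * 1_000_000 // WINDOW_US

def peak_bps(packets, bin_us=100_000):
    """Highest rate seen in any 100 ms bin of the packet record."""
    bins = defaultdict(int)
    for t, _, _, _, size in packets:
        bins[t // bin_us] += size
    return max(bins.values()) * 8 * 1_000_000 // bin_us

if __name__ == "__main__":
    pkts = make_packets()
    for key, (n, b) in sorted(flow_summary(pkts).items()):
        print("full   ", key, n, "pkts", b, "bytes")
    for key, (n, b) in sorted(flow_summary(pkts, sample_n=100).items()):
        print("1:100  ", key, n, "pkts", b, "bytes")
    print("60 s average:", average_bps(pkts), "bps")
    print("100 ms peak: ", peak_bps(pkts), "bps")
```

On this constructed data the 60-second summary averages the 200 ms burst away, the 3-packet exchange disappears entirely under sampling, and all three flows carry the same port 80 label.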

So during network analysis, NetFlow will point you to where to look but will not give you the details. A NetFlow deployment should be complemented with a full network recorder (packet capture) solution so that, when detailed network analysis is required, packets are readily available. Packet visibility is important because:

  • Packets provide the most granular level of network data for fault analysis.
  • Packets, when collected without loss, allow detailed analysis (bit by bit, byte by byte) from header to payload.
  • Records of packets can be analyzed and re-analyzed.
  • Packet records can be used for validating fixes on network appliances (security, APM/NPM, etc.).
  • NEMs, network engineers, and application engineers will typically require packet records to analyze and fix network equipment or application issues.
  • Packets can be used for compliance (e.g., HIPAA).

Packet is King when full network analysis is required, something that non-packet-based solutions like NetFlow can’t provide.

For more information

Angelo Bustos

Solutions Consultant Director