What is a Network Traffic Flow? (Part 3)


Network traffic flows (flows) are useful for building a coarse-grained understanding of traffic on a computer network.

Following on from What is a Network Traffic Flow? and What is a Network Traffic Flow? (Part 2), this third post investigates flow metadata, how it adds value to flow analysis, and how to record and transport it. This is the good stuff, where flows become useful…


Figure 1 – What this blog post covers


What is a Network Traffic Flow? (Part 2)


Network traffic flows (flows) are useful for building a coarse-grained understanding of traffic on a computer network. Flows provide a convenient unit for the measurement and/or treatment of traffic.

Following on from What is a Network Traffic Flow?, this second post delves into Internet layer flow considerations. Previously, we found that the definition of a flow is mainly arbitrary, primarily driven by the capabilities of hardware/software, and the use cases. We now delve further into the considerations around specific features and behaviours of IP.


Figure 1 – Where this blog post fits in the Internet Protocol suite

What is a Network Traffic Flow?


Network traffic flows (flows) are useful for building a coarse-grained understanding of traffic on a computer network, providing a convenient unit for the measurement and/or treatment of traffic.

Flows can be measured to understand which hosts are talking on the network, with details of addresses, volumes and types of traffic. This view of the network can be useful for troubleshooting, detecting security incidents, planning and billing.

But what exactly is a flow, and how is it defined?

This question sounds trivial to answer; however, when we dig deeper we find nuances and corner cases that make flows interesting, and ultimately difficult to define.

Collecting NetFlow with nfcapd and nfdump

This blog post is for network experimenters who want to collect (receive) NetFlow or IPFIX flow records using the nfdump package (which includes nfcapd). An example use case, building on the previous blog post NetFlow on OpenWRT, is shown in the diagram below (highlighted boxes):

Diagram – Collecting NetFlow with nfcapd and nfdump

Flow records can be useful for various applications such as network visibility and security alerting.

NetFlow on OpenWRT

This blog post is for network experimenters who want to export flow records from a small network, such as a home network using an OpenWRT router. Such a network might look like this:

Diagram – NetFlow on OpenWRT

Flow records can be useful for various applications. Here is an example flow record:

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2018-08-04 21:31:34.518     0.000 TCP      10.1.1.19:52465 ->          10.1.1.1:22            100     4600     1

Flow records give a coarse-grained view of what traffic is passing over a network, including flow source and destination addresses/protocols/ports, as well as volume information such as packets and bytes.

In this tutorial we use OpenWRT[1], a popular free and open source router operating system, and add the softflowd package to it to generate NetFlow flow records. There are, however, many other options to achieve the same outcome.