Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX

Flow monitoring has become a prevalent method for monitoring traffic in high-speed networks. By focusing on the analysis of flows rather than individual packets, it is often said to be more scalable than traditional packet-based traffic analysis. Flow monitoring embraces the complete chain of packet observation, flow export using protocols such as NetFlow and IPFIX, data collection, and data analysis. Contrary to what is often assumed, all stages of flow monitoring are closely intertwined. Each of these stages therefore has to be thoroughly understood before sound flow measurements can be performed; otherwise, flow data artifacts and data loss can be the consequence, potentially without being observed. This paper is the first of its kind to provide an integrated tutorial on all stages of a flow monitoring setup. As shown throughout this paper, flow monitoring has evolved from the early 1990s into a powerful tool, and additional functionality will certainly be added in the future. We show, for example, how the previously opposing approaches of deep packet inspection and flow monitoring have been united into novel monitoring approaches.
