Configuring flow export: Difference between revisions

From wiki.comcert.com
Diff of the previous revision against the revision of 17:40, 14 January 2018 (no edit summary).

Line 7 (both revisions):

This article tries to describe the idea behind network flow reporting, and we hope it will help you determine the correct procedure for configuring your FEDs.

Added in the new revision:

For a complete overview of NetFlow or IPFIX, we recommend reading [https://tools.ietf.org/html/rfc3917 RFC 3917].

Line 16 (old) / Line 18 (new):

==== FED ====

Old: A ''Flow Enabled Device'' is any layer three and in some cases layer two device configured to send flow records to a collector.

New: A ''Flow Enabled Device'' is any L3 and in some cases L2 device sending flow records to a collector.

==== Flow ====

Old: A ''flow'' is defined as a stream of packets between a given source and a given destination.

For example, in client-server computing a TCP session consists of two flows: one flow from client to server and the second flow from server to client.

New: A ''flow'' is defined as a stream of packets between a given source and a given destination. For example, in client-server computing a TCP session consists of two flows: one flow from client to server and the second flow from server to client.

==== Flow record ====

Old: A flow ''record'' is a protocol data unit that describes the flow. The most significant parameters are source and destination address, protocol and port, duration of the flow, class of service marking and the physical or virtual interface where the packets entered and exited the FED.

New: A flow record contains information about a specific flow that was metered at an observation point. A flow record contains measured properties of the flow (e.g., the total number of bytes of all packets of the flow, flow duration and the physical or virtual interface where the packets entered and exited the FED) and usually characteristic properties of the flow (e.g., source/destination IP address, protocol, port, ToS/DiffServ marking, ...).

==== Sensor ====

Unchanged: A flow ''sensor'' is deployed on an interface basis. A flow sensor will "read" the packets going across the interface and "compose" the flow record.

Revision as of 17:40, 14 January 2018

Introduction

Correct configuration of Flow Exporting Devices (FED) is key to flow-based network analysis. In most cases, configuration errors result in missing or duplicate data, and it may be difficult to spot that the flow data has been compromised because of this. Device vendors do not make it easy: most of them use different methods to enable network flow export to the collector (in our case TVF or TVA).

Furthermore, some collectors require a special setting on the FED in order to understand its flow records correctly.

This article tries to describe the idea behind network flow reporting, and we hope it will help you determine the correct procedure for configuring your FEDs.

For a complete overview of NetFlow or IPFIX, we recommend reading RFC 3917.

Solution

Definitions

FED

A Flow Enabled Device is any L3 and in some cases L2 device sending flow records to a collector.

Flow

A flow is defined as a stream of packets between a given source and a given destination. For example, in client-server computing a TCP session consists of two flows: one flow from client to server and the second flow from server to client.

Flow record

A flow record contains information about a specific flow that was metered at an observation point. A flow record contains measured properties of the flow (e.g., the total number of bytes of all packets of the flow, flow duration and the physical or virtual interface where the packets entered and exited the FED) and usually characteristic properties of the flow (e.g., source/destination IP address, protocol, port, ToS/DiffServ marking, ...).

Sensor

A flow sensor is deployed on an interface basis. A flow sensor will "read" the packets going across the interface and "compose" the flow record.
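The Flow, Flow record and Sensor definitions above, as an added example that is not part of this wiki article or of any FED vendor's code: a minimal sensor that "reads" constructed packets from one interface and "composes" unidirectional flow records keyed on the characteristic properties (addresses, protocol, ports, input ifIndex) while accumulating the measured ones (packets, bytes, duration, output ifIndex). The Packet and FlowRecord types and the ifIndex values are assumptions made for the example; feeding it one TCP session yields the two flow records the article describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Packet:          # one packet as the sensor "reads" it on its interface (constructed)
    ts: float          # arrival time, seconds
    src: str
    dst: str
    proto: int         # 6 = TCP, 17 = UDP
    sport: int
    dport: int
    length: int        # bytes on the wire
    in_if: int         # ifIndex where the packet entered the FED
    out_if: int        # ifIndex where it exited

@dataclass
class FlowRecord:      # characteristic properties (key) plus measured properties
    key: Tuple[str, str, int, int, int, int]   # src, dst, proto, sport, dport, input ifIndex
    first: float
    last: float
    out_if: int
    packets: int = 0
    octets: int = 0
    @property
    def duration(self) -> float:
        return self.last - self.first

def compose_flow_records(packets: List[Packet]) -> List[FlowRecord]:
    """Aggregate packets into unidirectional flows, as a sensor composes records."""
    flows: Dict[tuple, FlowRecord] = {}
    for p in packets:
        key = (p.src, p.dst, p.proto, p.sport, p.dport, p.in_if)
        rec = flows.get(key)
        if rec is None:   # first packet of a new flow sets key and start time
            rec = flows[key] = FlowRecord(key, p.ts, p.ts, p.out_if)
        rec.packets += 1               # measured properties accumulate per packet
        rec.octets += p.length
        rec.last = max(rec.last, p.ts)
    return list(flows.values())

# Constructed sample: one TCP session, client 10.0.0.5 -> server 192.0.2.10:443,
# seen by a FED with the client on ifIndex 1 and the server on ifIndex 2.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 60, 1, 2),    # SYN
    Packet(0.02, "192.0.2.10", "10.0.0.5", 6, 443, 40001, 60, 2, 1),    # SYN/ACK
    Packet(0.03, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 52, 1, 2),    # ACK
    Packet(0.05, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 571, 1, 2),   # request
    Packet(0.40, "192.0.2.10", "10.0.0.5", 6, 443, 40001, 1460, 2, 1),  # response
    Packet(0.41, "10.0.0.5", "192.0.2.10", 6, 40001, 443, 52, 1, 2),    # ACK
]
```

Because the key includes the input ifIndex, enabling the sensor on both ifIndex 1 and ifIndex 2 of the same FED would produce each record twice, which is the duplicate-data symptom the introduction warns about.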