NetFlow Terms - Flow record

mirkobrodersen, Level 1

Hello guys,

I'm studying NetFlow at the moment and I want to know if I understand the flow record correctly. Especially important for me to understand here, since I'm struggling with this a bit, are the flow record "match" and "collect" statements.

Flow record: The Flow record is used to specify different flows to be matched and which data is collected from them.

The match statement: The match statement is used to match on a packet field, for example the ipv4 protocol field, which determines what the device should look for.

The collect statement: I think the collect statement basically has two jobs. First it defines which information we want to gather from the flow, and second it determines what NetFlow sees as a flow. That is the important part for me, since I have a problem here getting my head around this.

Example: If I have a collect statement which matches on the destination IP address of a packet, and let's say a match statement which matches on the protocol type. Let's say ICMP. Now here is the thing I struggle with: that basically means NetFlow would see a packet from 10.0.0.1 to 172.16.0.1 as well as a packet from 10.1.1.10 to 172.16.0.1 as a single flow, right? Because the criteria are the same. Protocol type is "1" and the destination IP doesn't change. Is my understanding correct here? If not, I would be happy to hear why it is not and how it actually is.

Thanks in advance!

Kind regards,

Mirko

Accepted Solution

Hello,

For Netflow it is used like this:

Flow record: The Flow record is used to specify different flows to be matched and which data is collected from them.

The match statement: The match statement is used to match on a packet field, for example the ipv4 protocol field, which determines what the device should look for. This also determines the flow. I will provide an example below.

The collect statement: Collects information from the various flows configured.

 

We will do 2 examples to help with my point.

PC1: 192.168.1.1/24

PC2: 192.168.1.2/24

Server: 8.8.8.8

Example 1:

Configuring a match ipv4 destination address

conf t
flow record FLOW1
match ipv4 destination address
collect counter packets long

This Netflow example will check the destination IP address in the packet on the interface configured for NetFlow and create a separate flow ONLY if the destination IP is different. So in this example, if PC1 and PC2 both sent packets to the Server at 8.8.8.8, Netflow would see this as 1 flow since the destination IP address is the same and only the destination address is configured to match.

 

Example 2:

Configuring a match ipv4 source AND destination address

conf t
flow record FLOW2
match ipv4 source address
match ipv4 destination address
collect counter packets long

Now when PC1 and PC2 sent packets to 8.8.8.8, it would be seen as 2 different flows since the criteria in the match statements are different.

 

A good comparison I heard is that it's basically the router asking "How do YOU define a flow?" - configure it with match statements.

 

Hope this helps clear things up

-David

 

 


7 Replies

M02@rt37, VIP

Hello @mirkobrodersen 

Your understanding is on the right track!

In NetFlow, a flow is a unidirectional sequence of packets that share common attributes, such as source and destination IP addresses, source and destination ports, and protocol type. The flow record is a set of specifications that define which attributes are used to identify and collect information about a flow.

- Match Statement:
The match statement is used to define the key fields that NetFlow uses to identify a flow. These are the criteria that NetFlow looks for to group packets into a flow.
For example, if you have a match statement that includes the destination IP address and protocol type, NetFlow will group packets with the same destination IP address and protocol type into the same flow.

- Collect Statement:
The collect statement is used to specify which attributes or fields of the packets within a flow should be recorded.
It does not influence how NetFlow defines a flow; instead, it determines what information about the flow is collected. In your example, if you have a collect statement that includes the destination IP address, NetFlow will record the destination IP address for each packet in the flow.

Now, addressing your specific example, if you have a match statement that includes the destination IP address and a collect statement that includes the destination IP address, and another match statement that includes the protocol type (e.g., ICMP), NetFlow would indeed consider packets from 10.0.0.1 to 172.16.0.1 and from 10.1.1.10 to 172.16.0.1 as separate flows.

The reason is that the match criteria for these two flows are different. One flow is based on the destination IP address and protocol type, and the other is based on a different source IP address and the same destination IP address but possibly a different protocol type.

To sum up, the match statement defines the criteria for grouping packets into flows, and the collect statement determines what information is recorded for each packet within those flows. If the match criteria are different, NetFlow considers them as separate flows, even if some attributes like the destination IP address are the same.

 

Best regards

Hello M02@rt37.

The protocol type is the same. Also the match statement matches the protocol type, and the collect statement matches the destination address.

The config looks like this:

R1#sho run | s record
flow record FLOW_RECORD
description FLOW_RECORD
match ipv4 protocol
collect ipv4 destination address
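
To make the difference between key (match) and non-key (collect) fields concrete, here is a small added Python model of a flow cache, not Cisco code and not from either poster: it keys the cache on the match fields of David's FLOW1 and FLOW2 examples and of the FLOW_RECORD config shown just above, using constructed packets from the thread. It ignores cache ageing and export, which a real Flexible NetFlow cache also does.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int  # IP protocol number, 1 = ICMP
    length: int = 64

@dataclass
class FlowRecord:
    """One 'flow record' block: match = key fields, collect = non-key fields."""
    name: str
    match: tuple
    collect: tuple = ()

# Map the IOS field names used in the thread onto packet attributes.
FIELD = {
    "ipv4 source address": lambda p: p.src,
    "ipv4 destination address": lambda p: p.dst,
    "ipv4 protocol": lambda p: p.proto,
}
def build_cache(record, packets):
    """Return {flow key: collected data}; the key is the tuple of match-field values."""
    cache = {}
    for p in packets:
        key = tuple(FIELD[f](p) for f in record.match)
        entry = cache.setdefault(key, {})
        for c in record.collect:
            if c == "counter packets long":
                entry[c] = entry.get(c, 0) + 1
            elif c == "counter bytes long":
                entry[c] = entry.get(c, 0) + p.length
            elif c in FIELD:
                # Collected fields are stored, not keyed: they never split a flow.
                entry[c] = FIELD[c](p)
    return cache
def flow_count(record, packets):
    return len(build_cache(record, packets))
# Constructed traffic from the thread: PC1/PC2 to 8.8.8.8, and two ICMP hosts to 172.16.0.1.
DAVID_PACKETS = [Packet("192.168.1.1", "8.8.8.8", 1), Packet("192.168.1.2", "8.8.8.8", 1)]
MIRKO_PACKETS = [Packet("10.0.0.1", "172.16.0.1", 1), Packet("10.1.1.10", "172.16.0.1", 1)]
FLOW1 = FlowRecord("FLOW1", ("ipv4 destination address",), ("counter packets long",))
FLOW2 = FlowRecord("FLOW2", ("ipv4 source address", "ipv4 destination address"), ("counter packets long",))
FLOW_RECORD = FlowRecord("FLOW_RECORD", ("ipv4 protocol",), ("ipv4 destination address",))

if __name__ == "__main__":
    for rec, pkts in ((FLOW1, DAVID_PACKETS), (FLOW2, DAVID_PACKETS), (FLOW_RECORD, MIRKO_PACKETS)):
        print(rec.name, "->", flow_count(rec, pkts), "flow(s):", build_cache(rec, pkts))
```

FLOW1 and FLOW_RECORD each yield a single cache entry, FLOW2 yields two; with only `match ipv4 protocol` as the key, every ICMP packet on the interface lands in the same flow regardless of source or destination.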

 

 

@mirkobrodersen 

Given this configuration, if you have packets with the same protocol type but different destination IP addresses, NetFlow will still consider them as separate flows. The match statement is used to define the criteria for grouping packets into flows, and the collect statement determines what information is recorded for each packet within those flows.

In your case, if you have a packet from 10.0.0.1 to 172.16.0.1 (let's say ICMP with protocol type 1) and another packet from 10.1.1.10 to 172.16.0.1 (also ICMP with protocol type 1), these packets will likely be considered as separate flows because the destination IP addresses are different.

Best regards

I have the same destination ip address and the same protocol type. The only difference is the source ip address.

@mirkobrodersen 

Given that you have the same destination IP address and the same protocol type but different source IP addresses, the flow record you provided with the match statement match ipv4 protocol and the collect statement collect ipv4 destination address will indeed treat these packets as separate flows. The match statement is focusing on the protocol type, and the collect statement is gathering the destination IP address for each flow.

If you're seeing unexpected behavior, where packets with the same destination IP address and protocol type but different source IP addresses are not being treated as separate flows, there might be something else in the NetFlow configuration or network traffic that needs to be examined.

Best regards


Hello @David Ruess,

perfect, thank you! That's how I was thinking about it. I thought basically "a flow is determined by certain components by default, in Traditional NetFlow". However, the reason Flexible NetFlow exists is exactly that the Network Engineer wants to determine what makes up a "flow", to either gather only general information or be as precise as possible, depending on the business needs.

The explanation helped a lot in making my thought clearer. Thanks again!

 

Kind regards,

Mirko