08-27-2013 07:47 AM - edited 03-10-2019 12:06 AM
Hi Gurus,
Please let me know (if you have a link, that would be excellent) the difference between capturing traffic in real time (using a SPAN port) and exporting traffic via the NetFlow protocol.
When I capture traffic and analyze it (using Wireshark or tcpdump) in real time I see all the data in detail, but in NetFlow I see statistics?
Any other tip or link where this is explained in detail, please?
09-02-2013 07:41 AM
Hi there,
NetFlow is typically used to sample network streams, i.e. taking 1 out of every 100 packets. As the name suggests, it is interested in flows of data: source and destination, what protocol is being used, for how long, and how much data was passed.
It is good for providing an overview of what exactly your network is being used for and for highlighting possible chokepoints: popular destinations or sources which account for a high volume of data and which are all accessible via a particular uplink.
Real-time packet capture, as you note, is interested in each and every packet on the wire as it goes past, including the data payload. It can be used for troubleshooting network services, as you have the ability (dependent on the protocol being used) to inspect what exactly is being requested and what is being sent.
cheers,
Seb.
09-05-2013 01:49 AM
Capturing packets via a SPAN port and inspecting them with Wireshark or any pcap analysis tool is looking at actual datagrams - the details are much more in-depth and you are not missing anything. You see the actual IP conversations.
NetFlow captures the header information from each of the IP conversations traversing your networking device and allows flow analysis tools to decipher them and display the results. With NetFlow, each IP conversation is represented in a flow with information about its source and destination IP address, port numbers, protocol, ToS, etc. Now remember, NetFlow is not all sampled - it captures all the IP conversation information. There is also sampled NetFlow, like Seb stated in the previous reply, but not all NetFlow is sampled. You can enable sampling to capture 1 in 100 packets or 1 in x packets.
A simpler way to put it: consider a phone call. Packet capture is like knowing who called whom, how they called, what they used, when they called, and also what they talked about.
NetFlow is like your phone bill - you know who called whom, when it happened, how long they talked, etc., but you do not know what they talked about.
If you have a resource-intensive network, capture NetFlow from all the nodes and do spanning from the most important interfaces.
Regards,
Don Thomas Jacob
http://www.solarwinds.com/netflow-traffic-analyzer.aspx
NOTE: Please rate and close questions if you found any of the answers helpful.
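The difference described in the replies above, as an added example that is not part of any poster's reply: constructed packets are aggregated into unidirectional flow records keyed on source/destination address, ports, protocol and ToS, first unsampled and then with 1-in-N sampling. The packet list, the fixed 40-byte header size and the function names are assumptions for illustration; a real NetFlow key also includes the input interface, which is omitted here.

```python
from collections import namedtuple

# Constructed sample "capture": what a SPAN port plus a pcap tool would see.
Packet = namedtuple("Packet", "ts src dst sport dport proto tos payload")
PACKETS = [
    Packet(0.00, "10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.05, "192.0.2.10", "10.0.0.5", 80, 51000, 6, 0, b"HTTP/1.1 200 OK\r\n"),
    Packet(0.10, "10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, b"GET /logo.png HTTP/1.1\r\n"),
    Packet(0.20, "10.0.0.7", "198.51.100.53", 40000, 53, 17, 0, b"\x12\x34 dns query"),
    Packet(0.90, "10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, b"GET /style.css HTTP/1.1\r\n"),
]

HDR_BYTES = 40  # assumption: fixed header size, to keep the byte math simple


def export_flows(packets, sample_every=1):
    """Aggregate packets into flow records, the view a flow exporter gives.

    sample_every=1 accounts for every packet; sample_every=N inspects 1 in N
    packets (deterministically here) and scales the counters by N.
    """
    flows = {}
    for i, p in enumerate(packets):
        if i % sample_every:  # packet not selected by the sampler
            continue
        key = (p.src, p.dst, p.sport, p.dport, p.proto, p.tos)
        rec = flows.setdefault(
            key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        rec["packets"] += sample_every
        rec["bytes"] += (HDR_BYTES + len(p.payload)) * sample_every
        rec["last"] = p.ts  # only counters and timestamps; payload is dropped
    return flows


def find_in_capture(packets, needle):
    """Payload search: possible on a packet capture, impossible on flows."""
    return [p for p in packets if needle in p.payload]


if __name__ == "__main__":
    for label, n in (("unsampled", 1), ("1-in-2 sampled", 2)):
        print(label)
        for key, rec in export_flows(PACKETS, n).items():
            print("  ", key, rec)
    print("capture hits:", find_in_capture(PACKETS, b"logo.png"))
```

With 1-in-2 sampling the short DNS flow and the single reply packet never reach the exporter, and the remaining flow's counters are estimates rather than exact totals.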
09-11-2013 11:13 AM
Hi,
Following links regarding Netflow information might be helpful,