The NetFlow, sFlow, Cflow, Jflow, IPFIX-Flow Dilemma

The NetFlow, sFlow, Cflow, Jflow, IPFIX-Flow Dilemma Vincent Berk, October 27, 2009 It seems these days that the marketplace is saturated with flow export formats. CISCO has NetFlow, InMon has sFlow®, Juniper uses JFlow, and there are several others. Few... More

The NetFlow, sFlow, Cflow, Jflow, IPFIX-Flow Dilemma Vincent Berk, October 27, 2009 It seems these days that the marketplace is saturated with flow export formats. CISCO has NetFlow, InMon has sFlow®, Juniper uses JFlow, and there are several others. Few of these manufacturers seem to release details on the inner workings of their protocols, and their subsequent benefits. What follows is an overview of flow technologies. For the NetFlow suite of protocols we most often see version 5 (supported by the majority of devices), some combined v5/v7 (the Catalysts), and some version 9 on the newer devices. Don’t be fooled by the ASA series of firewalls; they do not actually support version 9 flow exporting. Instead, these CISCO devices use NetFlow 9 to export log lines: no traffic info there! NetFlow v5 uses a static packet format (and is in this way very similar to v7), defining IPv4 IPs, protocols, ports, and millisecond precision on flow start and flow end times. Version 9 uses a dyn Less