A passive network monitoring protocol helps you understand how much traffic an IP network forwards. A NetFlow collector acquires traffic statistics from the switches and routers of the network infrastructure. NetFlow is one of the best-known passive protocols used to analyze the network traffic entering and leaving a router’s interface. Cisco first developed this protocol in 1996. The most recent version of NetFlow is 9. Along with NetFlow, there are both proprietary alternatives, like J-Flow (developed by Juniper Networks), and open ones, like sFlow.
What is a traffic flow? A traffic flow is a sequence of packets from a source computer to a destination one. More specifically, RFC 2722 defines a flow as “an artificial logical equivalent to a call or connection”. We will use the architecture of NetFlow as a reference point for other passive protocols. I will first describe the content of a NetFlow packet, and then cover the components of a NetFlow solution. For each flow, a NetFlow packet records the following information:
- the ingress interface,
- the source and destination IP addresses,
- the IP protocol,
- the source and destination TCP or UDP ports,
- the Type of Service.
A flow exporter process runs on any NetFlow-enabled network device. Its function is to aggregate packets into flows and then send this information to a NetFlow collector. The NetFlow collector stores and pre-processes this data, which a user can then analyze. Performance analysis can include reports about network utilization, top talkers, and top applications. It can also include security analysis to identify improper behavior or unauthorized access.
To conclude, NetFlow, or any other passive analysis protocol, is a must-have tool for network administrators. Such a tool delivers visibility into your network traffic, helping administrators identify the users and applications that are sending the highest amount of traffic and consuming the most bandwidth.
NetFlow vs. NetBeez
So what’s the difference between NetFlow, or comparable protocols, and NetBeez?
These two tools are complementary. Let me explain why:
- NetBeez performs continuous tests and measurements on network and application performance, verifying that users have connectivity and good performance to intranet or cloud applications
- NetFlow data can be analyzed to verify whether a degradation detected by NetBeez is caused by oversubscription of network bandwidth
When NetBeez detects a performance degradation issue in the network, NetFlow helps identify the user or application that is saturating the network.
Let’s take for example the case where a PING test in NetBeez is alerting that the round trip time to one target has increased. The network administrator can immediately inspect the NetBeez traceroute data associated with that target and see on which segment of the network path between the source (the monitoring sensor) and the destination (the target) the performance degradation is occurring. Once the network administrator has identified, from the traceroute data, the hop (router) that is introducing the increased round trip time of the PING test, they can then verify whether the interfaces of that router are oversubscribed by user traffic. In that case, the network administrator could remedy the situation by implementing Quality of Service to prioritize business-sensitive applications or by increasing the link capacity of that specific network segment.
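As an added example (not NetBeez’s or Cisco’s code), here is a small Python model of the exporter/collector pipeline described earlier and of the last step of the troubleshooting scenario above: it aggregates constructed sample packets into flow records keyed by the seven NetFlow fields listed in the article, ranks top talkers, and checks per-ingress-interface utilization against an assumed link capacity and export interval to flag the interfaces worth inspecting.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample packets (not a real capture), one tuple per packet:
# (ingress interface, src IP, dst IP, IP protocol, src port, dst port, ToS, bytes)
PACKETS = [
    ("Gi0/1", "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 1500),
    ("Gi0/1", "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 1500),
    ("Gi0/1", "10.0.0.5", "203.0.113.10", 6, 51000, 443, 0, 1500),
    ("Gi0/1", "10.0.0.7", "203.0.113.10", 6, 51001, 443, 0, 600),
    ("Gi0/2", "10.0.1.9", "198.51.100.4", 17, 40000, 53, 0, 80),
    ("Gi0/2", "10.0.1.9", "198.51.100.4", 17, 40001, 53, 0, 80),
    ("Gi0/2", "10.0.0.7", "198.51.100.4", 6, 51002, 80, 0, 400),
]

@dataclass
class FlowRecord:
    packets: int = 0
    bytes: int = 0

def aggregate_flows(packets):
    """Exporter side: fold packets into flow records keyed by the seven
    NetFlow key fields (interface, addresses, protocol, ports, ToS)."""
    flows = defaultdict(FlowRecord)
    for iface, src, dst, proto, sport, dport, tos, size in packets:
        rec = flows[(iface, src, dst, proto, sport, dport, tos)]
        rec.packets += 1
        rec.bytes += size
    return dict(flows)

def top_talkers(flows, n=3):
    """Collector side: source addresses ranked by total bytes sent."""
    totals = defaultdict(int)
    for (_iface, src, *_rest), rec in flows.items():
        totals[src] += rec.bytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def interface_utilization(flows, capacity_bytes_per_sec, interval_sec):
    """Bytes seen per ingress interface divided by what the link could carry
    during the export interval; capacity and interval are assumed inputs."""
    per_iface = defaultdict(int)
    for (iface, *_rest), rec in flows.items():
        per_iface[iface] += rec.bytes
    budget = capacity_bytes_per_sec * interval_sec
    return {iface: total / budget for iface, total in per_iface.items()}

def saturated_interfaces(utilization, threshold=0.9):
    """Interfaces whose utilization crosses the threshold, i.e. the ones to
    inspect when a PING/traceroute alert points at this router."""
    return sorted(i for i, u in utilization.items() if u >= threshold)
```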
I hope that this article was helpful in explaining the difference between passive and active network monitoring tools. If you would like to learn more about NetBeez, feel free to request a demo.