Flow Monitor Sources

Flow Sources

Flow Monitor acts as a flow collector and analyzer, providing a central location for the collection, summarization, storage and analysis of network traffic data. This network traffic data is captured as flow data, and is provided by network monitoring protocols implemented on network devices throughout the network.

Flow sources use one of the following supported network monitoring protocols to send flow data to Flow Monitor.

• NetFlow. A network protocol developed by Cisco Systems and later adopted as an IETF informational standard for collecting IP traffic information. Flow Monitor supports NetFlow versions 1, 5, and 9 as well as Flexible NetFlow, which is based on NetFlow v9. Flexible NetFlow is often used to support Cisco's Network Based Application Recognition (NBAR) technology.
• sFlow. A network monitoring technology that provides IP traffic information using packet sampling. Flow Monitor supports sFlow versions 2 and 5.
• JFlow. A network protocol developed by Juniper to run on the JUNOSe for collecting IP traffic flow statistics.
• IPFIX. An IETF informational standard developed to create a non-proprietary network protocol that is compatible with NetFlow.

A network flow is a unidirectional sequence of packets that have the following characteristics in common:

• Source IP address and port number
• Destination IP address and port number
• IP Protocol
• Ingress interface
• IP Type of Service (ToS)

Flow sources that utilize these network protocols provide detailed data about individual flows to Flow Monitor using flow records. An example of the types of information that can be contained in a flow record are:

• Version numbers
• Sequence numbers
• Input and output interface indices
• Timestamps for the flow start and finish time, in milliseconds since the last boot.
• Number of bytes and packets observed in the flow
• Layer 3 headers including:
  • Source & destination IP addresses
  • Source and destination port numbers
  • IP protocol
  • Type of Service (ToS) value
• The union of all TCP flags observed over the life of the flow (TCP flows).
• Layer 3 Routing information, including:
  • IP address of the immediate next-hop along the route to the destination
  • Source and destination IP masks (prefix lengths in CIDR notation)

SNMP Polling

While Flow Monitor normally receives flow data from a flow source, it can also poll a source using SNMP to gather data from a network device. Flow Monitor can actively poll a source for the following data:

• Total interface traffic. Provides summary data for incoming and outgoing interface traffic.
• NBAR information. Provides summary data for each application identified using Cisco Systems Network Based Application Recognition (NBAR) technology.
• CBQoS information. Provides summary data for each class in the Quality of Service class map for the interface.

See Also Configuring WhatsUp Flow Monitor Monitoring traffic on non-standard ports Classifying traffic that is considered unclassified Configuring data roll-up intervals Managing users and user rights Setting the logging level Backing up and restoring the Flow Monitor databases Stopping or restarting the collector Using Flow Groups