How does the Flow Publisher work?

The Flow Publisher captures packets from network traffic using WinPcap, a packet capture utility. Once captured, the packet header is read and statistics are gathered about the packet. If the packet contains information about a flow that is not active, the gathered statistics are used to create an active flow. Each active flow is placed in the NetFlow Cache and is managed by the NetFlow Cache Manager until the flow expires. After the flow has expired, the flow record is sent to the Exporter for transmission to the NetFlow collector.

[Figure: NetFlow probe block diagram (image not reproduced)]

Packet capture and inspection

The Flow Publisher uses WinPcap to conduct packet capture and inspection. The WinPcap utility provides the Flow Publisher with the ability to capture raw packets and gather statistical information from these packets. The capture interface, the interface where the Flow Publisher captures the network traffic, can be placed in either Normal mode, where only the traffic associated with the interface will be available for capture, or Promiscuous mode, where all of the traffic in the network segment will be available for capture. The statistical information gathered during this process is then used to create flow records which are placed in the NetFlow cache.

Cache management

The NetFlow cache stores active flow records. A flow record is active once it has been created, and remains active until it has expired. While it is active, the flow record is updated with new statistical data as new packets associated with the specific flow are captured and inspected. A flow expires under the following circumstances: when the TCP connection has reached the end of the byte stream (FIN) or has been reset (RST); when the flow has been idle for a specified amount of time; or when the flow is still active but long-lived (flows lasting more than 30 minutes). The timeouts for active and long-lived flows are configurable.
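The cache-management rules above, worked through as an added Python illustration (not the Flow Publisher's own code): a 5-tuple keyed cache that expires a flow on TCP FIN/RST, on an idle timeout, or when it outlives the 30-minute active timeout, driven by a constructed packet trace. The per-packet fields, the 15-second idle default and the exported-record shape are assumptions made for the example.

```python
from dataclasses import dataclass
TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04  # TCP flag bits that end a flow

@dataclass
class Flow:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    flags: int = 0

class NetFlowCache:
    """Active flows keyed by 5-tuple; expired records are handed to `exported`."""
    def __init__(self, idle_timeout=15.0, active_timeout=1800.0):  # assumed defaults
        self.idle_timeout, self.active_timeout = idle_timeout, active_timeout
        self.active, self.exported = {}, []

    def _expire(self, key, reason):
        self.exported.append((reason, key, self.active.pop(key)))

    def sweep(self, now):
        """Expire flows idle too long, or alive longer than the active timeout."""
        for key, f in list(self.active.items()):
            if now - f.last_seen >= self.idle_timeout:
                self._expire(key, "idle")
            elif now - f.first_seen >= self.active_timeout:
                self._expire(key, "long_lived")

    def observe(self, ts, src, dst, sport, dport, proto, length, flags=0):
        self.sweep(ts)  # packets must be fed in timestamp order
        key = (src, dst, sport, dport, proto)
        f = self.active.setdefault(key, Flow(ts, ts))
        f.last_seen, f.packets, f.octets = ts, f.packets + 1, f.octets + length
        f.flags |= flags
        if proto == TCP and f.flags & (FIN | RST):
            self._expire(key, "fin_rst")  # end of byte stream or reset

def run_demo():
    """Constructed packet trace exercising all three expiry conditions."""
    c = NetFlowCache()
    c.observe(0.0, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, 60, 0x02)  # SYN
    c.observe(1.0, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, 1500)      # data
    c.observe(2.0, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, 52, FIN)   # FIN
    c.observe(3.0, "10.0.0.3", "10.0.0.4", 5000, 53, UDP, 80)  # idles out at t=20
    c.observe(20.0, "10.0.0.3", "10.0.0.5", 5001, 53, UDP, 80)
    for t in range(1000, 2830, 10):  # keepalives for more than 30 minutes
        c.observe(float(t), "10.0.0.6", "10.0.0.7", 50000, 22, TCP, 100)
    return c
```

`run_demo()` exports four records, in order: the TCP flow on FIN, the two UDP flows on idle, and the SSH flow once it passes the active timeout (it is re-created for the packets that follow).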

NetFlow record export

Once a NetFlow record has expired, it is placed in a NetFlow datagram for export to the NetFlow collector. The Flow Publisher can export the record to several collectors using any of the supported NetFlow version formats. The currently supported versions are NetFlow v1, v5, and v9.