NetFlow architecture

NetFlow as a protocol provides a means of collecting flow data from a network device and forwarding that data to a collector. This flow data must be captured from the network traffic, converted to a standard NetFlow record format, exported to a collector for aggregation, and then analyzed by the proper application to provide information useful in the analysis, planning and management of the network.

To capture, transmit and analyze NetFlow data the following NetFlow enabled components must be in place:

• NetFlow exporter – observes packet data and creates records from the monitored network traffic and transmits that data to the NetFlow collector.
• NetFlow collector – collects the records sent from the exporter, stores them in a local database and forwards the records to an analyzer.
• NetFlow analyzer – analyzes the NetFlow records for information of interest, which may include bandwidth usage, policy adherence, and forensic research.

The exporter can be either an included function of the network device, such as the NetFlow export functionality on Cisco routers, or it can be an external publisher configured to monitor one or more interfaces on the device, such as the WhatsUp Flow Publisher.

The collector and analyzer can be a single product, or may be implemented by two or more products. An example of a collector and analyzer is the WhatsUp Flow Monitor coupled with Ipswitch WhatsUp Gold to provide real-time monitoring, alerting, and forensic analysis to flow data captured by the WhatsUp Flow Publisher.