A NetFlow-enabled device, such as a router, switch, or firewall, acts as the exporter. It tracks packets passing through its interfaces and groups them into "flows": unidirectional streams of packets sharing key attributes like source/destination IP, ports, and protocol.

A flow is defined as a unidirectional sequence of packets sharing the same key fields. The standard 5-tuple key consists of the source IP, destination IP, source port, destination port, and protocol.

| Protocol | Typical Export | Key Characteristics |
|----------|----------------|---------------------|
| | UDP | Fixed format, IPv4 only. Still widely used on legacy hardware. Lacks templates. |
| NetFlow v9 | UDP | Template-based, supports IPv6, MPLS, and custom fields. Foundation for IPFIX. |
| IPFIX | UDP/TCP/SCTP | IETF standard (RFC 7011-7015). Essentially NetFlow v9 with enterprise-specific extensions and reliable transport options. |
| sFlow | UDP | Packet sampling (not flow-based). A single datagram can contain multiple flow samples and counter samples. Different architecture. |
| J-Flow / NetStream | UDP | Juniper and Huawei variants, typically v5 or v9 compatible. |

The NetFlow collection engine receives the exported records and translates the binary flow data into readable text or numeric formats.

Raw flow data grows at petabytes per year in large enterprises, so collection engines employ several techniques to stay lean. Raw flow records are also noisy. Ingest filters discard unwanted traffic (e.g., internal ICMP), and aggregation merges multiple consecutive flows with identical key fields into a single "binned" record (e.g., 5-minute aggregates). Consolidating similar flow records and filtering out irrelevant data in this way drastically reduces storage needs.

The engine stores the resulting data in high-performance databases (SQL or flat files) to ensure rapid retrieval during troubleshooting. The choice of storage backend defines the engine's query capability.

Benefits for Modern Networks
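The following Python is an added example, not code from the page or from any collector product. It shows the two engine stages described above in one pass: decoding a fixed-format exporter datagram into readable 5-tuple records, then applying an ingest filter (internal ICMP) and 5-minute binning by flow key. It assumes the NetFlow version 5 wire layout for the fixed-format, template-less export in the table's first row (the page does not name that version); the 10.0.0.0/8 "internal" range, the sample flows, and all function names are constructed for the demonstration.

```python
import ipaddress
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# NetFlow v5 wire layouts in network byte order: 24-byte header, 48-byte records.
# (Assumed layout for the table's fixed-format, template-less export.)
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

FlowKey = Tuple[str, str, int, int, int]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed "internal" address range


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    octets: int
    start_s: int  # flow start as unix seconds, derived from header time + uptime

    @property
    def key(self) -> FlowKey:
        """The standard 5-tuple flow key."""
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.protocol)


def parse_v5_datagram(data: bytes) -> List[FlowRecord]:
    """Translate one binary exporter datagram into readable records.

    Length and version are checked before any record is trusted, so a short
    or foreign datagram is rejected instead of producing garbage records."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, uptime_ms, unix_secs, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        raise ValueError(f"truncated datagram: need {needed} bytes, got {len(data)}")
    # Export time minus uptime gives device boot time; flow start = boot + first_ms.
    boot_s = unix_secs - uptime_ms // 1000
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            src_ip=socket.inet_ntoa(f[0]), dst_ip=socket.inet_ntoa(f[1]),
            src_port=f[9], dst_port=f[10], protocol=f[13],
            packets=f[5], octets=f[6], start_s=boot_s + f[7] // 1000))
    return records


def is_internal_icmp(rec: FlowRecord) -> bool:
    """Ingest filter from the text: ICMP (protocol 1) between two internal hosts."""
    return rec.protocol == 1 and all(
        ipaddress.ip_address(ip) in INTERNAL for ip in (rec.src_ip, rec.dst_ip))


def aggregate(records: Iterable[FlowRecord],
              bin_s: int = 300) -> Dict[Tuple[int, FlowKey], Tuple[int, int]]:
    """Drop filtered flows and merge flows with identical keys that start in the
    same time bin (default 5 minutes). Returns {(bin_start, key): (packets, octets)}."""
    bins: Dict[Tuple[int, FlowKey], List[int]] = defaultdict(lambda: [0, 0])
    for rec in records:
        if is_internal_icmp(rec):
            continue
        slot = (rec.start_s - rec.start_s % bin_s, rec.key)
        bins[slot][0] += rec.packets
        bins[slot][1] += rec.octets
    return {slot: (v[0], v[1]) for slot, v in bins.items()}


def build_v5_datagram(flows, uptime_ms=600_000, unix_secs=1_700_000_000) -> bytes:
    """Construct a sample exporter datagram for offline testing (not a capture)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       pk, oc, first_ms, first_ms + 50, sp, dp, 0, 0x18, pr, 0,
                       0, 0, 24, 24, 0)
        for (s, d, sp, dp, pr, pk, oc, first_ms) in flows)
    return header + body


# Constructed sample: three TCP flows with one key (two in one 5-minute bin,
# one in the next) plus an internal ICMP flow that the filter should drop.
SAMPLE_FLOWS = [
    # src, dst, sport, dport, proto, pkts, octets, first_ms (exporter uptime)
    ("10.1.1.5", "198.51.100.7", 51000, 443, 6, 10, 4000, 10_000),
    ("10.1.1.5", "198.51.100.7", 51000, 443, 6, 5, 2000, 40_000),
    ("10.1.1.5", "198.51.100.7", 51000, 443, 6, 7, 3500, 400_000),
    ("10.1.1.5", "10.2.2.2", 0, 2048, 1, 3, 180, 20_000),
]

if __name__ == "__main__":
    recs = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS))
    for (bin_start, key), (pkts, octs) in sorted(aggregate(recs).items()):
        src, dst, sp, dp, proto = key
        print(f"{bin_start} {src}:{sp} -> {dst}:{dp} proto={proto} pkts={pkts} bytes={octs}")
```

Running the module prints two binned rows (15 packets / 6000 bytes, then 7 / 3500) instead of four raw records; the internal ICMP flow never reaches storage. The length and version checks in `parse_v5_datagram` are the part a collector must not skip: UDP export carries no integrity guarantee, so a short or malformed datagram should be rejected outright rather than decoded partially.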