Netflow Traffic — Analysis [new]

NetFlow v9 and IPFIX are template-based and can include additional fields (TCP flags, AS numbers, MPLS labels, etc.). 3. Deployment Architecture A standard NetFlow analysis stack consists of three components:

| Panel | Purpose | Alert Threshold | |-------|---------|----------------| | Top Talkers (IPs) | Identify bandwidth hogs | >200 Mbps for >10 min | | Top Applications (by port & protocol) | Unusual app usage | Non-standard ports >10% of total | | Conversation Matrix | East-West traffic visibility | Unusual server-to-server chatter | | Protocol Distribution | TCP/UDP/ICMP ratio | >5% ICMP (possible scanning) | | Asymmetric Routing Flag | Flows with mismatched interfaces | >1% of total flows | | DDoS Signature (Flood) | Single IP with >10k flows/min | Threshold per interface | | Feature | Full NetFlow (All flows) | Sampled NetFlow (1 in N packets) | |---------|--------------------------|----------------------------------| | Accuracy | 100% | ~1/N probability of missing flows | | CPU load on router | High (10-20%) | Low (1-3%) | | Storage required | Very high | Low | | Security use (C2 detection) | ✅ Yes | ❌ Risky (can miss beacons) | | Bandwidth top-N reporting | ✅ Yes | ✅ Acceptable | netflow traffic analysis

| Field | Description | Example | |-------|-------------|---------| | Source IP | Where traffic originates | 192.168.1.100 | | Destination IP | Target of communication | 8.8.8.8 | | Source Port | Application on source | 54322 (ephemeral) | | Destination Port | Service on destination | 443 (HTTPS) | | Protocol | Layer 4 protocol | TCP (6), UDP (17) | | Packets & Bytes | Volume of transfer | 1,200 packets / 1.4 MB | | Timestamps (Start/End) | Flow duration | 14:32:10.100 – 14:32:10.950 | NetFlow v9 and IPFIX are template-based and can

Use IPFIX (vendor-agnostic) for new deployments. Report prepared by: [Your Name/Team] For questions or hands-on workshop: Contact Network Observability Team End of Report Report prepared by: [Your Name/Team] For questions or

Implementing NetFlow analysis transforms a reactive, "black box" network into a measurable, observable system. It is essential for capacity planning, security incident detection, and troubleshooting performance issues.