NetFlow

NetFlow is a proprietary accounting technology that is developed by Cisco Systems. NetFlow monitors traffic flows through a switch or router and records, for each flow, the client and server addresses, the protocol, and the ports that are used. It also counts the bytes and packets in the flow, and exports that data to a NetFlow collector.

The process of sending data from NetFlow is often referred to as a NetFlow Data Export (NDE).

IBM® QRadar® accepts NetFlow Data Exports (NDE), so it can function as a NetFlow collector. QRadar supports NetFlow versions 1, 5, 7, and 9.

NetFlow expands the portion of the network that is monitored, but it uses a connectionless transport (UDP) to deliver NDEs. After an NDE is sent from the switch or router, the device purges the flow record, and UDP does not guarantee delivery, so a lost datagram cannot be retransmitted or recovered. As a result, a NetFlow flow source might report inaccurate traffic volumes and incomplete bidirectional flows, and alerting that depends on those flows might be degraded.
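The loss described above can be measured rather than guessed at: the NetFlow v5 header carries a flow_sequence counter (the exporter's running count of flows exported), so a collector can compare each datagram against the sequence it expected and count the flows that never arrived. The following added example, which is not QRadar's collector code, parses constructed v5 NDE datagrams, keeps that per-exporter sequence check, and ingests only from an allow-list of exporter addresses (the collector-side counterpart of the firewall rule the configuration tasks require, since the UDP source address is spoofable). The exporter and flow addresses are assumed sample values.

```python
"""Minimal NetFlow v5 collector (added example, not QRadar's collector code).
It parses NDE datagrams, keeps a per-exporter flow_sequence check so that
dropped UDP exports are counted instead of silently missed, and ingests only
from an allow-list of exporters. All datagrams are constructed inline."""
import struct
from ipaddress import IPv4Address

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
MAX_V5_RECORDS = 30  # a v5 export carries at most 30 flow records


def parse_v5(datagram):
    """Return (header, records) for one NDE datagram; ValueError if malformed."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % header["version"])
    expected_len = V5_HEADER.size + header["count"] * V5_RECORD.size
    if header["count"] > MAX_V5_RECORDS or len(datagram) != expected_len:
        raise ValueError("count %d does not match %d-byte datagram"
                         % (header["count"], len(datagram)))
    records = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        records.append(rec)
    return header, records


class V5Collector:
    """flow_sequence is the exporter's running count of flows exported, so the
    next datagram must start at previous flow_sequence + count. A larger value
    means datagrams, and the flows in them, were lost on the wire; a smaller
    one is a late or duplicate datagram."""

    def __init__(self, allowed_exporters):
        self.allowed = set(allowed_exporters)  # collector-side exporter allow-list
        self.next_seq = {}     # exporter -> flow_sequence expected next
        self.lost_flows = {}   # exporter -> flows that never arrived
        self.rejected = 0      # datagrams from exporters not in the allow-list
        self.late = 0          # out-of-order or duplicate datagrams

    def ingest(self, exporter, datagram):
        if exporter not in self.allowed:   # the UDP source address is spoofable
            self.rejected += 1
            return []
        header, records = parse_v5(datagram)
        seq, count = header["flow_sequence"], header["count"]
        expected = self.next_seq.get(exporter)
        if expected is not None:
            gap = (seq - expected) & 0xFFFFFFFF      # 32-bit counter, may wrap
            if gap >= 0x80000000:                    # negative: late/duplicate
                self.late += 1
                return records
            if gap:
                self.lost_flows[exporter] = self.lost_flows.get(exporter, 0) + gap
        self.next_seq[exporter] = (seq + count) & 0xFFFFFFFF
        return records


def build_v5_export(flow_sequence, flows):
    """Constructed sample NDE. Each flow is
    (src, dst, srcport, dstport, proto, packets, octets, tcp_flags)."""
    body = b"".join(
        V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, packets, octets, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, packets, octets, flags in flows)
    header = V5_HEADER.pack(5, len(flows), 123456, 1700000000, 0,
                            flow_sequence, 0, 0, 0)
    return header + body


def demo():
    """Exporter 10.0.0.1 (assumed address) sends three exports; the second is
    lost in transit, and a fourth arrives from an address that is not allowed."""
    collector = V5Collector(allowed_exporters={"10.0.0.1"})
    exports = [
        build_v5_export(0, [("192.0.2.10", "198.51.100.5", 51234, 443, 6, 12, 3400, 0x1B)]),
        build_v5_export(1, [("192.0.2.11", "198.51.100.5", 51235, 443, 6, 5, 900, 0x1B),
                            ("192.0.2.12", "198.51.100.53", 5353, 53, 17, 1, 78, 0)]),
        build_v5_export(3, [("192.0.2.13", "198.51.100.5", 51236, 22, 6, 20, 5100, 0x1B)]),
    ]
    flows = collector.ingest("10.0.0.1", exports[0])
    flows += collector.ingest("10.0.0.1", exports[2])     # exports[1] never arrives
    flows += collector.ingest("203.0.113.9", exports[1])  # unknown exporter, dropped
    return collector, flows


if __name__ == "__main__":
    c, f = demo()
    print(len(f), "flows;", c.lost_flows, "lost;", c.rejected, "rejected")
```

The gap is measured in flows, not datagrams, because flow_sequence advances by the record count of each export; a persistently growing lost_flows value for one exporter is the signal that the traffic volumes and bidirectional flows shown for that source are incomplete.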

For more information about NetFlow, see the Cisco web site (http://www.cisco.com).

NetFlow flow source configuration

When you configure an external flow source for NetFlow, you must complete the following tasks:
  • Make sure that the appropriate firewall rules are configured.

    If you change the External Flow Source Monitoring Port parameter in the Flow Collector configuration, you must also update your firewall access configuration so that the exporters can reach the new port.

  • Make sure that the appropriate ports are configured for your Flow Collector.

NetFlow flow source template

IBM suggests that, at minimum, the following fields are included in the NetFlow flow source template:
  • FIRST_SWITCHED
  • LAST_SWITCHED
  • PROTOCOL
  • IPV4_SRC_ADDR
  • IPV4_DST_ADDR
  • L4_SRC_PORT
  • L4_DST_PORT
  • IN_BYTES or OUT_BYTES
  • IN_PKTS or OUT_PKTS
  • TCP_FLAGS (TCP flows only)
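In NetFlow v9 the exporter describes its record layout in a template flowset, and data flowsets can only be decoded once that template has been received, so a template that omits one of the fields above leaves the collector unable to populate the corresponding flow attributes. The following added example, which is not QRadar's code, decodes template and data flowsets from a constructed v9 export and checks a received template against the minimum field list; the numeric field type IDs are the standard NetFlow v9 values, and the source ID, template ID and addresses are assumed sample values.

```python
"""NetFlow v9 template handling (added example, not QRadar's code). Decodes
template and data flowsets from a constructed export and checks whether a
template carries the minimum fields listed above."""
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type IDs for the fields in the minimum template.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT",
               12: "IPV4_DST_ADDR", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED",
               23: "OUT_BYTES", 24: "OUT_PKTS"}
# Minimum template: each group must be satisfied by at least one member.
REQUIRED = [{"FIRST_SWITCHED"}, {"LAST_SWITCHED"}, {"PROTOCOL"},
            {"IPV4_SRC_ADDR"}, {"IPV4_DST_ADDR"}, {"L4_SRC_PORT"},
            {"L4_DST_PORT"}, {"IN_BYTES", "OUT_BYTES"}, {"IN_PKTS", "OUT_PKTS"}]

V9_HEADER = struct.Struct("!HHIIII")   # version, count, uptime, secs, seq, source_id
FLOWSET_HDR = struct.Struct("!HH")     # flowset_id, length (includes this header)


def missing_fields(fields):
    """Return the REQUIRED groups that a template (list of (type, length)) lacks."""
    present = {FIELD_NAMES.get(ftype, ftype) for ftype, _ in fields}
    return [sorted(group) for group in REQUIRED if not group & present]


def decode_record(raw, fields):
    """Decode one fixed-length data record according to its template."""
    rec, pos = {}, 0
    for ftype, flen in fields:
        chunk, pos = raw[pos:pos + flen], pos + flen
        name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
        if ftype in (8, 12) and flen == 4:
            rec[name] = str(IPv4Address(chunk))
        else:
            rec[name] = int.from_bytes(chunk, "big")
    return rec


def parse_v9(datagram, templates):
    """Parse one v9 export. `templates` maps (source_id, template_id) to a
    field list and is updated in place, because data flowsets can only be
    decoded after the template that describes them has arrived."""
    version, _count, _uptime, _secs, _seq, source_id = V9_HEADER.unpack_from(datagram, 0)
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    flows, undecodable, offset = [], 0, V9_HEADER.size
    while offset + FLOWSET_HDR.size <= len(datagram):
        fs_id, fs_len = FLOWSET_HDR.unpack_from(datagram, offset)
        if fs_len < FLOWSET_HDR.size or offset + fs_len > len(datagram):
            raise ValueError("bad flowset length %d" % fs_len)
        body = datagram[offset + FLOWSET_HDR.size:offset + fs_len]
        if fs_id == 0:                       # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256:                # trailing zero padding, not a template
                    break
                pos += 4
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                   # data flowset keyed by template id
            fields = templates.get((source_id, fs_id))
            if not fields:
                undecodable += 1             # template not seen yet: cannot decode
            else:
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):   # leftover bytes are padding
                    flows.append(decode_record(body[pos:pos + rec_len], fields))
                    pos += rec_len
        offset += fs_len
    return flows, undecodable


def build_sample(with_counters=True, include_template=True):
    """Constructed v9 export from source_id 7: template 256 plus one data record."""
    fields = [(22, 4), (21, 4), (4, 1), (8, 4), (12, 4), (7, 2), (11, 2), (6, 1)]
    rec = (struct.pack("!IIB", 1000, 2500, 6) + IPv4Address("192.0.2.10").packed
           + IPv4Address("198.51.100.5").packed + struct.pack("!HHB", 51234, 443, 0x18))
    if with_counters:
        fields += [(1, 4), (2, 4)]
        rec += struct.pack("!II", 3400, 12)
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = FLOWSET_HDR.pack(0, FLOWSET_HDR.size + len(tmpl)) + tmpl
    pad = (-len(rec)) % 4                    # flowsets are padded to a 4-byte boundary
    data_fs = FLOWSET_HDR.pack(256, FLOWSET_HDR.size + len(rec) + pad) + rec + b"\0" * pad
    header = V9_HEADER.pack(9, 2 if include_template else 1, 123456, 1700000000, 1, 7)
    return header + (tmpl_fs if include_template else b"") + data_fs


def demo():
    templates = {}
    flows, undecodable = parse_v9(build_sample(), templates)
    return flows, undecodable, missing_fields(templates[(7, 256)])
```

Running demo() decodes the record fully and reports no missing groups; building the sample with with_counters=False makes missing_fields() report the byte and packet counter groups, and feeding the data flowset alone (include_template=False) to a fresh template table yields no flows and one undecodable flowset, which is what a collector sees until the exporter's next template refresh.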

Supported fields

The following lists show some of the field types that are supported for NetFlow flow sources.

VLAN fields
The following VLAN fields are supported for NetFlow:
  • vlanId (IANA Element ID 58)
  • postVlanId (IANA Element ID 59)
  • dot1qVlanId (IANA Element ID 243)
  • dot1qPriority (IANA Element ID 244)
  • dot1qCustomerVlanId (IANA Element ID 245)
  • dot1qCustomerPriority (IANA Element ID 246)
  • postDot1qVlanId (IANA Element ID 254)
  • postDot1qCustomerVlanId (IANA Element ID 255)
  • dot1qDEI (IANA Element ID 388)
  • dot1qCustomerDEI (IANA Element ID 389)

MAC address fields
The following MAC address fields are supported for NetFlow:
  • sourceMacAddress (IANA Element ID 56)
  • postDestinationMacAddress (IANA Element ID 57)
  • destinationMacAddress (IANA Element ID 80)
  • postSourceMacAddress (IANA Element ID 81)

For more information about each field, see the IANA information element assignments at IP Flow Information Export (IPFIX) Entities (https://www.iana.org/assignments/ipfix/ipfix.xhtml).