Requirements for Using NetFlow Data

Before you configure the system to analyze NetFlow data, you must enable the NetFlow feature on the routers or other NetFlow-enabled network devices you plan to use, and configure the devices to broadcast NetFlow data to a destination network where the sensing interface of a managed device is connected.

The system can parse both NetFlow version 5 and NetFlow version 9 records. NetFlow exporters must use one of those versions if you want to export the data to the system. In addition, the system requires that specific fields be present in the exported NetFlow templates and records. If your NetFlow exporters are using version 9, which you can customize, you must make sure that the exported templates and records contain the following fields, in any order:

  • IN_BYTES (1)

  • IN_PKTS (2)

  • PROTOCOL (4)

  • TCP_FLAGS (6)

  • L4_SRC_PORT (7)

  • IPV4_SRC_ADDR (8)

  • L4_DST_PORT (11)

  • IPV4_DST_ADDR (12)

  • LAST_SWITCHED (21)

  • FIRST_SWITCHED (22)

  • IPV6_SRC_ADDR (27)

  • IPV6_DST_ADDR (28)

Because the system uses managed devices to analyze NetFlow data, your deployment must include at least one managed device that can monitor NetFlow exporters. At least one sensing interface on that managed device must be connected to a network where it can collect the exported NetFlow data. Because the sensing interfaces on managed devices do not usually have IP addresses, the system does not support the direct collection of NetFlow records.

Note that the Sampled NetFlow feature available on some network devices collects NetFlow statistics on only a subset of packets that pass through the devices. Although enabling this feature can improve CPU utilization on the network device, it may affect the NetFlow data you are collecting for analysis by the system.