NetFlow
Introduction
NetFlow is a network protocol system that collects active IP network traffic as it flows in or out of an interface. This o11ysource receives NetFlow data as sent by the network devices and gives the insight on traffic flowing through the network.
Getting Started
Compatibility
vuSmartMaps supports monitoring of NetFlow which collects active IP network traffic data as it passes through any network devices like routers, switches, and hosts.
Data Collection Method
vuSmartMaps collects metrics for NetFlow data using an internal data collector. This agent collects data based on the source configuration.
Prerequisites
Inputs for Configuring Data Source
- Host: The IP Address/FQDN of the network devices. This field is the key to identify each devices you add here.
- Scheme: Communication protocol for netflow data.
- Netflow Port: Port to listen for netflow ipfix or sflow packets.
- Protocol: Protocol version to use for decoding
Firewall Requirement
To collect data from this O11ySource, ensure the following ports are opened:
| Source IP | Destination IP | Destination Port | Protocol | Direction |
|---|---|---|---|---|
| vuSmartMaps IP | NetFlow IP | 2055* | TCP | Outbound |
*Before providing the firewall requirements, please update the port based on the customer environment.
Configuring the Target
Users must configure their system to send NetFlow data to a UDP port, from where the logs will be collected by the vuSmartMaps Data Collector via UDP.
Configuration Steps
Enablethe NetFlow O11ySource.- Select the sources tab and press the
+button to add a new instance that has to be monitored. - Provide the required configurations:
- *Host
- *Scheme
- *NetFlow Port
- *Protocol
- Click
Save and Continueto close the data source window.
Metrics Collected
| Name | Description | Data Type |
|---|---|---|
| timestamp | The time the flow was recorded in Unix epoch format or date/time format. | DateTime64(3) |
| tenant_id | Unique identifier of the tenant sending the NetFlow data. | LowCardinality(String) |
| bu_id | Unique identifier of the business unit. | LowCardinality(String) |
| Bandwidth | The amount of data transferred in a specific time window (in bytes or bits per second). | String |
| DeviceIP | The IP address of the device generating the flow. | String |
| LinkName | Name of the link associated with the flow. | String |
| LinkType | Type of link being monitored (e.g., Ethernet, Fiber, etc.). | String |
| LinkUsage | Percentage of link utilization. | String |
| TransPort | Transport layer port used in the communication (TCP/UDP port number). | UInt64 |
| bgp_dst_as | The destination Autonomous System (AS) number in a BGP setup. | UInt64 |
| bgp_src_as | The source Autonomous System (AS) number in a BGP setup. | UInt64 |
| convs_l3 | Number of Layer 3 (IP-level) conversations within the flow. | String |
| convs_l4 | Number of Layer 4 (Transport-level) conversations within the flow (e.g., TCP/UDP sessions). | String |
| correlate_in | The correlation of incoming flows based on various attributes. | String |
| correlate_out | The correlation of outgoing flows based on various attributes. | String |
| DeviceType | Type of the network device generating or receiving the flow (e.g., Router, Switch, Firewall). | String |
| Direction | The direction of the flow relative to the network device (Ingress or Egress). | String |
| DestinationIP | The destination IP address in the flow. | String |
| DestinationPrefixLength | The prefix length of the destination subnet (e.g., /24 for a class C subnet). | UInt64 |
| DestinationPort | The destination port number (Transport layer port) used in the communication (e.g., HTTP is port 80). | UInt64 |
| FirstSwitched | The timestamp of the first switch in the flow (when the flow first started). | UInt64 |
| FlowSampleID | A unique identifier for sampled flow data (when sampling is used). | UInt64 |
| Host | The hostname of the device sending the flow. | String |
| HostIP-InterfaceName | The IP address of the host interface involved in the flow along with its interface name. | String |
| InterfaceAdminStatus | Administrative status of the interface (whether it’s up or down). | String |
| InterfaceAlias | An alias or custom name assigned to the network interface. | String |
| InterfaceDescription | Description of the network interface as configured in the device. | String |
| InterfaceNameInput | Name of the input interface where the flow was received. | String |
| InBandwidthPercentage | Percentage of incoming bandwidth utilized. | Float64 |
| InBytes | Number of bytes received by the network interface during the flow. | UInt64 |
| in_diff_dropped | Number of dropped incoming packets. | UInt64 |
| in_diff_errors | Number of errors on incoming packets. | UInt64 |
| InPackets | Number of packets received by the network interface during the flow. | UInt64 |
| InputSNMP | Input SNMP interface number used in the NetFlow. | UInt64 |
| InterfaceStatus | Current status of the network interface (e.g., up, down). | String |
| IPAddress | The IP address involved in the flow (either source or destination depending on flow type). | String |
| LastSwitched | The timestamp of the last switch in the flow (when the flow ended). | UInt64 |
| Name | Name of the flow record or the flow-exporting device. | String |
| NextHop | IP address of the next hop in the routing path for the flow. | String |
| OutBandwidthPercentage | Percentage of outgoing bandwidth utilized. | Float64 |
| out_diff_dropped | Number of dropped outgoing packets. | UInt64 |
| out_diff_errors | Number of errors on outgoing packets. | UInt64 |
| OutputSNMP | Output SNMP interface number used in the NetFlow. | UInt64 |
| Protocol | Network protocol used in the flow (e.g., TCP, UDP, ICMP). | String |
| Source | Source of the flow (e.g., IP, hostname, or other identifier). | String |
| Speed | Speed of the network interface involved in the flow (in bits per second). | UInt64 |
| SourceIP | The source IP address in the flow. | String |
| SourceHost | The source host generating the flow. | String |
| SourceInstance | Instance name or ID of the source system in the flow. | String |
| SourcePrefixLength | The prefix length of the source subnet (e.g., /24 for a class C subnet). | UInt64 |
| SourcePort | The source port number (Transport layer port) used in the communication. | UInt64 |
| IPClassOfService | IP Type of Service (ToS) value, representing the priority of the packet. | String |
| TCPFlags | TCP flags in the flow (e.g., SYN, ACK, FIN, RST). | String |
| Version | Version of the NetFlow protocol (e.g., NetFlow V5, V9). | String |
| Application | The application protocol used in the flow (e.g., HTTP, DNS, FTP). | String |
| Country Name | The name of the country where the IP address is located. This is often derived from GeoIP or similar geographic data sources. | String |
| Timezone | The timezone of the geographic region associated with the IP address, usually in standard formats like UTC+X. | String |
| Longitude | The geographic longitude of the IP address, which is used for mapping the location on a global scale. | String |
| Latitude | The geographic latitude of the IP address, which helps in pinpointing the location on a map. | String |
