Building a Better NetFlow
Cristian Estan
Department of Computer Science and Engineering
University of California, San Diego
Ken Keys
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego
David Moore
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
and Department of Computer Science and Engineering
University of California, San Diego
George Varghese
Department of Computer Science and Engineering
University of California, San Diego
Network operators need to determine the composition of the traffic
mix on links when looking for dominant applications or users, or
when estimating traffic matrices. Cisco's NetFlow has evolved into a
solution that satisfies this need by reporting flow records that
summarize a sample of the traffic traversing the link. But sampled
NetFlow has shortcomings that hinder the collection and analysis
of traffic data. First, during flooding attacks, router memory and
network bandwidth consumed by flow records can increase beyond what
is available; second, selecting the right static sampling rate is
difficult because no single rate gives the right tradeoff of memory
use versus accuracy for all traffic mixes; third, the heuristics
routers use to decide when a flow is reported are a poor match to
most applications that work with time bins; finally, it is impossible
to estimate without bias the number of active flows for aggregates
with non-TCP traffic.
In this paper we propose Adaptive NetFlow, deployable through an
update to router software, which addresses many shortcomings of
NetFlow by dynamically adapting the sampling rate to achieve
robustness without sacrificing accuracy. To enable counting of
non-TCP flows, we propose an optional Flow Counting Extension that
requires augmenting existing hardware at routers. Both our proposed
solutions readily provide descriptions of the traffic of progressively
smaller sizes. Transmitting these at progressively higher levels
of reliability allows graceful degradation of the accuracy of traffic
reports in response to network congestion on the reporting path.
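
The following sketch is an added illustration, not code from the paper or from any router implementation. It contrasts a static sampling rate with a rate that adapts under a flood. The halving-and-thinning rule, the names `measure`, `estimated_packets` and `constructed_trace`, and the trace itself are assumptions made for this example, not the paper's algorithm.

```python
import random

def measure(packets, cap=None, rate=0.1, seed=1):
    """Sample packets into a flow table; return (table, final_rate, peak_entries).

    cap=None models a static sampling rate. With a cap (assumed scheme), the
    rate is halved and existing counters are thinned whenever the table
    outgrows the cap.
    """
    rng = random.Random(seed)
    table, peak = {}, 0
    for flow in packets:
        if rng.random() >= rate:
            continue                      # packet not sampled
        table[flow] = table.get(flow, 0) + 1
        while cap is not None and len(table) > cap:
            rate /= 2                     # adapt: sample half as often
            for key in list(table):
                # Keep each counted packet with probability 1/2, so counters
                # look as if the lower rate had been in use from the start.
                kept = sum(rng.random() < 0.5 for _ in range(table[key]))
                if kept:
                    table[key] = kept
                else:
                    del table[key]
        peak = max(peak, len(table))
    return table, rate, peak

def estimated_packets(table, rate):
    """Scale the sampled counts back up by the sampling rate."""
    return sum(table.values()) / rate

def constructed_trace(seed=7):
    """Constructed input: 50 normal flows of 2000 packets each, mixed with
    a flood of 20000 single-packet flows."""
    rng = random.Random(seed)
    packets = [("normal", i) for i in range(50) for _ in range(2000)]
    packets += [("flood", i) for i in range(20000)]
    rng.shuffle(packets)
    return packets

if __name__ == "__main__":
    trace = constructed_trace()
    for label, cap in (("static", None), ("adaptive", 500)):
        table, rate, peak = measure(trace, cap=cap)
        print(label, "peak entries:", peak, "final rate:", rate,
              "estimated packets:", round(estimated_packets(table, rate)))
```

With the static rate, the flow table grows with the number of flood flows. With the cap, the table stays bounded and the total packet estimate remains close to the true 120000.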