Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2004 : betternetflow
Building a Better NetFlow
C. Estan, K. Keys, D. Moore, and G. Varghese, "Building a Better NetFlow", in SIGCOMM, Sep 2004, pp. 245--256.

An extended version of this paper is available as a technical report.

|   View full paper:    PDF    gzipped postscript    Related Presentation    Slides    |  Citation:    BibTeX   |

Building a Better NetFlow

Cristian Estan 2
Ken Keys 1
David Moore 1, 2
George Varghese 2

CAIDA, San Diego Supercomputer Center, University of California San Diego


Department of Computer Science and Engineering,
University of California, San Diego

Network operators need to determine the composition of the traffic mix on links when looking for dominant applications, users, or estimating traffic matrices. Cisco's NetFlow has evolved into a solution that satisfies this need by reporting flow records that summarize a sample of the traffic traversing the link. But sampled NetFlow has shortcomings that hinder the collection and analysis of traffic data. First, during flooding attacks router memory and network bandwidth consumed by flow records can increase beyond what is available; second, selecting the right static sampling rate is difficult because no single rate gives the right tradeoff of memory use versus accuracy for all traffic mixes; third, the heuristics routers use to decide when a flow is reported are a poor match to most applications that work with time bins; finally, it is impossible to estimate without bias the number of active flows for aggregates with non-TCP traffic.

In this paper we propose Adaptive NetFlow, deployable through an update to router software, which addresses many shortcomings of NetFlow by dynamically adapting the sampling rate to achieve robustness without sacrificing accuracy. To enable counting of non-TCP flows, we propose an optional Flow Counting Extension that requires augmenting existing hardware at routers. Both our proposed solutions readily provide descriptions of the traffic of progressively smaller sizes. Transmitting these at progressively higher levels of reliability allows graceful degradation of the accuracy of traffic reports in response to network congestion on the reporting path.

Keywords: measurement methodology, software/tools
  Last Modified: Wed Oct-11-2017 17:03:51 PDT
  Page URL: