• HOME
  • About
  • Conference Calendar
  • Jobs
  • Legal Agreements
  • Staff
  • Joining CAIDA
  • How-To
  • Program Plan
• RESEARCH
  • Routing
  • Topology
  • DNS
  • Security
  • Traffic Analysis
  • Policy
  • Visualization
• DATA
  • Overview
  • Data Sharing
  • How-to
  • Papers using CAIDA Data
• TOOLS
  • Measurement
  • Taxonomy
  • Utilities
  • Visualization
• PUBLICATIONS
  • Papers
  • Presentations
  • Animations
  • Visualizations
  • Bibliography
  • Posters
• WORKSHOPS
  • ISMA
  • WIDE
  • External
  • Archive
• PROJECTS
  • Macroscopic Topology
  • PREDICT
  • Day in the Life
  • IMDC
  • Ark
  • Network Telescope
  • Coralreef
  • IIC Wiki
  • COMMONS
  • IPNC
• FUNDING
  • Cybersecurity
  • Cisco
  • CONMI
  • DNS-ITR
  • NeTS-FIND
  • PREDICT
  • WIDE
  • Program Plan

Building a Better NetFlow

Cristian Estan
Department of Computer Science and Engineering
University of California, San Diego

Ken Keys
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center,
University of California, San Diego

David Moore
Cooperative Association for Internet Data Analysis - CAIDA
San Diego Supercomputer Center
and Department of Computer Science and Engineering
University of California, San Diego

George Varghese
Department of Computer Science and Engineering
University of California, San Diego

Network operators need to determine the composition of the traffic mix on links when looking for dominant applications, users, or estimating traffic matrices. Cisco's NetFlow has evolved into a solution that satisfies this need by reporting flow records that summarize a sample of the traffic traversing the link. But sampled NetFlow has shortcomings that hinder the collection and analysis of traffic data. First, during flooding attacks router memory and network bandwidth consumed by flow records can increase beyond what is available; second, selecting the right static sampling rate is difficult because no single rate gives the right tradeoff of memory use versus accuracy for all traffic mixes; third, the heuristics routers use to decide when a flow is reported are a poor match to most applications that work with time bins; finally, it is impossible to estimate without bias the number of active flows for aggregates with non-TCP traffic.

In this paper we propose Adaptive NetFlow, deployable through an update to router software, which addresses many shortcomings of NetFlow by dynamically adapting the sampling rate to achieve robustness without sacrificing accuracy. To enable counting of non-TCP flows, we propose an optional Flow Counting Extension that requires augmenting existing hardware at routers. Both our proposed solutions readily provide descriptions of the traffic of progressively smaller sizes. Transmitting these at progressively higher levels of reliability allows graceful degradation of the accuracy of traffic reports in response to network congestion on the reporting path.