
What is the difference between NetFlow protocols and Real-Time Capture

a.guillen
Level 1

Hi Gurus,

Please let me know (a link would be excellent) the difference between capturing traffic in real time (using a SPAN port) and exporting traffic with the NetFlow protocol.

When I capture traffic and analyze it (using Wireshark or tcpdump) in real time I see all the data in detail, but in NetFlow I see statistics?

Any other tip or link that could explain this in detail, please?

3 Replies

Seb Rupik
VIP Alumni

Hi there,

NetFlow is typically used to sample network streams, i.e. taking 1 out of every 100 packets. As the name suggests, it is interested in flows of data: source and destination, what protocol is being used, for how long, and how much data was passed.

It is good for providing an overview of what exactly your network is being used for and for highlighting possible chokepoints: popular destinations or sources which account for a high volume of data and which are all accessible via a particular uplink.

Real-time packet capture, as you note, is interested in each and every packet on the wire as it goes past, including the data payload. It can be used for troubleshooting network services, as you have the ability (dependent on the protocol being used) to inspect what exactly is being requested and what is being sent.

cheers,

Seb.

Don Jacob
Level 1

Capturing packets via a SPAN port and inspecting them with Wireshark or any pcap analysis tool is looking at actual datagrams - the details are much more in-depth and you are not missing anything. You see the actual IP conversations.

NetFlow captures the header information from each of the IP conversations traversing your networking device and allows flow analysis tools to decipher them and display the results. With NetFlow, each IP conversation is represented in a flow with information about its source and destination IP address, port numbers, protocol, ToS, etc. Now remember, NetFlow is not all sampled - it captures all the IP conversation information. There is also sampled NetFlow, like Seb stated in the previous reply, but not all NetFlow is sampled. You can enable sampling to capture 1 in 100 packets or 1 in x packets.

A simpler way to put it is to consider a phone call. Packet capture is like knowing who called whom, how they called, what they used, when they called, and also getting to know what they talked about.

NetFlow is like your phone bill - you know who called whom, when it happened, how long they talked, etc., but you do not know what they talked about.

If you have a resource intensive network, capture NetFlow from all the nodes and do spanning from the most important interfaces.

Regards,
Don Thomas Jacob
Head Geek @ SolarWinds
http://www.solarwinds.com/netflow-traffic-analyzer.aspx

NOTE: Please rate and close questions if you found any of the answers helpful.
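The difference described in the replies above, as an added example that is not part of either reply: a simplified flow exporter that aggregates packets on the header fields Don lists (addresses, ports, protocol, ToS), next to what a full capture keeps. The names `Packet`, `export_flows` and `full_capture` and all packet values are constructed for illustration; real exporters also apply timeouts and more key fields.

```python
from collections import namedtuple

# Constructed sample packets (not from a real capture): ts in seconds, length in bytes.
Packet = namedtuple("Packet", "ts src dst sport dport proto tos length payload")

PACKETS = [
    Packet(0.00, "10.0.0.5", "192.0.2.10", 51000, 80, "tcp", 0, 420, b"GET /login HTTP/1.1"),
    Packet(0.05, "192.0.2.10", "10.0.0.5", 80, 51000, "tcp", 0, 1500, b"HTTP/1.1 200 OK"),
    Packet(0.10, "10.0.0.5", "192.0.2.10", 51000, 80, "tcp", 0, 380, b"POST /login HTTP/1.1"),
    Packet(0.20, "10.0.0.7", "198.51.100.53", 40000, 53, "udp", 0, 72, b"dns query"),
    Packet(0.30, "192.0.2.10", "10.0.0.5", 80, 51000, "tcp", 0, 900, b"HTTP/1.1 302 Found"),
]


def export_flows(packets, sample_every=1):
    """Aggregate packets into unidirectional flow records keyed on header fields.

    sample_every=1 accounts for every packet (unsampled NetFlow);
    sample_every=N looks at only every Nth packet (deterministic 1-in-N sampling).
    """
    flows = {}
    for index, pkt in enumerate(packets):
        if index % sample_every != 0:
            continue  # packet not selected by the sampler
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto, pkt.tos)
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": pkt.ts, "last": pkt.ts})
        rec["packets"] += 1
        rec["bytes"] += pkt.length
        rec["last"] = pkt.ts
        # pkt.payload is never read: the flow record has no field to hold it.
    return flows


def full_capture(packets):
    """What a SPAN port plus a pcap tool retains: every packet, payload included."""
    return [(p.ts, p.src, p.dst, p.payload) for p in packets]


if __name__ == "__main__":
    for key, rec in export_flows(PACKETS).items():
        print(key, rec)
    print(len(export_flows(PACKETS, sample_every=2)), "flows seen with 1-in-2 sampling")
```

With 1-in-2 sampling the single-packet DNS flow never reaches the exporter, which is why sampled flow data suits volume trending better than accounting for every conversation.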