
NetFlow Tools

1. Core Concept: What NetFlow Actually Is

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network metadata. It is not packet capture (full payload) nor simple SNMP counters (bytes/sec). It is flow-level accounting.

: 30-day retention, detect botnet C2, per-department billing.

:

```sql
-- Top 10 source hosts by total bytes
SELECT src_host, sum(bytes) AS total_bytes
FROM netflow.flows
WHERE flow_start > now() - 3600
GROUP BY src_host
ORDER BY total_bytes DESC
LIMIT 10;
```

| Symptom | Likely Cause | Fix |
|---------|--------------|-----|
| No flows received | ACL blocking UDP 2055 | show access-list |
| Flows show 0 bytes | Sampling rate too high | Reduce sampling-rate |
| AS numbers are 0 | BGP table not loaded | ip flow-export bgp-nexthop |
| Timestamps wrong | NTP drift | ntp peer on exporter |
| High CPU on router | Flow cache too large | ip flow-cache entries 65536 |

(v5 to collector 192.168.1.100):