I run around talking about NetFlow quite a bit and one of the most often asked questions is:
What is the difference between NetFlow v5 vs NetFlow v9?
The fundamental difference is that NetFlow v5 is a "fixed format" data structure. The information contained within the NetFlow v5 record cannot be extended or added to by Cisco or any other vendor without creating something that is not NetFlow v5. When you do change NetFlow v5 you get obscure flow formats like Packeteer-2 that won't work with a vanilla v5 collector. BlueCoat's Packeteer-2 flow format is nice since it includes RTT, loss, and application ID information, but it's not NetFlow v5 and doesn't have universal support (FYI: StealthWatch does support Packeteer-2).
As vendors such as Cisco and BlueCoat have evolved the kind of information they collect in the router or switch, so too has the kind of information you would want to place into a NetFlow record. Out of this requirement came NetFlow v9. Cisco created NetFlow v9 so that they could add additional information to flows as their IOS technology evolved.
NetFlow v9 uses a "template dataset" packet that describes the format of "data flowset" records that will follow. In this way NetFlow v9 is "self defining". Cisco or whomever can add additional fields to their NetFlow v9 exports by simply changing the template dataset. You can have multiple different flow types being sent to the collector from a single NetFlow v9 exporter. Each of these flow-sets can contain a wide range of different flow information points.
When you configure NetFlow v9 on Cisco equipment you can select from around 50+ different data points including such gems as:
"Packet Section" - allows OS fingerprinting against TCP header captured in NetFlow (increases network utilization from NetFlow however!)
"TTL" - shows the path a flow took through the network when comparing multiple exports
"Fragmentation Flag" - allows alerting on excessive IP fragmentation
"TCP Flag: SYN" - allows more accurate detection of SYN floods and scanning
Cisco is adding additional fields in almost every major release of IOS so stay tuned!
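To make the "template dataset describes the data flowset" idea concrete, here is a small NetFlow v9 decoder added as an illustration; it is not code from this post, from Lancope, or from Cisco. The field type numbers (IN_BYTES = 1, IN_PKTS = 2, PROTOCOL = 4, TCP_FLAGS = 6, L4_SRC_PORT = 7, IPV4_SRC_ADDR = 8, L4_DST_PORT = 11, IPV4_DST_ADDR = 12) are the ones assigned in RFC 3954; everything else (the `V9Decoder` class, the packet-building helpers, the sample flows and the `syn_only_sources` check) is constructed here. The decoder also shows the one caveat every v9 collector has to handle: a data flowset that arrives before its template cannot be decoded and has to be dropped until the template is seen.

```python
"""Minimal NetFlow v9 decoder (added illustration, not a vendor's code).
Field type numbers follow RFC 3954; the sample packet is constructed here."""
import struct
from collections import Counter

# RFC 3954 field type -> name, for the handful of fields used in the sample.
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
# Packet header: version, count, sysUptime, unixSecs, sequence, sourceId (20 bytes)
HEADER = struct.Struct("!HHIIII")
# A constructed template: (field type, field length) pairs, 22 bytes per record
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (1, 4), (2, 4)]


class V9Decoder:
    """Caches templates per (source_id, template_id). Data flowsets whose
    template has not been seen yet are undecodable and are only counted."""
    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def decode(self, packet):
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet: version %d" % version)
        records, offset = [], HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:                 # template flowset: self-description
                self._parse_templates(source_id, body)
            elif flowset_id >= 256:             # data flowset: id names its template
                records.extend(self._parse_data(source_id, flowset_id, body))
            # ids 1..255 are reserved (1 = options template); skipped here
            offset += length
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields

    def _parse_data(self, source_id, template_id, body):
        fields = self.templates.get((source_id, template_id))
        if fields is None:                      # template not seen yet: cannot decode
            self.undecodable += 1
            return []
        record_len = sum(flen for _, flen in fields)
        records, pos = [], 0
        while pos + record_len <= len(body):    # leftover bytes are 4-byte padding
            rec = {}
            for ftype, flen in fields:
                raw = body[pos:pos + flen]
                name = FIELD_NAMES.get(ftype, "FIELD_%d" % ftype)
                rec[name] = ".".join(str(b) for b in raw) if name.endswith("_ADDR") and flen == 4 \
                    else int.from_bytes(raw, "big")
                pos += flen
            records.append(rec)
        return records


# --- helpers that build constructed sample packets the way an exporter would ---
def build_template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def build_data_flowset(template_id, rows):
    body = b"".join(rows)
    body += b"\x00" * (-len(body) % 4)          # pad to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def v9_packet(flowsets, seq, source_id=1):
    return HEADER.pack(9, len(flowsets), 1000, 1700000000, seq, source_id) + b"".join(flowsets)

def row(src, dst, sport, dport, proto, flags, nbytes, npkts):
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return ip(src) + ip(dst) + struct.pack("!HHBBII", sport, dport, proto, flags, nbytes, npkts)

def syn_only_sources(records, threshold):
    """Sources with >= threshold TCP flows whose cumulative flag byte is SYN only
    (0x02): half-open attempts that never completed, the pattern the TCP_FLAGS
    field makes visible for scan and SYN-flood detection."""
    counts = Counter(r["IPV4_SRC_ADDR"] for r in records
                     if r.get("PROTOCOL") == 6 and r.get("TCP_FLAGS") == 0x02)
    return {src: n for src, n in counts.items() if n >= threshold}

def demo():
    """Constructed traffic: 10.0.0.5 sends five SYN-only flows to five ports,
    10.0.0.7 has one normal session (SYN|ACK|PSH|FIN = 0x1B)."""
    rows = [row("10.0.0.5", "192.0.2.10", 40000 + i, 20 + i, 6, 0x02, 60, 1) for i in range(5)]
    rows.append(row("10.0.0.7", "192.0.2.10", 51000, 443, 6, 0x1B, 5400, 12))
    dec = V9Decoder()
    early = dec.decode(v9_packet([build_data_flowset(256, rows)], seq=1))     # before template
    dec.decode(v9_packet([build_template_flowset(256, TEMPLATE)], seq=2))     # template arrives
    records = dec.decode(v9_packet([build_data_flowset(256, rows)], seq=3))   # now decodable
    return early, records, dec.undecodable

if __name__ == "__main__":
    early, records, dropped = demo()
    print("decoded before template:", len(early), "| dropped flowsets:", dropped)
    print("SYN-only sources:", syn_only_sources(records, 3))
```

The point of the template cache is exactly what makes v9 extensible and v5 not: the collector learns the record layout from the exporter instead of having it compiled in, so a new field in the template needs no collector change, but a collector that restarts must wait for the next template refresh before it can decode anything.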
So in summary: NetFlow v9 is extensible and contains much more information about the flow than does NetFlow v5. If you are using Lancope's StealthWatch Xe NetFlow collector you would benefit from switching your exporters to v9 if it's available (Cisco will force you to eventually anyway as they are phasing out v5).
Note: You'll hear of "IPFIX" from time to time but don't worry about it. It's the standards-based name for NetFlow v9 (almost identical). The only vendor I'm aware of that even exports "IPFIX" is Nortel and they offer a NetFlow v9 format as well. In short: IPFIX isn't being used much in production environments today.
This link talks in greater depth about IPFIX: http://en.wikipedia.org/wiki/IP_Flow_Information_Export