Optimizing NetFlow with PacketRanger

NetFlow Filtering

Network telemetry data, particularly network flow data, is ubiquitous in contemporary complex network environments and plays a crucial role in network and security operations. 

For network and security professionals, NetFlow—the most common flow protocol—is a familiar tool, as is the IETF’s version, IPFIX. NetFlow is so widely used that the term often refers to any network flow export function, much like how “Google” is used synonymously with online searching.

Introduced by Cisco in 1996, NetFlow has evolved from a basic IPv4 protocol that generates limited metadata about IP traffic flows to more flexible and extensible versions. These versions are used for security monitoring, DoS/DDoS detection, BGP peering, and a wide range of other security and traffic analysis applications.

Originally limited to physical devices like routers and switches, NetFlow records can now be captured from nearly any type of environment—including hypervisors like VMware and KVM, container platforms like Docker, and public clouds such as AWS, Azure, and GCP. Many online resources provide in-depth explanations of NetFlow, its variants, and their many use cases. For those interested in the technical details of IP flow data, a large collection of RFCs is available.

Although NetFlow and its various iterations are essential components of any IT organization, they are not without their challenges and limitations. These issues are numerous and multifaceted. Some are universal, affecting all versions of NetFlow and its variants, such as IPFIX, sFlow, jFlow, NetStream, and VPC Flow Logs. Other problems are specific to the version of a flow protocol.

Issues of a broader scope, such as the absence of packet capture with flow data or the distinction between stateful flow tracking and sampling, necessitate protocol modifications. What’s perhaps more frustrating are the new challenges discovered in subsequent versions of the NetFlow/IPFIX protocol that were intended to fix previous problems, such as managing flow templates across disparate flow collectors. Fortunately, some challenges can be resolved or mitigated with third-party solutions.

Through extensive customer engagements, Tavve has consistently observed a common set of NetFlow-related challenges in IT organizations. These include:

1. Flow exporter limitations

2. NetFlow congestion

3. Flow duplication

4. Optimizing Flow-based Licensing

5. NetFlow packet loss

Tavve’s PacketRanger and ZoneRanger effectively address the prevalent challenges associated with NetFlow. Our solutions are designed to process an astonishing 3 million flows per second on a single node. An intuitive user interface and an efficient workflow facilitate the management of your NetFlow telemetry pipelines.

Robust filtering capabilities enable the optimization of flow data. Over 480 pre-defined filter criteria, along with the ability to add custom fields for Flexible NetFlow, empower you to create tailored NetFlow pipelines. These features grant you enhanced control over the distribution of flow data across Flow Collectors, thereby optimizing applications that utilize a flow-based license.

If you’re dealing with flow exporter limitations, frustrated by packet loss and congestion, confused by duplicated flows, or tired of overspending on expanding flow licenses, reach out to Tavve today and schedule a demo.