Specifications
Understanding Flows
May 18, 2011
Figure 2 provides a graphic depiction of how these timers interact. Flows 1 and 3 show a single long-lasting logical flow. Flow 1 times out and expires at 30 minutes, the active timer length. Because the flow expires, an export packet is sent to the NetFlow collector. Flow 3 continues this long-lasting flow for another 10 minutes. At time 40 minutes the flow ends. The 40-second inactive timer initiates and expires at 40 minutes and 40 seconds, resulting in an export packet to the NetFlow collector for flow 3. At the NetFlow collector, the management application joins the two flows into a single logical flow for purposes of analysis and reporting.

Flow 2 is a 7.5-minute flow that never expires the active timer. It begins at 2.5 minutes and ends at 10 minutes. At 10 minutes the inactive timer commences and expires the flow at 10 minutes and 40 seconds. At this time, NetFlow sends an export packet for the flow to the NetFlow collector for processing.
Figure 2 Flow Expiration Timers
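The timer behaviour in Figure 2 and the collector-side join, as an added example that is not part of the original document. The flow keys, function names and the gap rule used for joining are assumptions, and traffic is modelled as continuous between a conversation's first and last packet.

```python
ACTIVE_TIMEOUT = 30 * 60   # active timer from the text: 30 minutes, in seconds
INACTIVE_TIMEOUT = 40      # inactive timer from the text: 40 seconds

def export_records(key, first_pkt, last_pkt):
    """Split one conversation into the records a flow cache would export.

    Times are seconds. While the conversation outlives the active timer the
    record is cut and exported; the final piece is exported once the
    inactive timer runs out after the last packet.
    """
    records, start = [], first_pkt
    while last_pkt - start > ACTIVE_TIMEOUT:
        cut = start + ACTIVE_TIMEOUT
        records.append({"key": key, "start": start, "end": cut,
                        "export": cut, "reason": "active"})
        start = cut
    records.append({"key": key, "start": start, "end": last_pkt,
                    "export": last_pkt + INACTIVE_TIMEOUT, "reason": "inactive"})
    return records

def stitch(records, max_gap=INACTIVE_TIMEOUT):
    """Collector side: rejoin records of one key into logical flows.

    Assumed rule: a record that starts within max_gap of the previous
    record's end for the same key continues the same logical flow.
    """
    logical, current = [], {}
    for r in sorted(records, key=lambda r: r["start"]):
        cur = current.get(r["key"])
        if cur is not None and r["start"] - cur["end"] <= max_gap:
            cur["end"] = max(cur["end"], r["end"])
            cur["pieces"] += 1
        else:
            cur = {"key": r["key"], "start": r["start"],
                   "end": r["end"], "pieces": 1}
            current[r["key"]] = cur
            logical.append(cur)
    return logical

# Constructed sample keys (documentation address ranges), matching Figure 2.
LONG_FLOW = ("192.0.2.10", "198.51.100.5", 6, 49152, 443)   # flows 1 and 3
SHORT_FLOW = ("192.0.2.11", "198.51.100.5", 6, 49153, 80)   # flow 2

def figure2_records():
    return (export_records(LONG_FLOW, 0, 40 * 60)
            + export_records(SHORT_FLOW, 150, 10 * 60))

if __name__ == "__main__":
    for flow in stitch(figure2_records()):
        print(flow["key"], flow["end"] - flow["start"], "s in", flow["pieces"], "record(s)")
```

Without the join step, duration-based reporting would see the long conversation as separate 30-minute and 10-minute flows rather than one 40-minute flow.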
Deriving Information from Collected Flows
On each collection server, a NetFlow collector application correlates the received records and prepares them for use by the NetFlow management application. (In some cases the collector and management applications are bundled in a single application.) The management application retrieves the flow records, combines flows that were broken up due to expiration rules, and aggregates flows based upon common values, before processing the data into useful reports viewable by the network administrator.

Correlated reports can be the basis for such information categories as:
• Understanding who is originating and receiving the traffic
• Characterizing the applications that are utilizing the traffic
[Figure 2 graphic, "Flow Expiration": Flows plotted against Time, with marks at 2.5, 10, 30 and 40 minutes and at 10 min. 40 sec. and 40 min. 40 sec.; Flows 1, 2 and 3 with their expiry points. Legend: "Flow has expired and export packet sent"; "Flow has stopped, start of inactivity timer".]