NetFlow
What is NetFlow?
NetFlow: A Cisco-originated flow-record protocol, and its successors sFlow and IPFIX, that exports summarized metadata about every conversation crossing a network device.
NetFlow describes a unidirectional or bidirectional conversation by five-tuple (source/destination IP and port, protocol), with byte and packet counts, timestamps, interface indices, and optional fields. The router or switch exports flow records to a collector for storage and analysis. NetFlow is widely deployed because it scales to multi-gigabit links and gives investigators long-term visibility without the storage cost of full PCAP. Variants include Cisco NetFlow v5 and v9, sFlow (sampling-based, from InMon), and IPFIX (IETF RFC 7011, vendor-neutral). Defensive uses include traffic baselining, beacon detection, DDoS triage, data-exfiltration spotting, and forensic timeline reconstruction.
● Examples
1. Spotting beaconing C2 traffic from a workstation that sends regular small flows to a single external IP every five minutes.
2. Quantifying outbound bytes to a cloud-storage IP during a suspected data-exfiltration window.
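Both examples above reduce to the same two operations on flow records: group flows by source/destination pair and measure how regular and how small they are (beacon detection), and sum bytes to one destination inside a time window (exfiltration sizing). The following Python script is an added example, not code from the original page or from any collector vendor. It parses a constructed CSV export with a hypothetical column layout (real nfdump, SiLK or IPFIX collector exports name their columns differently) and uses documentation-range IP addresses; the thresholds (at least five flows, inter-flow gap coefficient of variation at most 0.1, median flow at most 2000 bytes) are illustrative starting points, not tuned values.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow export in a hypothetical CSV layout (column names are an
# assumption; real exporters differ). 10.0.0.5 contacts 203.0.113.10 every
# 300 s with near-identical small flows (a beacon pattern) and also browses a
# web host normally; 10.0.0.7 pushes a large volume to 198.51.100.7.
FLOWS_CSV = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
2024-05-01T09:00:00Z,10.0.0.5,51001,203.0.113.10,443,6,6,812
2024-05-01T09:01:12Z,10.0.0.5,51002,192.0.2.20,443,6,40,45000
2024-05-01T09:05:00Z,10.0.0.5,51003,203.0.113.10,443,6,6,804
2024-05-01T09:07:40Z,10.0.0.5,51004,192.0.2.20,443,6,95,120000
2024-05-01T09:10:00Z,10.0.0.5,51005,203.0.113.10,443,6,6,820
2024-05-01T08:30:00Z,10.0.0.7,52001,198.51.100.7,443,6,700,1000000
2024-05-01T09:10:00Z,10.0.0.7,52002,198.51.100.7,443,6,34000,50000000
2024-05-01T09:12:00Z,10.0.0.7,52003,198.51.100.7,443,6,47000,70000000
2024-05-01T09:15:00Z,10.0.0.5,51006,203.0.113.10,443,6,6,810
2024-05-01T09:20:00Z,10.0.0.5,51007,203.0.113.10,443,6,6,808
2024-05-01T09:22:03Z,10.0.0.5,51008,192.0.2.20,443,6,5,3300
2024-05-01T09:25:00Z,10.0.0.5,51009,203.0.113.10,443,6,6,815
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with a typed timestamp and counters."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        for key in ("src_port", "dst_port", "proto", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def find_beacons(flows, min_flows=5, max_cv=0.1, max_median_bytes=2000):
    """Flag (src_ip, dst_ip) pairs whose flows recur at a regular interval with
    small, consistent size. Regularity is the coefficient of variation
    (stdev / mean) of the gaps between consecutive flows; thresholds are
    illustrative."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src_ip"], f["dst_ip"])].append(f)
    beacons = {}
    for pair, group in by_pair.items():
        if len(group) < min_flows:
            continue  # too few observations to judge periodicity
        times = sorted(f["ts"] for f in group)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        median_bytes = statistics.median([f["bytes"] for f in group])
        if cv <= max_cv and median_bytes <= max_median_bytes:
            beacons[pair] = {"flows": len(group), "interval_s": mean_gap,
                             "cv": cv, "median_bytes": median_bytes}
    return beacons


def bytes_to_host(flows, dst_ip, start, end):
    """Total bytes sent to dst_ip with start <= ts < end (exfiltration sizing)."""
    return sum(f["bytes"] for f in flows
               if f["dst_ip"] == dst_ip and start <= f["ts"] < end)


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    for (src, dst), s in find_beacons(flows).items():
        print(f"beacon candidate {src} -> {dst}: {s['flows']} flows every "
              f"{s['interval_s']:.0f}s, median {s['median_bytes']} bytes")
    window = (datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
              datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))
    print("bytes to 198.51.100.7 in window:",
          bytes_to_host(flows, "198.51.100.7", *window))
```

The normal web browsing from the same workstation is not flagged because its flows are few, irregularly spaced and large, which is the contrast the detector relies on. Sampled exports (sFlow, or NetFlow configured with packet sampling) may drop individual small flows entirely, so a gap-regularity check like this one needs unsampled or lightly sampled data, and the byte totals from sampled data must be scaled by the sampling rate before they are quoted in an incident report.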
● Frequently asked questions
What is NetFlow?
A Cisco-originated flow-record protocol, and its successors sFlow and IPFIX, that exports summarized metadata about every conversation crossing a network device. It belongs to the Defense & Operations category of cybersecurity.
What does NetFlow mean?
A Cisco-originated flow-record protocol, and its successors sFlow and IPFIX, that exports summarized metadata about every conversation crossing a network device.
How does NetFlow work?
NetFlow describes a unidirectional or bidirectional conversation by five-tuple (source/destination IP and port, protocol), with byte and packet counts, timestamps, interface indices, and optional fields. The router or switch exports flow records to a collector for storage and analysis. NetFlow is widely deployed because it scales to multi-gigabit links and gives investigators long-term visibility without the storage cost of full PCAP. Variants include Cisco NetFlow v5 and v9, sFlow (sampling-based, from InMon), and IPFIX (IETF RFC 7011, vendor-neutral). Defensive uses include traffic baselining, beacon detection, DDoS triage, data-exfiltration spotting, and forensic timeline reconstruction.
How is NetFlow used in defence?
NetFlow is a defensive data source rather than a threat to defend against: flow records exported to a collector support traffic baselining, beacon detection, DDoS triage, data-exfiltration spotting, and forensic timeline reconstruction, as described in the full definition above.
What are other names for NetFlow?
Common alternative names include: IPFIX, sFlow, Flow records.
● Related terms
- PCAP (defense-ops, № 806): A binary packet-capture file format produced by libpcap, tcpdump, and Wireshark that stores network packets exactly as they were seen on the wire.
- Wireshark (defense-ops, № 1245): An open-source network protocol analyzer that captures and inspects packets in real time for troubleshooting, security analysis, and education.
- Deep Packet Inspection (DPI) (network-security, № 295): An inspection technique that examines the full payload of network packets — not just headers — to identify applications, content, and threats.
- Network Forensics (forensics-ir, № 722): The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
- NDR (Network Detection and Response) (defense-ops, № 716): A network security technology that analyses traffic — including decrypted, metadata and flow data — using behavioral analytics and ML to detect threats and orchestrate response.