What is network flow analysis (NetFlow)?
Why Interviewers Ask This
This tests whether you can apply Networking knowledge to real-world scenarios. Interviewers are looking for clarity of thought and evidence that you've encountered this in production code.
Answer
NetFlow (developed by Cisco) is a network protocol that collects and monitors IP network traffic as it flows through routers and switches, providing visibility into who is talking to whom and how much bandwidth they use. A flow is a unidirectional sequence of packets sharing the same source IP, destination IP, source port, destination port, and protocol. NetFlow exports flow records to a flow collector for analysis and storage.
Related protocols: sFlow (standards-based) samples packets statistically, which is less CPU intensive. IPFIX (IP Flow Information Export, RFC 7011) is the IETF standard based on NetFlow v9.
Use cases: bandwidth monitoring (which users and apps use the most), security (detecting DDoS, port scanning, and unusual traffic patterns), capacity planning, and billing.
Tools: SolarWinds NTA, ntopng, Elastic Stack, Grafana + InfluxDB.
NetFlow is typically enabled on routers and Layer 3 switches. It consumes router CPU and memory, so sampling is often used on high-speed links.
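The flow definition and the security use case above, as an added example that is not part of the original answer: constructed packets are aggregated into unidirectional flows keyed by the 5-tuple, then summarized for bandwidth and checked for a port-scan pattern. All function names, sample addresses and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample packets: (src_ip, dst_ip, src_port, dst_port, protocol, bytes)
PACKETS = [
    ("10.0.0.5", "10.0.1.20", 51000, 443, "tcp", 1500),
    ("10.0.0.5", "10.0.1.20", 51000, 443, "tcp", 900),
    ("10.0.1.20", "10.0.0.5", 443, 51000, "tcp", 4000),  # reply: a separate flow
] + [("10.0.0.99", "10.0.1.20", 40000 + p, p, "tcp", 60) for p in range(20, 45)]


def build_flows(packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, size in packets:
        rec = flows[(src, dst, sport, dport, proto)]
        rec["packets"] += 1
        rec["bytes"] += size
    return dict(flows)


def top_talkers(flows, n=3):
    """Bandwidth view: total bytes sent per source IP, largest first."""
    totals = defaultdict(int)
    for (src, *_), rec in flows.items():
        totals[src] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def port_scan_suspects(flows, min_ports=20, max_packets=3):
    """Flag (src, dst) pairs with many small flows to distinct destination ports.

    min_ports and max_packets are illustrative thresholds, not standard values.
    """
    ports = defaultdict(set)
    for (src, dst, _sport, dport, proto), rec in flows.items():
        if rec["packets"] <= max_packets:
            ports[(src, dst)].add((proto, dport))
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flows")
    print("top talkers:", top_talkers(flows))
    print("scan suspects:", port_scan_suspects(flows))
```

The reply packet from 10.0.1.20 lands in its own flow because flows are unidirectional, so a collector has to pair the two directions itself when it wants a conversation view.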
Pro Tip
Back up your answer with a specific project or situation. Saying 'In my last Networking project, I used this when...' immediately makes your answer more credible and memorable.