Measurement Artifacts in NetFlow Data
Flows provide an aggregated view of network traffic by grouping streams of packets. The resulting scalability gain usually excuses the coarser data granularity, as long as the flow data reflects the actual network traffic faithfully. However, it is known that the flow export process may introduce artifacts in the exported data. This paper extends the set of known artifacts by explaining which implementation decisions are causing them. In addition, we verify the artifacts’ presence in data from a set of widely-used devices. Our results show that the revealed artifacts are widely spread among different devices from various vendors. We believe that these results provide researchers and operators with important insights for developing robust analysis applications.
KeywordsNetwork management measurements NetFlow artifacts
Unable to display preview. Download preview PDF.
- 1.Cisco Systems, Inc.: Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide (2009), http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/122sxscg.pdf (accessed on December 14, 2012)
- 2.Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954 (Informational) (2004)Google Scholar
- 5.Duffield, N., Lund, C., Thorup, M.: Properties and Prediction of Flow Statistics from Sampled Packet Streams. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, pp. 159–171 (2002)Google Scholar
- 7.Follett, J.H.: Cisco: Catalyst 6500 The Most Successful Switch Ever (2006), http://www.crn.com/news/networking/189500982/cisco-catalyst-6500-the-most-successful-switch-ever.htm (accessed on December 14, 2012)
- 8.Gu, Y., Breslau, L., Duffield, N.G., Sen, S.: On Passive One-Way Loss Measurements Using Sampled Flow Statistics. In: INFOCOM 2009, pp. 2946–2950 (2009)Google Scholar
- 9.Kögel, J.: One-way Delay Measurement based on Flow Data: Quantification and Compensation of Errors by Exporter Profiling. In: Proceedings of the 25th International Conference on Information Networking (ICOIN 2011), pp. 25–30 (2011)Google Scholar
- 10.Kompella, R.R., Estan, C.: The Power of Slicing in Internet Flow Measurement. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement (IMC 2005), pp. 105–118 (2005)Google Scholar
- 11.Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP Flow Information Export. RFC 5470 (Informational) (2009)Google Scholar
- 12.Sommer, R., Feldmann, A.: NetFlow: Information loss or win? In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, pp. 173–174 (2002)Google Scholar