Measurement Artifacts in NetFlow Data

  • Rick Hofstede
  • Idilio Drago
  • Anna Sperotto
  • Ramin Sadre
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7799)

Abstract

Flows provide an aggregated view of network traffic by grouping streams of packets. The resulting scalability gain usually excuses the coarser data granularity, as long as the flow data reflects the actual network traffic faithfully. However, it is known that the flow export process may introduce artifacts in the exported data. This paper extends the set of known artifacts by explaining which implementation decisions are causing them. In addition, we verify the artifacts’ presence in data from a set of widely-used devices. Our results show that the revealed artifacts are widely spread among different devices from various vendors. We believe that these results provide researchers and operators with important insights for developing robust analysis applications.

Keywords

Network management measurements NetFlow artifacts 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Cisco Systems, Inc.: Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide (2009), http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/122sxscg.pdf (accessed on December 14, 2012)
  2. 2.
    Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954 (Informational) (2004)Google Scholar
  3. 3.
    Cunha, Í., Silveira, F., Oliveira, R., Teixeira, R., Diot, C.: Uncovering Artifacts of Flow Measurement Tools. In: Moon, S.B., Teixeira, R., Uhlig, S. (eds.) PAM 2009. LNCS, vol. 5448, pp. 187–196. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  4. 4.
    de Oliveira Schmidt, R., Sperotto, A., Sadre, R., Pras, A.: Towards Bandwidth Estimation Using Flow-Level Measurements. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 127–138. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Duffield, N., Lund, C., Thorup, M.: Properties and Prediction of Flow Statistics from Sampled Packet Streams. In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, pp. 159–171 (2002)Google Scholar
  6. 6.
    Duffield, N., Lund, C., Thorup, M.: Estimating Flow Distributions from Sampled Flow Statistics. IEEE/ACM Transactions on Networking 13(5), 933–946 (2005)MathSciNetCrossRefGoogle Scholar
  7. 7.
    Follett, J.H.: Cisco: Catalyst 6500 The Most Successful Switch Ever (2006), http://www.crn.com/news/networking/189500982/cisco-catalyst-6500-the-most-successful-switch-ever.htm (accessed on December 14, 2012)
  8. 8.
    Gu, Y., Breslau, L., Duffield, N.G., Sen, S.: On Passive One-Way Loss Measurements Using Sampled Flow Statistics. In: INFOCOM 2009, pp. 2946–2950 (2009)Google Scholar
  9. 9.
    Kögel, J.: One-way Delay Measurement based on Flow Data: Quantification and Compensation of Errors by Exporter Profiling. In: Proceedings of the 25th International Conference on Information Networking (ICOIN 2011), pp. 25–30 (2011)Google Scholar
  10. 10.
    Kompella, R.R., Estan, C.: The Power of Slicing in Internet Flow Measurement. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement (IMC 2005), pp. 105–118 (2005)Google Scholar
  11. 11.
    Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP Flow Information Export. RFC 5470 (Informational) (2009)Google Scholar
  12. 12.
    Sommer, R., Feldmann, A.: NetFlow: Information loss or win? In: Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurement, pp. 173–174 (2002)Google Scholar
  13. 13.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An Overview of IP Flow-Based Intrusion Detection. IEEE Communications Surveys & Tutorials 12(3), 343–356 (2010)CrossRefGoogle Scholar
  14. 14.
    Trammell, B., Tellenbach, B., Schatzmann, D., Burkhart, M.: Peeling Away Timing Error in NetFlow Data. In: Spring, N., Riley, G.F. (eds.) PAM 2011. LNCS, vol. 6579, pp. 194–203. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Rick Hofstede
    • 1
  • Idilio Drago
    • 1
  • Anna Sperotto
    • 1
  • Ramin Sadre
    • 1
  • Aiko Pras
    • 1
  1. 1.Centre for Telematics and Information Technology, Design and Analysis of Communications Systems (DACS)University of TwenteEnschedeThe Netherlands

Personalised recommendations