How are Flow Records Created?
When a client machine wants to talk to a server, the router sees a flow of packets in one direction.

When a browser on a client machine starts up, it has to choose a port number greater than 1024. This is because all numbers lower than this are restricted to set application ports. After this, the browser communicates through a number of different layers in order to reach the server/application.

The layers consist of:
- Network Link (low-level transport): Wireless, Ethernet
- Network (involved with addressing, the "PATH"): IP
- Reliable Transport (control of traffic over and back): TCP. TCP uses the concept of sequence numbers. If it misses a sequence of packets, it uses the sequence numbers to request a retransmission.
- Application Layer: pointer to Web/E-mail applications, which usually have their own individual ports. Web = Port 80, TCP = Port 6, UDP = Port 17

The browser communicates with the server through these layers, and the server then replies with information to fill in the tab opened by the browser.
Using a Router to create a Shortcut
Before NetFlow Switching, packets of information would come in on different interfaces of the router, and the router would have to make a decision on the direction of flow of the packet every time, even if it had seen the exact same type of packet before. NetFlow Switching uses the concept of a unidirectional flow, which funnels identical packets in the same direction and provides a shortcut for data through the router itself.

Step 1: A packet of information is received and inspected against 7 key fields (called the key tuples) in order to determine whether it is unique or not:
- Source IP
- Destination IP
- Source Port
- Destination Port
- Layer 3 Protocol (TCP/UDP)
- TOS Byte
- Input Interface

Step 2: If the packet is unique, a flow record is created for it.
- The flow record stays in the router, and any packet identical to the previous packet (in the above 7 fields) will be processed in exactly the same way.
- Each matching packet adds to the packet counter, the byte counter and the TCP flags recorder.
- If a packet is received that does not match in one or more of the key fields (e.g. in terms of source port), then a new cache entry is created for it.

Step 3: Information gathered from these packets is stored in the cache of the router for as long as the flows are designated to remain.
- This is usually defined as 1 minute.
- At the end of 1 minute, the information in the cache is packaged and sent to a receiver (Anuview).
- There is also an inactivity timer for the flow.
Overall, the router receives packets from a client machine on one interface, and the result is the creation of a table of unidirectional flows out another interface. This reduces the processing required by the router: it processes the first packet of information and then caches (shortcuts) the rest.
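The three steps above as a small flow-cache simulation. This is an added example, not code from a router or from the original page. The `FlowKey` and `FlowCache` names, the sample addresses and the 15-second inactivity timeout are assumptions; the page only gives the 1-minute timer.

```python
from collections import namedtuple

# The 7 key fields from Step 1 (proto is the IP protocol number: 6 = TCP, 17 = UDP).
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")

ACTIVE_TIMEOUT = 60    # seconds; the 1 minute from Step 3
INACTIVE_TIMEOUT = 15  # seconds; assumed value, the page does not give one
SYN, ACK = 0x02, 0x10  # TCP flag bits

class FlowCache:
    def __init__(self):
        self.cache = {}     # FlowKey -> flow record
        self.exported = []  # records packaged and sent to the receiver

    def expire(self, now):
        """Step 3: export flows that hit the active or the inactivity timer."""
        for key, rec in list(self.cache.items()):
            if now - rec["first"] >= ACTIVE_TIMEOUT:
                reason = "active"
            elif now - rec["last"] >= INACTIVE_TIMEOUT:
                reason = "inactive"
            else:
                continue
            self.exported.append(dict(rec, key=key, reason=reason))
            del self.cache[key]

    def packet(self, now, key, size, tcp_flags=0):
        """Steps 1-2: match on the 7 key fields, then create or update the record."""
        self.expire(now)
        rec = self.cache.get(key)
        if rec is None:  # unique packet: new cache entry
            rec = self.cache[key] = {"first": now, "last": now,
                                     "packets": 0, "bytes": 0, "flags": 0}
        rec["packets"] += 1
        rec["bytes"] += size
        rec["flags"] |= tcp_flags  # TCP flags recorder: OR of all flags seen
        rec["last"] = now
        return rec

def demo():
    # Constructed sample traffic: one busy web flow and one single-packet flow.
    fc = FlowCache()
    web = FlowKey("10.0.0.5", "192.0.2.10", 51000, 80, 6, 0, 1)
    fc.packet(0, web, 60, SYN)
    fc.packet(1, web._replace(src_port=51001), 60, SYN)  # one field differs: new entry
    for t in range(10, 60, 10):  # steady traffic keeps 'web' from going idle
        fc.packet(t, web, 1500, ACK)
    fc.expire(60)                # 'web' reaches the 1-minute timer
    return fc
```

The single-packet flow is exported by the inactivity timer, while the busy flow is exported by the 1-minute timer with its accumulated packet count, byte count and flags.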
Breakdown of Units used in Communication
- Bits: The smallest unit, similar to an electrical pulse; bits only communicate in an ON/OFF mechanism.
- Packets: A series of bits can describe a packet, or a cluster of information. This is unidirectional (there can be an input/output of packets, but only in one direction).
- Flow: A network summary of packets created by a router. This is also unidirectional: flows can be sent/received, but only in one direction.
- Session: Also known as a conversation; it can be between a router and a server. It is bidirectional, e.g. the router can send a flow to a server, and in turn the server sends information back through the router to the client machine.