CS0-003 | Chapter 48 of 100 | Objective 1.3

NetFlow and Traffic Flow Analysis

This chapter covers NetFlow and traffic flow analysis, a critical skill for the CompTIA CySA+ CS0-003 exam's Security Operations domain (Objective 1.3). You will learn how flow data provides visibility into network conversations without deep packet inspection, enabling anomaly detection, bandwidth monitoring, and forensic analysis. Approximately 10-15% of exam questions touch on flow analysis, often comparing it to packet capture or SNMP. Mastery of flow record components, export protocols, and analysis techniques is essential for the exam and for real-world security monitoring.

25 min read
Intermediate
Updated May 31, 2026

NetFlow as a Postal Service Log

Imagine a postal service that handles millions of letters daily. Instead of opening every letter to read its contents (which would be invasive and slow), the service records a summary of each letter's journey: sender address, recipient address, timestamp when it was posted, weight class, and when it was delivered. This summary is called a 'flow record.' The postal service doesn't need to know what's inside the letter—just the metadata about the exchange. Now, suppose you want to understand communication patterns between two cities. You'd ask the postal service for all flow records where the sender or recipient is in those cities. The postal service aggregates the records, giving you counts of letters, total weight, average delivery time, and peak hours. This is exactly how NetFlow works: routers and switches generate flow records containing packet metadata (IP addresses, ports, protocols, timestamps, packet/byte counts) without inspecting payloads. A collector aggregates these records, and an analyzer produces traffic summaries. Just as the postal service doesn't open letters, NetFlow doesn't perform deep packet inspection—it only tracks conversation metadata. This makes NetFlow efficient for high-speed networks where full packet capture is impractical. The analogy breaks down if you think of NetFlow as capturing every single packet individually; instead, it aggregates packets with the same 5-tuple into a single flow record, like the postal service grouping all letters with identical sender/recipient pairs into one summary entry.

How It Actually Works

What is NetFlow and Why Does It Exist?

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. It was introduced in the late 1990s as a way to provide network administrators with visibility into traffic patterns without the overhead of full packet capture. The core idea is simple: instead of capturing every packet, routers and switches summarize groups of packets that share common properties into a 'flow record.' A flow is defined as a unidirectional sequence of packets between a given source and destination—sharing the same source IP, destination IP, source port, destination port, protocol, and (for Cisco) the IP type of service (ToS) byte. This 5-tuple (or 6-tuple with ToS) uniquely identifies a conversation.

NetFlow is not a single standard; it has evolved through several versions. Cisco NetFlow versions include v1 (obsolete), v5 (most common for IPv4), v7 (with Cisco Catalyst switches), v8 (aggregation schemes), and v9 (template-based, flexible, supports IPv6 and MPLS). The industry-standard IPFIX (IP Flow Information Export, RFC 7011) is based on NetFlow v9 and is vendor-neutral. For the CS0-003 exam, you must know NetFlow v5 and v9/IPFIX, their differences, and typical use cases.

How NetFlow Works: Step-by-Step Mechanism

1. Flow Creation: When a router receives a packet, it checks its flow cache for an existing flow entry matching the packet's 5-tuple. If no match exists, a new flow entry is created in the cache. The cache stores active flows with counters for packets and bytes, timestamps for start and end, and interface information.

2. Flow Aging: Flows are removed from the cache (exported) when one of three aging conditions is met. Cisco NetFlow uses two timers plus a TCP session-end check:

- Active flow timeout: Default is 30 minutes. If a flow has been active for this long, it is exported as a 'long-lived flow' and a new flow record is started for subsequent packets.
- Inactive flow timeout: Default is 15 seconds. If no packets are seen for this duration, the flow is considered finished and exported.
- TCP FIN/RST detection: When a TCP session ends with a FIN or RST, the flow is exported immediately.

3. Flow Export: When a flow ages out, the router packages the flow record into a NetFlow datagram (UDP) and sends it to a configured collector. The collector listens on a specific port (default 2055 for NetFlow, 4739 for IPFIX). The export packet contains multiple flow records (up to 30 in v5) to maximize efficiency.

4. Flow Record Contents: A NetFlow v5 record includes:

- Source IP address (4 bytes)
- Destination IP address (4 bytes)
- Source port (2 bytes)
- Destination port (2 bytes)
- Protocol (1 byte)
- IP ToS (1 byte)
- Input interface index (2 bytes)
- Output interface index (2 bytes)
- Packet count (4 bytes)
- Byte count (4 bytes)
- Flow start timestamp (4 bytes, milliseconds since device boot)
- Flow end timestamp (4 bytes)
- TCP flags (1 byte, OR of all flags observed)
- Source AS number (2 bytes)
- Destination AS number (2 bytes)
- Source mask (1 byte)
- Destination mask (1 byte)
- Next-hop IP address (4 bytes)

NetFlow v9/IPFIX uses templates, allowing flexible field definitions. Common fields include IPv6 addresses, MPLS labels, VLAN IDs, and application IDs.
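The flow creation, update and aging steps above, as an added simulation written for this chapter (it is not Cisco code and not from the original page): a cache keyed by the 5-tuple, OR-ed TCP flags, and the three export triggers. Packet and timestamp values are constructed; timeouts default to the Cisco 30 min / 15 s values.

```python
from dataclasses import dataclass

# Constructed example (not Cisco code): a 5-tuple flow cache with the three aging rules.
TCP, UDP, FIN, SYN, RST, ACK = 6, 17, 0x01, 0x02, 0x04, 0x10

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    tcp_flags: int = 0

@dataclass
class FlowRecord:
    key: tuple          # (src, dst, sport, dport, proto)
    first: float        # start timestamp
    last: float         # end timestamp
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of every TCP flag seen during the flow
    reason: str = ""    # why the record was exported

class FlowCache:
    def __init__(self, active_timeout=1800.0, inactive_timeout=15.0):
        self.active_timeout = active_timeout      # 30 minutes by default
        self.inactive_timeout = inactive_timeout  # 15 seconds by default
        self.cache = {}

    def _export(self, key, reason):
        rec = self.cache.pop(key)
        rec.reason = reason
        return rec

    def process(self, pkt, now):
        # Create or update the entry for pkt; return any records exported as a result.
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        exported = []
        rec = self.cache.get(key)
        if rec is not None and now - rec.first >= self.active_timeout:
            exported.append(self._export(key, "active_timeout"))  # long-lived: split it
            rec = None
        if rec is None:
            rec = self.cache[key] = FlowRecord(key, first=now, last=now)
        rec.packets += 1
        rec.octets += pkt.length
        rec.last = now
        rec.tcp_flags |= pkt.tcp_flags
        if pkt.proto == TCP and pkt.tcp_flags & (FIN | RST):
            exported.append(self._export(key, "fin_rst"))  # session over: export now
        return exported

    def expire(self, now):
        # Periodic sweep: export idle flows and flows past the active timeout.
        exported = []
        for key, rec in list(self.cache.items()):
            if now - rec.last >= self.inactive_timeout:
                exported.append(self._export(key, "inactive_timeout"))
            elif now - rec.first >= self.active_timeout:
                exported.append(self._export(key, "active_timeout"))
        return exported

def demo():
    fc = FlowCache()
    tcp = dict(src="10.0.0.5", dst="93.184.216.34", sport=51000, dport=443, proto=TCP)
    fc.process(Packet(**tcp, length=60, tcp_flags=SYN), now=0.0)
    fin = fc.process(Packet(**tcp, length=52, tcp_flags=FIN | ACK), now=0.3)
    dns = dict(src="10.0.0.5", dst="10.0.0.53", sport=40000, dport=53, proto=UDP)
    fc.process(Packet(**dns, length=70), now=1.0)
    stream = dict(src="10.0.0.7", dst="10.0.0.8", sport=5000, dport=5001, proto=UDP)
    fc.process(Packet(**stream, length=100), now=0.0)
    fc.process(Packet(**stream, length=100), now=10.0)
    idle = fc.expire(now=20.0)    # DNS idle 19 s: exported; stream idle 10 s: kept
    split = fc.process(Packet(**stream, length=100), now=1800.0)  # active timeout hit
    return fin, idle, split, fc
```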

Key Components and Defaults

Flow Cache: Memory on the router that holds active flows. Size varies by platform; on a Cisco ISR 4000, default is 64K flows, configurable up to 1M.

Export Format: UDP is the transport; reliability is not guaranteed. Some implementations support SCTP for reliable transport (IPFIX).

Sampling: To reduce CPU impact, NetFlow can sample packets (e.g., 1 in 1000 packets). The sampling rate is included in the export so collectors can extrapolate totals.

Collectors: Software like SolarWinds, PRTG, ntopng, or open-source tools like nfdump/Elastic Stack.

Analyzers: Tools that present flow data as graphs, top talkers, and anomaly alerts.

Configuration and Verification Commands

On a Cisco IOS router, enabling NetFlow involves:

! Enable flow export
ip flow-export destination 192.168.1.100 2055
ip flow-export version 5
! Enable flow capture on an interface
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress

Verification commands:

show ip flow export       ! Shows export stats, destination, version
show ip cache flow        ! Shows active flows in cache
show ip flow top-talkers  ! Shows top bandwidth consumers

For NetFlow v9:

ip flow-export version 9
ip flow-export template timeout-rate 60   ! Template refresh interval in minutes

Interaction with Related Technologies

sFlow: Sampling-based technology, exports packet headers, not flows. Lower overhead but less accurate for byte counts. Exam compares sFlow vs NetFlow.

IPFIX: Standardized version of NetFlow v9. Exam tests that IPFIX is vendor-neutral and supports variable-length fields.

SNMP: Provides aggregate interface statistics (bytes in/out), not per-flow data. NetFlow gives per-conversation visibility.

Deep Packet Inspection (DPI): Inspects payload; high overhead. NetFlow is metadata-only.

NBAR: Cisco protocol classification; can be used with NetFlow to label applications.

Traffic Flow Analysis for Security

NetFlow is invaluable for:

- Anomaly Detection: Sudden spikes in traffic to a specific port (e.g., 445/TCP) may indicate worm propagation.
- Data Exfiltration Detection: Large outbound flows to unusual destinations (e.g., cloud storage) at odd hours.
- Botnet Identification: Flows to known C2 servers, or regular beaconing (periodic small flows).
- Bandwidth Monitoring: Identify top talkers, peak usage times.
- Forensics: After an incident, replay flow records to reconstruct communication patterns.
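Three of these detections run over flow records, as an added example written for this chapter (not from the original page or any product): the scan rule follows the "100+ destinations in a minute" heuristic, the DNS rule the "over 100 bytes per packet on 53/UDP" rule, and the beacon rule looks for evenly spaced small flows. The flow records, thresholds and addresses are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic), shaped like parsed NetFlow output.
def flow(src, dst, dport, packets, octets, start, proto=6):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "packets": packets, "octets": octets, "start": start}

def sample_flows():
    t0 = 1_700_000_000
    flows = [flow("10.0.0.5", "93.184.216.34", 443, 30, 24000, t0 + d) for d in (0, 11, 25, 26, 58)]
    flows.append(flow("10.0.0.5", "10.0.0.53", 53, 2, 120, t0 + 3, proto=17))  # normal DNS, 60 B/pkt
    # One host reaching 120 distinct addresses on 445/TCP inside a minute
    flows += [flow("10.0.0.9", f"10.0.1.{i}", 445, 1, 60, t0 + i * 0.4) for i in range(1, 121)]
    # 53/UDP flows averaging 512 bytes per packet
    flows += [flow("10.0.0.12", "198.51.100.7", 53, 4, 2048, t0 + 100 + d, proto=17)
              for d in (0, 4, 5, 13, 14, 20, 31, 33, 40, 47)]
    # Small flows to one external host every 60 s
    flows += [flow("10.0.0.20", "203.0.113.44", 443, 3, 400, t0 + 200 + i * 60) for i in range(8)]
    return flows

def detect_scans(flows, threshold=100, window=60):
    """Sources that touch at least `threshold` distinct destinations within any `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append((f["start"], f["dst"]))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t, _) in enumerate(events):
            if len({d for s, d in events[i:] if s - t <= window}) >= threshold:
                hits.add(src)
                break
    return hits

def detect_dns_oversize(flows, max_bytes_per_packet=100):
    """53/UDP flows whose average packet is larger than a normal query or answer."""
    return {(f["src"], f["dst"]) for f in flows
            if f["dport"] == 53 and f["proto"] == 17
            and f["octets"] / f["packets"] > max_bytes_per_packet}

def detect_beacons(flows, min_flows=5, max_jitter=0.1):
    """(src, dst) pairs whose flow start times are evenly spaced; returns the period in seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f["start"])
    hits = {}
    for pair, starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits[pair] = mean(gaps)
    return hits
```

The thresholds are starting points only; in practice they are tuned against a baseline of the site's own flow data, as the scenarios later in the chapter describe.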

Exam Tip: NetFlow does NOT detect attacks within encrypted traffic (since it doesn't decode payload), but it can detect unusual volumes or patterns that suggest malicious activity.

Walk-Through

1. Packet Arrives at Router

When a packet arrives on an interface with NetFlow enabled (ingress or egress), the router examines the packet's header to extract the 5-tuple: source IP, destination IP, source port, destination port, and protocol. It also reads the IP Type of Service (ToS) byte if configured. The router then performs a lookup in its flow cache to see if an entry already exists with the same 5-tuple. This lookup is hash-based for efficiency. If no match is found, a new flow entry is created, recording the start timestamp and initializing packet and byte counters to 1 and the packet's length, respectively. The input interface index is also stored. The flow cache is a high-speed memory structure, typically implemented in TCAM or DRAM, and its size is configurable. On Cisco routers, the default cache size is 64K flows, but this can be increased for high-traffic environments.

2. Flow Cache Update

If a matching flow entry exists, the router updates the counters: packet count increments by 1, byte count increments by the packet's total length (including IP and transport headers). The flow's end timestamp is updated to the current time. The TCP flags field is updated by OR-ing the current flags with the stored value. This allows the collector to see the union of all flags observed during the flow (e.g., SYN, ACK, FIN). The router also resets an inactivity timer associated with the flow. If the flow has been active for more than the active timeout (default 30 minutes), the router exports the current record immediately and creates a new flow entry for subsequent packets, ensuring long-lived flows are not lost.

3. Flow Aging and Export Trigger

Flows are removed from the cache and exported based on three conditions: (1) Inactive timeout: if no packets arrive for the flow within the inactive timeout (default 15 seconds), the flow is considered finished. (2) Active timeout: if the flow duration exceeds the active timeout (default 30 minutes), it is exported as a long-lived flow. (3) TCP FIN/RST: if the router detects a TCP FIN or RST flag in a packet belonging to the flow, the flow is exported immediately (or after a short hold time). The FIN/RST detection ensures that normal TCP sessions are reported promptly. When a flow is exported, the router creates a NetFlow datagram (UDP) containing one or more flow records. The datagram is sent to the configured collector IP address and UDP port (default 2055 for NetFlow, 4739 for IPFIX). The export packet includes a header with version, sequence number, and system uptime.

4. Collector Receives and Stores Records

The NetFlow collector listens on the configured UDP port. Upon receiving a datagram, it validates the version and sequence number (to detect lost packets). It then parses the flow records. For NetFlow v5, the fields are fixed-length and well-known. For v9/IPFIX, the collector must first receive a template describing the field layout; templates are sent periodically (every 20-30 minutes by default). The collector stores the records in a database (e.g., SQL, Elasticsearch, or flat files). The collector may also perform real-time aggregation, such as summing bytes per source IP or per protocol. The collector's storage capacity must be sized based on the number of flows per second. A typical enterprise might see 50,000 flows per second, requiring ~100 GB per day. The collector also manages timestamps, converting device uptime to absolute time using the device's system clock (often via NTP).

5. Analysis and Reporting

The final step is analysis by a flow analyzer (e.g., SolarWinds NetFlow Traffic Analyzer, PRTG, or open-source nfdump). Analysts query the database to answer questions like: Who are the top talkers? What protocols are consuming bandwidth? Are there flows to known malicious IPs? The analyzer can generate reports on bandwidth usage by application, user, or department. For security, the analyzer may trigger alerts on anomalies: e.g., a host generating flows to 100+ different destination IPs in a minute (possible scanning), or a large outbound flow to a new external IP at 3 AM (possible exfiltration). The analyzer can also correlate flow data with threat intelligence feeds (e.g., lists of known C2 servers). The output is typically presented as dashboards, graphs, and PDF reports. For the exam, know that flow analysis is reactive (after the fact) but can be used for near-real-time monitoring with appropriate tools.
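The export and collector steps above, as an added example written for this chapter (not from the page or any vendor): it packs the fixed-length NetFlow v5 header and records listed earlier, then parses them back the way a collector does, checking the version and length, detecting lost flows from the sequence number, converting uptime-relative timestamps to absolute time, and scaling sampled counters. The flow values, uptimes and sequence numbers are constructed; the sampling-interval field layout (low 14 bits of the header field) is an assumption about the v5 header.

```python
import socket
import struct

# Constructed example (not vendor code): pack and parse NetFlow v5 datagrams.
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte flow record
MAX_RECORDS = 30                                         # v5 limit per datagram

def build_v5_datagram(records, sys_uptime_ms, unix_secs, flow_sequence, sampling=0):
    """Export side: one header followed by up to 30 fixed-length records."""
    if len(records) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    hdr = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                         flow_sequence, 0, 0, sampling)
    body = b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
        r.get("in_if", 0), r.get("out_if", 0), r["packets"], r["octets"],
        r["first_ms"], r["last_ms"], r["sport"], r["dport"],
        0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
        0, 0, 0, 0, 0) for r in records)
    return hdr + body

class V5Collector:
    """Collector side: validate version and length, track sequence gaps, parse records."""
    def __init__(self):
        self.expected_seq = None
        self.lost = 0          # flows the sequence numbers say we never received
        self.flows = []

    def receive(self, datagram):
        (version, count, uptime, secs, nsecs, seq,
         _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
        if version != 5:
            raise ValueError(f"unsupported NetFlow version {version}")
        if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
            raise ValueError("datagram length does not match record count")
        if self.expected_seq is not None and seq != self.expected_seq:
            self.lost += seq - self.expected_seq
        self.expected_seq = seq + count           # v5 sequence counts flows, not packets
        boot_time = secs + nsecs / 1e9 - uptime / 1000.0   # absolute time of uptime zero
        scale = (sampling & 0x3FFF) or 1          # assumed: low 14 bits = interval, 0 = unsampled
        for i in range(count):
            f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
            self.flows.append({
                "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                "sport": f[9], "dport": f[10], "proto": f[13], "tcp_flags": f[12],
                "packets": f[5] * scale, "octets": f[6] * scale,   # extrapolate if sampled
                "start": boot_time + f[7] / 1000.0, "end": boot_time + f[8] / 1000.0,
            })
        return count

def demo():
    recs = [
        {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 443, "proto": 6,
         "packets": 12, "octets": 9100, "first_ms": 5000, "last_ms": 5300, "tcp_flags": 0x1B},
        {"src": "10.0.0.5", "dst": "10.0.0.53", "sport": 40000, "dport": 53, "proto": 17,
         "packets": 1, "octets": 70, "first_ms": 6000, "last_ms": 6000},
    ]
    col = V5Collector()
    col.receive(build_v5_datagram(recs, 10_000, 1_700_000_000, flow_sequence=0))
    # Second datagram claims sequence 5 although only 2 flows preceded it: 3 flows were lost.
    col.receive(build_v5_datagram(recs[:1], 11_000, 1_700_000_001, flow_sequence=5, sampling=100))
    return col
```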

What This Looks Like on the Job

Enterprise Scenario 1: Detecting a Worm Outbreak

A large enterprise with 10,000 endpoints deploys NetFlow on all core routers and distribution switches. The flow collector is a cluster of three servers running Elasticsearch, Logstash, and Kibana (ELK). One day, the security team notices a sudden spike in flows to port 445/TCP (SMB) from multiple internal IPs. The analyzer shows that the number of flows per second jumped from 2,000 to 50,000, and the top talkers are all workstations in the finance department. The team immediately isolates the affected VLAN and runs a packet capture on a sample host. The capture confirms EternalBlue exploit traffic. Without NetFlow, the team would have relied on user complaints or SNMP interface counters, which would not have revealed the specific protocol or the internal spread pattern. The misconfiguration risk here is setting the active timeout too high (e.g., 60 minutes), which would delay detection of the outbreak because flows would not be exported until they age out. The team now uses a 10-minute active timeout for better responsiveness.

Enterprise Scenario 2: Data Exfiltration via DNS Tunneling

A cloud service provider uses NetFlow v9 on its edge routers to monitor traffic to external DNS servers. The security analyst configures the flow analyzer to flag any flow where the destination port is 53/UDP and the byte count exceeds 100 bytes per packet (normal DNS queries are ~50-60 bytes). One alert shows a single internal server sending 1,000 flows to an external DNS server with an average packet size of 512 bytes. The flow records show that the queries are to domains like 'data.example.com' with long subdomains (typical of DNS tunneling). The analyst blocks the external IP and investigates the server. NetFlow was critical because it provided per-flow byte counts, which SNMP cannot. A common mistake is to ignore flow data from internal-to-DNS traffic, assuming it's benign. The team now applies a baseline of normal DNS flow sizes and alerts on deviations.

Enterprise Scenario 3: Capacity Planning and Billing

A university with 30,000 students uses NetFlow for bandwidth billing. Each department is charged based on its external traffic volume. The flow collector aggregates bytes per source IP subnet (assigned to departments). NetFlow v5 is used because it is simple and supported on older routers. The challenge is that NetFlow records are unidirectional, so the collector must sum both ingress and egress flows for each IP. The team discovered that some students were using VPNs, which changed the source IP to the VPN server's IP, causing incorrect billing. The solution was to enable NetFlow on the VPN concentrator as well. Performance considerations: the campus core router handles 10 Gbps and generates 200,000 flows per second. With a 64K flow cache, flow cache overflow causes packet drops. The team increased the cache to 512K flows and enabled sampling (1:100) to reduce CPU load. Misconfiguration: setting the inactive timeout too short (e.g., 5 seconds) caused premature export of flows, resulting in many short-lived flows that overwhelmed the collector. The team adjusted to 30 seconds.

How CS0-003 Actually Tests This

CS0-003 Exam Focus on NetFlow and Traffic Flow Analysis

Objective 1.3: Given a scenario, analyze potential indicators associated with network attacks. The exam expects you to interpret flow data to identify anomalies such as port scans, DDoS, data exfiltration, and beaconing. You must distinguish NetFlow from other monitoring technologies (SNMP, sFlow, packet capture).

Common Wrong Answers and Why Candidates Choose Them:

1. 'NetFlow captures full packet payloads' – Candidates confuse NetFlow with DPI. NetFlow only exports metadata (headers + counters), never payloads. Wrong because they think 'flow' means 'full capture.'
2. 'NetFlow uses TCP for reliable export' – NetFlow traditionally uses UDP (port 2055). IPFIX can use SCTP, but TCP is rare. Candidates see 'reliable' and assume TCP.
3. 'NetFlow v5 supports IPv6' – v5 is IPv4-only. v9 and IPFIX support IPv6. Candidates may not know version differences.
4. 'sFlow provides per-flow byte counts' – sFlow is packet-sampled, not flow-based. It exports packet headers, not aggregated flow records. Candidates confuse sampling with flow aggregation.

Specific Numbers, Values, and Terms That Appear Verbatim:

Default NetFlow UDP port: 2055

IPFIX default port: 4739

Default active timeout: 30 minutes

Default inactive timeout: 15 seconds

NetFlow v5: fixed fields, IPv4 only

NetFlow v9: template-based, flexible

IPFIX: standardized (RFC 7011), vendor-neutral

Flow 5-tuple: src IP, dst IP, src port, dst port, protocol

Edge Cases the Exam Loves:

- Long-lived flows: They are exported every active timeout (30 min) and a new flow starts. The exam may ask what happens to counters.
- TCP FIN/RST: Flows are exported immediately. This is an exception to the timeout-based export.
- Sampled NetFlow: The sampling rate is included in the export. The collector must multiply counters by the sampling ratio to estimate actual traffic.
- Flow asymmetry: NetFlow records are unidirectional. To get bidirectional conversation data, the collector must pair ingress and egress flows (by matching 5-tuple with swapped src/dst).

How to Eliminate Wrong Answers:

If the question asks about 'full packet details,' eliminate NetFlow and choose packet capture.

If it asks about 'real-time per-packet analysis,' eliminate NetFlow (it's post-processing).

If the scenario mentions 'bandwidth usage by application,' NetFlow is correct (with NBAR).

If the question uses 'flow' and 'sampling,' ensure you identify whether it's sFlow (sampled headers) or NetFlow (sampled flows).

Exam Tip: Memorize the default timers and ports. On the exam, you may be given a scenario with abnormal flow export behavior and asked to identify the misconfigured timer.

Key Takeaways

NetFlow exports flow records containing metadata (5-tuple, timestamps, packet/byte counts) via UDP port 2055.

Default active timeout is 30 minutes; inactive timeout is 15 seconds. TCP FIN/RST triggers immediate export.

NetFlow v5 is IPv4-only with fixed fields; v9/IPFIX are template-based and support IPv6 and MPLS.

NetFlow is unidirectional; to get bidirectional conversation data, the collector must pair ingress/egress flows.

NetFlow does NOT capture payloads; it is not a substitute for deep packet inspection.

Common security uses: detecting port scans, DDoS, data exfiltration, and beaconing via flow analysis.

On the exam, know the differences between NetFlow, sFlow, SNMP, and packet capture for given scenarios.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NetFlow

Aggregates packets into flow records based on 5-tuple

Provides per-flow byte and packet counts

Exports records via UDP (default 2055)

Higher overhead on router due to flow cache

Best for bandwidth monitoring and anomaly detection

sFlow

Samples packets at a configured rate (e.g., 1:1000)

Exports raw packet headers (up to 128 bytes) with no aggregation

Exports via UDP (default 6343)

Lower overhead, no flow cache required

Best for real-time traffic analysis and troubleshooting

Watch Out for These

Mistake

NetFlow captures packet payloads, allowing full content inspection.

Correct

NetFlow only exports packet metadata (IP addresses, ports, protocols, counters). It never captures payloads. Deep packet inspection (DPI) is required for payload analysis.

Mistake

NetFlow uses TCP for reliable export of flow records.

Correct

NetFlow traditionally uses UDP (port 2055) for export. IPFIX can use SCTP for reliability, but TCP is not standard. UDP is chosen for speed and low overhead.

Mistake

NetFlow v5 supports IPv6 traffic.

Correct

NetFlow v5 is IPv4-only. IPv6 support was introduced in NetFlow v9 and IPFIX. On the exam, if IPv6 is mentioned, the answer must involve v9 or IPFIX.

Mistake

sFlow provides the same information as NetFlow but with lower overhead.

Correct

sFlow is a packet-sampling technology that exports packet headers, not aggregated flow records. It does not provide per-flow byte counts or conversation summaries. NetFlow gives aggregated flow data.

Mistake

NetFlow can detect malware within encrypted traffic by analyzing payload patterns.

Correct

NetFlow does not inspect payloads, so it cannot detect malware within encrypted traffic. It can only detect anomalies in traffic patterns (volume, timing, destinations) that may indicate malicious activity.


Frequently Asked Questions

What is the difference between NetFlow v5 and v9?

NetFlow v5 has fixed field definitions and supports only IPv4. NetFlow v9 uses templates, allowing flexible field definitions and support for IPv6, MPLS, and VLAN tags. v9 is also the basis for IPFIX. On the exam, if the scenario involves IPv6 or custom fields, the answer is v9 or IPFIX.

What port does NetFlow use by default?

NetFlow uses UDP port 2055 by default. IPFIX uses UDP port 4739. Some vendors use different ports (e.g., 9995 for some collectors). The exam expects 2055 for NetFlow and 4739 for IPFIX.

Can NetFlow detect a DDoS attack?

Yes, but only indirectly. NetFlow can show a sudden spike in traffic volume to a single destination IP or port, or a flood of flows from many sources. However, it cannot identify the attack type (e.g., SYN flood vs UDP amplification) without additional analysis. The exam may ask you to interpret flow data to identify DDoS indicators.

How does NetFlow handle long-lived flows?

When a flow exceeds the active timeout (default 30 minutes), the router exports the current flow record and starts a new flow for subsequent packets. This ensures that long-lived flows are reported periodically. The new flow record will have the same 5-tuple but a new start timestamp.

What is IPFIX and how does it relate to NetFlow?

IPFIX (IP Flow Information Export) is a standardized protocol defined in RFC 7011, based on Cisco NetFlow v9. It is vendor-neutral and supports variable-length fields, making it extensible. The exam expects you to know that IPFIX is the IETF standard for flow export.

Why is NetFlow considered unidirectional?

Each flow record captures packets in one direction only (from source to destination). A bidirectional conversation (e.g., a TCP session) will generate two flow records: one for packets from client to server, and one for server to client. The collector must correlate these by matching the 5-tuple with swapped source and destination.
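The pairing described in this answer and in the "Flow asymmetry" and "Sampled NetFlow" edge cases above, as an added example written for this chapter (not from the page or any collector product): both directions of a conversation are matched on the 5-tuple with source and destination swapped, the record with the earlier start is taken as the client side, and counters are multiplied by the sampling interval. The records, addresses and sampling ratio are constructed; treating the earlier start as the client is a simplifying assumption.

```python
# Constructed example (not from the page or any vendor): pair unidirectional NetFlow
# records into conversations and scale sampled counters back up.
def pair_flows(flows, sampling_interval=1):
    """Each record is a dict with src, dst, sport, dport, proto, first, packets, octets."""
    conv = {}
    for f in flows:
        fwd = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        rev = (f["dst"], f["src"], f["dport"], f["sport"], f["proto"])
        key = min(fwd, rev)          # same key whichever direction the record describes
        conv.setdefault(key, []).append(f)
    conversations = []
    for key, sides in conv.items():
        initiator = min(sides, key=lambda s: s["first"])   # assumption: earliest start = client
        responders = [s for s in sides if s is not initiator]
        back = responders[0] if responders else None
        conversations.append({
            "client": initiator["src"], "server": initiator["dst"],
            "server_port": initiator["dport"], "proto": key[4],
            "bytes_out": initiator["octets"] * sampling_interval,
            "bytes_in": (back["octets"] if back else 0) * sampling_interval,
            "packets": (initiator["packets"] + (back["packets"] if back else 0)) * sampling_interval,
            "one_sided": back is None,   # no reverse record: probe, drop, or asymmetric routing
        })
    return conversations

def rec(src, dst, sport, dport, first, packets, octets):
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=6,
                first=first, packets=packets, octets=octets)

def demo():
    flows = [
        rec("93.184.216.34", "10.0.0.5", 443, 51000, 100.05, 8, 9000),   # server -> client
        rec("10.0.0.5", "93.184.216.34", 51000, 443, 100.00, 10, 1200),  # client -> server
        rec("10.0.0.9", "10.0.1.7", 4000, 445, 200.00, 1, 60),           # probe, no reply record
    ]
    return pair_flows(flows, sampling_interval=100)   # router sampled 1:100
```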

What is the difference between NetFlow and SNMP?

SNMP provides aggregate interface statistics (e.g., total bytes in/out) but no per-conversation data. NetFlow provides per-flow details (who is talking to whom, using which protocol). For security analysis, NetFlow is superior because it reveals individual conversations.
