Unleashing the Power of NetFlow and IPFIX: A Practical Guide

Author:  Michael Allen Patterson and seven contributors

Softcover:  155 pages

Publisher:  Plixer International, Inc. (2012)

ISBN-13:  978-0-615-68964-7

List Price:  $40 from Plixer at plixer.com/Book-Order-Form.pdf

 

Reviewed by William Flanagan

The value in this small volume is the practicality of its guidance.  The author clearly knows his stuff and shares his insight with the reader.  For example, there are recommendations for choosing between NetFlow and IPFIX based on what you want to monitor and what information you want to collect.

The basic NetFlow tuple defines a flow:  IP addresses, port numbers, source interface, protocol and type of service.  The management system applies the tuple as a filter to identify each flow and count the number of packets and basic errors per flow.  Patterson makes it clear that NetFlow/IPFIX can handle any information if it has a standard format.  To capture that information, add a field to the tuple that defines a flow.  It could collect a time stamp, TOS bits from the TCP header, MAC address, the next-hop routing address, or anything else the hardware can report.

Other ideas of what to monitor include reports from firewalls on attempted breaches, authentication events, and whatever is important to a network manager.  Deep packet inspection in the hardware that collects the tuples can identify applications, like Skype, that use a port commonly assigned to another application.

Making sense of so much information requires some creativity in sorting and displaying results.  Patterson recommends a dashboard widget that color-codes (R/Y/G) the numbers for quick perception of problems.

Chapters focus on practical ways to use the data collected in daily management.  Knowing what flows are doing simplifies troubleshooting slow applications or high utilization levels.  If the tuple contains the right information (e.g. application, user) the reports can help identify excessive users, malware and jabbering hosts.  That is, NetFlow can help you find the bad guys.
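To make the two ideas above concrete (the tuple as the filter that decides which packets belong to one flow, and flow reports used to spot a jabbering host), here is a small worked example. It is added for this review and is not code from the book or from Plixer; the packet records are constructed, and the field names, the `next_hop` extension field and the flow-count threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed packet records (not from the book): one dict per packet holding the
# header fields an exporter would read off the wire.  "in_if" is the ingress
# interface index; as the book's hint says, it should be the same ifIndex SNMP uses.
_A = "10.0.0.5"   # ordinary client with one long TCP session
_B = "10.0.0.9"   # chatty client opening a new UDP flow per packet

SAMPLE_PACKETS = [
    {"src_ip": _A, "dst_ip": "10.0.1.20", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_if": 2, "bytes": 1200, "next_hop": "10.0.1.1"},
    {"src_ip": _A, "dst_ip": "10.0.1.20", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_if": 2, "bytes": 60, "next_hop": "10.0.1.1"},
    # Same session, but the route changed: only an extended key notices this.
    {"src_ip": _A, "dst_ip": "10.0.1.20", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_if": 2, "bytes": 1500, "next_hop": "10.0.1.2"},
    # Same session again, but marked with a different ToS: a separate flow in NetFlow.
    {"src_ip": _A, "dst_ip": "10.0.1.20", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 184, "in_if": 2, "bytes": 100, "next_hop": "10.0.1.1"},
] + [
    # Six DNS queries, each from a fresh source port, so each is its own flow.
    {"src_ip": _B, "dst_ip": "10.0.1.53", "src_port": 40000 + i, "dst_port": 53,
     "protocol": 17, "tos": 0, "in_if": 3, "bytes": 80, "next_hop": "10.0.1.1"}
    for i in range(1, 7)
]

# The classic seven-field NetFlow key described in the review.
NETFLOW_KEY = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "in_if")


def build_flow_cache(packets, key_fields=NETFLOW_KEY):
    """Apply the tuple as a filter: packets that agree on every key field are one
    flow.  Returns {key_tuple: {"packets": n, "bytes": b}}.  Passing a longer
    key_fields (e.g. NETFLOW_KEY + ("next_hop",)) is the "add a field to the
    tuple" step; anything the hardware can report can become part of the key."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        key = tuple(pkt[field] for field in key_fields)
        cache[key]["packets"] += 1
        cache[key]["bytes"] += pkt["bytes"]
    return dict(cache)


def flows_per_source(cache, key_fields=NETFLOW_KEY):
    """Count the distinct flows each source address originated."""
    src_pos = key_fields.index("src_ip")
    counts = defaultdict(int)
    for key in cache:
        counts[key[src_pos]] += 1
    return dict(counts)


def jabbering_hosts(cache, threshold, key_fields=NETFLOW_KEY):
    """Report hosts that opened more than `threshold` distinct flows in the window.
    The threshold is an assumption for this example; tune it per network."""
    counts = flows_per_source(cache, key_fields)
    return sorted(host for host, n in counts.items() if n > threshold)


def top_talkers(cache, key_fields=NETFLOW_KEY):
    """Bytes sent per source address, largest first, for a utilization report."""
    src_pos = key_fields.index("src_ip")
    totals = defaultdict(int)
    for key, stats in cache.items():
        totals[key[src_pos]] += stats["bytes"]
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    cache = build_flow_cache(SAMPLE_PACKETS)
    print(f"{len(cache)} flows with the 7-field key")
    extended = build_flow_cache(SAMPLE_PACKETS, NETFLOW_KEY + ("next_hop",))
    print(f"{len(extended)} flows once next_hop is added to the key")
    print("top talkers by bytes:", top_talkers(cache))
    print("jabbering hosts (>3 flows):", jabbering_hosts(cache, threshold=3))
```

Run stand-alone, the report shows eight flows with the standard key and nine once `next_hop` joins it, because the route change splits the client's TCP session in two. The same cache, read per source address, flags the DNS client that opened six flows while moving far fewer bytes than the ordinary client, which is the "jabbering host" pattern the review mentions.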

The tone of the writing is conversational and easy to read.  Boxed comments set in bold type call out key hints:

  • To export a non-standard data element use IPFIX rather than NetFlow.
  • Never export personal information.
  • Make sure the index that identifies an exported element like ingress port is the same index used by SNMP.

The screen shots are reproduced in color, which works much better than the monochrome images in most books, particularly for the dashboards.

Though packed with information, the book is also a bit of a tease.  Patterson is a consultant and software vendor who works with NetFlow and IPFIX.  As helpful as the book is, it also implies there is much more available from the source.

I can’t let a volume’s shortcomings go unmentioned.  This one lacks an index, though the Contents is quite detailed.  There are also more typos than average, including duplicated words and sentences, though that is tolerable in a very informative book.
