Using NAM Probe flow collectors for NetFlow analysis

In the NAM deployment architecture, a flow collector is one of the services running on a NAM Probe, while other services may at the same time be used for passive traffic monitoring of a data center.

Information available through NetFlow analysis

In a NetFlow-enabled device, each IP packet that passes through the router is examined for a set of IP packet attributes:

  • IP source and destination addresses
  • Source and destination ports
  • Layer 3 protocol type
  • Class of Service
  • Router interface

These attributes comprise an IP packet’s identity, which is used by the router to determine whether the packet is unique or is similar to other packets. All packets with the same source/destination IP address, source/destination ports, protocol interface, and class of service are grouped into a flow. The flows are stored as flow records in the router’s NetFlow cache database. At the expiration of device timers, all flow records in the NetFlow cache are exported as NetFlow packets to the destinations listed in the router's export configuration settings.

NAM Probes as flow collectors

A NAM Probe can be named as a NetFlow export destination.

A NAM Probe flow collector process (service) operates in the same way as a traffic monitoring service, in that it analyzes received data and stores the statistics from a given period (monitoring interval) in a database record. The data record is then forwarded to a requesting reporting server.

Before storing the statistics, NAM Probe flow collectors analyze the raw FlowSet information by applying built-in and user-defined software service definitions. The definitions allow for the identification of observed software services, based on IP address and TCP/UDP port and socket number.