FloMA: Pointers and References

Contents

Note: for NetFlow post-processing software, please see the software section.

General Information on Accounting and Traffic Analysis

Network Analysis Times
Electronic newsletter about NLANR's network analysis activities, and a forum for open discussions and requests for collaboration
Cisco Netflow
Flow-based accounting built into routers. See the software section for pointers to software that processes Netflow accounting data.
NetFlow Howto
"How to build detailed Network Usage Reports using RRDTool, flow-tools, FlowScan, and CUFlow", by Robert S. Galloway
flowmon.org
A Web site for CESNET projects dealing with flow monitoring, including the FlowMon probe and flow processing software. Could be used for other information related to flow monitoring.

Conferences

FloCon
Flow analysis workshops organized by the CERT Coordination Center. The proceedings are available for the 2004, 2005, and 2006 editions.

Papers about NetFlow applications

Properties and Prediction of Flow Statistics from Sampled Packet Streams
Nick Duffield, Carsten Lund, Mikkel Thorup, Proc. ACM SIGCOMM IMC, 2002. A detailed investigation of the effects of packet sampling on flow-based traffic accounting.
TCP Use and Performance on Internet2
Stanislav Shalunov, Benjamin Teitelbaum, ACL SIGCOMM IMW, 2001. See the pointer to the Abilene usage report page in the projects section of these pages.
Traffic analysis and infrastructure monitoring in CESNET2 Network
Tom Kosnar, PAM 2001.
Flow-Based Traffic Analysis at SWITCH
Simon Leinen, PAM 2001 (poster).
FlowScan Presentation and BOF
Dave Plonka, NANOG 21, 2001. Slide presentation and RealVideo recording. Slides also available here.
FlowScan: A Network Traffic Flow Reporting and Visualization Tool
by Dave Plonka, Usenix LISA 2000. Also available in full as HTML and PS, as well as the slides of the presentation.
Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics
by Bill Nickless, John-Paul Navarro, and Linda Winkler, Usenix LISA 2000.
The OSU Flow-tools Package and CISCO NetFlow Logs
by Steve Romig, Mark Fullmer, and Ron Luman, Usenix LISA 2000.
Cisco Flow Logs and Intrusion Detection at the Ohio State University
by Steve Romig, Mark Fullmer, Suresh Ramachandran, Usenix ;login: vol.9, 1999. Describes the use of the OSU flow tools for Intrusion Detection.
Deriving traffic demands for operational IP networks: Methodology and experience
by Anja Feldmann, Albert Greenberg, Carsten Lund, Nick Reingold, Jennifer Rexford, and Fred True, ACM TON, June 2001. Also available: slides from a presentation to the ISMA workshop.

Standardization Efforts

ipfix (IP Flow Information Export)

The IETF ipfix working group has been established in September 2001 in the Operations and Management Area. See its charter on the IETF site for more information and for how to join the mailing list. There was a BOF at the 51th IETF meeting in August 2001.

Jürgen Quittek has written an IPFIX Information Element Browser.

IANA has set up a number of registrations for IPFIX-related parameters:

Documents

See also the IPFIX WG drafts page provided by Henrik Levkowetz.

RFC 3917: Requirements for IP Flow Information Export (IPFIX)
J. Quittek, T. Zseby, B. Claise, S. Zander, October 2004
RFC 3954: Cisco Systems NetFlow Services Export Version 9
B. Claise, Ed., October 2004
RFC 3955: Evaluation of Candidate Protocols for IP Flow Information Export (IPFIX)
S. Leinen, October 2004
RFC 7011: Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information
B. Claise, Ed.,, B. Trammell, Ed.,, P. Aitken, September 2013
RFC 7012: Information Model for IP Flow Information Export (IPFIX)
B. Claise, Ed.,, B. Trammell, Ed., September 2013
RFC 7013: Guidelines for Authors and Reviewers of IP Flow Information Export (IPFIX) Information Elements
B. Trammell,, B. Claise, September 2013
RFC 7014: Flow Selection Techniques
S. D'Antonio, T. Zseby,, C. Henke, L. Peluso, September 2013
RFC 7015: Flow Aggregation for the IP Flow Information Export (IPFIX) Protocol
B. Trammell,, A. Wagner,, B. Claise, September 2013
RFC 5103: Bidirectional Flow Export Using IP Flow Information Export (IPFIX)
B. Trammell, E. Boschi, January 2008
RFC 5153: IPFIX Implementation Guidelines
E. Boschi, L. Mark, J. Quittek, M. Stiemerling, P. Aitken, April 2008
RFC 5470: Architecture for IP Flow Information Export
G. Sadasivan, N. Brownlee, B. Claise, J. Quittek, March 2009
RFC 5471: Guidelines for IP Flow Information Export (IPFIX) Testing
C. Schmoll, P. Aitken, B. Claise, March 2009
RFC 5472: IP Flow Information Export (IPFIX) Applicability
T. Zseby, E. Boschi, N. Brownlee, B. Claise, March 2009
RFC 5473: Reducing Redundancy in IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Reports
E. Boschi, L. Mark, B. Claise, March 2009
RFC 5610: Exporting Type Information for IP Flow Information Export (IPFIX) Information Elements
E. Boschi, B. Trammell, L. Mark, T. Zseby, July 2009
Reporting Unobserved Fields in IPFIX
Paul Aitken, July 2014 (work in progress)
Reporting Equivalent IPFIX Information Elements
Paul Aitken, July 2014 (work in progress)
RFC 6526: IP Flow Information Export (IPFIX) Per Stream Control Transmission Protocol (SCTP) Stream
B. Claise, P. Aitken,, A. Johnson, G. Muenz, March 2012
RFC 6313: Export of Structured Data in IP Flow Information Export (IPFIX)
B. Claise, G. Dhandapani,, P. Aitken, S. Yates, July 2011
RFC 5655: Specification of the IP Flow Information Export (IPFIX) File Format
B. Trammell, E. Boschi, L. Mark, T. Zseby, A. Wagner, October 2009
RFC 6728: Configuration Data Model for the IP Flow Information Export (IPFIX) and Packet Sampling (PSAMP) Protocols
G. Muenz, B. Claise,, P. Aitken, October 2012
Flow-state Dependent Packet Selection Techniques
Ram Krishnan, Ning So, Salvatore D'Antonio, October 2013 (work in progress)
RFC 6615: Definitions of Managed Objects for IP Flow Information Export
T. Dietz, Ed.,, A. Kobayashi,, B. Claise,, G. Muenz, June 2012
Reliable Server Pooling Applicability for IP Flow Information Exchange
Thomas Dreibholz, Lode Coene, Phillip Conrad, July 2014 (work in progress)
RFC 5982: IP Flow Information Export (IPFIX) Mediation: Problem Statement
A. Kobayashi, Ed., B. Claise, Ed., August 2010
RFC 6183: IP Flow Information Export (IPFIX) Mediation: Framework
A. Kobayashi, B. Claise, G. Muenz, K. Ishibashi, April 2011
RFC 7119: Operation of the IP Flow Information Export (IPFIX) Protocol on IPFIX Mediators
B. Claise, A. Kobayashi,, B. Trammell, February 2014
RFC 6235: IP Flow Anonymization Support
E. Boschi, B. Trammell, May 2011
RFC 3423: XACCT's Common Reliable Accounting for Network Element (CRANE) Protocol Specification Version 1.0
K. Zhang, E. Elkin, November 2002
RFC 5695: MPLS Forwarding Benchmarking Methodology for IP Flows
A. Akhter, R. Asati, C. Pignataro, November 2009
RFC 6645: IP Flow Information Accounting and Export Benchmarking Methodology
J. Novak, July 2012
RFC 7133: Information Elements for Data Link Layer Traffic Measurement
S. Kashima, A. Kobayashi, Ed., P. Aitken, May 2014
IPFIX Information Elements for logging NAT Events
Senthil Sivakumar, Renaldo Penno, May 2016 (work in progress)
IPFIX Information Elements for logging IPSec Events
Tom Alexander, Frederic Detienne, Sandeep Rao, Thamilarasu Kandasamy, November 2014 (work in progress)
RFC 7125: Revision of the tcpControlBits IP Flow Information Export (IPFIX) Information Element
B. Trammell, P. Aitken, February 2014
RFC 7373: Textual Representation of IP Flow Information Export (IPFIX) Abstract Data Types
B. Trammell, September 2014
Hybrid Measurement using IPPM Metrics
Brian Trammell, Lianshu Zheng, Sofia Silva, Marcelo Bagnulo, February 2014 (work in progress)
Exporting MIB Variables using the IPFIX Protocol
Paul Aitken, Benoit Claise, Srikar B S, Colin McDowall, Juergen Schoenwaelder, November 2015 (work in progress)
RFC 7270: Cisco-Specific Information Elements Reused in IP Flow Information Export (IPFIX)
A. Yourtchenko,, P. Aitken,, B. Claise, June 2014
Information Elements for IPFIX Metering Process Location
Olivier Festor, Abdelkader Lahmadi, Rick Hofstede, Aiko Pras, January 2014 (work in progress)
RFC 6759: Cisco Systems Export of Application Information in IP Flow Information Export (IPFIX)
B. Claise, P. Aitken,, N. Ben-Dvora, November 2012
An LMAP application for IPFIX
Marcelo Bagnulo, Brian Trammell, February 2013 (work in progress)
Requirements for Application Layer Information Export in IP Flow Information Export (IPFIX)
Peng Fan, July 2013 (work in progress)
Information Elements for Application Layer Information Export
Peng Fan, July 2013 (work in progress)
Extending IP Flow-Based Network Monitoring with Location Information
Olivier Festor, Abdelkader Lahmadi, Rick Hofstede, Aiko Pras, March 2016 (work in progress)
IPFIX Information Elements for inspecting network security issues
Tianfu Fu, Dacheng Zhang, Danping He, Liang Xia, April 2015 (work in progress)
IPFIX Information Element extension for SFC
Nagendra Kumar, Carlos Pignataro, Paul Quinn, July 2016 (work in progress)
IPFIX IE Extensions for DDoS Attack Detection
Tianfu Fu, DaCheng Zhang, Liang Xia, Min Li, June 2016 (work in progress)
TinyIPFIX for smart meters in constrained networks
Corinna Schmitt, Burkhard Stiller, Brian Trammell, June 2016 (work in progress)
Export BGP community information in IP Flow Information Export (IPFIX)
Zhenqiang Li, Rong Gu, Jie Dong, July 2016 (work in progress)

RTFM (Real-Time Flow Measurement) IETF Working Group

This group is standardizing protocols to configure and access traffic meters which perform flow capture, filtering, and aggregation. RTFM flows are bidirectional. See the software section for pointers to RTFM implementations, and the references page for pointers to RFCs and working documents.

PSAMP (Packet Sampling) IETF Working Group

Documents

RFC 5474: A Framework for Packet Selection and Reporting
N. Duffield, Ed., D. Chiou, B. Claise, A. Greenberg, M. Grossglauser, J. Rexford, March 2009
RFC 5475: Sampling and Filtering Techniques for IP Packet Selection
T. Zseby, M. Molina, N. Duffield, S. Niccolini, F. Raspall, March 2009
RFC 5476: Packet Sampling (PSAMP) Protocol Specifications
B. Claise, Ed., A. Johnson, J. Quittek, March 2009
RFC 5477: Information Model for Packet Sampling Exports
T. Dietz, B. Claise, P. Aitken, F. Dressler, G. Carle, March 2009
RFC 6727: Definitions of Managed Objects for Packet Sampling
T. Dietz, Ed.,, B. Claise, J. Quittek, October 2012

sFlow

sFlow is an emerging multi-vendor, flow monitoring technology making use of statistical sampling. sFlow.org is an international, multi-vendor forum and gathering place for developers and users of products, services and tools based on the sFlow traffic monitoring technology. The Web site features lists of network devices capable of generating sFlow data, of sFlow applications, and of sFlow-related documents.

NEW: There's also a blog on blog.sflow.com that contains a lot of information about the sFlow protocol and recent developments, particularly in data center network monitoring.

RFC 3176: InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks
P. Phaal, S. Panchen, N. McKee, September 2001
Traffic Monitoring using sFlow, InMon Corp., 2001.
Overview of sFlow including a comparison with other accounting technologies.
sFlow - I can feel your traffic, E. Jasinska, Chaos Computer Congress, Dec. 2006. (alternative link from Elisa's home page)
Describes the use of sFlow for traffic accounting at AMS-IX, the world's busiest Internet exchange point. Includes notes about performance limitations of some implementations, in particular on Foundry Networks switches. See also the slides that accompanied the presentation.
Building Business Intelligence from the Network
Foundry Networks, 2001.
Foundry Enterprise Configuration and Management Guide
Foundry Networks, 2001.

IPDR.org

A membership-based industry initiative to standardize an IP-based usage record format and delivery protocol (NDMU) and keep a repository of NDMU specifications for common higher-level service definitions and core and optional usage metrics.

20060430