To track IP traffic flows and record metadata, IT professionals use network flow monitoring protocols and supporting solutions to collect and analyze data. The most common of these is NetFlow, an industry-standard protocol that samples input from an IP device, commonly referred to as “flow.” Packets of data arrive through a router or switch, and an IP sampler will log a new flow if the packets contain information such as source/destination address, source/destination port and what protocols the network is using.
IT professionals often use the term NetFlow generically to describe the various flow records in networking. While that is technically true, there are several distinct variants of NetFlow: J-Flow, sFlow and Internet Protocol Flow Information Export (IPFIX).
For the letter J in our ABCs of ITIM series, we cover J-Flow and other types of IP samplers. Readers will learn the differences between J-Flow, NetFlow and other protocols, as well as how IT professionals can analyze flow data.
Juniper Networks and J-Flow Explained
While we won’t turn this blog into a history lesson, we should still touch upon Juniper Networks, the company from which J-Flow takes its name.
Founded in 1996, Juniper Networks started out developing data packet-based routers optimized for Internet traffic. The idea came from company founder Pradeep Sindhu while on vacation from his previous job as a research scientist at Xerox. This being the early days of the World Wide Web, Juniper Networks was at the right place to create solutions involving the intersection of the Internet and enterprise networks.
So, where does J-Flow come into the picture? While it is difficult to pinpoint when it was introduced, some sources say it was introduced in 1996—the same year Cisco debuted NetFlow to the public. However, it’s more important to discuss what J-Flow is.
J-Flow is Juniper Networks’ flow monitoring protocol. J-Flow is a proprietary network protocol, meaning it may only work with specific Juniper products. But, generally speaking, J-Flow is compatible with NetFlow. Its core differentiator from NetFlow is that the timestamps of the exported flow data are preserved for the whole network session, which requires slightly different handling on the collector side.
What Are NetFlow, sFlow and Other Types of Network Flow?
NetFlow and its many variations and updates (more on those below) is the network standard for collecting IP traffic information and monitoring telemetry data. NetFlow enables exporters, which are routers and switches, to generate aggregated traffic statistics, which provide a snapshot of bandwidth utilization, communication partners and client activity. Another version of NetFlow includes Flexible NetFlow, which offers pliability on flow export configuration and customization within critical fields.
Sampled Flow, or sFlow, is an industry-standard technology that monitors high-speed switched networks. The difference between sFlow and NetFlow is that sFlow does not work with the concept of a flow cache or the aggregation of metadata extracted from packets into flows. sFlow data is quickly produced and compatible with many entry-level enterprise switches. Sampled packet headers are encoded into a NetFlow-like format and exported to the collector. Because of the heavy sampling rates, sFlow data is usually not accurate enough for troubleshooting use cases or network-based anomaly detection.
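As an added illustration (not code from the original post), the Python below aggregates constructed packet headers into flow records keyed by the classic NetFlow 5-tuple (source/destination address, ports, protocol) with active and inactive timeouts, and beside it runs a 1-in-N packet sampler with no cache, sFlow style, so that the flows the sampler never produces a record for can be listed. The timeout values, addresses, packet sizes and sampling rate are assumed.

```python
# Added example (not from the original post): a NetFlow-style flow cache beside
# an sFlow-style packet sampler, run over constructed packet headers.

# Constructed packet headers: (timestamp_s, src, dst, sport, dport, proto, bytes)
PACKETS = [
    (0.0, "10.0.0.5", "198.51.100.10", 51000, 443, 6, 120),
    (0.1, "198.51.100.10", "10.0.0.5", 443, 51000, 6, 1400),
    (0.2, "10.0.0.5", "198.51.100.10", 51000, 443, 6, 80),
    (0.3, "10.0.0.7", "10.0.0.53", 40001, 53, 17, 70),      # two-packet DNS exchange
    (0.4, "10.0.0.53", "10.0.0.7", 53, 40001, 17, 150),
    (5.0, "10.0.0.5", "198.51.100.10", 51000, 443, 6, 1400),
    (70.0, "10.0.0.5", "198.51.100.10", 51000, 443, 6, 60),  # same 5-tuple after a long idle gap
]

ACTIVE_TIMEOUT = 60.0    # assumed values; real exporters make both configurable
INACTIVE_TIMEOUT = 15.0


def flow_key(pkt):
    """The classic NetFlow key: source/destination address, ports and protocol."""
    _, src, dst, sport, dport, proto, _ = pkt
    return (src, dst, sport, dport, proto)


def flow_cache(packets, active=ACTIVE_TIMEOUT, inactive=INACTIVE_TIMEOUT):
    """Aggregate every packet into flow records; export on timeout and at shutdown."""
    cache, exported = {}, []
    for pkt in packets:
        ts, size = pkt[0], pkt[6]
        # Expire idle or long-running entries before touching the cache.
        for key, rec in list(cache.items()):
            if ts - rec["last"] > inactive or ts - rec["first"] > active:
                exported.append(cache.pop(key))
        key = flow_key(pkt)
        rec = cache.setdefault(key, {"key": key, "first": ts, "last": ts,
                                     "packets": 0, "bytes": 0})
        rec["last"] = ts
        rec["packets"] += 1
        rec["bytes"] += size
    exported.extend(cache.values())   # flush whatever is still open
    return exported


def sampled_flows(packets, rate):
    """sFlow style: keep every rate-th packet header, scale counters by the rate, no cache."""
    est = {}
    for i, pkt in enumerate(packets):
        if i % rate:
            continue
        rec = est.setdefault(flow_key(pkt), {"packets": 0, "bytes": 0})
        rec["packets"] += rate
        rec["bytes"] += pkt[6] * rate
    return est


def missed_by_sampler(packets, rate):
    """Flows the full cache saw that the sampler never produced a record for."""
    return {r["key"] for r in flow_cache(packets)} - set(sampled_flows(packets, rate))


if __name__ == "__main__":
    for rec in flow_cache(PACKETS):
        print(rec)
    print("sampled 1-in-4:", sampled_flows(PACKETS, 4))
    print("flows missed by sampling:", missed_by_sampler(PACKETS, 4))
```

Run as a script it prints both views. The interesting result is the set returned by missed_by_sampler: at a 1-in-4 rate the two-packet DNS exchange and the server-to-client half of the TLS conversation never appear at all, which is the practical reason sampled data is weak for troubleshooting individual conversations even though its scaled totals are fine for capacity views.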
IPFIX (or NetFlow V10) is an independent international standard that enables vendors of flow-based monitoring tools to define their own protocol extensions to export any information from Layer 2 to Layer 7. IPFIX is crucial to delivering exceptional network visibility without requiring continuous packet capture.
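An added example, not from the original post, of the IPFIX wire format this paragraph refers to: it builds one message with a template set and a data set using IANA-registered information elements, then parses it back the way a collector would, dropping any data set whose template it has not seen. The template id (256), export time, observation domain and the two sample flow records are assumed.

```python
# Added example (not from the original post): build one IPFIX message with a
# template set and a data set, then parse it back as a collector would.
import struct
import ipaddress

# IANA-registered IPFIX information elements: name -> (element id, length in bytes)
IE = {
    "octetDeltaCount": (1, 8),
    "packetDeltaCount": (2, 8),
    "protocolIdentifier": (4, 1),
    "sourceTransportPort": (7, 2),
    "sourceIPv4Address": (8, 4),
    "destinationTransportPort": (11, 2),
    "destinationIPv4Address": (12, 4),
}
ID_TO_NAME = {eid: name for name, (eid, _) in IE.items()}
TEMPLATE_SET_ID = 2      # set id 2 carries templates; set ids >= 256 are data sets
TEMPLATE_ID = 256        # assumed template id chosen by the exporter
FIELDS = ["sourceIPv4Address", "destinationIPv4Address", "sourceTransportPort",
          "destinationTransportPort", "protocolIdentifier", "packetDeltaCount",
          "octetDeltaCount"]

# Constructed flow records to export
SAMPLE = [
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "198.51.100.10",
     "sourceTransportPort": 51000, "destinationTransportPort": 443,
     "protocolIdentifier": 6, "packetDeltaCount": 3, "octetDeltaCount": 1600},
    {"sourceIPv4Address": "10.0.0.7", "destinationIPv4Address": "10.0.0.53",
     "sourceTransportPort": 40001, "destinationTransportPort": 53,
     "protocolIdentifier": 17, "packetDeltaCount": 1, "octetDeltaCount": 70},
]


def encode_field(name, value):
    eid, length = IE[name]
    if name.endswith("IPv4Address"):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def decode_field(name, raw):
    if name.endswith("IPv4Address"):
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_message(records, export_time=1700000000, seq=0, domain=1):
    """IPFIX message = 16-byte header, then sets, each with a 4-byte (id, length) header."""
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    tmpl += b"".join(struct.pack("!HH", *IE[n]) for n in FIELDS)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    data = b"".join(encode_field(n, r[n]) for r in records for n in FIELDS)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain) + body


def parse_message(buf):
    """Return the decoded data records; data sets whose template is unknown are dropped."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", buf[:16])
    if version != 10 or length > len(buf):
        raise ValueError("not a complete IPFIX message")
    templates, records, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", buf[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")       # never trust length fields from the wire
        body, pos = buf[pos + 4:pos + set_len], pos + set_len
        if set_id == TEMPLATE_SET_ID:
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
                spec = []
                for _ in range(count):
                    if off + 4 > len(body):
                        raise ValueError("truncated template record")
                    eid, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
                    if eid & 0x8000:                 # enterprise-specific element: skip its 4-byte PEN
                        off += 4
                    spec.append((eid & 0x7FFF, flen))
                templates[tid] = spec
        elif set_id >= 256 and set_id in templates:
            spec = templates[set_id]
            rec_len, off = sum(flen for _, flen in spec), 0
            if rec_len == 0:
                continue
            while off + rec_len <= len(body):
                rec = {}
                for eid, flen in spec:
                    name = ID_TO_NAME.get(eid, "ie%d" % eid)
                    rec[name] = decode_field(name, body[off:off + flen]); off += flen
                records.append(rec)
    return records


if __name__ == "__main__":
    msg = build_message(SAMPLE)
    print(len(msg), "bytes on the wire")
    for rec in parse_message(msg):
        print(rec)
```

Because the data set only carries a template id and raw bytes, a collector that missed the template set cannot interpret the records, which is why exporters resend templates periodically and why the parser above silently drops data sets it has no template for rather than guessing at field boundaries.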
NEL and NSEL
Network Event Logging (NEL) refers to logs from network address translation. Network Security Event Logging (NSEL) refers to firewall logs produced by Cisco ASA. NetFlow v9 transports these logs to the collector, but this data cannot be considered real NetFlow, since the information provided in NEL or NSEL cannot reconstruct an accurate picture of network traffic.
Public cloud platforms have been providing a new technology called FlowLogs, which enables network traffic monitoring and uses a flow-based approach. Usually, FlowLogs are provided through specific APIs provided by cloud platforms in CSV or JSON format. These flows require conversion to traditional flow formats for collection and further processing on standard traffic monitoring platforms. With Amazon AWS, FlowLogs are usually referred to as VPC FlowLogs; in Microsoft Azure, it is known as NSG FlowLogs.
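An added example (not part of the original post) of the conversion step described above: it reads AWS VPC Flow Log lines in the default space-separated format and turns them into NetFlow-like records, skipping the header row and the NODATA rows whose tuple fields are just dashes. The log lines, account id and interface id are constructed placeholders; the field order is that of the AWS default (version 2) format.

```python
# Added example (not from the original post): normalize AWS VPC Flow Log lines
# (default, space-separated format) into NetFlow-like records.
from dataclasses import dataclass

# Field order of the AWS default (version 2) flow log format
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample: a header row as delivered to S3, then flow lines.
# Account and ENI ids are placeholders, not real identifiers.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 111111111111 eni-0placeholder0 10.0.1.10 10.0.2.20 49152 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0placeholder0 198.51.100.7 10.0.1.10 55555 22 6 3 180 1700000001 1700000031 REJECT OK
2 111111111111 eni-0placeholder0 - - - - - - - 1700000030 1700000090 - NODATA
2 111111111111 eni-0placeholder0 10.0.1.10 10.0.0.2 40000 53 17 1 70 1700000005 1700000005 ACCEPT OK
"""


@dataclass
class FlowRecord:
    """The fields a NetFlow/IPFIX collector expects, plus the cloud-only action verdict."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int        # IP protocol number: 6 TCP, 17 UDP
    packets: int
    octets: int
    first: int        # capture window start, unix seconds
    last: int         # capture window end, unix seconds
    action: str       # ACCEPT or REJECT: the security group / network ACL verdict

    @property
    def duration(self):
        return self.last - self.first


def parse_vpc_flow_logs(text):
    """Return (records, skipped): rows without a usable flow tuple are counted, not converted."""
    records, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":   # header row, blank line, other versions
            skipped += 1
            continue
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":                       # NODATA / SKIPDATA: tuple fields are '-'
            skipped += 1
            continue
        records.append(FlowRecord(
            src=row["srcaddr"], dst=row["dstaddr"],
            sport=int(row["srcport"]), dport=int(row["dstport"]), proto=int(row["protocol"]),
            packets=int(row["packets"]), octets=int(row["bytes"]),
            first=int(row["start"]), last=int(row["end"]), action=row["action"],
        ))
    return records, skipped


if __name__ == "__main__":
    recs, skipped = parse_vpc_flow_logs(SAMPLE_LOG)
    print("converted", len(recs), "records, skipped", skipped, "rows")
    for r in recs:
        print(r)
```

Two things differ from router-exported flow data and are worth keeping in mind when feeding such records into a traditional collector: the start and end times are the boundaries of a capture window rather than the first and last packet of the flow, and the ACCEPT/REJECT verdict has no NetFlow counterpart, so it is carried as an extra field rather than mapped onto an existing one.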
How Does a J-Flow Traffic Analyzer Work?
Like other flow monitoring protocols, J-Flow monitoring involves collecting traffic flow data and using it to support troubleshooting and interpretation.
J-Flow traffic analysis tools start by monitoring data packets that come through a network. Those packets of data coming through the stream can be sampled when enabled on an interface. J-Flow records network activity from the configured devices and saves the information for an administrator to analyze.
What are the Benefits of Using a J-Flow Monitoring Tool?
With an IT monitoring tool, network administrators can mitigate several problems and gain greater network insight. Benefits include:
- Monitor who is using the network and when: Easily see who is connected to the network at any given time.
- Understand the impact of potential application and network traffic changes: J-Flow statistics can be used to measure how application and policy changes affect traffic.
- Understand network pain points and troubleshoot issues: J-Flow analytics can diagnose slow network performance, recognize who is using the most bandwidth and quickly characterize bandwidth utilization via the representation of traffic totals and traffic details.
- Detect unauthorized wide area network (WAN) traffic: With J-Flow analysis, network administrators can identify the applications creating traffic congestion, verify legitimacy and adjust delivery policies. By observing the WAN, IT can understand traffic patterns and loads, fine-tune operations and avoid expensive upgrades.
- Detect DDoS and security anomalies: Administrators and network engineers can utilize J-Flow to detect DoS/DDoS and other types of network behavior anomalies.
- Validate Quality of Service parameters: J-Flow analysis can confirm that appropriate bandwidth is assigned to each Class of Service (CoS) and that no CoS is over- or under-subscribed.
How Progress WhatsUp Gold Supports J-Flow, NetFlow and sFlow Data Coming from Routers and Switches
Network flows are a network administrator’s hidden secret. Network flow monitoring is often the best way to resolve intermittent network performance problems and ensure Quality of Service (QoS) for key applications and services. Also referred to as network traffic analysis, bandwidth utilization analysis or bandwidth monitoring, network flow monitoring gives you the visibility essential to effective network and infrastructure management.
WhatsUp Gold’s Network Traffic Analysis (NTA) feature monitors network flow, offering IT teams greater visibility into who and what is consuming bandwidth and who is connecting to suspicious network ports. NTA also collects NetFlow, sFlow and J-Flow records from routers and switches and converts them into reports for your team.
IT can merge and categorize flow data from multiple devices and ports based on business function. From there, WhatsUp Gold generates reports by business unit or function instead of by the individual ports the traffic comes from. The reporting and threshold alerting engines build on this grouping to give IT a swift response capability for traffic bottlenecks.
Using Simple Network Management Protocol (SNMP), WhatsUp Gold determines which devices connected to the network are “flow capable.” It can automatically configure those devices to forward records with all appropriate timeouts and flow collector parameters configured. This feature enables IT and network teams to become “flow experts” themselves, focusing on analyzing the results of the reports without having to do additional configuration.
While IT can try to diagnose a slow network without complete visibility into QoS, it is far from ideal. With WhatsUp Gold, you have full real-time visibility to manage bandwidth utilization and ensure optimal network performance. For example, a Network Based Application Recognition (NBAR) Applications report offers a complete view of NBAR traffic so any IT pro can accurately diagnose application performance issues and bandwidth constraints without digging deeper into the traffic flows.
Lastly, you can set up multiple configurable thresholds and track the following: traffic volume between conversation pairs, failed connections per host, top senders and receivers and specific interfaces over time. IT can spot traffic problems early with WhatsUp Gold's custom configurable thresholds. When the configured points exceed their limits, administrators get alerts, ongoing indications that help network managers proactively troubleshoot, resolve performance bottlenecks and eliminate malicious network behavior.
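An added example (not WhatsUp Gold code and not from the original post) of threshold checks of the kind described above, run over constructed NetFlow-style records: top senders by bytes, traffic volume between conversation pairs, and failed connections per host counted from the TCP control bits carried in NetFlow v9/IPFIX records (a SYN that never saw an ACK). The threshold values and the flow records themselves are assumed.

```python
# Added example (not from the original post): threshold alerting over constructed
# NetFlow-style flow records.
from collections import Counter

SYN, ACK = 0x02, 0x10   # tcpControlBits values as carried in NetFlow v9 / IPFIX

# Constructed flow records: (src, dst, sport, dport, proto, tcp_flags, packets, bytes)
FLOWS = [
    ("10.0.0.5", "198.51.100.10", 51000, 443, 6, SYN | ACK, 300, 450000),
    ("198.51.100.10", "10.0.0.5", 443, 51000, 6, SYN | ACK, 280, 3900000),
    ("10.0.0.7", "10.0.0.53", 40001, 53, 17, 0, 1, 70),
    ("10.0.0.9", "10.0.0.21", 44000, 445, 6, SYN, 1, 60),      # one host, five handshakes
    ("10.0.0.9", "10.0.0.22", 44001, 445, 6, SYN, 1, 60),      # that never completed
    ("10.0.0.9", "10.0.0.23", 44002, 445, 6, SYN, 1, 60),
    ("10.0.0.9", "10.0.0.24", 44003, 3389, 6, SYN, 1, 60),
    ("10.0.0.9", "10.0.0.25", 44004, 3389, 6, SYN, 1, 60),
    ("10.0.0.5", "10.0.0.21", 45000, 445, 6, SYN, 1, 60),      # a single failure is normal noise
]

# Assumed thresholds; in a real deployment these are tuned per site
THRESHOLDS = {"pair_bytes": 1_000_000, "failed_per_host": 4, "top_n": 3}


def top_senders(flows, n):
    """Senders ranked by bytes sent, highest first."""
    totals = Counter()
    for src, _, _, _, _, _, _, size in flows:
        totals[src] += size
    return totals.most_common(n)


def conversation_volume(flows):
    """Bytes per unordered address pair, so both directions count toward one conversation."""
    vol = Counter()
    for src, dst, *_, size in flows:
        vol[tuple(sorted((src, dst)))] += size
    return vol


def failed_connections(flows):
    """TCP flows whose control bits show a SYN but no ACK: the handshake never completed."""
    counts = Counter()
    for src, _, _, _, proto, flags, _, _ in flows:
        if proto == 6 and flags & SYN and not flags & ACK:
            counts[src] += 1
    return counts


def evaluate(flows, th=THRESHOLDS):
    """Return alert strings for every threshold that has been crossed."""
    alerts = []
    for (a, b), size in sorted(conversation_volume(flows).items()):
        if size > th["pair_bytes"]:
            alerts.append("volume %s<->%s: %d bytes" % (a, b, size))
    for host, n in sorted(failed_connections(flows).items()):
        if n >= th["failed_per_host"]:
            alerts.append("failed connections from %s: %d" % (host, n))
    return alerts


if __name__ == "__main__":
    print("top senders:", top_senders(FLOWS, THRESHOLDS["top_n"]))
    for alert in evaluate(FLOWS):
        print("ALERT", alert)
```

Counting failed connections from control bits rather than from packet counts is the usual approach because a one-packet flow can also be a legitimate UDP query, whereas a TCP flow that carries only a SYN is unambiguous. The thresholds are deliberately plain numbers here; the same checks are normally evaluated per time window so that the counts reset and an alert clears once the behaviour stops.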
Learn More About Flow Types
Whether it is J-Flow, NetFlow or one of the other protocols, tracking and analyzing these network flow protocols makes all the difference in the world when it comes to knowing when and where the traffic is coming from.
View All of The ABCs of Infrastructure Monitoring
Looking to start on the basics of IT infrastructure monitoring? Our alphabetized index is an excellent place to begin or extend your education. View all of our current topics.