Blog :: Network Operations :: Security Operations

NetFlow Observation Point: octetDeltaCount

Let’s talk about NetFlow observation point in Cisco NetFlow capable devices, particularly the octetDeltaCount collection. Ingress and egress Netflow  are probably notions we are the most familiar with. However, what exactly is Ingress or Egress NetFlow? At what point were bandwidth utilization values in my NetFlow report metered?

NetFlow Observation PointKEY TERMS

  • Shaper:  Is where traffic shaping occurs. Traffic shaping “allows you to control the traffic going out an interface in order to match its flow to the speed of the remote target interface and to ensure that the traffic conforms to policies contracted for it“, it is basically a process which modifies the traffic. This could be an Access Control List, Rate limiter, etc.
  • MiddleBox Function: is the core function of the device. Example: Traffic Switching.
  • OP(s): Observation Points

What is octetDeltaCount (ODC) ? “The number of octets since the previous report (if any) in incoming packets for this Flow at the Observation Point.  The number of octets includes IP header(s) and IP payload.” If you were to look inside a NetFlow packet, octetDeltaCount represents the bandwidth utilization or the number of bytes associated with the flow.
What is postOctetDeltaCount (PODC) ?: Same as octetDeltaCount,  “except that it reports a potentially modified value caused by a middlebox function after the packet passed the Observation Point.”

In Cisco’s implementation, octetDeltaCount is used for all ingress and egress flow export. As illustrated in the above diagram, there are 3 NetFlow Observation points: The initial traffic shaping process, The middlebox function, and the final traffic shaping process.

OP1: observes the ingress traffic towards the Middlebox function, and reports

  • flowDirection :Ingress
  • octetDeltaCount = ODC1
  • postOctetDeltaCount = PODC1

OP2: observes the Middlebox function and reports.

  • octetDeltaCount = ODC2 where  ODC2 == PODC1
  • There is no direction here.
  • postOctetDeltaCount = PODC2

OP3: observes the egress traffic from the Middlebox function, and reports.

  • flowDirection = Egress
  • octetDeltaCount = ODC3  where ODC3 == PODC2.
  • postOctetDeltaCount = PODC3

The Observation point for ingress is before the Middlebox and the Observation point for egress is after the MiddleBox. That is why Cisco uses octetDeltaCount (ODC3) for egress, at this point any necessary shaping to the traffic has been done (ODC3 == PODC2).  Example: WAAS  compression

Please add a comment, if you know vendors that are doing this differently?

Related

Cisco Zone-Based Firewall Reporting

Today, I will be talking about the Cisco Zone-Based Firewall, including their differences and advantages compared to a Cisco ASA. I will also walk

Find Pokemon GO Network Traffic with NetFlow

Monitor Pokemon Go Network Traffic So there I am monitoring my network with NetFlow and a wild application appears! Pokemon GO hit the scene

Configure Cisco ISE NetFlow

EDIT 5/30/18: There is a newer version of this article available. In order to configure Cisco ISE NetFlow, we’re going to take advantage of