Frequently Asked Questions

1. What is network flow?

Network flow is the equivalent of a 'pen register' for Internet traffic: http://en.wikipedia.org/wiki/Pen_register .

Conceptually, a pen register for Internet traffic is a record of "who communicated with whom; when did they communicate; how much did they communicate; and over what channels did they communicate", without including the actual content of any communications.

2. How is flow analysis useful?

Flow analysis is useful in many ways: it helps pinpoint network bottlenecks, find causes of slowdowns, and see sources of attacks or information leaks, all without doing computationally expensive and privacy issue-raising content analysis.

Also, since the total number of network flows grows very slowly over time in comparison to the growth in bandwidth utilization, flow analysis is scalable far into the future. This is counterintuitive, because the size of each of our communications is growing rapidly. But because network flow is like an Internet pen register, it records when a conversation took place, between whom, what application was used, and how long it took. The actual number of bytes transferred is inconsequential to the size of the record, as none of the content bytes are saved.

This means that a flow record for a short and small communication (for instance, a DNS lookup) takes just as much space to store as a large communication (for instance, a streaming video). Longer conversations don't take any more space in a session database!

Over the years, network communications have grown exponentially in volume, but only linearly in count. On average, each network user only produces twice the number of flows than they did two years ago, even though each flow is eight times as large on average. This is why flow analysis will scale, while packet captures won't.

3. What are the privacy concerns surrounding flow analysis?

Although it is true that no content is retained in flow analysis, in some cases the source and destination of traffic can still reveal a lot of information by inference.

For instance, suppose flow analysis is used to monitor a network with an 'acceptable use policy' in place. The policy states that employees must not use corporate email for personal reasons. Even though the 'To:' and 'From:' fields of an email are not contained in flow records, one can still tell to which server the connection was made, and that the email protocol (SMTP) was used.

This means that an employee communicating with their spouse who works at 'mysmallbusiness.com' will quickly be found to be in violation of policy, while another employee communicating with a friend at 'gmail.com' won't, since legitimate customers might be using Gmail for their communications.

Keep in mind, however, that in both cases the content of the emails remains private.
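The following Python script is an added example, not FlowTraq's code, that ties questions 1 to 3 together: it folds constructed packet observations into flow records the way an exporter does, shows that every record encodes to the same fixed size whether it summarizes a two-packet DNS lookup or a 3 MB video download, and then performs the SMTP inference from question 3 using nothing but the tuple fields. The packet list, the record layout, the IP addresses (documentation ranges) and the function names are all assumptions made for this example.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO = {"tcp": 6, "udp": 17}  # IANA protocol numbers

# Constructed packet observations, as a tap or mirror port would present them:
# (timestamp, src_ip, dst_ip, proto, src_port, dst_port, bytes)
PACKETS = [
    # a DNS lookup: one tiny packet each way
    (100.0, "10.0.0.5", "10.0.0.53", "udp", 40123, 53, 64),
    (100.1, "10.0.0.53", "10.0.0.5", "udp", 53, 40123, 120),
    # an SMTP session from a workstation to an external mail server
    (101.0, "10.0.0.5", "203.0.113.25", "tcp", 50001, 25, 60),
    (101.1, "203.0.113.25", "10.0.0.5", "tcp", 25, 50001, 60),
    (101.5, "10.0.0.5", "203.0.113.25", "tcp", 50001, 25, 1400),
]
# a long video download: 2000 full-size packets in one direction
PACKETS += [(200.0 + i * 0.01, "198.51.100.7", "10.0.0.8", "tcp", 443, 50002, 1500)
            for i in range(2000)]


@dataclass
class FlowRecord:
    """What survives of a conversation: who, with whom, when, how much, which protocol and ports.
    No payload bytes are ever stored."""
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    first: float
    last: float
    packets: int
    octets: int

    def to_bytes(self) -> bytes:
        # Fixed-width encoding (layout constructed for this example, in the spirit of a
        # NetFlow v5 record): 4+4+1+2+2+4+4+4+4 = 29 bytes whether the flow carried
        # 184 bytes of DNS or 3 MB of video.
        return struct.pack(
            "!4s4sBHHIIII",
            ip_address(self.src_ip).packed, ip_address(self.dst_ip).packed,
            self.proto, self.src_port, self.dst_port,
            int(self.first), int(self.last), self.packets, self.octets,
        )


def export_flows(packets):
    """Do what a software exporter does: fold packets into unidirectional flows keyed by
    the 5-tuple. (A real exporter also expires idle and long-running flows; omitted here.)"""
    flows = {}
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, PROTO[proto], sport, dport)
        rec = flows.get(key)
        if rec is None:
            flows[key] = FlowRecord(src, dst, PROTO[proto], sport, dport, ts, ts, 1, size)
        else:
            rec.last = max(rec.last, ts)
            rec.packets += 1
            rec.octets += size
    return list(flows.values())


def smtp_servers_by_host(records, internal_net):
    """The question-3 inference: which internal hosts talked SMTP (TCP/25) to which servers,
    read from the tuple alone (there are no To:/From: fields in a flow record)."""
    net = ip_network(internal_net)
    peers = defaultdict(set)
    for r in records:
        if r.proto == 6 and r.dst_port == 25 and ip_address(r.src_ip) in net:
            peers[r.src_ip].add(r.dst_ip)
    return dict(peers)


if __name__ == "__main__":
    recs = export_flows(PACKETS)
    print(f"{len(PACKETS)} packets -> {len(recs)} flow records")
    for r in recs:
        print(f"{r.src_ip}:{r.src_port} -> {r.dst_ip}:{r.dst_port} proto={r.proto} "
              f"pkts={r.packets} octets={r.octets} stored={len(r.to_bytes())} bytes")
    print("SMTP peers:", smtp_servers_by_host(recs, "10.0.0.0/24"))
```

Running it shows 2005 packets collapsing into 5 records of 29 bytes each; the video flow's 2000 packets and 3,000,000 octets cost exactly as much to store as one DNS query. The SMTP query returns the external server that 10.0.0.5 connected to, which is all the policy inference in question 3 needs, and it never sees who the message was addressed to.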

4. How can I get started with flow analysis?

Flow reports are generated by devices that either relay traffic (like routers or switches), or devices that can monitor the network for traffic (like sniffers). These devices are called 'exporters.'

Flow analysis, on the other hand, is done by software, running on a server that collects these flow reports from one or more exporters. Such software programs are called 'collectors.' What the collector does with the flow reports often determines the usefulness of the flow analysis tool.

If you want to benefit from flow analysis, you will need both a collector and one or more exporters. Most routers and switches will export network flows in one of the following formats: NetFlow, sFlow, cFlow, or jFlow. However, not all collectors accept all formats. Check your equipment before deciding on a collector.

If you don't have any devices on your network that are capable of exporting network flow, consider using a software flow exporter. This is a software agent that can run on any network-attached computer and summarizes the traffic it observes as network flow. We offer a program called Flow Exporter for this purpose. More information on Flow Exporter can be found at http://www.flowtraq.com/corporate/product/flow-exporter .
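To make the exporter/collector split concrete, here is an added Python example (not FlowTraq's Flow Exporter, nor any other product's code) that encodes two constructed flow summaries as a NetFlow v5 datagram on the exporter side and decodes it on the collector side. The NetFlow v5 header and record layouts are the published ones; the sample flows, timestamps and function names are assumptions. A real exporter sends these datagrams over UDP to the collector; that transport is left out so the block runs offline.

```python
import struct
from ipaddress import ip_address

# NetFlow v5 wire layout (big-endian): a 24-byte header followed by 1..30 records of 48 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
assert V5_HEADER.size == 24 and V5_RECORD.size == 48

# Constructed flow summaries an exporter might have ready to ship:
# (src_ip, dst_ip, proto, src_port, dst_port, packets, octets, first_ms, last_ms)
FLOWS = [
    ("10.0.0.5", "10.0.0.53", 17, 40123, 53, 1, 64, 100000, 100000),       # DNS query
    ("10.0.0.5", "203.0.113.25", 6, 50001, 25, 2, 1460, 101000, 101500),   # SMTP session
]


def build_netflow_v5(flows, sys_uptime_ms, unix_secs, sequence):
    """Exporter side: encode a batch of flows as one NetFlow v5 datagram."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            ip_address(src).packed, ip_address(dst).packed, b"\x00" * 4,  # no next-hop info
            0, 0, pkts, octets, first, last, sport, dport,                   # interfaces unknown
            0, 0, proto, 0, 0, 0, 0, 0, 0,                                   # pads, flags, AS, masks
        )
        for src, dst, proto, sport, dport, pkts, octets, first, last in flows
    )
    return header + body


def parse_netflow_v5(datagram):
    """Collector side: validate and decode a datagram. The count field is checked against the
    actual length rather than trusted, so a truncated or padded datagram is rejected."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ip_address(f[0])), "dst": str(ip_address(f[1])),
            "packets": f[5], "octets": f[6], "first_ms": f[7], "last_ms": f[8],
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return {"sequence": seq, "unix_secs": secs, "sys_uptime_ms": uptime,
            "sampling_interval": sampling, "records": records}


if __name__ == "__main__":
    dg = build_netflow_v5(FLOWS, sys_uptime_ms=123456, unix_secs=1700000000, sequence=42)
    print(f"exporter built {len(dg)}-byte datagram")
    for rec in parse_netflow_v5(dg)["records"]:
        print(rec)
```

The sequence number in the header is worth keeping on the collector side: gaps in it are the only signal that datagrams were lost between exporter and collector, which matters when a missing batch would also mean a missing conversation in your records.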

5. How do I select a network flow collector?

The answer to this question depends on what you hope to achieve. Flow collectors are broadly classified in two different categories: aggregators and full-fidelity collectors.

Aggregators periodically generate a pre-configured set of reports on the records they've collected, store those reports in a database, and discard the records they are holding. They only hold flow records for as long as it takes to generate the pre-configured set of reports. This process is quick and easy, and gives you general insight into network traffic patterns. If you simply want to monitor how busy your network is, an aggregator might work for you.

On the other hand, full-fidelity flow collectors store every flow record they receive in a database, and allow you to filter and view the traffic after the fact and in much more detail than aggregators. Generally these tools are more computationally expensive, but they offer a much wider range of possibilities. CERT's SiLK is a full-fidelity collector, as is FlowTraq.

If you want to analyze unique traffic patterns and investigate never-before-seen attacks, you will need to invest some time and money in a full-fidelity flow collector.

Both aggregators and full-fidelity flow collectors are often marketed using the term "flow analyzer."

Understand the differences and let your operational needs drive your deployment decision!
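The difference between the two collector types is easiest to see side by side. The Python below is an added example written for this FAQ, not code from SiLK, FlowTraq or any other collector: both classes ingest the same five constructed flow records; the aggregator keeps only an "octets per destination port per hour" report and drops the records, while the full-fidelity collector keeps every record. Both can answer the pre-configured question; only one can answer the after-the-fact question "which hosts reached 10.0.0.99 on port 22 before 09:00?". The record tuple layout, the addresses and the class names are assumptions.

```python
from collections import Counter

# Constructed flow records: (start_ts_seconds, src_ip, dst_ip, proto, dst_port, octets)
FLOWS = [
    (28800, "10.0.0.5",   "10.0.0.99", 6, 22,  4200),    # 08:00 SSH into a server
    (29100, "172.16.4.2", "10.0.0.99", 6, 22,  900),     # 08:05 SSH from another subnet
    (30000, "10.0.0.7",   "10.0.0.20", 6, 443, 250000),  # 08:20 HTTPS
    (33000, "10.0.0.5",   "10.0.0.99", 6, 22,  100),     # 09:10 SSH again
    (34000, "10.0.0.7",   "10.0.0.20", 6, 443, 90000),   # 09:26 HTTPS
]


class Aggregator:
    """Pre-configured report only (octets per destination port per hour); each record is
    folded into the report and then dropped, so nothing else can be asked later."""
    def __init__(self, interval=3600):
        self.interval = interval
        self.reports = {}   # bucket_start -> Counter({dst_port: octets})

    def ingest(self, flow):
        ts, _src, _dst, _proto, dport, octets = flow
        bucket = ts - ts % self.interval
        self.reports.setdefault(bucket, Counter())[dport] += octets

    def octets_by_port(self, bucket):
        return dict(self.reports.get(bucket, Counter()))

    def stored_items(self):
        # one counter cell per (hour, port): bounded by the report shape, not by traffic
        return sum(len(c) for c in self.reports.values())

    def flows_to(self, dst, dport, before):
        # The question needs source addresses and timestamps, which were never kept.
        return None


class FullFidelity:
    """Every record kept; any filter can be applied after the fact."""
    def __init__(self):
        self.records = []

    def ingest(self, flow):
        self.records.append(flow)

    def octets_by_port(self, bucket, interval=3600):
        c = Counter()
        for ts, _s, _d, _p, dport, octets in self.records:
            if bucket <= ts < bucket + interval:
                c[dport] += octets
        return dict(c)

    def stored_items(self):
        # one entry per flow record: grows with the flow count (linearly, per question 2)
        return len(self.records)

    def flows_to(self, dst, dport, before):
        return {src for ts, src, d, _p, p, _o in self.records
                if d == dst and p == dport and ts < before}


def run(flows):
    """Feed the same stream to both collector types and hand them back for querying."""
    agg, ff = Aggregator(), FullFidelity()
    for f in flows:
        agg.ingest(f)
        ff.ingest(f)
    return agg, ff


if __name__ == "__main__":
    agg, ff = run(FLOWS)
    print("aggregator stores", agg.stored_items(), "items; full-fidelity stores", ff.stored_items())
    print("08:00 hour, octets by port:", agg.octets_by_port(28800), ff.octets_by_port(28800))
    print("who reached 10.0.0.99:22 before 09:00?",
          agg.flows_to("10.0.0.99", 22, 32400), "vs", ff.flows_to("10.0.0.99", 22, 32400))
```

The point of the `flows_to` call is the one to carry into a purchasing decision: an incident investigation almost always asks a question nobody configured a report for in advance, and an aggregator answers it with `None`.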

6. How can I place a software flow exporter most effectively?

Since a software exporter works by sniffing traffic and generating flow summaries based on it, it is only as effective as the traffic it can actually see. This means that a computer located on the edges of your network will most likely see very little of the traffic passing through your organization.

Instead, it is often better to place the software exporter on a network tap or a mirror port (also known as a SPAN port) on a router or switch, allowing it to see all traffic that passes through.

In fact, simply connecting a software exporter to a switch will only allow it to see its own traffic, as switches are smart about what traffic to send to a connected computer, and what to withhold. So you actually must put the switch port in a mirroring mode to allow the software exporter to effectively monitor the traffic on the switch!