Transaction data (NetFlow)

4.1 Map the provided events to source technologies

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


1. What is NetFlow?

NetFlow is a Cisco-developed feature of routers and switches (together with the export protocol that carries its data) that records summary information about the traffic passing through the device. It tells you who is talking to whom, when, over which ports and protocol, and how much data was moved.

  • Think of it as a call-detail record for network traffic: the metadata of a conversation, not its content.
  • Unlike firewalls or IDS/IPS, which exist to block threats or alert on attacks, NetFlow is a monitoring source. It makes no verdict of its own; the detection happens in the analyzer that consumes the flow records.

2. Purpose of NetFlow in Cybersecurity

NetFlow data is crucial for network monitoring, security analysis, and incident investigation. It helps you:

  • Detect unusual network activity: Large amounts of unexpected traffic, or traffic to destinations a host never talked to before, may indicate a compromised server.
  • Identify top talkers: Find the devices or users sending or receiving the most traffic.
  • Track applications and protocols: See which applications or protocols (by port and protocol number) are consuming bandwidth.
  • Investigate incidents: Trace malicious activity back to its source and destination IP addresses and reconstruct which hosts talked to each other during the incident.

3. How NetFlow Works

NetFlow runs on network devices such as routers and switches, which inspect the packets passing through them and summarize them into flow records. A "flow" is the set of packets that share the same key fields: source and destination IP address, source and destination port, IP protocol, ToS byte and input interface (the classic 7-tuple). Note that a flow is unidirectional: one TCP conversation shows up as two flow records, one per direction, and the analyzer pairs them up.

Key Components of a Flow:

Key fields (they define which flow a packet belongs to):

  • Source IP address – Where the traffic came from.
  • Destination IP address – Where the traffic is going.
  • Source and destination ports – Which application/service is being used (e.g., HTTP on TCP port 80).
  • Protocol – TCP, UDP, ICMP, etc.

Values accumulated for the flow:

  • Timestamps – When the first and the last packet of the flow were seen.
  • Bytes and packets – Amount of data transferred.
  • TCP flags – The cumulative OR of every flag seen in the flow, which lets an analyzer tell a completed handshake from a bare SYN that was never answered.

Example in IT environment:
If a web server queries a database server and the database returns the results, NetFlow on the router between them records the reply as:

  • Source = Database server IP
  • Destination = Web server IP
  • Source port = 1433 (SQL Server), destination port = the ephemeral port the web server opened for this connection
  • Protocol = TCP
  • Bytes sent = 500 KB (plus the packet count)
  • Start and end time of the conversation

Because flows are unidirectional, the query going the other way (web server → database server, destination port 1433, a few KB) is a second, separate record; the analyzer pairs the two to show the full conversation.

This helps analysts see who is communicating with what, over which service, and how much data is transferred, which is crucial for spotting anomalies: the same database server sending 500 MB to an address outside the data center on port 443 would stand out immediately.
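To make the flow record concrete, here is an added example (not part of the course notes or of any Cisco tool) that parses a NetFlow v5 export datagram using the fixed header and record layout Cisco documents for v5, and builds a constructed sample datagram carrying the database/web conversation above as the two unidirectional records a router would export. The IP addresses, ports, byte counts and timestamps in the sample are assumptions chosen for illustration.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order), as documented by Cisco:
# a 24-byte header followed by `count` fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram: bytes) -> dict:
    """Parse one NetFlow v5 export datagram into a header dict and a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but the datagram is truncated")

    # First/Last in each record are milliseconds of router uptime; the header's
    # wall clock plus uptime lets us convert them to epoch seconds.
    boot_epoch = unix_secs + unix_nsecs / 1e9 - sys_uptime_ms / 1000
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, in_if, out_if, packets, octets, first_ms, last_ms,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({
            "src_ip": str(IPv4Address(src)),
            "dst_ip": str(IPv4Address(dst)),
            "src_port": sport,
            "dst_port": dport,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "packets": packets,
            "bytes": octets,
            "tcp_flags": tcp_flags,          # cumulative OR of all TCP flags seen in the flow
            "start": round(boot_epoch + first_ms / 1000, 3),
            "end": round(boot_epoch + last_ms / 1000, 3),
            "in_if": in_if,
            "out_if": out_if,
        })
    header = {
        "version": version,
        "count": count,
        "flow_sequence": flow_seq,           # gaps here mean records were lost in transit (UDP)
        "engine": (engine_type, engine_id),
        "sampling_mode": sampling >> 14,     # top 2 bits of the sampling field
        "sampling_interval": sampling & 0x3FFF,
    }
    return {"header": header, "flows": flows}


def build_sample_datagram() -> bytes:
    """Constructed sample (not a real capture): the database/web conversation from the
    text as the two unidirectional v5 records a router would export for it."""
    sys_uptime_ms = 3_600_000      # assumed: router has been up one hour
    unix_secs = 1_700_000_000      # assumed: wall clock at export time
    header = V5_HEADER.pack(5, 2, sys_uptime_ms, unix_secs, 0, 1000, 0, 0, 0)

    def record(src, dst, sport, dport, packets, octets, first_ms, last_ms, flags):
        return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0\0\0\0",
                              1, 2, packets, octets, first_ms, last_ms, sport, dport,
                              0, flags, 6, 0, 0, 0, 24, 24, 0)

    psh_ack = 0x18
    # Request: web server (ephemeral port) -> SQL Server on TCP/1433, small.
    request = record("10.0.1.10", "10.0.2.20", 49812, 1433, 12, 1_900, 3_590_000, 3_590_400, psh_ack)
    # Reply: the result set coming back, about 500 KB.
    reply = record("10.0.2.20", "10.0.1.10", 1433, 49812, 350, 512_000, 3_590_010, 3_590_400, psh_ack)
    return header + request + reply


if __name__ == "__main__":
    parsed = parse_v5(build_sample_datagram())
    for f in parsed["flows"]:
        print(f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
              f"{f['protocol']} {f['packets']} pkts {f['bytes']} bytes")
```

Two details worth noticing: the record carries no payload at all, only counters and the 5-tuple, and the header's flow sequence number is the only way a collector can tell that records were dropped in transit, since export runs over UDP.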


4. NetFlow Versions

There are several NetFlow versions (v1 through v9 exist), but the exam focuses on the main ones:

  • NetFlow v5: The most widely deployed legacy format; fixed 48-byte records, IPv4 only, basic traffic info (addresses, ports, protocol, counters, TCP flags, AS numbers).
  • NetFlow v9: Template-based, so the exporter defines which fields it sends; supports IPv6, MPLS and multicast, and is the export format used by Flexible NetFlow.
  • IPFIX (IP Flow Information Export): The IETF standard (RFC 7011) derived from NetFlow v9, sometimes called NetFlow v10; vendor-neutral and supported by non-Cisco equipment.

5. Where NetFlow Data Comes From

NetFlow data is exported from network devices like:

  • Routers
  • Switches
  • Firewalls
  • Other devices, including non-Cisco ones, that speak NetFlow v9 or IPFIX

The exporter sends flow records, usually over UDP to a port such as 2055, to a NetFlow collector, a server that stores the flows and makes them available to an analyzer for visualization and investigation. Three caveats matter in practice: UDP has no delivery guarantee, so gaps in the header's flow sequence numbers mean lost records; the export is unencrypted and unauthenticated, so it belongs on a management network; and on busy links the exporter may use sampled NetFlow (1 in N packets), which makes byte counts estimates and can miss short flows entirely.


6. NetFlow vs. Packet Capture

  • Packet capture (PCAP): Captures entire packets, headers and payload.
  • NetFlow: Captures metadata about the traffic (addresses, ports, protocol, counters, timestamps, TCP flags), never the payload.

Why this matters:
NetFlow needs a small fraction of the storage of full capture, so it can be kept for months across the whole network, and it still gives enough information to detect patterns, anomalies, or attacks. The trade-off is that it shows that a host pulled 2 GB from an unknown IP, not what was in it; confirming content means pivoting to PCAP, proxy logs, or endpoint data.


7. Typical NetFlow Use Cases in Security

  1. Detect unusual outbound traffic
    • A server suddenly sends large amounts of data to an unknown external IP → could indicate data exfiltration.
  2. Identify scanning activity
    • Many flows from one source IP to many different ports on a host (or to the same port across many hosts), each only one or two packets with just the SYN flag set → a port scan or host sweep.
  3. Monitor bandwidth usage
    • A network admin can see which applications, hosts, or links are consuming the most bandwidth.
  4. Incident response
    • During a malware infection, NetFlow records show which systems the infected host contacted, when, and how much data moved, so the scope of the incident can be established without a packet capture.
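The use cases above, and the top-talker and anomaly detection described in section 2, come down to aggregating flow records. The following added example (not from the course notes or from any vendor product) runs three such checks over a constructed set of flow records in the same dict shape a v5 parser would produce: top talkers by bytes, a port-scan check keyed on SYN-only single-packet flows, and an exfiltration check on internal-to-external byte volume. The addresses, thresholds and the internal address ranges are assumptions for the sake of the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: RFC 1918 space is "internal"; adjust to the organisation's real ranges.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
SYN, ACK = 0x02, 0x10


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def flow(src, dst, sport, dport, proto="TCP", pkts=10, octets=1500, flags=0x18):
    """One flow record in the shape a NetFlow parser produces (unidirectional)."""
    return {"src_ip": src, "dst_ip": dst, "src_port": sport, "dst_port": dport,
            "protocol": proto, "packets": pkts, "bytes": octets, "tcp_flags": flags}


def sample_flows():
    """Constructed sample records (not real data): some normal traffic, one port
    scanner, and one host pushing a large volume to an unknown external address."""
    flows = [
        flow("10.0.1.10", "10.0.2.20", 49812, 1433, pkts=12, octets=1_900),      # web -> SQL query
        flow("10.0.2.20", "10.0.1.10", 1433, 49812, pkts=350, octets=512_000),   # SQL -> web results
        flow("10.0.1.10", "198.51.100.9", 51000, 443, pkts=40, octets=30_000),   # normal HTTPS
        flow("10.0.5.5", "10.0.1.10", 52000, 80, pkts=8, octets=1_200),          # a user browsing
    ]
    # Scanner: one source, one target, 40 destination ports, each a single SYN that got no reply.
    flows += [flow("10.0.3.7", "10.0.2.20", 40000 + p, p, pkts=1, octets=60, flags=SYN)
              for p in range(1, 41)]
    # Exfiltration: the web server pushes 1.8 GB to an external host it never talked to before.
    flows.append(flow("10.0.1.10", "203.0.113.50", 53123, 443, pkts=1_300_000, octets=1_800_000_000))
    return flows


def top_talkers(flows, n=3):
    """Hosts by total bytes sent plus received, highest first."""
    total = defaultdict(int)
    for f in flows:
        total[f["src_ip"]] += f["bytes"]
        total[f["dst_ip"]] += f["bytes"]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)[:n]


def detect_port_scans(flows, min_ports=20):
    """(src, dst, distinct_ports) for sources hitting many ports on one host with
    SYN-only flows of one or two packets, i.e. handshakes that never completed."""
    ports = defaultdict(set)
    for f in flows:
        if f["protocol"] != "TCP":
            continue
        syn_only = bool(f["tcp_flags"] & SYN) and not (f["tcp_flags"] & ACK)
        if syn_only and f["packets"] <= 2:
            ports[(f["src_ip"], f["dst_ip"])].add(f["dst_port"])
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports]


def detect_exfiltration(flows, threshold_bytes=500_000_000):
    """(src, dst, bytes) for internal hosts sending more than the threshold to one external host."""
    sent = defaultdict(int)
    for f in flows:
        if is_internal(f["src_ip"]) and not is_internal(f["dst_ip"]):
            sent[(f["src_ip"], f["dst_ip"])] += f["bytes"]
    return [(src, dst, b) for (src, dst), b in sent.items() if b > threshold_bytes]


if __name__ == "__main__":
    flows = sample_flows()
    print("top talkers:", top_talkers(flows))
    print("port scans:", detect_port_scans(flows))
    print("exfiltration:", detect_exfiltration(flows))
```

The scan check relies on the exporter reporting TCP flags (v5 and most v9/IPFIX templates do); with sampled NetFlow a 1-in-N sampler will drop most single-packet probes, so the port threshold has to be lowered or the check run on unsampled data. The byte threshold in the exfiltration check is a placeholder; in practice it is set from a baseline of what each host normally sends outbound.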

8. Important Terms to Know for Exam

  • Flow Record – The exported data record for a single flow.
  • Flow Cache – The table on the exporter where active flows accumulate until they expire (inactive timeout, active timeout, or a TCP FIN/RST) and are exported.
  • Exporter – Network device that generates NetFlow data.
  • Collector – Server that receives and stores NetFlow data.
  • Analyzer – Tool/software that interprets NetFlow data for visualization and alerts (often bundled with the collector).
  • Top Talkers – Hosts generating the most traffic.
  • Anomalies – Deviations from normal traffic patterns, potentially indicating threats.

9. How NetFlow Data is Used in CBROPS Exam Context

When the exam asks you to map events to source technologies, remember:

Event Type                                    Source Technology
Unusual network traffic patterns              NetFlow
High bandwidth usage by a host                NetFlow
Multiple failed connections to many ports     NetFlow
Connections from unknown external IPs         NetFlow
Lateral movement within network               NetFlow

Key takeaway: If the event involves network conversation patterns, volume of traffic, or unusual flows, the source technology is NetFlow.


✅ Summary (Exam-Focused)

  1. NetFlow is a Cisco technology for monitoring network flows (IPFIX is its vendor-neutral standard).
  2. Collects metadata about network conversations, not full packets.
  3. Used for detecting anomalies, monitoring bandwidth, and investigating incidents.
  4. Key components: Source/Dest IP, Ports, Protocol, Bytes, Time.
  5. NetFlow versions: v5, v9, IPFIX.
  6. Exported from routers/switches/firewalls → sent to collectors/analyzers.
  7. Events like unexpected traffic, scanning, or lateral movement are mapped to NetFlow.