NetFlow Versus
Full Packet Capture

When should you use full packet capture or when should you use NetFlow? Do you need both?

This article highlights the differences between NetFlow and full packet capture data. And explains why SecOps and NetOps teams need both to effectively protect against cyberthreats and performance issues.

Should You Use Full Packet Capture or NetFlow?

The short answer is both are useful ... and the ideal is to have access to both. Read on to find out more about the differences between full packet data and NetFlow data and the pros-and-cons of each.

For an introduction to packet capture see our "What is Network Packet Capture" guide:

Learn more

What’s the Difference between NetFlow and Full Packet Data?

NetFlow data (or jFlow, sFlow IPFIX and other flow-based standards) provides a metadata-based view of activity on the network. 

Full packet capture, on the other hand, is a complete record of actual network activity, including the actual data (packet payloads that are transferred across the network. It also includes packet header information that can provide extremely useful data - particularly for security investigations - even if packet payloads are encrypted and can't be decrypted for inspection. Often organizations use "break and inspect" solutions that can decrypt packet data before recording to ensure packet payloads can be inspected in the event of a security issue. 

(NOTE: many Endace Fusion partners offer decrypt solutions that can do this. Talk to our team if you need this capability). 

For information about packet payloads and headers see our "What is Network Packet Capture" guide:

Learn more

Why Do I Need Full Packet Data if I Have NetFlow?

Often organizations see NetFlow and full packet capture as being mutually exclusive – you only need one or the other. But the truth is that combining the NetFlow and full packet data delivers a powerful arsenal for protecting against security threats, investigating alerts and ensuring the performance of networks and the applications that run on them.

As Zero Day attacks, Advanced Persistent Threats, malware and ransomware attacks continue to proliferate, organizations are realizing that investigating threats or performance issues with NetFlow only may not be sufficient to draw definitive conclusions about what’s happened. In order to definitively understand the impact of a security breach, or a network or application performance problem, NetFlow, while useful, often isn’t sufficient by itself.

Combining NetFlow with recorded full packet data gives NetOps and SecOps teams the ability to monitor the network for problems, and the detailed packet information they need to quickly and precisely reconstruct what happened.

What are the Pros and Cons of NetFlow Data?

The Pros

NetFlow’s strength is that it writes headlines. It gives you a very effective high-level view of what’s happened across your network by providing metadata: timestamps, senders’ / receivers’ IP addresses, the ports they communicated on, the length of the conversation and the amount of data transferred.

Because NetFlow is summary metadata it doesn’t take up a lot of storage space. That means more historical data can be archived – allowing analysts to go back months or years back in time. NetFlow is also easily indexable, making it fast to search for information relating to specific activity on the network.

NetFlow can also be generated by a wide variety of network elements - such as switches and routers and dedicated NetFlow generators – and can be consumed by a number of different NetFlow connectors (including SIEM tools). Which makes NetFlow a well-supported source of data for providing high-level visibility into activity happening across the network.

The Cons

The downside of NetFlow is that it doesn’t provide nearly the level of detail that full packet data provides. While NetFlow data is useful for alerting you to potential issues, it can’t necessarily tell you exactly what happened. And it won’t enable you to reconstruct events – for example let you rebuild and examine suspected malware files or confirm exactly what was contained in files that were exfiltrated by attackers.

The other issue with NetFlow data results from its originally intended purpose. NetFlow was originally designed to provide data to monitor network performance and to predict growth in bandwidth usage for future planning. For these purposes, generating NetFlow data based on a sample set of network traffic (rather than all traffic) and using statistical analysis to predict actual network activity is sufficient.

As a result, many devices that generate NetFlow data are configured to sample packets to generate that NetFlow data, rather than looking at every packet. Although many NetFlow generators - switches and routers - can be reconfigured to generate 1:1 NetFlow records (where every packet is examined) some cannot. Which means those devices are not reporting on all the activity on the network. While that may not be an issue for the purposes of monitoring network performance or predicting future network capacity requirements, it very definitely is an issue if you are relying on NetFlow data to provide complete visibility into malicious activity or cyber threats on the network.

The computational overhead of generating NetFlow on routers and switches can take a significant performance toll. This is another reason switches and routers are often configured to generate sampled NetFlow only - to reduce load and preserve capacity for the device’s core functions of routing and switching traffic around the network.

What are the Pros and Cons of Full Packet Data?

The Pros

Full packet data, gives you the full story. Packets let you accurately reconstruct exactly what happened and when it happened so you can determine the root cause of security or performance issues quickly and definitively.

Using full packet data you can reconstruct a data exfiltration event to see precisely what was taken. Or you can zoom in to microsecond level to troubleshoot short-lived network performance events that simply don’t show up at NetFlow’s metadata level of detail.

The Cons

Data volumes may mean it's not feasible to store complete packet data for years as you can with NetFlow data. However, it is certainly feasible to store weeks to months of full packet data. Particularly when that data is compressed, and irrelevant data truncated to remove the unwanted or unnecessary packet payloads but keep the packet header data. Having weeks or months of full packet data provides sufficient time to archive data that might be needed for deeper investigation or for use as evidence longer term - for prosecution for example.

How do NetFlow and Full Packet Capture Work Together?

NetFlow versus Packet Capture

NetFlow data is good for enabling efficient on-the-fly monitoring for security and performance monitoring (provided, as noted above, the NetFlow data is complete and not based on sampled traffic). It gives teams good high-level visibility into activity happening on the network and allows them to keep up-to-date with network events in real-time.

However NetFlow data is significantly enhanced when it can be coupled with full packet data. Once you have found (or been alerted to) a specific conversation or conversations of interest using NetFlow, with full packet data at hand you can quickly drill down to packet level to examine incidents in detail and determine their root cause and severity.

In short, NetFlow is useful for determining that a potential issue has occurred. But full packet capture is what will enable you to determine exactly what it was that happened and how to respond.

With access to both NetFlow data and full packet data, investigations are faster and more conclusive. IT, network, and security analysts can keep on top of the mountain of alerts they receive every day and respond rapidly to events before they escalate to become more serious security breaches or service outages.

What is EndaceFlow?

EndaceFlow is a high-speed Flow Generator application that can be hosted on EndaceProbes to generate high-resolution NetFlow in NetFlow v5, v9 or IPFIX format. 

It works by analyzing the packet data as it collected off the wire to generate NetFlow data which can then be transmitted to any NetFlow collector.

Learn more

Who is Endace?

Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of world’s biggest organizations on some of the fastest networks on the planet.

If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.

Contact us