
Flows? What’s a network flow?

By: Vincent Berk — October 27, 2009

When you sit at your computer and browse the web, send an email, watch an online video, or play a video game against others, you are sending and receiving network traffic. This network traffic carries content back and forth between your computer and a remote server (also a computer) in little fragments called packets. For small communications, such as an email, a few of these packets will do the job. For large communications, such as watching an online video, a lot more are needed, sometimes tens of thousands!

Each task you perform on the Internet will have its own stream of packets associated with it, and this stream has different destinations and content based on what you are doing. For instance, when I do a search on www.google.com, the endpoints of the packet stream are my computer and one of Google’s servers. The content is formatted in a language referred to as ‘HTML’, something that my web browser program understands. If I send an email to someone at Hotmail, then the endpoints of the packet stream will be my computer and one of the Hotmail email servers. The content will be formatted as ‘SMTP’, which is a language that most email programs understand. So in summary, each task has a stream of packets associated with it, a destination (or more accurately: two endpoints, one of which is your computer), and a specifically formatted content. Let’s call this back-and-forth stream of packets for a given task a ‘session’.

In general, a ‘flow’ is considered to be the uni-directional half of a session, meaning that each session consists of two flows: one from your computer to the server, and one from the server to your computer.

The Internet is a very complex system with millions of connected computers, many of them serving unique content, and all of them communicating with others through network flows. On any given day, an active Internet user might generate thousands of these flows to hundreds of different computers all over the world. Network administrators can use summaries of these flows to quickly spot a variety of network problems, such as bottlenecks, computers using too much of the available bandwidth, connections to or from unwanted locations, and even virus-infected systems on their networks.

In order to do such flow analysis, the flows must be observed at some location in the network. This is usually done at the main connection to the Internet, and sometimes locally between all connected computers in an organization. Flow summaries are tallied up and ‘exported’ to a central location to be viewed and analyzed. This central location is usually referred to as a flow ‘collector’, and it can generally accept flow reports from multiple exporters. This collector computer will run one or more programs that allow an administrator to investigate when certain flows were observed, between which computers, how long they took, and how much data was transferred. This gives administrators a quick and easy way to spot network problems early.
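The flow and session definitions above, and the kind of summary a collector produces, can be shown in a few lines of Python. This is an added example, not code from the author or from any flow exporter product. The packet records are constructed sample data, and keying a flow on source address, source port, destination address, destination port and protocol is an assumption of the example (a common convention, not something the text specifies).

```python
from collections import defaultdict

# Constructed sample packets: (time_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    (0.00, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp", 400),
    (0.05, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp", 1500),
    (0.06, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp", 1500),
    (0.30, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp", 60),
    (1.00, "10.0.0.7", 52000, "198.51.100.25", 25, "tcp", 900),
    (1.20, "198.51.100.25", 25, "10.0.0.7", 52000, "tcp", 120),
]

def build_flows(packets):
    """Group packets into unidirectional flows keyed by the 5-tuple (assumed key)."""
    flows = {}
    for ts, sip, sport, dip, dport, proto, size in packets:
        key = (sip, sport, dip, dport, proto)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows

def pair_sessions(flows):
    """Join each flow with its reverse flow: one session is the two halves together."""
    sessions = {}
    for (sip, sport, dip, dport, proto), f in flows.items():
        a, b = (sip, sport), (dip, dport)
        skey = (min(a, b), max(a, b), proto)  # same key for both directions
        s = sessions.setdefault(
            skey, {"flows": 0, "bytes": 0, "first": f["first"], "last": f["last"]})
        s["flows"] += 1
        s["bytes"] += f["bytes"]
        s["first"] = min(s["first"], f["first"])
        s["last"] = max(s["last"], f["last"])
    return sessions

def bytes_by_host(flows):
    """Collector-style summary: total bytes sent by each source address."""
    totals = defaultdict(int)
    for (sip, *_), f in flows.items():
        totals[sip] += f["bytes"]
    return dict(totals)

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(flows)
    print(pair_sessions(flows))
    print(bytes_by_host(flows))
```

Sorting the `bytes_by_host` result by value gives the "computers using too much of the available bandwidth" view the text mentions.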

Vincent Berk is the founder of ProQSys, a company that specializes in network security and analysis software.
