NetFlow

Short definition

NetFlow is a network telemetry protocol that records metadata about network communications, enabling visibility into who is communicating with whom, when, how often, and how much data is transferred.

Extended definition

NetFlow is not packet capture, and it is not intrusion detection. It is behavioral telemetry.

It provides a summarized view of network activity by describing conversations between endpoints rather than inspecting payload content. This makes it highly scalable, relatively low-cost, and extremely valuable for understanding traffic patterns, detecting anomalies, and supporting security investigations.

In modern SOC operations, NetFlow is one of the foundational data sources for network visibility, lateral movement detection, and traffic-based analytics, especially in encrypted environments.

Deep technical explanation

NetFlow works by aggregating packets into flows based on shared header characteristics.

A flow is typically defined by a combination of:

  • Source IP address
  • Destination IP address
  • Source port
  • Destination port
  • Protocol
  • Ingress or egress interface
  • Start and end timestamps
  • Byte and packet counts

Instead of recording every packet, NetFlow exporters summarize traffic into flow records and send them to a collector for analysis.
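To make the flow abstraction concrete, here is an added example (not code from the page or from BlueGrid.io) that does the exporter's job in miniature: it folds a list of constructed packet observations into unidirectional flow records keyed by the 5-tuple, applies an idle timeout so a conversation that goes quiet is exported and later restarted as a new flow, and then collapses both directions into a per-conversation byte total. The packets, addresses and timeout value are all constructed.

```python
"""Exporter-side aggregation: packets -> unidirectional flow records.

Added example, not code from the page or from BlueGrid.io. The packet
observations below are constructed; nothing is captured from a live interface.
"""
from dataclasses import dataclass

# Constructed packet observations:
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, ip_proto, ip_length)
PACKETS = [
    (1000.0, "10.0.1.5", "10.0.2.20", 51000, 445, 6, 120),
    (1000.2, "10.0.2.20", "10.0.1.5", 445, 51000, 6, 80),
    (1000.5, "10.0.1.5", "10.0.2.20", 51000, 445, 6, 1400),
    (1001.0, "10.0.1.5", "10.0.0.53", 40000, 53, 17, 70),
    (1001.1, "10.0.0.53", "10.0.1.5", 53, 40000, 17, 150),
    (1200.0, "10.0.1.5", "10.0.2.20", 51000, 445, 6, 60),  # same 5-tuple, but idle > timeout
]

IDLE_TIMEOUT_S = 60.0  # exporters expire a flow that has seen no packets for this long


@dataclass
class Flow:
    """One unidirectional flow record, the unit NetFlow exports instead of packets."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    first: float  # timestamp of the first packet seen
    last: float   # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0


def aggregate(packets, idle_timeout=IDLE_TIMEOUT_S):
    """Fold packets into flows keyed by the 5-tuple; each direction is its own flow."""
    active = {}   # 5-tuple -> Flow still accumulating packets
    expired = []  # flows that timed out (what an exporter would send to the collector)
    for ts, src, dst, sport, dport, proto, size in sorted(packets):
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            expired.append(active.pop(key))  # quiet too long: export it and start afresh
            flow = None
        if flow is None:
            flow = Flow(src, dst, sport, dport, proto, first=ts, last=ts)
            active[key] = flow
        flow.last = ts
        flow.packets += 1
        flow.octets += size
    expired.extend(active.values())  # flush whatever is still active at end of input
    return sorted(expired, key=lambda f: (f.first, f.src_ip))


def volume_by_pair(flows):
    """Collapse both directions into one conversation total: (host_a, host_b) -> octets."""
    totals = {}
    for f in flows:
        pair = tuple(sorted((f.src_ip, f.dst_ip)))
        totals[pair] = totals.get(pair, 0) + f.octets
    return totals


if __name__ == "__main__":
    flows = aggregate(PACKETS)
    for f in flows:
        print(f)
    print(volume_by_pair(flows))
```

Note that the six packets become five flow records, not one per packet: the collector never sees the 1400-byte payload, only that 10.0.1.5 sent two packets and 1520 bytes to 10.0.2.20:445 between 1000.0 and 1000.5, which is exactly the "who, when, how much" summary the definition above describes.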

There are multiple variants and related standards:

  • NetFlow v5 and v9, originally developed by Cisco
  • IPFIX, an IETF standardized evolution of NetFlow
  • sFlow, which uses sampling rather than full flow accounting
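The variants differ mainly in wire format. As an added example (not code from the page or from BlueGrid.io), the following encodes flow records into a NetFlow v5 export datagram the way an exporter would and parses it back the way a collector does. The layout used is the fixed v5 format (24-byte header, 48-byte records, at most 30 per datagram, carried over unauthenticated UDP); the exporter identifiers and flow values are constructed. The decoder checks the header count against the bytes actually received, which is the check a collector needs before trusting a datagram it has no way to authenticate.

```python
"""NetFlow v5 export datagram: pack records as an exporter would, then parse them
as a collector does.

Added example, not code from the page or from BlueGrid.io. The layout is the
fixed v5 format (24-byte header, 48-byte records, at most 30 per datagram);
exporter identifiers and flow values below are constructed.
"""
import ipaddress
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")             # version .. sampling_interval, 24 bytes
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2, 48 bytes
MAX_RECORDS = 30


def _ip2int(ip):
    return int(ipaddress.IPv4Address(ip))


def encode_v5(records, sys_uptime_ms, unix_secs, flow_sequence, engine_id=0, sampling_interval=0):
    """records: dicts with src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms[, tcp_flags]."""
    if len(records) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, engine_id, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(
            _ip2int(r["src"]), _ip2int(r["dst"]), 0,   # srcaddr, dstaddr, nexthop
            0, 0,                                      # input / output SNMP ifIndex
            r["pkts"], r["octets"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], 0,   # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                             # src_as, dst_as, masks, pad2
        for r in records)
    return header + body


def decode_v5(data):
    """Parse one datagram; a collector must validate lengths before trusting the count."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime_ms, unix_secs, _nsecs, seq,
     _engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds the bytes actually received")
    records = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = \
            V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(ipaddress.IPv4Address(src)),
                        "dst": str(ipaddress.IPv4Address(dst)),
                        "sport": sport, "dport": dport, "proto": proto,
                        "pkts": pkts, "octets": octets,
                        "first_ms": first, "last_ms": last, "tcp_flags": flags})
    return {"count": count, "uptime_ms": uptime_ms, "unix_secs": unix_secs,
            "flow_sequence": seq, "engine_id": engine_id,
            # low 14 bits hold the sampling interval; the top 2 bits are the sampling mode
            "sampling_interval": sampling & 0x3FFF, "records": records}


# Constructed flows from a hypothetical exporter
SAMPLE_RECORDS = [
    {"src": "10.0.1.5", "dst": "10.0.2.20", "sport": 51000, "dport": 445, "proto": 6,
     "pkts": 2, "octets": 1520, "first_ms": 1000, "last_ms": 1500, "tcp_flags": 0x18},
    {"src": "10.0.1.5", "dst": "10.0.0.53", "sport": 40000, "dport": 53, "proto": 17,
     "pkts": 1, "octets": 70, "first_ms": 2000, "last_ms": 2000},
]


def roundtrip(records=SAMPLE_RECORDS):
    """Encode the sample records and decode the result, as exporter and collector would."""
    datagram = encode_v5(records, sys_uptime_ms=5000, unix_secs=1700000000, flow_sequence=42)
    return decode_v5(datagram)


if __name__ == "__main__":
    print(roundtrip())
```

The `flow_sequence` field is worth watching on a real collector: gaps in it are how you notice that export datagrams were dropped on the way, which is one source of the sampling and fidelity problems discussed under limitations.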

From a security perspective, NetFlow provides visibility into communication behavior without requiring payload inspection. This is increasingly important as most network traffic is encrypted.

Key strengths of NetFlow include:

Scale

NetFlow scales to high traffic volumes without the storage and processing overhead of packet capture.

Encrypted traffic visibility

Even when payloads are encrypted, flow metadata still reveals timing, frequency, volume, and communication patterns.

Lateral movement detection

Unexpected east-west traffic between systems is often visible in NetFlow long before endpoint alerts fire.

Baseline creation

NetFlow enables baselining of normal service communication, which supports anomaly detection and threat hunting.

However, NetFlow has important limitations that must be understood.

No payload visibility

It cannot show what data was transmitted, only that communication occurred.

Sampling artifacts

In high-speed environments, flows may be sampled, reducing fidelity and hiding low-volume activity.

Context dependency

Without asset context, identity mapping, and service awareness, NetFlow anomalies are ambiguous.

Blind spots

Traffic that does not traverse monitored interfaces, such as internal cloud backbone traffic or endpoint to SaaS communication, may be invisible.

NetFlow is most effective when combined with endpoint, DNS, and identity telemetry rather than used in isolation.

Practical examples

Lateral movement detection

A compromised workstation begins communicating with internal servers it has never accessed before. NetFlow highlights new east-west connections despite encrypted traffic.

Command and control identification

An endpoint shows regular low-volume outbound connections to an external IP at consistent intervals. NetFlow reveals beaconing behavior consistent with C2 activity.

False positive application change

A new application deployment introduces additional service communication. NetFlow flags the change, but correlation with deployment activity confirms legitimacy.

Segmentation validation

NetFlow reveals unexpected traffic crossing segmentation boundaries, exposing misconfigurations that diagrams did not show.
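The first three practical examples above (new east-west connections, interval-regular beaconing, and a change that explains an anomaly) can all be expressed as simple analytics over flow records. This added example (not code from the page or from BlueGrid.io) runs them over constructed flow records: a learning window builds a baseline of known (source, destination, port) pairs; internal-to-internal pairs absent from the baseline are reported unless the destination is in a change context (the deployment correlation from the false positive example); and outbound destinations contacted at near-constant intervals are scored by the coefficient of variation of the gaps between flow start times. The address ranges, hosts, timestamps, thresholds and the change-context set are all constructed.

```python
"""Three flow-based analytics run over constructed flow records.

Added example, not code from the page or from BlueGrid.io. Network ranges,
hosts, timestamps, thresholds and the change-context set are all constructed.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_RANGES = [ip_network("10.0.0.0/8")]  # constructed: what counts as east-west


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_RANGES)


# Constructed flow records: (start_ts_s, src_ip, dst_ip, dst_port, octets)
BASELINE_FLOWS = [  # learning window: known-good service communication
    (10, "10.0.1.5", "10.0.2.20", 445, 1520),
    (20, "10.0.1.5", "10.0.0.53", 53, 70),
    (30, "10.0.1.9", "10.0.0.53", 53, 70),
]
CURRENT_FLOWS = [
    (1000, "10.0.1.5", "10.0.2.20", 445, 900),    # known pair
    (1010, "10.0.1.5", "10.0.3.30", 3389, 4200),  # never seen before: RDP to a new internal host
    (1020, "10.0.1.5", "10.0.4.40", 8080, 300),   # also new, but 10.0.4.40 was deployed this week
]
# Outbound 443 from 10.0.1.5 to one external host at roughly 60 s spacing, small payloads
CURRENT_FLOWS += [(t, "10.0.1.5", "203.0.113.7", 443, 600)
                  for t in (0, 60, 121, 180, 241, 300, 359, 420)]
# Irregular outbound traffic from another host (a browsing-like pattern)
CURRENT_FLOWS += [(t, "10.0.1.9", "198.51.100.4", 443, 50000)
                  for t in (0, 5, 300, 310, 900, 905, 1500)]


def pair_baseline(flows):
    """Set of (src, dst, dport) observed during the learning window."""
    return {(src, dst, dport) for _, src, dst, dport, _ in flows}


def new_east_west(flows, baseline, change_context=frozenset()):
    """Internal->internal pairs absent from the baseline, minus those explained by a known change."""
    found = set()
    for _, src, dst, dport, _ in flows:
        if not (is_internal(src) and is_internal(dst)):
            continue  # only east-west traffic is of interest here
        if (src, dst, dport) in baseline or dst in change_context:
            continue  # known service path, or explained by a recorded deployment
        found.add((src, dst, dport))
    return sorted(found)


def beacon_candidates(flows, min_events=6, max_cv=0.1):
    """Outbound destinations contacted at near-constant intervals (low coefficient of variation)."""
    starts = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(src) and not is_internal(dst):
            starts[(src, dst, dport)].append(ts)
    hits = []
    for key, times in starts.items():
        if len(times) < min_events:
            continue  # too few observations to call a rhythm
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    baseline = pair_baseline(BASELINE_FLOWS)
    print("new east-west:", new_east_west(CURRENT_FLOWS, baseline, change_context={"10.0.4.40"}))
    print("beacon candidates:", beacon_candidates(CURRENT_FLOWS))
```

Both analytics are only as good as the context fed to them: without the baseline the new-pair check reports everything, and without the change context it reports the legitimate deployment alongside the RDP connection. That is the practical reason the page warns against alerting on flow anomalies in isolation.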

Why it matters

NetFlow matters because it provides:

  • Visibility into encrypted network behavior
  • Early indicators of lateral movement
  • Foundational data for NDR and NTA
  • Validation of network segmentation
  • Evidence for incident scoping and response

Without NetFlow or equivalent flow telemetry, SOCs operate with an incomplete view of how systems actually communicate.

How BlueGrid.io uses it

At BlueGrid.io, NetFlow is treated as foundational network telemetry.

Our approach includes:

  • Using NetFlow to baseline normal service communication
  • Correlating flow anomalies with DNS, endpoint, and identity signals
  • Supporting threat hunting and incident scoping
  • Validating segmentation and access assumptions
  • Avoiding standalone alerting on flow anomalies without context

We use NetFlow to understand network behavior first and detect threats second.
