NetFlow - jibingl/CCNA-CCNP GitHub Wiki

Cisco NetFlow 9.0

A typical flow monitoring setup (using NetFlow) consists of three main components:

  • Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.
  • Flow collector: responsible for reception, storage and pre-processing of flow data received from a flow exporter.
  • Analysis application: analyzes received flow data in the context of intrusion detection or traffic profiling, for example.

Best Practice / Highlights

  1. NetFlow identifies a flow by 7 key fields (if any one of these fields differs, a new flow entry is created in the flow cache):
    • Source IP address
    • Destination IP address
    • Source port number
    • Destination port number
    • Layer 3 protocol type (ex. TCP, UDP)
    • ToS (type of service) byte
    • Input logical interface
  2. It is best practice to use a NetFlow “source interface” that would never go down such as a loopback interface.

Flexible NetFlow

Flexible NetFlow lets you define custom key fields (and non-key fields) instead of being limited to the 7 traditional key fields.
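As an added illustration of both the 7-key-field rule above and the Flexible NetFlow idea of choosing your own key fields, the following Python flow cache is an example written for this page, not Cisco code or anything from the wiki. It aggregates constructed sample packets into flow records keyed on the traditional 7-tuple, then re-aggregates the same packets with a custom, narrower key set; the packet dictionaries, field names and the `key_fields` parameter are assumptions for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass

# The seven traditional NetFlow key fields listed on this page.
# Field names are assumptions for this example, not NetFlow record names.
TRADITIONAL_KEY_FIELDS = (
    "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "in_ifindex",
)


@dataclass
class FlowRecord:
    key: tuple
    packets: int = 0
    bytes: int = 0


class FlowCache:
    """Toy flow cache: packets that match on every key field belong to one flow.

    key_fields defaults to the traditional 7-tuple; passing a different tuple
    models Flexible NetFlow, where the operator chooses the key fields.
    """

    def __init__(self, key_fields=TRADITIONAL_KEY_FIELDS):
        self.key_fields = tuple(key_fields)
        self.flows = OrderedDict()  # insertion order = order flows were first seen

    def _key(self, pkt):
        return tuple(pkt[f] for f in self.key_fields)

    def observe(self, pkt):
        """Account one packet to its flow, creating the flow if any key field is new."""
        k = self._key(pkt)
        rec = self.flows.get(k)
        if rec is None:
            rec = FlowRecord(key=k)
            self.flows[k] = rec
        rec.packets += 1
        rec.bytes += pkt["length"]
        return rec

    def export(self):
        """Flow records as plain dicts, i.e. what an exporter would send to a collector."""
        return [
            dict(zip(self.key_fields, r.key), packets=r.packets, bytes=r.bytes)
            for r in self.flows.values()
        ]


# Constructed sample packets (not captured traffic). Protocol 6 = TCP, 17 = UDP.
SAMPLE_PACKETS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_ifindex": 1, "length": 120},
    # same 7-tuple as the first packet -> same flow
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_ifindex": 1, "length": 1400},
    # only the ToS byte differs -> new flow
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51000, "dst_port": 443,
     "protocol": 6, "tos": 0x10, "in_ifindex": 1, "length": 60},
    # only the source port differs -> new flow
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 51001, "dst_port": 443,
     "protocol": 6, "tos": 0, "in_ifindex": 1, "length": 500},
    # different L4 protocol and ports (DNS over UDP) -> new flow
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "src_port": 40000, "dst_port": 53,
     "protocol": 17, "tos": 0, "in_ifindex": 1, "length": 80},
]


def traditional_flows(packets=SAMPLE_PACKETS):
    """Aggregate with the classic 7 key fields: 4 distinct flows from the sample."""
    cache = FlowCache()
    for p in packets:
        cache.observe(p)
    return cache.export()


def flexible_flows(packets=SAMPLE_PACKETS, key_fields=("src_ip", "dst_ip", "protocol")):
    """Flexible-NetFlow style aggregation on a custom key: 2 flows from the sample."""
    cache = FlowCache(key_fields)
    for p in packets:
        cache.observe(p)
    return cache.export()


if __name__ == "__main__":
    for rec in traditional_flows():
        print("7-tuple:", rec)
    for rec in flexible_flows():
        print("custom :", rec)
```

With the traditional key the first two packets collapse into one record (2 packets, 1520 bytes) while the ToS and source-port changes each start a new flow; with the custom key (`src_ip`, `dst_ip`, `protocol`) all four TCP packets become a single record, which is the trade-off Flexible NetFlow gives you between record volume and detail.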

Network Monitoring

| Feature | NetFlow | Port Mirroring | SNMPv3 |
|---|---|---|---|
| Data captured | Flow metadata (headers, statistics) | Full packet contents | Device statistics (CPU, memory, interface status, traffic counters) |
| Overhead | Low | High | Very low |
| Use case | Traffic analytics, security monitoring | Deep packet inspection, troubleshooting | Network performance monitoring, device health checks |
| Scalability | High (aggregated data) | Low (raw packet capture) | Very high (only periodic polling data) |
| Real-time monitoring | Yes, but metadata only | Yes, with full packet details | No (polling-based, interval-driven) |
| Security | Can use authentication & encryption (IPFIX) | No built-in security (plain-text packets) | Strong authentication & encryption (AES, SHA) |
| Resource consumption | Moderate (some processing on routers/switches) | High (mirroring impacts switch performance) | Very low (only SNMP agent processing) |