There are many potential uses of the statistics that NetFlow provides; however, most organizations use NetFlow for some or all of the following important data collection purposes:

When comparing the functionality of SNMP to NetFlow, an analogy for SNMP might be remote-control software for an unmanned vehicle; whereas an analogy for NetFlow is a simple, yet detailed phone bill. Phone records provide call-by-call and aggregated statistics that enable the person paying the bill to track long calls, frequent calls, or calls that should not have been made.

In contrast to SNMP, NetFlow uses a “push-based” model. The collector simply listens for NetFlow traffic, and the networking devices are in charge of sending NetFlow data to the collector, based on changes in their flow cache. Another difference between NetFlow and SNMP is that NetFlow only gathers traffic statistics, as shown in the figure, whereas SNMP can also collect many other performance indicators, such as interface errors, CPU usage, and memory usage. On the other hand, the traffic statistics collected using NetFlow have a lot more granularity than the traffic statistics that can be collected using SNMP.

Note: Do not confuse NetFlow’s purpose and results with that of packet capture hardware and software. Whereas packet captures record all possible information exiting or entering a network device for later analysis, NetFlow targets specific statistical information.

When Cisco sought out to create NetFlow, two key criteria provided guidance in its creation:

Achieving these design criteria ensured that NetFlow is very easy to implement in the most complex modern networks.

Note: Although NetFlow is simple to implement and transparent to the network, it does consume additional memory on the Cisco device, because NetFlow stores record information in “cache” on the device. The default size of this cache varies based on the platform, and the administrator can adjust this value.