Packet Tracer 8.2 tutorial - Netflow configuration

: Last Updated: 23 March 2025

What is Netflow?

Netflow is a network analysis protocol that was initially created by Cisco to give the ability to collect detailled informations about network traffic as it flows through a router interface.

The data processed by Netflow collectors provides the network administrator with detailled traffic informations such as the source and destination of the traffic, class of service, .... Netflow version 9 was standardized in 2008 as IPFIX by the IETF organization. This feature is used by network operators for billing network users.

NetFlow records are exported to a Netflow collector using User Datagram Protocol (UDP). The IP address and the destination UDP port of the NetFlow collector have to be configured on the sending device (router or l3 switch). The standard value is UDP port 2055, but other values like 9555 or 9995 can also be used.

Netflow in Cisco Packet Tracer

The following Netflow components are available in Cisco Packet Tracer :

Netflow version 9 on Cisco ISR routers. This feature is not available on Layer 3 switches.
A netflow collector software on PC, laptop and server devices.

Packet Tracer 8.0 - ISR router netflow records

Packet Tracer 8.0 - Netflow collector software

Netflow configuration using Cisco 2811 ISR routers

Network topology and configuration instructions

IP configuration :

IP Phone n°1 : 192.168.10.2/24
IP Phone n°2 : 192.168.10.4/24
Router Fa0/0 : 192.168.10.1/24
Router Fa0/1 : 192.168.20.1/24
Netflow Collector : 192.168.20.2/24

First step : Configure netflow collection on router interfaces using the "ip flow" IOS command. The flow can be configured on either ingress or egress direction. It is recommended to configure the flow on ingress.

interface FastEthernet0/0
 ip flow ingress
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto

Second step : Configure the ISR router to send the flow records to the netflow collector. Packet Tracer 6.1 netflow collection software deployed on end devices (servers or PCs) uses UDP port 9996.

ip flow-export destination 192.168.20.2 9996
ip flow-export version 9

Testing the configuration

Make a phone call from IP Phone n°1 to IP Phone n°2 and use the "show ip cache flow" command on the ISR router to display the router's netflow cache. In this example, the router shows a SCCP (TCP-SKINNY) flow between the two IP Phones (192.168.10.2 & 192.168.10.4).

RouterA#show ip cache flow 
IP packet size distribution (729 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 1.00 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 

IP Flow Switching Cache, 278544 bytes
  2 active, 4094 inactive, 337 added
  3 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
  0 active, 1024 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-SKINNY         335      0.1         2    40      0.1       1.3      15.0
Total:             335      0.1         2    40      0.1       1.3      15.0

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.168.10.4    Local         192.168.10.1    06 0401 07d0     8
Fa0/0         192.168.10.2    Local         192.168.10.1    06 0401 07d0    23
RouterA#