Abstract
For a network administrator, it is essential to understand traffic characteristics and user behavior, which is typically achieved through traffic measurement. The basis of NetFlow technology is reviewed. The function, application, switch features and datagram format of NetFlow are further analyzed. NetFlow's application in the network of the Guangdong Meteorological Bureau is introduced in detail. To make network administration convenient, straightforward, and easy for decision making, a Network Monitoring System (NetFlow Analysis System of Guangdong Meteorological Bureau) is designed based on NetFlow for network monitoring. With the system, the health of the network can be quickly determined, statistics are compiled for each user, and warnings of impending network issues are given. The selection of monitoring nodes is based on the structure of the network. Depending on the application, special care is taken over how network traffic data is collected. For ease of use, a host of web applications is developed to automatically collect statistics, generate real-time reports, and compile statistics. With the system, the network administrator can conveniently review the running state of the network, and statistics on users' internet usage habits and network faults can be found in time. The completed design evidently reduces the time the network administrator needs to locate and eliminate a network breakdown. A case that occurred in the Guangdong Meteorological Bureau network on Dec 5, 2006 is analyzed to show how the NetFlow Analysis System of Guangdong Meteorological Bureau is used to quickly identify a network breakdown, find the root cause, and recover from it by using traffic measurement. By using the NetFlow Analysis System of Guangdong Meteorological Bureau to analyze the NetFlow data stream, it is easy to find the IP address of the virus and the infected computers.
Since worm viruses can initiate massive numbers of scanning connections during their spreading process, the switch ports linked to the computers that use these IP addresses can be located using SNMP, and the virus-infected computers can be isolated from the network by closing the corresponding switch ports. In this case, the system can not only accurately detect such abnormalities in different networks and in different time segments, but also analyze the efficiency and bottlenecks of the running network in a timely manner. Network managers can therefore optimize network performance more promptly and reasonably.
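
The following is an added example, not code from the paper or from the NetFlow Analysis System it describes. It shows how the scanning behavior of an infected host stands out in NetFlow data: an export datagram is parsed and sources that send very small flows to many distinct hosts on one port are flagged. It assumes the NetFlow version 5 datagram layout (the abstract does not state which version is used); the function names, thresholds and sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Yield (src, dst, dst_port, proto, packets) for each flow in one datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[5]=dPkts f[10]=dstport f[13]=prot
        yield IPv4Address(f[0]), IPv4Address(f[1]), f[10], f[13], f[5]

def find_scanners(flows, min_targets=20, max_pkts=3):
    """Flag sources sending small flows to many distinct hosts on one port.

    min_targets and max_pkts are illustrative thresholds, not from the paper.
    """
    targets = defaultdict(set)
    for src, dst, dport, proto, pkts in flows:
        if pkts <= max_pkts:          # scan probes are tiny; bulk transfers are not
            targets[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

def build_datagram(flows):
    """Pack constructed flows into a v5 datagram (sample data only)."""
    hdr = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    return hdr + b"".join(
        RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), 0, 1, 2, pk,
                    pk * 48, 0, 0, sp, dp, 0, 0x02, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk in flows)

# Constructed sample: one host probing 25 addresses on TCP/445, plus normal traffic.
SAMPLE = build_datagram(
    [("10.0.0.5", f"192.0.2.{i}", 1024 + i, 445, 6, 1) for i in range(1, 26)]
    + [("10.0.0.9", "192.0.2.80", 40000, 80, 6, 120),
       ("10.0.0.9", "192.0.2.81", 40001, 80, 6, 2),
       ("10.0.0.7", "192.0.2.53", 40002, 53, 17, 1)])

if __name__ == "__main__":
    for (src, proto, port), n in find_scanners(parse_v5(SAMPLE)).items():
        print(f"{src} contacted {n} hosts on proto {proto} port {port}")
```

The flagged source addresses are the input to the SNMP step described above, where the switch port behind each address is located and closed.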