NetFlow is a system that accounts for how and where traffic flows (by IP address and by port). NetFlow allows administrators to measure network usage (particularly peak and average load) and can also be used to provide usage-based billing. New flows are created for each new source/destination socket pair. This means that each communication session should generate two flows (a request and a reply).

NetFlow can be exported for greater readability (as in the image for Alert Identification | IP Address). The main benefit of NetFlow is to show anomalies. These anomalies could be new IP addresses/ports being used, high traffic volume from certain hosts, or high traffic volume in a given protocol. This can provide some simple IDS capabilities. NetFlow exports will list the source and destination IP address and ports, transport protocol, packet, and byte counts.