
IPFIX/PSAMP: What Future Standards Can Offer to Network Security (White Paper)

White Paper
In this paper, the authors show how IPFIX and PSAMP can be used to support network security.
Publisher

Software Engineering Institute

Abstract

Network security often requires the surveillance of the actual traffic in the network. Methods like signature-based attack detection or the detection of traffic anomalies require input from network measurements. The IETF currently standardizes the IP Flow Information Export (IPFIX) protocol for exporting flow information from routers and probes. The packet sampling (PSAMP) group extends the information model of IPFIX with the ability to report per-packet information, including parts of the payload. With this, IPFIX and PSAMP provide valuable tools for detecting anomalies and security incidents in IP networks. Whereas the basic IPFIX and PSAMP documents are currently finalized, new drafts emerge that provide recommendations and IPFIX extensions. This paper shows how IPFIX and PSAMP can be used to support network security. Furthermore, it shows which extensions are useful and can provide further features for network security.

Part of a Collection

FloCon 2006 Collection

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.