Flow Analysis
Examining communication patterns—source, destination, protocol, frequency, and volume—to understand expected device behavior and surface anomalies that may indicate compromise or misconfiguration.
What is Flow Analysis?
Flow analysis examines the metadata of network conversations rather than their contents: which source IP talked to which destination IP, over which protocol and port, when the conversation started and ended, and how many packets and bytes were exchanged (richer records add ingress interface, VLAN, and TCP flags). Routers and switches export this data as NetFlow (Cisco's original format), IPFIX (the IETF standardization of NetFlow v9, RFC 7011), or sFlow (which samples packet headers rather than tracking every conversation, so its counts are statistical estimates). Unlike full packet capture, which stores every byte on the wire, a flow record is a few dozen bytes per conversation, which makes it feasible to collect and retain at scale across large networks.
For IoT and OT security, flow analysis provides the foundation for behavioral baselining and anomaly detection. Fixed-function devices have stable communication patterns: a PLC that polls its sensors every 30 seconds and sends control signals to a fixed set of actuators produces the same (source, destination, protocol, port) tuples, at the same cadence, with roughly the same byte counts, hour after hour, and that pattern can be learned from flow records alone. Deviations stand out against the baseline: a connection to an external address, a new protocol or port to a known peer, a peer never seen before, a poll rate that suddenly changes, or a byte count far above the norm.
Flow analysis does have limitations. It shows that two hosts spoke over TCP port 502 and how much they exchanged, not whether that traffic was a harmless register read or a write that changed a setpoint; a Modbus function code or a DNP3 control command is only visible with deep packet inspection. The two are complementary: flow analysis gives broad, cheap coverage and behavioral trending across every device, and DPI gives depth on the specific high-value protocol streams (Modbus, DNP3, and similar) where the command itself matters. In practice a flow anomaly is usually the trigger that tells you which stream to pull from packet capture or DPI, not the final answer.
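To make the baselining idea concrete, the following is an added example written for this page (not ORDR's code) that learns a per-conversation baseline from NetFlow-style records and flags the kinds of deviation described above: an external destination, a new service to a known peer, a new peer, abnormal volume, and abnormal frequency. Every record, every address, and the 10.10.0.0/16 "internal" prefix are constructed for illustration; in a real deployment the records would come from a NetFlow/IPFIX collector, and only the fields shown here are used.

```python
"""Flow-based behavioral baseline for an OT segment.

Added example, not ORDR's code. Flow records, addresses and the internal
prefix are constructed; the record fields mirror what a NetFlow v5 / IPFIX
exporter provides (5-tuple, start time, byte and packet counts).
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed address space of the monitored OT network (hypothetical).
INTERNAL_NETS = [ip_network("10.10.0.0/16")]


@dataclass(frozen=True)
class Flow:
    start: int    # flow start, epoch seconds
    src: str      # source IP
    dst: str      # destination IP
    proto: int    # IP protocol number: 6 = TCP, 17 = UDP
    dport: int    # destination port
    bytes: int    # octets in the flow
    packets: int  # packets in the flow


def conv_key(f):
    """A conversation is (src, dst, proto, dport); the ephemeral source port is ignored."""
    return (f.src, f.dst, f.proto, f.dport)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class FlowBaseline:
    """Learns per-conversation byte counts, polling intervals and peer sets."""

    def __init__(self, flows):
        self.bytes = defaultdict(list)   # key -> byte counts seen in baseline
        self.interval = {}               # key -> median seconds between flows
        self.peers = defaultdict(set)    # host -> hosts it has talked to
        starts = defaultdict(list)
        for f in flows:
            k = conv_key(f)
            self.bytes[k].append(f.bytes)
            starts[k].append(f.start)
            self.peers[f.src].add(f.dst)
            self.peers[f.dst].add(f.src)
        for k, ts in starts.items():
            ts.sort()
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            self.interval[k] = median(gaps) if gaps else None

    def check(self, flows):
        """Return (finding, flow) pairs for flows that deviate from the baseline."""
        findings = []
        last_seen = defaultdict(list)
        for f in sorted(flows, key=lambda x: x.start):
            k = conv_key(f)
            if k not in self.bytes:
                # Never-seen conversation: classify by what is new about it.
                if is_internal(f.src) and not is_internal(f.dst):
                    findings.append(("external-destination", f))
                elif f.dst in self.peers[f.src]:
                    findings.append(("new-service-to-known-peer", f))
                else:
                    findings.append(("new-peer", f))
                continue
            # Known conversation: volume check. Median-based, so a near-constant
            # baseline (tiny standard deviation) does not flag every small jitter.
            if f.bytes > 3 * median(self.bytes[k]):
                findings.append(("abnormal-volume", f))
            # Frequency check: a flow arriving in under half the usual interval.
            prev = last_seen[k]
            expected = self.interval[k]
            if prev and expected and f.start - prev[-1] < expected / 2:
                findings.append(("abnormal-frequency", f))
            prev.append(f.start)
        return findings


# Constructed one-hour baseline: an HMI (10.10.1.5) polls a PLC (10.10.1.20)
# over Modbus/TCP every 30 s with 400-440 byte flows, and the PLC queries an
# internal NTP server (10.10.1.2) every 64 s.
BASELINE_FLOWS = [
    Flow(t, "10.10.1.5", "10.10.1.20", 6, 502, 400 + (t // 30 % 5) * 10, 6)
    for t in range(0, 3600, 30)
] + [Flow(t, "10.10.1.20", "10.10.1.2", 17, 123, 76, 1) for t in range(0, 3600, 64)]

# Constructed next window: the same polling plus five planted deviations.
OBSERVED_FLOWS = [
    Flow(t, "10.10.1.5", "10.10.1.20", 6, 502,
         90000 if t == 3690 else 420, 600 if t == 3690 else 6)  # one poll moves 90 kB
    for t in range(3600, 3900, 30)
] + [Flow(t, "10.10.1.20", "10.10.1.2", 17, 123, 76, 1) for t in range(3648, 3900, 64)] + [
    Flow(3605, "10.10.1.20", "203.0.113.7", 6, 443, 52000, 40),  # PLC talks to the internet
    Flow(3615, "10.10.1.5", "10.10.1.20", 6, 22, 1800, 12),      # HMI opens SSH to the PLC
    Flow(3812, "10.10.1.5", "10.10.1.20", 6, 502, 420, 6),       # extra poll 2 s after one
    Flow(3850, "198.51.100.9", "10.10.1.20", 6, 502, 300, 5),    # inbound Modbus from outside
]


def run_example():
    return FlowBaseline(BASELINE_FLOWS).check(OBSERVED_FLOWS)


if __name__ == "__main__":
    for kind, f in run_example():
        print(f"{kind:26} {f.src} -> {f.dst} proto={f.proto} dport={f.dport} bytes={f.bytes}")
```

The abnormal-volume finding is also the limitation from the paragraph above in miniature: the baseline knows a 90 kB Modbus/TCP exchange happened where 420 bytes was normal, but only DPI on that stream could say which function codes it carried. The median-based thresholds are deliberately simple; a production detector would also account for shift patterns, maintenance windows, and sampled exporters.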
Key Facts
- Because a flow record summarizes an entire conversation in tens of bytes, the same storage budget covers roughly 100x more network traffic with flow analysis than with full packet capture
- Flow data is typically retained for 30 to 90 days, which is what makes it possible to reconstruct a device's communication history when an incident is detected after the fact; packet capture at that retention is rarely affordable
- Over 90% of lateral movement indicators, such as a host opening SMB, RDP, or SSH to peers it has never contacted, are detectable through flow analysis alone without full packet capture
- Most enterprise routers and switches export NetFlow or IPFIX natively, so collection needs no additional hardware; the caveats are that exporters are often configured to sample (1 in N packets), that export adds load on the device, and that the small or unmanaged industrial switches common on OT segments often cannot export at all, so those segments usually need a SPAN port or tap feeding a software flow probe
How ORDR Addresses Flow Analysis
ORDR collects and analyzes network flow data as one of its primary behavioral monitoring inputs, combining it with full packet capture for OT protocol streams and API integrations for additional context. Flow-based behavioral baselines are built for every device type, enabling detection of communication anomalies that indicate compromise, misconfiguration, or policy violations.