flow tools tutorial
play

Flow-tools Tutorial Mark Fullmer maf@splintered.net Agenda - PowerPoint PPT Presentation

Jul 20, 2023 •179 likes •934 views

Flow-tools Tutorial Mark Fullmer maf@splintered.net Agenda Network flows Cisco / Juniper implementation NetFlow Cisco / Juniper Configuration flow-tools programs overview and examples from Abilene and Ohio- Gigapop

  1. Flow-tools Tutorial Mark Fullmer maf@splintered.net

  2. Agenda • Network flows • Cisco / Juniper implementation – NetFlow • Cisco / Juniper Configuration • flow-tools programs overview and examples from Abilene and Ohio- Gigapop

  3. Network Flows • Packets or frames that have a common attribute. • Creation and expiration policy – what conditions start and stop a flow. • Counters – packets,bytes,time. • Routing information – AS, network mask, interfaces.

  4. Network Flows • Unidirectional or bidirectional. • Bidirectional flows can contain other information such as round trip time, TCP behavior. • Application flows look past the headers to classify packets by their contents. • Aggregated flows – flows of flows.

  5. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 login: 10.0.0.1 10.0.0.2 Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  6. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  7. Unidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0

  8. Bidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.1 10.0.0.2 ICMP 0 0

  9. Application Flow Web server on Port 9090 % netscape http://10.0.0.2/9090 10.0.0.1 10.0.0.2 Content-type: Active Flows Flow Source IP Destination IP Application 1 10.0.0.1 10.0.0.2 HTTP

  10. Aggregated Flow Main Active flow table Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 Source/Destination IP Aggregate Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  11. Flow Descriptors • A Key with more elements will generate more flows. • Greater number of flows leads to more post processing time to generate reports, more memory and CPU requirements for device generating flows. • Depends on application. Traffic engineering vs. intrusion detection.

  12. Flow Accounting • Accounting information accumulated with flows. • Packets, Bytes, Start Time, End Time. • Network routing information – masks and autonomous system number.

  13. Flow Collection • Passive monitor. • Router other existing network device.

  14. Passive Monitor Collection Workstation A Workstation B Flow probe connected Campus to switch port in “ traffic mirror” mode

  15. Router Collection LAN LAN LAN LAN Internet Flow collector stores exported flows from router.

  16. Passive Monitor • Directly connected to a LAN segment via a switch port in “mirror” mode, optical splitter, or repeated segment. • Generate flows for all local LAN traffic. • Must have an interface or monitor deployed on each LAN segment. • Support for more detailed flows – bidirectional and application.

  17. Router Collection • Router will generate flows for traffic that is directed to the router. • Flows are not generated for local LAN traffic. • Limited to “simple” flow criteria (packet headers). • Generally easier to deploy – no new equipment.

  18. Cisco NetFlow • Unidirectional flows. • IPv4 unicast and multicast. • Aggregated and unaggregated. • Flows exported via UDP. • Supported on IOS and CatIOS platforms. • Catalyst NetFlow is different implementation.

  19. Cisco NetFlow Versions • 4 Unaggregated types (1,5,6,7). • 14 Aggregated types (8.x). • Each version has its own packet format. • Version 1 does not have sequence numbers – no way to detect lost flows. • The “version” defines what type of data is in the flow. • Some versions specific to Catalyst platform.

  20. NetFlow v1 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/End time, Output interface • Other: Bitwise OR of TCP flags.

  21. NetFlow v5 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/End time, Output interface. • Other: Bitwise OR of TCP flags, Source/Destination AS and IP Mask. • Packet format adds sequence numbers for detecting lost exports.

  22. NetFlow v8 • Aggregated v5 flows. • 3 Catalyst 65xx specific that correspond to the configurable flow mask. • Much less data to post process, but lose fine granularity of v5 – no IP addresses.

  23. NetFlow v8 • AS • Protocol/Port • Source Prefix • Destination Prefix • Prefix • Destination (Catalyst 65xx) • Source/Destination (Catalyst 65xx) • Full Flow (Catalyst 65xx)

  24. NetFlow v8 • ToS/AS • ToS/Protocol/Port • ToS/Source Prefix • ToS/Destination Prefix • Tos/Source/Destination Prefix • ToS/Prefix/Port

  25. NetFlow Packet Format • Common header among export versions. • All but v1 have a sequence number. • Version specific data field where N records of data type are exported. • N is determined by the size of the flow definition. Packet size is kept under ~1480 bytes. No fragmentation on Ethernet.

  26. NetFlow v5 Packet Example IP/UDP packet NetFlow v5 header v5 record … … v5 record

  27. NetFlow v5 Packet (Header) struct ftpdu_v5 { /* 24 byte header */ u_int16 version; /* 5 */ u_int16 count; /* The number of records in the PDU */ u_int32 sysUpTime; /* Current time in millisecs since router booted */ u_int32 unix_secs; /* Current seconds since 0000 UTC 1970 */ u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */ u_int32 flow_sequence; /* Seq counter of total flows seen */ u_int8 engine_type; /* Type of flow switching engine (RP,VIP,etc.) */ u_int8 engine_id; /* Slot number of the flow switching engine */ u_int16 reserved;

  28. NetFlow v5 Packet (Records) /* 48 byte payload */ struct ftrec_v5 { u_int32 srcaddr; /* Source IP Address */ u_int32 dstaddr; /* Destination IP Address */ u_int32 nexthop; /* Next hop router's IP Address */ u_int16 input; /* Input interface index */ u_int16 output; /* Output interface index */ u_int32 dPkts; /* Packets sent in Duration */ u_int32 dOctets; /* Octets sent in Duration. */ u_int32 First; /* SysUptime at start of flow */ u_int32 Last; /* and of last packet of flow */ u_int16 srcport; /* TCP/UDP source port number or equivalent */ u_int16 dstport; /* TCP/UDP destination port number or equiv */ u_int8 pad; u_int8 tcp_flags; /* Cumulative OR of tcp flags */ u_int8 prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ u_int8 tos; /* IP Type-of-Service */ u_int16 src_as; /* originating AS of source address */ u_int16 dst_as; /* originating AS of destination address */ u_int8 src_mask; /* source address prefix mask bits */ u_int8 dst_mask; /* destination address prefix mask bits */ u_int16 drops; } records[FT_PDU_V5_MAXFLOWS];

  29. NetFlow v8 Packet Example (AS Aggregation) IP/UDP packet NetFlow v8 header v8 record … … v8 record

  30. NetFlow v8 AS agg. Packet struct ftpdu_v8_1 { /* 28 byte header */ u_int16 version; /* 8 */ u_int16 count; /* The number of records in the PDU */ u_int32 sysUpTime; /* Current time in millisecs since router booted */ u_int32 unix_secs; /* Current seconds since 0000 UTC 1970 */ u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */ u_int32 flow_sequence; /* Seq counter of total flows seen */ u_int8 engine_type; /* Type of flow switching engine (RP,VIP,etc.) */ u_int8 engine_id; /* Slot number of the flow switching engine */ u_int8 aggregation; /* Aggregation method being used */ u_int8 agg_version; /* Version of the aggregation export */ u_int32 reserved; /* 28 byte payload */ struct ftrec_v8_1 { u_int32 dFlows; /* Number of flows */ u_int32 dPkts; /* Packets sent in duration */ u_int32 dOctets; /* Octets sent in duration */ u_int32 First; /* SysUpTime at start of flow */ u_int32 Last; /* and of last packet of flow */ u_int16 src_as; /* originating AS of source address */ u_int16 dst_as; /* originating AS of destination address */ u_int16 input; /* input interface index */ u_int16 output; /* output interface index */ } records[FT_PDU_V8_1_MAXFLOWS];

  31. Cisco IOS Configuration • Configured on each input interface. • Define the version. • Define the IP address of the collector (where to send the flows). • Optionally enable aggregation tables. • Optionally configure flow timeout and main (v5) flow table size. • Optionally configure sample rate.

Recommend

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and

Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and

Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and Java Getting Started Variable Types Arrays Operators Flow Control Flow Control Introducing Classes, Structs and

804 views • 52 slides
Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an

Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an

STAR-CCM+ User Guide 6663 Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an incompressible gas through an s-bend of constant diameter (2 cm), for both laminar and turbulent flow. The first part of the

381 views • 35 slides
Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in

Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in

STAR-CCM+ User Guide Steady Flow: Lid-Driven Cavity Flow 2 Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in solving a traditional square lid-driven cavity flow. The problem geometry consists of a

331 views • 18 slides
Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas

Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas

STAR-CCM+ User Guide 6663 Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas over a backward facing step (with height, H = 1 m). Data from a fully developed flow will be used at the inlet. The

630 views • 31 slides
Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier

Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier

Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier Literacy Tools. Created by: Heather Harris, Special Education Coach Intern Table of Con Table of Contents tents Talking Word

471 views • 21 slides
Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial

Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial

This is page 1 Printer: Opaque this Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial introduction to gradient- based optical flow estimation. We discuss least-squares and robust estima- tors,

589 views • 24 slides
Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced

1.8k views • 140 slides
The modern tools of quantum mechanics A tutorial on quantum states, measurements, and operations

The modern tools of quantum mechanics A tutorial on quantum states, measurements, and operations

Eur. Phys. J. Special Topics 203 , 6186 (2012) T HE E UROPEAN c EDP Sciences, Springer-Verlag 2012 P HYSICAL J OURNAL DOI: 10.1140/epjst/e2012-01535-1 S PECIAL T OPICS Review The modern tools of quantum mechanics A tutorial on quantum

719 views • 26 slides
Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio

Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio

Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio Laguna, Harshitha Menon Lawrence Livermore National Laboratory Michael Bentley, Ian Briggs, Pavel Panchekha, Ganesh Gopalakrishnan University of Utah

311 views • 7 slides
Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal

Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal

Tutorial 1 : Setting Up Your Unix Environment to work with Synopsys Tools Authors : Bibhas Ghoshal (bibhas.ghoshal@gmail.com), Subhadip Kundu (dip224@gmail.com) This tutorial guides you to set up your design libraries for both VLSI Design and

270 views • 4 slides
Hammer VLSI Flow John Wright UC Berkeley johnwright@berkeley.edu Tutorial Roadmap Custom SoC

Hammer VLSI Flow John Wright UC Berkeley johnwright@berkeley.edu Tutorial Roadmap Custom SoC

Hammer VLSI Flow John Wright UC Berkeley johnwright@berkeley.edu Tutorial Roadmap Custom SoC Configuration FireMarshal RTL Generators Bare-metal & RISC-V Multi-level Custom Accelerators Peripherals Linux Cores Caches Verilog

952 views • 64 slides
Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST

www.liberouter.org Tools for Security Analysis of Traffic on L7 Practical course 50th TF-CSIRT meeting and FIRST Regional Symposium for Europe Security Tools as a Service Flow monitoring overview Flow monitoring extended by application layer

1.99k views • 184 slides
Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

Flow Networks Flow Network: - digraph - weights, called capacities on edges - two

M AXIMUM F LOW How to do it... Why you want it... Where you find it... The Tao of Flow: Let your body go with the flow. -Madonna, Vogue Maximum flow...because youre worth it. -Loreal Go with the flow, Joe.

619 views • 20 slides
Tutorial 1 & 2: ge0ng the code to run, thermodynamics,

Tutorial 1 & 2: ge0ng the code to run, thermodynamics,

Tutorial 1 & 2: ge0ng the code to run, thermodynamics, expecta;on values, flow diagrams, ground-state energy Rok itko Ins;tute Joef Stefan

788 views • 59 slides
Monitoring of the DAQ2 system DAQ2 Shift Tutorial 2 cDAQ group Monitoring tools RCMS/LVL0

Monitoring of the DAQ2 system DAQ2 Shift Tutorial 2 cDAQ group Monitoring tools RCMS/LVL0

DAQ2 Shift Tutorial 1 cDAQ group Monitoring of the DAQ2 system DAQ2 Shift Tutorial 2 cDAQ group Monitoring tools RCMS/LVL0 interface 1. Has been covered by Hannes aDAQMon 2. Overview screen to see at a glance the CMS running

753 views • 33 slides
Tools Programming Tutorial Last updated: 18 June 2017 References Jrg Cassens Data and

Tools Programming Tutorial Last updated: 18 June 2017 References Jrg Cassens Data and

Applications Tools Programming Tutorial Last updated: 18 June 2017 References Jrg Cassens Data and Process Visualization SoSe 2017 SoSe 2017 Jrg Cassens Tools 1 / 57 Work in Progress What is still missing Applications

1.17k views • 58 slides
Tools for MRD in AML: flow cytometry Francesco Buccisano Can MRD improve outcome determina3on?

Tools for MRD in AML: flow cytometry Francesco Buccisano Can MRD improve outcome determina3on?

ACUTE MYELOID LEUKEMIA MEETING Ravenna - October 27, 2017 Tools for MRD in AML: flow cytometry Francesco Buccisano Can MRD improve outcome determina3on? Relapse 12 10 leukemic cells 10 10 CR 8 10 6 10 MRD No. of 4 10 2 10 Cure 0 10 Time This

751 views • 25 slides
Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation)

Decompilation is an information-flow problem (Or, information flow meets program transformation) Boris Feigin Computer Laboratory, University of Cambridge PLID 2008 joint work with Alan Mycroft 1 / 22 Motivation Given suitable tools we

605 views • 33 slides
HEP Computing Tools - lecture and tutorial Graduate lecture Rene Poncelet 9th/11th March 2020

HEP Computing Tools - lecture and tutorial Graduate lecture Rene Poncelet 9th/11th March 2020

HEP Computing Tools - lecture and tutorial Graduate lecture Rene Poncelet 9th/11th March 2020 Cavendish Laboratory 1 Disclaimer This course is meant to: Be a starting point in HEP computing. Provide a guided first contact with a

382 views • 21 slides
Semantic Web Rules - Tools and Languages - Tutorial at Rule ML 2006, Athens, GA Holger Knublauch

Semantic Web Rules - Tools and Languages - Tutorial at Rule ML 2006, Athens, GA Holger Knublauch

Semantic Web Rules - Tools and Languages - Tutorial at Rule ML 2006, Athens, GA Holger Knublauch Semantic Web Languages RDF Schema OWL SWRL Jena Rules Language SPARQL RDF Triples are the common foundation RDF

319 views • 29 slides
Introduction to The HTK Toolkit Hsin-min Wang Reference: - The HTK Book Outline An Overview

Introduction to The HTK Toolkit Hsin-min Wang Reference: - The HTK Book Outline An Overview

Introduction to The HTK Toolkit Hsin-min Wang Reference: - The HTK Book Outline An Overview of HTK HTK Processing Stages Data Preparation Tools Training Tools Testing Tools Analysis Tools A Tutorial Example 2 An

809 views • 43 slides
Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools

Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools

Why was Discovery Developed? Flow Assurance Needs: There are no reliable subsea detection tools to accurately detect and characterise hydrate, wax, and asphaltene blockages 2 Why was Discovery Developed? Pipeline Integrity Needs: One

825 views • 48 slides
A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling

A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling

A GAMS TUTORIAL A GAMS TUTORIAL A GAMS TUTORIAL WHAT IS GAMS ? General Algebraic Modeling System Modeling linear, nonlinear and mixed integer optimization problems Useful with large, complex problems A GAMS TUTORIAL A GAMS TUTORIAL

274 views • 24 slides

More recommend