icmynet flow netflow based traffic investigation analysis
play

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic - PowerPoint PPT Presentation

Oct 02, 2022 •174 likes •641 views

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

  1. ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES – Academic Network of Serbia RCUB - Belgrade University Computer Center ETF – Faculty of Electrical Engineering

  2. NetFlow Challenges: Who is consuming the bandwidth and how? D Deep insight into network traffic i i ht i t t k t ffi Recognize traffic anomaly – security threats Network optimization olution – NetFlow TM TM S l S i N Fl Protocol developed by Cisco for exporting IP flow statistics Other vendors: J-Flow, NetS tream, sFlow, IPFIX... TF-NOC, 11.10.2011

  3. How it works? Exported data: S rc/ dst IP S S rc/ dst ports rc/ dst ports Protocol Total bytes, packets, fllows QoS QoS BGP src/ dst AS Exporter IP I / In/ out ports t t Timestamp Router … . (Exporter) ( p ) … . TF-NOC, 11.10.2011

  4. Why to use? Performance management based on S NMP network traffic – who is using? CPU/ Memory usage – why is increased? who is talking with whom? TF-NOC, 11.10.2011

  5. NetFlow Analyzers Collect, process, present and analyze NetFlow data Most popular commercial solutions: p p S olarwinds, MenageEngine, S crutinyzer... ICmyNet.Flow ICmyNet.Flow AMRES participated the development with expertise, requirements, testing Competitive with other commercial solutions p Full free software available for NRENs and their members www.icmynet.com live demo download free trial user manual support contact pp TF-NOC, 11.10.2011

  6. System architecture Binary raw data files ICmyNet.Flow Flows_2009-10-21-09.20.00 Collector Collector Flows_2009-10-21-09.25.00 Flows_2009-10-21-09.30.00 ICmyNet.Flow Database Aggregator gg g ICmyNet.Flow Web Raw Data Files Archive TF-NOC, 11.10.2011

  7. Parameters for traffic analysis Detailed information about: IP subnets traffic Hosts traffic Hosts traffic Network S ervices and applications based on TCP/ UDP ports Network Protocols (TCP, UDP, ICMP, GRE...) QoS markers (ToS , IP precedence or DS CP) BGP Autonomous S ystem Numbers For each parameter counters for : Traffic Bandwidth (in bits/ s, kbps, Mbps..) Traffic Volume (in MBytes, GB, TB...) Number of Packets, volume and time based diagrams (pps) Number of Flows, volume and time based diagrams (fps) Configurable cut-off percentage or data amount for negligible consumers TF-NOC, 11.10.2011

  8. Overview Web application is chosen for the user interface De-facto standard for network management applications Accessibility, permanent development, flexibility Java application working under Tomcat JS F technologies TF-NOC, 11.10.2011

  9. Traffic Patterns Traffic Pattern - Traffic of Interest, defined by user Matches the traffic between “ Internal” and “ External” network S tatistics IS NOT per interface Statistics IS per subnet in Traffic Pattern D fi Defined by d b IP networks other NetFlow parameters External Internal network network TF-NOC, 11.10.2011

  10. Traffic Patterns Internet Exclude 10 0 0 0/8 Exclude 10.0.0.0/8 Internal Network 10.0.0.0/8 TF-NOC, 11.10.2011

  11. External Network Traffic Patterns Internal Network TF-NOC, 11.10.2011

  12. Traffic Patterns Application Servers 172 16 0 0/24 172.16.0.0/24 Internal Network 10.0.0.0/8 TF-NOC, 11.10.2011

  13. Traffic Pattern – basic element of analysis Internal Network 10.0.0.0/8 External Network 10.0.0.0/8 TF-NOC, 11.10.2011

  14. Traffic Patterns Advanced Traffic Patterns can be configured with flexible matching of any supported NetFlow field Examples : Examples : AMRES -> Facebook Internal address 147.91.0.0/ 16, S rc or Dst AS 32934 (Facebook) (Facebook) Router X Internal & External address: 0.0.0.0/ 0, Exporter 10.1.1.1 Potential attacks: Potential attacks: S rc or Dst port: 22, 135-139, 445, 1434,… “Weird” Protocols: Protocols: Exclude 6 (TCP) or 17 (UDP) Protocols: Exclude 6 (TCP) or 17 (UDP) Blocked Traffic: Out Interface: 0 (Null) TF-NOC, 11.10.2011

  15. Subnets S ubnets Defined by name and IP y address range in Internal network View tab / Address S pace IP address hierarchy of IP address hierarchy of subnets in a tree structure IPv6 are fully supported! TF-NOC, 11.10.2011

  16. Subnet Sets S ubnet S et User defined group of S ubnets and/ or other S ubnets S ets View tab / Custom S pace User defined hierarchy of S ubnet S S ets and belonging S ets and belonging S ubnets ubnets Any logical grouping of S ubnets: Institutions Faculties Universities S chools Libraries Libraries etc... TF-NOC, 11.10.2011

  17. View Tab – Top N TF-NOC, 11.10.2011

  18. View Tab – Chart TF-NOC, 11.10.2011

  19. View Tab – List TF-NOC, 11.10.2011

  20. Archived raw data review Raw data are archived in the files created every 5 minutes Compressed and archived in separate folder Every single flow is saved Raw data View Raw data View Access, review and explore raw data files S earching for a single flow or event that traversed the network t k TF-NOC, 11.10.2011

  21. Archived raw data review TF-NOC, 11.10.2011

  22. Searching and grouping raw data Filter, group and sort by any meaningful column TF-NOC, 11.10.2011

  23. Analysis of traffic anomaly Case study TF-NOC, 11.10.2011

  24. TF-NOC, 11.10.2011

  25. TF-NOC, 11.10.2011

  26. TF-NOC, 11.10.2011

  27. TF-NOC, 11.10.2011

  28. TF-NOC, 11.10.2011

  29. TF-NOC, 11.10.2011

  30. TF-NOC, 11.10.2011

  31. TF-NOC, 11.10.2011

  32. TF-NOC, 11.10.2011

  33. TF-NOC, 11.10.2011

  34. TF-NOC, 11.10.2011

  35. TF-NOC, 11.10.2011

  36. TF-NOC, 11.10.2011

  37. Configuration issues – Interfaces NetFlow configured in both directions on interfaces Exported data duplication Host A NetFlow Collector TF-NOC, 11.10.2011

  38. NetFlow configured in ingress direction on all interfaces Configuration issues – Interfaces No data duplication Host A TF-NOC, 11.10.2011

  39. Configuration issues – Interfaces NetFlow configured in ingress direction on all interfaces with redundant links D t d Data duplication! li ti ! Gi0/3 Gi0/3 Gi0/2 Gi0/1 Gi0/1 Host A TF-NOC, 11.10.2011

  40. Configuration issues – Interfaces S olution: Configure ingress direction on edge links (do not configure on core links) (do not configure on core links) Exclude interfaces on core links between exporters from Traffic Pattern TF-NOC, 11.10.2011

  41. Configuration issues - Timers Timer – aging Long Defines data export interval for long flows – 5 min Real Flow Received Flow Bits/s Bits/s Bits/s Bits/s Time of Time of export export 20k 5K t t 20 minutes 5 minutes TF-NOC, 11.10.2011

  42. Configuration issues - Timers Fast Defines data export criteria based on the threshold ( 100packets) (~100packets) Preserves memory overload TF-NOC, 11.10.2011

  43. Configuration issues - Aggregation Receiving application is using 5 minute aggregation TF-NOC, 11.10.2011

  44. NetFlow statistics from non-netflow device? L2 switches usually do not support NetFlow protocol Examples: Examples: LAN networks Gigabit Ethernet 0/0 FastEthernet 0/1 NREN member FastEthernet 0/2 connected to NREN backbone S olution Port mirroring Mirrored Ports S S erver with two NIC i h NIC FastEthernet 0/23 S oftflowd http:/ / www.mindrot.org/ proj ects / softflowd/ / softflowd/ FastEthernet 0/24 Gigabit Ethernet 0/1 http:/ / code.google.com/ p/ softflo wd/ NetFlow Date Export Interfaces info disappears, but Traffic Patterns don’ t need it! SOFTFLOW DEAMON NetFlow Emulator TF-NOC, 11.10.2011

  45. Conclusions ICmyNet.Flow Pros Traffic Patterns Traffic Patterns S ubnets and S ubnet S ets hierarchy Works with non-netflow devices Raw data inspection Full IPv6 support Full IPv6 support Web based, j ava – OS independent Cons S S ome net admins prefer link based statistics ome net admins prefer link based statistics (physical infrastructure view) Lack of top conversations statistics (plan to support in new version, 2012) Links www.icmynet.com live.icmynet.com/ NetFlowWeb TF-NOC, 11.10.2011

  46. rcub.bg.ac.rs slavko.gaj in@ Questions TF-NOC, 11.10.2011

Recommend

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief

NetFlow use cases ICmyNet / NetVizura Milo Zekovi, milos.zekovic@soneco.rs ICmyNet Chief Customer Officer Soneco d.o.o. Serbia Agenda ICmyNet / NetVizura overview Use cases / case studies Statistics per exporter/interfaces Traffic

629 views • 26 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National

NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National

NetFlow Analysis with MapReduce Wonchul Kang, Yeonhee Lee, Youngseok Lee Chungnam National University Chungnam National University {teshi85, yhlee06, lee}@cnu.ac.kr 2010.04.24(Sat) based on "An Internet Traffic Analysis Method with

534 views • 22 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying activity via payload Theory behind the idea Measuring NetFlow Measuring DNS traffic captures Implications and future work Motivation

580 views • 17 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis Using social networks we can complement our existing volumetric analysis. Identify phenomenon we are missing because they are just not

568 views • 24 slides
A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van Vliet, Aiko Pras Design and Analysis of Communication Systems University of Twente, The Netherlands NMRG Workshop on Netflow/IPFIX Usage in Network

592 views • 21 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides
An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P.

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P.

An Investigation Into Teredo and 6to4 Transition Mechanisms: Traffic Analysis M. Elich, P. Velan, T. Jirsk, P. eleda {elich|jirsik|celeda}@mail.muni.cz, petr.velan@cesnet.cz The 7th IEEE Workshop on Network Measurements, Sydney, October

397 views • 21 slides
Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction

Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction

Incorporating Intra-flow Dependencies and Inter-flow Correlations for Traffic Matrix Prediction Presenter: Kaihui Gao Tsinghua University Catalog 1. Background 2. Related Works 3. Motivation 4. Data Analysis of Traffic Matrix 5.

468 views • 18 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial

Maximilian Merkert Flow-based extended formulations for feasible traffic light controls Aussois Combinatorial Optimization Workshop, January 8, 2019 joint work with Gennadiy Averkov, Do Duc Le Outline 1 Introduction 2 Flow-based Extended

588 views • 39 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q

Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q

Traffic Flow Characteristics and Theory Primary Elements of Traffic Flow a. Flow Rate = q (vehicle per hour, vph) b. Density = k (vehicle per mile, vpm) c. Speed = u (mile per hour, mph) 2 Dr. Randa Oqab Mujalli Flow Flow (q) : is the

943 views • 20 slides
Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate

Traffic Flow Models CIVL 4162/6162 (Traffic Engineering) Lesson Objective Demonstrate traffic flow characteristics using observed data Describe traffic flow models Single regime Multiple regime Develop and calibrate traffic

343 views • 30 slides
Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman Roberto Jordaney, Zhi Wang, Davide Papini, Lorenzo Cavallaro Netflow, network traces Internet Bot TCP/ netflow Date

576 views • 20 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr

NETWORK TRAFFIC CHARACTERISATION USING FLOW-BASED STATISTICS Wednesday 27 th April, 2016 Petr Velan Jana Medkov, Tom Jirsk, Pavel eleda Introduction We need to be able to describe the network traffic. The researchers have to be

320 views • 17 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

316 views • 17 slides

More recommend