netflow flow tools tutorial
play

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop - PowerPoint PPT Presentation

Mar 23, 2023 •170 likes •1.1k views

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

  1. Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi

  2. Agenda • Agenda bashing – Do you want to see the labs, or want to discuss issues • Netflow – What it is and how it works – Uses and Applications • Vendor Configurations/ Implementation – Cisco and Juniper • Flow-tools – Architectural issues – Software, tools etc SANOG X Workshop : 29 September -7 August 2007, New Delhi

  3. Net-flow SANOG X Workshop : 29 September -7 August 2007, New Delhi

  4. Network Flows • Packets or frames that have a common attribute. • Creation and expiration policy – what conditions start and stop a flow. • Counters – packets,bytes,time. • Routing information – AS, network mask, interfaces. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  5. Network Flows • Unidirectional or bidirectional. • Bidirectional flows can contain other information such as round trip time, TCP behavior. • Application flows look past the headers to classify packets by their contents. • Aggregated flows – flows of flows. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  6. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 login: 10.0.0.1 10.0.0.2 Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 SANOG X Workshop : 29 September -7 August 2007, New Delhi

  7. Unidirectional Flow with Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 SANOG X Workshop : 29 September -7 August 2007, New Delhi

  8. Unidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 SANOG X Workshop : 29 September -7 August 2007, New Delhi

  9. Bidirectional Flow with IP, Port,Protocol Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.1 10.0.0.2 ICMP 0 0 SANOG X Workshop : 29 September -7 August 2007, New Delhi

  10. Application Flow Web server on Port 9090 % netscape http://10.0.0.2/9090 10.0.0.1 10.0.0.2 Content-type: Active Flows Flow Source IP Destination IP Application 1 10.0.0.1 10.0.0.2 HTTP SANOG X Workshop : 29 September -7 August 2007, New Delhi

  11. Aggregated Flow Main Active flow table Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 Source/Destination IP Aggregate Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1 SANOG X Workshop : 29 September -7 August 2007, New Delhi

  12. Working with Flows • Generating and Viewing Flows • Exporting Flows from devices – Types of flows – Sampling rates • Collecting it – Tools to Collect Flows - Flow-tools • Analyzing it – More tools available, can write your own SANOG X Workshop : 29 September -7 August 2007, New Delhi

  13. Flow Descriptors • A Key with more elements will generate more flows. • Greater number of flows leads to more post processing time to generate reports, more memory and CPU requirements for device generating flows. • Depends on application. Tra ffj c engineering vs. intrusion detection. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  14. Flow Accounting • Accounting information accumulated with flows. • Packets, Bytes, Start Time, End Time. • Network routing information – masks and autonomous system number. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  15. Flow Generation/Collection • Passive monitor • A passive monitor (usually a unix host) receives all data and generates flows. • Resource intensive, newer investments needed • Router or other existing network device. • Router or other existing devices like switch, generate flows. • Sampling is possible • Nothing new needed SANOG X Workshop : 29 September -7 August 2007, New Delhi

  16. Passive Monitor Collection Workstation A Workstation B Flow probe connected Campus to switch port in “ tra ffj c mirror” mode SANOG X Workshop : 29 September -7 August 2007, New Delhi

  17. Router Collection LAN LAN LAN LAN Internet Flow collector stores exported flows from router. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  18. Passive Monitor • Directly connected to a LAN segment via a switch port in “mirror” mode, optical splitter, or repeated segment. • Generate flows for all local LAN tra ffj c. • Must have an interface or monitor deployed on each LAN segment. • Support for more detailed flows – bidirectional and application. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  19. Router Collection • Router will generate flows for tra ffj c that is directed to the router. • Flows are not generated for local LAN tra ffj c. • Limited to “simple” flow criteria (packet headers). • Generally easier to deploy – no new equipment. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  20. Vendor implementations SANOG X Workshop : 29 September -7 August 2007, New Delhi

  21. Cisco NetFlow • Unidirectional flows. • IPv4 unicast and multicast. • Aggregated and unaggregated. • Flows exported via UDP. • Supported on IOS and CatIOS platforms. • Catalyst NetFlow is di fg erent implementation. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  22. Cisco NetFlow Versions • 4 Unaggregated types (1,5,6,7). • 14 Aggregated types (8.x). • Each version has its own packet format. • Version 1 does not have sequence numbers – no way to detect lost flows. • The “version” defines what type of data is in the flow. • Some versions specific to Catalyst platform. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  23. NetFlow v1 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/ End time, Output interface • Other: Bitwise OR of TCP flags. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  24. NetFlow v5 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/ End time, Output interface. • Other: Bitwise OR of TCP flags, Source/Destination AS and IP Mask. • Packet format adds sequence numbers for detecting lost exports. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  25. NetFlow v8 • Aggregated v5 flows. • 3 Catalyst 65xx specific that correspond to the configurable flow mask. • Much less data to post process, but lose fine granularity of v5 – no IP addresses. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  26. NetFlow v8 • AS • Protocol/Port • Source Prefix • Destination Prefix • Prefix • Destination (Catalyst 65xx) • Source/Destination (Catalyst 65xx) • Full Flow (Catalyst 65xx) SANOG X Workshop : 29 September -7 August 2007, New Delhi

  27. NetFlow v8 • ToS/AS • ToS/Protocol/Port • ToS/Source Prefix • ToS/Destination Prefix • Tos/Source/Destination Prefix • ToS/Prefix/Port SANOG X Workshop : 29 September -7 August 2007, New Delhi

  28. NetFlow Packet Format • Common header among export versions. • All but v1 have a sequence number. • Version specific data field where N records of data type are exported. • N is determined by the size of the flow definition. Packet size is kept under ~1480 bytes. No fragmentation on Ethernet. SANOG X Workshop : 29 September -7 August 2007, New Delhi

  29. NetFlow v5 Packet Example IP/UDP packet NetFlow v5 header v5 record … … v5 record SANOG X Workshop : 29 September -7 August 2007, New Delhi

  30. NetFlow v5 Packet (Header) struct ftpdu_v5 { /* 24 byte header */ u_int16 version; /* 5 */ u_int16 count; /* The number of records in the PDU */ u_int32 sysUpTime; /* Current time in millisecs since router booted */ u_int32 unix_secs; /* Current seconds since 0000 UTC 1970 */ u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */ u_int32 flow_sequence; /* Seq counter of total flows seen */ u_int8 engine_type; /* Type of flow switching engine (RP,VIP,etc.) */ u_int8 engine_id; /* Slot number of the flow switching engine */ u_int16 reserved; SANOG X Workshop : 29 September -7 August 2007, New Delhi

Recommend

Flow-tools Tutorial Mark Fullmer maf@splintered.net Agenda Network flows Cisco /

Flow-tools Tutorial Mark Fullmer maf@splintered.net Agenda Network flows Cisco /

Flow-tools Tutorial Mark Fullmer maf@splintered.net Agenda Network flows Cisco / Juniper implementation NetFlow Cisco / Juniper Configuration flow-tools programs overview and examples from Abilene and Ohio- Gigapop

934 views • 74 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Net-fow Ne t wor k S e c ur i t y J une 2009 Pa pe e t e , Fr e nc h Pol y ne s i a Agenda

Net-fow Ne t wor k S e c ur i t y J une 2009 Pa pe e t e , Fr e nc h Pol y ne s i a Agenda

Net-fow Ne t wor k S e c ur i t y J une 2009 Pa pe e t e , Fr e nc h Pol y ne s i a Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools

729 views • 62 slides
From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

316 views • 17 slides
Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and

Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and

Simple C# Tutorial C# Tutorial Introducing the .NET framework Comparing C# to C++ and Java Getting Started Variable Types Arrays Operators Flow Control Flow Control Introducing Classes, Structs and

804 views • 52 slides
ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

641 views • 46 slides
Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an

Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an

STAR-CCM+ User Guide 6663 Steady Flow: Laminar and Turbulent in an S-Bend This tutorial demonstrates the flow of an incompressible gas through an s-bend of constant diameter (2 cm), for both laminar and turbulent flow. The first part of the

381 views • 35 slides
Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in

Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in

STAR-CCM+ User Guide Steady Flow: Lid-Driven Cavity Flow 2 Steady Flow: Lid-Driven Cavity Flow This tutorial demonstrates the performance of STAR-CCM+ in solving a traditional square lid-driven cavity flow. The problem geometry consists of a

334 views • 18 slides
Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas

Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas

STAR-CCM+ User Guide 6663 Steady Flow: Backward Facing Step This tutorial demonstrates the flow of an incompressible gas over a backward facing step (with height, H = 1 m). Data from a fully developed flow will be used at the inlet. The

630 views • 31 slides
Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier

Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier

Premier Literacy Tools Tutorial Guide A step-by-step guide to the most popular tools in Premier Literacy Tools. Created by: Heather Harris, Special Education Coach Intern Table of Con Table of Contents tents Talking Word

471 views • 21 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal {krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection

478 views • 23 slides
Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial

Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial

This is page 1 Printer: Opaque this Optical Flow Estimation David J. Fleet, Yair Weiss ABSTRACT This chapter provides a tutorial introduction to gradient- based optical flow estimation. We discuss least-squares and robust estima- tors,

589 views • 24 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and

Introduction About Flow Unix Beginning Analysis Basic SiLK Tools rwfilter Printing and Sorting Tools Counting Tools Other Tools Advanced Sets Bags Prefix Maps Unix Scripting Visualization Basic Graphs Excel Gnuplot Advanced

1.8k views • 140 slides
The modern tools of quantum mechanics A tutorial on quantum states, measurements, and operations

The modern tools of quantum mechanics A tutorial on quantum states, measurements, and operations

Eur. Phys. J. Special Topics 203 , 6186 (2012) T HE E UROPEAN c EDP Sciences, Springer-Verlag 2012 P HYSICAL J OURNAL DOI: 10.1140/epjst/e2012-01535-1 S PECIAL T OPICS Review The modern tools of quantum mechanics A tutorial on quantum

719 views • 26 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio

Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio

Tutorial on Floating-Point Analysis and Reproducibility Tools for Scientific Software Ignacio Laguna, Harshitha Menon Lawrence Livermore National Laboratory Michael Bentley, Ian Briggs, Pavel Panchekha, Ganesh Gopalakrishnan University of Utah

311 views • 7 slides

More recommend