netflow
play

NetFlow These materials are licensed under the Creative Commons - PowerPoint PPT Presentation

Jul 20, 2023 •394 likes •1.04k views

Advanced Registry Operations Curriculum NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) as part of the ICANN, ISOC and NSRC

  1. Advanced Registry Operations Curriculum NetFlow These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license 
 (http://creativecommons.org/licenses/by-nc/3.0/) as part of the ICANN, ISOC and NSRC Registry Operations Curriculum.

  2. Contents Contents • Netflow – What it is and how it works – Uses and Applications • Vendor Configurations/Implementation – Cisco • NetFlow tools – Architectural issues – Software, tools etc

  3. What are network flows ? What are Network Flows ? • Packets or frames that have a common attribute. • Creation and expiration policy – what conditions start and stop a flow. • Counters – packets,bytes,time. • Routing information – AS, network mask, interfaces.

  4. Network flows... Network Flows... • Unidirectional or bidirectional. • Bidirectional flows can contain other information such as round trip time, TCP behavior. • Application flows look past the headers to classify packets by their contents. • Aggregated flows – flows of flows.

  5. Unidirectional Flow with Source/ Unidirectional Flow with Destination IP Key Source/Destination IP Key % telnet 10.0.0.2 login: 10.0.0.1 10.0.0.2 Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  6. Unidirectional Flow with Source/ Unidirectional Flow with Destination IP Key Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  7. Unidirectional Flow with IP, Unidirectional Flow with Port,Protocol Key IP, Port, Protocol keys % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0

  8. Bidirectional Flow with IP, Bidirectional Flow with Port,Protocol Key Source/Destination IP Key % telnet 10.0.0.2 % ping 10.0.0.2 login: 10.0.0.1 10.0.0.2 ICMP echo reply Active Flows Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.1 10.0.0.2 ICMP 0 0

  9. Application flow Application Flow Web server on Port 9090 % firefox http://10.0.0.2:9090 10.0.0.1 10.0.0.2 Content-type: Active Flows Flow Source IP Destination IP Application 1 10.0.0.1 10.0.0.2 HTTP

  10. Aggregated flow Aggregated Flow Main Active flow table Flow Source IP Destination IP prot srcPort dstPort 1 10.0.0.1 10.0.0.2 TCP 32000 23 2 10.0.0.2 10.0.0.1 TCP 23 32000 3 10.0.0.1 10.0.0.2 ICMP 0 0 4 10.0.0.2 10.0.0.1 ICMP 0 0 Source/Destination IP Aggregate Flow Source IP Destination IP 1 10.0.0.1 10.0.0.2 2 10.0.0.2 10.0.0.1

  11. Working with flows Working with Flows • Generating and Viewing Flows • Exporting Flows from devices – Types of flows – Sampling rates • Collecting it – Tools to collect flows: flow-tools, netflowd, pfflowd, ... • Analyzing it – Use existing or write your own – nfSen, Netflow Dashboard, ...

  12. Flow descriptors Flow Descriptors • A Key with more elements will generate more flows. • Greater number of flows leads to more post processing time to generate reports, more memory and CPU requirements for device generating flows. • Depends on application. Tra ffj c engineering vs. intrusion – detection.

  13. Flow Accounting Flow Accounting • Accounting information accumulated with flows. • Packets, Bytes, Start Time, End Time. • Network routing information – masks and autonomous system number.

  14. Flow generation / collection Flow Generation/Collection • Passive monitor • A passive monitor (usually a UNIX host) receives all data and generates flows. • Resource intensive, newer investments needed • Router or other existing network device. • Router or other existing devices like switch, generate flows. • Sampling is possible (don't account for every packet) • Nothing new needed

  15. Passive monitor collection Passive Monitor Collection SWITCH Workstation A Workstation B mirrorring Flow generation AND collection Flow probe connected Campus to switch port in “ tra ffj c mirror” mode

  16. Router/eqpt. based generation Router Collection LAN LAN ROUTER LAN LAN Flow generation Flow export Internet Flow collection Flow collector stores exported flows from router.

  17. Passive monitor Passive Monitor • Directly connected to a LAN segment via a switch port in “mirror” mode, optical splitter, or repeated segment. • Generate flows for all local LAN tra ffj c. • Requires having an interface or monitor deployed on each switch/stack of the LAN/ segment. • Support for more detailed flows – bidirectional and application.

  18. Router or on-eqpt. generation Router or on-equipment collection • Router will generate flows for tra ffj c that is directed to the router. • Flows are not generated for local LAN tra ffj c (we are only seeing routed tra ffj c). • Limited to “simple” flow criteria (packet headers), but newer equipment can go deeper (firewalls). • Generally easier to deploy – no new equipment.

  19. Vendor implementations Vendor implementations

  20. Cisco NetFlow Cisco NetFlow • NetFlow originated at Cisco • Unidirectional flows • Bidirectional flows (Cisco ASA platform) • IPv4 unicast and multicast. • Aggregated and unaggregated. • Flows exported via UDP. • Supported on ASA, IOS and CatOS platforms. • Catalyst NetFlow is di fg erent from IOS

  21. Cisco NetFlow Versions Cisco NetFlow Versions • 4 Unaggregated types (1,5,6,7). • 14 Aggregated types (8.x, 9). • Each version has its own packet format. • Version 1 does not have sequence numbers – no way to detect lost flows. • The “version” defines what type of data is in the flow. • Some versions specific to Catalyst platform.

  22. NetFlow v1 NetFlow v1 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/End time, Output interface • Other: Bitwise OR of TCP flags.

  23. NetFlow v5 NetFlow v5 • Key fields: Source/Destination IP, Source/Destination Port, IP Protocol, ToS, Input interface. • Accounting: Packets, Octets, Start/End time, Output interface. • Other: Bitwise OR of TCP flags, Source/Destination AS and IP Mask. • Packet format adds sequence numbers for detecting lost exports. • Still very popular today

  24. NetFlow v8 NetFlow v8 • Aggregated v5 flows. • Not all flow types available on all equipments • Much less data to post process, but loses fine granularity of v5 – no IP addresses.

  25. NetFlow v5 fields NetFlow v8 • AS • Protocol/Port • Source Prefix • Destination Prefix • Prefix • Destination • Source/Destination • Full Flow

  26. NetFlow v8 fields (cont.) NetFlow v8 • ToS/AS • ToS/Protocol/Port • ToS/Source Prefix • ToS/Destination Prefix • Tos/Source/Destination Prefix • ToS/Prefix/Port

  27. NetFlow v9 NetFlow v9 • Record formats are defined using templates. • Template descriptions are communicated from the router to the NetFlow Collection Engine. • Flow records are sent from the router to the NetFlow Collection Engine with minimal template information so that the NetFlow Collection Engine can relate the records to the appropriate template. • Version 9 is independent of the underlying transport (UDP, TCP, SCTP, and so on).

  28. NetFlow v10 - IPFIX NetFlow v10 • Also known as IPFIX (IETF standardization) Enterprise specific support – Variable length fields –

  29. NetFlow Packet Format NetFlow Packet Format • Common header among export versions. • All but v1 have a sequence number. • Version specific data field where N records of data type are exported. • N is determined by the size of the flow definition. Packet size is kept under ~1480 bytes. No fragmentation on Ethernet.

  30. NetFlow v5 packet format NetFlow v5 Packet Example IP/UDP packet NetFlow v5 header v5 record … … v5 record

  31. NetFlow v5 packet header (C) NetFlow v5 Packet (Header) ‏ struct ftpdu_v5 { /* 24 byte header */ u_int16 version; /* 5 */ u_int16 count; /* The number of records in the PDU */ u_int32 sysUpTime; /* Current time in millisecs since router booted */ u_int32 unix_secs; /* Current seconds since 0000 UTC 1970 */ u_int32 unix_nsecs; /* Residual nanoseconds since 0000 UTC 1970 */ u_int32 flow_sequence; /* Seq counter of total flows seen */ u_int8 engine_type; /* Type of flow switching engine (RP,VIP,etc.) */ u_int8 engine_id; /* Slot number of the flow switching engine */ u_int16 reserved;

Recommend

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents

NetFlow Ne t wor k M a na g e me nt W or k s h op APRI COT 2010 Kua l a Lumpur Contents Netflow What it is and how it works Uses and Applications Vendor Configurations/Implementation Cisco and Juniper NetFlow tools

1.24k views • 62 slides
Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network

Overview of NetFlow NetFlow and ITSG -33 Existing Monitoring Tools Network Monitoring and Visibility Challenges Technology of the future Q&A What t is NetFlow? Network protocol originally developed by Cisco

560 views • 21 slides
Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org>

nProbe: an Open Source NetFlow Probe for Gigabit Networks Luca Deri <deri@ntop.org> NetFlow Traffic Monitoring Cisco NetFlow is a commercial standard for network monitoring and accounting Many companies (e.g. Cisco, Juniper,

430 views • 14 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific

Data Fusion Enhancing NetFlow Graph Analytics EMILIE PURVINE, BRYAN OLSEN, CLIFF JOSLYN Pacific Northwest National Laboratory FloCon 2016 Outline Introduction NetFlow Windows Event Log data Remote Desktop Protocol (RDP) sessions Approach

510 views • 32 slides
Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features

Tranalyzer Netflow extension It's the network go fix it! 2 Features Command-line based GUI: Traviz Extendable by plugins Fast and simple Practitioners: Anomaly and security related flags Researchers: Full

395 views • 11 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011 Background As the number or compromises escalates and our

182 views • 15 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow

CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow

CAMNEP: Multistage Collective Network Behavior Analysis System with Hardware Accelerated NetFlow Probes Martin Rehak, Pavel Celeda, Michal Pechoucek, Jiri Novotny CESNET, z. s. p. o. Gerstner Laboratory - Agent Technology Center Department of

305 views • 29 slides
Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov,

Conformal Clustering and its Application to Botnet Traffic Giovanni Cherubin, Ilia Nouretdinov, Alexander Gammerman Roberto Jordaney, Zhi Wang, Davide Papini, Lorenzo Cavallaro Netflow, network traces Internet Bot TCP/ netflow Date

576 views • 20 slides
NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner

NetFlow Data Capturing and Processing at SWITCH and ETH Zurich Arno Wagner wagner@tik.ee.ethz.ch Communication Systems Laboratory Swiss Federal Institute of Technology Zurich (ETH Zurich) Talk Outline The DDoSVax Project The SWITCH Network

249 views • 23 slides
Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam

Large-scale NetFlow Information Management Adrien Raulot, Shahrukh Zaidi University of Amsterdam Supervisor: Wim Biemolt (SURFnet) February 5, 2018 Adrien Raulot, Shahrukh Zaidi (UvA) NetFlow Information Management February 5, 2018 1 / 24

533 views • 24 slides
SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

916 views • 57 slides
DLP Detection with Netflow Christopher Poetzel Network Security Engineer Argonne National

DLP Detection with Netflow Christopher Poetzel Network Security Engineer Argonne National

DLP Detection with Netflow Christopher Poetzel Network Security Engineer Argonne National Laboratory FloCon 2011 Jan 11, 2012 Who Am I? Christopher Joseph Poetzel University of Wisconsin-Madison BS Computer Science

347 views • 19 slides
From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

316 views • 17 slides

More recommend