3. Network Flow
A flow is a set of packets with common characteristics within a given time frame and a
given direction.
In packet switching networks, a traffic flow, packet flow or network flow is a sequence of packets from a source computer to a destination, which may be another host, a multicast group, or a broadcast domain.
RFC 2722 defines traffic flow as "A TRAFFIC FLOW is an artificial logical
equivalent to a call or connection, belonging to a (user-specified) METERED
TRAFFIC GROUP."
5. NetFlow
NetFlow was first introduced in Cisco routers to get the traffic information from one or many sources to one or many destinations.
Also supported by Juniper, MikroTik, etc.:
Jflow or cflowd for Juniper Networks
NetStream for 3Com/HP
NetStream for Huawei Technologies
Cflowd for Alcatel-Lucent
Rflow for Ericsson
AppFlow for Citrix
Traffic Flow for MikroTik
sFlow vendors include: Alcatel-Lucent, Cisco, Dell, D-Link, Fortinet, Hewlett-Packard, Huawei, IBM, Juniper, NEC, Netgear, ZTE, etc.
6. NetFlow
Version: Comment
v1: First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS numbers).
v2: Cisco internal version, never released.
v3: Cisco internal version, never released.
v4: Cisco internal version, never released.
v5: Most common version, available on many routers from different brands, but restricted to IPv4 flows.
v6: No longer supported by Cisco.
v7: Like version 5 with a source router field. Used on Cisco Catalyst switches.
v8: Several aggregation forms, but only for information that is already present in version 5 records.
v9: Template based, available on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop.
v10: Used for identifying IPFIX (IP Flow Information Export).
7. Cisco Configuration
ip flow-export version 5 origin-as
ip flow-export source Loopback0
ip flow-export destination [ServerIP] 3000
interface TenGigabitEthernet1/0/0
 ip flow ingress
 ip flow egress
8. Juniper Configuration
set firewall filter test-flow term 1 then sample
set firewall filter test-flow term 1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test-flow
set interfaces ge-0/0/0 unit 0 family inet filter output test-flow
set forwarding-options sampling input rate 1000
set forwarding-options sampling family inet output flow-server [ServerIp] port 3000
set forwarding-options sampling family inet output flow-server [ServerIp] version 5
9. Server
First, check whether you are receiving the flows at all:
tcpdump -i eth0 port 3000
17:30:19.248072 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248079 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.248853 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248887 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248894 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.249385 IP InterfaceName.60532 > ServerName.3000: UDP, length 1416
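As an added example (not part of the original slides), a small Python decoder for the NetFlow v5 PDUs that arrive in those UDP datagrams: it checks the version and record count against the datagram length before trusting any field, and shows why full export packets are 1464 bytes (24-byte header plus 30 records of 48 bytes each, as in the tcpdump lines above). The addresses and counters produced by sample_datagram are constructed test data, not a real capture.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (network byte order): a 24-byte header followed by 1..30
# fixed 48-byte flow records, so a full PDU is exactly 24 + 30*48 = 1464 bytes.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30
ADDR_FIELDS = ("src", "dst", "nexthop")
RECORD_FIELDS = ADDR_FIELDS + ("in_if", "out_if", "packets", "octets", "first", "last",
                               "sport", "dport", "pad1", "tcp_flags", "proto", "tos",
                               "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram: bytes) -> dict:
    """Decode one v5 export PDU, rejecting anything whose size disagrees with its header."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if not 1 <= count <= MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} does not match a {len(datagram)}-byte datagram")
    records = []
    for i in range(count):
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)))
        for k in ADDR_FIELDS:            # 4-byte packed addresses -> dotted quad
            rec[k] = str(IPv4Address(rec[k]))
        records.append(rec)
    return {"count": count, "uptime_ms": uptime, "unix_secs": secs, "sequence": seq,
            "engine_type": etype, "engine_id": eid,
            "sampling_interval": sampling & 0x3FFF,   # low 14 bits; top 2 bits are the mode
            "records": records}

def build_v5(records: list, seq: int = 0) -> bytes:
    """Encode flow records into a v5 PDU (used here only to construct sample input)."""
    header = V5_HEADER.pack(5, len(records), 0, 1445945419, 0, seq, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(*[IPv4Address(r[k]).packed if k in ADDR_FIELDS else r.get(k, 0)
                                     for k in RECORD_FIELDS]) for r in records)
    return header + body

def sample_datagram(n: int) -> bytes:
    """Constructed test data: n TCP/443 flows from 10.0.0.x to 203.0.113.10, not a real capture."""
    flows = [{"src": f"10.0.0.{i + 1}", "dst": "203.0.113.10", "nexthop": "192.0.2.1",
              "packets": 10 + i, "octets": 1500 * (i + 1), "sport": 40000 + i, "dport": 443,
              "proto": 6} for i in range(n)]
    return build_v5(flows, seq=n)
```

A collector that skips the length check will happily read past the end of a truncated or mislabelled datagram, which is why the count is validated before any record is unpacked.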
10. Now What !!!
Yes….
The flow exporter is exporting the flows and the flow collector is receiving them.
So now we can start analyzing them to understand the traffic pattern of our network.
This can be done in many ways with many tools.
We will discuss one of the most basic tools, which runs easily from bash with few resources and gives the required output.
11. Flow-Tools
Flow-tools is a library and a collection of programs used to collect, send, process, and generate reports from NetFlow data.
It supports NetFlow versions up to 8; the best output is with NetFlow version 5.
Included programs are flow-capture, flow-cat, flow-stat and many more.
http://linux.die.net/man/1/flow-tools
12. Advantages
1. Gives detailed information on each and every conversation without sniffing.
2. No problem with encrypted data: for any incident, the traffic source and destinations are visible.
3. Historical flow data can help the operator to improve quality.
4. Data can be fetched from anywhere in the network as needed, in a customized way.
5. If you are multihomed, this information is important to make sure that your clients are getting quality service.
6. NFSEN does the same work but needs more resources compared to Flow-Tools.
7. Ideal for startup ISPs, small enterprises, office IT networks, campus networks, etc.
13. Flow-Tools
apt-get install flow-tools
Or get it from here and install it:
https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2
Make a directory to store your flows:
mkdir /var/flows/
14. Flow-Tools
Edit the flow-capture.conf file at /etc/flow-tools/, comment out everything and use the line below.
-V 5 -E 5G -N 3 -w /var/flows 0.0.0.0/ServerIP/3000
Which means –
NetFlow version will be 5
Expire the oldest stored flow files once the total exceeds the given space – here we set 5G
Nesting level 3 for sorting flow files into directories
Working directory will be /var/flows
Allow any IP as analyzer and ServerIP as exporter with port 3000
15. Flow-Tools
We can now start capturing flows with the following command.
flow-capture -w /var/flows -E5G -N3 -S3 0/0/3000
Which means –
Flow capture will start with working directory /var/flows
Total size of all the flow files will not exceed 5G
Nesting level 3 for sorting flow files into year/month/day directories (the same -N 3 as in flow-capture.conf; without it the files land flat in /var/flows)
Emit a stat log message every 3 minutes
Allow any IP as analyzer and exporter with port 3000
16. Flow-Tools
Now go to /var/flows/2015/2015-10/2015-10-27/ to see the flow files.
Filenames beginning with tmp are typically in-progress flow files from flow-capture and are not processed.
cd /var/flows/2015/2015-10/2015-10-27/ [3 level nesting for sorting files]
ls -lah
total 259M
drwxr-xr-x 2 root root 4.0K Oct 27 17:07 .
drwxr-xr-x 3 root root 4.0K Oct 27 15:24 ..
-rw-r--r-- 1 root root 36M Oct 27 16:43 ft-v05.2015-10-27.163000+0600
-rw-r--r-- 1 root root 1022K Oct 27 16:45 ft-v05.2015-10-27.164438+0600
-rw-r--r-- 1 root root 26M Oct 27 16:54 ft-v05.2015-10-27.164500+0600
-rw-r--r-- 1 root root 2.6M Oct 27 16:55 ft-v05.2015-10-27.165435+0600
-rw-r--r-- 1 root root 12M Oct 27 17:00 ft-v05.2015-10-27.165558+0600
-rw-r--r-- 1 root root 21M Oct 27 17:07 ft-v05.2015-10-27.170000+0600
-rw-r--r-- 1 root root 16M Oct 27 17:13 tmp-v05.2015-10-27.170753+0600
17. Flow-Tools
We are ready to see some outputs finally…
flow-stat can produce the following reports, selected by number with -f:
0 Overall Summary
1 Average packet size distribution
2 Packets per flow distribution
3 Octets per flow distribution
4 Bandwidth per flow distribution
5 UDP/TCP destination port
6 UDP/TCP source port
7 UDP/TCP port
8 Destination IP
9 Source IP
10 Source/Destination IP
11 Source or Destination IP
12 IP protocol
13 octets for flow duration plot data
14 packets for flow duration plot data
15 short summary
16 IP Next Hop
17 Input interface
18 Output interface
19 Source AS
20 Destination AS
21 Source/Destination AS
22 IP ToS
23 Input/Output Interface
24 Source Prefix
25 Destination Prefix
26 Source/Destination Prefix
27 Exporter IP
28 Engine Id
29 Engine Type
30 Source Tag
31 Destination Tag
32 Source/Destination Tag
18. Flow-Tools
To view the output in bash, run the command below while staying in the flow files directory, /var/flows/2015/2015-10/2015-10-27/
flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f11 -P -p -S4 | head -30
Meaning –
Concatenate the flow file named ft-v05.2015-10-27.170000+0600
The headers, which contain the file's metadata, are preloaded.
flow-stat will produce report 11 (Source or Destination IP) using the preloaded headers, with the percentage of the total amount, for the 4 minutes duration of flows.