Go with the Flow

1. Go with the Flow … Md. Zobair Khan AS58587

2. kzobair One name to rule them all … :P

3. NetworkFlow A flow is a set of packets with common characteristics within a given time frame and a given direction. In packet switching networks, traffic flow, packet flow or network flow is a sequence of packets from a source computer to a destination, which maybe another host, a multicast group, or a broadcast domain. RFC 2722 defines traffic flow as "A TRAFFIC FLOW is an artificial logical equivalent to a call or connection, belonging to a (user-specified) METERED TRAFFIC GROUP."

4. NetworkFlow

5. NetFlow NetFlow was introduced in Cisco routers first to get the traffic informationfrom one or many source/s to one or many destination/s. Also supported by Juniper, Mikrotiketc. Jflow or cflowd for Juniper Networks NetStream for 3Com/HP NetStream for Huawei Technologies Cflowd for Alcatel-Lucent Rflow for Ericsson AppFlow Citrix Traffic Flow MikroTik sFlow vendors include: AlcatelLucent, Cisco, Dell, D-Link, Fortinet, Hewlett-Packard, Huawei, IBM, Juniper, NEC, Netgear, ZTE etc

6. NetFlow Version Comment v1 First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS Numbers). v2 Cisco internal version, never released. v3 Cisco internal version, never released. v4 Cisco internal version, never released. v5 Most common version, available on many routers from different brands, but restricted to IPv4 flows. v6 No longer supported by Cisco. v7 Like version 5 with a source router field. Used on Cisco Catalyst switches. v8 Several aggregation form, but only for information that is already present in version 5 records v9 Template Based, available on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP nexthop. v10 Used for identifying IPFIX - IP Flow Information Export.

7. Cisco Configuration ip flow-export version 5 origin-as ip flow-export source Loopback0 ip flow-export destination[ServerIP] 3000 interface TenGigabitEthernet1/0/0 ip flow ingress ip flow egress

8. Juniper Configuration set firewallfilter test-flow term 1 then sample set firewallfilter test-flow term 1 then accept set interfaces ge-0/0/0 unit 0 family inet filter input test-flow set interfaces ge-0/0/0 unit 0 family inet filter output test-flow set forwarding-optionssampling input rate 1000 set forwarding-optionssampling familyinet output flow-server [ServerIp] port 3000 set forwarding-optionssampling familyinet output flow-server [ServerIp] version 5

9. Server First Check if you are receiving the flows or not tcpdump -i eth0 port 3000 17:30:19.248072 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464 17:30:19.248079 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272 17:30:19.248853 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464 17:30:19.248887 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464 17:30:19.248894 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272 17:30:19.249385 IP InterfaceName.60532 > ServerName.3000: UDP, length 1416

10. Now What !!! Yes…. The Flow exporter is exporting the flows and the Flow Collector is receiving them. So now we can start analyzingthem to understandthe traffic pattern of our network. Can be done in many ways with many tools. We will discuss one of the most basic tools which can be run on bash easily with little resources and required output.

11. Flow-Tools Flow-toolsis a library and a collection of programs used to collect, send, process, and generate reports from NetFlow data. Supports NetFlow version upto 8. Best output with NetFlow version 5. Included Programs are flow-capture , flow-cat, flow-statsand many more. http://linux.die.net/man/1/flow-tools

12. Advantages 1. Gives detailinformation on each & every particularconversationwithout sniffing. 2. No problem for encrypted data.For any incident,traffic source & Destinationsare visible. 3. Historicaldata of Flows can help operator to improve quality. 4. Data can be fetched from anywhere in network as needed in a customized way. 5. If you are multihomed, these information are importantto make sure that your clients are getting qualityservice. 6. NFSEN does the same work but needs bigger resources compared to Flow-Tools. 7. Ideal for startup ISPs, small enterprise, office IT network, campus network etc.

13. Flow-Tools apt-get installflow-tools Or get it from here and installit https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2 Make a directory to store your flows mkdir /var/flows/

14. Flow-Tools Edit the flow-capture.conf file at /etc/flow-tools/ , comment all and use the below line. -V 5 -E 5G -N 3 -w /var/flows 0.0.0.0/ServerIP/3000 Which means – NetFlow Version will be 5 Expire the totalstored flow files as per the given space – here we will set 5 G Nesting level for sorting flow files Working directory will be /var/flows Allow any IP as analyzer and ServerIP as exporter with port 3000

15. Flow-Tools We can now start capturing flows with the following command. flow-capture -w /var/flows -E5G -S3 0/0/3000 Which means – Flow capture will start with working directory /var/flows Totalsize of all the flow files will not exceed 5 G Emit a stat log message every 3 minutes Allow any IP as analyzer and exporter with port 3000

16. Flow-Tools Now if you go to /var/flows/2015/2015-10/2015-10-27/ to see the flow files. Filenamesbegining with tmp which are typicallyin-progress flow files from flow-capture are not processed. cd /var/flows/2015/2015-10/2015-10-27/ [3 level nesting for sorting files] ls -lah total 259M drwxr-xr-x 2 root root 4.0K Oct 27 17:07 . drwxr-xr-x 3 root root 4.0K Oct 27 15:24 .. -rw-r--r-- 1 root root 36M Oct 27 16:43 ft-v05.2015-10-27.163000+0600 -rw-r--r-- 1 root root 1022K Oct 27 16:45 ft-v05.2015-10-27.164438+0600 -rw-r--r-- 1 root root 26M Oct 27 16:54 ft-v05.2015-10-27.164500+0600 -rw-r--r-- 1 root root 2.6M Oct 27 16:55 ft-v05.2015-10-27.165435+0600 -rw-r--r-- 1 root root 12M Oct 27 17:00 ft-v05.2015-10-27.165558+0600 -rw-r--r-- 1 root root 21M Oct 27 17:07 ft-v05.2015-10-27.170000+0600 -rw-r--r-- 1 root root 16M Oct 27 17:13 tmp-v05.2015-10-27.170753+0600

17. Flow-Tools We are ready to see some outputs finally… 0 OverallSummary 1 Average packet size distribution 2 Packets per flow distribution 3 Octets per flow distribution 4 Bandwidthper flow distribution 5 UDP/TCP destinationport 6 UDP/TCP source port 7 UDP/TCP port 8 DestinationIP 9 Source IP 10 Source/DestinationIP 11 Source or DestinationIP 12 IP protocol 13 octets for flow durationplot data 14 packets for flow durationplot data 15 short summary 16 IP Next Hop 17 Input interface 18 Output interface 19 Source AS 20 DestinationAS 21 Source/DestinationAS 22 IP ToS 23 Input/OutputInterface 24 Source Prefix 25 DestinationPrefix 26 Source/DestinationPrefix 27 Exporter IP 28 Engine Id 29 Engine Type 30 Source Tag 31 DestinationTag 32 Source/DestinationTag

18. Flow-Tools To view output in bash we need to use the below command remaining at the flow files directory which is /var/flows/2015/2015-10/2015-10-27/ flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f11 -P -p -S4 | head -30 Meaning – Concatenateflow file named ft-v05.2015-10-27.170000+0600 The headers are preloaded for this file containingthe metadata. Flow-stat will provide function 11 (Source or DestinationIP) with preloaded headers and Percentage to the total amount for 4 minutes durationof flows.

19. Flow-Tools : Case Study

20. Flow-Tools : Case Study Viewing most talkative Source or Destination IP: flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f11 -P -p -S4 | head -30 # --- ---- ---- Report Information --- --- --- # # Fields: Percent Total # Symbols: Disabled # Sorting: Descending Field 4 # Name: Source or Destination IP # # Args: flow-stat -f11 -P -p -S4 # # IPaddr flows octets packets # 122.102.32.106 5.809 7.793 8.062 103.253.38.11 2.577 10.787 9.039 122.102.32.90 2.791 5.509 5.384 103.26.112.170 3.132 3.334 3.175 103.26.112.17 1.849 1.865 1.767

21. Flow-Tools : Case Study Finding most talkative Source ASNs: flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f19 -P -p -S4 | head -30 # --- ---- ---- Report Information --- --- --- # # Fields: Percent Total # Symbols: Disabled # Sorting: Descending Field 4 # Name: Source AS # # Args: flow-stat -f19 -P -p -S4 # # # src AS flows octets packets # 45245 3.764 0.045 0.236 15169 0.738 0.071 0.066 7565 0.792 0.021 0.056 56138 0.985 0.010 0.062

22. Flow-Tools : Case Study Finding Top Source/Destination ASN: flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f21 -P -p -S4 | head -30 # --- ---- ---- Report Information --- --- --- # # Fields: Percent Total # Symbols: Disabled # Sorting: Descending Field 4 # Name: Source/Destination AS # # Args: flow-stat -f21 -P -p -S4 # # # src AS dst AS flows octets packets # 45245 32934 1.023 0.012 0.061 45245 15169 0.505 0.008 0.032 15169 7565 0.230 0.030 0.025 15169 45245 0.277 0.025 0.024

23. Flow-Tools : Case Study Finding DoS/DDoS Source/Destination: flow-cat -p ft-v05.2015-10-28.133000+0600 | flow-stat -f10 -P -p -S3 | head -40 # --- ---- ---- Report Information --- --- --- # src IPaddr dst IPaddr flows octets packets # 178.79.215.39 43.231.22.2 0.001 0.793 0.622 62.210.157.218 122.102.32.90 0.000 0.713 0.560 87.248.221.154 43.231.22.2 0.001 0.555 0.436 87.240.163.54 122.102.32.90 0.001 0.523 0.410 37.59.33.100 210.1.249.136 0.001 0.510 0.400 163.53.140.168 103.52.134.18 0.017 0.461 0.365 31.14.252.94 210.1.253.68 0.000 0.455 0.357 62.210.103.45 122.102.32.90 0.001 0.450 0.353 188.138.1.11 122.102.32.106 0.001 0.448 0.351 4.26.227.253 103.230.105.13 0.004 0.420 0.330 31.3.245.242 122.102.32.106 0.002 0.418 0.328 86.146.198.23 122.102.32.106 0.000 0.408 0.229 95.55.44.11 103.230.105.26 0.000 0.405 0.222 163.53.140.179 103.52.134.18 0.011 0.387 0.308 163.53.140.178 103.230.105.14 0.027 0.382 0.222

24. Flow-Tools : Case Study

25. Flow-Tools : Case Study Finding DoS/DDoS Source/Destination: flow-cat -p ft-v05.2015-10-28.134500+0600 | flow-stat -f10 -P -p -S3 | head -40 # --- ---- ---- Report Information --- --- --- # src IPaddr dst IPaddr flows octets packets # 103.7.251.45 173.205.124.100 12.517 6.555 5.006 95.211.191.89 103.253.38.11 0.003 4.548 2.901 69.16.175.42 103.253.38.5 0.005 3.779 2.486 46.28.51.252 103.253.38.5 0.002 2.850 1.818 89.46.103.119 103.253.38.5 0.018 2.454 1.575 69.16.175.42 103.253.38.11 0.006 2.440 1.610 91.121.4.51 103.253.38.11 0.003 2.437 1.558 195.154.194.38 103.253.38.5 0.011 2.047 1.310 203.223.95.78 50.97.95.98 0.008 2.037 0.960 87.248.212.205 103.253.38.11 0.002 1.955 2.144 176.205.18.194 103.253.38.5 0.003 1.504 1.332 188.165.200.34 103.253.38.11 0.002 1.440 0.919 94.242.246.118 103.253.38.11 0.005 1.374 0.881 205.185.216.42 103.253.38.11 0.002 0.973 0.676 178.149.93.10 103.253.38.11 0.000 0.965 0.443

26. Any Query ???

27. Thank You …

Go with the Flow

Go with the Flow

Recommended

More Related Content

What's hot

What's hot(20)

Viewers also liked

Viewers also liked(20)

Similar to Go with the Flow

Similar to Go with the Flow (20)

More from Bangladesh Network Operators Group

More from Bangladesh Network Operators Group(20)

Recently uploaded

Recently uploaded(20)

Go with the Flow