Flow-tools is a library and collection of programs used to analyze NetFlow data exported from routers. It includes flow-capture to collect NetFlow records and flow-stat to generate reports and statistics. Key information that can be extracted includes top talkers by IP/AS, traffic patterns between IP/AS pairs, and potential DoS/DDoS sources and targets. The tool provides network visibility without deep packet inspection and with minimal resources.
The document describes the Simple Mail Transfer Protocol (SMTP) which is used for sending and receiving email. It outlines the key components of SMTP including Mail Transfer Agents (MTAs), Mail Delivery Agents (MDAs), and the core SMTP commands used to send mail such as HELO, MAIL FROM, RCPT TO, and DATA. It also provides examples of using the telnet command line tool to interact with an SMTP server and send a basic email.
This document provides best practices for implementing SIP with the Aspect Unified IP environment. It defines key SIP terms and components. It describes the SIP module hierarchy and outlines steps to configure the Server Configurator with machine names, IP addresses, SIP web services, Aspect SIP proxies, and TAs. It emphasizes adding all SIP service machines to TA host files for proper call setup and resolution.
This document contains information about various network protocols including:
- Address Resolution Protocol (ARP) which resolves IP addresses to MAC addresses and vice versa
- Internet Control Message Protocol (ICMP) which is used to send error messages and network information
- User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) which are transport layer protocols
- Congestion control algorithms used by TCP like slow start, congestion avoidance, and fast retransmit
- Stream Control Transmission Protocol (SCTP) which supports multihoming and independent data streams
The document summarizes information about a new packet card for the DCP/TA system, including:
- It will operate in existing DCPs and supports G.711 and G.729 codecs with a maximum of 120 channels per card.
- Each card takes a T1/E1 slot and has 3 Ethernet ports, but only the bottom port will be active.
- Configuration changes are required like adding entries to the TA host file and dcpsrvX.config file.
- Troubleshooting tips provided for startup or audio quality issues.
APNIC Chief Scientist Geoff Huston presented on the various approached used by root servers to deliver large DNS responses at the DNS-OARC 26 in Madrid from 15 to 16 May 2017.
This document summarizes key topics related to IPv6 and routing in IP networks. It discusses IPv6 addressing architecture, including unicast addresses, link-local addresses, and multicast addresses. It also covers IPv6 packet format, extension headers, fragmentation, and ICMPv6. The document then discusses routing within IP networks, including IPv6 subnets, routing organization with autonomous systems, and interdomain routing protocols.
Many applications are network I/O bound, including common database-based applications and service-based architectures. But operating systems and applications are often untuned to deliver high performance. This session uncovers hidden issues that lead to low network performance, and shows you how to overcome them to obtain the best network performance possible.
NAT and firewall presentation - how setup a nice firewallCassiano Campes
This is a presentation I did during my internship @ PARKS in 2014. It shows how to configure NAT & firewall rules using IPTABLES.
I hope this can be useful to somebody in the future.
The document describes the Simple Mail Transfer Protocol (SMTP) which is used for sending and receiving email. It outlines the key components of SMTP including Mail Transfer Agents (MTAs), Mail Delivery Agents (MDAs), and the core SMTP commands used to send mail such as HELO, MAIL FROM, RCPT TO, and DATA. It also provides examples of using the telnet command line tool to interact with an SMTP server and send a basic email.
This document provides best practices for implementing SIP with the Aspect Unified IP environment. It defines key SIP terms and components. It describes the SIP module hierarchy and outlines steps to configure the Server Configurator with machine names, IP addresses, SIP web services, Aspect SIP proxies, and TAs. It emphasizes adding all SIP service machines to TA host files for proper call setup and resolution.
This document contains information about various network protocols including:
- Address Resolution Protocol (ARP) which resolves IP addresses to MAC addresses and vice versa
- Internet Control Message Protocol (ICMP) which is used to send error messages and network information
- User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) which are transport layer protocols
- Congestion control algorithms used by TCP like slow start, congestion avoidance, and fast retransmit
- Stream Control Transmission Protocol (SCTP) which supports multihoming and independent data streams
The document summarizes information about a new packet card for the DCP/TA system, including:
- It will operate in existing DCPs and supports G.711 and G.729 codecs with a maximum of 120 channels per card.
- Each card takes a T1/E1 slot and has 3 Ethernet ports, but only the bottom port will be active.
- Configuration changes are required like adding entries to the TA host file and dcpsrvX.config file.
- Troubleshooting tips provided for startup or audio quality issues.
APNIC Chief Scientist Geoff Huston presented on the various approached used by root servers to deliver large DNS responses at the DNS-OARC 26 in Madrid from 15 to 16 May 2017.
This document summarizes key topics related to IPv6 and routing in IP networks. It discusses IPv6 addressing architecture, including unicast addresses, link-local addresses, and multicast addresses. It also covers IPv6 packet format, extension headers, fragmentation, and ICMPv6. The document then discusses routing within IP networks, including IPv6 subnets, routing organization with autonomous systems, and interdomain routing protocols.
Many applications are network I/O bound, including common database-based applications and service-based architectures. But operating systems and applications are often untuned to deliver high performance. This session uncovers hidden issues that lead to low network performance, and shows you how to overcome them to obtain the best network performance possible.
NAT and firewall presentation - how setup a nice firewallCassiano Campes
This is a presentation I did during my internship @ PARKS in 2014. It shows how to configure NAT & firewall rules using IPTABLES.
I hope this can be useful to somebody in the future.
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner) Puppet
The document contains configuration for a network device using Puppet automation. It configures items like logging, SNMP, NTP, routing, interfaces, and BGP to standardize the configuration for improved operations agility, service velocity, and configuration consistency across devices. Variables are used throughout to parameterize settings like hostnames, IP addresses, and credentials.
Presentation given at MPLS+SDN+NFVWORLD 2019 in Paris that shows how network architects can leverage the support for IPv6 Segment that is included in the Linux kernel to develop new end-to-end services that use IPv6 Segment Routing on clients, routers and servers.
How You Will Get Hacked Ten Years from Nowjulievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources;
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes;
3. The document outlines several changes required for IPv6 including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
The document discusses routing protocols in IP networks and interdomain routing. It provides an overview of IPv6 neighbor discovery, routing protocols RIP and OSPF, and interdomain routing with BGP. Key concepts covered include how routers discover each other on the local link, distance vector and link-state routing, using areas in OSPF, and the path vector exchange in BGP to choose optimal routes between autonomous systems.
This document lists TCP and UDP ports along with their descriptions and status. It provides information on common ports used for protocols like HTTP, DNS, SSH, SMTP, and more. The status is categorized as official, unofficial, or multiple use to indicate if the port is registered with IANA for a specific application, not registered, or can be used by multiple applications.
This document discusses network flows and the NetFlow protocol. It begins by defining network flows as packets or frames that share common properties, such as source/destination IP and port. It then describes how NetFlow works by having network devices generate flows and export them to NetFlow collectors. The document outlines the NetFlow export packet format and different NetFlow versions, focusing on Cisco's implementation including versions 1, 5, 8 and 9. It also discusses how flows are generated, exported, collected and analyzed to monitor network traffic.
This document describes network address translation (NAT) and different NAT types. It includes a course on Cisco CCNA about NAT taught at Tehran Institute of Technology. The course covers introduction to NAT and private vs public addresses. It then describes static NAT, dynamic NAT, and port address translation. The document provides examples of configuring static and dynamic NAT on routers to allow internal hosts to access the internet using public IP addresses.
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
The document discusses denial of service (DoS) attacks and how to mitigate them. It begins by defining DoS attacks and some common types like Smurf and Fraggle attacks. It then discusses tools like hping that can be used to craft packets for DoS attacks or testing defenses. The document concludes by outlining techniques to prevent networks from being used in DoS amplification attacks and recommends configuring firewalls and filters to detect and block flood traffic.
The document discusses Linux iptables firewall. Iptables is the default firewall package for Linux and runs inside the Linux kernel. It has three built-in tables (filter, nat, mangle) that are used to filter, alter, and inspect packets. Iptables uses built-in chains and user-defined rules to allow or deny traffic based on packet criteria like source/destination, protocol, interface etc. Common iptables commands and options are also explained.
The document discusses using tcpdump and ssldump on an F5 device to analyze network traffic. It provides examples of commands to capture full traffic flows, including specifying filters. It also describes how to use tcpdump to troubleshoot issues like traffic not reaching servers. The document discusses using Wireshark with the F5 plugin to decrypt SSL traffic for analysis and provides instructions for configuring Wireshark. It briefly mentions using sFlow for performance monitoring and analytics.
Future Internet protocols are evolving to support more innovation in the transport and network layers. Multipath TCP allows a TCP connection to use multiple paths to improve performance, with subflows that appear like regular TCP connections. QUIC is a new transport protocol developed by Google that aims to reduce web latency by supporting 0-RTT handshake and encrypting more headers. IPv6 Segment Routing simplifies MPLS networks by using node labels advertised in routing protocols to steer traffic on arbitrary paths through the network.
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
IPv6 addresses are 128-bit and represented by 8 colon-separated 16-bit segments in hexadecimal format. IPv6 introduces more efficient address representation methods and a standardized interface identifier generation technique using MAC addresses. IPv6 headers are simpler than IPv4 headers and introduce new address types like anycast. Transition from IPv4 to IPv6 requires dual stack support and new security practices as many old IPv4 attacks still apply to IPv6. First hop security features like RA guard help prevent rogue devices and address spoofing. Overall, IPv6 deployment faces challenges around network segmentation, firewall rules, and router configurations.
This document provides a 3 sentence summary of the installation and configuration guide for TekTape version 2.0:
TekTape is an audio recorder and call detail records generator that runs on Windows and is used to monitor and record SIP calls, with features like real-time call monitoring, recording, CDR generation, and a web-based interface for configuration and management. The guide provides instructions on installing TekTape, configuring settings like packet filtering, audio capturing and TLS decoding, and managing recorded calls, active sessions, and system logs through the web interface. Packet filters use a declarative syntax to select packets for capture based on attributes like source/destination, protocol, port and length.
Handy Networking Tools and How to Use ThemSneha Inguva
Linux networking tools can be used to analyze network connectivity and performance. Tools like ifconfig show interface configurations, route displays routing tables, arp shows the ARP cache, dig/nslookup resolve DNS, and traceroute traces the network path. Nmap scans for open ports, ping checks latency, and tcpdump captures traffic. Iperf3 and wrk2 can load test throughput and capacity, while tcpreplay replays captured traffic. These CLI tools provide essential network information and testing capabilities from the command line.
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
IETF 106 - In-flight IPv6 Extension Header Insertion Considered HarmfulMark Smith
In the past few years, as well as currently, there have and are a number of proposals to insert IPv6 Extension Headers into existing IPv6 packets while in flight. This contradicts explicit prohibition of this type of IPv6 packet proccessing in the IPv6 standard. This memo describes the possible failures that can occur with EH insertion, the harm they can cause, and the existing model that is and should continue to be used to add new information to an existing IPv6 and other packets.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
When implementing IPv6 it can be important to maintain a view of how it is being used. This presentation provides a quick look at using Zabbix with SNMP to monitor IP protocol usage.
Puppet Camp Boston 2014: Network Automation with Puppet and Arista (Beginner) Puppet
The document contains configuration for a network device using Puppet automation. It configures items like logging, SNMP, NTP, routing, interfaces, and BGP to standardize the configuration for improved operations agility, service velocity, and configuration consistency across devices. Variables are used throughout to parameterize settings like hostnames, IP addresses, and credentials.
Presentation given at MPLS+SDN+NFVWORLD 2019 in Paris that shows how network architects can leverage the support for IPv6 Segment that is included in the Linux kernel to develop new end-to-end services that use IPv6 Segment Routing on clients, routers and servers.
How You Will Get Hacked Ten Years from Nowjulievreeland
1. The document discusses how the assumption of scarcity is built into many current security models and products but may not apply in an internet with abundant resources;
2. It notes that a post-scarcity internet will require new trust models for both clients and servers as current infrastructure changes;
3. The document outlines several changes required for IPv6 including new protocols, packet formats, and address configuration methods that could introduce new vulnerabilities.
The document discusses routing protocols in IP networks and interdomain routing. It provides an overview of IPv6 neighbor discovery, routing protocols RIP and OSPF, and interdomain routing with BGP. Key concepts covered include how routers discover each other on the local link, distance vector and link-state routing, using areas in OSPF, and the path vector exchange in BGP to choose optimal routes between autonomous systems.
This document lists TCP and UDP ports along with their descriptions and status. It provides information on common ports used for protocols like HTTP, DNS, SSH, SMTP, and more. The status is categorized as official, unofficial, or multiple use to indicate if the port is registered with IANA for a specific application, not registered, or can be used by multiple applications.
This document discusses network flows and the NetFlow protocol. It begins by defining network flows as packets or frames that share common properties, such as source/destination IP and port. It then describes how NetFlow works by having network devices generate flows and export them to NetFlow collectors. The document outlines the NetFlow export packet format and different NetFlow versions, focusing on Cisco's implementation including versions 1, 5, 8 and 9. It also discusses how flows are generated, exported, collected and analyzed to monitor network traffic.
This document describes network address translation (NAT) and different NAT types. It includes a course on Cisco CCNA about NAT taught at Tehran Institute of Technology. The course covers introduction to NAT and private vs public addresses. It then describes static NAT, dynamic NAT, and port address translation. The document provides examples of configuring static and dynamic NAT on routers to allow internal hosts to access the internet using public IP addresses.
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Finalmasoodnt10
The document discusses denial of service (DoS) attacks and how to mitigate them. It begins by defining DoS attacks and some common types like Smurf and Fraggle attacks. It then discusses tools like hping that can be used to craft packets for DoS attacks or testing defenses. The document concludes by outlining techniques to prevent networks from being used in DoS amplification attacks and recommends configuring firewalls and filters to detect and block flood traffic.
The document discusses Linux iptables firewall. Iptables is the default firewall package for Linux and runs inside the Linux kernel. It has three built-in tables (filter, nat, mangle) that are used to filter, alter, and inspect packets. Iptables uses built-in chains and user-defined rules to allow or deny traffic based on packet criteria like source/destination, protocol, interface etc. Common iptables commands and options are also explained.
The document discusses using tcpdump and ssldump on an F5 device to analyze network traffic. It provides examples of commands to capture full traffic flows, including specifying filters. It also describes how to use tcpdump to troubleshoot issues like traffic not reaching servers. The document discusses using Wireshark with the F5 plugin to decrypt SSL traffic for analysis and provides instructions for configuring Wireshark. It briefly mentions using sFlow for performance monitoring and analytics.
Future Internet protocols are evolving to support more innovation in the transport and network layers. Multipath TCP allows a TCP connection to use multiple paths to improve performance, with subflows that appear like regular TCP connections. QUIC is a new transport protocol developed by Google that aims to reduce web latency by supporting 0-RTT handshake and encrypting more headers. IPv6 Segment Routing simplifies MPLS networks by using node labels advertised in routing protocols to steer traffic on arbitrary paths through the network.
APNIC Hackathon IPv4 & IPv6 security & threat comparisonsSiena Perry
IPv6 addresses are 128-bit and represented by 8 colon-separated 16-bit segments in hexadecimal format. IPv6 introduces more efficient address representation methods and a standardized interface identifier generation technique using MAC addresses. IPv6 headers are simpler than IPv4 headers and introduce new address types like anycast. Transition from IPv4 to IPv6 requires dual stack support and new security practices as many old IPv4 attacks still apply to IPv6. First hop security features like RA guard help prevent rogue devices and address spoofing. Overall, IPv6 deployment faces challenges around network segmentation, firewall rules, and router configurations.
This document provides a 3 sentence summary of the installation and configuration guide for TekTape version 2.0:
TekTape is an audio recorder and call detail records generator that runs on Windows and is used to monitor and record SIP calls, with features like real-time call monitoring, recording, CDR generation, and a web-based interface for configuration and management. The guide provides instructions on installing TekTape, configuring settings like packet filtering, audio capturing and TLS decoding, and managing recorded calls, active sessions, and system logs through the web interface. Packet filters use a declarative syntax to select packets for capture based on attributes like source/destination, protocol, port and length.
Handy Networking Tools and How to Use ThemSneha Inguva
Linux networking tools can be used to analyze network connectivity and performance. Tools like ifconfig show interface configurations, route displays routing tables, arp shows the ARP cache, dig/nslookup resolve DNS, and traceroute traces the network path. Nmap scans for open ports, ping checks latency, and tcpdump captures traffic. Iperf3 and wrk2 can load test throughput and capacity, while tcpreplay replays captured traffic. These CLI tools provide essential network information and testing capabilities from the command line.
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
IETF 106 - In-flight IPv6 Extension Header Insertion Considered HarmfulMark Smith
In the past few years, as well as currently, there have and are a number of proposals to insert IPv6 Extension Headers into existing IPv6 packets while in flight. This contradicts explicit prohibition of this type of IPv6 packet proccessing in the IPv6 standard. This memo describes the possible failures that can occur with EH insertion, the harm they can cause, and the existing model that is and should continue to be used to add new information to an existing IPv6 and other packets.
Part 5 : Sharing resources, security principles and protocolsOlivier Bonaventure
Slides supporting the "Computer Networking: Principles, Protocols and Practice" ebook. The slides can be freely reused to teach an undergraduate computer networking class using the open-source ebook.
When implementing IPv6 it can be important to maintain a view of how it is being used. This presentation provides a quick look at using Zabbix with SNMP to monitor IP protocol usage.
The document provides information about different types of DDoS attacks including DoS, DDoS, DNS reflection, SYN reflection, SMURF, UDP flood, SNMP, NTP, HTTP GET, and HTTP POST attacks. It describes how each attack works and overloads the target system with traffic. Mitigation techniques are also outlined, such as firewalls, rate limiting, authentication, and modifying server configurations.
The “Hands on Experience with IPv6 Routing and Services” Techtorial will provide attendees an opportunity to configure, troubleshoot, design and implement an IPv6 network using IPv6 technologies and features such as: IPv6 addressing, IPv6 neighbor discovery, HSRPv6, static routing, OSPFv3, EIGRPv6 and BGPv6. You will be provided with a scenario made up of an IPv4 network where you will get the opportunity to configure and implement IPv6 based on the requirements on the network, i.e., where would you deploy dual stack, where it make sense to do funneling and how to deploy IPv6 routing protocols without impacting your existing Network infrastructure.
The automotive aftermarket industry in the US is poised for steady growth driven by several factors:
- The average age of vehicles on the road is at an all-time high of 11.5 years, creating more demand for repairs and replacements.
- The total number of vehicles in operation continues to rise and is expected to grow 5% in the next five years.
- Vehicles are becoming more complex with advanced technologies, leading to more expensive repairs that many owners turn to professionals for.
- Online sales of auto parts are a growing segment, estimated at $6 billion currently and projected to reach $16.6 billion by 2020.
- The industry is consolidating through mergers and acquisitions as
This powerpoint presentation discusses network address translation from IPv6 to IPv4 (NAT64). It describes the goals of implementing NAT64 to allow communication between IPv6 and IPv4 networks. It provides details on the network topology, test bed used including applications like DHCPD6, RADVD, DNS64 and TAYGA. It summarizes the steps of NAT64 operation and shows the results of testing various applications over the NAT64 network.
Applied Detection and Analysis Using Flow Data - MIRCon 2014chrissanders88
In this presentation, Chris Sanders and Jason Smith discuss the importance of using flow data for network security analysis. Flow data is discussed from the viewpoints of collection, detection, and analysis. We also discuss the FlowPlotter tool, and the use of FlowBAT, a graphical flow analysis GUI we've created.
This gives an overall idea about wireshark design and how to capture packets using wireshark, tcpdump and tshark. It also covers basics behind measuring network performance and tools to use such as bmon and iperf.
Application Visibility and Experience through Flexible NetflowCisco DevNet
The world of applications is changing rapidly in the enterprise; from the way applications are increasingly hosted in the cloud, the diverse nature of apps and to the way they are consumed by many devices. The need for organizations and network administrators is to focus on "Fast IT" - "Innovation in the Enterprise" is growing, which means having to spend less time on daily operations, maintenance and troubleshooting and more time on delivering business value with newer services. Cisco AVC with its NBAR2 technology is designed to detect applications and measure application performance through measuring round trip time, retransmission rates, jitter, delay, packet loss, MoS, URL statistics etc. Those details are transmitted using Flexible Netflow/IPFIX, so partners could leverage the data for application usage reporting, performance reporting and troubleshooting application issues to deliver best possible application experience.
Watch the DevNet 2047 replay from the Cisco Live On-Demand Library at: https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=92664&backBtn=true
Check out more and register for Cisco DevNet: http://ow.ly/jCNV3030OfS
NetFlow Monitoring for Cyber Threat DefenseCisco Canada
Recent trends have led to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. For more information, please visit our website: http://www.cisco.com/web/CA/index.html
Krzysztof Mazepa - Netflow/cflow - ulubionym narzędziem operatorów SPPROIDEA
Netflow is a widely used tool by network operators to monitor network traffic. It works by collecting IP traffic flow information from routers and switches. This flow information can then be used for various purposes such as monitoring network applications and users, network planning, identifying attacks and security threats, usage in billing systems, and analyzing traffic at peering points between operators. The presentation discusses the benefits of using Netflow/cflow mechanisms for network operators and aims to start a discussion on how it can be utilized in service provider and enterprise networks.
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
This document provides technical summaries of various network attacks and exploitation techniques. It begins with an overview of the author's background and experience in network security. It then summarizes several methods, including exploiting SNMP configurations, manipulating routing tables through policy routing, using GRE and ERSPAN tunnels to enable remote packet capture, exploiting DLSw to tunnel traffic covertly, and exploiting lawful intercept functions to duplicate traffic. The goal is to educate about various risks while maintaining an instructional tone.
How to Configure NetFlow v5 & v9 on Cisco RoutersSolarWinds
This document provides instructions for configuring NetFlow versions 5 and 9 on Cisco routers to monitor network traffic. It explains that NetFlow collects IP traffic data, what versions 5 and 9 are, and how to configure each version on a router by specifying the collector server, export port, and interfaces. It also describes how to verify the NetFlow export and how tools like SolarWinds NetFlow Traffic Analyzer analyze exported data to provide network usage insights.
Fast Streaming into Clickhouse with Apache PulsarTimothy Spann
https://github.com/tspannhw/SpeakerProfile/tree/main/2022/talks
Fast Streaming into Clickhouse with Apache Pulsar
https://github.com/tspannhw/FLiPC-FastStreamingIntoClickhouseWithApachePulsar
https://www.meetup.com/San-Francisco-Bay-Area-ClickHouse-Meetup/events/285271332/
Fast Streaming into Clickhouse with Apache Pulsar - Meetup 2022
StreamNative - Apache Pulsar - Stream to Altinity Cloud - Clickhouse
May the 4th Be With You!
04-May-2022 Clickhosue Meetup
CREATE TABLE iotjetsonjson_local
(
uuid String,
camera String,
ipaddress String,
networktime String,
top1pct String,
top1 String,
cputemp String,
gputemp String,
gputempf String,
cputempf String,
runtime String,
host String,
filename String,
host_name String,
macaddress String,
te String,
systemtime String,
cpu String,
diskusage String,
memory String,
imageinput String
)
ENGINE = MergeTree()
PARTITION BY uuid
ORDER BY (uuid);
CREATE TABLE iotjetsonjson ON CLUSTER '{cluster}' AS iotjetsonjson_local
ENGINE = Distributed('{cluster}', default, iotjetsonjson_local, rand());
select uuid, top1pct, top1, gputempf, cputempf
from iotjetsonjson
where toFloat32OrZero(top1pct) > 40
order by toFloat32OrZero(top1pct) desc, systemtime desc
select uuid, systemtime, networktime, te, top1pct, top1, cputempf, gputempf, cpu, diskusage, memory,filename
from iotjetsonjson
order by systemtime desc
select top1, max(toFloat32OrZero(top1pct)), max(gputempf), max(cputempf)
from iotjetsonjson
group by top1
select top1, max(toFloat32OrZero(top1pct)) as maxTop1, max(gputempf), max(cputempf)
from iotjetsonjson
group by top1
order by maxTop1
Tim Spann
Developer Advocate
StreamNative
This document provides an overview and agenda for the Splunk App for Stream, including:
- The architecture of the Stream Forwarder for capturing wire data and routing it to Splunk.
- The architecture of the App for Stream for analyzing wire data in Splunk.
- Examples of deployment architectures for ingesting wire data.
- A customer use case where wire data from the network helped provide visibility that log data could not due to access restrictions.
25.3.10 packet tracer explore a net flow implementationFreddy Buenaño
This document describes exploring NetFlow implementation using Packet Tracer. It has two parts: observing unidirectional NetFlow records from pinging the default gateway, and bidirectional records from accessing a web server. The objectives are to observe how NetFlow records are generated for different types of traffic and to predict and verify the values in the records.
The document provides a comprehensive list of port requirements for various SolarWinds products. It details the specific ports used by each product, including ipMonitor, LANsurveyor, Log & Event Manager, Network Topology Mapper, Orion modules, and others. The ports vary depending on the enabled features and monitored services within each product.
The document provides an overview of new commands, modified commands, and deprecated commands in the ArubaOS 6.4 Command-Line Interface. It also describes how to connect to the controller using the serial port or Telnet/SSH, navigate between different command modes, and get help with commands.
The document discusses software-defined networking (SDN) and OpenFlow, including:
1) OpenFlow allows the control logic to be separated from the forwarding hardware by defining an open interface between the two. This enables more flexible and programmable networks.
2) OpenFlow works by defining flows that match packets and actions that are applied to the matched packets. The flows are populated and managed by an external controller through the OpenFlow protocol.
3) OpenFlow is being deployed in over 100 organizations and is enabling network innovation through its programmable and customizable nature.
Network Security and Visibility through NetFlowLancope, Inc.
With the rise of disruptive forces such as cloud computing and mobile technology, the enterprise network has become larger and more complex than ever before. Meanwhile, sophisticated cyber-attackers are taking advantage of the expanded attack surface to gain access to internal networks and steal sensitive data.
Perimeter security is no longer enough to keep threat actors out, and organizations need to be able to detect and mitigate threats operating inside the network. NetFlow, a context-rich and common source of network traffic metadata, can be utilized for heightened visibility to identify attackers and accelerate incident response.
Join Richard Laval to discuss the security applications of NetFlow using StealthWatch. This session will cover:
- An overview of NetFlow, what it is, how it works, and how it benefits security
- Design, deployment, and operational best practices for NetFlow security monitoring
- How to best utilize NetFlow and identity services for security telemetry
- How to investigate and identify threats using statistical analysis of NetFlow telemetry
ManageEngine NetFlow Analyzer is a comprehensive tool that provides bandwidth monitoring, traffic analytics, and network anomaly detection using various technologies including NetFlow, sFlow, IPFIX, and others. It offers a single solution for these functions with capabilities like Cisco NBAR 2, Cisco CBQoS, Cisco Medianet monitoring, and Cisco Application Visibility and Control. The tool collects data from routers, switches, firewalls and other network devices using protocols like NetFlow, analyzes it using its built-in collector, and provides reporting and alerts through its web-based GUI. It offers various report formats, scheduling, usage-based billing, attack detection, and application visibility and control through Cisco AVC.
This webinar explains why PISA chips are inevitable, provides overview of machine architecture of such switches, presents a brief primer on the P4 language with sample programs for a variety of networks and demonstrates a powerful network diagnostics application implemented in P4.
Programmability in SDNs is confined to the network control plane. The forwarding plane is still largely dictated by fixed-function switching chips. Our goal is to change that, and to allow programmers to define how packets are to be processed all the way down to the wire.
This is made possible by a new generation of high-performance forwarding chips. At the high-end, PISA (Protocol-Independent Switch Architecture) chips promise multi-Tb/s of packet processing. At the mid- and low-end of the performance spectrum, CPUs, GPUs, FPGAs, and NPUs already offer great flexibility with performance of a few tens to hundreds of Gb/s.
In addition to programmable forwarding chips, we also need a high-level language to dictate the forwarding behavior in a target independent fashion. "P4" (www.p4.org) is such a language. In P4, the programer declares how packets are to be processed, and a compiler generates a configuration for a PISA chip, or a programmable target in general. For example, the programmer might program the switch to be a top-of-rack switch, a firewall, or a load-balancer; and might add features to run automatic diagnostics and novel congestion control algorithms.
This is a tutorial for implementing application level traffic analyzer by using SF-TAP flow abstractor.
http://sf-tap.github.io/
https://github.com/SF-TAP/
https://github.com/SF-TAP/flow-abstractor
https://www.usenix.org/conference/lisa15/conference-program/presentation/takano
http://ytakano.github.io/
OpenFlow/Software-defined Networking aims to open up the network infrastructure through a "software-defined networking" approach. It proposes using simple packet forwarding hardware with an open interface and a network operating system that provides a well-defined open API. This allows multiple network operating systems or versions to run over the same underlying hardware, similar to how virtualization allows multiple operating systems to run on the same computer hardware. OpenFlow specifies the open interface and protocol to enable this new paradigm of network virtualization and programmability.
This document provides a primer on browser networking. It begins with an introduction and overview of the target audience. The content includes an explanation of the TCP/IP network model and layers. Key aspects of TCP such as the three-way handshake, flow control, slow start, and head of line blocking are described. The history of web protocols like HTTP 0.9, HTTP 1.0, HTTP 1.1, and developments like HTTP 2.0, SPDY, and QUIC are summarized. Examples and diagrams are provided to illustrate concepts. Resources for further reading are included.
3. NetworkFlow
A flow is a set of packets with common characteristics within a given time frame and a
given direction.
In packet switching networks, traffic flow, packet flow or network flow is a
sequence of packets from a source computer to a destination, which maybe
another host, a multicast group, or a broadcast domain.
RFC 2722 defines traffic flow as "A TRAFFIC FLOW is an artificial logical
equivalent to a call or connection, belonging to a (user-specified) METERED
TRAFFIC GROUP."
5. NetFlow
NetFlow was introduced in Cisco routers first to get the traffic informationfrom one or
many source/s to one or many destination/s.
Also supported by Juniper, Mikrotiketc.
Jflow or cflowd for Juniper Networks
NetStream for 3Com/HP
NetStream for Huawei Technologies
Cflowd for Alcatel-Lucent
Rflow for Ericsson
AppFlow Citrix
Traffic Flow MikroTik
sFlow vendors include: AlcatelLucent, Cisco, Dell, D-Link, Fortinet, Hewlett-Packard,
Huawei, IBM, Juniper, NEC, Netgear, ZTE etc
6. NetFlow
Version Comment
v1
First implementation, now obsolete, and restricted to IPv4 (without IP mask and
AS Numbers).
v2 Cisco internal version, never released.
v3 Cisco internal version, never released.
v4 Cisco internal version, never released.
v5
Most common version, available on many routers from different brands, but
restricted to IPv4 flows.
v6 No longer supported by Cisco.
v7 Like version 5 with a source router field. Used on Cisco Catalyst switches.
v8
Several aggregation form, but only for information that is already present in
version 5 records
v9
Template Based, available on some recent routers. Mostly used to report flows like
IPv6, MPLS, or even plain IPv4 with BGP nexthop.
v10 Used for identifying IPFIX - IP Flow Information Export.
7. Cisco Configuration
ip flow-export version 5 origin-as
ip flow-export source Loopback0
ip flow-export destination[ServerIP] 3000
interface TenGigabitEthernet1/0/0
ip flow ingress
ip flow egress
8. Juniper Configuration
set firewallfilter test-flow term 1 then sample
set firewallfilter test-flow term 1 then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test-flow
set interfaces ge-0/0/0 unit 0 family inet filter output test-flow
set forwarding-optionssampling input rate 1000
set forwarding-optionssampling familyinet output flow-server [ServerIp] port 3000
set forwarding-optionssampling familyinet output flow-server [ServerIp] version 5
9. Server
First Check if you are receiving the flows or not
tcpdump -i eth0 port 3000
17:30:19.248072 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248079 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.248853 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248887 IP InterfaceName.53344 > ServerName.3000: UDP, length 1464
17:30:19.248894 IP InterfaceName.53344 > ServerName.3000: UDP, length 1272
17:30:19.249385 IP InterfaceName.60532 > ServerName.3000: UDP, length 1416
10. Now What !!!
Yes….
The Flow exporter is exporting the flows and the Flow Collector is receiving them.
So now we can start analyzingthem to understandthe traffic pattern of our network.
Can be done in many ways with many tools.
We will discuss one of the most basic tools which can be run on bash easily with little
resources and required output.
11. Flow-Tools
Flow-toolsis a library and a collection of programs used to collect, send, process, and
generate reports from NetFlow data.
Supports NetFlow version upto 8. Best output with NetFlow version 5.
Included Programs are flow-capture , flow-cat, flow-statsand many more.
http://linux.die.net/man/1/flow-tools
12. Advantages
1. Gives detailinformation on each & every particularconversationwithout sniffing.
2. No problem for encrypted data.For any incident,traffic source & Destinationsare
visible.
3. Historicaldata of Flows can help operator to improve quality.
4. Data can be fetched from anywhere in network as needed in a customized way.
5. If you are multihomed, these information are importantto make sure that your
clients are getting qualityservice.
6. NFSEN does the same work but needs bigger resources compared to Flow-Tools.
7. Ideal for startup ISPs, small enterprise, office IT network, campus network etc.
13. Flow-Tools
apt-get installflow-tools
Or get it from here and installit
https://flow-tools.googlecode.com/files/flow-tools-0.68.5.1.tar.bz2
Make a directory to store your flows
mkdir /var/flows/
14. Flow-Tools
Edit the flow-capture.conf file at /etc/flow-tools/ , comment all and use the below line.
-V 5 -E 5G -N 3 -w /var/flows 0.0.0.0/ServerIP/3000
Which means –
NetFlow Version will be 5
Expire the totalstored flow files as per the given space – here we will set 5 G
Nesting level for sorting flow files
Working directory will be /var/flows
Allow any IP as analyzer and ServerIP as exporter with port 3000
15. Flow-Tools
We can now start capturing flows with the following command.
flow-capture -w /var/flows -E5G -S3 0/0/3000
Which means –
Flow capture will start with working directory /var/flows
Totalsize of all the flow files will not exceed 5 G
Emit a stat log message every 3 minutes
Allow any IP as analyzer and exporter with port 3000
16. Flow-Tools
Now if you go to /var/flows/2015/2015-10/2015-10-27/ to see the flow files.
Filenamesbegining with tmp which are typicallyin-progress flow files from flow-capture
are not processed.
cd /var/flows/2015/2015-10/2015-10-27/ [3 level nesting for sorting files]
ls -lah
total 259M
drwxr-xr-x 2 root root 4.0K Oct 27 17:07 .
drwxr-xr-x 3 root root 4.0K Oct 27 15:24 ..
-rw-r--r-- 1 root root 36M Oct 27 16:43 ft-v05.2015-10-27.163000+0600
-rw-r--r-- 1 root root 1022K Oct 27 16:45 ft-v05.2015-10-27.164438+0600
-rw-r--r-- 1 root root 26M Oct 27 16:54 ft-v05.2015-10-27.164500+0600
-rw-r--r-- 1 root root 2.6M Oct 27 16:55 ft-v05.2015-10-27.165435+0600
-rw-r--r-- 1 root root 12M Oct 27 17:00 ft-v05.2015-10-27.165558+0600
-rw-r--r-- 1 root root 21M Oct 27 17:07 ft-v05.2015-10-27.170000+0600
-rw-r--r-- 1 root root 16M Oct 27 17:13 tmp-v05.2015-10-27.170753+0600
17. Flow-Tools
We are ready to see some outputs finally…
0 OverallSummary
1 Average packet size distribution
2 Packets per flow distribution
3 Octets per flow distribution
4 Bandwidthper flow distribution
5 UDP/TCP destinationport
6 UDP/TCP source port
7 UDP/TCP port
8 DestinationIP
9 Source IP
10 Source/DestinationIP
11 Source or DestinationIP
12 IP protocol
13 octets for flow durationplot data
14 packets for flow durationplot data
15 short summary
16 IP Next Hop
17 Input interface
18 Output interface
19 Source AS
20 DestinationAS
21 Source/DestinationAS
22 IP ToS
23 Input/OutputInterface
24 Source Prefix
25 DestinationPrefix
26 Source/DestinationPrefix
27 Exporter IP
28 Engine Id
29 Engine Type
30 Source Tag
31 DestinationTag
32 Source/DestinationTag
18. Flow-Tools
To view output in bash we need to use the below command remaining at the flow files
directory which is /var/flows/2015/2015-10/2015-10-27/
flow-cat -p ft-v05.2015-10-27.170000+0600 | flow-stat -f11 -P -p -S4 | head -30
Meaning –
Concatenateflow file named ft-v05.2015-10-27.170000+0600
The headers are preloaded for this file containingthe metadata.
Flow-stat will provide function 11 (Source or DestinationIP) with preloaded headers and
Percentage to the total amount for 4 minutes durationof flows.