• Enabling NetFlow on a Catalyst 6500
    http://nwannura.blogspot.com/2009/06/enabling-netflow-on-catalyst-6500.html


    Configuring NetFlow on Cisco IOS XR Software
    http://www.cisco.com/en/US/docs/routers/xr12000/software/xr12k_r4.0/netflow/configuration/guide/nfc40flow.html


    ManageEngine NetFlow Analyzer v8600
    http://archives.manageengine.com/netflow/8.6/ManageEngine_NetFlowAnalyzer_8600.exe

    KeyGen -> java -jar xxx.jar
    http://thepiratebay.se/search/netflow/0/99/0


    กำหนดให้อนุญาติการเก็บข้อมูล Flow ที่วิ่งเข้า (ingress) Interface

    Router(config-if)#ip flow ingress

    ดูข้อมูลโดยใช้คำสั่ง show ip cache flow

    Router#sho ip cac flo
    IP packet size distribution (11215434 total packets):
    1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
    .001 .254 .685 .014 .000 .018 .008 .000 .005 .003 .000 .001 .001 .000 .000

    512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
    .000 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000

    IP Flow Switching Cache, 278544 bytes
    5 active, 4091 inactive, 3581241 added
    59673255 ager polls, 0 flow alloc failures
    Active flows timeout in 30 minutes
    Inactive flows timeout in 15 seconds
    IP Sub Flow Cache, 25800 bytes
    5 active, 1019 inactive, 3581241 added, 3581241 added to flow
    0 alloc failures, 0 force free
    1 chunk, 2 chunks added
    last clearing of statistics never
    Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
    -------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
    TCP-other 340168 0.0 2 53 0.1 1.3 13.4
    UDP-DNS 1495 0.0 1 64 0.0 0.0 15.5
    UDP-other 872145 0.2 8 76 1.6 0.2 15.4
    Total: 1213808 0.2 3 77 1.7 0.7 15.5

    SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
    Fa0/1 10.22.1.132 Local 172.28.101.46 01 0000 0800 1755
    Fa0/1 10.22.1.163 Local 172.28.101.46 01 0000 0800 1753
    Fa0/1 10.22.1.58 Local 172.28.101.46 11 103C 00A1 1
    Fa0/1 10.22.1.133 Local 172.28.101.46 06 E430 0016 41

    https://ghinryudokung.medium.com/มาทำ-traffic-analysis-like-a-pro-ในองค์กรด้วย-elastiflow-กันเถอะ-954b8e0b4577


    มีรายละเอียดของข้อมูลดังต่อไปนี้
    • [li]IP packet size distribution จะเป็นการบอกจำนวน Packet ที่ขนาดต่างๆ[/li]
      [li]IP Flow Switching Cache จะบอกจำนวนไบท์ทั้งหมดของ Flow ที่ถูกดักจับได้ รวมถึงบอกรายละเอียดของข้อกำหนด Flow เช่น Inactive flow จะมีเวลาในการเกิด timeout 15 วินาที และ ความยาวของ flow ที่ active จะไม่เกิน 30 นาที[/li]
      [li]IP Sub Flow Cache จะบอกจำนวนไบท์ทั้งหมดจาก Sub Flow[/li]
      [li]Protocol จะบอกว่าการดักจับพบ Protocol อะไรบ้างและรายละเอียดการทำงานเป็นอย่างไร[/li]
      [li]ส่วนสุดท้ายจะบอกรายละเอียดของข้อมูล IP/Port ของ Packet ที่ดักจับได้จาก interface f0/1[/li]

    Introduction to Accounting Principles with NetFlow and NBAR

    Why do We Need Accounting?

    image

    Accounting Reports - Business Justification

    image

    Bandwidth/Capacity Reports
    • [li]What is eating up my network resources?[/li]
      [li]When do I need a capacity upgrade?[/li]
      [li]What is causing congestion?[/li]

    Subscriber Demographic Reports
    • [li]What percentage is using P2P/gaming application?[/li]
      [li]What are the usage patterns of different subscriber groups?[/li]
      [li]What is the cost impact of my top subscribers?[/li]

    Server Activity
    • [li]What are the popular Web hosts used?[/li]
      [li]What are the popular streaming sites?[/li]

    Voice Reports
    • [li]Quality of experience of VoIP calls[/li]
      [li]Minutes spent on VoIP services[/li]
      [li]Total and concurrent calls per VoIP service[/li]
      [li]Compare managed vs. non-facility service[/li]

    Security Reports
    • [li]Which subscribers are infected and attacking others?[/li]
      [li]Which subscribers are spamming?[/li]
      [li]Which subscriber is attacking network resources?[/li]

    Accounting Architecture:

    The Theory

    image

    The Reality

    image

    Distinguish Between Accounting and Billing

    image

    Why NetFlow?

    image

    Network Operation
    • [li]Capacity Planning[/li]
      [li]Historic Data Collection and Trend Analysis[/li]
      [li]Network Performance Analysis[/li]
      [li]Unified Visibility Across Networks[/li]

    Security Operation
    • [li]Real-time Anomaly Behavior Monitoring[/li]
      [li]Eliminate Network Blind Spots[/li]
      [li]Reduce Time, Cost, and Complexity for Threat Detection and Response[/li]

    Compliance
    • [li]Provides User Accountability[/li]
      [li]Supplies Risk Measurability and Reporting[/li]
      [li]Enables Industry and Government Regulations: PCI, HIPAA, SCA.5DA, SOX, etc.[/li]

    Typical NetFlow Deployment

    image

    NetFlow Architecture

    image

    What Is a Traditional IP Flow?

    image
    [list type=decimal][li]Inspect a packet's seven key fields and identify the values[/li]
    [li]If the set of key field values is unique create a flow record or cache entry[/li]
    [li]When the flow terminates export the flow to the collector[/li][/list]
    NetFlow Key Fields Creating Flow Records

    image
    [list type=decimal][li]Inspect packet for key field values[/li]
    [li]Compare set of values to NetFlow cache[/li]
    [li]If the set of values are unique create a flow in cache[/li]
    [li]Inspect the next packet[/li][/list]
    There are Four Types of NetFlow Fields
    • [li]Key fields
      Key fields define the flow record
      An attribute in the packet used to create a flow record
      If the set of key field values is unique a new flow is created[/li]
      [li]Non-key fields
      These are used not to define a flow, instead they provide additional information[/li]
      [li]Value fields
      These are additional fields and counters, such as packet and byte counter, start and stop time stamps[/li]
      [li]Lookup fields
      These are additional information that are added to the flow, such as next hop address, source/destination AS number, etc.[/li]

    Traditional Layer 3 NetFlow Cache

    image

    NetFlow Processing Order
    [list type=decimal][li]Pre-Processing
    • [li]Packet Sampling[/li]
      [li]Filtering[/li]
    [/li]
    [li]Features and Services
    • [li]IPv4[/li]
      [li]Multicast[/li]
      [li]MPLS[/li]
      [li]IPv6[/li]
    [/li]
    [li]Post-Processing
    • [li]Aggregation[/li]
      [li]Non-key fields lookup[/li]
      [li]Export[/li]
    [/li][/list]
     8)
  • 1 Comment sorted by
  • Comprehensive Hardware Support
    [list][li]Not Supported Access Switches 37xx, 36xx, 35xx, 29xx[/li]
    [li]Enterprise and Aggregation/Edge
    Cisco IOS Software Release 12.2S
    Cisco 7200/7500, 7300 Series
    Cisco 4500, 10000, 7600 Series ASIC
    Cisco Catalyst 6500[/li]
    [li]Core
    Release 12.0S/Cisco IOS-XR
    Cisco 12000 Series ASIC
    CRS-1 ASIC[/li]
    [li]Access
    Cisco IOS Software Releases T Train
    Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200/7300 Series[/li][/list]

    NetFlow Versions
    [table][tr][td]NetFlow Version[/td][td]Comments[/td][/tr]
    [tr][td]1[/td][td]Original[/td][/tr]
    [tr][td]5[/td][td]Most Common Version[/td][/tr]
    [tr][td]7[/td][td]Specific to Cisco Catalyst 6500 and 7600 Series Switches
    Similar to Version 5, but Does Not Include AS, Interface, TCP Flag, and ToS Information[/td][/tr]
    [tr][td]8[/td][td]Choice 11 Aggregation Schemes
    Reduces Resource Usage[/td][/tr]
    [tr][td]9[/td][td]Flexible, Extensible File Export Format to Enable Easier
    Support of Additional Fields and Technologies; Coming Out
    Now MPLS, Multicast, and BGP Next Hop[/td][/tr][/table]

    Version 5 - Fixed Export Format

    Usage
    [list][li]Packet count[/li]
    [li]Byte count[/li][/list]
    Time of Day
    [list][li]Start sysUpTime[/li]
    [li]End sysUpTime[/li][/list]
    Port Utilization
    [list][li]Input ifIndex[/li]
    [li]Output ifIndex[/li][/list]
    QoS
    [list][li]Type of service[/li]
    [li]TCP flags[/li]
    [li]Protocol[/li][/list]
    From/To
    [list][li]Source IP address[/li]
    [li]Destination IP address[/li][/list]
    Application
    [list][li]Source TCP/UDP port[/li]
    [li]Destination TCP/UDP port[/li][/list]
    Routing and Peering
    [list][li]Next hop address[/li]
    [li]Source AS number[/li]
    [li]Dest. AS number[/li]
    [li]Source prefix mask[/li]
    [li]Dest. prefix mask[/li][/list]
    Version 5 is still used extensively

    Version 8 - Fixed Aggregation Format
    [list][li]Router-based aggregation[/li]
    [li]Enables router to summarize NetFlow data[/li]
    [li]Reduces NetFlow export data volume[/li]
    [li]Decreases NetFlow export bandwidth requirements[/li]
    [li]Currently 11 aggregation schemes
    Five original schemes
    Six new schemes with the ToS byte field[/li]
    [li]Several aggregations can be enabled simultaneously[/li][/list]
    Note: NetFlow version 9 can be used for router-based aggregation and is recommended if the collector supports v9

    Extensibility and Flexibility Phases Approach
    [list][li]Why a new export protocol?
    Build a flexible and extensible export format
    Advantage: able to add new technologies/data types very quickly Example: MPLS, IPv6, BGP next hop, multicast, etc.[/li]
    [li]NetFlow Version 9
    New concept: template records, data records
    Advantages: extensibility
    Integrate new technologies/data types quicker
    Integrate new aggregations quicker[/li][/list]
    Template Record - Example

    [img]http://dc626.4shared.com/img/cTusBni3/s7/0.7689992978620875/12_online.gif[/img]

    Data Record - Example

    [img]http://dc593.4shared.com/img/qwaYBhax/s7/13_online.gif[/img]

    NetFlow v9 Export Packet

    [img]http://dc625.4shared.com/img/eYcWNqzP/s7/0.272851881402809/14_online.gif[/img]
    [list][li]Matching ID numbers are the way to associate template to the data records[/li]
    [li]The header follows the same format as prior NetFlow versions so collectors will be backward compatible[/li]
    [li]Each data record represents one flow[/li]
    [li]If exported flows have different fields, they cannot be contained in the same template record (i.e., BGP next hop cannot be combined with MPLS-aware, NetFlow records)[/li][/list]
    IETF: IP Flow Information Export WG (IPFIX)
    [list][li]IPFIX protocol specifications
    Changes in terminology but same NetFlow Version 9 principles
    Improvements vs. NetFlow version 9: SCTP-PR, security, variable length information element, IANA registration, etc.
    Generic streaming protocol, not flow-centric anymore
    Security:
    Threat: confidentiality, integrity, authorization
    Solution: DTLS on SCTP-PR[/li]
    [li]IPFIX information model
    Most NetFlow version 9 information elements ID are kept
    Proprietary information element specification[/li]
    [li]Is IPFIX important to you?[/li]
    [li]RFC3954 "Cisco Systems NetFlow Services Export Version 9"[/li]
    [li]RFC3917 "Requirements for IP Flow Information Export"[/li]
    [li]RFC3955 "Evaluation of Candidate Protocols for IPFIX"[/li]
    [li]RFC5101 "Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information"[/li]
    [li]RFC5102 "Information Model for IP Flow Information Export"[/li]
    [li]RFC5103 "Bidirectional Flow Export using IP Flow Information Export (IPFIX)"[/li][/list]
    NetFlow Configuration Commands (Software Platforms)
    [list][li]Configure Cisco Express Forward (CEF) Switching
    ip cef[/li]
    [li]Configure NetFlow per interface - NetFlow Collects Flows
    ip flow ingress
    (or ip route-cache flow) - Older Cisco IOS Versions Use This Command, Hidden in 12.4 and 12.4T[/li]
    [li]Configure the export version - Set Export Packet Format
    i.e., ip flow-export Version 5
    ip flow-export version <version> [origin as|peer-as|bgp-nexthop][/li]
    [li]Configure the export destination - Optional for Collector
    i.e., ip flow-export destination 10.0.0.1 65001
    ip flow-export destination <address> <port>[/li]
    [li]Interface to define export devices, usually a loopback - Enables Collector to Identify the Exporting Device
    ip flow-export source <interface>[/li][/list]
    B-)