PlAwAnSaI
Administrator
Enabling NetFlow on a Catalyst 6500
Code:
http://nwannura.blogspot.com/2009/06/enabling-netflow-on-catalyst-6500.html
Configuring NetFlow on Cisco IOS XR Software
Code:
http://www.cisco.com/en/US/docs/routers/xr12000/software/xr12k_r4.0/netflow/configuration/guide/nfc40flow.html
ManageEngine NetFlow Analyzer v8600
Code:
http://archives.manageengine.com/netflow/8.6/ManageEngine_NetFlowAnalyzer_8600.exe
KeyGen -> java -jar xxx.jar
Code:
http://thepiratebay.se/search/netflow/0/99/0
Enable collection of flow data for traffic entering (ingress) the interface
Router(config-if)#ip flow ingress
View the collected data with the command show ip cache flow
Router#sho ip cac flo
IP packet size distribution (11215434 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.001 .254 .685 .014 .000 .018 .008 .000 .005 .003 .000 .001 .001 .000 .000
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .001 .000 .000 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
5 active, 4091 inactive, 3581241 added
59673255 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25800 bytes
5 active, 1019 inactive, 3581241 added, 3581241 added to flow
0 alloc failures, 0 force free
1 chunk, 2 chunks added
last clearing of statistics never
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-other 340168 0.0 2 53 0.1 1.3 13.4
UDP-DNS 1495 0.0 1 64 0.0 0.0 15.5
UDP-other 872145 0.2 8 76 1.6 0.2 15.4
Total: 1213808 0.2 3 77 1.7 0.7 15.5
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 10.22.1.132 Local 172.28.101.46 01 0000 0800 1755
Fa0/1 10.22.1.163 Local 172.28.101.46 01 0000 0800 1753
Fa0/1 10.22.1.58 Local 172.28.101.46 11 103C 00A1 1
Fa0/1 10.22.1.133 Local 172.28.101.46 06 E430 0016 41
Code:
https://ghinryudokung.medium.com/มาทำ-traffic-analysis-like-a-pro-ในองค์กรด้วย-elastiflow-กันเถอะ-954b8e0b4577
The output contains the following sections:
[li]IP packet size distribution gives, for each size bucket, the fraction of all packets seen (11215434 here) that fell into that bucket; the values across the buckets sum to roughly 1.[/li]
[li]IP Flow Switching Cache shows the memory allocated to the main flow cache (278544 bytes here), its occupancy (active and inactive entries, flows added, ager polls, allocation failures) and the expiry rules: an inactive flow times out after 15 seconds, and an active flow is expired and exported at most 30 minutes after it started, so a single flow record never spans more than 30 minutes.[/li]
[li]IP Sub Flow Cache shows the same information for the sub-flow cache (25800 bytes).[/li]
[li]The Protocol table lists which protocols were seen, with per-protocol totals: number of flows, flows per second, average packets per flow, average bytes per packet, packets per second, and average active and idle time per flow.[/li]
[li]The last section is the per-flow table for flows that entered interface Fa0/1: source and destination interface and address, IP protocol number (Pr) and source/destination ports (SrcP/DstP), all in hexadecimal, and the packet count. DstIf "Local" means the traffic was addressed to the router itself. In the sample, 01 is ICMP (for ICMP the DstP column carries type and code, so 0800 is type 8, code 0: an echo request), 11 is UDP with DstP 00A1 = port 161 (SNMP), and 06 is TCP with DstP 0016 = port 22 (SSH).[/li][/list]
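The per-flow table above is plain text, and on a router without an exporter it is often the only flow data you have. The following Python script is an added example (not part of the original post or of Cisco's tooling): it parses the flow rows of `show ip cache flow`, decodes the hexadecimal protocol and port columns (including the ICMP type/code packed into DstP), and then applies the kind of check the Security Reports section below asks for, flagging a source that touches several destination ports on one host with single-packet flows. The sample input reuses the four rows from the output above; the three rows from 10.22.1.77 are constructed to model a port sweep and are not from the page.

```python
"""Parse the flow-entry table of Cisco IOS `show ip cache flow` and decode it."""
import re
from collections import defaultdict

# IP protocol numbers as they appear (hex) in the Pr column.
PROTO_NAMES = {0x01: "ICMP", 0x06: "TCP", 0x11: "UDP"}

# First four flow rows copied from the `show ip cache flow` output above; the
# three rows from 10.22.1.77 are CONSTRUCTED to model a TCP port sweep.
SAMPLE_OUTPUT = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa0/1 10.22.1.132 Local 172.28.101.46 01 0000 0800 1755
Fa0/1 10.22.1.163 Local 172.28.101.46 01 0000 0800 1753
Fa0/1 10.22.1.58 Local 172.28.101.46 11 103C 00A1 1
Fa0/1 10.22.1.133 Local 172.28.101.46 06 E430 0016 41
Fa0/1 10.22.1.77 Local 172.28.101.46 06 C001 0015 1
Fa0/1 10.22.1.77 Local 172.28.101.46 06 C002 0050 1
Fa0/1 10.22.1.77 Local 172.28.101.46 06 C003 01BB 1
"""

ROW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dstif>\S+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<pr>[0-9A-Fa-f]{2})\s+"
    r"(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flow_rows(text):
    """Return one dict per flow row; Pr, SrcP and DstP are hex in the IOS output."""
    flows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, prompt, or any other output
        proto = int(m["pr"], 16)
        flow = {
            "src_if": m["srcif"], "src": m["src"],
            "dst_if": m["dstif"], "dst": m["dst"],
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
            "pkts": int(m["pkts"]),
        }
        if proto == 1:
            # For ICMP, IOS packs type and code into DstP: 0800 = type 8, code 0 (echo request).
            flow["icmp_type"] = int(m["dp"][:2], 16)
            flow["icmp_code"] = int(m["dp"][2:], 16)
            flow["sport"] = flow["dport"] = None
        else:
            flow["sport"] = int(m["sp"], 16)
            flow["dport"] = int(m["dp"], 16)
        flows.append(flow)
    return flows


def describe(flow):
    """Human-readable one-liner for a decoded flow."""
    if flow["proto"] == 1:
        return (f'{flow["src"]} -> {flow["dst"]} ICMP type '
                f'{flow["icmp_type"]}/{flow["icmp_code"]} ({flow["pkts"]} pkts)')
    return (f'{flow["src"]}:{flow["sport"]} -> {flow["dst"]}:{flow["dport"]} '
            f'{flow["proto_name"]} ({flow["pkts"]} pkts)')


def find_port_sweepers(flows, min_ports=3):
    """Sources that touch at least min_ports distinct TCP/UDP destination ports
    on one host with one- or two-packet flows: the shape a port scan leaves in
    the flow cache. Returns sorted (src, dst) pairs."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] in (6, 17) and f["pkts"] <= 2:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)


if __name__ == "__main__":
    decoded = parse_flow_rows(SAMPLE_OUTPUT)
    for f in decoded:
        print(describe(f))
    print("possible port sweep:", find_port_sweepers(decoded))
```

Pipe the captured output of `show ip cache flow` into `parse_flow_rows` and the header, prompt and statistics lines are skipped automatically because only rows with two IPv4 addresses and the three hex columns match. The sweep threshold of three distinct ports is deliberately low for the sample; on a real cache you would raise it and exclude known scanners such as your own vulnerability-management hosts.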
Introduction to Accounting Principles with NetFlow and NBAR
Why do We Need Accounting?
Accounting Reports - Business Justification
Bandwidth/Capacity Reports
[li]What is eating up my network resources?[/li]
[li]When do I need a capacity upgrade?[/li]
[li]What is causing congestion?[/li][/list]
Subscriber Demographic Reports
[li]What percentage is using P2P/gaming application?[/li]
[li]What are the usage patterns of different subscriber groups?[/li]
[li]What is the cost impact of my top subscribers?[/li][/list]
Server Activity
[li]What are the popular Web hosts used?[/li]
[li]What are the popular streaming sites?[/li][/list]
Voice Reports
[li]Quality of experience of VoIP calls[/li]
[li]Minutes spent on VoIP services[/li]
[li]Total and concurrent calls per VoIP service[/li]
[li]Compare managed vs. non-facility service[/li][/list]
Security Reports
[li]Which subscribers are infected and attacking others?[/li]
[li]Which subscribers are spamming?[/li]
[li]Which subscriber is attacking network resources?[/li][/list]
Accounting Architecture:
The Theory
The Reality
Distinguish Between Accounting and Billing
Why NetFlow?
Network Operation
[li]Capacity Planning[/li]
[li]Historic Data Collection and Trend Analysis[/li]
[li]Network Performance Analysis[/li]
[li]Unified Visibility Across Networks[/li][/list]
Security Operation
[li]Real-time Anomaly Behavior Monitoring[/li]
[li]Eliminate Network Blind Spots[/li]
[li]Reduce Time, Cost, and Complexity for Threat Detection and Response[/li][/list]
Compliance
[li]Provides User Accountability[/li]
[li]Supplies Risk Measurability and Reporting[/li]
[li]Enables Industry and Government Regulations: PCI, HIPAA, SCA.5DA, SOX, etc.[/li][/list]
Typical NetFlow Deployment
NetFlow Architecture
What Is a Traditional IP Flow?
[li]Inspect a packet's seven key fields and identify the values[/li]
[li]If the set of key field values is unique create a flow record or cache entry[/li]
[li]When the flow terminates export the flow to the collector[/li][/list]
NetFlow Key Fields Creating Flow Records
[li]Inspect packet for key field values[/li]
[li]Compare set of values to NetFlow cache[/li]
[li]If the set of values is unique, create a flow in the cache[/li]
[li]Inspect the next packet[/li][/list]
There are Four Types of NetFlow Fields
[li]Key fields
Key fields define the flow record
An attribute in the packet used to create a flow record
If the set of key field values is unique, a new flow is created[/li]
[li]Non-key fields
These are not used to define a flow; instead they provide additional information[/li]
[li]Value fields
These are additional fields and counters, such as packet and byte counters and start and stop timestamps[/li]
[li]Lookup fields
These are additional pieces of information added to the flow, such as the next-hop address and source/destination AS number[/li][/list]
Traditional Layer 3 NetFlow Cache
NetFlow Processing Order
[li]Pre-Processing
[li]Packet Sampling[/li]
[li]Filtering[/li][/list]
[/li]
[li]Features and Services
[li]IPv4[/li]
[li]Multicast[/li]
[li]MPLS[/li]
[li]IPv6[/li][/list]
[/li]
[li]Post-Processing
[li]Aggregation[/li]
[li]Non-key fields lookup[/li]
[li]Export[/li][/list]
[/li]
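The three sections above (what a traditional IP flow is, the four field types, and the processing order) describe one mechanism. The following Python class is an added example, not code from the slides or from any Cisco product: a toy flow cache that keys entries on the seven traditional key fields, accumulates value fields (counters and timestamps), records a non-key field (accumulated TCP flags) and a lookup field (next hop), applies 1-in-N packet sampling before cache lookup, and exports a record when the flow terminates (TCP FIN/RST) or when the ager finds it inactive for 15 seconds or active for 30 minutes, the timeouts shown in the `show ip cache flow` output above. The class and field names, the `route_lookup` callback and the traffic in `demo()` are all constructed for illustration.

```python
"""Toy NetFlow cache: 7-tuple key fields, value-field counters, non-key and
lookup fields, 1-in-N sampling, and export of terminated or aged-out flows."""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 30 * 60   # seconds; "Active flows timeout in 30 minutes"
INACTIVE_TIMEOUT = 15      # seconds; "Inactive flows timeout in 15 seconds"


@dataclass(frozen=True)
class FlowKey:
    """The seven traditional NetFlow key fields. Frozen, so it is hashable."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int
    tos: int
    in_if: str


@dataclass
class FlowRecord:
    key: FlowKey
    first: float               # value fields: start/stop timestamps ...
    last: float
    packets: int = 0           # ... and counters
    octets: int = 0
    tcp_flags: int = 0         # non-key field: accumulated, never part of the key
    next_hop: str = "0.0.0.0"  # lookup field: filled from the routing table once


class NetFlowCache:
    def __init__(self, sample_rate=1, route_lookup=lambda dst: "0.0.0.0"):
        self.cache = {}            # FlowKey -> FlowRecord
        self.exported = []         # records handed to the collector
        self.sample_rate = sample_rate
        self.route_lookup = route_lookup
        self._seen = 0

    def observe(self, pkt, now):
        """pkt: dict with the key fields plus 'length' and optional 'tcp_flags'/'tos'."""
        self._seen += 1
        # Pre-processing: deterministic 1-in-N packet sampling
        if (self._seen - 1) % self.sample_rate:
            return
        key = FlowKey(pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"],
                      pkt["protocol"], pkt.get("tos", 0), pkt["in_if"])
        rec = self.cache.get(key)
        if rec is None:
            # Unique set of key values: create the cache entry and do the lookup once
            rec = FlowRecord(key=key, first=now, last=now,
                             next_hop=self.route_lookup(key.dst_ip))
            self.cache[key] = rec
        rec.packets += 1
        rec.octets += pkt["length"]
        rec.tcp_flags |= pkt.get("tcp_flags", 0)
        rec.last = now
        # A TCP FIN (0x01) or RST (0x04) terminates the flow immediately
        if key.protocol == 6 and rec.tcp_flags & 0x05:
            self._export(key)

    def age(self, now):
        """The ager: expire flows idle too long or active longer than the maximum."""
        for key, rec in list(self.cache.items()):
            if now - rec.last >= INACTIVE_TIMEOUT or now - rec.first >= ACTIVE_TIMEOUT:
                self._export(key)
        return len(self.exported)

    def _export(self, key):
        # Post-processing: hand the finished record to the collector
        self.exported.append(self.cache.pop(key))


def demo():
    """Constructed traffic: a 20-packet SSH session and a 3-port SYN sweep."""
    cache = NetFlowCache(route_lookup=lambda dst: "172.28.101.1")
    ssh = dict(src_ip="10.22.1.133", dst_ip="172.28.101.46", src_port=0xE430,
               dst_port=22, protocol=6, in_if="Fa0/1", length=60)
    for t in range(0, 40, 2):                 # same key every time: one flow, 20 packets
        cache.observe(dict(ssh, tcp_flags=0x18), now=t)
    for i, port in enumerate((21, 80, 443)):  # each SYN has a new key: three flows
        cache.observe(dict(src_ip="10.22.1.77", dst_ip="172.28.101.46",
                           src_port=49152 + i, dst_port=port, protocol=6,
                           in_if="Fa0/1", length=44, tcp_flags=0x02), now=41)
    cache.age(now=60)                          # 19 s idle: all four flows are exported
    return cache


if __name__ == "__main__":
    for rec in demo().exported:
        print(rec.key.src_ip, rec.key.dst_port, rec.packets, rec.octets, rec.next_hop)
```

Two points the model makes visible: a port sweep produces one cache entry per destination port, which is why scan activity shows up as many short flows rather than one large one, and sampling only thins the packet and byte counters of a flow that is still created, so 1-in-N sampling trades counter accuracy for cache and export load without hiding which hosts talked to which.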