NetFlow, Cisco and traffic monitoring. Time to figure it out
Good day to all! Understanding NetFlow, such a simple, convenient and frequently used protocol, I realized that it is not so simple, and there are enough pitfalls in its operation.
Under the cut, I collected everything I needed to know about NetFlow and its settings on Cisco, paid tribute to eucariot, writing excellent articles about networks, and ... Pictures, some funny pictures.
NetFlow is a proprietary open protocol developed by Cisco for monitoring network traffic. Netflow provides the ability to analyze network traffic at the session level, recording every TCP / IP transaction.
The system architecture is based on the sensor, collector and analyzer:
- The sensor collects statistics on the traffic passing through it. Sensors it makes sense to put in the "nodal points" of the network, for example, on the border routers of network segments.
- The collector collects information from the sensors. It dumps the received data to a file for further processing. Different collectors store data in different formats.
- The analyzer, or processing system, reads these files and generates reports in a form that is more convenient for the person. This system must be compatible with the data format provided by the collector [1] . In modern systems, the collector and analyzer are often combined into one system.
Typically, the collector and analyzer are parts of a single software package running on a server. Versions of the collector / analyzer software set, paid and free, under Windows and Unix-system.
In the article I will not touch on this area, I will consider only the principles of NetFlow and the configuration of the sensor on Cisco.
It is necessary to immediately understand - the collector and the analyzer behind it are “passive” elements of the system. The sensor sends traffic reports to the collector, receives the collector, the analyzer analyzes and fills its database on the server. In fact, with the server raised, we do not need to manually connect devices that are monitored on the server. While the sensor sends reports, the collector receives them, the analyzer registers. If the sensor is turned off, it "disappears" from the current "online" statistics.
')
NetFlow uses UDP or SCTP to transfer traffic data to a collector. Typically, the collector listens on port 2055, 9555, or 9995 (or the one you specify when you configure the collector and sensor).
The sensor extracts from the passing traffic flows characterized by the following parameters:
This is a very important point - when setting up the sensor, we decide for ourselves what parameters the information sent to the collector will be combined in the reports.
Let us analyze the sensor configuration when setting up on Cisco:
Finally it came to the interface:
Or
On the basic setup, all useful links for more complete enlightenment [4] , [5] and [6].
"Other" traffic. As you know, many common applications have their own ports, consider
Figure taken from [7] .
However, over time, the proportion of traffic falling into the “Other” section is growing, due to the growing number of applications using dynamic, randomly generated ports.
Document [8] , which reviews NetFlow, casually mentions the problem, well illustrated in the figure.
Of course, it would be desirable for a very different traffic to be clearly described in the reports, for example:
Link to it [10] .
Progress does not stand still, technologies go forward, and thechief will receive a full report on the problem of unrecognized traffic being solved in various interesting ways, for example, using NBAR technology.
During the search, a discussion [11] and an interesting presentation [12] were found . I will not go further into the jungle, for youn is hot and inexperienced.
Under the cut, I collected everything I needed to know about NetFlow and its settings on Cisco, paid tribute to eucariot, writing excellent articles about networks, and ... Pictures, some funny pictures.
We define the basic concepts
NetFlow is a proprietary open protocol developed by Cisco for monitoring network traffic. Netflow provides the ability to analyze network traffic at the session level, recording every TCP / IP transaction.
The system architecture is based on the sensor, collector and analyzer:
- The sensor collects statistics on the traffic passing through it. Sensors it makes sense to put in the "nodal points" of the network, for example, on the border routers of network segments.
- The collector collects information from the sensors. It dumps the received data to a file for further processing. Different collectors store data in different formats.
- The analyzer, or processing system, reads these files and generates reports in a form that is more convenient for the person. This system must be compatible with the data format provided by the collector [1] . In modern systems, the collector and analyzer are often combined into one system.
Typically, the collector and analyzer are parts of a single software package running on a server. Versions of the collector / analyzer software set, paid and free, under Windows and Unix-system.
In the article I will not touch on this area, I will consider only the principles of NetFlow and the configuration of the sensor on Cisco.
It is necessary to immediately understand - the collector and the analyzer behind it are “passive” elements of the system. The sensor sends traffic reports to the collector, receives the collector, the analyzer analyzes and fills its database on the server. In fact, with the server raised, we do not need to manually connect devices that are monitored on the server. While the sensor sends reports, the collector receives them, the analyzer registers. If the sensor is turned off, it "disappears" from the current "online" statistics.
')
Protocol Description
NetFlow uses UDP or SCTP to transfer traffic data to a collector. Typically, the collector listens on port 2055, 9555, or 9995 (or the one you specify when you configure the collector and sensor).
The sensor extracts from the passing traffic flows characterized by the following parameters:
- Source address;
- Destination address;
- Source port for UDP and TCP;
- Destination port for UDP and TCP;
- Message Type and Code for ICMP;
- IP number;
- Network interface (ifindex SNMP parameter);
- IP Type of Service.
This is a very important point - when setting up the sensor, we decide for ourselves what parameters the information sent to the collector will be combined in the reports.
Actually, setting
Let us analyze the sensor configuration when setting up on Cisco:
Router_NF # conf tIn the configuration mode, we specify the collector addresses and ports, where to send the statistics, we specify the version of the NetFlow protocol. In a complex network, you can have two collector interfaces if there are any routing restrictions between segments
Router_NF (config) # ip flow-export destination 192.168.0.1 9996
Router_NF (config) # ip flow-export destination 10.10.0.1 9996
Router_NF (config) # ip flow-export version 9
Router_NF (config) # ip flow-cache timeout active 1We specify how often to refresh the NetFlow cache with data about the traffic of the still active session.
Router_NF (config) # ip flow-cache timeout inactive 15We specify the time during which if no data is transmitted in the existing stream, it is closed, and information about it is recorded in the cache, and then transmitted to the collector
Router_NF (config) FastEthernet 0/0 ip flow-export sourceSources of traffic reports, statistics will be collected from them. On the analyzer side, there will be separate promonitory and interface, and VLAN, and Port-channel
Router_NF (config) # ip flow-export source vlan4
Router_NF (config) # ip flow-export source Port-channel1.2
!Add ACL for more harmonious feng shui
ip access-list standard iacl-snmp
remark ACL for SNMP access to device
permit 192.168.0.1
permit 10.10.0.1
deny any log
!
!Configuring snmp for proper recognition of interface names
snmp-server group snmp v1 access iacl-snmp
snmp-server group snmp v2c access iacl-snmp
snmp-server community ******** **** iacl-snmp
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server enable traps tty
!
Finally it came to the interface:
Router_NF (config) # interface FastEthernet 0/0Specify what traffic will be taken into account, entering into the interface or outgoing from it? If outgoing, then ip flow egress, if incoming, then ip flow ingress
Router_NF (config-if) # ip flow egress
Router_NF (config-if) # ip flow ingress
Or
Router_NF (config-if) # ip route-cache flow“Ip route-cache flow” can be used only for the main interface, and “ip flow ingress” is an extension for use for subinterfaces. NetFlow functionality Subinterface Support allows you to enable NetFlow for each subinterface. In a scenario where your network contains many subinterfaces, and you only need to collect records from some, you can fine-tune the collection of information from certain subinterfaces [3]
What you can see on the sensor:
Router_NF # show ip cache flowTraffic information waiting to be sent to the collector
Router_NF # show ip cache verbose flowDetailed traffic information waiting to be sent to the collector
Router_NF # show ip flow interfaceInterfaces that are NetFlow sensors
Router_NF # show ip flow exportNetFlow source and destination reports, how many datagrams are sent, how many errors
Router_NF # show ip flow top-talkersInformation about the champions, presented categorically, up to the most visited Internet resources
On the basic setup, all useful links for more complete enlightenment [4] , [5] and [6].
A spoon of tar
"Other" traffic. As you know, many common applications have their own ports, consider
show ip cache flow output part
Figure taken from [7] .
However, over time, the proportion of traffic falling into the “Other” section is growing, due to the growing number of applications using dynamic, randomly generated ports.
Document [8] , which reviews NetFlow, casually mentions the problem, well illustrated in the figure.
Of course, it would be desirable for a very different traffic to be clearly described in the reports, for example:
Excellent table, taken from the article, could not pass by
| Traffic category | Ports | Application Protocol |
| 25, 109, 110, 113, 143 | smtp, pop2, pop3, ident, imap | |
| Web | 80, 8080, 443 | http, https |
| data | 20, 21, 3306, 66, 1521, 1526, 1524 | ftp, mysql, sqlnet, oracle, ingres |
| Network management | 53, 137, 138, 139, 445, 161, 123, 783, 8200 | domain, netbios, snmp, ntp, spamassassin, GoToMyPC |
| Interactive | 22, 23, 513, 543 | ssh, telnet, rlogin, klogin |
| nntp | 119 | nntp |
| Chat | 194, 6891–6901, 1863, 5050, 5190 | irc, msn messenger, yahoo messenger, ICQ |
| streaming | 554, 1755, 1220, 8000–8005, 7070, 7071, 6970 | rtsp, ms-streaming, Apple quicktime, internet radio (shoutcast), Real Audio & Video |
| Malware & games | 1433, 1434, 666, 1999, 31337, 12345, 12346, 20034, 1024, 1025, 31338, 31339, 3127, 27015, 27016, 26000, 27001, 27960, 3724 | Ms-sql-s, ms-sql-m, backdoor, Back Orifi, NetBus, netspy, myDoom, HalfLife, Quake, QuakeWorld, QuakeIII, WarCraft |
| p2p | 411, 412, 1214, 3531, 4111, 4661–4665, 4672, 6346, 6347, 6669.6881–6889, 23302, 32285, 59049, 41170, 57990 | Direct Connect, Fasttrack, Kazaa, eDonkey, Gnutella, Napster, BitTorrent, Ares, Mp2p, Azureus |
| Others | - | - |
Link to it [10] .
Progress does not stand still, technologies go forward, and the
During the search, a discussion [11] and an interesting presentation [12] were found . I will not go further into the jungle, for youn is hot and inexperienced.
It is believed that the author of the post has a mess in his head, and he is missing something!
PS
In the process of writing the article, I, as I could, answered my questions, and I hope I did not put new ones anywhere I was wrong.
Thanks for attention!
Thanks for attention!
Source: https://habr.com/ru/post/175359/
All Articles