NetFlow and Packet Capture: Complementary Technologies for Network Analysis

This article explores the relationship between NetFlow and packet capture, comparing the data exported by NetFlow vs. packet analysis. It also discusses the future of NetFlow technology.

pdenney

Presentation Transcript


  1. Where NetFlow and Packet Capture Complement Each Other. June 17th, 2010. Michael Patterson, CEO | Plixer International, Inc. SHARKFEST '10, Stanford University, June 14-17, 2010

  2. Course Outline • What NetFlow is and how it works • Egress or Ingress • Comparison of the data exported by NetFlow vs. Packet Analysis • What’s next in NetFlow, where the technology is going • Summary

  3. What is NetFlow? How does it work?

  4. Voice Traffic Database Traffic Instant Messenger Web Browsing Private & Business Email Video Conferencing Music streaming

  5. A sending to B is one flow entry on every NetFlow-capable router / switch in the path; B acknowledging A is a 2nd flow. (Diagram: hosts A and B.)

  6. Scrutinizer Accepts • NetFlow all Versions • sFlow version 2,4 and 5 • IPFIX • NetStream

  7. 2 Flows per Connection (Diagram: A → B and B → A passing through a router, numbered flows 1-4.)

  8. Who Supports NetFlow? • MikroTik • nProbe • Riverbed • VMware • Vyatta • Others… • 3Com • Adtran • Cisco • Enterasys • Expand • Juniper

  9. Cisco • Enterasys • Foundry • Hewlett Packard • Nortel • nProbe, nBox • Many More

  10. MAC Addresses and VLAN IDs • MAC addresses via Cisco ‘Flexible’ NetFlow (aka NetFlow v9)

  11. NetFlow or sFlow • sFlow is an RFC, not a standard • Samples every Nth packet • Can’t be used for IP accounting like NetFlow • Maintained by InMon • Much less expensive for vendors to implement • Vendors: 3Com, AlaxalA, Alcatel-Lucent, Allied Telesis, Brocade, D-Link, Extreme Networks, Enterasys, Force10 Networks, H3C, Hewlett-Packard, Hitachi, Juniper Networks, NEC and many others

  12. NetFlow NBAR • NBAR stands for Network Based Application Recognition • How many of you care whether Skype or Pandora is on your network? Perhaps you don’t mind it but want to know how much there is. NBAR gives us deeper packet inspection that isn’t available with traditional NetFlow.

  13. Router CPU Impact • Typically, the impact on the router’s CPU is negligible. • However, NetFlow NBAR can clobber some routers.

  14. Egress or Ingress • Most of us are exporting NetFlow v5, which only supports ingress NetFlow. This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams. • Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as (and this is important) you enable NetFlow v5 on all interfaces of the switch or router.

  15. When to use Egress • In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it has been compressed. Using ingress flows overstates outbound utilization on the WAN interface; egress flows are calculated after compression. • In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know which interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface, and as a result multiple flows are exported if the flow is headed for multiple interfaces. • When exporting NetFlow on only one interface of the router or switch: enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

  16. Demonstration Scrutinizer NetFlow & sFlow Analyzer

  17. NetFlow and Packet Analysis?

  18. Example 1: FTP Comparison. Steps for the Lab: • I started Wireshark • I logged in and FTP’d a file • I logged out • I stopped Wireshark. 6 Ingress Flows represent 2221 packets; 6 Egress Flows represent 1123 packets.

  19. Ingress: Let’s count packets and compare with Wireshark

  20. Displaying Ingress Total = 2221 packets

  21. Displaying Ingress

  22. Egress: Let’s count packets and compare with Wireshark

  23. Displaying Ingress Total = 1123 packets

  24. Displaying Egress

  25. Capture Details: Let’s compare NetFlow details to packet details

  26. Packet Capture

  27. Flow Details

  28. What about Flags?

  29. Example 2: www.llbean.com. Steps for the Lab: • I started Wireshark • I surfed to www.llbean.com • I went to another web site • I stopped Wireshark. 2 Ingress Flows represent 11 packets going out from my PC; 1 Ingress Flow represents 13 packets coming back from llbean.com.

  30. Flow Details, Cisco Router: 11 packets from my PC (10.1.7.5), NAT’d by the firewall (66.186.184.62), 2 flows

  31. Flow Details, Enterasys Switch: 11 packets from my PC (10.1.7.5), seen on the Enterasys switch before the router.

  32. Flow Details: from www.llbean.com, 13 packets

  33. Packet Capture: from www.llbean.com, 13 packets

  34. Example 3: VoIP. Steps for the Lab: • I started Wireshark • I started iaxLite • I made a call • The other end picked up • I hung up • I closed iaxLite • I stopped Wireshark. 1 Ingress Flow represents 1364 UDP packets; 1 Egress Flow represents 1364 UDP packets.

  35. My Computer to the PBX 1364 packets

  36. My Computer to the PBX 1364 packets

  37. PBX to My Computer 1364 packets

  38. PBX to My Computer 1364 packets
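As an added example (not part of the deck and not Plixer's code), the Python below packs and parses a NetFlow v5 datagram, pairs the two unidirectional records of one connection (slides 5 and 7), derives outbound utilization per interface from ingress-only records via each record's output ifIndex (slide 14), and carries the cumulative tcp_flags byte (slide 28). The server addresses, interface indexes, ports and byte counts are constructed (192.0.2.0/24 is TEST-NET); the packet counts mirror the lab slides (11 out, 13 back, 1364 UDP).

```python
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record

# Constructed sample (not captured data): a PC's web request and the server's reply,
# seen as two ingress flows on different interfaces, plus a one-way UDP media stream.
# Fields: src, dst, input ifIndex, output ifIndex, packets, octets, sport, dport, proto
SAMPLE_RECORDS = [
    ("10.1.7.5", "192.0.2.80", 1, 2, 11, 1320, 51234, 80, 6),
    ("192.0.2.80", "10.1.7.5", 2, 1, 13, 9100, 80, 51234, 6),
    ("10.1.7.5", "192.0.2.10", 1, 2, 1364, 109120, 4569, 4569, 17),
]

def build_v5(records):
    """Pack a v5 datagram from SAMPLE_RECORDS-style tuples (stands in for the exporter)."""
    header = V5_HEADER.pack(5, len(records), 1000, 1276790400, 0, 1, 0, 0, 0)
    # tcp_flags is the OR of all flags seen in the flow; a complete TCP session shows
    # FIN|SYN|PSH|ACK (0x1B), UDP carries 0.
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), bytes(4), i, o,
                                   pk, oc, 0, 0, sp, dp, 0, (0x1B if pr == 6 else 0), pr,
                                   0, 0, 0, 24, 24, 0)
                    for s, d, i, o, pk, oc, sp, dp, pr in records)
    return header + body

def parse_v5(datagram):
    """Decode a v5 datagram into one dict per unidirectional flow record."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    recs = [V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size) for n in range(count)]
    return [{"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]), "in_if": r[3], "out_if": r[4],
             "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13]}
            for r in recs]

def pair_conversations(flows):
    """Merge the A->B and B->A records of one connection under a direction-independent key."""
    conv = defaultdict(lambda: {"pkts": 0, "octets": 0, "flows": 0})
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        key = (f["proto"],) + (a + b if a < b else b + a)   # same key for both directions
        conv[key]["pkts"] += f["pkts"]
        conv[key]["octets"] += f["octets"]
        conv[key]["flows"] += 1
    return dict(conv)

def outbound_octets_by_interface(flows):
    """Ingress-only export: attribute each flow's bytes to its output (destination) ifIndex."""
    out = defaultdict(int)
    for f in flows:
        out[f["out_if"]] += f["octets"]
    return dict(out)
```

Because the output ifIndex is only known for flows that were seen entering some interface, the per-interface totals are complete only when every interface of the device exports, which is the caveat slide 14 makes.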

  39. Distributed Collectors

  40. (Diagram: Server 1, Server 2, Server 3.)

  41. Detecting Malware

  42. Network Behavior Analysis • Constantly monitor NetFlow and sFlow from selected routers and switches • Look for traffic patterns defined in behavioral algorithms • Additional filters can be created to look for unique circumstances • Demonstration

  43. Future of NetFlow Current Innovations

  44. Latency via NetFlow

  45. RTT and Server Latency These fields got cut.

  46. URL Information
