Where NetFlow and Packet Capture Complement Each Other, June 17th, 2010, Michael Patterson, CEO | Plixer International, Inc. (PowerPoint presentation)
Presentation Transcript
Where NetFlow and Packet Capture Complement Each Other

June 17th, 2010

Michael Patterson

CEO | Plixer International, Inc.

SHARKFEST‘10

Stanford University

June 14-17, 2010

Course Outline
  • What NetFlow is and how it works
  • Egress or Ingress
  • Comparison of the data exported by NetFlow vs. Packet Analysis
  • What’s next in NetFlow, where the technology is going
  • Summary
What is NetFlow?

How does it work?

Examples of the traffic that NetFlow accounts for:
  • Voice Traffic
  • Database Traffic
  • Instant Messenger
  • Web Browsing
  • Private & Business Email
  • Video Conferencing
  • Music streaming

  • A sending to B is one flow entry on every NetFlow-capable router / switch in the path
  • B acknowledging A is a 2nd flow

Scrutinizer Accepts

  • NetFlow all Versions
  • sFlow versions 2, 4 and 5
  • IPFIX
  • NetStream
2 Flows per Connection

(diagram: A and B on either side of a router; the A->B and B->A directions are numbered as separate flows)
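To make the "2 flows per connection" point concrete, here is a small NetFlow v5 parser, added as an example for this deck (it is not Plixer or Scrutinizer code). The datagram it decodes is constructed inline with a header and two 48-byte records; the addresses, interface indexes, packet counts and TCP flags are assumptions chosen to mirror the A/B diagram. One HTTP connection between A (10.1.7.5) and B (192.0.2.10) arrives at the collector as two unidirectional records, one per direction, and the analyzer has to pair them itself.

```python
"""NetFlow v5 datagram parser, added as an example for this deck (not Plixer /
Scrutinizer code).  The datagram is constructed inline; the addresses,
interface indexes and counts are assumptions chosen to mirror the A<->B
diagram: one TCP connection appears as two unidirectional flow records."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass

# Fixed-layout NetFlow v5 export: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    input_if: int   # SNMP ifIndex the flow arrived on (ingress metering)
    output_if: int  # ifIndex the router forwarded it to (0 = unknown/multicast)
    tcp_flags: int


def parse_v5(datagram: bytes) -> list[FlowRecord]:
    """Decode every record in one v5 datagram; refuse malformed input instead of
    trusting the header's record count (an exporter is just a UDP peer)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets, in_if, out_if, flags))
    return records


def group_connections(records: list[FlowRecord]) -> dict[tuple, list[FlowRecord]]:
    """Pair the A->B and B->A records of one connection under a direction-free key."""
    conns: dict[tuple, list[FlowRecord]] = {}
    for r in records:
        key = (r.proto,) + tuple(sorted([(r.src, r.sport), (r.dst, r.dport)]))
        conns.setdefault(key, []).append(r)
    return conns


def _pack_record(src, dst, sport, dport, proto, pkts, octets, in_if, out_if, flags) -> bytes:
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                          in_if, out_if, pkts, octets, 1000, 2000, sport, dport,
                          0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed export: host A (10.1.7.5) talks HTTP to B (192.0.2.10) through a
    router whose LAN side is ifIndex 2 and WAN side is ifIndex 1 (assumed)."""
    header = V5_HEADER.pack(5, 2, 123456, 1276790400, 0, 1, 0, 0, 0)
    a_to_b = _pack_record("10.1.7.5", "192.0.2.10", 49152, 80, 6, 11, 1200, 2, 1, 0x1B)
    b_to_a = _pack_record("192.0.2.10", "10.1.7.5", 80, 49152, 6, 13, 9000, 1, 2, 0x1B)
    return header + a_to_b + b_to_a


if __name__ == "__main__":
    recs = parse_v5(build_sample_datagram())
    for r in recs:
        print(f"{r.src}:{r.sport} -> {r.dst}:{r.dport} proto={r.proto} "
              f"pkts={r.packets} octets={r.octets} in={r.input_if} out={r.output_if}")
    for key, pair in group_connections(recs).items():
        print(f"connection {key}: {len(pair)} flow records, {sum(r.packets for r in pair)} packets")
```

The length check before unpacking matters in practice: a collector listens on UDP and anything can send it a datagram whose count field promises more records than the packet holds.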

Who Supports NetFlow?
  • 3Com
  • Adtran
  • Cisco
  • Enterasys
  • Expand
  • Juniper
  • Mikrotik
  • nProbe
  • Riverbed
  • VMware
  • Vyatta
  • Others…
  • Cisco
  • Enterasys
  • Foundry
  • Hewlett Packard
  • Nortel
  • nProbe, nBox
  • Many More
MAC Addresses and VLAN IDs
  • MAC addresses and VLAN IDs are not part of the fixed NetFlow v5 record. They are available through Cisco Flexible NetFlow, which exports template-based NetFlow v9 records that can carry those fields.
NetFlow or sFlow
  • sFlow is described in an informational RFC (RFC 3176), not a standards-track protocol; sFlow v5 is specified by sflow.org
  • Packet-sampling technology: exports 1 in N packets rather than a record for every flow
    • Sampled counts are statistical estimates, so it cannot do exact per-IP accounting the way NetFlow can
  • Maintained by InMon
  • Much less expensive for vendors to implement
  • Vendors: 3Com, AlaxalA, Alcatel-Lucent, Allied Telesis, Brocade, D-Link, Extreme Networks, Enterasys, Force10 Networks, H3C, Hewlett-Packard, Hitachi, Juniper Networks, NEC and many others
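The accounting caveat above is easy to see numerically. The following is an added example for this deck, not sFlow or InMon code: it builds a constructed stream of 806 packets on one link (a bulk transfer, a 5-packet flow at fixed positions, and a single lone packet), meters it exactly as a flow exporter would, then meters it with 1-in-8 sampling and scales each sample back up by 8. Real sFlow samples at random with a mean of 1-in-N; the deterministic every-Nth sampler here is a simplification that shows the same effect. The aggregate link volume comes out within one percent, while the small flows are either wildly over-counted or missing entirely.

```python
"""1-in-N packet sampling vs. per-flow accounting, added as an example for this
deck (not sFlow or InMon code).  The packet stream is constructed: positions of
the small flows are fixed so the estimation error is reproducible.  Real sFlow
samples at random with mean 1-in-N; the deterministic every-Nth sampler here
is a simplification that shows the same effect."""

SAMPLE_RATE = 8  # assumed: export one packet in eight


def build_stream():
    """806 packets on one link: 800 from a bulk transfer, 5 from a small flow
    (1-based positions 8, 16, 21, 30, 40) and 1 lone packet at position 100."""
    small_positions = {8, 16, 21, 30, 40}
    stream = []
    for pos in range(1, 807):
        if pos in small_positions:
            stream.append("small")
        elif pos == 100:
            stream.append("tiny")
        else:
            stream.append("bulk")
    return stream


def true_counts(stream):
    """What a flow exporter sees: every packet is attributed to its flow."""
    counts = {}
    for flow in stream:
        counts[flow] = counts.get(flow, 0) + 1
    return counts


def sampled_estimate(stream, rate):
    """What a sampling exporter reports: each sampled packet stands for `rate` packets."""
    estimate = {}
    for position, flow in enumerate(stream, start=1):
        if position % rate == 0:
            estimate[flow] = estimate.get(flow, 0) + rate
    return estimate


def relative_error(truth, estimate):
    """Per-flow error of the estimate; -1.0 means the flow was never sampled at all."""
    return {flow: (estimate.get(flow, 0) - n) / n for flow, n in truth.items()}


if __name__ == "__main__":
    stream = build_stream()
    truth, est = true_counts(stream), sampled_estimate(stream, SAMPLE_RATE)
    print("exact  :", truth, "total", sum(truth.values()))
    print("sampled:", est, "total", sum(est.values()))
    for flow, err in relative_error(truth, est).items():
        print(f"{flow:6s} error {err:+.0%}")
```

This is the whole trade-off in one run: sampling is fine for "how busy is this link" and "who are the top talkers", and wrong for "how many bytes did this one host send", which is exactly the question billing, quota enforcement and incident scoping ask.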
NetFlow NBAR
  • NBAR stands for Network Based Application Recognition
  • How many of you care whether Skype or Pandora is on your network? Perhaps you don't mind it, but you want to know how much of it there is. NBAR classifies applications by inspecting packet contents, a deeper inspection than traditional port-based NetFlow can offer.
Router CPU Impact
  • Typically, the impact of NetFlow on the router's CPU is negligible.
  • However, NBAR classification can overload the CPU on some routers.
Egress or Ingress
  • Most of us are exporting NetFlow v5, which supports ingress only: traffic arriving on an interface is metered and exported in NetFlow datagrams; traffic leaving that interface is not metered there.
  • Most NetFlow vendors infer where an ingress flow is headed from the record's destination (output) interface. From that you can derive outbound utilization on any interface, but ONLY IF, and this is important, NetFlow v5 is enabled on every interface of the switch or router. Traffic entering an interface without NetFlow never produces a record, so it is missing from the outbound total of the interface it exits.
When to use Egress
  • In WAN optimization/compression environments (e.g. Cisco WAAS, Riverbed), you need to see traffic after it was compressed. Ingress flows are metered before compression, so they overstate outbound utilization on the WAN interface; egress flows are metered after compression.
  • In multicast environments, ingress multicast flows carry a destination interface of 0, because the router does not know which interface(s) a datagram will exit until it has processed it. Exporting egress flows supplies the real output interface; a flow replicated to several interfaces is then exported once per interface.
  • When you can export NetFlow on only one interface of the router or switch: enabling both ingress and egress on that single interface means all traffic in and out of it is exported.
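The three cases above, and the "enable it on every interface" rule, can be simulated with a few lines. This is an added example for this deck, not vendor code: a router with assumed ifIndexes 1 (WAN), 2 (LAN) and 3 (DMZ) forwards a constructed traffic mix that includes one multicast stream replicated to two interfaces. `ingress_records` behaves like a v5 exporter (a record on the arriving interface, output interface 0 for multicast), `egress_records` like an egress exporter (a record per output interface, metered after an assumed WAN compression ratio), and `outbound_per_interface` is what an analyzer would chart.

```python
"""Ingress vs. egress metering on a router, added as an example for this deck
(not vendor code).  The interfaces, traffic mix, compression ratio and the
multicast stream are constructed assumptions; the point is how outbound
utilization per interface comes out under each export mode."""
from collections import defaultdict

WAN, LAN, DMZ = 1, 2, 3   # assumed SNMP ifIndex values

# Constructed traffic seen by the router: (input ifIndex, list of output ifIndexes, octets).
# A multicast stream lists every interface it is replicated to.
TRAFFIC = [
    (LAN, [WAN], 5000),       # LAN host uploading to the Internet
    (WAN, [LAN], 20000),      # download into the LAN
    (DMZ, [WAN], 3000),
    (WAN, [DMZ], 1500),
    (LAN, [DMZ], 800),
    (LAN, [DMZ, WAN], 4000),  # multicast replicated to DMZ and WAN
]


def ingress_records(traffic, enabled):
    """NetFlow v5 style: a record is produced on the interface a flow ARRIVES on,
    and only if NetFlow is enabled there.  Multicast is exported with output
    interface 0 because the output set is not known when the packet is metered."""
    recs = []
    for in_if, out_ifs, octets in traffic:
        if in_if not in enabled:
            continue
        out_if = out_ifs[0] if len(out_ifs) == 1 else 0
        recs.append((in_if, out_if, octets))
    return recs


def egress_records(traffic, enabled, wan_compression=1.0):
    """Egress style: one record per output interface the flow LEAVES on, metered
    after forwarding, so after a WAN optimizer has compressed it (assumed ratio)."""
    recs = []
    for in_if, out_ifs, octets in traffic:
        for out_if in out_ifs:
            if out_if not in enabled:
                continue
            on_wire = int(octets * wan_compression) if out_if == WAN else octets
            recs.append((in_if, out_if, on_wire))
    return recs


def outbound_per_interface(records):
    """What an analyzer reports as outbound bytes, keyed by the record's output interface."""
    totals = defaultdict(int)
    for _in_if, out_if, octets in records:
        totals[out_if] += octets
    return dict(totals)


if __name__ == "__main__":
    everything = {WAN, LAN, DMZ}
    print("ingress, all interfaces:", outbound_per_interface(ingress_records(TRAFFIC, everything)))
    print("egress,  all interfaces:", outbound_per_interface(egress_records(TRAFFIC, everything)))
    print("ingress, WAN only      :", outbound_per_interface(ingress_records(TRAFFIC, {WAN})))
    print("egress,  WAN only      :", outbound_per_interface(egress_records(TRAFFIC, {WAN})))
    print("egress,  WAN 2:1 compr :", outbound_per_interface(egress_records(TRAFFIC, {WAN}, 0.5)))
```

Read the output side by side: with ingress on every interface the WAN shows 8000 outbound bytes plus 4000 parked under interface 0 (the multicast), where egress correctly shows 12000 on the WAN; with ingress enabled on the WAN only, outbound WAN utilization is reported as zero because every byte leaving the WAN arrived on an unmetered interface; and with 2:1 compression the egress figure drops to what is actually on the wire while the ingress figure would not.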
Demonstration

Scrutinizer NetFlow & sFlow Analyzer

Example 1: FTP Comparison

Steps for the Lab

I started Wireshark

I logged in and FTP’d a file

I logged out

I stopped Wireshark

6 Ingress Flows represent 2221 packets

6 Egress Flows represent 1123 packets

Ingress

Let's count packets and compare with Wireshark

Displaying Ingress

Total = 2221 packets

Egress

Let's count packets and compare with Wireshark

Displaying Egress

Total = 1123 packets

Capture Details

Let's compare NetFlow details to packet details
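The reconciliation the lab does by eye, counting packets in Wireshark and checking that the flow records add up to the same number, is worth automating, and it also makes the complement obvious: a flow record keeps the 5-tuple, packet and byte counts, but never the payload. The following is an added example for this deck, not Plixer or Wireshark code. The capture is constructed to resemble the FTP lab (a control connection on port 21 plus a passive-mode data connection), with the router's LAN interface as the assumed metering point, so ingress means packets from the inside host and egress means packets toward it. Addresses, ports and counts are assumptions, not the lab's numbers.

```python
"""Packets vs. flows for the FTP lab, added as an example for this deck (not
Plixer or Wireshark code).  The capture is constructed: a control connection on
port 21 and a passive-mode data connection, with the router's LAN interface as
the metering point (ingress = packets from the inside host, egress = packets
toward it).  Addresses, ports and counts are assumptions, not the lab's numbers."""
from collections import defaultdict

CLIENT, SERVER = "10.1.7.5", "192.0.2.21"   # assumed inside host and FTP server
INSIDE_PREFIX = "10.1.7."                    # assumed LAN range behind the router


def build_capture():
    """Packets as Wireshark would list them: (src, dst, proto, sport, dport, length, payload)."""
    pkts = [(CLIENT, SERVER, 6, 50000, 21, 60, b"USER alice\r\n"),
            (SERVER, CLIENT, 6, 21, 50000, 80, b"331 Password required\r\n"),
            (CLIENT, SERVER, 6, 50000, 21, 60, b"PASS s3cret\r\n"),
            (SERVER, CLIENT, 6, 21, 50000, 80, b"230 Login ok\r\n")]
    for _ in range(8):                      # remaining control chatter, payload not of interest
        pkts.append((CLIENT, SERVER, 6, 50000, 21, 60, b""))
        pkts.append((SERVER, CLIENT, 6, 21, 50000, 80, b""))
    for i in range(100):                    # upload on the PASV data connection
        pkts.append((CLIENT, SERVER, 6, 50001, 30000, 1500, b"\x00" * 1446))
        if i % 2 == 0:                      # one ACK back for every two data segments
            pkts.append((SERVER, CLIENT, 6, 30000, 50001, 54, b""))
    return pkts


def aggregate_flows(packets):
    """What the router exports: one unidirectional record per 5-tuple with packet
    and byte counts.  Payload never makes it into a flow record."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, sport, dport, length, _payload in packets:
        rec = flows[(src, dst, proto, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += length
    return dict(flows)


def split_lan_interface(flows):
    """Ingress records (source inside) and egress records (destination inside)
    as metered on the router's LAN-facing interface."""
    ingress = {k: v for k, v in flows.items() if k[0].startswith(INSIDE_PREFIX)}
    egress = {k: v for k, v in flows.items() if k[1].startswith(INSIDE_PREFIX)}
    return ingress, egress


def reconcile(packets, flows):
    """The check from the lab: flow packet counts must sum to the capture's packet count."""
    return sum(rec["packets"] for rec in flows.values()) == len(packets)


def ftp_logins(packets):
    """Only the packet capture can show this: FTP sends the username in clear text."""
    return [p[6][5:].strip().decode() for p in packets
            if p[4] == 21 and p[6].startswith(b"USER ")]


if __name__ == "__main__":
    pkts = build_capture()
    flows = aggregate_flows(pkts)
    ingress, egress = split_lan_interface(flows)
    print(f"{len(pkts)} packets -> {len(flows)} flows, reconciled={reconcile(pkts, flows)}")
    print(f"{len(ingress)} ingress flows represent {sum(r['packets'] for r in ingress.values())} packets")
    print(f"{len(egress)} egress flows represent {sum(r['packets'] for r in egress.values())} packets")
    print("cleartext logins visible only in the capture:", ftp_logins(pkts))
```

The flow view tells you that 10.1.7.5 opened two connections to the server and moved about 150 KB on the second one; the capture is what tells you which account logged in and that the credentials went over the wire in the clear. That is the division of labour the deck's title is about.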

Example 2: www.llbean.com

Steps for the Lab

I started Wireshark

I surfed to www.llbean.com

I went to another web site

I stopped Wireshark

2 Ingress Flows represent 11 packets going out from my PC

1 Ingress Flow represents 13 packets coming back from llbean.com

Flow Details

Cisco Router

11 packets

From my PC (10.1.7.5) NAT’d by the firewall (66.186.184.62)

2 flows

Flow Details

Enterasys Switch

11 packets

From my PC (10.1.7.5)

On the Enterasys switch before the router.

Flow Details

From www.llbean.com

13 packets

From www.llbean.com

Packet Capture

13 packets

Example 3: VoIP

Steps for the Lab

I started Wireshark

I started iaxLite

I made a call

The other end picked up

I hung up

I closed iaxLite

I stopped Wireshark

1 Ingress Flow represents 1364 UDP packets

1 Egress Flow represents 1364 UDP packets

(diagram: Server 1, Server 2, Server 3)

Network Behavior Analysis
  • Constantly monitor NetFlow and sFlow from selected routers and switches
  • Look for traffic patterns defined in behavioral algorithms
  • Additional filters can be created to look for unique circumstances
  • Demonstration
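What a "behavioral algorithm" over flow records looks like in practice, as an added example for this deck (these are not Scrutinizer's algorithms). The flow records are constructed: normal web browsing from one host, a second host probing 40 ports on a neighbour and then sweeping port 445 across 30 hosts, and an authorized scanner (assumed address 10.1.7.250) performing the same sweep. The rule flags a source that touches many distinct ports on one host, or one port on many hosts, with only a handful of packets per flow; the exclusion list and the packet-count ceiling stand in for the deck's "additional filters".

```python
"""Flow-based behavior detection, added as an example for this deck (not
Scrutinizer's algorithms).  The flow records are constructed: normal web traffic,
one host scanning 40 ports on a neighbour, the same host sweeping port 445 across
30 hosts, and an authorized scanner (10.1.7.250) doing the same sweep.  The
thresholds and the exclusion list stand in for the deck's "additional filters"."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def build_flows():
    flows = [
        Flow("10.1.7.5", "192.0.2.10", 6, 49152, 80, 11, 1200),   # web browsing
        Flow("192.0.2.10", "10.1.7.5", 6, 80, 49152, 13, 9000),
        Flow("10.1.7.5", "192.0.2.11", 6, 49153, 443, 30, 4000),
    ]
    for port in range(1, 41):                 # vertical scan: 40 ports, 1 packet each
        flows.append(Flow("10.1.7.99", "10.1.7.20", 6, 40000 + port, port, 1, 60))
    for host in range(30, 60):                # horizontal sweep: port 445 on 30 hosts
        flows.append(Flow("10.1.7.99", f"10.1.7.{host}", 6, 41000 + host, 445, 2, 120))
        flows.append(Flow("10.1.7.250", f"10.1.7.{host}", 6, 42000 + host, 445, 2, 120))
    return flows


def detect_scans(flows, port_threshold=20, host_threshold=20, max_packets=3, exclude=frozenset()):
    """Behavioral rule: many distinct ports (or hosts) touched by one source with
    only a handful of packets per flow.  Flows from excluded sources are filtered
    first, and chatty flows are ignored so a busy server is not flagged."""
    ports_per_pair = defaultdict(set)      # (src, dst)   -> destination ports seen
    hosts_per_service = defaultdict(set)   # (src, dport) -> destinations seen
    for f in flows:
        if f.src in exclude or f.packets > max_packets:
            continue
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_service[(f.src, f.dport)].add(f.dst)
    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, dport), dsts in hosts_per_service.items():
        if len(dsts) >= host_threshold:
            alerts.append(("host_sweep", src, dport, len(dsts)))
    return sorted(alerts)


if __name__ == "__main__":
    flows = build_flows()
    print("no filter       :", detect_scans(flows))
    print("scanner excluded:", detect_scans(flows, exclude=frozenset({"10.1.7.250"})))
```

Without the filter the authorized scanner fires the same sweep alert as the suspicious host, which is how these systems drown analysts; with the exclusion the two real findings remain. The packet-count ceiling is the other knob worth tuning: lower it toward 1 to catch only SYN-style probes, raise it to catch slower, connection-completing reconnaissance.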
Future of NetFlow

Current Innovations

RTT and Server Latency

These fields got cut.

What is next from NetFlow?
  • Packet captures
  • Sampling Flows
  • IPv6 is here and we are reporting on it.
  • Syslogs: Cisco ASA. We already provide reports on this.
Summary
  • Ingress Vs. Egress NetFlow
  • Advanced Filtering to narrow in on problems
  • How and When to leverage reports
  • The differences between NetFlow and Packet Capture
  • Where the technology is going