sharkfest 10 | stanford university | june 14–17, 2010 where netflow and packet capture complement...

SHARKFEST ‘10 | Stanford University | June 14–17, 2010

Where NetFlow and Packet Capture Complement Each Other

June 17th, 2010

Michael PattersonCEO | Plixer International, Inc.

SHARKFEST ‘10Stanford UniversityJune 14-17, 2010


Course Outline

• What NetFlow is and how it works • Egress or Ingress• Comparison of the data exported by NetFlow vs.

Packet Analysis• What’s next in NetFlow, where the technology is going• Summary


What is NetFlow?

How does it work?


Voice Traffic

Database Traffic

Instant Messenger

Web Browsing

Private & Business Email

Video Conferencing

Music streaming


A

B

A - sending to B is one flow entry on every NetFlow capable router / switch in the path

B - acknowledging A is a 2nd flow


Scrutinizer Accepts• NetFlow all Versions

• sFlow version 2,4 and 5

• IPFIX

• NetStream


2 Flows per Connection2 Flows per Connection

A B AB

Router1

2

4

A B3


Who Supports NetFlow?

• 3Com• Adtran• Cisco• Enterasys• Expand• Juniper

• Mikrotik

• nProbe• Riverbed• VMWare• Vyatta• Others…


• Cisco

• Enterasys

• Foundry

• Hewlett Packard

• Nortel

• nProbe, nBox

• Many More


MAC Addresses and VLAN IDs

• MAC addresses via Cisco ‘Flexible’ NetFlow (aka NetFlow v9)


NetFlow or sFlow

• sFlow is an RFC not a standard• Sampling of every N packets technology

– Can’t be used for IP accounting like NetFlow

• Maintained by Inmon• Much less expensive for vendors to implement• Vendors: 3Com, AlaxalA, Alcatel-Lucent, Allied Telesis, Brocade, D-Link,

Extreme Networks, Enterasys, Force10 Networks, H3C, Hewlett-Packard, Hitachi, Juniper Networks, NEC and many others


NetFlow NBAR

• NBAR stands for Network Based Application Recognition

• How many of you care if skype or pandora is on your network? Perhaps you don’t mind it but, want to know how much there is. Well, NBAR helps us with deeper packet inspection that isn’t available with traditional NetFlow.


Router CPU Impact

• Typically, the impact on the router’s CPU is negligible.

• However, NetFlow NBAR can clobber some routers.


Egress or Ingress

• Most of us are exporting NetFlow v5 which only supports ingress NetFlow. This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams.

• Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as AND THIS IS IMPORTANT, you enable NetFlow v5 on all interfaces of the switch or router.


When to use Egress• In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see

traffic after it was compressed. Using Ingress flows causes an over stated outbound utilization on the WAN interface. Egress flows are calculated after compression.

• In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesn’t know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces.

• When exporting NetFlow on only one interface of the router or switch. Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.


Demonstration

Scrutinizer NetFlow & sFlow Analyzer


NetFlow and Packet Analysis?


Example 1: FTP Comparison

Steps for the Lab• I started WireShark• I logged in and FTP’d a file• I logged out• I stopped WireShark• 6 Ingress Flows represent

2221 packets• 6 Egress Flows represent

1123 packets


IngressLets count packets and compare with

Wireshark


Displaying Ingress

Total = 2221 packets


Displaying Ingress


EgressLets count packets and compare with

Wireshark


Displaying Ingress

Total = 1123 packets


Displaying Egress


Capture DetailsLets compare NetFlow details to

Packet details


What about Flags?


Example 2: www.llbean.com

Steps for the Lab• I started WireShark• I surfed to www.llbean.com• I went to another web site• I stopped WireShark• 2 Ingress Flows represents 11

packets going out from my PC• 1 Ingress Flow represents 13

packets coming back from llbean.com


11 packets

From my PC (10.1.7.5) NAT’d by the firewall (66.186.184.62)

2 flows

Cisco Router


11 packets

Enterasys Switch

From my PC (10.1.7.5)On the Enterasys switch before the router.


13 packets

From www.llbean.com


Example 3: VoIPSteps for the Lab• I started WireShark• I started iaxLite• I made a call• The other end picked up• I hung up• I closed iaxLite• I stopped WireShark• 1 Ingress Flow represents 1364 UDP

packets• 1 Egress Flow represents 1364 UDP

packets


1364 packets

My Computer to the PBX


1364 packets

PBX to My Computer


Distributed Collectors


Detecting Malware


Network Behavior Analysis• Network Behavior Analysis

– Constantly monitor NetFlow and sFlow from selected routers and switches

– Looks for traffic patterns defined in behavioral algorithms

– Additional filters can be created to look for unique circumstances

• Demonstration


Future of NetFlow

Current Innovations


Latency via NetFlow


RTT and Server Latency

These fields got cut.


URL Information


WAN Optimization Sizing


Procflow from Gerald Combs


What is next from NetFlow?

• Packet captures• Sampling Flows • IPv6 is here and we are reporting on it.• Syslogs: Cisco ASA. We already provide

reports on this.


Summary

• Ingress Vs. Egress NetFlow• Advanced Filtering to narrow in on problems• How and When to leverage reports• The differences between NetFlow and Packet

Capture• Where the technology is going

sharkfest 10 | stanford university | june 14–17, 2010 where netflow and packet capture complement...

Documents

stanford university

ingress slide

egress slide

ingress netflow

wireshark slide

summary slide

netflow vendors

traditional netflow