book

Network Flow Analysis

by Michael W. Lucas

June 2010

Intermediate to advanced

224 pages

5h 18m

English

No Starch Press

Read now

Unlock full access

Network Administration and Network Management
MRTG, Cricket, and CactiRTGNagios and Big BrotherCiscoWorks, OpenView, and More
What Is a Flow?

NetFlow VersionsNetFlow Version 1NetFlow Version 5NetFlow Version 7NetFlow Version 8NetFlow Version 9NetFlow CompetitionThe Latest Standards
ICMP FlowsUDP FlowsTCP FlowsOther Protocols
Collector ConsiderationsOperating SystemSystem Resources
LocationInternet BorderEthernet CoreFrom Remote FacilitiesFrom Private Network Segments/DMZs
Installing from PackagesInstalling from Source
Starting flow-capture at Boot
Cisco RoutersCisco SwitchesJuniper Routers
Setting Up Sensor Server HardwareNetwork SetupSensor Server SetupRunning the Sensor on the Collector
Running softflowdWatching softflowdViewing Tracked FlowsViewing Flow Statistics
Using flow-printPrinting Protocol and Port NamesCommon Protocol and Port Number AssignmentsViewing Flow Record Header Information with -pPrinting to a Wide Terminal
Showing Interfaces and Ports in Hex with Format -f 0Two Lines with Times, Flags, and Hex Ports Using -f 1Printing BGP InformationWide-Screen DisplayIP Accounting Format
Types and Codes in ICMPFlows and ICMP Details
Filter FundamentalsCommon PrimitivesCreating a Simple Filter with Conditions and PrimitivesUsing Your Filter
Protocol, Port, and Control Bit PrimitivesIP Protocol PrimitivesPort Number PrimitivesTCP Control Bit PrimitivesICMP Type and Code PrimitivesIP Address and Subnet PrimitivesIP AddressesSubnet PrimitivesTime, Counter, and Double PrimitivesComparison Operators in PrimitivesTime PrimitivesCounter PrimitivesDouble PrimitivesInterface and BGP PrimitivesIdentifying Interface Numbers Using SNMPInterface Number PrimitiveAutonomous System Primitives
Protocols, Ports, and Control BitsNetwork Protocol FiltersSource or Destination Port FiltersTCP Control Bit FiltersICMP Type and Code FiltersAddresses and SubnetsFiltering by Sensor or ExporterTime FiltersClipping LevelsOctets, Packets, and Duration FiltersPackets or Bits per Second FiltersBGP and Routing FiltersAutonomous System Number FiltersNext-Hop Address FiltersInterface Filters
Logical "or"Filter Inversion
Using Variable-Driven FiltersDefining Your Own Variable-Driven FiltersCreating Your Own Variables
Default ReportTiming and TotalsPacket Size DistributionPackets per FlowOctets in Each FlowFlow Time Distribution
Using Variables: Report TypeUsing Variables: SORT
Choosing FieldsDisplaying Headers, Hostnames, and PercentagesPresenting Reports in HTML
IP Address ReportsHighest Data Exchange: ip-addressFlows by Recipient: ip-destination-addressMost Connected Source: ip-source-address-destination-countMost Connected Destination: ip-destination-address-source-countNetwork Protocol and Port ReportsPorts Used: ip-portFlow Origination: ip-source-portFlow Termination: ip-destination-portIndividual Connections: ip-source/destination-portNetwork Protocols: ip-protocolTraffic Size ReportsPacket Size: packet-sizeBytes per Flow: octetsPackets per Flow: packetsTraffic Speed ReportsCounting Packets: ppsTraffic at a Given Time: linear-interpolated-flows-octets-packetsRouting, Interfaces, and Next HopsInterfaces and Flow DataThe First Interface: input-interfaceThe Last Interface: output-interfaceThe Throughput Matrix: input/output-interfaceThe Next Address: ip-next-hop-addressWhere Traffic Comes from and How It Gets There: ip-source-address/output-interfaceWhere Traffic Goes, and How It Gets There: ip-destination-address/input-interfaceOther Address and Interface ReportsReporting Sensor OutputBGP ReportsUsing AS InformationTraffic's Network of Origin: source-asDestination Network: destination-asBGP Reports and Friendly Names
Custom Report: Reset-Only FlowsReport Format and OutputRemoving ColumnsApplying Filters to ReportsCombining stat-reports and stat-definitionsMore Report CustomizationsReversing SamplingFilters in stat-report StatementsReporting by BGP RoutingCustomizing Report Appearanceflow-rptfmt OptionsDump CSV to a FileUsing Time to Direct OutputSet Sorting OrderCropping OutputOther Output OptionsAlternate Configuration Files
Installing Cflow.pmTesting Cflow.pmInstall from Operating System PackageInstall from SourceInstalling from Source with a Big Hammer
FlowScan User, Group, and Data DirectoriesFlowScan Startup ScriptConfiguring FlowScanConfiguring CUFlow: CUFlow.cfSubnetNetworkOutputDirScoreboardAggregateScoreRouterServiceProtocolASRotation Programs and flow-captureRunning FlowScanFlowScan File HandlingDisplaying CUFlow Graphs
Splitting FlowsScripting Flow Record SplittingFiltered CUFlow and Directory Setup
A Sample Cflow.pm ScriptCflow.pm VariablesOther Cflow.pm ExportsActing on Every FileReturn ValueVerbose Mode
FlowTracker and FlowGrapher vs. CUFlow
PrerequisitesFlowViewer Installation Process
Directories and Site PathsWebsite SetupDevices and ExportersOne Collector per SensorOne Collector for All SensorsTroubleshooting the FlowViewer Suite
Filtering Flows with FlowViewerDeviceNext Hop IPStart and End Date and TimeTOS Field, TCP Flag, and ProtocolSource and Dest IPSource and Dest InterfaceSource and Dest Port and ASReporting ParametersInclude Flow IfSort Field, Resolve Addresses, and Oct Conv, and Sampling MultipPie ChartsCutoffsPrinted ReportsStatistics Reports
FlowGrapher SettingsDetail LinesGraph WidthSample TimeGraph TypeFlowGrapher Output
FlowTracker ProcessesFlowTracker SettingsTracking Set LabelTracking TypeSampling MultiplierAlert ThresholdAlert FrequencyAlert DestinationGeneral CommentViewing TrackersGroup Trackers
gnuplot 101Starting gnuplotgnuplot Configuration Files
Total Bandwidth ReportFiltering Flows for Total TrafficThe Target GraphThe First Graph: Missing the TargetChanging How the Graph Is DrawnClipping LevelsPrinting Graphs to FilesSave Your Work!Unidirectional Bandwidth ReportsFiltering Flows for Unidirectional TrafficCreating a Unidirectional GraphCombined Inbound/Outbound TrafficPreparing the Data FilesDisplaying Two Graphs Simultaneously
Data NormalizingTime Scale
NetFlow v9Installing flowdConfiguring flowdConverting flowd Data to Flow-tools
Configuring sFlow Export with sflowenableConvert sFlow to NetFlow
Finding Busted SoftwareBroken Connection FiltersChecking for ResetsChecking for Failed ConnectionsIdentifying WormsTraffic to Illegal AddressesTraffic to Nonexistent Hosts

Overview

Network flow analysis is the art of studying the traffic on a computer network. Understanding the ways to export flow and collect and analyze data separates good network administrators from great ones. The detailed instructions in Network Flow Analysis teach the busy network administrator how to build every component of a flow-based network awareness system and how network analysis and auditing can help address problems and improve network reliability.