book

Network Flow Analysis

Name: Network Flow Analysis
Author: Michael W. Lucas
ISBN: 9781593272036

by Michael W. Lucas

June 2010

Intermediate to advanced

224 pages

5h 18m

English

No Starch Press

Read now

Unlock full access

Network Flow Analysis
ACKNOWLEDGMENTS
INTRODUCTION
Network Administration and Network Management
Network Management Tools
MRTG, Cricket, and CactiRTGNagios and Big BrotherCiscoWorks, OpenView, and More
Enough Griping: What's the Solution?
Flow-Tools and Its Prerequisites
Flows and This Book
1. FLOW FUNDAMENTALS
What Is a Flow?
Flow System Architecture

The History of Network Flow
NetFlow VersionsNetFlow Version 1NetFlow Version 5NetFlow Version 7NetFlow Version 8NetFlow Version 9NetFlow CompetitionThe Latest Standards
Flows in the Real World
ICMP FlowsUDP FlowsTCP FlowsOther Protocols
Flow Export and Timeouts
Packet-Sampled Flows
2. COLLECTORS AND SENSORS
Collector ConsiderationsOperating SystemSystem Resources
Sensor Considerations
LocationInternet BorderEthernet CoreFrom Remote FacilitiesFrom Private Network Segments/DMZs
Implementing the Collector
Installing Flow-tools
Installing from PackagesInstalling from Source
Running flow-capture
Starting flow-capture at Boot
How Many Collectors?
Collector Log Files
Collector Troubleshooting
Configuring Hardware Flow Sensors
Cisco RoutersCisco SwitchesJuniper Routers
Configuring Software Flow Sensors
Setting Up Sensor Server HardwareNetwork SetupSensor Server SetupRunning the Sensor on the Collector
The Sensor: softflowd
Running softflowdWatching softflowdViewing Tracked FlowsViewing Flow Statistics
3. VIEWING FLOWS
Using flow-printPrinting Protocol and Port NamesCommon Protocol and Port Number AssignmentsViewing Flow Record Header Information with -pPrinting to a Wide Terminal
Setting flow-print Formats with -f
Showing Interfaces and Ports in Hex with Format -f 0Two Lines with Times, Flags, and Hex Ports Using -f 1Printing BGP InformationWide-Screen DisplayIP Accounting Format
TCP Control Bits and Flow Records
ICMP Types and Codes and Flow Records
Types and Codes in ICMPFlows and ICMP Details
4. FILTERING FLOWS
Filter FundamentalsCommon PrimitivesCreating a Simple Filter with Conditions and PrimitivesUsing Your Filter
Useful Primitives
Protocol, Port, and Control Bit PrimitivesIP Protocol PrimitivesPort Number PrimitivesTCP Control Bit PrimitivesICMP Type and Code PrimitivesIP Address and Subnet PrimitivesIP AddressesSubnet PrimitivesTime, Counter, and Double PrimitivesComparison Operators in PrimitivesTime PrimitivesCounter PrimitivesDouble PrimitivesInterface and BGP PrimitivesIdentifying Interface Numbers Using SNMPInterface Number PrimitiveAutonomous System Primitives
Filter Match Statements
Protocols, Ports, and Control BitsNetwork Protocol FiltersSource or Destination Port FiltersTCP Control Bit FiltersICMP Type and Code FiltersAddresses and SubnetsFiltering by Sensor or ExporterTime FiltersClipping LevelsOctets, Packets, and Duration FiltersPackets or Bits per Second FiltersBGP and Routing FiltersAutonomous System Number FiltersNext-Hop Address FiltersInterface Filters
Using Multiple Filters
Logical Operators in Filter Definitions
Logical "or"Filter Inversion
Filters and Variables
Using Variable-Driven FiltersDefining Your Own Variable-Driven FiltersCreating Your Own Variables
5. REPORTING AND FOLLOW-UP ANALYSIS
Default ReportTiming and TotalsPacket Size DistributionPackets per FlowOctets in Each FlowFlow Time Distribution
Modifying the Default Report
Using Variables: Report TypeUsing Variables: SORT
Analyzing Individual Flows from Reports
Other Report Customizations
Choosing FieldsDisplaying Headers, Hostnames, and PercentagesPresenting Reports in HTML
Useful Report Types
IP Address ReportsHighest Data Exchange: ip-addressFlows by Recipient: ip-destination-addressMost Connected Source: ip-source-address-destination-countMost Connected Destination: ip-destination-address-source-countNetwork Protocol and Port ReportsPorts Used: ip-portFlow Origination: ip-source-portFlow Termination: ip-destination-portIndividual Connections: ip-source/destination-portNetwork Protocols: ip-protocolTraffic Size ReportsPacket Size: packet-sizeBytes per Flow: octetsPackets per Flow: packetsTraffic Speed ReportsCounting Packets: ppsTraffic at a Given Time: linear-interpolated-flows-octets-packetsRouting, Interfaces, and Next HopsInterfaces and Flow DataThe First Interface: input-interfaceThe Last Interface: output-interfaceThe Throughput Matrix: input/output-interfaceThe Next Address: ip-next-hop-addressWhere Traffic Comes from and How It Gets There: ip-source-address/output-interfaceWhere Traffic Goes, and How It Gets There: ip-destination-address/input-interfaceOther Address and Interface ReportsReporting Sensor OutputBGP ReportsUsing AS InformationTraffic's Network of Origin: source-asDestination Network: destination-asBGP Reports and Friendly Names
Customizing Reports
Custom Report: Reset-Only FlowsReport Format and OutputRemoving ColumnsApplying Filters to ReportsCombining stat-reports and stat-definitionsMore Report CustomizationsReversing SamplingFilters in stat-report StatementsReporting by BGP RoutingCustomizing Report Appearanceflow-rptfmt OptionsDump CSV to a FileUsing Time to Direct OutputSet Sorting OrderCropping OutputOther Output OptionsAlternate Configuration Files
6. PERL, FLOWSCAN, AND CFLOW.PM
Installing Cflow.pmTesting Cflow.pmInstall from Operating System PackageInstall from SourceInstalling from Source with a Big Hammer
flowdumper and Full Flow Information
FlowScan and CUFlow
FlowScan Prerequisites
Installing FlowScan and CUFlow
FlowScan User, Group, and Data DirectoriesFlowScan Startup ScriptConfiguring FlowScanConfiguring CUFlow: CUFlow.cfSubnetNetworkOutputDirScoreboardAggregateScoreRouterServiceProtocolASRotation Programs and flow-captureRunning FlowScanFlowScan File HandlingDisplaying CUFlow Graphs
Flow Record Splitting and CUFlow
Splitting FlowsScripting Flow Record SplittingFiltered CUFlow and Directory Setup
Using Cflow.pm
A Sample Cflow.pm ScriptCflow.pm VariablesOther Cflow.pm ExportsActing on Every FileReturn ValueVerbose Mode
7. FLOWVIEWER
FlowTracker and FlowGrapher vs. CUFlow
FlowViewer Security
Installing FlowViewer
PrerequisitesFlowViewer Installation Process
Configuring FlowViewer
Directories and Site PathsWebsite SetupDevices and ExportersOne Collector per SensorOne Collector for All SensorsTroubleshooting the FlowViewer Suite
Using FlowViewer
Filtering Flows with FlowViewerDeviceNext Hop IPStart and End Date and TimeTOS Field, TCP Flag, and ProtocolSource and Dest IPSource and Dest InterfaceSource and Dest Port and ASReporting ParametersInclude Flow IfSort Field, Resolve Addresses, and Oct Conv, and Sampling MultipPie ChartsCutoffsPrinted ReportsStatistics Reports
FlowGrapher
FlowGrapher SettingsDetail LinesGraph WidthSample TimeGraph TypeFlowGrapher Output
FlowTracker
FlowTracker ProcessesFlowTracker SettingsTracking Set LabelTracking TypeSampling MultiplierAlert ThresholdAlert FrequencyAlert DestinationGeneral CommentViewing TrackersGroup Trackers
Interface Names and FlowViewer
8. AD HOC FLOW VISUALIZATION
gnuplot 101Starting gnuplotgnuplot Configuration Files
Time-Series Example: Bandwidth
Total Bandwidth ReportFiltering Flows for Total TrafficThe Target GraphThe First Graph: Missing the TargetChanging How the Graph Is DrawnClipping LevelsPrinting Graphs to FilesSave Your Work!Unidirectional Bandwidth ReportsFiltering Flows for Unidirectional TrafficCreating a Unidirectional GraphCombined Inbound/Outbound TrafficPreparing the Data FilesDisplaying Two Graphs Simultaneously
Automating Graph Production
Comparison Graphs
Data NormalizingTime Scale
9. EDGES AND ANALYSIS
NetFlow v9Installing flowdConfiguring flowdConverting flowd Data to Flow-tools
sFlow
Configuring sFlow Export with sflowenableConvert sFlow to NetFlow
Problem Solving with Flow Data
Finding Busted SoftwareBroken Connection FiltersChecking for ResetsChecking for Failed ConnectionsIdentifying WormsTraffic to Illegal AddressesTraffic to Nonexistent Hosts
Afterword
About the Author
UPDATES

Content preview from Network Flow Analysis

Logical Operators in Filter Definitions

When you put multiple match conditions in a filter definition, flow-nfilter places a logical "and" between them. For example, the following filter shows all traffic that runs over TCP and has a source port of 25. This passes an email server's responses to a connection.

filter-definition TCPport25
    match ip-protocol TCP
    match ip-source-port port25

You can use other logical operators to build very complicated filters.

Logical "or"

When I try to analyze a connection problem, I usually want to see both sides of the conversation. I want a filter that will show connections to port 25 as well as from port 25. For this, use the or operator as follows:

filter-definition email match ip-protocol TCP match ip-source-port ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Sams Teach Yourself Network Troubleshooting in 24 Hours, Second Edition

Publisher Resources

ISBN: 9781593272036Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Network Flow Analysis

by Michael W. Lucas

Logical Operators in Filter Definitions

Logical "or"

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.