2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
(Figure: topological graph of the NetFlow monitoring setup)
Devices involved in NetFlow monitoring:
The monitored switch (this may also be a mirror server) and the collector (the device on which the monitoring software runs).
How it works:
NetFlow uses flows for statistics, network monitoring and even network planning. A flow has a direction attribute: under an interface or a VLAN, packets in one direction that share the same parameters constitute a flow. That sentence is translated from the Cisco documentation; put simply, packets that share the same five-tuple (source address, destination address, source port, destination port and protocol) are treated as one flow.
The monitored switch examines the packets entering and leaving the port, places the relevant fields (source address, destination address, source port, destination port, protocol, packet size and so on) into NetFlow packets and sends them to the NetFlow collector. This consumes CPU and memory on the monitored device. The collector (third-party monitoring software) collates the data and presents reports.
v5 supports only IPv4.
v9 supports IPv4 and IPv6.
Example configuration (NetFlow v5, device: ASR1001-X):
 flow exporter HK-test
  destination 10.136.76.117
  source Loopback1
  transport udp 9998
  export-protocol netflow-v5
The flow exporter configures the export parameters: destination address and port, source address, and version. The destination address is the collector's IP, the port must match the port the collector listens on, and the source is the address the export packets are sent from; in a packet capture the source address will be the IP of Loopback1.
 flow monitor HK-test-monitor
  exporter HK-test
  cache type immediate
  record netflow-original
Monitor: binds the flow record to the exporter. The flow record here is the built-in netflow-original, because v5 cannot use a custom template. With cache type immediate, each parsed packet is sent to the monitoring server immediately, without aggregation or summarising.
 sampler test-1
  mode deterministic 1 out-of 2
Sampler: deterministic sampling at a ratio of one in two, i.e. one packet in every two is examined.
 interface GigabitEthernet0/0/4
  ip flow monitor try sampler test-1 input
  ip flow monitor try sampler test-1 output
Apply the monitor and sampler under the interface, in both the input and output directions.
Example configuration (NetFlow v9, device: ASR1001-X):
 flow record try
  description test
  match ipv4 source address
  match ipv4 destination address
  match ipv4 protocol
  match transport source-port
  match transport destination-port
  collect counter bytes
  collect counter packets long
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
 flow exporter try_exporter
  description test_ex
  destination 10.136.76.117
  source Loopback1
  transport udp 9999
  template data timeout 30
 flow monitor try
  description test
  exporter try_exporter
  cache type immediate
  record try
 sampler test1
  mode deterministic 1 out-of 2
 interface GigabitEthernet0/0/4
  ip flow monitor try sampler test1 input
  ip flow monitor try sampler test1 output
Unlike v5, v9 adds a flow record (here named try) that defines which fields are matched and collected; the flow monitor then references it with record try.
Example configuration (NetFlow v9, device: Nexus 5K). Reference document: cisco-N6k-netflow-original (extraction code: pa8i).
 flow exporter extest
  destination 10.136.17.146
  transport udp 9996
  source Vlan40
  version 9
The flow exporter configures the export parameters: destination address and port, source address, and version. The destination address is the collector's IP, the port must match the port the collector listens on, and the source is the address the export packets are sent from; in a packet capture the source address will be the IP of interface Vlan40.
 flow record rdtest
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match ip tos
  match transport source-port
  match transport destination-port
  collect counter bytes long
  collect counter packets long
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
  collect ip version
Flow record: defines which fields are matched and collected for the monitored traffic.
 sampler sltest
  mode 1 out-of 128
Sampling ratio: one packet is selected out of every 128.
 sampler full
  mode 1 out-of 1
Sampling ratio 1:1, i.e. all traffic is captured.
 flow monitor mttest
  record rdtest
  exporter extest
Monitor: binds the flow record to the exporter.
 interface Vlan40
  ip flow monitor mttest input sampler full
The monitor, with the one-to-one sampler, is applied to the interface. Testing showed that on this device NetFlow monitoring can only be configured in the input direction; the output direction cannot be configured.
V5 packet style
By default Wireshark does not parse NetFlow packets; the UDP port in use has to be decoded as CFLOW. For example, I am using port 9999, so I need to select a packet, right-click, choose Decode As, and add the entry shown in the figure before the packets can be parsed.
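To make the flow definition from "How it works" and the fixed v5 layout concrete, here is an added example (not code from the page or from Cisco) that groups constructed packets seen in one direction on an interface into five-tuple flows, encodes them as a NetFlow v5 datagram, and decodes that datagram the way a collector would. The packet addresses, ports, timestamps and the ifindex value 4 are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (Cisco fixed format, IPv4 only): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, sysuptime, unix secs, unix nsecs, sequence, engine type, engine id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out ifindex, pkts, bytes, first, last, sport, dport, pad, flags, proto, tos, ASes, masks, pad

def aggregate_flows(packets, direction):
    """Group packets seen in one direction on an interface by five-tuple, which is how
    the text defines a flow. packets: (src, dst, sport, dport, proto, size, uptime_ms)."""
    flows = {}
    for src, dst, sport, dport, proto, size, ts in packets:
        f = flows.setdefault((direction, src, dst, sport, dport, proto),
                             {"pkts": 0, "bytes": 0, "first": ts, "last": ts})
        f["pkts"] += 1
        f["bytes"] += size
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
    return flows

def build_v5_export(flows, uptime_ms, unix_secs, ifindex, seq=0):
    """Exporter side: encode flows as one v5 datagram (v5 carries at most 30 records)."""
    if len(flows) > 30:
        raise ValueError("v5 export holds at most 30 records per packet")
    body = b""
    for (direction, src, dst, sport, dport, proto), f in flows.items():
        inp, out = (ifindex, 0) if direction == "input" else (0, ifindex)
        body += V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                               inp, out, f["pkts"], f["bytes"], f["first"], f["last"],
                               sport, dport, 0, 0, proto, 0, 0, 0, 0, 0, 0)
    return V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 1) + body

def parse_v5(packet):
    """Collector side: decode a v5 datagram into (src, dst, sport, dport, proto, pkts, bytes)."""
    version, count, *_ = V5_HEADER.unpack(packet[:V5_HEADER.size])
    if version != 5 or len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 packet")
    out = []
    for off in range(V5_HEADER.size, len(packet), V5_RECORD.size):
        r = V5_RECORD.unpack(packet[off:off + V5_RECORD.size])
        out.append((str(IPv4Address(r[0])), str(IPv4Address(r[1])), r[9], r[10], r[13], r[5], r[6]))
    return out

# Constructed sample: three packets in the input direction; the first two share a five-tuple.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.136.76.117", 51234, 443, 6, 60, 1000),
    ("10.0.0.5", "10.136.76.117", 51234, 443, 6, 1500, 1010),
    ("10.0.0.9", "10.136.76.117", 53001, 53, 17, 80, 1005),
]
```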
V9 packet style
There are two kinds of packets. Template packets define the collected fields (v9 is a customisable collection method, so the template follows the configured parameters). Data packets carry the values laid out according to the template; the collector must receive the template packet before it can interpret the contents of the data packets.
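The template dependency described above, as an added example (not code from the page or from Cisco): a minimal v9 collector-side parser that caches templates per exporter and reports a data FlowSet as undecodable when its template has not arrived yet. The template id 256 and the sample record (a TCP flow from 10.0.0.5 to 10.136.76.117) are constructed values; the field ids follow the fields the page's flow record try matches and collects.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field-type ids (RFC 3954) for what the page's "flow record try" matches and
# collects; any other id is decoded as a big-endian integer.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysuptime, unix secs, sequence, source id

def parse_v9(packet, templates):
    """Parse one v9 export packet. `templates` ((source_id, template_id) -> field list)
    persists across calls: a data FlowSet is undecodable until its template has arrived."""
    version, _, _, _, _, source_id = HEADER.unpack(packet[:HEADER.size])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], HEADER.size
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                        # template FlowSet (may carry several templates)
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i]) for i in range(nfields)]
                templates[(source_id, tid)], pos = fields, pos + 4 + 4 * nfields
        elif fs_id >= 256:                    # data FlowSet; its id names the template
            fields = templates.get((source_id, fs_id))
            if fields is None:
                records.append({"template": fs_id, "undecodable": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                while pos + rec_len <= len(body):   # leftover bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        raw, pos = body[pos:pos + flen], pos + flen
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                    records.append(rec)
        off += fs_len
    return records

# Constructed sample (not a capture): template 256 mirroring "flow record try", and one
# data packet carrying a single 25-byte record, padded to a 4-byte boundary.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (1, 4), (2, 8)]
TEMPLATE_PKT = (HEADER.pack(9, 1, 1000, 1700000000, 1, 1) + struct.pack("!HHHH", 0, 36, 256, 7)
                + b"".join(struct.pack("!HH", *f) for f in TEMPLATE_FIELDS))
SAMPLE_RECORD = (IPv4Address("10.0.0.5").packed + IPv4Address("10.136.76.117").packed
                 + bytes([6]) + struct.pack("!HHIQ", 51234, 443, 1500, 3))
DATA_PKT = HEADER.pack(9, 1, 1000, 1700000000, 2, 1) + struct.pack("!HH", 256, 32) + SAMPLE_RECORD + b"\0" * 3
```

Feeding DATA_PKT before TEMPLATE_PKT yields an undecodable marker; after the template has been cached the same bytes decode into the five-tuple and counters.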