FLOW-TOOLS-EXAMPLES(1)                                  FLOW-TOOLS-EXAMPLES(1)

NAME
flow-tools-examples - Example usage of flow-tools.

CISCO IOS
NetFlow is configured on each input interface, then global commands are
used to specify the export destination. To ensure a consistent source
address, Loopback0 is configured as the export source.

ip cef distributed
ip flow-export version 5 origin-as
ip flow-export destination 10.0.0.100 5004
ip flow-export source Loopback0

interface Loopback0
 ip address 10.1.1.1 255.255.255.255

interface FastEthernet0/1/0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip route-cache flow
 ip route-cache distributed

Many other options exist, such as aggregated NetFlow and sampled NetFlow,
which are detailed at <URL:http://www.cisco.com>.

CISCO CatIOS
Some Cisco Catalyst switches support a different implementation of
NetFlow that is performed on the Supervisor. With the cache-based
forwarding model implemented in the Catalyst 55xx with Route Switch
Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes the
first packet of a flow and the remaining packets in the flow are
forwarded by the Supervisor. This is also implemented in the early
versions of the 65xx with MSFC. The deterministic forwarding model used
in the 65xx with MSFC2 does not use NetFlow to determine the forwarding
path; the flow cache is only used for statistics, as in the current IOS
implementations. In all of the above configurations flow exports arrive
from both the RSM/MSFC and the Supervisor engines as distinct streams.
In the worst case the RSM exports in version 5 and the Supervisor
exports in version 7. Fortunately flow-capture and flow-receive can sort
this out by processing flows from both sources and converting them to a
common export format.

The router side running IOS is configured identically to the example
given above. The CatIOS NetFlow Data Export configuration follows:

set mls flow full
set mls nde version 7
set mls nde 10.0.0.1 9800
set mls nde enable

When the 65xx is running in Native mode, from a user's perspective the
switch is only running IOS.

More detailed examples can be found on Cisco's web site
<URL:http://www.cisco.com>.

JUNIPER
Juniper supports flow export by having the routing engine sample packet
headers and aggregate them into flows. Packet sampling is configured by
defining a firewall filter that accepts and samples all traffic,
applying that filter to the interface, then configuring the sampling
forwarding option. Note that with rate 100 only one packet in 100 is
sampled, so the exported flows are a statistical sample of the traffic.

interfaces {
    ge-0/3/0 {
        unit 0 {
            family inet {
                filter {
                    input all;
                    output all;
                }
                address 10.0.0.1/24;
            }
        }
    }
}

firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}

forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
            }
        }
        output {
            cflowd 10.0.0.100 {
                port 9800;
                version 5;
            }
        }
    }
}

Other options exist, such as aggregated flows, which are detailed at
<URL:http://www.juniper.net>.

NETWORK TOPOLOGY AND flow.acl
The network topology and flow.acl below are used for many of the
examples that follow. Flows are collected and stored in /flows/R.

                  ISP-A                      ISP-B
                    +                          +
                     +                        +
 IP=10.1.2.1/24       +                      +      IP=10.1.1.1/24
 ifIndex=2             +                    +       ifIndex=1
 interface=serial1/1    +                  +        interface=serial0/0
                          -----
                          | R |    Campus Router
                          -----
                         +     +
 IP=10.1.4.1/24         +       +           IP=10.1.3.1/24
 ifIndex=4             +         +          ifIndex=3
 interface=Ethernet1/1+           +         interface=Ethernet0/0
                     +             +
                  Sales           Marketing

ip access-list standard sales permit 10.1.4.0 0.0.0.255
ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
ip access-list standard marketing permit 10.1.3.0 0.0.0.255
ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard evil_hacket permit host 10.6.6.6
ip access-list standard spoofer permit host 10.9.9.9
ip access-list standard multicast permit 224.0.0.0 15.255.255.255


SPOOFED ADDRESSES
A common problem on the Internet is the use of "spoofed" source
addresses (addresses that are not assigned to the organization sending
them) in DoS attacks or to compromise servers that rely on the source IP
address for authentication.

Display all flow records that originate from the campus and are sent to
the Internet but do not use legitimate campus source addresses.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

Summarize the destinations of the internally spoofed flows, sorted by
octets.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

Summarize the sources of the internally spoofed flows, sorted by flows.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

Summarize the internally spoofed source and destination pairs, sorted by
packets.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

Display all flow records that arrive from outside the campus but carry
campus source addresses. Often these are attackers trying to exploit
host-based authentication mechanisms such as the Unix r* commands.
Another common source is mobile clients that send packets with their
campus addresses before obtaining a valid IP address.

flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

Summarize the destinations of the externally spoofed flows, sorted by
octets.

flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2
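
The two spoofed-source checks above, worked through in Python over a handful
of constructed flow records. This is an added example, not code from
flow-tools or from this man page. It reproduces the Cisco wildcard-mask
matching that flow.acl uses for the campus prefixes, the ifIndex logic of
the -I1,2 (output interface) and -i1,2 (input interface) filters, and
aggregates the result the way flow-stat -f8, -f9 and -f10 summarize by
destination, source and source/destination pair. Rather than modelling
flow-tools' own ACL evaluation (entry order and default action), it negates
the campus match set directly, which is what the campus/not_campus pair
expresses. The addresses, interface numbers and counters in SAMPLE_FLOWS are
constructed, as are the helper names.

```python
"""Spoofed-source checks over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# The campus prefixes from the page's flow.acl, in Cisco wildcard-mask form,
# and the ISP-facing ifIndexes (1 and 2) from the topology diagram.
CAMPUS_ACL = [("10.1.4.0", "0.0.0.255"), ("10.1.3.0", "0.0.0.255")]
INTERNET_IFS = {1, 2}


def wildcard_match(addr, network, wildcard):
    """Cisco standard-ACL match: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def in_acl(addr, acl):
    """True if any (network, wildcard) entry of the ACL covers addr."""
    return any(wildcard_match(addr, net, wild) for net, wild in acl)


# Constructed flow records; field names follow flow-print's columns.
SAMPLE_FLOWS = [
    # legitimate campus host to the Internet via ISP-A
    dict(srcaddr="10.1.4.10", dstaddr="198.51.100.5", input=4, output=1,
         dport=80, packets=10, octets=5000),
    # internally spoofed: non-campus source leaving via ISP-A
    dict(srcaddr="10.9.9.9", dstaddr="198.51.100.5", input=4, output=1,
         dport=80, packets=1000, octets=64000),
    # legitimate inbound SMTP from the Internet
    dict(srcaddr="192.0.2.7", dstaddr="10.1.3.20", input=1, output=3,
         dport=25, packets=20, octets=9000),
    # externally spoofed: campus source arriving from ISP-B (rlogin attempt)
    dict(srcaddr="10.1.3.20", dstaddr="10.1.4.10", input=2, output=4,
         dport=513, packets=3, octets=180),
    # internally spoofed again, this time leaving via ISP-B
    dict(srcaddr="10.9.9.9", dstaddr="203.0.113.9", input=3, output=2,
         dport=53, packets=500, octets=30000),
    # campus-internal traffic, never touches an ISP interface
    dict(srcaddr="10.1.4.10", dstaddr="10.1.3.20", input=4, output=3,
         dport=22, packets=40, octets=6000),
]


def internally_spoofed(flows):
    """flow-filter -Snot_campus -I1,2: toward an ISP with a non-campus source."""
    return [f for f in flows
            if f["output"] in INTERNET_IFS and not in_acl(f["srcaddr"], CAMPUS_ACL)]


def externally_spoofed(flows):
    """flow-filter -Scampus -i1,2: arriving from an ISP with a campus source."""
    return [f for f in flows
            if f["input"] in INTERNET_IFS and in_acl(f["srcaddr"], CAMPUS_ACL)]


# Report keys in the spirit of flow-stat -f8 (dst), -f9 (src), -f10 (src/dst pair).
REPORT_KEYS = {"dst": ("dstaddr",), "src": ("srcaddr",), "pair": ("srcaddr", "dstaddr")}


def flow_stat(flows, report, sort_by):
    """Aggregate flows/octets/packets per key, sorted descending by sort_by."""
    totals = defaultdict(lambda: {"flows": 0, "octets": 0, "packets": 0})
    for f in flows:
        key = tuple(f[k] for k in REPORT_KEYS[report])
        totals[key]["flows"] += 1
        totals[key]["octets"] += f["octets"]
        totals[key]["packets"] += f["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)


if __name__ == "__main__":
    print("internally spoofed, by destination, sorted by octets:")
    for key, t in flow_stat(internally_spoofed(SAMPLE_FLOWS), "dst", "octets"):
        print(" ", key[0], t)
    print("externally spoofed sources:",
          [f["srcaddr"] for f in externally_spoofed(SAMPLE_FLOWS)])
```

The interface test is what makes the check meaningful: a non-campus source
is only "spoofed" when it leaves through an ISP interface, and a campus
source is only suspicious when it arrives from one. Forgetting the ifIndex
condition would flag transit and internal traffic as well.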

SMTP AND NNTP
Find all SMTP servers active during the collection period that have
established connections to the Internet. Summarize by source, sorted by
octets.

flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

Find all outbound NNTP connections to the Internet. Summarize by source
and destination IP, sorted by octets.

flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

Find all inbound NNTP connections from the Internet. Summarize by source
and destination IP, sorted by octets.

flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3

MULTICAST
Summarize multicast (S,G) pairs where the sources are on campus.

flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

Summarize multicast (S,G) pairs where the sources are off campus.

flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

SCANNING
Find SMTP scanners with flow-dscan. This will also find SMTP clients
that try to contact many servers; the same behavior is characteristic of
a recent Microsoft worm. flow-dscan expects the suppress files to exist,
so create them (empty) first.

touch dscan.suppress.src dscan.suppress.dst

flow-cat /flows/R | flow-filter -P25 | flow-dscan -b
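
A simplified version of the host-scan heuristic that flow-dscan applies, as
an added example; it is not flow-dscan's own algorithm and does not
reproduce its thresholds. It groups port-25 flows by source, counts the
distinct destinations each source contacted, flags sources above a
threshold, and skips anything listed in suppress lists like the
dscan.suppress.src and dscan.suppress.dst files created above (the
one-address-per-line format parsed here is an assumption). The flow
records, the threshold and the suppress entries are constructed.

```python
"""Simplified host-scan heuristic in the spirit of flow-dscan (added example)."""
from collections import defaultdict


def parse_suppress(text):
    """Parse a suppress list: one address per line, blank lines and '#' comments
    ignored. The format is an assumption; the page only shows the files being
    created empty with touch."""
    entries = set()
    for line in text.splitlines():
        addr = line.split("#", 1)[0].strip()
        if addr:
            entries.add(addr)
    return entries


def find_scanners(flows, dport, threshold, suppress_src=frozenset(), suppress_dst=frozenset()):
    """Return {srcaddr: distinct destination count} for sources that contacted at
    least `threshold` distinct hosts on `dport`, ignoring suppressed sources and
    destinations."""
    dsts = defaultdict(set)
    for f in flows:
        if f["dport"] != dport:
            continue
        if f["srcaddr"] in suppress_src or f["dstaddr"] in suppress_dst:
            continue
        dsts[f["srcaddr"]].add(f["dstaddr"])
    return {src: len(d) for src, d in dsts.items() if len(d) >= threshold}


# Constructed flows: 10.1.4.50 touches 12 hosts on port 25 with tiny flows
# (worm/scanner behaviour), 10.1.3.20 is a campus mail relay talking to two
# peers with real message volume, plus one non-SMTP flow that must be ignored.
SAMPLE_FLOWS = (
    [dict(srcaddr="10.1.4.50", dstaddr=f"198.51.100.{n}", dport=25, octets=60)
     for n in range(1, 13)]
    + [dict(srcaddr="10.1.3.20", dstaddr="203.0.113.25", dport=25, octets=42000),
       dict(srcaddr="10.1.3.20", dstaddr="203.0.113.26", dport=25, octets=9100),
       dict(srcaddr="10.1.4.50", dstaddr="198.51.100.200", dport=80, octets=3000)]
)

SCAN_THRESHOLD = 10  # constructed value; flow-dscan's own thresholds are not reproduced


def report(flows=SAMPLE_FLOWS, suppress_src_text="", suppress_dst_text=""):
    """Run the heuristic over port 25 with the given suppress-file contents."""
    return find_scanners(flows, 25, SCAN_THRESHOLD,
                         parse_suppress(suppress_src_text),
                         parse_suppress(suppress_dst_text))


if __name__ == "__main__":
    print(report())
    # A known outbound relay that legitimately fans out to many servers is
    # the kind of entry that belongs in dscan.suppress.src.
    print(report(suppress_src_text="10.1.4.50  # known outbound relay\n"))
```

The suppress lists are the operational half of this: mail relays, MX hosts
and monitoring systems fan out to many peers by design, and without
suppressing them the report fills with false positives.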

AUTHOR
Mark Fullmer <maf@splintered.net>

SEE ALSO
flow-tools(1)

                              26 August 2010            FLOW-TOOLS-EXAMPLES(1)