flow-tools-examples(1) General Commands Manual flow-tools-examples(1)


NAME

       flow-tools-examples — Example usage of flow-tools.


EXAMPLE - Configuring Cisco IOS Router

       NetFlow is configured on each input interface, then global commands are
       used to specify the export destination.  To ensure a consistent source
       address, Loopback0 is configured as the export source.

       ip cef distributed
       ip flow-export version 5 origin-as
       ip flow-export destination 10.0.0.100 5004
       ip flow-export source Loopback0

       interface Loopback0
        ip address 10.1.1.1 255.255.255.255

       interface FastEthernet0/1/0
        ip address 10.0.0.1 255.255.255.0
        no ip directed-broadcast
        ip route-cache flow
        ip route-cache distributed

       Many other options exist, such as aggregated NetFlow and sampled
       NetFlow, which are detailed at http://www.cisco.com.


EXAMPLE - Configuring Cisco CatIOS Switch

       Some Cisco Catalyst switches support a different implementation of
       NetFlow that is performed on the supervisor.  With the cache-based
       forwarding model implemented in the Catalyst 55xx with Route Switch
       Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes the
       first packet of each flow and the remaining packets in the flow are
       forwarded by the Supervisor.  This is also implemented in the early
       versions of the 65xx with MSFC.  The deterministic forwarding model
       used in the 65xx with MSFC2 does not use NetFlow to determine the
       forwarding path; the flow cache is only used for statistics, as in the
       current IOS implementations.  In all of the above configurations flow
       exports arrive from both the RSM/MSFC and the Supervisor engines as
       distinct streams.  In the worst case the RSM exports in version 5 and
       the Supervisor exports in version 7.  Fortunately flow-capture and
       flow-receive can sort all this out by processing flows from both
       sources and converting them to a common export format.

       The router side running IOS is configured identically to the example
       given above.  The CatIOS NetFlow Data Export configuration follows:

       set mls flow full
       set mls nde version 7
       set mls nde 10.0.0.1 9800
       set mls nde enable

       When the 65xx is running in Native mode, from a user's perspective the
       switch is only running IOS.

       More detailed examples can be found on Cisco's web site at
       http://www.cisco.com.


EXAMPLE - Configuring Juniper Router

       Juniper supports flow exports by the routing engine sampling packet
       headers and aggregating them into flows.  Packet sampling is done by
       defining a firewall filter to accept and sample all traffic, applying
       that filter to the interface, then configuring the sampling forwarding
       option.

       interfaces {
           ge-0/3/0 {
               unit 0 {
                   family inet {
                       filter {
                           input all;
                           output all;
                       }
                       address 10.0.0.1/24;
                   }
               }
           }
       }

       firewall {
           filter all {
               term all {
                   then {
                       sample;
                       accept;
                   }
               }
           }
       }

       forwarding-options {
           sampling {
               input {
                   family inet {
                       rate 100;
                   }
               }
               output {
                   cflowd 10.0.0.100 {
                       port 9800;
                       version 5;
                   }
               }
           }
       }

       Other options exist, such as aggregated flows, which are detailed at
       http://www.juniper.net.


EXAMPLE - Network topology and flow.acl

       The network topology and flow.acl below are used for many of the
       examples that follow.  Flows are collected and stored in /flows/R.

                                    ISP-A       ISP-B
                                     +           +
                                      +         +
                        IP=10.1.2.1/24 +       + IP=10.1.1.1/24
                             ifIndex=2  +     +  ifIndex=1
                   interface=serial1/1   +   +   interface=serial0/0
                                         -----
                                         | R | Campus Router
                                         -----
                                         +   +
                       IP=10.1.4.1/24   +     +   IP=10.1.3.1/24
                            ifIndex=4  +       +  ifIndex=3
                interface=Ethernet1/1 +         + interface=Ethernet0/0
                                     +           +
                                   Sales      Marketing

       ip access-list standard sales permit 10.1.4.0 0.0.0.255
       ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
       ip access-list standard marketing permit 10.1.3.0 0.0.0.255
       ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
       ip access-list standard campus permit 10.1.4.0 0.0.0.255
       ip access-list standard campus permit 10.1.3.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
       ip access-list standard evil_hacket permit host 10.6.6.6
       ip access-list standard spoofer permit host 10.9.9.9
       ip access-list standard multicast permit 224.0.0.0 15.255.255.255


EXAMPLE - Finding spoofed addresses

       A common problem on the Internet is the use of "spoofed" addresses
       (addresses that are not assigned to the organization) in DoS attacks
       or in compromising servers that rely on the source IP address for
       authentication.

       Display all flow records that originate from the campus and are sent
       to the Internet but are not using legal addresses.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

       Summary of the destinations of the internally spoofed addresses, sorted
       by octets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

       Summary of the sources of the internally spoofed addresses, sorted by
       flows.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

       Summary of the internally spoofed source and destination pairs, sorted
       by packets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

       Display all flow records that originate external to the campus but
       carry campus addresses.  Many times these are attackers trying to
       exploit host-based authentication mechanisms such as the Unix r*
       commands.  Another common source is mobile clients which send packets
       with their campus addresses before obtaining a valid IP.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

       Summary of the destinations of the externally spoofed addresses, sorted
       by octets.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2


EXAMPLE - Locate hosts using or running services

       Find all SMTP servers active during the collection period that have
       established connections to the Internet.  Summarize, sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

       Find all outbound NNTP connections to the Internet.  Summarize with
       source and destination IP, sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

       Find all inbound NNTP connections from the Internet.  Summarize with
       source and destination IP, sorted by octets.

       flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3


EXAMPLE - Multicast usage

       Summarize multicast (S,G) pairs where the sources are on campus.

       flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

       Summarize multicast (S,G) pairs where the sources are off campus.

       flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

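The flow.acl matching and the flow-filter / flow-stat pipelines used in the spoofed-address, service-location and multicast examples above, modelled in Python as an added example (this is not flow-tools code and does not call its library). It assumes the flow-filter switches mean what the examples use them for (-S/-D source and destination ACL, -i/-I input and output ifIndex list, -P destination port), and, because the page does not say how flow-filter treats an address that matches no entry of a list, resolves that case as the opposite of the list's last action, which is the only reading under which the paired campus / not_campus lists select complementary address sets. The flow records are constructed for the campus topology above; addresses outside it are taken from documentation ranges.

```python
# Added example, not flow-tools code: a model of flow.acl matching and of the
# flow-filter / flow-stat pipelines above, run over constructed flow records.
import ipaddress
from collections import defaultdict, namedtuple

# flow.acl from the topology section
FLOW_ACL = """
ip access-list standard sales permit 10.1.4.0 0.0.0.255
ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
ip access-list standard marketing permit 10.1.3.0 0.0.0.255
ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard evil_hacket permit host 10.6.6.6
ip access-list standard spoofer permit host 10.9.9.9
ip access-list standard multicast permit 224.0.0.0 15.255.255.255
"""


def parse_flow_acl(text):
    """Return {name: [(permit, address, wildcard), ...]} in file order."""
    acls = defaultdict(list)
    for line in text.splitlines():
        p = line.split()
        if p[:3] != ["ip", "access-list", "standard"] or len(p) < 6:
            continue
        name, permit, rest = p[3], p[4] == "permit", p[5:]
        if rest[0] == "host":            # "host X" is X with wildcard 0.0.0.0
            addr, wild = rest[1], "0.0.0.0"
        else:                            # "X [wildcard]"; a bare X means host X
            addr, wild = rest[0], rest[1] if len(rest) > 1 else "0.0.0.0"
        acls[name].append((permit, int(ipaddress.IPv4Address(addr)),
                           int(ipaddress.IPv4Address(wild))))
    return acls


def acl_permits(entries, ip):
    """First matching entry decides; wildcard bits set to 1 are don't-care.
    Assumption: an address matching no entry gets the opposite of the list's
    last action, so deny-only lists (not_campus) select every other address
    and permit-only lists (campus) end in an implicit deny like a Cisco ACL."""
    n = int(ipaddress.IPv4Address(ip))
    for permit, addr, wild in entries:
        if (n | wild) == (addr | wild):
            return permit
    return not entries[-1][0] if entries else False


Flow = namedtuple("Flow", "srcaddr dstaddr input output prot dstport dpkts doctets")

# Constructed records for the topology above (ifIndex 1,2 = ISP links, 3 = Marketing, 4 = Sales)
FLOWS = [
    Flow("10.1.4.20", "192.0.2.25", 4, 1, 6, 25, 12, 9000),         # Sales host sending mail out
    Flow("10.1.3.7", "192.0.2.119", 3, 2, 6, 119, 30, 22000),       # Marketing host reading news
    Flow("203.0.113.9", "192.0.2.80", 4, 1, 6, 80, 500, 30000),     # non-campus source leaving via Sales: spoofed
    Flow("203.0.113.9", "198.51.100.5", 4, 2, 17, 53, 200, 16000),  # same spoofed source, second target
    Flow("10.1.3.99", "10.1.4.10", 1, 4, 6, 513, 4, 320),           # campus address arriving from ISP-B: spoofed
    Flow("10.1.4.5", "239.1.1.1", 4, 1, 17, 5000, 50, 60000),       # campus multicast source
    Flow("198.51.100.77", "239.1.1.1", 2, 3, 17, 5000, 70, 84000),  # off-campus multicast source
]


def flow_filter(flows, acls, src_acl=None, dst_acl=None, in_if=None, out_if=None, dst_port=None):
    """Keep records passing every given test: -S/-D source and destination ACL,
    -i/-I input and output ifIndex set, -P destination port set."""
    return [f for f in flows
            if (not src_acl or acl_permits(acls[src_acl], f.srcaddr))
            and (not dst_acl or acl_permits(acls[dst_acl], f.dstaddr))
            and (not in_if or f.input in in_if)
            and (not out_if or f.output in out_if)
            and (not dst_port or f.dstport in dst_port)]


def flow_stat(flows, key, sort="octets"):
    """Aggregate flows/octets/packets by 'src', 'dst' or 'pair' (flow-stat
    -f9, -f8, -f10) and sort descending on the chosen column."""
    keyfn = {"src": lambda f: f.srcaddr, "dst": lambda f: f.dstaddr,
             "pair": lambda f: (f.srcaddr, f.dstaddr)}[key]
    agg = defaultdict(lambda: {"flows": 0, "octets": 0, "packets": 0})
    for f in flows:
        a = agg[keyfn(f)]
        a["flows"] += 1
        a["octets"] += f.doctets
        a["packets"] += f.dpkts
    return sorted(agg.items(), key=lambda kv: kv[1][sort], reverse=True)


ACLS = parse_flow_acl(FLOW_ACL)


def internally_spoofed():       # flow-filter -Snot_campus -I1,2
    return flow_filter(FLOWS, ACLS, src_acl="not_campus", out_if={1, 2})

def externally_spoofed():       # flow-filter -Scampus -i1,2
    return flow_filter(FLOWS, ACLS, src_acl="campus", in_if={1, 2})

def outbound_smtp_by_source():  # flow-filter -I1,2 -P25 | flow-stat -f9 -S2
    return flow_stat(flow_filter(FLOWS, ACLS, out_if={1, 2}, dst_port={25}), "src")

def multicast_sg(on_campus):    # flow-filter -Dmulticast -I1,2 (or -i1,2) | flow-stat -f10 -S3
    ifs = {"out_if": {1, 2}} if on_campus else {"in_if": {1, 2}}
    return flow_stat(flow_filter(FLOWS, ACLS, dst_acl="multicast", **ifs), "pair")


if __name__ == "__main__":
    print(*flow_stat(internally_spoofed(), "dst"), sep="\n")
```

Running it prints the per-destination summary of the internally spoofed traffic. The unmatched-address rule is the part most likely to differ from a real deployment, so before trusting a report built on a deny-only list such as not_campus, check the list against one address that lies outside every entry and confirm it is selected.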

EXAMPLE - Find scanners

       Find SMTP scanners with flow-dscan.  This will also find SMTP clients
       which try to contact many servers, a behavior characteristic of a
       recent Microsoft worm.

       touch dscan.suppress.src dscan.suppress.dst
       flow-cat /flows/R | flow-filter -P25 | flow-dscan -b

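What a host-scan detector like flow-dscan is doing in the command above, as an added example rather than flow-dscan's own code: count the distinct hosts each source reaches on port 25, report the sources above a threshold, and let the suppress lists (which the touch command above creates empty) remove known false positives such as a campus mail relay that legitimately talks to many servers. The flow records, the suppress-list contents and its one-address-per-line format, and the threshold value are all constructed here; the page does not give flow-dscan's defaults or file format.

```python
# Added example, not flow-dscan's code: host-scan detection in the style of
# flow-dscan, run over constructed flow records and a constructed suppress list.
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "srcaddr dstaddr dstport")

# Constructed SMTP flows: a campus relay delivering to six outside MX hosts, one
# outside source touching eight campus hosts on port 25 (with repeat flows to
# one of them), and an ordinary client talking to a single server.
FLOWS = (
    [Flow("10.1.4.25", f"192.0.2.{n}", 25) for n in range(1, 7)]
    + [Flow("203.0.113.66", f"10.1.4.{n}", 25) for n in range(10, 18)]
    + [Flow("203.0.113.66", "10.1.4.10", 25)] * 3
    + [Flow("10.1.3.40", "192.0.2.9", 25)]
)

# Constructed dscan.suppress.src contents; the one-address-per-line format with
# '#' comments is an assumption, not taken from the page.
SUPPRESS_SRC = """
# campus mail relay: legitimately contacts many servers
10.1.4.25
"""


def load_suppress(text):
    """Parse a suppress list into a set of addresses, ignoring comments."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def find_host_scans(flows, dst_port=25, threshold=5,
                    suppress_src=frozenset(), suppress_dst=frozenset()):
    """Report (source, distinct hosts) for sources that reached at least
    `threshold` distinct hosts on dst_port, skipping suppressed sources and
    suppressed destinations.  Repeated flows to the same host count once.
    The threshold is a constructed value, not flow-dscan's default."""
    targets = defaultdict(set)
    for f in flows:
        if (f.dstport != dst_port or f.srcaddr in suppress_src
                or f.dstaddr in suppress_dst):
            continue
        targets[f.srcaddr].add(f.dstaddr)
    return sorted((src, len(hosts)) for src, hosts in targets.items()
                  if len(hosts) >= threshold)


if __name__ == "__main__":
    print("without suppress list:", find_host_scans(FLOWS))
    print("with suppress list:   ",
          find_host_scans(FLOWS, suppress_src=load_suppress(SUPPRESS_SRC)))
```

Without the suppress list the relay and the probing source are both reported; with the relay in dscan.suppress.src only the probing source remains, which is the page's point that a scan detector on its own cannot tell a busy legitimate client from a scanner.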

AUTHOR

       Mark Fullmer maf@splintered.net


SEE ALSO

       flow-tools(1)