flow-tools-examples — Example usage of flow-tools.

NetFlow is configured on each input interface, then global commands are
used to specify the export destination. To ensure a consistent source
address, Loopback0 is configured as the export source.

ip cef distributed
ip flow-export version 5 origin-as
ip flow-export destination 10.0.0.100 5004
ip flow-export source Loopback0

interface Loopback0
 ip address 10.1.1.1 255.255.255.255

interface FastEthernet0/1/0
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip route-cache flow
 ip route-cache distributed

Many other options exist, such as aggregated NetFlow and sampled NetFlow,
which are detailed at http://www.cisco.com.

Some Cisco Catalyst switches support a different implementation of
NetFlow that is performed on the Supervisor. With the cache-based
forwarding model, which is implemented in the Catalyst 55xx with Route
Switch Module (RSM) and NetFlow Feature Card (NFFC), the RSM processes
the first packet of each flow and the remaining packets in the flow are
forwarded by the Supervisor. This is also implemented in the early
versions of the 65xx with MSFC. The deterministic forwarding model used
in the 65xx with MSFC2 does not use NetFlow to determine the forwarding
path; the flow cache is only used for statistics, as in the current IOS
implementations. In all of the above configurations flow exports arrive
from both the RSM/MSFC and the Supervisor engines as distinct streams.
In the worst case the RSM exports in version 5 and the Supervisor
exports in version 7. Fortunately flow-capture and flow-receive can
sort all this out by processing flows from both sources and converting
them to a common export format.

The router side running IOS is configured identically to the example
given above. The CatIOS NetFlow Data Export configuration follows:

set mls flow full
set mls nde version 7
set mls nde 10.0.0.1 9800
set mls nde enable

When the 65xx is running in Native mode, from a user's perspective the
switch is only running IOS.

More detailed examples can be found on Cisco's web site at
http://www.cisco.com.

Juniper supports flow exports by having the routing engine sample packet
headers and aggregate them into flows. Packet sampling is enabled by
defining a firewall filter that samples and accepts all traffic, applying
that filter to the interface, then configuring the sampling forwarding
option.

interfaces {
    ge-0/3/0 {
        unit 0 {
            family inet {
                filter {
                    input all;
                    output all;
                }
                address 10.0.0.1/24;
            }
        }
    }
}

firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
}

forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
            }
        }
        output {
            cflowd 10.0.0.100 {
                port 9800;
                version 5;
            }
        }
    }
}

Other options exist, such as aggregated flows, which are detailed at
http://www.juniper.net.

The network topology and flow.acl below will be used for many of the
examples that follow. Flows are collected and stored in /flows/R.

                ISP-A                           ISP-B
                  +                               +
                   +                             +
  IP=10.1.2.1/24    +                           +    IP=10.1.1.1/24
  ifIndex=2          +                         +     ifIndex=1
  interface=serial1/1 +                       + interface=serial0/0
                       -----------------------
                       |          R          |  Campus Router
                       -----------------------
                      +                       +
  IP=10.1.4.1/24     +                         +     IP=10.1.3.1/24
  ifIndex=4         +                           +    ifIndex=3
  interface=Ethernet1/1                       interface=Ethernet0/0
                  +                               +
                Sales                           Marketing

ip access-list standard sales permit 10.1.4.0 0.0.0.255
ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
ip access-list standard marketing permit 10.1.3.0 0.0.0.255
ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard evil_hacket permit host 10.6.6.6
ip access-list standard spoofer permit host 10.9.9.9
ip access-list standard multicast permit 224.0.0.0 15.255.255.255

A common problem on the Internet is the use of "spoofed" addresses
(source addresses that are not assigned to the organization sending
them) in DoS attacks or in compromising servers that rely on the source
IP address for authentication.

Display all flow records that originate from the campus and are sent to
the Internet but are not using legal addresses.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

Summary of the destinations of the internally spoofed addresses sorted
by octets.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

Summary of the sources of the internally spoofed addresses sorted by
flows.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

Summary of the internally spoofed source and destination pairs sorted
by packets.

flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

Display all flow records that originate external to the campus but
carry campus source addresses. Many times these are attackers trying to
exploit host-based authentication mechanisms like the Unix r* commands.
Another common source is mobile clients which send packets with their
campus addresses before obtaining a valid IP address.

flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

Summary of the destinations of the externally spoofed addresses sorted
by octets.

flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2
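
The following is an added example and is not part of flow-tools or of this
page: a small Python model of what the flow.acl, the flow-filter
-Snot_campus -I1,2 / -Scampus -i1,2 steps and the flow-stat -f8 -S2 summary
compute, run over constructed flow records instead of /flows/R. The
interface numbers follow the topology above (ifIndex 1 and 2 are the ISP
uplinks, 3 and 4 the Marketing and Sales LANs). The handling of deny-only
lists is this example's assumption, stated in the code.

```python
# Added example (not flow-tools code and not from the man page): a Python
# model of
#   flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2   (internally spoofed)
#   flow-filter -Scampus -i1,2 | flow-print               (externally spoofed)
# run over constructed flow records.
from collections import defaultdict, namedtuple
from ipaddress import IPv4Address

# Subset of a NetFlow v5 record that these examples need.
FlowRecord = namedtuple("FlowRecord",
                        "srcaddr dstaddr input output dstport packets octets")

# The flow.acl from the page (Cisco standard ACL syntax).
FLOW_ACL = """\
ip access-list standard sales permit 10.1.4.0 0.0.0.255
ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
ip access-list standard marketing permit 10.1.3.0 0.0.0.255
ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
ip access-list standard campus permit 10.1.4.0 0.0.0.255
ip access-list standard campus permit 10.1.3.0 0.0.0.255
ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
ip access-list standard evil_hacket permit host 10.6.6.6
ip access-list standard spoofer permit host 10.9.9.9
ip access-list standard multicast permit 224.0.0.0 15.255.255.255
"""

def parse_flow_acl(text):
    """Return {name: [(permit, address, wildcard), ...]} in file order."""
    acls = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if fields[:3] != ["ip", "access-list", "standard"]:
            continue
        name, action, rest = fields[3], fields[4], fields[5:]
        if rest[0] == "host":                       # "host X" is X with wildcard 0.0.0.0
            addr, wildcard = rest[1], "0.0.0.0"
        else:
            addr = rest[0]
            wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"
        acls[name].append((action == "permit",
                           int(IPv4Address(addr)), int(IPv4Address(wildcard))))
    return dict(acls)

def acl_permits(entries, ip):
    """First matching entry wins. A list containing permit entries ends with
    Cisco's implicit deny; a deny-only list such as not_campus is taken to
    permit everything it does not deny (assumption of this example: it is the
    only reading under which the -Snot_campus pipelines select anything)."""
    ip_int = int(IPv4Address(ip))
    for permit, addr, wildcard in entries:
        if ((ip_int ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:   # wildcard bits are don't-care
            return permit
    return not any(permit for permit, _, _ in entries)

ACLS = parse_flow_acl(FLOW_ACL)

def flow_filter(flows, src_acl=None, dst_acl=None, in_ifs=(), out_ifs=(), dst_port=None):
    """Model of flow-filter -S, -D, -i, -I and -P: every given test must pass."""
    kept = []
    for f in flows:
        if src_acl and not acl_permits(ACLS[src_acl], f.srcaddr):
            continue
        if dst_acl and not acl_permits(ACLS[dst_acl], f.dstaddr):
            continue
        if in_ifs and f.input not in in_ifs:
            continue
        if out_ifs and f.output not in out_ifs:
            continue
        if dst_port is not None and f.dstport != dst_port:
            continue
        kept.append(f)
    return kept

def flow_stat(flows, key_fields, sort_by="octets"):
    """Model of flow-stat -f8/-f9/-f10 with -S: totals per key, sorted descending
    on flows, octets or packets. Rows are (key, flows, octets, packets)."""
    totals = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        t = totals[tuple(getattr(f, k) for k in key_fields)]
        t[0] += 1
        t[1] += f.octets
        t[2] += f.packets
    col = 1 + ("flows", "octets", "packets").index(sort_by)
    return sorted(((k, *v) for k, v in totals.items()),
                  key=lambda row: row[col], reverse=True)

# Constructed flow records; documentation-range addresses stand in for the Internet.
FLOWS = [
    FlowRecord("10.1.4.10",   "192.0.2.5",    4, 1, 80,  5,    500),    # Sales to Internet, legitimate
    FlowRecord("10.9.9.9",    "192.0.2.5",    4, 1, 80,  1000, 60000),  # spoofed source leaving via ISP-B
    FlowRecord("10.9.9.9",    "198.51.100.7", 3, 2, 53,  40,   4000),   # spoofed source leaving via ISP-A
    FlowRecord("10.1.3.20",   "198.51.100.7", 3, 2, 25,  12,   1200),   # Marketing to Internet, legitimate
    FlowRecord("10.1.4.77",   "10.1.3.5",     1, 3, 513, 8,    800),    # campus source arriving from ISP-B
    FlowRecord("203.0.113.9", "10.1.4.10",    2, 4, 443, 3,    300),    # Internet to Sales, legitimate
    FlowRecord("10.6.6.6",    "192.0.2.5",    3, 1, 80,  1,    100),    # non-campus source leaving via ISP-B
]

def internally_spoofed_by_destination(flows):
    """flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2"""
    return flow_stat(flow_filter(flows, src_acl="not_campus", out_ifs={1, 2}),
                     ("dstaddr",), "octets")

def externally_spoofed(flows):
    """flow-filter -Scampus -i1,2 | flow-print"""
    return flow_filter(flows, src_acl="campus", in_ifs={1, 2})

if __name__ == "__main__":
    for row in internally_spoofed_by_destination(FLOWS):
        print(row)
    for f in externally_spoofed(FLOWS):
        print(f)
```

On the constructed records the internally spoofed summary reports
192.0.2.5 first (two flows, 60100 octets) and 198.51.100.7 second, while the
externally spoofed query returns only the record whose campus source arrived
on ifIndex 1. Changing the key fields to ("srcaddr",) or
("srcaddr", "dstaddr") and the sort column reproduces the -f9 -S1 and
-f10 -S4 variants above.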

Find all SMTP servers active during the collection period that have
established connections to the Internet. Summarize sorted by octets.

flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

Find all outbound NNTP connections to the Internet. Summarize with
source and destination IP sorted by octets.

flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

Find all inbound NNTP connections from the Internet. Summarize with
source and destination IP sorted by octets.

flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3

Summarize Multicast S,G where sources are on campus.

flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

Summarize Multicast S,G where sources are off campus.

flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

Find SMTP scanners with flow-dscan. This will also find SMTP clients
which try to contact many servers, a behavior characteristic of a recent
Microsoft worm.

touch dscan.suppress.src dscan.suppress.dst
flow-cat /flows/R | flow-filter -P25 | flow-dscan -b
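
The following is an added example and is not flow-dscan code or part of
this page: a Python model of the fan-out test behind the flow-filter -P25 |
flow-dscan pipeline, run over constructed flow records. A source that
contacts many distinct SMTP servers is reported unless it appears in a
suppress set, which stands in for the dscan.suppress.src and
dscan.suppress.dst files created with touch above. The threshold of five
destinations is this example's assumption, not flow-dscan's default.

```python
# Added example (not flow-dscan code and not from the man page): per-source
# destination fan-out on port 25, the signal a scanner detector keys on.
from collections import defaultdict, namedtuple

FlowRecord = namedtuple("FlowRecord", "srcaddr dstaddr dstport octets")

def constructed_flows():
    """Constructed sample: one host probing many SMTP servers, a campus mail
    relay with a few peers, a second prober that will be suppressed, and
    unrelated web traffic."""
    flows = []
    for i in range(1, 9):                                           # 8 distinct SMTP peers
        flows.append(FlowRecord("10.1.4.50", f"192.0.2.{i}", 25, 60))
    flows.append(FlowRecord("10.1.4.50", "192.0.2.1", 25, 60))      # repeat; still one peer
    for host in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        flows.append(FlowRecord("10.1.3.10", host, 25, 5000))       # mail relay, 3 peers
    for i in range(1, 7):                                           # 6 peers, suppressed below
        flows.append(FlowRecord("10.1.4.60", f"203.0.113.{i}", 25, 60))
    flows.append(FlowRecord("10.1.4.9", "192.0.2.200", 80, 900))    # not SMTP, ignored
    return flows

FLOWS = constructed_flows()
SUPPRESS_SRC = {"10.1.4.60"}   # constructed dscan.suppress.src content
SUPPRESS_DST = set()           # constructed dscan.suppress.dst content (empty, as after touch)

def smtp_fanout(flows, port=25, suppress_src=(), suppress_dst=()):
    """Per source address, the set of distinct destination hosts contacted on
    `port`, after applying both suppress lists. The port test plays the role
    of the flow-filter -P25 stage."""
    peers = defaultdict(set)
    for f in flows:
        if f.dstport != port or f.srcaddr in suppress_src or f.dstaddr in suppress_dst:
            continue
        peers[f.srcaddr].add(f.dstaddr)
    return peers

def find_scanners(flows, threshold=5, **filters):
    """Sources whose fan-out reaches `threshold` (this example's assumed
    cut-off), widest fan-out first, as (srcaddr, distinct_destinations)."""
    peers = smtp_fanout(flows, **filters)
    hits = [(src, len(dsts)) for src, dsts in peers.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))

if __name__ == "__main__":
    for src, n in find_scanners(FLOWS, suppress_src=SUPPRESS_SRC, suppress_dst=SUPPRESS_DST):
        print(f"{src} contacted {n} distinct SMTP servers")
```

With the threshold lowered to three, the campus mail relay is reported as
well, which is the false-positive class the paragraph above describes
(legitimate SMTP clients that talk to many servers) and the reason the
suppress files exist.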

Mark Fullmer maf@splintered.net

flow-tools(1)

flow-tools-examples(1)