Flow-tools Tutorial
advertisement
Flow-tools Tutorial
Mark Fullmer
maf@oar.net
Agenda
• Deployment motivation.
• Network flows.
• Cisco / Juniper implementation –
NetFlow.
• Cisco / Juniper Configuration.
• flow-tools programs overview and
examples from Abilene and OhioGigapop.
Motivations
• Where your campus exchanges traffic
with by IP address, IP Prefix, or ASN.
• What type and how much traffic (SMTP,
WEB, File Sharing, etc).
• What services running on campus.
• Department level traffic summaries.
• Track network based viruses back to
hosts.
Motivations
• Track DoS attacks to the source(s), ie
the 100 Solaris servers flooding
whitehouse.gov that have been 0wn3d.
• Find busy hosts on campus.
• How many destinations each campus
host exchanges traffic with.
• Campus host counts by service, ie how
many active web servers.
Network Flows
• Packets or frames that have a common
attribute.
• Creation and expiration policy – what
conditions start and stop a flow.
• Counters – packets,bytes,time.
• Routing information – AS, network
mask, interfaces.
Network Flows
• Unidirectional or bidirectional.
• Bidirectional flows can contain other
information such as round trip time,
TCP behavior.
• Application flows look past the headers
to classify packets by their contents.
• Aggregated flows – flows of flows.
ssh session
faith.splintered:~% ssh eng4.oar.net w
10:12PM up 476 days, 21:06, 7 users, load
USER
TTY
FROM
maf
p0
dhcp9578217.colu
maf
p1
dhcp9578217.colu
maf
p2
dhcp9578217.colu
maf
p7
login.enss.net
maf
p8
login.enss.net
maf
p9
login.enss.net
maf
pa
login.enss.net
averages: 0.00, 0.00, 0.00
LOGIN@ IDLE WHAT
30Sep02 2days ssh
Wed12AM
12 -zsh (zsh)
Wed07AM 3:03 -zsh (zsh)
22Mar02 199days 12Apr02 47days 24Jul02 75days 25Jul02 47days -
ssh session
faith.splintered:/usr/home/maf# tcpdump -q -i sis0 -n ip and host eng4.oar.net
tcpdump: listening on sis0
22:27:46.565664 24.95.78.217.1065 > 192.148.244.24.22: tcp 0 (DF)
22:27:46.603058 192.148.244.24.22 > 24.95.78.217.1065: tcp 0 (DF)
22:27:46.603523 24.95.78.217.1065 > 192.148.244.24.22: tcp 0 (DF)
22:27:46.717333 192.148.244.24.22 > 24.95.78.217.1065: tcp 15 (DF) [tos 0x10]
22:27:46.717706 24.95.78.217.1065 > 192.148.244.24.22: tcp 20 (DF)
22:27:46.830214 192.148.244.24.22 > 24.95.78.217.1065: tcp 276 (DF) [tos 0x10]
22:27:46.846743 24.95.78.217.1065 > 192.148.244.24.22: tcp 156 (DF)
22:27:46.967105 192.148.244.24.22 > 24.95.78.217.1065: tcp 12 (DF) [tos 0x10]
22:27:46.967292 24.95.78.217.1065 > 192.148.244.24.22: tcp 20 (DF)
22:27:47.062173 192.148.244.24.22 > 24.95.78.217.1065: tcp 60 (DF) [tos 0x10]
22:27:47.062239 192.148.244.24.22 > 24.95.78.217.1065: tcp 12 (DF) [tos 0x10]
22:27:47.062433 24.95.78.217.1065 > 192.148.244.24.22: tcp 0 (DF)
22:27:47.062636 24.95.78.217.1065 > 192.148.244.24.22: tcp 140 (DF)
22:27:47.196829 192.148.244.24.22 > 24.95.78.217.1065: tcp 140 (DF) [tos 0x10]
22:27:47.204546 24.95.78.217.1065 > 192.148.244.24.22: tcp 28 (DF)
28 packets, 728 byte + IP/TCP overhead.
Unidirectional Flow with
Source/Destination IP Key
% ssh 10.0.0.2 w
10.0.0.1
reply
Active Flows
Flow Source IP
1 10.0.0.1
2 10.0.0.2
Destination IP
10.0.0.2
10.0.0.1
10.0.0.2
Unidirectional Flow with
Source/Destination IP Key
% telnet 10.0.0.2
% ping 10.0.0.2
10.0.0.1
login:
ICMP echo reply
Active Flows
Flow Source IP
1 10.0.0.1
2 10.0.0.2
Destination IP
10.0.0.2
10.0.0.1
10.0.0.2
Unidirectional Flow with IP,
Port,Protocol Key
% telnet 10.0.0.2
% ping 10.0.0.2
10.0.0.1
login:
ICMP echo reply
10.0.0.2
Active Flows
Flow Source IP
1
2
3
4
10.0.0.1
10.0.0.2
10.0.0.1
10.0.0.2
Destination IP
prot
srcPort dstPort
10.0.0.2
10.0.0.1
10.0.0.2
10.0.0.1
TCP
TCP
ICMP
ICMP
32000
23
0
0
23
32000
0
0
Bidirectional Flow with IP,
Port,Protocol Key
% telnet 10.0.0.2
% ping 10.0.0.2
10.0.0.1
login:
ICMP echo reply
10.0.0.2
Active Flows
Flow Source IP
1 10.0.0.1
2 10.0.0.1
Destination IP
prot
srcPort dstPort
10.0.0.2
10.0.0.2
TCP 32000 23
ICMP 0
0
Application Flow
% netscape http://10.0.0.2/9090
10.0.0.1
Web server on
Port 9090
10.0.0.2
Content-type:
Active Flows
Flow Source IP
1 10.0.0.1
Destination IP
Application
10.0.0.2
HTTP
Aggregated Flow
Main Active flow table
Flow Source IP
1
2
3
4
10.0.0.1
10.0.0.2
10.0.0.1
10.0.0.2
Destination IP
prot
srcPort dstPort
10.0.0.2
10.0.0.1
10.0.0.2
10.0.0.1
TCP
TCP
ICMP
ICMP
32000
23
0
0
Source/Destination IP Aggregate
Flow Source IP
1 10.0.0.1
2 10.0.0.2
Destination IP
10.0.0.2
10.0.0.1
23
32000
0
0
NetFlow data reduction
Look at 1 day of flows exports from krc4:
Flows
Octets
Packets
Flow size
Flows/packet
Packet overhead
Octets in a flow
111182160
2450050798277
4057574675
48 bytes
30 (typical)
24 bytes
1464 bytes
NetFlow data reduction
Look at 1 day of flows exports from krc4:
Packets/Flow
Octets/Flow
Octets/Packet
Packets/Flow export
Octets/Flow export
Octets/Octets in
a flow export
37
22036
603
1095
661092
452
Packets/Flow distribution
Octets/Flow distribution
Flow Descriptors
• A Key with more elements will generate
more flows.
• Greater number of flows leads to more
post processing time to generate
reports, more memory and CPU
requirements for device generating
flows.
• Depends on application. Traffic
engineering vs. intrusion detection.
Flow Accounting
• Accounting information accumulated
with flows.
• Packets, Bytes, Start Time, End Time.
• Network routing information – masks
and autonomous system number.
Flow Collection
• Passive monitor.
• Router.
• Other existing network device.
Passive Monitor Collection
Workstation A
Flow probe connected
to switch port in
“ traffic mirror” mode
Workstation B
Campus
Router Collection
LAN
LAN
LAN
LAN
Internet
Flow collector
stores exported flows from router.
Passive Monitor
• Directly connected to a LAN segment
via a switch/router port in “mirror” mode,
optical splitter, or repeated segment.
• Generate flows for all local LAN traffic.
• Must have an interface or monitor
deployed on each LAN segment.
• Support for more detailed flows –
bidirectional and application (external
probe has more resources).
Router Collection
• Router will generate flows for traffic that
traverses the router.
• Flows are not generated for local LAN
traffic (not a sniffer).
• Limited to “simple” flow criteria (packet
headers).
• Generally easier to deploy – no new
equipment.
Cisco NetFlow
• Unidirectional flows.
• IPv4 unicast and multicast.
• Aggregated (v8) and unaggregated
(v1,5,6,7).
• Flows exported via UDP.
• Supported on IOS and CatIOS
platforms.
• Catalyst NetFlow is different
implementation.
Cisco NetFlow Versions
•
•
•
•
4 Unaggregated types (1,5,6,7).
14 Aggregated types (8.x).
Each version has its own packet format.
Version 1 does not have sequence
numbers – no way to detect lost flows.
• The “version” defines what type of data
is in the flow.
• Some versions specific to Catalyst
platform.
Cisco NetFlow Versions
• v9 in development. More flexible packet
format so new fields can be added
without creating yet another version
while still maintaining compact
encoding.
NetFlow v1
• Key fields: Source/Destination IP,
Source/Destination Port, IP Protocol,
ToS, Input interface.
• Accounting: Packets, Octets, Start/End
time, Output interface.
• Other: Bitwise OR of TCP flags.
• Historical – don’t use. No sequence #’s.
NetFlow v5
• Key fields: Source/Destination IP,
Source/Destination Port, IP Protocol,
ToS, Input interface.
• Accounting: Packets, Octets, Start/End
time, Output interface.
• Other: Bitwise OR of TCP flags,
Source/Destination AS and IP Mask.
• Packet format adds sequence numbers
for detecting lost exports.
NetFlow v8
• Aggregated v5 flows.
• 3 Catalyst 65xx specific that correspond
to the configurable flow mask.
• Much less data to post process, but lose
fine granularity of v5 – no IP addresses.
NetFlow v8
•
•
•
•
•
•
•
•
AS
Protocol/Port
Source Prefix
Destination Prefix
Prefix
Destination (Catalyst 65xx)
Source/Destination (Catalyst 65xx)
Full Flow (Catalyst 65xx)
NetFlow v8
•
•
•
•
•
•
ToS/AS
ToS/Protocol/Port
ToS/Source Prefix
ToS/Destination Prefix
Tos/Source/Destination Prefix
ToS/Prefix/Port
NetFlow Packet Format
• Common header among export
versions.
• All but v1 have a sequence number.
• Version specific data field where N
records of data type are exported.
• N is determined by the size of the flow
definition. Packet size is kept under
~1480 bytes. No fragmentation on
Ethernet. No PMTU detection.
NetFlow v5 Packet Example
IP/UDP packet
NetFlow
v5 header
v5 record
…
…
v5 record
NetFlow v5 Packet (Header)
struct ftpdu_v5 {
/* 24 byte header */
u_int16 version;
/*
u_int16 count;
/*
u_int32 sysUpTime;
/*
u_int32 unix_secs;
/*
u_int32 unix_nsecs;
/*
u_int32 flow_sequence;/*
u_int8 engine_type; /*
u_int8 engine_id;
/*
u_int16 reserved;
5 */
The number of records in the PDU */
Current time in millisecs since router booted */
Current seconds since 0000 UTC 1970 */
Residual nanoseconds since 0000 UTC 1970 */
Seq counter of total flows seen */
Type of flow switching engine (RP,VIP,etc.) */
Slot number of the flow switching engine */
NetFlow v5 Packet (Records)
/* 48 byte payload */
struct ftrec_v5 {
u_int32 srcaddr;
/* Source IP Address */
u_int32 dstaddr;
/* Destination IP Address */
u_int32 nexthop;
/* Next hop router's IP Address */
u_int16 input;
/* Input interface index */
u_int16 output;
/* Output interface index */
u_int32 dPkts;
/* Packets sent in Duration */
u_int32 dOctets;
/* Octets sent in Duration. */
u_int32 First;
/* SysUptime at start of flow */
u_int32 Last;
/* and of last packet of flow */
u_int16 srcport;
/* TCP/UDP source port number or equivalent */
u_int16 dstport;
/* TCP/UDP destination port number or equiv */
u_int8 pad;
u_int8 tcp_flags; /* Cumulative OR of tcp flags */
u_int8 prot;
/* IP protocol, e.g., 6=TCP, 17=UDP, ... */
u_int8 tos;
/* IP Type-of-Service */
u_int16 src_as;
/* originating AS of source address */
u_int16 dst_as;
/* originating AS of destination address */
u_int8 src_mask;
/* source address prefix mask bits */
u_int8 dst_mask;
/* destination address prefix mask bits */
u_int16 drops;
} records[FT_PDU_V5_MAXFLOWS];
};
NetFlow v8 Packet Example
(AS Aggregation)
IP/UDP packet
NetFlow
v8 header
v8 record
…
…
v8 record
NetFlow v8 AS agg. Packet
struct ftpdu_v8_1 {
/* 28 byte header */
u_int16 version;
/* 8 */
u_int16 count;
/* The number of records in the PDU */
u_int32 sysUpTime;
/* Current time in millisecs since router booted */
u_int32 unix_secs;
/* Current seconds since 0000 UTC 1970 */
u_int32 unix_nsecs;
/* Residual nanoseconds since 0000 UTC 1970 */
u_int32 flow_sequence; /* Seq counter of total flows seen */
u_int8 engine_type;
/* Type of flow switching engine (RP,VIP,etc.) */
u_int8 engine_id;
/* Slot number of the flow switching engine */
u_int8 aggregation;
/* Aggregation method being used */
u_int8 agg_version;
/* Version of the aggregation export */
u_int32 reserved;
/* 28 byte payload */
struct ftrec_v8_1 {
u_int32 dFlows;
/* Number of flows */
u_int32 dPkts;
/* Packets sent in duration */
u_int32 dOctets;
/* Octets sent in duration */
u_int32 First;
/* SysUpTime at start of flow */
u_int32 Last;
/* and of last packet of flow */
u_int16 src_as;
/* originating AS of source address */
u_int16 dst_as;
/* originating AS of destination address */
u_int16 input;
/* input interface index */
u_int16 output;
/* output interface index */
} records[FT_PDU_V8_1_MAXFLOWS];
};
Cisco IOS Configuration
• Configured on each input interface.
• Define the version.
• Define the IP address of the collector
(where to send the flows).
• Optionally enable aggregation tables.
• Optionally configure flow timeout and
main (v5) flow table size.
• Optionally configure sample rate.
Cisco IOS Configuration
interface FastEthernet0/0/0
ip address 10.0.0.1 255.255.255.0
no ip directed-broadcast
ip route-cache flow
interface ATM1/0/0
no ip address
no ip directed-broadcast
ip route-cache flow
interface Loopback0
ip address 10.10.10.10 255.255.255.255
no ip directed-broadcast
ip flow-export version 5 origin-as
ip flow-export destination 10.0.0.10 5004
ip flow-export source loopback 0
ip flow-aggregation cache prefix
export destination 10.0.0.10 5555
enabled
Cisco IOS Configuration
krc4#sh ip flow export
Flow export is enabled
Exporting flows to 10.0.0.10 (5004)
Exporting using source IP address 10.10.10.10
Version 5 flow records, origin-as
Cache for prefix aggregation:
Exporting flows to 10.0.0.10 (5555)
Exporting using source IP address 10.10.10.10
3176848179 flows exported in 105898459 udp datagrams
0 flows failed due to lack of export packet
45 export packets were sent up to process level
0 export packets were punted to the RP
5 export packets were dropped due to no fib
31 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops
Cisco IOS Configuration
krc4#sho ip ca fl
IP packet size distribution (106519M total packets):
1-32
64
96 128 160 192 224 256 288 320 352 384 416 448 480
.002 .405 .076 .017 .011 .010 .007 .005 .004 .005 .004 .004 .003 .002 .002
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.002 .006 .024 .032 .368 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 4456704 bytes
36418 active, 29118 inactive, 3141073565 added
3132256745 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
last clearing of statistics never
Protocol
Total
Flows
Packets Bytes Packets Active(Sec) Idle(Sec)
-------Flows
/Sec
/Flow /Pkt
/Sec
/Flow
/Flow
TCP-Telnet
2951815
0.6
61
216
42.2
26.6
21.4
TCP-FTP
24128311
5.6
71
748
402.3
15.0
26.3
TCP-FTPD
2865416
0.6
916
843
611.6
34.7
19.8
TCP-WWW
467748914
108.9
15
566
1675.8
4.9
21.6
TCP-SMTP
46697428
10.8
14
370
159.6
4.0
20.1
TCP-X
521071
0.1
203
608
24.7
24.5
24.2
TCP-BGP
2835505
0.6
5
94
3.3
16.2
20.7
Cisco IOS Configuration
krc4#sho ip ca fl
TCP-other
UDP-DNS
UDP-NTP
UDP-TFTP
UDP-Frag
UDP-other
ICMP
IGMP
IPINIP
GRE
IP-other
Total:
SrcIf
AT5/0/0.4
AT4/0/0.10
AT4/0/0.12
AT1/0/0.1
1620253066
125622144
67332976
37173
68421
493337764
243659509
18601
12246
125763
75976755
3176854246
377.2
29.2
15.6
0.0
0.0
114.8
56.7
0.0
0.0
0.0
17.6
739.6
SrcIPaddress
206.21.162.150
132.235.174.9
131.123.59.33
137.99.166.126
47
2
1
2
474
17
3
96
69
235
2
33
DstIf
AT1/0/0.1
AT1/0/0.1
AT1/0/0.1
AT4/0/0.10
631
78
76
76
900
479
166
35
52
156
78
619
18001.6
82.5
22.0
0.0
7.5
1990.3
179.7
0.4
0.1
6.9
45.4
24797.4
DstIPaddress
141.219.73.45
137.99.166.126
137.229.58.168
132.235.174.9
27.3
4.6
2.7
4.1
111.7
3.8
3.3
941.4
548.4
50.3
3.9
16.2
Pr
06
06
06
06
SrcP
0E4B
04BE
04BE
074C
23.4
24.7
23.4
24.6
21.6
20.2
23.3
8.1
15.2
21.1
22.8
22.6
DstP
A029
074C
09BB
04BE
Pkts
507
3
646
3
Cisco CatIOS Configuration
set
set
set
set
mls
mls
mls
mls
flow full
nde version 7
nde 10.0.0.10 9110
agingtime 32
Cisco CatIOS Configuration
swlap1> sh mls
Total packets switched = 5116997156
Total bytes switched = 2289120109999
Total routes = 2283
IP statistics flows aging time = 32 seconds
IP statistics flows fast aging time = 0 seconds, packet threshold = 0
IP Current flow mask is Full flow
Netflow Data Export version: 8
Netflow Data Export disabled
Netflow Data Export configured for port 9110 on host 10.0.0.10
Total packets exported = 6545
IPX statistics flows aging time = 256 seconds
IPX flow mask is Destination flow
IPX max hop is 255
Module 15: Physical MAC-Address 00-04-9b-78-bb-fc
Cisco CatIOS Configuration
swlap1> sh mls stat entry
Last
Destination IP
Source IP
Prot
---------------- --------------- ----64.219.177.137 206.21.217.6
TCP
207.254.193.44 198.30.37.194
TCP
198.30.37.19
66.183.100.164 TCP
192.88.193.144 199.218.4.130
UDP
192.88.193.144 199.218.5.131
TCP
199.218.4.3
208.249.92.145 TCP
12.42.50.51
198.30.37.19
TCP
199.218.5.130
142.22.16.54
TCP
207.254.193.44 198.30.37.194
TCP
206.21.0.139
24.178.12.64
TCP
217.10.162.50
199.218.5.130
TCP
65.224.146.242 198.30.37.19
TCP
199.218.4.135
65.31.16.245
TCP
24.150.19.19
205.133.123.10 TCP
Used
DstPrt SrcPrt
------ -----2206
WWW
56403 WWW
WWW
1604
DNS
61449
DNS
2157
WWW
37519
11200 WWW
WWW
54658
56391 WWW
110
1085
46983 WWW
2282
WWW
WWW
1196
58043 WWW
Stat-Pkts
---------4
9
4
1
5
6
5
6
40
8
53
4
6
4
Stat-Bytes
--------1113
10567
731
71
235
506
494
745
50762
484
73775
390
650
176
Cisco Catalyst Native IOS
Configuration
mls flow ip destination-source
mls nde flow include
mls nde src_address 10.0.0.9 version 7
ip flow-export source Loopback0
ip flow-export version 5 peer-as
ip flow-export destination 10.0.0.5 5555
Cisco Issues
• Cat 65K Sup2/MSFC2 NetFlow
implementation does not fill in important
fields like input/output interface.
Resolved?
Bug Id : CSCdt21216
Headline Netflow records source / dst interface index missing
Product cat6000
Model x6k-sup2
Component earl
Duplicate of
Severity 3
Status C
Version Found 6.1(1)
Fixed-in Version 6.2(1) 6.1(3) 6.3(1)PAN
Release Notes
On Sup2, the destination and source Interface indices would be reported as zero
in netflow exports. This is a hardware limitation.
Juniper Configration
• Sample packets with firewall filter and
forward to routing engine.
• Sampling rate is limited to 7000pps
(addressed with future PIC).
• Fine for traffic engineering, but
restrictive for DoS and intrusion
detection.
• Juniper calls NetFlow cflowd.
Juniper Configration
Firewall filter
firewall {
filter all {
term all {
then {
sample;
accept;
}
}
}
}
Enable sampling / flows
forwarding-options {
sampling {
input {
family inet {
rate 100;
}
}
output {
cflowd 10.0.0.16{
port 2055;
version 5;
}
}
}
}
Juniper Configration
Apply firewall filter to each interface.
interfaces {
ge-0/3/0 {
unit 0 {
family inet {
filter {
input all;
output all;
}
address 192.148.244.1/24;
}
}
}
Flow-tools
• Collection of programs to collect and
post process Cisco NetFlow compatible
flows.
• Written in C, designed to be fast (scales
to large installations).
• Includes library (ftlib) for custom
applications.
• Installation with configure;make;make
install on most platforms.
• Distributed design for large installations.
flow-capture
• Collect NetFlow export packets and
store to disk.
• Built in compression.
• Manages disk space by expiring older
flow files at configurable limits (dataset
size or number of files).
• Pre-filtering and Pre-tagging.
flow-capture
• Instrumentation for flows/second,
packets/second, and dropped packets.
• Server for TCP based flow-client.
• Privacy mask option for removing host
bits from flows.
flow-capture – flows/second
flow-capture – packets/second
flow-capture –
flow drops/second
flow-fanout
• Replicate NetFlow UDP streams from
one source to many destinations.
• Destination may be a multicast address.
• Same instrumentation as flow-capture.
• Can translate NetFlow packet format on
output.
• Privacy mask support.
flow-expire
• Expire (remove) old flow files based on
dataset size or number of files.
• Same functionality built in to flowcapture.
• Used when managing disk space in a
distributed environment.
Abilene Configuration
• Collect and process flows for Abilene
routers.
• Use sampled NetFlow on Cisco GSR’s.
• Distribute flows to Asta and Arbor
Networks.
• Nightly usage reports.
• Archive of raw anonymized flows.
Abilene Configuration
• Dsitribute post processed data to
internet2.edu.
• Moving to sampled data from Juniper
T640’ and new architecture.
Current Abilene Configuration
NetFlow exports (UDP)
Server running
flow-fanout
@ IU
12 Abilene core routers
Configured with sampled NetFlow
Arbor
Ohio ITEC
Post Processed NetFlow (ssh)
Asta
Internet2.edu
Current Abilene Configuration
Ohio ITEC
NetFlow exports
4 servers running
flow-capture
(data anonymized at collection)
Pull compressed flow files
with rsync from collectors.
Server with 2 Terabyte
RAID5 Array &
flow-expire to
web serverfor nightly
manage disk space reports.
New Abilene Configuration
Server running
flow-fanout
@ IU
POP router with local directly
connected server running
flow-capture and flow-fanout.
NetFlow exports
(UDP)
Compressed files
(rsync via TCP)
Arbor
Ohio ITEC
Post Processed NetFlow (ssh)
Asta
Internet2.edu
New Abilene Configuration
11 Abilene
POPS
Ohio ITEC
Pull compressed flow files
with rsync from collectors.
flow-expire to
manage disk space
flow-report, flow-nfilter,
flow-tag for reports.
Server with 2 Terabyte
RAID5 Array &
web serverfor nightly
reports.
Collector Placement and
configuration
• NetFlow is UDP so the collector should
ideally be directly connected to the
router to minimize packet loss and IP
spoofing risks.
• No flow control. Undersized collector
will drop flows. Monitor netstat –s | grep
buf and configure syslog so dropped
flows will be logged.
flow-print
• Formatted output of flow files.
eng1:% flow-print < ft-v05.2002-01-21.093345-0500 | head -15
srcIP
dstIP
prot srcPort dstPort octets packets
131.238.205.199 194.210.13.1
6
6346
40355
221
5
192.5.110.20
128.195.186.5
17
57040
33468
40
1
128.146.1.7
194.85.127.69
17
53
53
64
1
193.170.62.114
132.235.156.242 6
1453
1214
192
4
134.243.5.160
192.129.25.10
6
80
3360
654
7
132.235.156.242 193.170.62.114
6
1214
1453
160
4
130.206.43.51
130.101.99.107
6
3226
80
96
2
206.244.141.3
128.163.62.17
6
35593
80
739
10
206.244.141.3
128.163.62.17
6
35594
80
577
6
212.33.84.160
132.235.152.47
6
1447
1214
192
4
132.235.157.187 164.58.150.166
6
1214
56938
81
2
129.1.246.97
152.94.20.214
6
4541
6346
912
10
132.235.152.47
212.33.84.160
6
1214
1447
160
4
130.237.131.52
130.101.9.20
6
1246
80
902
15
flow-cat
• Concat many flow files or directories of
files.
eng1:% ls
ft-v05.2002-01-21.160001-0500
ft-v05.2002-01-21.161501-0500
ft-v05.2002-01-21.163001-0500
ft-v05.2002-01-21.164501-0500
ft-v05.2002-01-21.170001-0500
ft-v05.2002-01-21.171501-0500
ft-v05.2002-01-21.173001-0500
tmp-v05.2002-01-21.174501-0500
eng1:% flow-cat . | flow-print
srcIP
138.26.220.46
143.105.55.23
129.15.134.66
132.235.170.19
dstIP
192.5.110.20
18.123.66.15
164.107.69.33
152.30.96.188
prot
17
17
6
6
srcPort
62242
41794
1214
6346
dstPort
33456
41794
2222
1475
octets packets
40
1
40
1
4500
3
128
3
flow-merge
• Flow-merge is similar to flow-cat except
it maintains relative ordering of flows
when combining the files.
• Typically used when combining flows
from multiple collectors.
flow-filter
• Filter flows based on port, protocol,
ASN, IP address, ToS bits, TCP bits,
and tags. (Historical, use flow-nfilter).
eng1% flow-cat . | flow-filter -P119 | flow-print | head -10
srcIP
155.52.46.50
128.223.220.29
155.52.46.50
164.107.115.4
128.223.220.29
128.223.220.29
130.207.244.18
155.52.46.50
198.108.1.146
dstIP
164.107.115.4
129.137.4.135
164.107.115.4
192.58.107.160
129.137.4.135
129.137.4.135
129.22.8.64
164.107.115.4
129.137.4.135
prot
6
6
6
6
6
6
6
6
6
srcPort
33225
52745
33225
60141
52745
52714
36033
33225
17800
dstPort
119
119
119
119
119
119
119
119
119
octets
114
1438382
374
5147961
1356325
561016
30194
130
210720652
packets
2
1022
6
8876
965
398
121
2
216072
flow-nfilter
• Filter flows based any defined fields
including derived operations such as
pps, bbs, and duration.
• Configuration file based.
• Supports AND and OR operations.
• Filters and primitives are named for
ease of use.
• Use patricia trees, hash tables, and
bucket lookups where possible for fast
processing.
flow-nfilter
filter-primitive abilene-interface
type ifindex
permit 25
filter-definition to-abilene
match dst-ifindex abilene-interface
filter-definition from-abilene
match src-ifindex abilene-interface
filter-primitive UDPTCP
type ip-protocol
permit tcp
permit udp
filter-definition udptcp
match ip-protocol UDPTCP
flow-nfilter
filter-primitive OSU
type ip-address-prefix
permit 128.146/16
permit 140.254/16
permit 164.107/16
filter-primitive DNS
type ip-port
match 53
filter-primitive WEB
type ip-port
match 80,8080,443
filter-definition OSUDNS
match ip-address OSU
match ip-protocol UDP
match ip-destination-port DNS
flow-nfilter
• IP address lookup is patricia trie, worst
case performance O(W) (W is length of
address).
• IP Protocol lookup is bucket, always
O(1).
• IP Port lookup is bucket, always O(1).
• Performance remains relatively constant
even if loading up prefix list with full
internet routing table (100,000+ entries).
flow-nfilter
• Some other lookups use hash tables,
for example IP address list or tag list.
Usually O(1).
• A few filters do require linear lookups
but by nature list is short, ie pps filter or
start time filter.
• Short circuit evaluation for AND and OR
operations.
flow-split
• Split flow files into smaller files.
• Split based on time, tags, or number of
flows.
• Typically used with flow-stat/flow-report
for graphing. For example flow-split can
produce 5 minute intervals from a day
long dataset for time-series graphing.
flow-tag
• Adds a tag field to flows based on IP
exporter, IP prefix, Autonomous System,
or next hop.
• Used to manage groups of prefixes or
ASN’s.
• Example, group IP prefixes by customer
ID for billing.
flow-tag
#
# tag format
#
# 0
7
15
23
31
# 0000 0000 0000 0000 0000 0000 0000 0000 (32 bits)
# RRRRRRRRRRRRRR TTTT NNNNNNNNNNNNNNNNNNN
#
|
|
| Site name
#
|
| Site type
#
| Reserved
#
# BGP community 65000:X is site name (X -> N)
# BGP community 65001:Y is site type (Y -> T)
#
# SITE_NAME_MASK = 0x0000FFFF
# SITE_TYPE_MASK = 0x00FF0000
#
# ID
Name
#--------------------------------# 0x0001
OSU
# 0x0002
CWRU
# 0x0003
BGSU
# 0x0004
UC
# 0x0005
UAKRON
# 0x0006
WRIGHT
# 0x0007
KENT
# 0x0008
DAYTON
# 0x0009
OBERLIN
# ID
Type
#-----------------------# 0x01
Participant
# 0x02
SEGP
# 0x03
Sponsored-Participant
# 0x04
Gigapop
# 0x05
MULTICAST
flow-tag
tag-action OHIO-GIGAPOP_DST
type dst-prefix
# OSU
match 128.146/16 set-dst
match 164.107/16 set-dst
match 140.254/16 set-dst
match 192.153.26/24 set-dst
# CWRU
match 129.22/16 set-dst
match 192.5.110/24 set-dst
# BGSU
match 129.1/16 set-dst
# UC
match 129.137/16 set-dst
# UAKRON
match 130.101/16 set-dst
# WRIGHT
match 130.108/16 set-dst
# KENT
match 131.123/16 set-dst
# DAYTON
match 131.238/16 set-dst
# OBERLIN
match 132.162/16 set-dst
0x010001
0x010001
0x010001
0x010001
0x010002
0x010002
0x010003
0x010004
0x010005
0x010006
0x010007
0x020008
0x020009
tag-action OTHER_DST
type src-prefix
match 0/0 set-dst 0x0
tag-action OTHER_SRC
type src-prefix
match 0/0 set-src 0x0
tag-definition OHIO-GIGAPOP
term
input-filter 25
action OTHER_DST
action OHIO-GIGAPOP_DST
term
output-filter 25
action OTHER_SRC
action OHIO-GIGAPOP_SRC
flow-header
• Display meta information in flow file.
eng1:% flow-header < ft-v05.2002-01-21.093345-0500
#
# mode:
normal
# capture hostname:
eng1.oar.net
# exporter IP address: 0.0.0.0
# capture start:
Mon Jan 21 09:33:45 2002
# capture end:
Mon Jan 21 09:45:01 2002
# capture period:
676 seconds
# compress:
on
# byte order:
little
# stream version:
3
# export version:
5
# lost flows:
0
# corrupt packets:
0
# sequencer resets:
0
# capture flows:
341370
#
flow-stat
• Generates reports from flow files.
• Output is readable and easily imported
into graphing programs (gnuplot, etc).
• IP Address, IP address pairs, ports,
packets, bytes, interfaces, next hop,
Autonomous System, ToS bits, exporter,
and tags.
• Historical – use flow-report.
flow-stat
# --- ---- ---- Report Information --- --- --#
# Fields:
Total
# Symbols:
Disabled
# Sorting:
None
# Name:
Overall Summary
#
# Args:
flow-stat -f0
#
Total Flows
: 111182160
Total Octets
: 2450050798277
Total Packets
: 4057574675
Total Time (1/1000 secs) (flows): 2414764456464
Duration of data (realtime)
: 86409
Duration of data (1/1000 secs) : 88281720
Average flow time (1/1000 secs) : 21718.0000
Average packet size (octets)
: 603.0000
Average flow size (octets)
: 22036.0000
Average packets per flow
: 36.0000
flow-report
•
•
•
•
Replacement for flow-stat.
Configuration file based.
Multiple reports per data pass.
Concurrent output per report (file,
program, sorting options, fields).
• Integrated tagging and filtering for
performance gain and readability.
• ~ 70 reports currently defined.
flow-report
include-filter ./filter
include-tag ./gigapop-tags
stat-report to-abilene-by-customer
type source-tag
tag-mask 0xFF 0xFF
filter to-abilene
output
path out/to-abilene-by-customer
options +header,+names
fields -pps,-bps,-duration
sort +octets
stat-report from-abilene-by-customer
type destination-tag
tag-mask 0xFF 0xFF
filter from-abilene
output
path out/from-abilene-by-customer
options +header,+names
fields -pps,-bps,-duration
sort +octets
stat-report from-abilene-by-protocol
type ip-protocol
filter from-abilene
output
path out/from-abilene-by-protocol
options +header,+names
fields -pps,-bps,-duration
sort +octets
stat-report to-abilene-tcp
type ip-destination-port
filter tcp-to-abilene
output
path out/to-abilene-tcp
options +header,+names
fields -pps,-bps,-duration
sort +octets
output
path out/to-abilene-tcp.p
options +header,+names,+percent-total
fields -pps,-bps,-duration
sort +octets
flow-report
stat-report to-abilene-host-count
type ip-source-address-destination-count
filter to-abilene
output
path out/to-abilene-host-count
options +header,+names
fields -pps,-bps,-duration
sort +count
stat-report to-abilene-multicast
type ip-source/destination-address
filter mcast-to-abilene
output
path | flow-rptfmt %Y-%d-%m
options +header
fields -pps,-bps,-duration
sort +octets
stat-definition all
tag OHIO-GIGAPOP
report to-abilene-by-customer
report from-abilene-by-customer
report to-abilene-by-group
report from-abilene-by-group
report to-abilene-by-protocol
report from-abilene-by-protocol
report to-abilene-tcp
report from-abilene-tcp
report to-abilene-udp
report from-abilene-udp
Flow-report
• The following examples are all for flows
received on Oct 2, 2002.
• The output has been formatted with
flow-rptfmt.
flow-report
To abilene by customer
source-tag
flows
OHIOU
12468213
OSU
10083752
MIAMI
11555447
UC
3408919
CWRU
2146398
KENT
3548222
UAKRON
680448
WRIGHT
695999
DAYTON
2439731
BGSU
2572766
OBERLIN
802277
CSU
542017
0
578005
XAVIER
509438
DENISON
1335965
CENTRAL_STATE
12113
OHIO-GIGAPOP
145075
OTTERBEIN
393828
(27 records total)
octets
346780284114
216222538921
85209430257
69337541299
53967968301
35856830763
30197772896
29646284289
18139794910
16310992145
10831055817
9751230620
8311955805
8303822859
4930300208
3587783969
3409588817
3337857516
packets
474584209
456970704
211139319
150235362
71557236
98904064
76634728
57189398
59435826
40206277
21659836
17011505
17920369
19977123
25778299
2946397
4352398
6427175
flow-report
From abilene by customer
destination-tag flows
OSU
8206984
OHIOU
10632410
UC
3039419
MIAMI
10203261
WRIGHT
625040
KENT
3571049
CWRU
1809929
UAKRON
1203008
BGSU
2556832
DAYTON
4039081
OHIO-ITEC
24500
DENISON
1771432
OSC
74247
XAVIER
539444
OBERLIN
976343
0
495554
BWC
1132527
MULTICAST
37725
CSU
569675
(28 records total)
octets
404410296660
378662580090
146987191906
71462550082
64552082817
55469667804
47298827158
42302272842
27454028852
27083462962
23197891069
22412975083
21575406055
17389557985
16896684646
14545105602
9667335610
9408996691
9202402106
packets
493518138
553882360
166540812
182178469
63606132
100115387
66748219
76792866
38833117
64213411
15634326
28021003
15617253
21496360
21949892
18824353
15154831
102650979
16078735
flow-report
To/From abilene by group
source-tag
PART
SEGP
0
GIGAPOP
SPART
flows
36146734
19074659
578005
253853
154001
octets
808071443348
140069521118
8311955805
7210265828
685371077
packets
1443293483
376283762
17920369
16180995
4022173
destination-tag
PART
SEGP
GIGAPOP
0
MULTICAST
SPART
flows
32214346
19779445
129062
495554
37725
144483
octets
1176339350235
182946067604
48388568451
14545105602
9408996691
5741808731
packets
1576115766
357284495
35179510
18824353
102650979
5270298
flow-report
To/From Abilene by Protocol
ip-protocol
tcp
udp
icmp
gre
169
esp
ipv6
flows
38903962
14733318
2054787
1104
510943
671
2467
octets
949344938829
14280174521
578664366
81503144
58796208
3200640
1279468
packets
1780524499
70130455
5964561
230466
816614
20259
13928
ip-protocol
tcp
udp
icmp
gre
169
esp
ipv6
ax.25
ipencap
igmp
narp
pup
flows
36737595
13734354
1862340
906
462826
646
1731
93
92
12
18
2
octets
1389381631832
47439394244
379697738
110143341
54259200
1672800
1577881
882162
590868
44296
2576
376
packets
1905052404
184078339
5177470
225355
753600
12308
11379
3288
11124
86
40
8
flow-report
To Abilene TCP Dest Port
ip-destination-port flows
FastTrack
24.835828
Gnutella
7.692790
Napster
0.159431
7999
0.003208
http
4.813186
59
0.000496
innosys
0.033706
ssh
0.031968
smtp
0.360454
eDonkey-2000
0.064587
nntp
0.014585
2234
0.070181
2702
0.015261
10021
0.000673
ftp-data
0.012528
telnet
0.030663
1107
0.011328
7668
0.003095
Gnutella
0.972104
Neomodus-Direct-Connect 0.003958
…
octets
6.603882
2.308477
1.214922
0.607430
0.491013
0.398512
0.396740
0.386647
0.371606
0.353453
0.336791
0.335752
0.314940
0.302725
0.293089
0.291930
0.259371
0.253869
0.246086
0.204204
packets
11.541223
4.933651
1.358084
0.240277
2.402686
0.193378
0.303003
0.218494
0.239597
0.253181
0.247589
0.190099
0.135489
0.114831
1.122457
0.143617
0.107312
0.100611
0.593843
0.204218
flow-report
From Abilene TCP Dest Port
ip-destination-port flows
FastTrack
13.538197
msg-icp
0.000133
Neomodus-Direct-Connect 0.007053
Gnutella
6.074029
ftp
0.063839
nntp
0.027901
4422
0.013477
http
4.857253
aol
0.012902
3819
0.012325
47399
0.000180
Napster
0.031839
smtp
0.357062
innosys
0.021909
1976
0.013640
1097
0.020655
2925
0.018736
7776
0.000452
ftp-data
0.009565
1677
0.021615
…
octets
5.509694
0.934877
0.526346
0.466143
0.394695
0.365369
0.339689
0.319698
0.257276
0.221330
0.217029
0.215064
0.201978
0.181785
0.173067
0.166452
0.165947
0.158655
0.154542
0.148936
packets
9.777353
0.456198
0.383283
1.583139
0.224846
0.303404
0.179834
1.131411
0.351811
0.159259
0.123149
0.369720
0.202899
0.135780
0.113857
0.088196
0.088380
0.082350
0.395363
0.258940
flow-report
To Abilene UDP Dest Port
ip-destination-port
2055
commplex-link
41170
49156
10000
49606
FastTrack
27015
5012
49176
27005
5016
6970
radius
domain
12203
49198
8888
49154
1235
…
flows
0.006312
0.000387
25.035270
0.000217
0.002640
0.000339
13.620897
0.351659
0.000068
0.000081
0.001317
0.000041
0.000543
2.717311
7.108589
0.000842
0.000034
0.000964
0.001140
0.002213
octets
17.053153
12.342609
10.970910
5.389666
3.168155
2.922246
2.795093
2.651897
2.514314
2.157357
2.108271
2.087801
2.067873
1.561363
1.528589
1.458771
1.287165
1.228599
1.196136
0.996790
packets
2.329062
1.677807
32.354782
1.138699
0.496024
1.292035
3.861790
7.886515
0.582493
0.650475
2.622176
0.468828
0.665665
3.717907
4.462461
1.551721
0.283817
0.167672
0.468568
0.385473
flow-report
From Abilene UDP Dest Port
ip-destination-port
56464
4252
4247
4244
4250
6970
4245
4242
afs3-prserver
4254
41170
4243
4248
59818
4246
27005
49606
radius
4249
afs3-callback
…
flows
0.049555
0.000692
0.000612
0.000655
0.000619
0.002621
0.000604
0.000619
0.026030
0.000714
30.282116
0.000728
0.001318
0.001427
0.000670
0.003007
0.000218
3.873011
0.000699
0.032007
octets
17.677823
11.352055
7.053652
6.386842
5.128119
4.618467
4.574414
4.147176
3.593472
2.819961
2.635842
2.179707
1.769443
1.730026
1.627574
1.580597
1.134879
1.073899
1.040643
1.015535
packets
51.282764
1.960886
1.220310
1.103243
0.885821
1.651840
0.790175
0.716384
0.627750
0.487140
9.693955
0.376556
0.307173
4.210950
0.283242
2.507883
0.370680
3.489514
0.181706
0.179987
flow-report
To Abilene Multicast S,G
ip-source-address
128.146.112.93
164.107.73.49
164.107.73.50
128.146.111.36
164.107.73.50
164.107.73.49
193.166.0.41
171.68.122.14
128.107.150.34
129.217.131.30
192.148.244.23
64.65.127.133
130.83.47.123
171.69.248.71
130.83.126.22
212.219.151.116
205.189.33.76
139.133.204.110
207.75.164.44
…
ip-destination-address
224.2.0.1
224.2.133.133
224.2.133.133
224.2.0.1
224.2.133.134
224.2.133.134
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.5.5.5
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
flows
52
49
48
57
48
48
286
275
199
280
3
287
183
163
168
67
22
50
41
octets
3644792
2104830
2042136
1732352
1502592
1490216
237666
224675
197010
180040
149304
110495
91317
61832
61824
29390
27214
27000
23042
packets
22848
8190
8136
22988
8256
8188
286
275
199
280
102
287
183
163
168
67
22
50
41
flow-report
From Abilene Multicast S,G
ip-source-address
155.101.21.38
131.252.80.100
150.29.224.28
131.252.176.50
171.69.248.71
128.3.10.50
131.193.77.102
134.174.178.254
134.174.178.253
128.223.83.33
129.105.153.48
129.105.153.49
129.105.12.35
141.225.215.61
63.105.122.14
131.247.105.10
128.227.8.136
140.221.8.53
…
ip-destination-address
224.2.127.254
224.2.127.254
224.2.177.155
224.2.127.254
224.2.145.19
224.2.177.155
224.2.177.155
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.127.254
224.2.177.155
224.2.127.254
224.2.127.254
224.2.133.133
224.2.133.133
224.2.177.155
flows
64
580
54
284
18
60
50
49
49
252
121
116
23
66
206
55
49
23
octets
14115449
11091500
8569074
6283704
5535907
5488196
4987121
4559324
4557228
4197456
4122602
3628240
3188598
2843808
2719485
2169700
2158428
2154591
packets
49187
38113
9722
18984
6313
7028
6273
17402
17394
3839
13059
11935
3723
9416
4495
8345
8366
2722
flow-report
To Abilene by source Address
ip-source-address
128.146.11.117
64.247.109.217
164.107.77.104
131.187.254.2
164.107.77.100
64.247.105.200
129.22.39.145
132.235.196.5
64.247.65.121
164.107.35.58
128.146.135.184
129.137.150.144
129.22.164.158
64.247.94.142
64.247.110.33
164.107.210.142
137.148.203.177
206.21.71.10
…
flows
0.001658
0.001745
0.001007
0.553731
0.000203
0.010792
0.002991
0.000059
0.011723
0.000751
0.000151
0.006720
0.000557
0.012429
0.002179
0.001585
0.012794
0.687776
octets
1.198353
0.827703
0.683243
0.622047
0.490449
0.472982
0.472295
0.443100
0.398491
0.394327
0.393943
0.388005
0.371489
0.371459
0.363492
0.363146
0.351391
0.340878
packets
0.436777
0.323890
0.350049
0.615308
0.412104
0.172323
0.164211
0.177759
0.150519
0.154084
0.145393
0.178204
0.137157
0.132373
0.205407
0.197966
0.139850
0.340017
flow-report
From Abilene by dst Address
ip-destination-address
192.148.248.24
164.107.77.100
64.247.108.177
131.187.254.2
233.2.171.1
129.137.164.187
164.107.242.71
129.137.150.89
64.247.85.174
164.107.3.40
129.137.155.167
206.21.71.10
129.22.130.35
129.22.34.18
192.148.251.54
129.137.240.228
128.146.135.106
164.107.220.83
64.247.65.205
140.254.232.142
…
flows
0.000335
0.000206
0.088410
0.526903
0.012888
0.021733
0.019257
0.012727
0.001750
0.019604
0.003318
0.703418
0.023909
0.005377
0.000104
0.002119
0.000263
0.013447
0.001045
0.000386
octets
0.931192
0.908344
0.694466
0.601483
0.583444
0.529286
0.523264
0.493833
0.486535
0.475143
0.418701
0.417402
0.406043
0.379816
0.374664
0.370352
0.361298
0.361096
0.360547
0.349813
packets
0.426093
0.494996
0.339623
0.536259
4.505289
0.263854
0.286042
0.252883
0.226529
0.279502
0.248909
0.315859
0.188727
0.204850
0.172263
0.180073
0.197680
0.180690
0.175456
0.160018
flow-report
To Abilene SMTP / Customer
source-tag
flows
OSU
25.239783
MIAMI
13.119068
OHIOU
3.949198
DENISON
0.432857
CWRU
7.459834
UC
5.421768
DAYTON
1.192318
KENT
15.641335
OBERLIN
1.494677
WRIGHT
1.337793
0
0.456390
BGSU
4.155287
UAKRON
2.397473
BWC
0.472078
OSC
12.000200
CEDARVILLE
0.479922
CHMCC
0.704552
CSU
1.298572
MCO
0.250301
FINDLAY
0.084860
(26 records total)
octets
20.947484
10.971892
9.196418
9.156816
8.121457
8.035289
5.946226
4.911743
3.988554
3.655101
2.449019
2.430585
2.240855
1.331747
1.294894
1.276318
1.221819
1.101268
0.854932
0.285458
packets
21.210771
17.199629
7.206689
5.579017
6.653185
8.601174
3.953595
6.972634
2.602640
3.306141
1.528096
3.172927
1.994214
1.045406
4.188048
0.854342
0.934251
1.252083
0.566654
0.242798
flow-report
To Abilene SMTP / Address
ip-source-address
140.141.31.28
131.238.75.33
132.162.1.220
130.108.128.60
134.53.253.21
129.137.2.198
64.247.72.226
134.53.253.22
192.153.34.91
131.123.72.253
134.53.7.26
128.146.216.45
128.146.216.43
129.22.8.4
140.254.120.28
140.141.2.2
131.123.250.221
132.235.8.45
129.137.3.131
…
flows
0.054196
0.482775
0.733789
0.759461
2.367522
0.800822
0.024246
2.437407
0.046352
13.613252
7.292967
0.526275
3.745249
0.755183
0.517004
0.280965
0.187548
1.506799
0.362973
octets
7.621240
4.601938
3.700020
3.048794
3.025292
2.759806
2.716476
2.517202
2.402720
2.224239
2.135118
2.114172
2.021460
2.019472
1.849312
1.496925
1.478498
1.474040
1.469402
packets
4.219975
2.969837
2.225292
2.735314
4.628053
1.988307
1.904014
3.913066
1.415066
4.916420
5.008120
1.957881
2.449103
1.396735
1.211226
1.315912
0.869953
1.207475
1.203561
flow-report
flow-report
flow-report
flow-dscan
• DoS detection / network scanning tool.
• Flag hosts which have flows to many
other hosts.
• Flag hosts which are using a large
number of TCP/UDP ports.
• Works better on smaller networks or
with flow-filter to limit traffic. For
example filter TCP port 25 to detect
hosts infected with e-mail worm.
flow-gen
• Debugging tool to generate flows.
eng1:% flow-gen -V8.1 | flow-print | head -10
srcAS
0
1
2
3
4
5
6
7
8
dstAS
65280
65281
65282
65283
65284
65285
65286
65287
65288
in
0
1
2
3
4
5
6
7
8
out
65280
65281
65282
65283
65284
65285
65286
65287
65288
flows
2
4
6
8
10
12
14
16
18
octets
1
2
3
4
5
6
7
8
9
packets
1
2
3
4
5
6
7
8
9
duration
4294901760
4294901760
4294901760
4294901760
4294901760
4294901760
4294901760
4294901760
4294901760
flow-send
• Transmit flow files with NetFlow protocol
to another collector.
• Can be used to take flow-tools files and
send them to other NetFlow compatible
collector.
flow-receive
• Like flow-capture but does not manage
disk space. Output is to standard out
and can be used directly with other flowtools programs.
• Typically used for debugging.
eng1:% flow-receive 0/0/5555 | flow-print
flow-receive: New exporter: time=1011652474 src_ip=199.18.112.114
dst_ip=199.18.97.102 d_version=8
srcPrefix
srcAS dstPrefix
dstAS input output
143.105/16
600
128.9/16
4
48
25
140.141/16
600
150.216/16
81
48
25
132.235/16
17135 130.49/17
4130
38
25
131.123/16
11050 129.59/16
7212
42
25
206.21/16
600
128.239/16
11975 48
25
199.218/16
600
128.255/16
3676
48
25
flows
1
4
25
1
2
1
flow-import
• Import flows from other formats into
flow-tools.
• Currently supports ASCII, cflowd and
Cisco NFC formats.
flow-export
• Export flows from flow-tools files to
other formats.
• Currently supports ASCII, cflowd and
MySQL formats.
• ASCII output can be used with perl or
other scripting languages (with a
performance penalty).
flow-xlate
• Translate flows among NetFlow
versions.
• Originally intended for use with Catalyst
switches since they export some flows
in version 7 and others in version 5
format.
• Can also mask tag values.
Future work
• Flow-report – more reports, time series
data generation, data formatting.
• Clean interface to rrdtool and possibly
other graphing utilities.
• Flow-report -> SQL for billing or long
term trend analysis.
• IPFX support.
• Cleaner interface to BGP information.
• Probe support.
Contributed software
• Dave Plonka’s Cflow module. Perl
interface to flow-tools. Allows flow-tools
to be the back-end to flowscan.
• Robin Sommer’s Python interface.
• E. Larry Lidz @ U Chicago Network
forensics tools.
• Miguel Paraz & William Emmanuel
inter.net billing and other tools.
• Other stuff – look in contrib area.
References
• flow-tools: http://www.splintered.net/sw/flow-tools
• Abilene NetFlow page
http://www.itec.oar.net/abilene-netflow
• Simon Leinen’s FloMA Pointers &
Software page: http://www.switch.cf/tftant/floma/software.html
• IETF standards effort: http://ipfix.doit.wisc.edu
