Flow Data


A flow collector records metadata and statistics about network traffic (who talked to whom, over which protocol and ports, how much, and when) rather than capturing each frame.

  • diagnosing performance issues depends on detailed information about network traffic flows
    • a packet analyzer (sniffer) can produce traffic statistics from a full capture
      • but recording every frame imposes a heavy processing and storage overhead
    • instead of recording entire packets and payloads, a flow tool records only packet metadata (headers and counters)
  • flow analysis tool features:
    • Highlighting of trends and patterns in traffic generated by particular applications, hosts, and ports
    • Alerting based on detection of anomalies, flow analysis patterns, or custom triggers
    • Visualization tools that show a map of network connections and make interpretation of patterns of traffic and flow data easier
    • Identification of traffic patterns revealing rogue user behavior, malware in transit, tunneling, or applications exceeding their allocated bandwidth
    • Identification of attempts by malware to contact a handler or command & control (C&C) channel

NetFlow

NetFlow is a Cisco-developed means of reporting network flow information to a structured database.

  • can use sampling (inspecting only every Nth packet) to further reduce processing demands on the exporter
    • sampled counts are estimates, so absolute byte/packet totals are approximate
  • redeveloped as the IP Flow Information Export (IPFIX) IETF standard (RFC 7011), based on NetFlow v9; IPFIX is sometimes referred to as NetFlow v10
  • show ip cache flow (Cisco IOS) displays NetFlow accounting statistics
    • text summary of the flow cache: protocol distribution table plus a list of the currently active flows (not a graphical visualization; that is the analyzer's job)
  • A particular traffic flow is defined by packets that share the same characteristics
    • the characteristics being matched are referred to as keys
      • typically the IP endpoints and protocol/port types
    • the chosen selection of keys is called a flow label
    • traffic matching a flow label is aggregated into a flow record
      • one record per flow: the key fields plus counters (packet count, byte count, first/last seen times)

Components

  • involves deploying 3 components:
    • NetFlow exporter
      • configured on network appliances (routers, switches, firewalls) or a dedicated probe
      • flows are identified on the exporter as packets are forwarded
      • a traffic flow is defined by packets that share the same key characteristics
        • Source IP address, Dest. IP address, Src port, Dst port, protocol
          • referred to as a 5-tuple
        • a 7-tuple flow adds input interface and IP type of service (ToS) to the key
        • flows are unidirectional: client→server and server→client traffic appear as two separate flow records
      • each exporter:
        • caches counters for new and ongoing flows in a flow cache
        • sets timers to determine flow expiration
          • inactive timeout: no packet seen for the key for N seconds, so the flow is finished
          • active timeout: a long-lived flow is exported periodically even while it continues
      • when a flow expires (or the cache fills, or a TCP FIN/RST is seen)
        • the exporter transmits the record to a collector, usually over UDP
    • NetFlow Collector
      • receives and aggregates flows from multiple exporters
      • needs
        • high-bandwidth network link
        • substantial storage capacity
      • exporter and collector must support compatible versions of NetFlow/IPFIX
        • most common are NetFlow v5 (fixed record format, IPv4 only) and v9 (template-based, supports IPv6 and custom fields)
    • NetFlow analyzer
      • reports and interprets information by querying the collector
      • can be configured to generate alerts and notifications
      • collector and analyzer are often implemented as a single product
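The keying and expiration behaviour described above for the exporter, and the version-compatible decoding on the collector side, as an added example (not Cisco code or any NetFlow product's code): a toy exporter keeps a flow cache keyed by the 5-tuple, expires entries on active/inactive timeouts, packs the expired flows into a NetFlow v5 export datagram, and a toy collector validates the header and unpacks each 48-byte record. The packet observations and the timeout values are constructed for illustration; in practice the exporter's timers are device configuration.

```python
"""Toy NetFlow exporter -> v5 datagram -> collector pipeline (added example)."""
import socket
import struct
from dataclasses import dataclass

ACTIVE_TIMEOUT = 30.0    # seconds: a long-lived flow is exported in slices this long
INACTIVE_TIMEOUT = 15.0  # seconds with no packet before the flow is considered finished

# Constructed packet observations: (time, src, dst, sport, dport, proto, length)
PACKETS = [
    (0.0,  "10.0.0.5", "93.184.216.34", 51000, 443, 6, 120),
    (0.5,  "93.184.216.34", "10.0.0.5", 443, 51000, 6, 1400),
    (1.0,  "10.0.0.5", "93.184.216.34", 51000, 443, 6, 80),
    (2.0,  "10.0.0.7", "10.0.0.53", 40000, 53, 17, 64),
    (2.1,  "10.0.0.53", "10.0.0.7", 53, 40000, 17, 180),
    (40.0, "10.0.0.5", "93.184.216.34", 51000, 443, 6, 80),  # same key, after the inactive timeout
]


@dataclass
class Flow:
    key: tuple      # (src, dst, sport, dport, proto): the 5-tuple
    first: float    # time of first packet
    last: float     # time of most recent packet
    packets: int = 0
    octets: int = 0


class Exporter:
    """Flow cache living on the network device."""

    def __init__(self):
        self.cache = {}      # key -> Flow still being accumulated
        self.expired = []    # Flows waiting to be sent to the collector

    def observe(self, ts, src, dst, sport, dport, proto, length):
        self._expire(ts)
        key = (src, dst, sport, dport, proto)
        flow = self.cache.get(key)
        if flow is None:                       # first packet with this key: new flow
            flow = self.cache[key] = Flow(key, ts, ts)
        flow.last = ts
        flow.packets += 1
        flow.octets += length

    def _expire(self, now):
        for key, f in list(self.cache.items()):
            if now - f.last >= INACTIVE_TIMEOUT or now - f.first >= ACTIVE_TIMEOUT:
                self.expired.append(self.cache.pop(key))

    def flush(self):
        """Force-expire everything (e.g. on shutdown) and hand over all expired flows."""
        self.expired.extend(self.cache.values())
        self.cache.clear()
        out, self.expired = self.expired, []
        return out


# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # ver, count, uptime, secs, nsecs, seq, etype, eid, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def encode_v5(flows, seq=0, engine_id=1):
    """Exporter side: serialize expired flows as one v5 datagram (sampling field 0 = unsampled)."""
    assert len(flows) <= 30, "v5 carries at most 30 records per datagram"
    uptime_ms = round(max(f.last for f in flows) * 1000) if flows else 0
    header = V5_HEADER.pack(5, len(flows), uptime_ms, 0, 0, seq, 0, engine_id, 0)
    body = b""
    for f in flows:
        src, dst, sport, dport, proto = f.key
        body += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",  # src, dst, nexthop
            0, 0,                                   # input / output ifindex
            f.packets, f.octets,
            round(f.first * 1000), round(f.last * 1000),  # sysuptime in ms
            sport, dport,
            0, 0, proto, 0,                         # pad1, tcp_flags, protocol, tos
            0, 0, 0, 0, 0)                          # src_as, dst_as, src_mask, dst_mask, pad2
    return header + body


def decode_v5(datagram):
    """Collector side: check the version the exporter used, then unpack each record."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    records = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "packets": r[5], "octets": r[6], "first_ms": r[7], "last_ms": r[8],
        })
    return records


def run_pipeline(packets=PACKETS):
    """Feed packets through the exporter, export, and decode on the collector."""
    exp = Exporter()
    for pkt in packets:
        exp.observe(*pkt)
    return decode_v5(encode_v5(exp.flush()))


if __name__ == "__main__":
    for rec in run_pipeline():
        print(rec)
```

Running it yields five flow records from six packets: the three TCP client→server packets collapse into one record of 2 packets/200 bytes plus a second record for the packet that arrived after the inactive timeout, the server→client reply is its own unidirectional record, and the DNS query and response are two more. A v9 or IPFIX exporter would instead send a template describing the record layout first, which is why exporter and collector must agree on the version.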