Cisco NetFlow Accounting with FlowScan in Solaris

1. Cisco NetFlow Accounting with FlowScan in Solaris

2. Topics Presentation • Description NetFlow & FlowScan • Role of report module in FlowScan • JKFlow module Design -Why a new module? -Principe of JKFlow -What can this module more? -Principe of JKFlow • Demo!

3. The Book Contains: • 1: Technical explanation:Technology of NetFlow & FlowScan • 2: In detail:JKFlow report module -configuration -working (for Perl-fanatics)

4. Purpose of Final Work • Implementation NetFlow service profiling bandwidth monitoring system • Flows received from central WAN-routers • Collection/Analyse inSolaris 8, 9 (x86)

5. NetFlow protocol • Flow accounting protocol Cisco routers • Flow Records: src/dst IP, port, tos, bytes, ... • PDU via UDP poort 2055 (default)

6. FlowScan • FlowScan = Framework NetFlow system-NetFlow collector-Analyse/Reporting of flows-Presentation of the reports • Perl-scripts combines these tools to a complete system

7. FlowScan Design • Components: • Cflowd • FlowScan + report module • RRDTool • Makefile/CGI-script

8. Report module • Analyse Flows => Counters • Counters => RRDTool databases • Default:CampusIO (services)SubnetIO (subnetten) • Others: CarrierIn CUFlow

9. Constraints • No analyses possible for subnets:-CampusIO only services global -SubnetIO only total for each subnet • Other modules don’t deliver the wanted functionality either: -CarrierIn only inbound, services global -CUFlow for each router, services global

10. CUFlow module • CUFlow = Report module + CGI-script • Analysing using a global set of protocols/services of different routers • Only total for subnets • Top-10, HTML statistics

11. New: JKFlow module • Started as a rewrite of CUFlow+Added Subnet monitoring of protocols/services +Separated sets of protocols/services for each router/subnet +Redundant code removed • Became an independed Perl-module located atURL: http://users.telenet.be/jurgen.kobierczynski

12. Principe JKFlow: Hashes • Hash = Assiociative Array %fruit = ( apples => 3, oranges => 6 ); print $fruit{apples}; shows: 3 • Hash-tree = Reference of a hash into a hash $hashref = { a => { b => 2, c => 3 }, d => 4 }; print $hashref->{a}{b}; shows: 2

13. Hashes in JKFlow • Uniform structure of Hash-trees for counters • Using references to these structures $Ref->

14. Reuse of routines

15. JKFlow Framework • I needed a framework to get the desired flexibility to integrate all desired features • I’ve found this in XML Perl + XML =  • XML::Simple module XML => Hash

16. JKFlow.xml

17. JKFlow.xml elements • 1: <all>, <router(s)>, <subnet(s)>, <network(s)> • 2: <direction> • 3: <application>, <services>, <ftp>, <protocols>, <tos>, <multicast>, <total> (2) & (3) can be defined in (1) & (2)

18. Directions • Direction =Selection of Source/Destination subnets • Including/excluding Subnets possible tosubnet fromsubnet notosubnet nofromsubnet fromsubnet

19. Recursive Directions • Directions can be nested inside Directions • Each Direction has its own set of protocols and services to monitor <direction name="BE-NL“ …> <direction name="BE-NL desktops“…> … </direction> … </direction> • Where could you use this feature for?

20. ...for subnet monitoring!

21. Applications • Merge several services together as ‘one’ serviceexample:<application name=“web”>80/tcp,443/tcp</application> FTP • State monitoring of FTP control sessions for detection of Active/Passive FTP-sessionsexample:<ftp/>

22. JKGrapherCGI-script • CGI-script for reading of RRDTool files created by JKFlow • Based on CUGrapher • 1:-first preselection of routers/subnets/networks • After this you will get a website with a form where you can select protocols/services of the selected routers/subnets, of which you want to see a graphic.

23. Demo • Parsing of flowfiles by JKFlow, generation of RRDTool files • JKGrapher interface