Now let's have a look at how we work with flows. There are four steps we need to configure the device. For example, the router to generate flow accounting records. Once we have done that we need to export the flows from the device to a collector. On the device and on the collector we need to configure the protocol version and the destination. Once we have that running we need to receive the flows and write them to disk . And once we've written them to disk we need some mechanism for analyzing these flows. There are many tools available both free and commercial. So first off where do we generate the flow records? Well we do those on a router or other network device and we do this if the device supports it. There's no additional hardware required but do note it might have some impact on performance especially on software-based routers. We could have a five to ten percent CPU impact depending on the volume of traffic being analyzed. Another place you could generate flow records is on a passive collector and this is usually a unix host. Here we receive a copy of every packet and generate flows from this but this requires a mirror port on, for example, the campus ethernet switch where we make a copy of every packet and send it off to the passive collector. And this can end up being very resource intensive. The slide shows a possible setup for flow collection. We have the router in the middle of the campus and we have various LANs connected to it as well as our internet access. The collector is plugged in directly to the router and the router will export these flow records to the collector. The collector will store these records as it gets it from the router. All flows through the router can be observed. There's router overhead to process and export these flows and we can select which interfaces Netflow collection is needed on and not activated on others. If there's a separate router for each LAN that are shown in the diagram the netflow can be acted on them and that will reduce the load on the core router. The alternative is this passive monitor collection we mentioned a little bit earlier. Here we can set up a mirror or span port on an ethernet switch, connect a flow probe to the switch port and that will mirror traffic over to the flow collector. And this allows us if we need to to monitor traffic flow between workstations or between the workstations and out to the rest of the campus. There are examples of software available for this passive flow collector. Commonly used examples is softflow which runs happily on Linux and BSD. There's also pfflowd and ng_netflow and no doubt there'll be others around as well. The collector sees all traffic through the network point it is connected on and generates flows based on that and this will relieve the router from processing traffic, creating flows and exporting them. So here's a thought, your network probably already has a device which is keeping track of IP addresses and port numbers of traffic flowing through it what is it?

© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.

Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer. You are free to: Share — copy and redistribute the material in any medium or format Adapt — remix, transform, and build upon the material The licensor cannot revoke these freedoms as long as you follow the license terms. Under the following terms: Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. NonCommercial — You may not use the material for commercial purposes. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.