So we have shown you how to set up NetFlow and NetFlow export on your campus routers. We've shown you some of the tools that are used on collectors to gather these flow records and let you summarize and visualize them. So let's have a look at some of the references for some of these tools that we've been talking about. For nfdump and nfSen you can go to the URL shown on the slide. Both are hosted on sourceforge.net. nfdump is kept reasonably up to date, but notice that work on nfSen has slowed down, if not stopped altogether; in fact, the community is looking at next-generation replacements for nfSen. So it is worth doing your research to find out what the most modern version of this NetFlow sensing tool is. We didn't mention them, but there are also pmacct and pmgraph, which can be useful traffic flow analysis tools, and there's also flow-tools itself, noted at the URL at the bottom of the slide. We also have the Wikipedia entry describing NetFlow in general, the IETF standardization effort (the IP Flow Export Working Group charter), the Abilene NetFlow page, for example, that's the Cisco-centric open source community, and there's also the Cisco NetFlow Collector User Guide as well.

The rest of the slide deck, which we're not going to cover in this video series, has a look at some more detailed information about NetFlow. I'll quickly run through them, but you should look at the rest of the presentation referenced below this video for more information about NetFlow and its uses. There are some examples of filters. There are some examples of uses for NetFlow, including problem identification and solving, traffic classification, and denial of service traceback. There's traffic analysis and engineering. We have inter-AS traffic analysis and reporting on application proxies. Some network operators use NetFlow for accounting or billing, more for cross-verification against other sources rather than actual billing itself.
We have examples of the use of NetFlow for detection of anomalous events, for example the famous SQL Slammer we saw in the early 2000s: how NetFlow was used to detect it and help network operators deal with that serious denial of service attack. This is flow-based detection: once you've built a baseline for your network infrastructure you can use NetFlow to detect anomalous activity, in other words activity that you don't expect. There are several flow-based commercial tools, too many to mention, and we show an example of a large-scale DoS attack and how a commercial detection tool can be used for that. These are slides from the global Internet in the public domain, with some examples of flow accounting as well. We also include a quick summary of the different Cisco NetFlow versions, all the way from NetFlow version 1 through to version 5, which was the commonly used one when it was first released; NetFlow version 6, which found its way onto the Cisco Catalyst line of chassis-based Ethernet switches; and then through to NetFlow version 9, which is the current version and which supports IPv6, 32-bit AS numbers as needed for BGP, and additional fields like MPLS labels and so on.
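The baseline-and-deviation idea described above, as an added example that is not part of the original presentation or of nfdump/nfSen: a per-service baseline is learned from constructed flow records over six collection intervals, and a detection pass over the next interval flags both a service whose flow count jumps far above its baseline and a single source fanning out to many destinations on UDP/1434, the Slammer-style pattern. The tuple layout, the interval numbering and the addresses (10.0.0.0/8, 198.51.100.0/24, 203.0.113.0/24) are assumptions made for the example.

```python
"""Baseline-and-deviation detection over NetFlow-style records (added example)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (interval, src, dst, proto, dport, packets).
# Six quiet intervals of ordinary HTTPS and DNS traffic form the baseline.
BASELINE_FLOWS = [
    (i, "10.0.0.5", "198.51.100.1", "TCP", 443, 20) for i in range(6)
] + [
    (i, "10.0.0.7", "198.51.100.2", "UDP", 53, 2) for i in range(6)
]
# Interval 6: normal traffic plus one host hitting 40 hosts on UDP/1434
# (the port SQL Slammer spread on) with one packet each.
SUSPECT_FLOWS = [(6, "10.0.0.5", "198.51.100.1", "TCP", 443, 19)] + [
    (6, "10.0.0.9", f"203.0.113.{n}", "UDP", 1434, 1) for n in range(1, 41)
]

def flows_per_interval(flows):
    """Count flows per (proto, dport) service, broken down by interval."""
    counts = defaultdict(Counter)
    for interval, _src, _dst, proto, dport, _pkts in flows:
        counts[(proto, dport)][interval] += 1
    return counts

def build_baseline(flows, intervals):
    """Per service: mean and stdev of flows per interval over the learning window."""
    counts = flows_per_interval(flows)
    baseline = {}
    for key, per_int in counts.items():
        series = [per_int.get(i, 0) for i in range(intervals)]  # zeros count too
        baseline[key] = (mean(series), pstdev(series))
    return baseline

def detect(baseline, new_flows, k=3.0, min_new=10, fanout=20):
    """Return alerts: services above mean + k*stdev, and sources with wide fan-out.

    min_new stops a stable, low-volume service (stdev 0) alerting on +1 flow;
    an unseen service gets baseline (0, 0), so only min_new guards it.
    """
    alerts = []
    counts = Counter((p, d) for _i, _s, _dst, p, d, _n in new_flows)
    for key, n in counts.items():
        mu, sigma = baseline.get(key, (0.0, 0.0))
        if n > mu + k * sigma and n >= min_new:
            alerts.append(("service_spike", key, n))
    dsts = defaultdict(set)
    for _i, src, dst, _p, _d, _n in new_flows:
        dsts[src].add(dst)
    for src, seen in dsts.items():
        if len(seen) >= fanout:  # one source talking to many hosts: scan/worm
            alerts.append(("fanout", src, len(seen)))
    return alerts
```

Real deployments would feed this from nfdump's CSV output per collection interval and tune k, min_new and fanout against the site's own baseline rather than the constants used here.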
© Produced by Philip Smith and the Network Startup Resource Center, through the University of Oregon.
Attribution-NonCommercial 4.0 International (CC BY-NC 4.0)
This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

You are free to:
Share: copy and redistribute the material in any medium or format.
Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.

Under the following terms:
Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
NonCommercial: You may not use the material for commercial purposes.
No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.