Cisco NetFlow Accounting with FlowScan in Solaris

About This Presentation
Title:

Cisco NetFlow Accounting with FlowScan in Solaris

Description:

Title: Cisco NetFlow Accounting using FlowScan on Solaris Author: System Administrator Last modified by: System Administrator Created Date – PowerPoint PPT presentation

Slides: 24
Provided by: SystemA151

Transcript and Presenter's Notes

1
Cisco NetFlow Accounting with FlowScan in Solaris
2
Topics Presentation
  • Description of NetFlow and FlowScan
  • Role of the report module in FlowScan
  • JKFlow module design
    - Why a new module?
    - Principle of JKFlow
    - What more can this module do?
    - Principle of JKFlow
  • Demo!

3
The Book
  • Contains
  • 1. Technical explanation: technology of NetFlow and FlowScan
  • 2. In detail: JKFlow report module
    - configuration
    - working (for Perl fanatics)

4
Purpose of Final Work
  • Implementation of a NetFlow service profiling and
    bandwidth monitoring system
  • Flows received from central WAN routers
  • Collection/analysis in Solaris 8, 9 (x86)

5
NetFlow protocol
  • Flow accounting protocol of Cisco routers
  • Flow records: src/dst IP, port, tos, bytes, ...
  • PDU via UDP port 2055 (default)

6
FlowScan
  • FlowScan: framework for a NetFlow system
    - NetFlow collector
    - Analysis/reporting of flows
    - Presentation of the reports
  • Perl scripts combine these tools into a complete
    system

7
FlowScan Design
  • Components
  • Cflowd
  • FlowScan report module
  • RRDTool
  • Makefile/CGI-script

8
Report module
  • Analyse flows => counters
  • Counters => RRDTool databases
  • Default: CampusIO (services), SubnetIO
    (subnets)
  • Others: CarrierIn, CUFlow

9
Constraints
  • No analyses possible for subnets
    - CampusIO: only services global
    - SubnetIO: only total for each subnet
  • Other modules don't deliver the wanted
    functionality either
    - CarrierIn: only inbound, services global
    - CUFlow: for each router, services global

10
CUFlow module
  • CUFlow: report module and CGI-script
  • Analysing using a global set of
    protocols/services of different routers
  • Only total for subnets
  • Top-10, HTML statistics

11
New JKFlow module
  • Started as a rewrite of CUFlow
    - Added subnet monitoring of protocols/services
    - Separated sets of protocols/services for each router/subnet
    - Redundant code removed
  • Became an independent Perl module, located at URL
    http://users.telenet.be/jurgen.kobierczynski

12
Principle of JKFlow: Hashes
  • Hash: associative array
  • %fruit = ( apples => 3, oranges => 6 );
  • print $fruit{apples}; shows 3
  • Hash-tree: reference of a hash into a hash
  • $hashref = { a => { b => 2,
  •                    c => 3 },
  •              d => 4 };
  • print $hashref->{a}{b}; shows 2

13
Hashes in JKFlow
  • Uniform structure of Hash-trees for counters
  • Using references to these structures
  • Ref->

14
  • Reuse of routines

15
JKFlow Framework
  • I needed a framework to get the desired
    flexibility to integrate all desired features
  • I've found this in XML
  • Perl XML ?
  • XML::Simple module: XML => Hash

16
JKFlow.xml
17
JKFlow.xml elements
  • 1. <all>, <router(s)>, <subnet(s)>, <network(s)>
  • 2. <direction>
  • 3. <application>, <services>, <ftp>, <protocols>,
    <tos>, <multicast>, <total>
  • (2) and (3) can be defined in (1) and (2)

18
Directions
  • Direction: selection of source/destination
    subnets
  • Including/excluding subnets possible

[Figure labels: tosubnet, fromsubnet, notosubnet, nofromsubnet]
19
Recursive Directions
  • Directions can be nested inside Directions
  • Each Direction has its own set of protocols and
    services to monitor
  • <direction name="BE-NL">
  •   <direction name="BE-NL desktops">
  •   </direction>
  • </direction>
  • What could you use this feature for?

20
...for subnet monitoring!
21
Applications
  • Merge several services together as one
    service, example:
    <application name="web">80/tcp,443/tcp</application>

FTP
  • State monitoring of FTP control sessions for
    detection of active/passive FTP sessions, example:
    <ftp/>
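
The direction selection (slide 18), the hash-tree counters (slides 12-13) and the merged application services (slide 21) fit together as in the Perl sketch below. This is an added example, not JKFlow's own code: the `%dir` layout, the helper names `cidr` and `in_any`, the addresses and the flow tuples are constructed assumptions.

```perl
use strict;
use warnings;
use Socket qw(inet_aton);

# "a.b.c.d/len" -> [network, mask] as 32-bit integers
sub cidr {
    my ($net, $len) = split m{/}, shift;
    my $mask = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    return [ unpack('N', inet_aton($net)) & $mask, $mask ];
}
# How many of the listed subnets contain $ip
sub in_any {
    my ($ip, @cidrs) = @_;
    my $n = unpack('N', inet_aton($ip));
    return scalar grep { ($n & $_->[1]) == $_->[0] } @cidrs;
}
# Assumed in-memory form of one direction (hypothetical layout, not JKFlow's own)
my %dir = (
    name         => 'BE-NL',
    fromsubnet   => [ cidr('10.1.0.0/16') ],
    tosubnet     => [ cidr('10.2.0.0/16') ],
    nofromsubnet => [ cidr('10.1.99.0/24') ],
    notosubnet   => [],
    application  => { web => [ '80/tcp', '443/tcp' ] },
);
my %app_of;    # service => application name (several services merge into one)
for my $app (keys %{ $dir{application} }) {
    $app_of{$_} = $app for @{ $dir{application}{$app} };
}
# Constructed flows: src, dst, dst port, protocol, bytes
my @flows = (
    [ '10.1.4.7',  '10.2.0.20', 443, 'tcp', 1500 ],
    [ '10.1.4.8',  '10.2.0.20', 80,  'tcp', 400 ],
    [ '10.1.99.5', '10.2.0.20', 80,  'tcp', 900 ],    # hits nofromsubnet
    [ '10.1.4.7',  '10.2.0.30', 25,  'tcp', 700 ],    # no application defined
    [ '10.3.0.1',  '10.2.0.20', 80,  'tcp', 300 ],    # outside fromsubnet
);
my %counters;    # hash-tree: direction => bucket => { flows, bytes }
for my $f (@flows) {
    my ($src, $dst, $port, $proto, $bytes) = @$f;
    next unless in_any($src, @{ $dir{fromsubnet} }) && in_any($dst, @{ $dir{tosubnet} });
    next if in_any($src, @{ $dir{nofromsubnet} }) || in_any($dst, @{ $dir{notosubnet} });
    # Every matching flow counts toward 'total', and toward its application if one is defined
    for my $bucket (grep { defined } 'total', $app_of{"$port/$proto"}) {
        my $c = $counters{ $dir{name} }{$bucket} ||= { flows => 0, bytes => 0 };
        $c->{flows}++;
        $c->{bytes} += $bytes;
    }
}
printf "%s/%s: %d flows, %d bytes\n", $dir{name}, $_,
    @{ $counters{ $dir{name} }{$_} }{qw(flows bytes)} for sort keys %{ $counters{ $dir{name} } };
```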

22
JKGrapher CGI-script
  • CGI-script for reading the RRDTool files created
    by JKFlow
  • Based on CUGrapher
  • First a preselection of routers/subnets/networks
  • After this you get a web page with a form
    where you can select the protocols/services of the
    selected routers/subnets for which you want to
    see a graph.

23
Demo
  • Parsing of flowfiles by JKFlow, generation of
    RRDTool files
  • JKGrapher interface