Let’s play with a NetFlow

I like to open my blogs with a scenario. That way the problem is much more easy to cope with. Today’s problem is this: we have a server that gets hit with some traffic from the Internet. We want to know what kind of traffic and to collect some data for investigation. Here is the diagram:

NetFlow Diagram

The router in the middle is a Cisco router, of course 🙂

In order to see the traffic between two hosts going through the router, we could use debug ip packet. That is often a very bad idea! We could try to narrow the debug a little with access lists, but still… I had a situation where an ACL-controlled debug almost crashed a router. A bug, perhaps.

Another way of doing this is NetFlow. It is a very powerful tool for gathering network statistics and detecting problems. We will do this in two ways. The first way brings in a little bit of fun, and that is why it is here.

The first way.

On the router we would type in the following commands globally:

ip flow-capture vlan-id
ip flow-capture ip-id
ip flow-export version 5

And on the interface facing our server:

interface FastEthernet0/3/0.45
description TNT
encapsulation dot1Q 45
ip address
ip flow egress
no cdp enable

The key command here is ip flow egress. It enables NetFlow and captures the traffic leaving our router through the Fa0/3/0.45 interface. Let’s now see what’s cooking:

ROUTER#show ip cache flow
IP packet size distribution (4608 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .646 .051 .003 .001 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .293 .001 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
1 active, 4095 inactive, 2215 added
48950 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
1 active, 1023 inactive, 2215 added, 2215 added to flow
0 alloc failures, 0 force free
1 chunk, 4 chunks added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           2      0.0         1    44      0.0       0.0      15.2
TCP-FTP              2      0.0         1    44      0.0       0.0      15.2
TCP-FTPD             2      0.0         1    44      0.0       0.0      15.5
TCP-WWW             50      0.0         1    46      0.0       0.1      14.6
TCP-SMTP             2      0.0         1    44      0.0       0.0      15.2
TCP-X                3      0.0         1    44      0.0       0.0      15.5
TCP-BGP              2      0.0         1    44      0.0       0.0      15.6
TCP-NNTP             2      0.0         1    44      0.0       0.0      15.3
TCP-other         2064      0.0         1    52      0.0       0.1      15.4
UDP-DNS             38      0.0         2    66      0.0       2.6      15.2
UDP-other           42      0.0        49   373      0.0     168.2       8.3
ICMP                 5      0.0         1    53      0.0       0.6      15.5
Total:            2214      0.0         2   199      0.0       3.4      15.2

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/2    Fa0/3/0.45*       06 D693 56CE     1

And by the way, the * next to the interface name means this is egress traffic, i.e. it is leaving the router, not entering it. It took me some time to figure that out.

Now we can see a lot of stuff. Among other things we can see the source IP address (perhaps an attacker) and the destination address (our server). We can also see the targeted service in the form of the destination port. And here is the fun part: what port is 56CE? Obviously it is shown in hex and we want it in decimal. The fun part is the conversion. The readers of this blog are not ordinary people who would use a calculator for this, and we are not such geeks that we would do it on paper either. We will use a TCL script 🙂

ROUTER(tcl)#set PORT [ expr 0x56CE ]
ROUTER(tcl)#puts $PORT

And we have our port converted to decimal: 22222. Now tell me that networking cannot be fun 🙂

The other way is the one we will present at the job interview. Now we want to be smart and say that NetFlow is built upon three components: a record, a monitor and an exporter. The NetFlow record consists of the TCP/IP fields we would like to see or capture. The monitor is applied to an interface and ties it to the record. Finally, we can have an exporter send the collected data to a management station.

First, the record:

flow record TNT
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes

For each connection we want to collect the source and destination IP addresses, as well as the source and destination ports. In effect we are counting the bytes transferred through the router for each matching 4-tuple (SrcIP, DstIP, SrcPort, DstPort).

The monitor is very simple:

flow monitor TNT
cache timeout inactive 60
record TNT

It simply references the previously created record. Now we need to apply it to an interface:

interface FastEthernet0/3/0.45
description TNT
encapsulation dot1Q 45
ip address
ip flow monitor TNT output
no cdp enable

Just to make the story complete, we could create the exporter:

flow exporter TNT
source GigabitEthernet0/1
transport udp 9996
export-protocol netflow-v5

We are exporting to a management station using UDP/9996 and version 5 of NetFlow.
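The router side is now complete, but the management station still has to decode what arrives on UDP/9996 and re-aggregate it by the 4-tuple the flow record keys on. The following collector-side decoder is an added example written for this post, not code from the post or from Cisco. It packs a constructed NetFlow v5 datagram (the layout of the v5 header and 48-byte record is public), parses it back with sanity checks a collector should make (version, record count against datagram length), and sums bytes per (SrcIP, DstIP, SrcPort, DstPort). The addresses 192.0.2.10 and 198.51.100.5 are documentation-range placeholders, not the post's hosts; the server port 22222 and client port 54931 are taken from the post's output.

```python
"""Minimal NetFlow v5 collector-side decoder (added example, not from the post)."""
import socket
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
EXPORT_PORT = 9996  # transport port from the post's "flow exporter TNT"


def build_v5_packet(flows, sys_uptime=1000, unix_secs=0, seq=0):
    """Pack flow dicts into one constructed v5 export packet.

    Only exists so the example runs offline; a real packet comes from the
    router's exporter. Fields the example does not use are zeroed.
    """
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(f["src"]).packed, IPv4Address(f["dst"]).packed, bytes(4),
            0, 0,                                    # input / output ifIndex
            f["pkts"], f["bytes"],                   # dPkts / dOctets
            0, 0,                                    # first / last sysUptime
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,  # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                           # src_as, dst_as, masks, pad2
        for f in flows)
    return header + body


def parse_v5_packet(data):
    """Decode a v5 datagram into flow dicts; raise ValueError on malformed input."""
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than v5 header")
    version, count, *_ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # Never trust 'count' blindly: it must agree with the datagram length,
    # and v5 carries at most 30 records per packet.
    if count > 30 or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos,
         *_rest) = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "sport": sport, "dport": dport, "proto": proto,
                      "tcp_flags": tcp_flags, "pkts": pkts, "bytes": octets})
    return flows


def aggregate_by_4tuple(flows):
    """Sum bytes per (src, dst, sport, dport): the key fields of the post's
    'flow record TNT' (match ...) with its 'collect counter bytes'."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["sport"], f["dport"])] += f["bytes"]
    return dict(totals)


def serve(port=EXPORT_PORT):
    """Receive real exports from the router and print them (blocking loop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        try:
            for f in parse_v5_packet(data):
                print(f"{peer}: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
                      f"proto {f['proto']} bytes {f['bytes']}")
        except ValueError as err:
            print(f"dropped packet from {peer}: {err}")


# Constructed sample: two records of the same connection to the server on
# port 22222 plus one to port 80. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 54931, "dport": 22222,
     "proto": 6, "pkts": 1, "bytes": 80},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 54931, "dport": 22222,
     "proto": 6, "pkts": 2, "bytes": 120},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "sport": 40001, "dport": 80,
     "proto": 6, "pkts": 1, "bytes": 60},
]
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS)

if __name__ == "__main__":
    for flow in parse_v5_packet(SAMPLE_PACKET):
        print(flow)
    print(aggregate_by_4tuple(parse_v5_packet(SAMPLE_PACKET)))
```

Run it as-is to see the constructed packet decoded and aggregated; call serve() instead to listen on UDP/9996 for the router's real exports. Note that v5 carries no authentication, so a collector should only accept datagrams from the configured exporter source address and should discard anything whose record count disagrees with its length, as parse_v5_packet does.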

Let’s now check what we captured…

ROUTER#show flow monitor name TNT cache
Cache type:                               Normal
Cache size:                                 4096
Current entries:                               3
High Watermark:                                3

Flows added:                                   3
Flows aged:                                    0
  - Active timeout      (  1800 secs)          0
  - Inactive timeout    (    60 secs)          0
  - Event aged                                 0
  - Watermark aged                             0
  - Emergency aged                             0

IPV4 SRC ADDR    IPV4 DST ADDR    TRNS SRC PORT  TRNS DST PORT       bytes
===============  ===============  =============  =============  ==========
                                          54931          22222          80


We can now clearly see the source and destination ports without needing any conversion.


Thanks for reading!


