MicroNugget: What is Netflow?

Captions
If you really want to know the traffic patterns that are coursing through your network, one of the best ways to discover that is with a really amazing tool called NetFlow. Let's begin.

One of our challenges in managing a network is to really understand what is going through the network. I mean, we may be allowing lots of different protocols, but what's the relationship, percentage-wise, of HTTP versus, for example, DNS? How much SNMP is there? Who are the top talkers on our network? What are the top destinations? All of this is very useful information and easy to get if we simply use a feature called NetFlow. And different individuals have different reasons for running NetFlow. From a security perspective, maybe we just want a baseline of what traffic is, and then we're looking for anomalies in that traffic, and NetFlow can tell us about that. Or maybe we're gonna go ahead and add a new application or service to our network and we just want to know beforehand what our traffic patterns look like. All of those are terrific reasons why we'd want to use NetFlow on our networks.

Now, setting up NetFlow (the current flavor is version 9) boils down to three basic ingredients. We're going to have a monitor that's actually going to look at the traffic as it goes into or out of an interface on a router. That information regarding the flows of traffic is put in memory in a cache for a short period of time, and then it is exported out to a management system. So here's our network management system right here, and as the exporter sends these records over to the network management system, this network management system is going to be running some software called a collector, which can then work with that data and drop beautiful graphs and create reports to reflect what's happening on our network.

The actual configuration of NetFlow is pretty simple. We're going to start off with the NetFlow exporter, and the exporter is going to identify the destination address (that's where our collector lives); we're going to identify the port and protocol we're going to use, the actual version of NetFlow that we're going to be exporting, in this case version 9, and the source IP address, based on the source interface of R1 that we're going to be sending this NetFlow information from. So our intention here on R1 is that we're going to be sourcing the traffic from Gig 1/0 and the IP address there as it goes over to our NetFlow collector, which is running at the network management station at .23. In this example I'm gonna be using Scrutinizer as the NetFlow collector, and it's already by default listening on port 9996, so our NetFlow collector is sitting there just waiting for traffic to show up. We can verify the details of our exporter that we created by doing a show flow exporter and then the name of the exporter that we just created.

Next we're going to create a logical monitor object for NetFlow. Now, this monitor object we're going to apply to an interface on R1, and the biggest piece we're going to have in this monitor is the type of information we're going to collect, as well as what exporter we're going to use once we collect this information, to go ahead and export it off to the network management station. So in this example we're going to go ahead and gather traditional IPv4 NetFlow information, and there's lots of options with Flexible NetFlow as far as what we could collect regarding our traffic flows. And then once we gather that information, it's put in the cache, where periodically we're going to use EXPORT1, which is this guy right here, to ship that data off to our network management station at 192.168.1.23 using the ports and protocols and versions that are set up in the exporter for that export. I think it's really important to verify as we go, so let's do a show flow monitor name and the name of the monitor we just created, just to verify the details for this monitor. So regarding the type of information it's gonna collect, we're gonna go ahead and use the standard NetFlow IPv4 information; the exporter is EXPORT1. Now, it's currently inactive because we haven't yet applied this monitor to an interface, so without further ado let's do that. Let's go to interface Gig 1/0 and say ip flow monitor, the name of our monitor, and the keyword input. Now that means we're gonna be building our flow information based on traffic as it goes into this Gig 1/0 interface.

Now, if we want to see information that's been collected as far as flow information on packets that have been coming in on 1/0, we do a show flow monitor, the keyword name, the name of our flow monitor, and then cache, and that's going to show us the information that's in memory right now on this router regarding flows that it's recently learned of. Now here it's saying there's no entries to display, and that's because there's no traffic happening on this network. However, you and I can fix that. Let's go ahead and take this PC right here at .25, and I'm gonna have this PC go out and make several requests to Internet resources, and as the reply traffic comes back in, those flows will be recorded as the packets enter 1/0, and then we should be able to see some of that information in the cache. So what I did, I just refreshed five or six windows that were currently open browser windows, and if I use the up arrow key now to show flow monitor for monitor one and look at the cached entries, we are now going to have several pages of entries. For example, here's one of them: we have a flow that came from this source address, which is out on the Internet, coming back to this IP address. And because we're looking at the flow right here, this router, which happens to be R2, is running NAT, so as the packets go out there's a network address translation to a global address; the reply traffic comes back in, R2 un-NATs it, and that's why we're seeing the destination address, from the perspective of this interface, as having a destination of 10.1.0.25, which is this host where Bob is. The source port is 80. In this example Bob's initial source port was 1816 going to the well-known port of 80, and the reply traffic has those flipped, so the source port on the traffic coming back from the server is gonna be port 80 and the destination port is 1816, and that's how it shows that Bob initiated the session with that server. It has information about the type of service bits; the IP protocol is 6, which equates to TCP; from the router's perspective it routed it out of Gig 2/0 to get back to this PC; and regarding this flow there were 71 packets involved.

Now, there are several options that we have in looking at the console; we can sort by certain types of traffic and so forth. But the real benefit of NetFlow is having this data all sent over via the exporter to the collector that's running on a management server, so we can take a look at what's happening in a tool designed to handle all of that NetFlow information. Now, in this interface, this is an example of a NetFlow collector. I'm demoing in this example a product called Scrutinizer, and they've got Enterprise editions, they've got free editions, and so if you want to play around and practice with NetFlow and with a collector, I would strongly recommend you download and practice with their product. So here we have our top applications based on ports. As far as top countries, most of the traffic was within the United States; one of the web servers they went to was located in Ireland. And this dashboard is completely customizable to the way that you want to see it. If we wanted to dive into the specifics of TCP, for example, we click on TCP and then from the drop-down select the exporter who sent us that information; .164 correlates to Mr. R1, and here it's breaking out in a pie chart the different flows that it observed regarding TCP. And then down here, for this time range, which was five minutes from 12:52 to 12:55, because our NetFlow monitor is set up to gather information regarding flows inbound on Gig 1/0, all of these sources are resources out on the Internet, and the destination is that workstation on the 10.1 network.

Setting up NetFlow is fairly simple, and the information that it can give us about what's really coursing through our networks is often invaluable. So if you're not yet using NetFlow, you may want to check it out. I have had a blast; I'm glad that you joined me for this video. I hope this has been informative for you, and I'd like to thank you for viewing.
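As an added example (not from the video or CBT Nuggets), here is the collector side of what the video describes: a minimal NetFlow v9 parser that learns the template flowset and decodes the data records the exporter ships to the management station, fed a constructed packet that mirrors the reply flow shown in the cache (server port 80 to Bob's port 1816, TCP, 71 packets to 10.1.0.25). The server address 203.0.113.10 and the byte count are made-up values; a real collector would also track templates per exporter source id and tolerate data arriving before its template.

```python
import socket
import struct

FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",  # RFC 3954 field type ids
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def decode_field(ftype, raw):
    # IPv4 address fields become dotted quads, everything else a big-endian int
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")

def parse_v9(packet, templates=None):
    """Parse one NetFlow v9 export packet into a list of flow dicts. `templates` persists
    learned layouts across packets, since exporters resend templates only periodically."""
    templates = {} if templates is None else templates
    version = struct.unpack("!H", packet[:2])[0]  # 20-byte header: version, count, uptime, ...
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4: raise ValueError("malformed flowset length")
        body, off, p = packet[off + 4:off + fs_len], off + fs_len, 0
        if fs_id == 0:  # template flowset: learn the record layouts
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                templates[tid] = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i])
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset for a known template
            layout = templates[fs_id]
            rec_len = sum(flen for _, flen in layout)
            while p + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in layout:
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                flows.append(rec)
    return flows

def build_sample_packet():
    """Constructed packet: one template plus one data record mirroring the reply flow in the
    video (server port 80 -> Bob's port 1816, TCP, 71 packets); server address and bytes are made up."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", *f) for f in layout)
    rec = (socket.inet_aton("203.0.113.10") + socket.inet_aton("10.1.0.25")
           + struct.pack("!HHBII", 80, 1816, 6, 71, 61800))
    pad = (-(4 + len(rec))) % 4  # flowsets are padded to a 4-byte boundary
    return (struct.pack("!HHIIII", 9, 2, 466000, 1402400000, 1, 0)  # header
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec) + pad) + rec + b"\x00" * pad)
```

Feeding the decoded dicts into a baseline (top talkers, top ports, unexpected protocols) is the anomaly-spotting use the video mentions; this block stops at producing the records.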
Info
Channel: CBT Nuggets
Views: 90,672
Rating: 4.9328165 out of 5
Keywords: network monitoring, network monitoring software, netflow analyzer, network monitoring system, netflow analyzer free, network monitoring server, network monitoring tutorial, netflow analyzer installation guide, network monitoring basics, netflow analyzer tutorial, netflow analyzer linux, netflow analyzer configuration cisco router, network monitoring linux
Id: aqTpUmUibB8
Length: 7min 46sec (466 seconds)
Published: Tue Jun 10 2014