netflow协议详解_netflow协议资源-CSDN文库

netflow

需积分: 50 89 浏览量 2015-06-11 11:25:04 上传评论收藏 405KB PDF 举报

资源推荐

资源详情

资源评论

White Paper

Introduction to Cisco IOS

Flexible NetFlow

Last updated: September 2008

The next-generation in flow technology allowing optimization of the network infrastructure,

reducing operation costs, improving capacity planning and security incident detection with

increased flexibility and scalability.

Introduction

NetFlow invented by Cisco has become the standard for acquiring IP operational data for many

customers. Visibility into the network is an indispensable tool. In response to new requirements

and pressures, network operators are finding it critical to understand how the network is behaving

including:

●

Application and network usage

●

Understand who, what, when, where, and how network traffic is flowing

●

Network efficiency and utilization of network resources

●

The impact of changes to the network

●

Network anomaly and security vulnerabilities

●

Long term compliance, business process and audit trail

Applications for NetFlow data are constantly being invented but the key usages include:

●

Real-time network monitoring

●

Application and user profiling

●

Network planning and capacity planning

●

Security incident detection and classification

●

Accounting and billing

●

Network data warehousing, forensics and data mining

●

Troubleshooting

NetFlow Based Network Awareness

The ability to characterize IP traffic and understand who sent it, the traffic destination, the time of

day, the application information, is critical for network availability, performance and

troubleshooting. Monitoring IP traffic flows facilitates more accurate capacity planning and ensures

that resources are used appropriately in support of organizational goals. It helps Cisco customers

determine how to optimize resource usage, plan network capacity, where to apply Quality of

Service (QoS) and it plays a vital role in network security to detect Denial–of–Service (DoS)

attacks and network-propagated worms.

NetFlow facilitates solutions to many common problems encountered by network professionals as

shown in Table 1.

Table 1. Common Solutions Facilitated by NetFlow

White Paper

NetFlow Facilities Solutions To: Description

Analyze new applications and their

network impact

Identify new application network load such as VoIP or remote site additions.

Reduction in peak WAN traffic Use NetFlow statistics to measure WAN traffic improvement from application-

policy changes; understand who is utilizing the network and the network top

talkers.

Troubleshooting and understanding

network pain points

Diagnose slow network performance, bandwidth hogs and bandwidth utilization in

real-time with command line interface or reporting tools.

Detection of unauthorized WAN traffic Avoid costly upgrades by identifying the applications causing congestion.

Security and anomaly detection NetFlow can be used for anomaly detection, worm diagnosis along with

applications.

Validation of QoS parameters Confirm that appropriate bandwidth has been allocated to each Class of Service

(CoS) and that no CoS is over- or under-subscribed.

For a primer in the basics of NetFlow please read the

“Introduction to NetFlow—A Technical

Overview” document first.

The Next Generation in Flow Technology—Flexible NetFlow

Cisco is now innovating flow technology to a new level beyond what has been traditionally

available. Cisco IOS Flexible NetFlow is Cisco’s next-generation flow technology. Flexible NetFlow

provides enhanced optimization of the network infrastructure, reduces costs, and improves

capacity planning and security detection beyond other flow based technologies available today.

Key Advantages to using Flexible NetFlow:

●

Flexibility, scalability, aggregation of flow data beyond traditional NetFlow

●

The ability to monitor a wider range of packet information producing new information about

network behavior

●

Enhanced network anomaly and security detection

●

User configurable flow information to perform customized traffic identification and the ability

to focus and monitor specific network behavior

●

Convergence of multiple accounting technologies into one accounting mechanism

It provides a NetFlow architecture that can track multiple NetFlow applications simultaneously. For

example, the user can create simultaneous and separate Flow Monitors for security analysis and

traffic analysis. Cisco IOS Flexible NetFlow provides enhanced security detection and or network

troubleshooting by allowing customization of flow information. For example, the user can create a

specific Flow Monitor to focus and analyze a particular network issue or incident. It provides real-

time monitoring with immediate flow cache capabilities and long term or permanent tracking of flow

data. Cisco IOS Flexible NetFlow will enhance NetFlow’s already rich feature capabilities allowing

the tracking of information at layer 2 for switching environments, layer 3 and 4 for IP information

and up to layer 7 with deep packet inspection for application monitoring. Figure 1 shows various

types of Flow Monitors to view and understand network behavior.

Figure 1. Example of Flexible NetFlow Customizable Flow Monitors

White Paper

An Example of Application Tracking with Flexible NetFlow

Flexible NetFlow unlike traditional NetFlow allows the user to customize and focus on specific

network information. Scalability of the NetFlow analysis is optimized and Flexible NetFlow gives

the opportunity to track the important information for the organization. By targeting specific

information the amount of information will be reduced and the number of flows being exported

reduced, allowing enhanced scalability and aggregation. If for instance the user was interested in

TCP application analysis, in Flexible NetFlow the user would configure the tracking of the NetFlow

field’s source and destination IP addresses, TCP source and destination ports and NetFlow will

examine the packets for this information. This information will effectively show who is sending and

receiving the traffic per application port. In traditional NetFlow, packet information is used to create

flows but this information is fixed and not configurable by the user. In traditional NetFlow

aggregation comes with the expense of lost information but in Flexible NetFlow the user can

actually track multiple sets of information to make sure all flow information in the network is

captured efficiently. In the above example the user only needs four NetFlow fields to track

application usage and this is contrasted to 7 fields in traditional NetFlow. In traditional NetFlow, the

user must track the 7 key fields and each field tracked leads to a greater number of flows.

An Example of Security Detection with Flexible Netflow

Flexible NetFlow is an excellent attack detection tool with capabilities to track all parts of the IPv4

header and even packet sections, and characterize this information into flows. It is expected that

security detection systems will listen to NetFlow data and upon finding an issue in the network,

create a virtual bucket or virtual cache that will be configured to track specific information and

pinpoint details about the attack pattern or worm propagation. The capability to create caches on

the fly with specific information combined with input filtering (ie: filtering all flows to a specific

destination) allows Flexible NetFlow to be a better security detection tool than current flow

technologies. It is expected common attacks such as port scans for worm target discovery and

worm propagation will be tracked in Flexible NetFlow. Let’s discuss a common simpler attack, in

which TCP flags are used to flood open TCP requests to a destination server (ie: SYN flood

attack). The attacking device will send a stream TCP SYN’s to a given destination address but

never send the ACK in response to the servers SYN-ACK as part of the TCP 3-way handshake.

The flow information needed for security monitor requires the tracking of three key fields:

destination address or subnet, TCP flags and packet count. The security device may be monitoring

White Paper

general NetFlow information and this data may trigger a detailed view of this particular attack. The

detailed Flow Monitor might include input filtering to limit what traffic is visible in the NetFlow cache

along with the tracking of the specific information to diagnose the TCP based attack. In this case,

the user may want to filter all flow information to the server destination address or subnet to limit

the amount of information the security server needs to evaluate. If the security detection server

decided it understood this attack, it might then program another virtual cache or bucket to export

payload information or sections of packets to take a deeper look at a signature within the packet.

The above is just one of many possible examples of how Flexible NetFlow can be used to detect

security incidents.

What are the Key Components Within Flexible Netflow?

NetFlow has a number of key components:

●

NetFlow cache

●

NetFlow Flow Record

●

Flow export timers

●

NetFlow export format

●

NetFlow server for collection and reporting

The NetFlow cache stores flow information. The Flow Record is created by inspecting a packet

and a description of packet information is added to the NetFlow cache as the Flow Record.

NetFlow exports or pushes flow information to the NetFlow reporting server. This is in contrast to

SNMP pull or the polling model to retrieve data. The Flow Records in the cache will expire or

terminate and be exported to a NetFlow collector and be used to create management reports. The

flows will expire based on timers and if the flow is inactive (no new packets and bytes for the flow)

it will be exported. Flow timers are discussed later in the document.

What is a Flexible NetFlow Key Field?

Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes.

These attributes are the IP packet identity or key fields for the flow and determine if the packet

information is unique or similar to other packets.

Traditionally, an IP flow is based on a set of seven IP packet attributes. This set of key fields is

tracked and if the set of values for these fields are unique, a new Flow Record is created in the

NetFlow cache.

All packets with the same source/destination IP address, source/destination ports, protocol,

interface and class of service are grouped into a flow and then packets and bytes tallied. This

methodology of flow characterization or determining a flow is scalable because a large amount of

network information is condensed into a database of NetFlow information called the NetFlow

cache. The NetFlow cache is associated with a flexible Flow Monitor capability that will be

discussed in more detail within this document. Figure 2 shows the basic components of NetFlow

including the flow key fields, NetFlow cache and reporting server.

Figure 2. Creating a Flow in the NetFlow Cache

剩余20页未读，继续阅读

评论收藏

内容反馈

sebastianchris

粉丝: 0
资源: 1

netflow协议详解

netflow 协议介绍

netflow_v9详解.pdf

configure netflow

论文研究-基于NetFlow的协议识别 .pdf

netflow技术白皮书

Cflow使用详解

ipt-netflow：适用于Linux内核的Netflow iptables模块（官方）

开源的NETFLOW分析工具支持v5,v9

netflow数据采集

Netflow数据分析

IP-NETFLOW等流量流向技术介绍

选一款好用的Netflow流量统计分析工具

netflow_v9：生锈的netflow v9数据包解析器

sflow java解析程序

netflow 网络流量模拟发送

Netflow v5 Collector-开源

netflow v5报文

卓豪NetFlow Analyzer网络流量监控软件

NetFlow Packet Dumper-开源

NetFlow管理用户手册

NFDUMP - Netflow processing tools:Netflow收集和处理工具-开源

FlowViewer:FlowViewer是基于Web的netflow数据分析工具。-开源

Netflow Simulator in C#-开源

IPNetFlow Accounting FlowTools-开源

FlowDoh:使用Netflow源的网络顶级发言人的仪表板-开源

解决Win 10与不兼容VirtualBox操作过程文档+（附带软件）.zip

计算机网络知识点总结(谢希仁第八版).pdf

Xshell软件(配色方案&amp;高亮关键字/突出显示集)的相关文件

H3C-iNode-PC-7.3-E0630

湖南科技大学《计算机网络》配套课件（PDF版）

最新资源

Xshell软件(配色方案&高亮关键字/突出显示集)的相关文件