Viewing NetFlow “in the raw” with Flexible NetFlow
I've been hard at work lately on the lab portion of Lancope's 2010 NetFlow 101 Bootcamp seminars. A major portion of the class is on setting up Flexible NetFlow in Cisco IOS.
One part of the lab involves actually viewing NetFlow "in the raw" as the flows are active in the router's cache. The old show ip cache flow command that was used with traditional NetFlow (v5) in older versions of IOS doesn't show a Flexible NetFlow monitor's cache. The command we use to show raw Flexible NetFlow is:
R6# show flow monitor NAME cache format table
Where "NAME" is the name of the flow monitor containing the flows of interest. See this post for more info on the FnF flow monitor command, and this link for details on configuring FnF.
The trouble with FnF's table output format is that it's too wide. The FnF devs made the formatting robust enough to automatically include every match or collect field you've specified in your record, so each extra field adds another column.
Lancope's standard Flexible NetFlow record looks something like...
!
flow record lancope1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 dscp
collect ipv4 ttl minimum
collect ipv4 ttl maximum
collect transport tcp flags
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
collect interface output
!
Which just barely fits on my 15" MacBook Pro shown with IOS 12.4(20)T...
If I add any more fields to my record the output will simply be too large for my display, but at this font size and screen width the NetFlow record fits quite nicely. If you're using a Mac I encourage you to right click in the terminal window and select "Show Inspector".

This will bring up a list of alternative viewing presets, some of which make the text easier to read. Here's another example of the above output shown in "Novel". I'm not sure which I like better really, but both are better than black on white or green on black, especially when the font is really small.
So here's a practical use for viewing NetFlow in the raw. This massive screenshot shows a full page of port 80 scanning originating from 24.99.24.213 destined for the Lancope honeynet. Note the obvious pattern called out in red...
Here's what the resulting scanning events look like in the StealthWatch GUI. Each event shown below raises "Concern Index" points for the suspicious host which eventually leads to an alarm...
And here's what the actual scan flows look like in StealthWatch. Scans are easy to spot. Note the "Server Total" column has no bytes while the "Client Total" column has "128": the client sent its probes and the server side of each flow never sent a byte back. These are open air scans on port 80.
While the FnF table view is quick and dirty, I prefer StealthWatch's Flow Table view. But when you have no StealthWatch this is certainly a way to see flows in near real time. Plus you'll always see a flow in the router before you can see it in your flow collector (by about 60 seconds at the most). The exact lag is set by the monitor's cache timeout active and cache timeout inactive values, because a record is only exported once its cache entry ages out.
The Mac's built-in "Terminal.app" is definitely the best shell for this kind of CLI view. I can't imagine how the FnF table view would look in PuTTY or, worse yet, a cmd.exe shell.