
How to deploy NetFlow v5 and v9 probes and analyzers

Session data is one of the six kinds of network security monitoring (NSM) data available to detect and respond to intrusions, and for troubleshooting, measuring and operating your customers' networks. (The other forms of NSM data are alert, full content, statistical, transaction, and extracted content.) NetFlow is Cisco's preferred method for providing session data, although the open source community has software to generate and collect NetFlow records as well. In this article I will demonstrate how to deploy an open source NetFlow probe and an open source NetFlow collector, as well as briefly describe and compare NetFlow v5 and v9.

For demonstration purposes, I deployed Damien Miller's open source NetFlow probe Softflowd and Peter Haag's open source NetFlow collector/analyzer suite Nfdump on a FreeBSD 7.2 system. I installed Softflowd using the FreeBSD net-mgmt/softflowd 0.9.8 port, and I installed Nfdump from source using the nfdump-1.6b-snapshot-20090619.tar.gz snapshot.

To use NetFlow, you need three things: 1) a probe (exporter) to generate records; 2) a collector to accept and store them; and 3) an analyzer to read them. Keep in mind that NetFlow export is plain UDP with no authentication or integrity protection: anything that can reach the collector's port can inject records, and a dropped datagram is simply lost, so bind the collector to a management address that only the probes can reach and filter on the exporters' source addresses at the host firewall. For this article I will run two NetFlow probes in parallel and two NetFlow collectors in parallel, in order to show NetFlow v5 and NetFlow v9 in action.

1. First, I set up the two NetFlow collectors using Nfdump's nfcapd program.

I run the first nfcapd instance in one terminal, in the foreground (nfcapd stays in the foreground unless told to daemonize) so I can watch it if necessary. With -b I bind it to the host's own address, with -p 9995 I tell it to listen on UDP port 9995, and with -l I name the directory (/home/analyst/v5) where it saves what it receives.

fbsd7# /usr/local/nfdump-1.6b-snapshot-20090619/bin/nfcapd -b 192.168.201.128 -p 9995 -l /home/analyst/v5

In a second terminal, I start a second nfcapd instance and tell it to listen on port 9999 UDP while saving records to the /home/analyst/v9 directory.

fbsd7# /usr/local/nfdump-1.6b-snapshot-20090619/bin/nfcapd -b 192.168.201.128 -p 9999 -l /home/analyst/v9

2. For demonstration purposes, I start two NetFlow probes using softflowd.

I run the first softflowd instance in a third terminal and tell it to generate NetFlow v5 records (-v 5) from traffic seen on interface le0 (-i), exporting them (-n) to 192.168.201.128 port 9995 UDP, where my first nfcapd listens. -D keeps softflowd in the foreground with debugging output, and -T full tracks flows by the full address, port and protocol tuple.

fbsd7# softflowd -D -v 5 -i le0 -n 192.168.201.128:9995 -T full
softflowd v0.9.8 starting data collection
Exporting flows to [192.168.201.128]:9995
ADD FLOW seq:1 [192.168.201.1]:49552 <> [192.168.201.128]:22 proto:6
...edited...
Starting expiry scan: mode 0
Queuing flow seq:3 (0x28232160) for expiry reason 4
Queuing flow seq:4 (0x282321d0) for expiry reason 4
Queuing flow seq:5 (0x28232240) for expiry reason 5
Queuing flow seq:6 (0x282322b0) for expiry reason 4
Finished scan 4 flow(s) to be evicted
Sending v5 flow packet len = 264
sent 1 netflow packets
EXPIRED: seq:3 [192.168.201.128]:56465 <> [192.168.201.254]:67 proto:17 octets>:328 packets>:1 octets<:0 packets<:0 start:2009-08-14T16:03:27.715 finish:2009-08-14T16:03:27.715 tcp>:00 tcp<:00 flowlabel>:00000000 flowlabel<:00000000 (0x28232160) ...truncated...

I run the second softflowd instance in a fourth terminal and tell it to generate NetFlow v9 records, exporting them to 192.168.201.128 port 9999 UDP, where my second nfcapd listens.

fbsd7# softflowd -D -v 9 -i le0 -n 192.168.201.128:9999 -T full
softflowd v0.9.8 starting data collection
Exporting flows to [192.168.201.128]:9999
ADD FLOW seq:1 [192.168.201.1]:40477 <> [192.168.201.128]:22 proto:6
...edited...
Starting expiry scan: mode 0
Queuing flow seq:2 (0x282320f0) for expiry reason 4
Queuing flow seq:3 (0x28232160) for expiry reason 4
Queuing flow seq:4 (0x282321d0) for expiry reason 5
Queuing flow seq:5 (0x28232240) for expiry reason 4
Finished scan 4 flow(s) to be evicted
Flow 1/0: r 0 offset 159 type 0004 len 35(0x0023) flows 1
Flow 1/1: r 0 offset 190 type 0004 len 66(0x0042) flows 2
Flow 1/2: r 0 offset 221 type 0004 len 97(0x0061) flows 3
Flow 2/3: r 0 offset 283 type 0004 len 159(0x009f) flows 5
Sending flow packet len = 284
sent 1 netflow packets
EXPIRED: seq:2 [192.168.201.128]:56465 <> [192.168.201.254]:67 proto:17 octets>:328 packets>:1 octets<:0 packets<:0 start:2009-08-14T16:03:27.715 finish:2009-08-14T16:03:27.715 tcp>:00 tcp<:00 flowlabel>:00000000 flowlabel<:00000000 (0x282320f0) ...truncated...

3. After these records appear, I terminate all four programs with Ctrl-C. Each nfcapd has written what it received to rotated files (named nfcapd.YYYYMMDDhhmm, rotated every five minutes by default) in its -l directory, so I point the Nfdump analyzer, nfdump, at each directory with -R to read the v5 and v9 records.

First, we see the v5 results:

fbsd7# ./nfdump -R /home/analyst/v5
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2009-08-14 16:03:27.714     0.000 UDP    192.168.201.128:56465 ->  192.168.201.254:67           1      328     1
2009-08-14 16:03:27.717     0.000 UDP    192.168.201.254:67    ->  192.168.201.128:68           1      328     1
2009-08-14 16:03:27.717     0.000 ICMP   192.168.201.128:0     ->  192.168.201.254:3.3          1       56     1
2009-08-14 16:03:27.804     0.012 UDP      192.168.201.2:53    ->  192.168.201.128:56818        1       72     1
2009-08-14 16:03:27.804     0.012 UDP    192.168.201.128:56818 ->    192.168.201.2:53           1       72     1
2009-08-14 16:04:35.098     0.014 UDP      192.168.201.2:53    ->  192.168.201.128:62330        1       72     1
2009-08-14 16:04:35.098     0.014 UDP    192.168.201.128:62330 ->    192.168.201.2:53           1       72     1
...12 records edited...
Summary: total flows: 19, total bytes: 6852, total packets: 45, avg bps: 697, avg pps: 0, avg bpp: 152
Time window: 2009-08-14 16:03:27 - 2009-08-14 16:04:46
Total flows processed: 19, Blocks skipped: 0, Bytes read: 1044
Sys: 0.023s flows/second: 800.1 Wall: 0.005s flows/second: 3465.9

Next, we see the v9 results:

fbsd7# ./nfdump -R /home/analyst/v9
Date flow start          Duration    Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2009-08-14 16:03:26.743        0.000 UDP    192.168.201.128:56465 ->  192.168.201.254:67           1      328     1
2009-08-14 16:03:26.745        0.000 UDP    192.168.201.254:67    ->  192.168.201.128:68           1      328     1
2009-08-14 16:03:26.745        0.000 ICMP   192.168.201.128:0     ->  192.168.201.254:3.3          1       56     1
2009-08-14 16:03:26.844  4294967.284 UDP      192.168.201.2:53    ->  192.168.201.128:56818        1       72     1
2009-08-14 16:03:26.844  4294967.284 UDP    192.168.201.128:56818 ->    192.168.201.2:53           1       72     1
2009-08-14 16:04:34.138  4294967.283 UDP      192.168.201.2:53    ->  192.168.201.128:62330        1       72     1
2009-08-14 16:04:34.138  4294967.283 UDP    192.168.201.128:62330 ->    192.168.201.2:53           1       72     1
...12 records edited...
Summary: total flows: 19, total bytes: 6852, total packets: 45, avg bps: 0, avg pps: 0, avg bpp: 152
Time window: 2009-08-14 16:03:26 - 2009-10-03 09:07:32
Total flows processed: 19, Blocks skipped: 0, Bytes read: 908
Sys: 0.025s flows/second: 744.6 Wall: 0.004s flows/second: 4061.6

As you can see, both formats record, for each unidirectional flow, a start timestamp, a duration, source IP address and port, destination IP address and port, protocol, and packet and byte counts; the two sides of each DNS exchange (53 -> 56818 and 56818 -> 53) appear as separate records. This is the basic information that summarizes conversations on the network: no payload, but enough to see who talked to whom, when, and how much.

There's clearly a problem with the duration field for the last four v9 records shown, and with the summary's time window, which ends in October. The numbers say what went wrong: 4294967.284 s and 4294967.283 s are 2^32 - 12 ms and 2^32 - 13 ms, which match (to within a millisecond) the 0.012 s and 0.014 s durations v5 reports for the same flows, except with the sign flipped and wrapped in an unsigned 32-bit field. In other words, somewhere between probe and analyzer the v9 flow end timestamp ended up before the flow start timestamp. Note too that the v9 start timestamps are about a second earlier than the v5 ones for the very same packets. The purpose of this exercise was to demonstrate how to generate and collect NetFlow v5 and v9 records, but the result may actually be to demonstrate an issue with either Softflowd or Nfdump (in the versions used here). This is a good reminder to validate tools before relying upon them in production: feed them known traffic and cross-check the output against a second format or tool, as the v5 run did for the v9 run here.

The value of NetFlow v9
If we steer clear of the duration issue, however, the question remains: what is the value of NetFlow v9? The difference between the two formats is that v5 is a fixed format while v9 is defined by templates. A v5 record is always the same 48-byte layout of IPv4 addresses, next hop, interface indexes, 32-bit packet and byte counters, uptime-relative start and end times, ports, TCP flags, protocol, ToS, AS numbers and masks, so it cannot carry IPv6 addresses, MPLS labels, 64-bit counters or anything else. A v9 export instead sends template records describing the fields and lengths of the data records that follow, so the exporter can be configured to send exactly the fields the network or security administrator wants. Softflowd does not appear to support defining arbitrary flow templates on the probe side, but another NetFlow probe, like a Cisco router, would. Refer to Cisco's document NetFlow v9 Export Format, or RFC 3954, which documents the same format, for more information on v9 templates. On the open source collector side, Nfdump has extended its support for various templates, so that is an advantage of using newer versions of that suite. One caveat that follows from the template design: a collector can only decode a data record after it has seen the template it refers to, so a v9 collector started after the probe will silently decode nothing until the probe resends its templates (exporters resend them periodically, at an exporter-specific interval).
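To make the difference between the two formats, and the duration problem above, concrete, here is an added example (my code, not the article's, Softflowd's, Nfdump's or Cisco's) that builds and decodes a v5 packet and a v9 packet carrying the flows from the listings above, then computes durations the way a collector has to. The packets and flow values are constructed here, not captured: the v5 layout is the published fixed 24-byte header and 48-byte record (which is why Softflowd's five-record packet above was 24 + 5 x 48 = 264 bytes), and the v9 layout follows RFC 3954. The third constructed flow has its first/last timestamps reversed to reproduce the 4294967.284 s symptom: that value is 2^32 - 12 ms, the 12 ms DNS exchange from the v5 output with its sign flipped in an unsigned 32-bit field.

```python
"""NetFlow v5 (fixed format) and v9 (template-driven) export packet codec with a
duration check.  Added example, not code from the article, softflowd, nfdump or
Cisco; packets are constructed here from the article's listings, not captured."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes, IPv4 only
V9_HEADER = struct.Struct("!HHIIII")                   # 20 bytes (RFC 3954)
V9_FIELDS = {8: "src", 12: "dst", 7: "srcport", 11: "dstport", 4: "proto",
             2: "packets", 1: "octets", 22: "first", 21: "last"}  # RFC 3954 s.8
TEMPLATE_ID = 256                                      # data FlowSet IDs start at 256
TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (22, 4), (21, 4)]

# Constructed flows modelled on the article's listings; first/last are SysUptime ms.
# The third deliberately has last < first, which the 4294967.284 s durations imply.
FLOWS = [
    dict(src="192.168.201.128", dst="192.168.201.254", srcport=56465, dstport=67,
         proto=17, packets=1, octets=328, first=10000, last=10000),
    dict(src="192.168.201.2", dst="192.168.201.128", srcport=53, dstport=56818,
         proto=17, packets=1, octets=72, first=10090, last=10102),
    dict(src="192.168.201.128", dst="192.168.201.2", srcport=56818, dstport=53,
         proto=17, packets=1, octets=72, first=10102, last=10090),
]


def build_v5(records, uptime=60000, unix_secs=1250265807):
    # 24-byte header plus N fixed 48-byte records (5 records = 264 bytes, as on the page).
    hdr = V5_HEADER.pack(5, len(records), uptime, unix_secs, 0, 0, 0, 0, 0)
    return hdr + b"".join(V5_RECORD.pack(
        socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0" * 4, 0, 0,
        r["packets"], r["octets"], r["first"], r["last"], r["srcport"],
        r["dstport"], 0, 0, r["proto"], 0, 0, 0, 0, 0, 0) for r in records)


def build_v9(records, uptime=60000, unix_secs=1250265807, source_id=0):
    # Template FlowSet (ID 0) describing the record layout, then a data FlowSet using it.
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE)) + b"".join(
        struct.pack("!HH", t, n) for t, n in TEMPLATE)
    data = b"".join(socket.inet_aton(r["src"]) + socket.inet_aton(r["dst"]) +
                    struct.pack("!HHBIIII", r["srcport"], r["dstport"], r["proto"],
                                r["packets"], r["octets"], r["first"], r["last"])
                    for r in records)
    data += b"\0" * (-len(data) % 4)                   # pad the FlowSet to 32 bits
    return (V9_HEADER.pack(9, 1 + len(records), uptime, unix_secs, 0, source_id)
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data)


def parse_v5(pkt):
    version, count = V5_HEADER.unpack_from(pkt)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    return [dict(src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]), packets=f[5],
                 octets=f[6], first=f[7], last=f[8], srcport=f[9], dstport=f[10], proto=f[13])
            for f in (V5_RECORD.unpack_from(pkt, V5_HEADER.size + i * V5_RECORD.size)
                      for i in range(count))]


def parse_v9(pkt, templates):
    """templates is keyed by (source ID, template ID) and must outlive one packet: a data
    FlowSet whose template has not arrived yet (or an options FlowSet, ID 1) is skipped."""
    version, _, _, _, _, source_id = V9_HEADER.unpack_from(pkt)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    flows, off = [], V9_HEADER.size
    while off + 4 <= len(pkt):
        set_id, set_len = struct.unpack_from("!HH", pkt, off)
        body, off = pkt[off + 4:off + set_len], off + max(set_len, 4)  # never spin on len 0
        if set_id == 0:                                # template FlowSet, maybe several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif set_id >= 256 and (source_id, set_id) in templates:   # data FlowSet
            fields = templates[(source_id, set_id)]
            rec_len, p = sum(n for _, n in fields), 0
            while p + rec_len <= len(body):            # stops at the trailing padding
                rec = {}
                for ftype, n in fields:
                    raw, p = body[p:p + n], p + n
                    if ftype in V9_FIELDS:
                        rec[V9_FIELDS[ftype]] = (socket.inet_ntoa(raw) if ftype in (8, 12)
                                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
    return flows


def duration_ms(first, last):
    """Unsigned 32-bit SysUptime arithmetic: a genuine uptime wrap (every 49.7 days)
    still gives a small delta; last < first gives ~2**32 ms, the article's v9 symptom."""
    delta = (last - first) & 0xFFFFFFFF
    return None if delta > 0x7FFFFFFF else delta      # None: reject the record, do not store


def demo():
    v5, v9 = parse_v5(build_v5(FLOWS)), parse_v9(build_v9(FLOWS), {})
    return [(f["src"], f["srcport"], f["dst"], f["dstport"], f["proto"], f["packets"],
             f["octets"], duration_ms(f["first"], f["last"])) for f in v5 + v9]
```

demo() returns the same six tuples from both formats, with durations 0 ms, 12 ms and None for the reversed flow; a collector that stores (last - first) & 0xFFFFFFFF without the sign check stores exactly the 4294967284 ms seen in the v9 listing. The other v9 behaviour worth noticing is the template cache: feeding parse_v9 a packet whose template FlowSet has been cut out yields no flows at all, which is what a collector started after the probe sees until the next template refresh.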

Beyond NetFlow v9, the IETF has standardized the Internet Protocol Flow Information Export (IPFIX) protocol (RFC 5101) using NetFlow v9 as the base: it keeps the template model, uses version number 10 in the packet header, and adds variable-length fields and an enterprise bit for vendor-specific information elements. The University of Waikato is building an IPFIX probe (called a "meter" in IPFIX-speak) called Maji. However, it only includes very simple IPFIX collectors with its suite, and no analyzers are bundled.

Cisco also appears to be pushing ahead with its new technology called Flexible NetFlow, which I first mentioned on my blog in 2006. Some commercial vendors appear to be working with Cisco to leverage this enhancement, which has the potential to turn FNF-capable devices into packet inspection and classification engines. Thus far, I have not seen any open source FNF implementations, since even NetFlow v9 has not yet been adopted by many organizations.

Richard Bejtlich is the founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.


This was first published in September 2009
