Thursday, May 21, 2009

Introduction to NetFlow

NetFlow is a technology that lets a router export information about the traffic passing through it to a collector for analysis. The analysis might be real-time, such as detecting a denial-of-service attack while it is happening, or historical, such as viewing trending information.

NetFlow is concerned with flows. A flow is a unidirectional stream of packets between a source and a destination, identified by the source and destination addresses, the ports, and the protocol. The router is already caching this information to support its routing/switching function; NetFlow is simply an export of that cache.

If you SSH to a server, that generates two flows: one from your ephemeral port to port 22 on the server, and one from port 22 on the server back to your ephemeral port. Pairing the two directions back into a session is the collector's job, not the router's.

The analysis available with NetFlow is finer-grained than what you get from SNMP interface counters. A flow record contains the start and end time of the flow, the source and destination IP addresses and ports, the protocol, the number of packets and bytes transferred, and autonomous system (AS) information (if the router is running BGP). There are other fields, such as the cumulative TCP flags seen on the flow, QoS/ToS marking, and optional vendor-specific fields, but the above gives us enough to proceed.

I've been playing with NetFlow for a while and have generated various reports. Every time I do something I seem to be starting from scratch, so I'm going to formalize my work on this blog. At the moment I am working on two NetFlow-related projects. The first is to figure out the breakdown of protocols over our WAN. The second is to analyze our Internet usage, analyze peering, and detect DDoS traffic patterns in near real time, or on an ad-hoc basis. I use the flow-tools package for Linux, along with some shell/perl/ruby scripting.
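To make the earlier points concrete, the following Python is added here as an example; it is not code from the original post or from the flow-tools package. It folds constructed packets into unidirectional flow records the way a router's flow cache does (so the SSH session above yields exactly two flows, each carrying the fields listed earlier), then runs a simple SYN-flood check over those records of the kind the second project calls for: destinations that receive SYN-only TCP flows from many distinct sources. Assumptions: the flow key is simplified to addresses, ports and protocol (real NetFlow v5 also keys on ToS and input interface), and every packet below is constructed sample data, not a capture.

```python
"""Flow aggregation in the NetFlow sense, with a SYN-flood check run over
the resulting flow records. Added example, not from the original post or
from flow-tools. All traffic below is constructed."""
from collections import namedtuple
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP = 6

# One packet as a router would see it. Times in seconds, lengths in bytes.
Packet = namedtuple("Packet", "ts src dst proto sport dport length flags")


@dataclass
class Flow:
    """What the router caches per flow and later exports as a flow record."""
    first: float       # time of the first packet
    last: float        # time of the most recent packet
    packets: int = 0
    octets: int = 0
    flags: int = 0     # cumulative OR of TCP flags seen, as NetFlow v5 exports it


def flow_key(p):
    """Simplified flow key (assumption: real NetFlow v5 also keys on ToS and
    input interface). Direction matters: A->B and B->A are different flows."""
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def aggregate(packets):
    """Fold packets into unidirectional flow records keyed by flow_key()."""
    flows = {}
    for p in packets:
        key = flow_key(p)
        f = flows.get(key)
        if f is None:
            flows[key] = Flow(first=p.ts, last=p.ts, packets=1,
                              octets=p.length, flags=p.flags)
        else:
            f.last = max(f.last, p.ts)
            f.packets += 1
            f.octets += p.length
            f.flags |= p.flags
    return flows


def syn_flood_targets(flows, min_sources=3):
    """Return {(dst, dport): distinct_sources} for destinations receiving TCP
    flows that carry SYN but never ACK from at least min_sources sources.
    A completed handshake puts SYN|ACK into the client's flow, so normal
    sessions are excluded; SYN-only flows from many sources suggest a flood."""
    sources = {}
    for (src, dst, proto, sport, dport), f in flows.items():
        if proto == TCP and (f.flags & SYN) and not (f.flags & ACK):
            sources.setdefault((dst, dport), set()).add(src)
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}


# Constructed sample traffic: one SSH session, client C to server S.
C, S = "10.0.0.5", "192.0.2.10"
SSH_PACKETS = [
    Packet(0.00, C, S, TCP, 51234, 22, 60, SYN),
    Packet(0.01, S, C, TCP, 22, 51234, 60, SYN | ACK),
    Packet(0.02, C, S, TCP, 51234, 22, 52, ACK),
    Packet(0.05, C, S, TCP, 51234, 22, 200, PSH | ACK),
    Packet(0.06, S, C, TCP, 22, 51234, 900, PSH | ACK),
    Packet(1.00, C, S, TCP, 51234, 22, 52, FIN | ACK),
    Packet(1.01, S, C, TCP, 22, 51234, 52, FIN | ACK),
]

# Constructed SYN flood: four spoofed sources hit port 80, nothing answers.
FLOOD_PACKETS = [
    Packet(2.000 + i / 1000, "198.51.100.%d" % (i + 1), S, TCP, 40000 + i, 80, 40, SYN)
    for i in range(4)
] + [Packet(2.500, "198.51.100.1", S, TCP, 40000, 80, 40, SYN)]  # retransmit, same flow


if __name__ == "__main__":
    flows = aggregate(SSH_PACKETS + FLOOD_PACKETS)
    for (src, dst, proto, sport, dport), f in sorted(flows.items(),
                                                     key=lambda kv: kv[1].first):
        print("%-14s:%-5d -> %-14s:%-5d pkts=%d octets=%d flags=0x%02x dur=%.2fs"
              % (src, sport, dst, dport, f.packets, f.octets, f.flags, f.last - f.first))
    print("SYN flood targets:", syn_flood_targets(flows))
```

Run as a script, it prints six flow records (two for the SSH session, four for the flood, the retransmitted SYN folding into its existing flow) and reports 192.0.2.10:80 as a target with four distinct sources. On real exports the same check would run over flow-tools output rather than constructed packets, and the threshold would be tuned to the site's normal rate of half-open connections.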

Source: http://ccnprecertification.com