Using NetFlow for Anomaly Detection in Operational Networks
1 Using NetFlow for Anomaly Detection in Operational Networks. Maurizio Molina (DANTE). 1st COST TMA PhD Winter School, Torino, 10th Feb 2010
2 General Outline Introduction to IP flows IP flow monitoring systems and standards Understanding sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
3 Part 1/6 Introduction to IP flows What are they? How are they measured? What applications use these measurements? IP flow monitoring systems and standards Understanding Sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
4 IP flows. IP flows are groups of IP packets sharing a common characteristic, e.g. IP src/dst address, src/dst ports, transport layer protocol, Type Of Service (TOS) field. Flows can be long lasting or have a limited lifetime, and packets may belong to more than one flow.
5 Measurement category. IP flow monitoring is a single point, passive network measurement: routers just observe and report info about transiting flows. The receiver of IP flow info is called Collector.
6 IP flows measurement. Flows can be long lasting or have a limited lifetime, and packets may belong to more than one flow. Reported flow information: what (src IP, dst IP, ports), when (start time, end time), # packets, # bytes, other. The info is reported at flow end, and periodically for long lasting flows.
7 Information obtained by IP flow monitoring. It's time and volume summary information: no inter-pkt arrival times, no single pkt sizes. All you have is a labelled brick in the time/pkt size plane: Tstart, Tend, # packets, # bytes (hence average bytes/pkt and average bytes/s or pkts/s), src IP, dst IP, ports, protocol. Its width is the duration, its area the volume.
8 So what can you do? Compose bricks having common features and build traffic profiles (bytes/s over time, e.g. in 5 min. bins): overall, or selective (e.g. from Subnet X to Subnet Y, or from Server Z on port 80 to any address). Possibly, work with discrete time bins: flow contained in a single bin => no problems; flow spanning multiple bins => split bytes and packets linearly.
9 Applications using IP flow info. Network Planning. Discovery of network usage and application patterns: who talks to whom (e.g. AS/AS matrices); what applications are used (if they can be recognised: traditional IP flow monitoring just goes up to Layer 4). Traffic Engineering. Billing / Accounting. Anomaly Detection. Security. Network Operations.
10 Applications using IP flow info (cont.) Application and time granularity (the slide also compared space granularity): Traffic Engineering (minutes); Billing / Accounting (minutes-months); Network Planning (months); Security (minutes-days); Discovery of usage and application patterns (months).
11 Part 2/6 Introduction to IP flows IP flow monitoring systems and standards Architecture Standards and their evolution Understanding Sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
12 General architecture of an IP flow monitoring system. Meter: filters packets, timestamps them and associates pkts to flow(s). Flow cache: creates/removes/updates flow records (flow key, flow start time, flow last update time, # pkts, # bytes, ...). Exporter: reads the flow cache, prepares and sends export packets (export header + flow info records) in Netflow v5/v8/v9 or IETF IPFIX format. Meter, flow cache and exporter are router functionality or a dedicated probe. Collector: receives export packets, stores them (database) and interfaces to applications (analysis tools).
13 Cisco Netflow: origin and evolution. 1996: initially designed at Cisco (Darren Kerr and Barry Bruins) as a switching path speedup; then realized that per-flow information had also other value (netflow/nfwhite.html). v5: first widely implemented version; fixed export format, no aggregation: each flow is reported separately. v7: specific to 6500 and 7600 switches. v8: 11 possible aggregation schemas. v9: flexible aggregation (template based); chosen as baseline for IPFIX.
14 Netflow: other Given names Juniper cflowd (v5, v8, v9) Huawei Netstream (v5, v8, v9) Avici Supports v5 and v9 Alcatel Supports v5 and v8
15 Netflow record content. What info can flow records contain? Flow signature, volume and duration, pkt treatment in the router. What identifies a flow record? Src IP, dst IP, src port, dst port, protocol, input if, TOS are key fields: the 5-tuple (most common definition) or the 7-tuple. Source: Cisco
16 Comments on Netflow record fields. Start and end times are relative to the first and last flow's packet (not to the record's export time). TCP flags (S,F,A,P,U,R) are cumulative for the flow. AS can be either src/dst (origin-as) or prev/next (peer-as), not both! It's a configuration option. It's obtained in the router via a routing lookup (it's not in the IP packets)! Example (source: Cisco): a Netflow enabled router in AS 104 on the path AS 101 - AS 102 - AS 103 - AS 104 - AS 105 - AS 106. If origin-as is configured, it will report Src AS->101, Dst AS->106; if peer-as is configured, it will report Src AS->103, Dst AS->105.
17 Controlling the exporting. Four conditions govern the expiration of flows from the flow cache (and their exporting). Inactive timeout: if a flow has not been updated for more than IA_tout sec., export it. Active timeout: if a flow was created more than A_tout sec. ago, export it. End of flow detected: works for TCP only (FIN or RST pkt). Internal flow cache management: if the flow cache has more than X flows, or is more than Y% full, start exporting flows.
18 Controlling the exporting (cont.) Inactive timeout: if too small, it will split the same flow into several records; flows with a low pkt rate R are more at risk, namely when 1/(R·S) > IA_tout (S: sampling rate). If too high, too many flows in the cache: the number of flows N in the cache is the ratio between the service time (flow duration + IA_tout, dominated by IA_tout) and the flow inter-arrival time. Typical values of IA_tout: 10s-60s.
19 Controlling the exporting (cont.) Active timeout: it will periodically report info about the same flow. If too small: more burden to collect/process the info; not clear any more what a flow is. If too high: collectors working on discrete time slots need to go back in time; will break some implementations. Typical values of A_tout: 5min-30min.
20 Common configuration commands
Cisco (CLI):
  ip flow-export version <version> [origin-as | peer-as | bgp-nexthop]
  ip flow-export destination <address> <port>
  ip flow-cache timeout inactive <seconds>
  ip flow-cache timeout active <minutes>
  ip flow-cache entries <number>
Juniper (conf-file):
  cflowd collector-host-address {
      autonomous-system-type (origin | peer);
      port port-number;
      version version-number;
      (local-dump | no-local-dump);
  }
21 Visualizing the configuration and flow cache on routers. Cisco: show ip cache [verbose] flow (shows flow cache configuration and statistics, and flow details); show ip flow export (shows exporting process statistics). Juniper: show configuration forwarding-options sampling (shows flow collection configuration); monitor start sampled (equivalent of the unix tail -f command on a file where the flow records are dumped; not advised to create this file in production, because of the additional load on the Routing Engine).
22 Netflow v5. Most commonly deployed version. Fixed format. Flow records exported in UDP packets, 30 flow records in a 1500 bytes pkt. Netflow v5 record content (source: Cisco):
Field      Bytes  Description
srcaddr    0-3    Source IP address
dstaddr    4-7    Destination IP address
nexthop    8-11   Next hop router's IP address
input      12-13  Ingress interface SNMP ifindex
output     14-15  Egress interface SNMP ifindex
dpkts      16-19  Packets in the flow
doctets    20-23  Octets (bytes) in the flow
first      24-27  SysUptime at start of the flow
last       28-31  SysUptime at the time the last packet of the flow was received
srcport    32-33  Layer 4 source port number or equivalent
dstport    34-35  Layer 4 destination port number or equivalent
pad1       36     Unused (zero) byte
tcp_flags  37     Cumulative OR of TCP flags
prot       38     Layer 4 protocol (e.g. 6=TCP, 17=UDP)
tos        39     IP type-of-service byte
src_as     40-41  Autonomous system number of the source, either origin or peer
dst_as     42-43  Autonomous system number of the destination, either origin or peer
src_mask   44     Source address prefix mask bits
dst_mask   45     Destination address prefix mask bits
pad2       46-47  Unused (zero) bytes
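A decoder for the fixed v5 layout above (24-byte header, 48-byte records), added here as an example and not part of the original slides; the export packet it parses is constructed in the code, not captured from a router, and the sampling mode bits in its header are set arbitrarily.

```python
"""Parser for NetFlow v5 export packets: 24-byte header + 48-byte records with the byte offsets
of the table above. Added example; the sample packet is constructed, not captured."""
import ipaddress
import struct
from dataclasses import dataclass

HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr ... pad2, exactly the 48-byte layout of the table
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # 24 + 30*48 = 1464 bytes fits a 1500-byte packet

# Cumulative TCP flag bits, printed in the order used on slide 16 (S,F,A,P,U,R).
TCP_FLAGS = (("S", 0x02), ("F", 0x01), ("A", 0x10), ("P", 0x08), ("U", 0x20), ("R", 0x04))


@dataclass
class FlowRecord:
    src: str
    dst: str
    nexthop: str
    input_if: int
    output_if: int
    dpkts: int
    doctets: int
    first: int        # SysUptime (ms) of the first packet of the flow
    last: int         # SysUptime (ms) of the last packet of the flow
    srcport: int
    dstport: int
    tcp_flags: int
    prot: int
    tos: int
    src_as: int
    dst_as: int
    src_mask: int
    dst_mask: int

    def duration_ms(self) -> int:
        """Flow duration; 0 for a single-packet flow (first == last)."""
        return self.last - self.first

    def avg_bytes_per_pkt(self) -> float:
        return self.doctets / self.dpkts

    def flags_str(self) -> str:
        """Decode the cumulative OR of TCP flags, e.g. 0x02 -> 'S', 0x1B -> 'SFAP'."""
        return "".join(name for name, bit in TCP_FLAGS if self.tcp_flags & bit)


def parse_v5(packet: bytes):
    """Return (header dict, list of FlowRecord); raise ValueError on a malformed packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 packet (version {version})")
    if count > MAX_RECORDS or len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match packet length")
    header = {
        "version": version, "count": count, "sys_uptime": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_sequence,
        "engine_type": engine_type, "engine_id": engine_id,
        # top 2 bits: sampling mode, low 14 bits: sampling interval N of the 1:N sampling
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append(FlowRecord(
            src=str(ipaddress.IPv4Address(f[0])), dst=str(ipaddress.IPv4Address(f[1])),
            nexthop=str(ipaddress.IPv4Address(f[2])), input_if=f[3], output_if=f[4],
            dpkts=f[5], doctets=f[6], first=f[7], last=f[8], srcport=f[9], dstport=f[10],
            tcp_flags=f[12], prot=f[13], tos=f[14], src_as=f[15], dst_as=f[16],
            src_mask=f[17], dst_mask=f[18]))
    return header, records


def build_v5_packet(records, sys_uptime=600_000, unix_secs=1_265_760_000, flow_sequence=1, sampling_interval=100):
    """Constructed export packet for exercising the parser (sampling mode bits arbitrarily set to 1)."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0, flow_sequence, 0, 0,
                         (1 << 14) | sampling_interval)
    body = b"".join(
        struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                    ipaddress.IPv4Address(nh).packed, iif, oif, pk, by, first, last, sp, dp,
                    0, flags, prot, 0, sas, das, smask, dmask, 0)
        for (src, dst, nh, iif, oif, pk, by, first, last, sp, dp, flags, prot, sas, das, smask, dmask) in records)
    return header + body


# Constructed sample: a single-packet SYN-only flow (the pattern slide 75 associates with SYN
# floods) and a complete TCP connection whose cumulative flags are S, F, A and P.
SAMPLE_PACKET = build_v5_packet([
    ("192.0.2.10", "198.51.100.5", "203.0.113.1", 3, 7, 1, 40, 599_000, 599_000, 40321, 80, 0x02, 6, 64496, 64497, 24, 24),
    ("192.0.2.20", "198.51.100.9", "203.0.113.1", 3, 7, 12, 6000, 590_000, 598_500, 51000, 443, 0x1B, 6, 64496, 64497, 24, 24),
])

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE_PACKET)
    print(f"v{hdr['version']} packet, {hdr['count']} records, sampling 1:{hdr['sampling_interval']}")
    for r in flows:
        print(f"{r.src}:{r.srcport} -> {r.dst}:{r.dstport} proto {r.prot} flags {r.flags_str():5s} "
              f"pkts {r.dpkts:3d} bytes {r.doctets:5d} avg {r.avg_bytes_per_pkt():6.1f} B/pkt dur {r.duration_ms()} ms")
```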
23 Netflow v7 and v8. v7: specific to 6500 and 7600 switches; similar to v5, but without AS, interface, TCP flag and ToS info. v8: goal is to reduce the exported information, and the primary flow cache size, with aggregation; 11 aggregation schemes: AS, Destination-Prefix, Prefix, Protocol-Port, Source-Prefix, AS-ToS, Destination-Prefix-ToS, Prefix-ToS, Protocol-Port-ToS, Source-Prefix-ToS, Prefix-Port. Source: Cisco
24 Netflow v9. Previous versions all have a fixed export format. To overcome the fixed format, one could always export type, length, value (a lot of overhead!), or separate type and length from value: templates specify the type and length of the carried info, and just the data is exported in Data Flow Sets. Each Data Flow Set is preceded by an identifier pointing to the template needed for its decoding. If templates are lost, data flow sets cannot be decoded! v9 can run over multiple transports (not just UDP). Source: Cisco
25 IPFIX. IETF standard, chartered in 2002 to "find or develop a basic common IP Traffic Flow measurement technology to be available on (almost) all future routers". Netflow v9 selected as a baseline for IPFIX, but without backward compatibility constraints. Cisco is the driving force behind IPFIX, but other vendors (NEC, Hitachi) are active (or observing). Status: main RFCs approved; read RFC 5470 (architecture) first and then RFC 5101 (protocol). But not widely implemented and used yet.
26 IPFIX: what's new. Formal definition of a large number of information elements to carry the elementary information (a big extension of the v5 table shown before), e.g. absolute and delta counters, timestamps with [s], [ms], [µs], [ns] resolution. Possibility to extend it and to define enterprise specific information elements. Options templates and options flow records can be used to export configuration information about the metering process.
27 IPFIX: what's new (cont.) IPFIX can use the Stream Control Transmission Protocol (SCTP, RFCs 2960, 3309, 3758), TCP or UDP as transport protocols. Debate in the IETF, because UDP is not congestion aware; TCP is heavy for line cards and exposes to Head of Line blocking; SCTP is new and not widely implemented. PR-SCTP is the preferred transport because it is congestion aware but with a simpler state machine than TCP. An SCTP association can contain multiple streams. At minimum, an IPFIX implementation MUST have two associations, one for data and one for templates: reliable transport for templates, partly reliable (e.g. limited no. of retransmissions) for data.
28 IPFIX: what's new (cont.) Simple devices can still use UDP as a transport, but templates must then be periodically refreshed. Security: if TCP is the transport, use TLS; if UDP or SCTP, use DTLS. But mature implementations of DTLS over SCTP are missing, therefore either use TLS over TCP, or use DTLS but without reliability. Always use mutual X.509 certificate based authentication.
29 Part 3/6 Introduction to IP flows IP flow monitoring systems and standards Understanding Sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
30 Sampling. Most routers do deterministic 1:N sampling. As long as there are a lot of flows, this is similar to randomly sampling the packets of every single flow with probability S=1/N. Sampling is independent of pkt size.
31 Re-normalization. Packets: multiply by N; it's an unbiased estimator. Bytes: multiply by N; it's correct as long as the sampled packet population well represents the bytes/pkt distribution. Flows: multiplying by N is wrong! No easy and universal formula (afaik). See N. Hohn, D. Veitch, "Inverting sampled traffic", IEEE/ACM Transactions on Networking, Vol. 14, Issue 1 (Feb. 2006); N.G. Duffield, "Sampling for Passive Internet Measurement: A Review", Statistical Science, Vol. 19, No. 3.
32 Practical sampling questions. I counted h sampled packets for a flow, with a sampling rate of S; I estimate H=h/S packets in the unsampled flow. How precise is this? => estimation of pkts in a flow problem. A lot of (similar) flows have only one or few sampled packets. What was their original size? How many flows were missed? => estimation of no. of flows problem.
33 Estimation of no. of packets in a flow. The issue is to control the precision of the re-normalization.
S = sampling rate (e.g. 1/1000)
H = true number of packets in a flow
h = sampled packets of a flow
N = true overall number of packets
n = number of overall sampled packets
Ĥ = h/S, estimated number of packets in a flow
p = H/N, true proportion of the pkts of a flow in the overall pkts
p' = h/n, estimated proportion of the pkts of a flow in the overall pkts
Result: Ĥ - v < H < Ĥ + v, where v = z_(1-α/2) · sqrt(h · (1 - p')) / S
p is unknown => worst case assumption p' = 0, i.e. v = z_(1-α/2) · sqrt(h) / S
Source: T. Zseby - Deployment of Sampling Methods for SLA Validation with Non-Intrusive Measurements [2002]
34 Estimation of no. of packets in a flow (cont.) Absolute error: grows with Ĥ. Relative error: decreases with Ĥ. S=1/100: at least 400 sampled packets are needed for a rel_error<10%; in a 5 min bin, only flows with a real rate>133 pk/s fulfil this. So, beware of estimates for low rate flows: consider them as qualitative.
35 Estimation of no. of flows. General problem very difficult. Practical problem of interest: how many (short) flows F were there, if I sampled f flows? Assuming all flows of interest have the same size N, I first need P_FS(flow sampled | N) = 1 - (1-S)^N. Then I could use P_FS for estimating F = f / P_FS and adapt the formulas shown before for estimating the error. But P_FS depends on N, which is unknown!
36 Estimation of no. of flows (cont.) I could estimate N from the first points (k=1,2,3,...) of the empirical distribution of the f sampled flow sizes:
P(k | k>0, N) = P(k | N) / P(k>0 | N) = [N! / (k! (N-k)!)] · S^k · (1-S)^(N-k) / (1 - (1-S)^N)
E.g. S=1/100:
k    N=2      N=3      N=4      N=10
1    99.50%   99.00%   98.50%   95.54%
2    0.50%    1.00%    1.49%    4.34%
3    -        0.00%    0.01%    0.12%
Tricky, isn't it? Values are so close.
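The estimators of slides 33 to 36 worked through in code, as an added example that is not part of the original slides: the confidence bound on a re-normalised packet count (with the 400-packet / 133 pk/s figures of slide 34 falling out for z=2), the P(k | k>0, N) table of slide 36, and a maximum-likelihood fit of N from sampled flow sizes, which is one way to close the gap slide 35 points out; the observed sizes fed to it are constructed.

```python
"""Sampling estimators from slides 33-36: confidence bound on the re-normalised packet count of a
flow, and estimation of the flow size N and the true flow count F from sampled flow sizes.
Added example, not from the original slides; it uses only the symbols defined there."""
import math
from collections import Counter

Z_95 = 1.96   # z_(1-alpha/2) for a 95% two-sided interval


def packet_estimate(h: int, S: float, p_prime: float = 0.0, z: float = Z_95):
    """Return (H_hat, v): H_hat = h/S and the half-width v = z*sqrt(h*(1-p'))/S.
    p' = 0 is the worst case used on slide 33 when the proportion is unknown."""
    H_hat = h / S
    v = z * math.sqrt(h * (1.0 - p_prime)) / S
    return H_hat, v


def relative_error(h: int, p_prime: float = 0.0, z: float = Z_95) -> float:
    """v / H_hat = z*sqrt(1-p')/sqrt(h): independent of S, shrinking with the sampled count."""
    return z * math.sqrt(1.0 - p_prime) / math.sqrt(h)


def min_sampled_packets(rel_err: float, z: float = Z_95) -> int:
    """Smallest h with relative_error(h) <= rel_err, i.e. ceil((z/rel_err)^2)."""
    return math.ceil((z / rel_err) ** 2)


def min_rate_for_precision(rel_err: float, S: float, bin_seconds: float, z: float = Z_95) -> float:
    """Unsampled packet rate (pkt/s) a flow needs so that one bin yields min_sampled_packets."""
    return min_sampled_packets(rel_err, z) / S / bin_seconds


def p_flow_sampled(N: int, S: float) -> float:
    """P_FS(flow sampled | N) = 1 - (1-S)^N: probability that a flow of N packets shows up at all."""
    return 1.0 - (1.0 - S) ** N


def p_sampled_size(k: int, N: int, S: float) -> float:
    """P(k | k>0, N): a flow of N packets that was seen shows exactly k sampled packets."""
    if k < 1 or k > N:
        return 0.0
    return math.comb(N, k) * S**k * (1.0 - S) ** (N - k) / p_flow_sampled(N, S)


def estimate_N(sampled_sizes, S: float, N_max: int = 1000) -> int:
    """Maximum-likelihood N for the observed sampled sizes k (all flows assumed to have the same size)."""
    counts = Counter(sampled_sizes)
    best_N, best_ll = None, -math.inf
    for N in range(max(counts), N_max + 1):
        ll = sum(c * math.log(p_sampled_size(k, N, S)) for k, c in counts.items())
        if ll > best_ll:
            best_N, best_ll = N, ll
    return best_N


def estimate_flow_count(sampled_sizes, S: float):
    """Estimate N, then F = f / P_FS(N) where f is the number of sampled flows."""
    N = estimate_N(sampled_sizes, S)
    f = len(sampled_sizes)
    return N, f / p_flow_sampled(N, S)


if __name__ == "__main__":
    S = 1 / 100
    print(f"rel. error 10% needs h >= {min_sampled_packets(0.10)} sampled packets, "
          f"i.e. >= {min_rate_for_precision(0.10, S, 300):.0f} pkt/s over a 5 min bin")
    for k in (1, 2, 3):
        print(f"k={k}: " + "  ".join(f"N={N}: {100 * p_sampled_size(k, N, S):6.2f}%" for N in (2, 3, 4, 10)))
    # Constructed observation: 1000 sampled flows of a 10-packet population at 1:100 sampling.
    observed = [1] * 955 + [2] * 44 + [3] * 1
    N_hat, F_hat = estimate_flow_count(observed, S)
    print(f"f={len(observed)} sampled flows -> N~{N_hat}, F~{F_hat:.0f} original flows")
```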
37 Part 4/6 Introduction to IP flows IP flow monitoring systems and standards Understanding Sampling An example deployment: GÉANT The Network NetFlow collection setup The traffic view given by NetFlow (and routing) data Using IP flows for network Anomaly Detection Preparing for the lab
38 GÉANT. Operates a transit network serving European NRENs. Publicly funded (EU, Governments). Existing since the early '90s; history of research networking: evolution of RARE, COSINE, EuropaNET, TEN-34, TEN-155. 18 POPs in Europe; 10 Gbps links almost everywhere, already multiple 10G in parallel in some locations; trialling 40 Gbit/s. Both unusual research traffic & commodity traffic: commodity traffic via two transit providers (Telia & GBLX); intercontinental peerings with other research networks (Abilene, Canarie, ESNET, SINET, etc.).
39 GÉANT Peerings view
40 Netflow collection in GÉANT In GÉANT2, we collect Netflow v5 at every peering point with an external Autonomous System We use 1/100 sampling overall GEANT traffic is Gbit/s This produces, with 1/100 pkt sampling, sampled Kflow/s and an overall Netflow traffic to the collector of Mbit/s Several Gbytes/day of disk space are needed to store flow records
41 NetFlow processing tools in GÉANT. Two Netflow processing tools are currently in use in GÉANT: NfSen (by Peter Haag), open source, processes NetFlow only; NetReflex (by Guavus Inc.), commercial, selected after a trial with two other tools, processes NetFlow, BGP and IS-IS (or OSPF). There are a lot of other Netflow processing tools:
42 NetReflex: a network wide traffic view. Suppose there's a communication (flow) from Athens to London, taking a certain path in GÉANT.
43 NetReflex: a network wide traffic view (cont.) With NetFlow only, I just know the entry point of that traffic (Athens)
44 NetReflex: a network wide traffic view (cont.) With NetFlow + BGP, I know the entry and exit points (Athens, London)
45 NetReflex: a network wide traffic view (cont.) With NetFlow + BGP + IS-IS, I know the entry and exit points, and the path in the network (Athens, Vienna, Milan, Geneva, Paris, London)
46 Clicking on a link you get the traffic contributed on that link by every Node to Node pair in the network NetReflex: detailed link level traffic view
47 NetReflex: traffic matrix view Node to Node traffic matrix Ordered by decreasing or increasing traffic Clickable time series
48 Part 5/6 Introduction to IP flows IP flow monitoring systems and standards Understanding Sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
49 Anomaly Detection. What is an Anomaly? An unusual peak of traffic? A traffic drop? A day not abiding to the normal weekly pattern? Traffic focused on certain parts of the network/hosts/ports? A new application generating different traffic patterns? Here comes the tool choice!
50 A Visual example (NfSen graph) Overall traffic entering GÉANT
51 A Visual example (NfSen graph) - cont. Zooming in on 1 router and on UDP traffic only...
52 The essence of Network AD. In the previous example there was a daily and weekly cycle, and a peak, evident on the disaggregate traffic but similar to a statistical variation on the overall traffic. In essence, a Network AD approach must differentiate what is normal and what is not, at some aggregation level, trading off: detection probability (true positives), false positives, scalability.
53 NetReflex approach to AD. In the GÉANT deployment, the NetReflex aggregation level is the Router-Router pair (POP-POP pair): an 18x18 matrix. Abnormality detection (what is normal, what's not) is based on Principal Component Analysis. The metrics used are not just volume variations but also entropy variations of traffic features. Multiple 18x18 matrices are used in parallel.
54 Traffic feature entropy. Measures the concentration or dispersion of the distribution of a traffic feature. Four features are of particular interest: pkts per src IP in 5 minutes, pkts per dst IP in 5 minutes, pkts per src port in 5 minutes, pkts per dst port in 5 minutes.
55 Traffic feature entropy variation during an Anomaly. (Figure: fraction of total flows received per IP address vs. IP (ranked), for normal traffic and for traffic more focused towards a few hosts.) The entropy H is:
H(x) = - Σ_(i=1..N) (n_i / S) · log2(n_i / S), with S = Σ_i n_i the total count
H varies between 0 (one point takes all) and log2 N (uniform distribution). But... can it work in practice?
56 IP feature entropies: proof of concept on the GÉANT network (2007). 10 days of GÉANT traffic: TCP feature entropies, UDP feature entropies, IP feature entropies (after linear filtering).
57 Drilling down on a peak: concentration of SRC and DST IPs and SRC ports; dispersion of DST ports. Portscan from 4 hosts, 29 bytes packets, one target. The bounce is just the result of a linear filter.
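The four feature entropies of slides 54 and 55 computed over the flow records of a 5-minute bin, and compared between a normal bin and a bin containing the portscan of slide 57 (4 sources, one target, many destination ports). This is an added example on constructed records, not NetReflex code; the 1-bit shift threshold is an assumption.

```python
"""Traffic-feature entropy (slides 54-57) over the flow records of one 5-minute bin:
H(x) = -sum_i (n_i/S) log2(n_i/S), n_i = packets seen for value i of the feature, S = all packets.
Added example with constructed records, not code from the NetReflex deployment."""
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def flow(src_ip, dst_ip, src_port, dst_port, pkts):
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port, "dst_port": dst_port, "pkts": pkts}


def feature_entropy(flows, feature):
    """Entropy in bits of the packets-per-value distribution of `feature` within the bin."""
    n = Counter()
    for f in flows:
        n[f[feature]] += f["pkts"]
    S = sum(n.values())
    return -sum((n_i / S) * math.log2(n_i / S) for n_i in n.values() if n_i)


def max_entropy(flows, feature):
    """Upper bound log2(N), reached by a uniform spread over the N distinct values seen."""
    return math.log2(len({f[feature] for f in flows}))


def entropy_vector(flows):
    return {feat: feature_entropy(flows, feat) for feat in FEATURES}


def entropy_shift(baseline, current, threshold_bits=1.0):
    """Per feature, report a 'concentration' (entropy dropped) or 'dispersion' (entropy rose) of at
    least threshold_bits relative to the baseline bin; the threshold is an assumption of this example."""
    shifts = {}
    for feat in FEATURES:
        delta = current[feat] - baseline[feat]
        if delta <= -threshold_bits:
            shifts[feat] = "concentration"
        elif delta >= threshold_bits:
            shifts[feat] = "dispersion"
    return shifts


def analyse(baseline_flows, current_flows):
    """Return (entropies of the current bin, feature shifts versus the baseline bin)."""
    base, cur = entropy_vector(baseline_flows), entropy_vector(current_flows)
    return cur, entropy_shift(base, cur)


# Constructed normal bin: 40 clients on ephemeral ports talking to 4 servers on ports 80/443.
NORMAL_BIN = [flow(f"192.0.2.{i}", f"198.51.100.{i % 4}", 40000 + i, 443 if i % 2 else 80, 20 + i % 7)
              for i in range(40)]

# Constructed portscan bin, the slide 57 case: 4 hosts, one target, fixed source port,
# one small packet to each of 200 destination ports.
SCAN_BIN = [flow(f"203.0.113.{s}", "198.51.100.7", 31337, 1000 + p, 1)
            for s in range(4) for p in range(200)]

if __name__ == "__main__":
    base = entropy_vector(NORMAL_BIN)
    cur, shifts = analyse(NORMAL_BIN, SCAN_BIN)
    for feat in FEATURES:
        print(f"{feat:8s} normal {base[feat]:5.2f} bits  scan {cur[feat]:5.2f} bits  {shifts.get(feat, '')}")
```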
58 End of theory part Thanks for your attention!
59 Part 6/6 Introduction to IP flows IP flow monitoring systems and standards Understanding Sampling An example deployment: GÉANT2 Using IP flows for network Anomaly Detection Preparing for the lab
60 Goal of the lab. Let you drill down on anomalies detected by NetReflex in the GÉANT network. Understand if they're true or false positives (there ARE still some false positives). Do you agree with the classification? Can you get more information than the one shown by default? Imagine you are a security engineer in a CERT and must collect intelligence to share it with the CERT of the attacking or victim network.
61 NetReflex views to be used. Use both the anomaly analysis and the search view of NetReflex. The search view (aka Query Engine) has data for the last 15 days only (i.e. from the 27th of Jan).
62 Analysing an anomaly - steps. 0) Access NetReflex: split in groups of 3 per PC; open Firefox or I.E.; go to the URL shown on the paper copy you received; login with one of the logins provided, using the credentials you received.
63 Analysing an anomaly - steps. 1) Familiarize with the anomaly analysis view. The pie chart on the right refers to all days of the bar chart: change the slider to 15 days back and verify. Click on a single day bar: the pie chart will restrict to that day; click again to return to multiple days. Click on a single type of anomalies: the tab at the bottom will restrict to those; navigate to the prev./next tab page. Note: heavy UDP/TCP transfers, traffic drop, unknown are not security-related. Click on columns: the ordering changes, but only within the displayed page!
64 Analysing an anomaly - steps (cont.) 1) Familiarize (cont.): check the other pie chart tabs (ingress, egress, path); click on a single portion of the pie and check how the tab at the bottom varies. AS view: same story but less relevant for this lab; NetReflex detects on a POP by POP basis. 2) Focus on a single anomaly (row of the tab). Before double clicking: are there other anomalies close in time of the same type? Point to multipoint (or multipoint to point) anomalies may be flagged on several POP-POP pairs.
65 Analysing an anomaly - steps (cont.) 2) Focus (cont.): now double click on a row (e.g. , 28 Jan.). Details tab: the duration is not often precise (e.g. here it is visually several hours, not 5 minutes!). A POP-POP time series will open: normally an anomaly appears as a peak either in the bytes, packets or flows view, but rarely in all of them. Try to switch to the other views (pk/bytes/flows) and filters (UDP, TCP, SSH, RPC, SMB, SQL...). Note: flows are NOT re-normalized, packets and bytes are.
66 Analysing an anomaly - steps (cont.) 2) Focus (cont.): now click on the blue anomaly dot (or anywhere else on the time series). The heavy hitter tab opens: top 5 src/dst IPs and ports for the 5 min interval, packets only => renormalized value in the 5 min. bin. Move to the prev/next 5 minutes, or open another heavy hitter tab. How do the dominant dst IPs and dst ports change within and outside the anomaly? IPs in the heavy hitter are clickable (whois query) => try it!
67 Analysing an anomaly - steps (cont.) 3) Familiarize with the Query engine. Select 28 Jan. and a random 5 min. slot between 3.00 am and 5.45 am. Select the src IP of the anomaly as src IP. Change the page size to 10,000. Hit search. Quite a few hosts contacted, isn't it? Why? Add tcp flags to the selected columns; remove other columns if needed for a more compact view. Change the query to dst IP, with the same address: IPs are responding, it looks even more than a scan. Brute force pwd guessing attempt?
68 Analysing an anomaly - steps. 4) Now your turn: choose anomalies in the last 15 days. Make your own choice or pick some from the suggested list. Refer to the next slides for tips on how to investigate anomalies. Pls restrict QE searches to 15 min. maximum; double check date and hour before you hit submit. If you want to query longer periods, pls ask! Be patient and wait for the query to end: do not login-logout. Also be patient when time series are loading. Imagine you are a security engineer in a CERT and must collect intelligence to share it with the CERT of the attacking or victim network. Write down additional things you understood during the analysis. 5) Have fun! And remember you signed an NDA ;-)
69 Analysis tips
70 Network Scans. Scanner -> targets. Typical: keep a /16 or /24 fixed and vary the lsb; single (or few) dst port; same packet structure (size, flags). Can also be connection attempts. Entry-exit points depend on the target variation: NetReflex may signal anomalies on multiple POP-POP pairs.
71 Network Scans - analysis. Keep the initial filter simple (e.g. src_ip == scanner address). Do not filter on the destination port (even if the anomaly detection tool has identified one), or on the protocol (TCP or UDP or ICMP). Look at TCP flags (for TCP flows). Try to reverse the search (e.g. dst_ip == scanner address) to see if there is any return traffic to the scanner, if it is from the same (scanned) networks evidenced with the forward filter, and what the TCP flags for this return traffic are. Look at the number of packets and their average size.
72 Port Scans. Scanner -> target. Typical: single target, scanned on multiple (all) ports. Entry-exit points fixed.
73 Port Scans - analysis. The most obvious filter is src_ip == scanner address && dst_ip == scanned address. Look for return traffic, if any.
74 (D)DoS SYN floods. Sources -> victim. Sources frequently spoofed; even if not spoofed, sources do not send the final ACK of the three-way TCP handshake on purpose. Entry-exit points depend on the source variation: NetReflex may signal anomalies on multiple POP-POP pairs.
75 (D)DoS SYN floods - analysis. Set up the filter dst_ip == target address, and check if the majority of the flows are single packet flows with the SYN flag set. Check if/how the target replied: no reply at all (SYN floods have been filtered by some intelligent firewall); Reset or ACK/Reset (the target doesn't have a service running on the dst port); some SYN/ACK replies, but in a much lower number than the incoming floods (this may indicate some SYN flood rate limiting firewall in front of the target, or that the target is saturated and can only sustain that reply rate; in that case the attack would have been successful).
76 (D)DoS UDP floods. Sources -> victim. Concentrated or distributed. Sometimes they target well known ports used by TCP services (ssh, http), to bypass poorly configured firewalls. DNS uses UDP on port 53: some false positives, but also true positives, likely DNS cache poisoning attempts.
77 (D)DoS UDP floods - analysis. Look at the average packet size (malicious floods frequently use small packets). Check the simultaneous presence of TCP traffic: may be an indication of a false positive (tcp control of udp transfers). Presence of UDP return traffic: may be an indication of a false positive, but if the port is 53... watch out! Use of well-known ports for bandwidth tests (5001, ...). Use of well-known TCP ports (22, 80, 443...) and presence of ICMP return traffic: ICMP in response to UDP may indicate an unwilling target, but often ICMP is filtered, so you won't always see that! Context information (DNS or whois queries on the end points): do the end points look like research?
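The analysis tips of slides 70 to 77 turned into triage logic over flow records, as an added example that is not NetReflex or NfSen code: a forward filter (src_ip == suspect) with a reverse look at what came back, and the victim-side SYN-flood check with its three reply outcomes. The flow records and the numeric thresholds (50 hosts/ports, 100-byte packets, 90% SYN share) are constructed assumptions of the example.

```python
"""Triage heuristics from the analysis tips (slides 70-77), applied to flow records selected by a
simple filter, forward (src_ip == X) and reverse (dst_ip == X). Added example on constructed
records, not NetReflex or NfSen code; the numeric thresholds are illustrative assumptions."""
from collections import Counter
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10      # cumulative TCP flag bits as exported in the flow record
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    pkts: int
    octets: int
    tcp_flags: int = 0


def select(flows, **match):
    """Keep the initial filter simple, e.g. select(flows, src_ip=scanner) or select(flows, dst_ip=target)."""
    return [f for f in flows if all(getattr(f, k) == v for k, v in match.items())]


def summarise(flows):
    """The indicators the slides ask for: distinct dst IPs/ports, share of single-packet SYN-only
    flows, average packet size and protocol mix."""
    pkts = sum(f.pkts for f in flows)
    syn_only = sum(1 for f in flows if f.proto == TCP and f.pkts == 1 and f.tcp_flags == SYN)
    return {
        "flows": len(flows),
        "dst_ips": len({f.dst_ip for f in flows}),
        "dst_ports": len({f.dst_port for f in flows}),
        "syn_only_share": syn_only / len(flows) if flows else 0.0,
        "avg_pkt_size": sum(f.octets for f in flows) / pkts if pkts else 0.0,
        "protos": Counter(f.proto for f in flows),
    }


def triage_source(all_flows, suspect_ip):
    """Label the traffic sent by suspect_ip; the reverse filter shows what came back to it."""
    fwd = summarise(select(all_flows, src_ip=suspect_ip))
    rev_flags = Counter(f.tcp_flags for f in select(all_flows, dst_ip=suspect_ip) if f.proto == TCP)
    evidence = {"forward": fwd, "return_tcp_flags": dict(rev_flags)}
    if not fwd["flows"]:
        return "no forward traffic", evidence
    many_hosts, many_ports = fwd["dst_ips"] >= 50, fwd["dst_ports"] >= 50
    if many_hosts and not many_ports:
        return "network scan", evidence          # slides 70/71: many hosts, single dst port, same packets
    if many_ports and fwd["dst_ips"] == 1:
        return "port scan", evidence             # slides 72/73: one target, many ports
    if fwd["protos"][UDP] == fwd["flows"] and fwd["avg_pkt_size"] < 100:
        return "UDP flood candidate (check TCP/UDP return traffic, ICMP, port 53)", evidence   # slides 76/77
    return "unclassified", evidence


def triage_target(all_flows, target_ip):
    """SYN-flood check from the victim side (slide 75): share of single-packet SYN flows towards the
    target and how the target replied (nothing, RST/ACK-RST, or a few SYN/ACKs)."""
    inbound = summarise(select(all_flows, dst_ip=target_ip))
    replies = Counter(f.tcp_flags for f in select(all_flows, src_ip=target_ip) if f.proto == TCP)
    if inbound["syn_only_share"] < 0.9:
        return "not a SYN flood", inbound, dict(replies)
    if not replies:
        return "SYN flood, no reply (filtered in front of the target)", inbound, dict(replies)
    if replies.get(RST) or replies.get(ACK | RST):
        return "SYN flood, target has no service on that port", inbound, dict(replies)
    return "SYN flood, partial SYN/ACK replies (rate limited or saturated target)", inbound, dict(replies)


# Constructed records: a /24 sweep on port 22 with a few ACK/RST answers, a port scan of one host,
# a SYN flood on a web server that manages a handful of SYN/ACKs, and a small-packet UDP flood.
SCANNER, PORTSCANNER, VICTIM = "203.0.113.5", "203.0.113.9", "198.51.100.10"
UDP_SRC, UDP_VICTIM = "203.0.113.77", "198.51.100.30"
FLOWS = [Flow(SCANNER, f"192.0.2.{h}", 45000, 22, TCP, 1, 60, SYN) for h in range(1, 255)]
FLOWS += [Flow(f"192.0.2.{h}", SCANNER, 22, 45000, TCP, 1, 60, ACK | RST) for h in range(1, 30)]
FLOWS += [Flow(PORTSCANNER, "198.51.100.20", 52000, p, TCP, 1, 60, SYN) for p in range(1, 1025)]
FLOWS += [Flow(f"10.{a}.{b}.1", VICTIM, 1024 + a, 80, TCP, 1, 40, SYN) for a in range(20) for b in range(50)]
FLOWS += [Flow(VICTIM, f"10.{a}.0.1", 80, 1024 + a, TCP, 1, 44, SYN | ACK) for a in range(3)]
FLOWS += [Flow(UDP_SRC, UDP_VICTIM, 40000 + i, 53, UDP, 1, 30) for i in range(500)]

if __name__ == "__main__":
    for ip in (SCANNER, PORTSCANNER, UDP_SRC):
        label,  ev = triage_source(FLOWS, ip)
        print(f"{ip}: {label}; {ev['forward']['dst_ips']} hosts, {ev['forward']['dst_ports']} ports, "
              f"return flags {ev['return_tcp_flags']}")
    print(f"{VICTIM}: {triage_target(FLOWS, VICTIM)[0]}")
```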
Cisco IOS NetFlow Version 9 Flow-Record Format Last updated: February 007 Overview Cisco IOS NetFlow services provide network administrators with access to information concerning IP flows within their
More informationResearch on Errors of Utilized Bandwidth Measured by NetFlow
Research on s of Utilized Bandwidth Measured by NetFlow Haiting Zhu 1, Xiaoguo Zhang 1,2, Wei Ding 1 1 School of Computer Science and Engineering, Southeast University, Nanjing 211189, China 2 Electronic
More informationNetFlow & BGP multi-path: quo vadis?
NetFlow & BGP multi-path: quo vadis? Paolo Lucente Elisa Jasinska Netnod, Stockholm Agenda About Netflix About pmacct Brief digression on BGP ADD-PATHS Putting all
More informationand reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs
ICmyNet.Flow: NetFlow based traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF Faculty
More informationDesign and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System
Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System 1 Hyun-chul Kim, 2Jihoon Lee Dept. of Computer Software Engineering, Sangmyung Univ., hyunchulk@gmail.com
More informationWhatsUpGold. v12.3.1. NetFlow Monitor User Guide
WhatsUpGold v12.3.1 NetFlow Monitor User Guide Contents CHAPTER 1 WhatsUp Gold NetFlow Monitor Overview What is NetFlow?... 1 How does NetFlow Monitor work?... 2 Supported versions... 2 System requirements...
More informationSymantec Event Collector for Cisco NetFlow version 3.7 Quick Reference
Symantec Event Collector for Cisco NetFlow version 3.7 Quick Reference Symantec Event Collector for Cisco NetFlow Quick Reference The software described in this book is furnished under a license agreement
More informationLab 4.1.2 Characterizing Network Applications
Lab 4.1.2 Characterizing Network Applications Objective Device Designation Device Name Address Subnet Mask Discovery Server Business Services 172.17.1.1 255.255.0.0 R1 FC-CPE-1 Fa0/1 172.17.0.1 Fa0/0 10.0.0.1
More informationNetwork forensics 101 Network monitoring with Netflow, nfsen + nfdump
Network forensics 101 Network monitoring with Netflow, nfsen + nfdump www.enisa.europa.eu Agenda Intro to netflow Metrics Toolbox (Nfsen + Nfdump) Demo www.enisa.europa.eu 2 What is Netflow Netflow = Netflow
More informationTE in action. Some problems that TE tries to solve. Concept of Traffic Engineering (TE)
1/28 2/28 TE in action S-38.3192 Verkkopalvelujen tuotanto S-38.3192 Network Service Provisioning Networking laboratory 3/28 4/28 Concept of Traffic Engineering (TE) Traffic Engineering (TE) (Traffic Management)
More informationIPv6 network management. Where and when?
IPv6 network management 1 Contributions Simon Muyal, RENATER Bernard Tuy, RENATER Jérôme Durand, RENATER Ralf Wolter, Cisco Patrick Grossetête, Cisco Munechika Sumikawa, Hitachi Patrick Paul, 6WIND 2 Agenda
More informationFlow Based Traffic Analysis
Flow based Traffic Analysis Muraleedharan N C-DAC Bangalore Electronics City murali@ncb.ernet.in Challenges in Packet level traffic Analysis Network traffic grows in volume and complexity Capture and decode
More informationJ-Flow on J Series Services Routers and Branch SRX Series Services Gateways
APPLICATION NOTE Juniper Flow Monitoring J-Flow on J Series Services Routers and Branch SRX Series Services Gateways Copyright 2011, Juniper Networks, Inc. 1 APPLICATION NOTE - Juniper Flow Monitoring
More informationCatalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting
Catalyst 6500/6000 Switches NetFlow Configuration and Troubleshooting Document ID: 70974 Introduction Prerequisites Requirements Components Used Conventions Background Information Configure Network Diagram
More informationHUNTING ATTACKERS WITH NETWORK AUDIT TRAILS
HUNTING ATTACKERS WITH NETWORK AUDIT TRAILS Tom Cross tcross@lancope.com Charles Herring cherring@lancope.com 1 CREATING THE AUDIT TRAIL 2 Creating the Trail Logging Provides user and application details
More informationOverview. Why use netflow? What is a flow? Deploying Netflow Performance Impact
Netflow 6/12/07 1 Overview Why use netflow? What is a flow? Deploying Netflow Performance Impact 2 Caveats Netflow is a brand name like Kleenex. It was developed by Cisco Juniper uses the term cflowd for
More informationUKCMG Industry Forum November 2006
UKCMG Industry Forum November 2006 Capacity and Performance Management of IP Networks Using IP Flow Measurement Agenda Challenges of capacity and performance management of IP based networks What is IP
More informationDDoS Mitigation Techniques
DDoS Mitigation Techniques Ron Winward, ServerCentral CHI-NOG 03 06/14/14 Consistent Bottlenecks in DDoS Attacks 1. The server that is under attack 2. The firewall in front of the network 3. The internet
More informationAdaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks
Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Yan Hu Dept. of Information Engineering Chinese University of Hong Kong Email: yhu@ie.cuhk.edu.hk D. M. Chiu
More informationAn overview of traffic analysis using NetFlow
The LOBSTER project An overview of traffic analysis using NetFlow Arne Øslebø UNINETT Arne.Oslebo@uninett.no 1 Outline What is Netflow? Available tools Collecting Processing Detailed analysis security
More informationNetwork traffic monitoring and management. Sonia Panchen sonia.panchen@inmon.com 11 th November 2010
Network traffic monitoring and management Sonia Panchen sonia.panchen@inmon.com 11 th November 2010 Lecture outline What is network traffic management? Traffic management applications Traffic monitoring
More informationConfiguring NetFlow Switching
Configuring NetFlow Switching This chapter describes how to configure NetFlow switching. For a complete description of NetFlow commands used in this chapter, refer to the Cisco IOS Switching s chapter
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationFlow Analysis Versus Packet Analysis. What Should You Choose?
Flow Analysis Versus Packet Analysis. What Should You Choose? www.netfort.com Flow analysis can help to determine traffic statistics overall, but it falls short when you need to analyse a specific conversation
More informationNetwork congestion control using NetFlow
Network congestion control using NetFlow Maxim A. Kolosovskiy Elena N. Kryuchkova Altai State Technical University, Russia Abstract The goal of congestion control is to avoid congestion in network elements.
More informationAnomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool
Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politècnica de Catalunya (UPC) Ashish
More informationOverview of Network Traffic Analysis
Overview of Network Traffic Analysis Network Traffic Analysis identifies which users or applications are generating traffic on your network and how much network bandwidth they are consuming. For example,
More informationIntegrated Traffic Monitoring
61202880L1-29.1F November 2009 Configuration Guide This configuration guide describes integrated traffic monitoring (ITM) and its use on ADTRAN Operating System (AOS) products. Including an overview of
More informationPort Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.
Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem
More informationFluke Networks NetFlow Tracker
Fluke Networks NetFlow Tracker Quick Install Guide for Product Evaluations Pre-installation and Installation Tasks Minimum System Requirements The type of system required to run NetFlow Tracker depends
More informationNetFlow & BGP multi-path: quo vadis?
NetFlow & BGP multi-path: quo vadis? Paolo Lucente Elisa Jasinska NANOG61, Bellevue Agenda About Netflix About pmacct Brief digression on BGP ADD-PATHS Putting all
More informationIPv6 network management. 6DEPLOY. IPv6 Deployment and Support
IPv6 network management 6DEPLOY. IPv6 Deployment and Support 1 Contributions Simon Muyal, RENATER Bernard Tuy, RENATER Jérôme Durand, RENATER Ralf Wolter, Cisco Patrick Grossetête, Cisco 10/28/2010 IPv6
More informationCHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor
Contents CHAPTER 1 WhatsUp Flow Monitor Overview What is Flow Monitor?... 1 How does Flow Monitor work?... 2 Supported versions... 2 System requirements... 2 CHAPTER 2 Configuring WhatsUp Flow Monitor
More informationNetFlow Configuration Guide, Cisco IOS Release 15M&T
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION
More informationAnalysis of a Distributed Denial-of-Service Attack
Analysis of a Distributed Denial-of-Service Attack Ka Hung HUI and OnChing YUE Mobile Technologies Centre (MobiTeC) The Chinese University of Hong Kong Abstract DDoS is a growing problem in cyber security.
More informationRecommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document
Recommendations for Network Traffic Analysis Using the NetFlow Protocol Best Practice Document Produced by AMRES NMS Group (AMRES BPD 104) Author: Ivan Ivanović November 2011 TERENA 2010. All rights reserved.
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationUsing IPM to Measure Network Performance
CHAPTER 3 Using IPM to Measure Network Performance This chapter provides details on using IPM to measure latency, jitter, availability, packet loss, and errors. It includes the following sections: Measuring
More informationNetFlow Analytics for Splunk
NetFlow Analytics for Splunk User Manual Version 3.5.1 September, 2015 Copyright 2012-2015 NetFlow Logic Corporation. All rights reserved. Patents Pending. Contents Introduction... 3 Overview... 3 Installation...
More informationEnabling NetFlow on Virtual Switches ESX Server 3.5
Technical Note Enabling NetFlow on Virtual Switches ESX Server 3.5 NetFlow is a general networking tool with multiple uses, including network monitoring and profiling, billing, intrusion detection and
More informationConfiguring Flexible NetFlow
CHAPTER 62 Note Flexible NetFlow is only supported on Supervisor Engine 7-E, Supervisor Engine 7L-E, and Catalyst 4500X. Flow is defined as a unique set of key fields attributes, which might include fields
More informationNetFlow Performance Analysis
NetFlow Performance Analysis Last Updated: May, 2007 The Cisco IOS NetFlow feature set allows for the tracking of individual IP flows as they are received at a Cisco router or switching device. Network
More informationNetwork Measurement. Why Measure the Network? Types of Measurement. Traffic Measurement. Packet Monitoring. Monitoring a LAN Link. ScienLfic discovery
Why Measure the Network? Network Measurement Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101 ScienLfic discovery Characterizing traffic, topology, performance Understanding
More informationQuick Start for Network Agent. 5-Step Quick Start. What is Network Agent?
What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationAbout Firewall Protection
1. This guide describes how to configure basic firewall rules in the UTM to protect your network. The firewall then can provide secure, encrypted communications between your local network and a remote
More informationContent Distribution Networks (CDN)
229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the
More informationCisco IOS NetFlow Version 9 Flow-Record Format
White Paper Cisco IOS NetFlow Version 9 Flow-Record Format Last updated: May 0 Overview Cisco IOS NetFlow services provide network administrators with access to information concerning IP flows within their
More informationCisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software
LiveAction Application Note Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software January 2013 http://www.actionpacked.com Table of Contents 1. Introduction... 1 2. ASA NetFlow Security
More informationNetFlow FlowAnalyzer Overview
CHAPTER 1 FlowAnalyzer Overview This chapter describes the FlowAnalyzer system and its components. This system is used to read, analyze, and display switching data collected by the FlowCollector application.
More informationNSC 93-2213-E-110-045
NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends
More informationNetFlow Configuration Guide, Cisco IOS Release 12.4
NetFlow Configuration Guide, Cisco IOS Release 12.4 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
More informationLinux Routers and Community Networks
Summer Course at Mekelle Institute of Technology. July, 2015. Linux Routers and Community Networks Llorenç Cerdà-Alabern http://personals.ac.upc.edu/llorenc llorenc@ac.upc.edu Universitat Politènica de
More informationplixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels
Scrutinizer Competitor Worksheet Scrutinizer Malware Incident Response Scrutinizer is a massively scalable, distributed flow collection system that provides a single interface for all traffic related to
More informationMonitoring and analyzing audio, video, and multimedia traffic on the network
Monitoring and analyzing audio, video, and multimedia traffic on the network Slavko Gajin slavko.gajin@rcub.bg.ac.rs AMRES Academic Network of Serbia AMRES Academic Network of Serbia RCUB - Belgrade University
More informationFlow Analysis. Make A Right Policy for Your Network. GenieNRM
Flow Analysis Make A Right Policy for Your Network GenieNRM Why Flow Analysis? Resolve Network Managers Challenge as follow: How can I know the Detail and Real-Time situation of my network? How can I do
More informationFlow Monitor for WhatsUp Gold v16.2 User Guide
Flow Monitor for WhatsUp Gold v16.2 User Guide Contents Table of Contents Flow Monitor Overview Welcome to WhatsUp Gold Flow Monitor... 1 What is Flow Monitor?... 2 How does Flow Monitor work?... 2 System
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationBusiness and IT are Changing Like Never Before
ADVANCED NETFLOW Business and IT are Changing Like Never Before Drastic Change in Application Type, Delivery, and Consumption Public/Hybrid Cloud SaaS/IaaS Storage Users/ Machines Proliferation of Devices
More informationNetFlow: What is it, why and how to use it? Miloš Zeković, milos.zekovic@soneco.rs. ICmyNet Chief Customer Officer Soneco d.o.o.
NetFlow: What is it, why and how to use it?, milos.zekovic@soneco.rs Soneco d.o.o. Serbia Agenda What is NetFlow? What are the benefits? How to deploy NetFlow? Questions 2 / 22 What is NetFlow? NetFlow
More informationConfiguring NetFlow. Information About NetFlow. Send document comments to nexus1k-docfeedback@cisco.com. CHAPTER
CHAPTER 11 Use this chapter to configure NetFlow to characterize IP traffic based on its source, destination, timing, and application information, to assess network availability and performance. This chapter
More informationTEIN2 Measurement and Monitoring Workshop Netflow. Bruce.Morgan@aarnet.edu.au
TEIN2 Measurement and Monitoring Workshop Netflow Bruce.Morgan@aarnet.edu.au Passive Measurements - Netflow Netflow Setting up Netflow on a router Using Netflow Establishing exports Configuring a collector
More informationNetwork Security: Workshop. Dr. Anat Bremler-Barr. Assignment #2 Analyze dump files Solution Taken from www.chrissanders.org
1.pcap - File download Network Security: Workshop Dr. Anat Bremler-Barr Assignment #2 Analyze dump files Solution Taken from www.chrissanders.org Downloading a file is a pretty basic function when described
More informationNFQL: A Tool for Querying Network Flow Records [6]
NFQL: A Tool for Querying Network Flow Records [6] nfql.vaibhavbajpai.com Vaibhav Bajpai, Johannes Schauer, Corneliu Claudiu Prodescu, Jürgen Schönwälder {v.bajpai, j.schauer, c.prodescu, j.schoenwaelder@jacobs-university.de
More informationPage 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications
Outline EEC 274 Internet Measurements & Analysis Spring Quarter, 2006 Traffic Measurements Traffic measurements What metrics are we interested in? Measurement and analysis methodologies Traffic characterization
More informationNetwork Monitoring and Traffic CSTNET, CNIC
Network Monitoring and Traffic Analysis in CSTNET Chunjing Han Aug. 2013 CSTNET, CNIC Topics 1. The background of network monitoring 2. Network monitoring protocols and related tools 3. Network monitoring
More informationNetFlow Configuration Guide, Cisco IOS Release 12.2SR
NetFlow Configuration Guide, Cisco IOS Release 12.2SR Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387)
More informationHow To Understand and Configure Your Network for IntraVUE
How To Understand and Configure Your Network for IntraVUE Summary This document attempts to standardize the methods used to configure Intrauve in situations where there is little or no understanding of
More information