NetFlow: what happens in your network? by Lorenzo Busatti MUM Ljubljana 2016 Lorenzo Busatti, http://routing.wireless.academy 1
About me: Lorenzo Busatti. Founder of Grifonline S.r.l. (1997); founder of Linkwave (2006); MikroTik Trainer (2010); member of RIPE, AMS-IX, MIX-IT.
I'm a MikroTik enthusiast. I'm a MikroTik evangelist.
About me: founder (2016) of the Non Profit Organization for High Quality Training Partners.
Advertising time! My friend Andrew Cox booked too late for this MUM, so the presentation slots were already full. I promised him to quickly advertise his fantastic product (and for free :-)):
Dedicated to Max
The traffic of your network
The traffic of your network is one of the most important things.
What do you know about it?
What is the growth of your customers' traffic to Netflix?
What are the top ASes you should peer with?
Who draws the most bandwidth?
With a few tools you can know more than you can imagine :-)
NetFlow in a nutshell: it is a common router feature. The router collects IP traffic statistics and later exports them to a NetFlow Collector. These exported statistics are called flow records. The format is template based (since version 9), so it can be extended in the future.
NetFlow in RouterOS: yes, it is supported! It is called Traffic Flow (NetFlow is Cisco's name for it). It lives in /ip traffic-flow. It has existed since RouterOS v2.9. Today it supports versions 1, 5 and 9. Check the wiki for the differences :-)
Traffic Flow in action (diagram): YOUR WAN; YOUR LAN; the flows; NetFlow Collector; the client (and analyzer).
Two ingredients: the flows, and a NetFlow Collector (and analyzer).
Traffic Flow limitations: up to RouterOS v6.0 it exports only the RX traffic of an interface. Currently RouterOS does not export BGP AS numbers :-( Hope to see it implemented soon :-)
The boring part (but very short.)
Packet transport protocol: the records are exported using UDP. The standard port is 2055 (user defined). The router does not keep track of flow records already exported: if a NetFlow packet is dropped, all the records it contains are lost forever. It doesn't export the payloads. The content isn't encrypted.
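Because the exporter never retransmits, the collector is the only place where a dropped UDP export packet can be noticed. The following is an added example (not from the presentation): it tracks the v9 header sequence number, which RFC 3954 defines as a per-source-ID counter of export packets that wraps at 2^32, and reports the gaps. The arrival list is constructed.

```python
def track_sequences(exports, state=None):
    """exports: (source_id, sequence) pairs taken from parsed v9 headers, in arrival order.
    state: dict source_id -> next expected sequence, carried across calls by the collector.
    Returns (state, lost); lost holds (source_id, expected, received, missing_packets)
    for every gap, i.e. every export packet whose flow records are gone for good."""
    state = {} if state is None else state
    lost = []
    for source_id, seq in exports:
        expected = state.get(source_id)
        if expected is not None and seq != expected:
            missing = (seq - expected) % 2**32   # counter is unsigned 32-bit, handle wrap
            lost.append((source_id, expected, seq, missing))
        state[source_id] = (seq + 1) % 2**32
    return state, lost

# Constructed arrival order: source 42 loses export packets 3 and 4; source 7 wraps around cleanly
SAMPLE_EXPORTS = [(42, 1), (42, 2), (42, 5), (7, 2**32 - 1), (7, 0), (7, 1)]

if __name__ == "__main__":
    _, lost = track_sequences(SAMPLE_EXPORTS)
    for source_id, expected, received, missing in lost:
        print(f"source {source_id}: expected seq {expected}, got {received}: {missing} packet(s) lost")
```

UDP reordering also shows up as a gap followed by a late packet, so a production collector would keep a small reorder window before alerting.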
General structure (v9): NetFlow packet header; Template; NetFlow Record 1; NetFlow Record 2; ...; NetFlow Record n; Template; NetFlow Record n+1; NetFlow Record n+2; ...; NetFlow Record n+n.
The packet header: version number (v1, v5, v7, v8, v9); sequence number; timestamp; number of records (v5 or v8) or list of templates and records (v9).
The Template format: ID; length; field count; field 1 type; field 1 length; field 2 type; field 2 length; ...; field N type; field N length.
(some) v9 fields: IN_BYTES, OUT_BYTES, IN_PKTS, OUT_PKTS, PROTOCOL, SRC_TOS, TCP_FLAGS, L4_SRC_PORT, L4_DST_PORT, IPV4_SRC_ADDR, IPV4_DST_ADDR, DIRECTION, IPV4_NEXT_HOP, IPV6_SRC_ADDR, IPV6_DST_ADDR, ICMP_TYPE, IN_SRC_MAC, IN_DST_MAC, OUT_DST_MAC, OUT_SRC_MAC, SRC_VLAN, DST_VLAN, SRC_AS, DST_AS, BGP_IPV4_NEXT_HOP, IP_PROTOCOL_VERSION, MPLS_LABEL_(1-10), IF_NAME, IF_DESC, FORWARDING_STATUS (lots of subcodes!!!)
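To make the header/template/record layout above concrete, here is an added example (not from the presentation) of a minimal v9 decoder in Python: it reads the 20-byte header, learns a template FlowSet and decodes the data FlowSet that references it. The field type numbers are the RFC 3954 ones; the sample packet is constructed, and the template dictionary is kept outside the function because a data FlowSet can only be decoded after its template has been received.

```python
import ipaddress
import struct
# NetFlow v9 field type IDs (RFC 3954); only the ones used by the sample template are named
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}

def parse_v9(packet, templates):
    """Decode one v9 export packet; `templates` persists across packets (keyed by source ID)."""
    version, count, _uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    header = {"version": version, "count": count, "unix_secs": unix_secs, "sequence": seq}
    records, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
        if fs_len < 4: break  # malformed FlowSet length: stop instead of looping forever
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template FlowSet: entries of (template ID, field count, type/length pairs)
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                templates[(source_id, tid)] = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i])
                                               for i in range(nfields)]
                off += 4 + 4 * nfields
        elif fs_id > 255 and (source_id, fs_id) in templates:  # data FlowSet with a known template
            fields = templates[(source_id, fs_id)]
            rec_len, off = sum(flen for _, flen in fields), 0
            while off + rec_len <= len(body):  # leftover bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    raw, off = body[off:off + flen], off + flen
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
                records.append(rec)
        pos += fs_len
    return header, records

def build_sample_packet():
    """Constructed sample export: header, one template (ID 256), then two flows using it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    def flow(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))
    data = flow("10.0.0.5", "198.51.100.7", 51234, 443, 6, 18342, 27) + flow("10.0.0.9", "203.0.113.2", 40001, 53, 17, 120, 1)
    pad = (-len(data)) % 4  # data FlowSets are padded to a 32-bit boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1463000000, 1, 42)  # count: 1 template + 2 records
    return header + tmpl_fs + data_fs
```

A real collector would feed `parse_v9` from a UDP socket bound to the configured port (2055 by default) and keep `templates` for as long as the exporter keeps refreshing them.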
Live view: the packet header
Live view: the template
Live view: one flow
Summary: Traffic Flow exports almost everything except the actual payload.
Setting up (the router)
IP > Traffic Flow
IP > Traffic Flow > Targets
IP > Traffic Flow > Status
How many resources will the flows take?
Traffic Flow traffic: there is no exact formula to calculate the exported flows, but I'll show you a live example.
Traffic Flow traffic (graphs): the router traffic; the sessions; the flows.
The NetFlow Collectors (and Analyzers)
What do I need now? A Collector collects the flows exported by your router. An Analyzer makes this data readable and usable for you. Most Collectors are also Analyzers.
Which one? Open source; closed source; for Windows; for Linux; on the cloud; paid vs free.
Examples
Which one? I'm not a reseller or a sales representative of these brands. Search on the web and try before you buy (when possible).
Which one? In this presentation I'll show you an example using the cloud service provided by http://polygraph.io
The most interesting part: what can I see?
Which traffic? Just a few examples: bandwidth monitoring; applications used; identify visited domains; top talkers (customers and hosts); geolocate traffic; attack detection.
Which traffic? And since RouterOS 6.33, the fastpath.
Live demo
Live demo: you can also make reports, watch and export the stored flows, and...
Security: security is another application of Traffic Flow. My content stops here; I hope you'll enjoy the dedicated presentation this evening.
Wrap up: with Traffic Flow and a NetFlow Analyzer you can know what happens in your network and the kind of traffic exchanged by your customers; from this privileged point of view you can manage, plan and prevent things in your network.
Wrap up: I hope you'll soon deploy your privileged point of observation :-)
Thank you! Q & A. http://training.grifonline.it, training@grifonline.it