Cisco NetFlow Accounting with FlowScan in Solaris.

Cisco NetFlow Accounting with Cisco NetFlow Accounting with FlowScan in SolarisFlowScan in Solaris

Topics PresentationTopics Presentation

Description NetFlow & FlowScan Role of report module in FlowScan JKFlow module Design

-Why a new module? -Principe of JKFlow-What can this module more?-Principe of JKFlow

Demo!

The BookThe Book

Contains: 1: Technical explanation:

Technology of NetFlow & FlowScan 2: In detail:

JKFlow report module-configuration-working (for Perl-fanatics)

Purpose of Final WorkPurpose of Final Work

Implementation NetFlow service profiling bandwidth monitoring system

Flows received from central WAN-routers

Collection/Analyse inSolaris 8, 9 (x86)

NetFlow protocolNetFlow protocol

Flow accounting protocol Cisco routers Flow Records: src/dst IP, port, tos, bytes, ... PDU via UDP poort 2055 (default)

FlowScanFlowScan

FlowScan = Framework NetFlow system-NetFlow collector-Analyse/Reporting of flows-Presentation of the reports

Perl-scripts combines these tools to a complete system

FlowScan FlowScan DesignDesign

Cisco Router

Cfllowdmux

SharedMemory

PatchedCfllowd

Database

CGI-perl scripts, PHP, ASP,JSP/Servlets

(JKGrapher)

Voorstelling dataeindgebruiker

FlowScan

flowfiles

flowfiles

flowfiles

Flow Exports

Iedere 5 minuten

Analyse & rapportering

module (JKFlow)

RRD Tools

Webserver

Components:

•Cflowd•FlowScan + report module•RRDTool•Makefile/CGI-script

Report moduleReport module

Analyse Flows => Counters Counters => RRDTool

databases Default:

CampusIO (services)SubnetIO (subnetten)

Others: CarrierInCUFlow

FlowScan

Analyse & reportmodule (JKFlow)

ConstraintsConstraints

No analyses possible for subnets:-CampusIO only services global-SubnetIO only total for each subnet

Other modules don’t deliver the wanted functionality either:

-CarrierIn only inbound, services global-CUFlow for each router, services global

CUFlow moduleCUFlow moduleCUFlow = Report module + CGI-scriptAnalysing using a global set of

protocols/services of different routersOnly total for subnetsTop-10, HTML statistics

New: JKFlow moduleNew: JKFlow module Started as a rewrite of CUFlow

+Added Subnet monitoring of protocols/services+Separated sets of protocols/services for eachrouter/subnet+Redundant code removed

Became an independed Perl-module located atURL: http://users.telenet.be/jurgen.kobierczynskihttp://users.telenet.be/jurgen.kobierczynski

Principe JKFlow: HashesPrincipe JKFlow: Hashes Hash = Assiociative Array

%fruit = ( apples => 3,oranges => 6 );

print $fruit{apples}; shows: 3

Hash-tree = Reference of a hash into a hash

$hashref = { a => { b => 2,c => 3 },

d => 4 };

print $hashref->{a}{b}; shows: 2

Hashes in JKFlowHashes in JKFlow

Uniform structure of Hash-trees for counters Using references to these structures

$Ref->

Reuse of routines

JKFlow FrameworkJKFlow Framework

I needed a framework to get the desired flexibility to integrate all desired features

I’ve found this in XML

Perl + XML = XML::Simple module XML => Hash

JKFlow.xmlJKFlow.xml

JKFlow.xml elementsJKFlow.xml elements 1: <all>, <router(s)>, <subnet(s)>, <network(s)> 2: <direction> 3: <application>, <services>, <ftp>, <protocols>, <tos>,

<multicast>, <total>

(2) & (3) can be defined in (1) & (2)

DirectionsDirections Direction =

Selection of Source/Destination subnets Including/excluding Subnets possible

fromsubnet

tosubnet

fromsubnet

notosubnet

nofromsubnet

Recursive DirectionsRecursive Directions

Directions can be nested inside Directions Each Direction has its own set of protocols and services to

monitor

<direction name="BE-NL“ …><direction name="BE-NL desktops“…>

…</direction>…

</direction>

Where could you use this feature for?

...for subnet monitoring!...for subnet monitoring!

ApplicationsApplications Merge several services together as ‘one’ service

example:<application name=“web”>80/tcp,443/tcp</application>

FTPFTP State monitoring of FTP control sessions for detection of

Active/Passive FTP-sessionsexample:<ftp/>

JKGrapherJKGrapherCGI-scriptCGI-script

CGI-script for reading of RRDTool files created by JKFlow

Based on CUGrapher

1:-first preselection of routers/subnets/networks

After this you will get a website with a form where you can select protocols/services of the selected routers/subnets, of which you want to see a graphic.

DemoDemo

Parsing of flowfiles by JKFlow, generation of RRDTool files

JKGrapher interface