Cisco NetFlow Accounting with FlowScan in Solaris
Topics Presentation
Description NetFlow & FlowScan
Role of report module in FlowScan
JKFlow module Design
-Why a new module?
-Principle of JKFlow
-What more can this module do?
Demo!
The Book
Contains:
1: Technical explanation: Technology of NetFlow & FlowScan
2: In detail: JKFlow report module
-configuration
-working (for Perl-fanatics)
Purpose of Final Work
Implementation of a NetFlow service profiling bandwidth monitoring system
Flows received from central WAN-routers
Collection/Analysis in Solaris 8, 9 (x86)
NetFlow protocol
Flow accounting protocol of Cisco routers
Flow Records: src/dst IP, port, tos, bytes, ...
PDU via UDP port 2055 (default)
FlowScan
FlowScan = Framework NetFlow system
-NetFlow collector
-Analysis/Reporting of flows
-Presentation of the reports
Perl scripts combine these tools into a complete system
FlowScan Design
[Diagram labels: Cisco Router; Flow Exports; Cflowdmux; Shared Memory; Patched Cflowd; flowfiles (every 5 minutes); FlowScan; Analysis & reporting module (JKFlow); RRD Tools; Database; Webserver; CGI-perl scripts, PHP, ASP, JSP/Servlets (JKGrapher); Presentation of data to end user]
Components:
•Cflowd
•FlowScan + report module
•RRDTool
•Makefile/CGI-script
Report module
Analyse Flows => Counters
Counters => RRDTool databases
Default:
-CampusIO (services)
-SubnetIO (subnets)
Others:
-CarrierIn
-CUFlow
[Diagram: FlowScan with its analysis & report module (JKFlow)]
Constraints
No analyses possible for subnets:
-CampusIO only services global
-SubnetIO only total for each subnet
Other modules don’t deliver the wanted functionality either:
-CarrierIn only inbound, services global
-CUFlow for each router, services global
CUFlow module
CUFlow = Report module + CGI-script
Analysing using a global set of protocols/services of different routers
Only total for subnets
Top-10, HTML statistics
New: JKFlow module
Started as a rewrite of CUFlow
+Added Subnet monitoring of protocols/services
+Separated sets of protocols/services for each router/subnet
+Redundant code removed
Became an independent Perl module located at URL: http://users.telenet.be/jurgen.kobierczynski
Principle JKFlow: Hashes
Hash = Associative Array
my %fruit = ( apples => 3, oranges => 6 );
print $fruit{apples};        # shows: 3
Hash-tree = Reference of a hash into a hash
my $hashref = { a => { b => 2, c => 3 }, d => 4 };
print $hashref->{a}{b};      # shows: 2
Hashes in JKFlow
Uniform structure of Hash-trees for counters
Using references to these structures
$Ref->
Reuse of routines
JKFlow Framework
I needed a framework to get the desired flexibility to integrate all desired features
I found this in XML
Perl + XML = XML::Simple module
XML => Hash
JKFlow.xml
JKFlow.xml elements
1: <all>, <router(s)>, <subnet(s)>, <network(s)>
2: <direction>
3: <application>, <services>, <ftp>, <protocols>, <tos>, <multicast>, <total>
(2) & (3) can be defined in (1) & (2)
Directions
Direction = Selection of Source/Destination subnets
Including/excluding Subnets possible
[Diagram labels: fromsubnet, tosubnet, notosubnet, nofromsubnet]
Recursive Directions
Directions can be nested inside Directions
Each Direction has its own set of protocols and services to monitor
<direction name="BE-NL" …>
<direction name="BE-NL desktops" …>…</direction>
…
</direction>
What could you use this feature for?
...for subnet monitoring!
Applications
Merge several services together as ‘one’ service
example: <application name="web">80/tcp,443/tcp</application>
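Added example, not code from JKFlow or from this presentation: one reused Perl routine walks a direction tree (fromsubnet/tosubnet/nofromsubnet/notosubnet, nested directions, applications) and fills a hash-tree of byte counters. The config hash layout, the subnet values, the rule that a nested direction only sees flows its parent matched, and the flow records are assumptions constructed for illustration.

```perl
# Added illustration, not JKFlow source; config layout and flow records are constructed.
use strict; use warnings;
use Socket qw(inet_aton);

# True if dotted-quad $ip lies inside any CIDR of the comma-separated $list.
sub in_subnets {
    my ($ip, $list) = @_;
    my $addr = unpack 'N', inet_aton($ip);
    for my $cidr (split /,/, $list) {
        my ($net, $bits) = (split(m{/}, $cidr), 32);    # bare address means /32
        my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
        return 1 if ($addr & $mask) == (unpack('N', inet_aton($net)) & $mask);
    }
    return 0;
}
# One routine for every level: count the flow in $dir, then recurse into nested directions.
sub count_flow {
    my ($dir, $flow, $counters) = @_;
    return if $dir->{fromsubnet}   && !in_subnets($flow->{src}, $dir->{fromsubnet});
    return if $dir->{tosubnet}     && !in_subnets($flow->{dst}, $dir->{tosubnet});
    return if $dir->{nofromsubnet} &&  in_subnets($flow->{src}, $dir->{nofromsubnet});
    return if $dir->{notosubnet}   &&  in_subnets($flow->{dst}, $dir->{notosubnet});
    my $c = $counters->{ $dir->{name} } //= {};         # hash-tree node for this direction
    $c->{total}{bytes} += $flow->{bytes};
    my $svc = "$flow->{dport}/$flow->{proto}";
    for my $app (keys %{ $dir->{application} // {} }) { # several services merged as one
        $c->{application}{$app}{bytes} += $flow->{bytes}
            if grep { $_ eq $svc } split /,/, $dir->{application}{$app};
    }
    count_flow($_, $flow, $counters) for @{ $dir->{direction} // [] };
}
my $config = {    # hypothetical layout of a parsed direction tree
    name => 'BE-NL', fromsubnet => '10.1.0.0/16', tosubnet => '10.2.0.0/16',
    application => { web => '80/tcp,443/tcp' },
    direction => [ { name => 'BE-NL desktops', fromsubnet => '10.1.5.0/24',
                     application => { web => '80/tcp,443/tcp', mail => '25/tcp' } } ],
};
my @flows = (     # constructed flow records
    { src => '10.1.5.7', dst => '10.2.0.9', dport => 443, proto => 'tcp', bytes => 1200 },
    { src => '10.1.9.3', dst => '10.2.0.9', dport => 80,  proto => 'tcp', bytes => 300  },
    { src => '10.1.5.8', dst => '10.2.1.1', dport => 25,  proto => 'tcp', bytes => 500  },
    { src => '10.9.9.9', dst => '10.2.0.9', dport => 80,  proto => 'tcp', bytes => 999  },
);
my %counters;
count_flow($config, $_, \%counters) for @flows;
for my $name (sort keys %counters) {
    printf "%s total=%d", $name, $counters{$name}{total}{bytes};
    printf " %s=%d", $_, $counters{$name}{application}{$_}{bytes}
        for sort keys %{ $counters{$name}{application} // {} };
    print "\n";
}
```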
FTP
State monitoring of FTP control sessions for detection of Active/Passive FTP-sessions
example: <ftp/>
JKGrapher CGI-script
CGI-script for reading RRDTool files created by JKFlow
Based on CUGrapher
1: First, a preselection of routers/subnets/networks
After this you get a web page with a form where you can select the protocols/services of the selected routers/subnets for which you want to see a graph.
Demo
Parsing of flowfiles by JKFlow, generation of RRDTool files
JKGrapher interface