Friday, July 17, 2009

Where Is All This Traffic going?

Have you ever wondered where all the network traffic is going? Standard SNMP interface counters give an overview of the total traffic in and out of an interface, but little in the way of detail about sources, destinations and the protocols in use. To learn where the traffic is going and what protocols are in use, look at what flow-based technologies can provide. The most widely deployed is Cisco's NetFlow, although similar technologies exist (Juniper's J-Flow, sFlow, etc…). Each has its own record format and a few unique attributes, but they all provide the same core information: who talked to whom, over which protocol and ports, and how much.

So what does a flow based product do?
It provides an answer to the question, "Where is the traffic going?". A flow is a stream of packets sharing the same key fields (source and destination IP, source and destination port, IP protocol, type of service and input interface). The router keeps a cache of these flows, counts packets and bytes for each, and exports the records to a collector. NetFlow does not inspect packet payloads; it only records the header fields above, which is why it is far cheaper than a packet capture. From the records, a collector can show the top sources and destinations (who is talking to what), and which port and protocol each conversation used. This is often enough to identify popular applications and the external "resources" people are using. Here are some sample NetFlow reports:

With this report I can see the top conversations – multiple people hitting the same IP.

Here I can learn more about the type of traffic on my network.

And here I can see the top sources coming into my network. Very helpful as a supplement to your security measures.

*Note – the IPs have been changed to protect the innocent. A 192.168.x.x address is private (RFC 1918) address space and would not normally appear as the source of traffic arriving from the Internet; if one does show up there, suspect a misconfigured router or spoofed packets.
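To make the report fields concrete, here is an added example (not code from the original post or from any NetFlow product) of the collector side: it packs a handful of constructed flow records into a NetFlow v5 export datagram, exactly the format a router sends when configured with "ip flow-export version 5", parses it back, and builds the three reports shown above: top conversations, traffic by protocol and service port, and top sources entering from the Internet. It also performs the check from the note above, flagging RFC 1918 sources that arrive on the Internet-facing interface, and uses the v5 sequence number to detect export datagrams the collector never received. All IP addresses, byte counts and interface indexes are made up; ifIndex 2 is assumed to be the WAN interface.

```python
"""Collector-side NetFlow v5 parsing and the three reports from the post.

Added example, not code from the post or any NetFlow product. Every IP,
ifIndex and byte count below is constructed; ifIndex 2 is assumed to be
the router's Internet-facing interface.
"""
import ipaddress
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte packet header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
WAN_IFINDEX = 2  # assumed SNMP ifIndex of the Internet-facing interface
# RFC 1918 is checked explicitly: ipaddress's is_private also matches the
# documentation ranges (198.51.100/24, 203.0.113/24) used for the sample IPs.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows: (src, dst, in_if, out_if, packets, bytes, sport, dport, proto)
SAMPLE_FLOWS = [
    ("10.1.1.20", "10.1.1.5", 3, 4, 120, 96000, 51000, 445, 6),
    ("10.1.1.21", "10.1.1.5", 3, 4, 80, 60000, 51001, 445, 6),
    ("10.1.1.22", "10.1.1.5", 3, 4, 40, 30000, 51002, 445, 6),
    ("10.1.1.20", "198.51.100.7", 3, 2, 300, 420000, 51003, 443, 6),
    ("203.0.113.9", "10.1.1.8", 2, 3, 50, 4000, 40000, 22, 6),
    ("203.0.113.9", "10.1.1.9", 2, 3, 45, 3600, 40001, 22, 6),
    ("198.51.100.3", "10.1.1.5", 2, 4, 10, 2000, 53, 53, 17),
    ("192.168.77.1", "10.1.1.5", 2, 4, 5, 300, 0, 0, 1),  # private source arriving from the WAN
]


def build_v5_export(flows, sequence=0):
    """Pack flows into one v5 export datagram, as the router would send to UDP 9996."""
    assert len(flows) <= 30, "v5 carries at most 30 records per datagram"
    header = V5_HEADER.pack(5, len(flows), 100000, 1247830000, 0, sequence, 0, 0, 0)
    records = b"".join(
        V5_RECORD.pack(ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       b"\0\0\0\0", in_if, out_if, pkts, octets, 0, 1000, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, in_if, out_if, pkts, octets, sport, dport, proto in flows)
    return header + records


def parse_v5_export(datagram):
    """Return (header, flows); reject datagrams whose length and record count disagree."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, sequence, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # flow_sequence counts flows exported before this datagram; the low 14 bits
    # of the last header field are the sampling interval (1 = every packet seen).
    header = {"count": count, "sequence": sequence, "sampling": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])), "dst": str(ipaddress.IPv4Address(r[1])),
                      "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10], "proto": r[13]})
    return header, flows


def missed_flows(prev_header, header):
    """Flows lost between two consecutive datagrams from one exporter (0 if none)."""
    return header["sequence"] - (prev_header["sequence"] + prev_header["count"])


def top_conversations(flows, n=3):
    """Bytes per (src, dst) pair, largest first."""
    c = Counter()
    for f in flows:
        c[(f["src"], f["dst"])] += f["bytes"]
    return c.most_common(n)


def traffic_by_service(flows, n=3):
    """Bytes per protocol and service port (the lower of the two ports for TCP/UDP)."""
    c = Counter()
    for f in flows:
        port = min(f["sport"], f["dport"]) if f["proto"] in (6, 17) else 0
        c[(PROTO_NAMES.get(f["proto"], str(f["proto"])), port)] += f["bytes"]
    return c.most_common(n)


def top_inbound_sources(flows, wan_if=WAN_IFINDEX, n=3):
    """Bytes per source for flows that entered on the Internet-facing interface."""
    c = Counter()
    for f in flows:
        if f["in_if"] == wan_if:
            c[f["src"]] += f["bytes"]
    return c.most_common(n)


def private_sources_on_wan(flows, wan_if=WAN_IFINDEX):
    """RFC 1918 sources seen entering from the Internet: spoofed or misrouted traffic."""
    return sorted({f["src"] for f in flows if f["in_if"] == wan_if
                   and any(ipaddress.ip_address(f["src"]) in net for net in RFC1918)})


if __name__ == "__main__":
    hdr, flows = parse_v5_export(build_v5_export(SAMPLE_FLOWS))
    print("Top conversations:", top_conversations(flows))
    print("Traffic by service:", traffic_by_service(flows))
    print("Top inbound sources:", top_inbound_sources(flows))
    print("Private sources on WAN:", private_sources_on_wan(flows))
```

Two details matter in practice. The length check in parse_v5_export is what keeps a truncated or crafted datagram from being read as flows, since UDP gives no guarantee the packet arrived whole; and the sequence check is the only way to know the collector is missing data, because an overloaded exporter or a congested link silently drops export datagrams and the reports then simply under-count.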

What do you need to get started with Netflow?
NetFlow is a built-in feature of Cisco IOS on many router models, so check the Cisco website for your model and IOS version, or buy a NetFlow-enabled router. You'll also need a NetFlow-enabled network management system (a collector) to receive the exported records and create quality reports. Keep in mind that flow monitoring is data intensive: the flow cache uses memory and CPU on the router, and the exported records use storage space on your network management system. One option to save storage space is to use NetFlow on demand: only enable the monitoring when necessary to troubleshoot.

It’s not hard to configure!
Here is a sample of the steps for setting up NetFlow v5:
1) Enter global configuration mode on the router, and issue the following commands for each interface on which you want to enable NetFlow. Note that "ip route-cache flow" only accounts for traffic entering the interface, so enable it on every interface you care about to capture both directions:
a) Router#configure terminal
b) Router(config)#interface {interface} {interface_number} (Example: interface FastEthernet 0/1)
c) Router(config-if)#ip route-cache flow
d) Router(config-if)#exit
2) Export the NetFlow data to your NetFlow-enabled network management system. The collector listens on a UDP port (9996 in this example), so the export command needs both the collector's IP address and that port:
a) Router>enable
b) Password:
c) Router#configure terminal
d) Router(config)#ip flow-export destination {collector_ip_address} 9996
e) Router(config)#ip flow-export version 5
f) Router(config)#end
To verify, "show ip cache flow" displays the flow cache on the router and "show ip flow export" shows the export statistics, including how many datagrams have been sent to the collector.
There is much to learn about NetFlow. When you're ready for the deep technical stuff, check out this Cisco article.



1 comment:

  1. NetFlow is a great tool for finding out the who, what, where and when. Some NetFlow monitoring tools can even take it beyond that by alerting on the kinds of traffic that could be potentially hazardous. Scrutinizer's Flow Analytics is one of those tools. Take a look.
    http://www.plixer.com/products/scrutinizer.php
