NetFlow: what happens in your network? (@ MUM Ljubljana...
NetFlow: what happens in your network?
by Lorenzo Busatti
MUM Ljubljana 2016 © Lorenzo Busatti, http://routing.wireless.academy
Lorenzo Busatti
• Founder of Grifonline S.r.l. (1997)
• Founder of Linkwave (2006)
• MikroTik Trainer (2010)
• Member of RIPE, AMS-IX, MIX-IT
About me
I'm a MikroTik enthusiast
I'm a MikroTik evangelist
About me
• Founder (2016) of the Non Profit Organization for High Quality Training Partners
Advertising time!
My friend Andrew Cox booked too late for this MUM, so the presentation slots were already full.
I promised him to quickly advertise his fantastic product (and for free :) ):
Dedicated to Max
The traffic of your network
Is one of the most important "things".
What do you know about it?
What is the growth of your customer traffic to Netflix?
What are the top AS you should peer with?
Who is the top bandwidth drawer?
With few tools you can know more than you can imagine :)
NetFlow in pills
• Is a "common" router feature
• Collects IP traffic statistics
• Later exports them to a NetFlow Collector
• They're called: flow records
• The format is template based (since Version 9): expandable for the future
NetFlow in RouterOS
• Yes, it is supported!
• It is called: Traffic Flow (NetFlow is a Cisco name...)
• It "lives" here: /ip traffic-flow
• Exists since ROS v2.9
• Today supports Versions 1, 5, 9
• Check the wiki for the differences... :)
Traffic Flow in action
[diagram: the router between YOUR WAN and YOUR LAN, The Client, and The "Flows" exported to the NetFlow Collector (and Analyzer)]
Two Ingredients
• A NetFlow Collector (and Analyzer)
• The "Flows"
Traffic Flow limitations
• Up to RouterOS v6.0 it will export only the RX traffic of an interface
• Currently RouterOS does not export BGP AS numbers :(
• Hope to see it implemented soon... :)
The "boring" part
(but very short...)
Packet transport protocol
• The records are exported using UDP
• The standard port is 2055 (user defined)
• The router does not keep track of flow records already exported
• If a NetFlow packet is dropped, all contained records are lost forever
• Doesn't export the "payloads"
• The content isn't encrypted
General structure (v9)
NetFlow Packet header
– Template
  • NetFlow Record 1
  • NetFlow Record 2
  • NetFlow Record n
– Template
  • NetFlow Record n+1
  • NetFlow Record n+2
  • NetFlow Record n+n
The packet header
• Version number (v1 → v5, v7 → v8, v9)
• Sequence number
• Timestamp
• Number of records (v5 or v8) or list of templates and records (v9)
The Template format
• ID
• Length
• Field Count
• Field 1 Type
• Field 1 Length
• Field 2 Type
• Field 2 Length
• Field N Type
• Field N Length
(some) v9 Fields
IN_BYTES, OUT_BYTES, IN_PKTS, OUT_PKTS, PROTOCOL, SRC_TOS, TCP_FLAGS, L4_SRC_PORT, L4_DST_PORT, IPV4_SRC_ADDR, IPV4_DST_ADDR
DIRECTION, IPV4_NEXT_HOP, IPV6_SRC_ADDR, IPV6_DST_ADDR, ICMP_TYPE, IN_SRC_MAC, IN_DST_MAC, OUT_DST_MAC, OUT_SRC_MAC, SRC_VLAN, DST_VLAN
SRC_AS, DST_AS, BGP_IPV4_NEXT_HOP, IP_PROTOCOL_VERSION, MPLS_LABEL_(1-10), IF_NAME, IF_DESC
FORWARDING_STATUS (lots of subcodes!!!)
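The packet layout from the last slides (header, template FlowSet, data records) and the transport caveat that a dropped UDP packet loses its records for good can be exercised with a small collector-side parser. The following is an added example written for this transcript, not code from the talk, from RouterOS or from any collector product: it builds two constructed v9 export packets, decodes them with the template they carry, and uses the header sequence number to count packets lost in transit. The field type numbers are the RFC 3954 values for the seven fields used; `build_sample_packets`, `collect`, the sample addresses and the timestamps are constructed for the example.

```python
import ipaddress
import struct

# NetFlow v9 field type numbers (RFC 3954) for the subset of fields used here.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_header(data):
    """The 20-byte v9 header: version, record count, uptime, timestamp, sequence, source id."""
    version, count, uptime, unix_secs, sequence, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError(f"unsupported NetFlow version {version}")
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": unix_secs, "sequence": sequence, "source_id": source_id}

def parse_template_flowset(body, templates):
    """Template FlowSet (id 0): template id, field count, then (type, length) pairs."""
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if field_count == 0:          # zero bytes at the end are padding
            break
        fields = []
        for _ in range(field_count):
            fields.append(struct.unpack("!HH", body[pos:pos + 4]))
            pos += 4
        templates[template_id] = fields

def parse_data_flowset(body, fields):
    """Decode fixed-length records laid out as the template's (type, length) list says."""
    record_len = sum(flen for _, flen in fields)
    pos, records = 0, []
    while pos + record_len <= len(body):   # a shorter tail is padding
        rec = {}
        for ftype, flen in fields:
            raw = body[pos:pos + flen]
            rec[FIELD_NAMES.get(ftype, f"FIELD_{ftype}")] = (
                str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
            pos += flen
        records.append(rec)
    return records

def parse_packet(data, templates):
    """Walk the FlowSets after the header; templates persist across packets of one exporter."""
    header, pos, records = parse_header(data), 20, []
    while pos + 4 <= len(data):
        flowset_id, length = struct.unpack("!HH", data[pos:pos + 4])
        if length < 4:
            raise ValueError("malformed FlowSet length")
        body = data[pos + 4:pos + length]
        if flowset_id == 0:
            parse_template_flowset(body, templates)
        elif flowset_id >= 256 and flowset_id in templates:
            records.extend(parse_data_flowset(body, templates[flowset_id]))
        # Options FlowSets (id 1) and data for a not-yet-seen template are skipped.
        pos += length
    return header, records

class SequenceTracker:
    """v9 sequence numbers count export packets per source id: a jump of more than
    one means UDP loss in transit (or an exporter restart), and those records are gone."""
    def __init__(self):
        self.last, self.lost_packets = {}, 0
    def observe(self, header):
        key, seq = header["source_id"], header["sequence"]
        if key in self.last and seq > self.last[key] + 1:
            self.lost_packets += seq - self.last[key] - 1
        self.last[key] = seq

def build_sample_packets():
    """Constructed export packets: sequence 1 carries a template and two records,
    sequence 3 carries one record, and sequence 2 is deliberately missing."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    def record(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))
    def data_fs(recs):
        body = b"".join(recs)
        pad = (-len(body)) % 4
        return struct.pack("!HH", 256, 4 + len(body) + pad) + body + b"\x00" * pad
    def header(count, seq):
        return struct.pack("!HHIIII", 9, count, 123456, 1456000000, seq, 1)
    pkt1 = header(3, 1) + template_fs + data_fs([
        record("10.0.0.5", "198.51.100.7", 51000, 443, 6, 5200, 12),
        record("10.0.0.9", "203.0.113.2", 40000, 53, 17, 120, 1)])
    pkt3 = header(1, 3) + data_fs([record("10.0.0.5", "198.51.100.7", 51001, 443, 6, 880, 4)])
    return [pkt1, pkt3]

def collect(packets):
    """What a collector does per packet: parse it, note sequence gaps, keep the records."""
    templates, tracker, flows = {}, SequenceTracker(), []
    for pkt in packets:
        header, recs = parse_packet(pkt, templates)
        tracker.observe(header)
        flows.extend(recs)
    return flows, tracker.lost_packets
```

`collect(build_sample_packets())` returns the three decoded records and a lost-packet count of 1, which is exactly the gap the slide warns about: the collector can tell that something was lost, but not what. Keeping the template dictionary per exporter matters in practice, because a data FlowSet that arrives before its template (for example right after a collector restart) cannot be decoded and is silently skipped here until the router resends the template.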
Live view: the packet Header
Live view: the Template
Live view: One Flow
Summary
The Traffic Flow will "export" almost "everything" except the effective "payload".
Setting up (the router)
IP -> Traffic Flow
IP -> Traffic Flow -> Targets
IP -> Traffic Flow -> Status
How many resources will the flows take?
Traffic Flow "traffic"
There is no exact formula to calculate the exported "flows", but I'll show you a "live" example.
[live example: The "Flows", The router traffic, The sessions]
The NetFlow Collectors (and Analyzers)
What do I need now?
• A Collector will collect the flows exported by your router.
• An Analyzer will make these data readable and usable to you.
• Most of the Collectors are Analyzers also.
Which one?
• Open source;
• Closed source;
• For Windows;
• For Linux;
• On the Cloud;
• Paid vs Free;
Examples
Which one? I'm not a reseller or a sales representative of these brands.
Search on the web and "try before buy" (when possible).
Which one? In this presentation I'll show you an example using the cloud services provided by:
http://polygraph.io
The most interesting part: What can I see?????
Which traffic? Just a few examples:
• Bandwidth monitoring
• Applications used
• Identify visited domains
• Top talkers (customers and hosts)
• Geolocate traffic.
• Attack detection.
• And since RouterOS 6.33, the fastpath
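To make the "what can I see" list concrete, here is an added example (written for this transcript, not the code of polygraph.io or of any analyzer) that runs three of those views over a constructed batch of already-decoded flow records: top talkers by bytes, an application split by destination port, and a flow-level port-scan detector of the kind an analyzer's attack detection is built on. The `PORT_APPS` map, the thresholds in `scan_suspects`, and all addresses and byte counts are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of decoded flow records (keys are the v9 field names from the
# slides; addresses come from documentation ranges, not from any real network).
FLOWS = [
    {"IPV4_SRC_ADDR": "10.0.0.5", "IPV4_DST_ADDR": "198.51.100.7", "PROTOCOL": 6,
     "L4_DST_PORT": 443, "IN_BYTES": 5_200_000, "IN_PKTS": 4000},
    {"IPV4_SRC_ADDR": "10.0.0.5", "IPV4_DST_ADDR": "198.51.100.8", "PROTOCOL": 6,
     "L4_DST_PORT": 443, "IN_BYTES": 1_800_000, "IN_PKTS": 1500},
    {"IPV4_SRC_ADDR": "10.0.0.9", "IPV4_DST_ADDR": "203.0.113.2", "PROTOCOL": 17,
     "L4_DST_PORT": 53, "IN_BYTES": 12_000, "IN_PKTS": 100},
    {"IPV4_SRC_ADDR": "10.0.0.12", "IPV4_DST_ADDR": "198.51.100.20", "PROTOCOL": 6,
     "L4_DST_PORT": 80, "IN_BYTES": 900_000, "IN_PKTS": 800},
]
# Constructed scan-like pattern: one external address touching 25 ports of one
# internal host, one packet per flow.
FLOWS += [{"IPV4_SRC_ADDR": "192.0.2.66", "IPV4_DST_ADDR": "10.0.0.20", "PROTOCOL": 6,
           "L4_DST_PORT": port, "IN_BYTES": 60, "IN_PKTS": 1} for port in range(1, 26)]

# Assumed port-to-application map; real analyzers use far richer classification.
PORT_APPS = {22: "ssh", 53: "dns", 80: "http", 443: "https"}

def top_talkers(flows, n=3):
    """Bytes per source address, largest first: the 'top bandwidth drawer' question."""
    by_src = Counter()
    for f in flows:
        by_src[f["IPV4_SRC_ADDR"]] += f["IN_BYTES"]
    return by_src.most_common(n)

def bytes_by_application(flows):
    """Rough application split using the destination port."""
    by_app = Counter()
    for f in flows:
        by_app[PORT_APPS.get(f["L4_DST_PORT"], "other")] += f["IN_BYTES"]
    return dict(by_app)

def scan_suspects(flows, min_ports=20, max_pkts=2):
    """Source/destination pairs where many distinct ports were touched with tiny flows,
    the flow-level signature of a port scan. Returns (src, dst, distinct_ports)."""
    probes = defaultdict(set)
    for f in flows:
        if f["IN_PKTS"] <= max_pkts:
            probes[(f["IPV4_SRC_ADDR"], f["IPV4_DST_ADDR"])].add(f["L4_DST_PORT"])
    return sorted((src, dst, len(ports)) for (src, dst), ports in probes.items()
                  if len(ports) >= min_ports)

def report(flows):
    """Bundle the three views the way an analyzer dashboard would."""
    return {"top_talkers": top_talkers(flows), "applications": bytes_by_application(flows),
            "scan_suspects": scan_suspects(flows)}

if __name__ == "__main__":
    for section, value in report(FLOWS).items():
        print(section, value)
```

Note that the scanning host is nowhere near the top of the byte ranking (25 flows of 60 bytes), which is why attack detection on flow data keys on counts of distinct ports or peers rather than on volume; the same record set answers both the "who draws the bandwidth" and the "who is probing my hosts" question without any payload.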
"Live" demo
You can also make reports, watch and export the stored flows, and...
Security
Security is another application of the Traffic Flow.
My content will stop here; I hope you'll enjoy a dedicated presentation this evening.
Wrap up
✓ With the Traffic Flow and a NetFlow Analyzer you can know what happens in your network and the kind of traffic exchanged by your customers
✓ From this privileged point of view you can manage, plan and prevent the "things" of your network.
✓ I hope you'll soon deploy your privileged "point of observation" :)
Thank you!
Q&A
http://[email protected]