NetFlow: What Happens In Your Network? (@ MUM Ljubljana 2016)

Transcription

NetFlow: what happens in your network?
by Lorenzo Busatti
MUM Ljubljana 2016, Lorenzo Busatti, http://routing.wireless.academy

About me
Lorenzo Busatti
Founder of Grifonline S.r.l. (1997)
Founder of Linkwave (2006)
MikroTik Trainer (2010)
Member of RIPE, AMS-IX, MIX-IT

I'm a MikroTik enthusiast
I'm a MikroTik evangelist

About me
Founder (2016) of the Non Profit Organization for High Quality Training Partners

Advertising time!
My friend Andrew Cox booked too late for this MUM, so the presentation slots were already full.
I promised him to quickly advertise his fantastic product (and for free :) ):


Dedicated to Max

The traffic of your network
is one of the most important "things".
What do you know about it?
What is the growth of your customers' traffic to Netflix?
What are the top ASes you should peer with?
Who is the top bandwidth drawer?
With a few tools you can know more than you can imagine :)

NetFlow in pills
- It is a "common" router feature.
- The router collects IP traffic statistics and later exports them to a NetFlow Collector.
- The exported units are called flow records.
- The format is template-based (since version 9), so it is expandable for the future.

NetFlow in RouterOS
- Yes, it is supported!
- It is called Traffic Flow (NetFlow is Cisco's name for it).
- It lives at /ip traffic-flow.
- It has existed since RouterOS v2.9.
- Today it supports versions 1, 5 and 9.
- Check the wiki for the differences :)

Traffic Flow in action
(diagram: the router sits between YOUR WAN and YOUR LAN; the "Flows" go from the router to the NetFlow Collector (and Analyzer); The Client reads the results)

Two ingredients
- The "Flows"
- A NetFlow Collector (and Analyzer)

Traffic Flow limitations
- Up to RouterOS v6.0 it exports only the RX traffic of an interface.
- Currently RouterOS does not export BGP AS numbers :(
- Hope to see it implemented soon :)

The "boring" part (but very short ...)

Packet transport protocol
- The records are exported using UDP.
- The standard port is 2055 (user defined).
- The router does not keep track of flow records already exported.
- If a NetFlow packet is dropped, all the records it contained are lost forever.
- It doesn't export the "payloads".
- The content isn't encrypted.
In practice this means the export is neither confidential nor authenticated: anyone who can sniff the path between router and collector sees who talked to whom, and a UDP source address is trivial to spoof, so keep that path on a management network and have the collector accept flows only from the router's address.

General structure (v9)
- NetFlow Packet header
- Template
- NetFlow Record 1, NetFlow Record 2, ..., NetFlow Record n
- Template
- NetFlow Record n+1, NetFlow Record n+2, ..., NetFlow Record n+n

The packet header
- Version number (v1, v5, v7, v8, v9)
- Sequence number
- Timestamp
- Number of records (v5 or v8) or list of templates and records (v9)

The Template format
- FlowSet ID (0 = template FlowSet)
- Length
- Template ID
- Field Count
- Field 1 Type, Field 1 Length
- Field 2 Type, Field 2 Length
- ...
- Field N Type, Field N Length

(some) v9 Fields
IN_BYTES, OUT_BYTES, IN_PKTS, OUT_PKTS, PROTOCOL, SRC_TOS, TCP_FLAGS, L4_SRC_PORT, L4_DST_PORT,
IPV4_SRC_ADDR, IPV4_DST_ADDR, DIRECTION, IPV4_NEXT_HOP, IPV6_SRC_ADDR, IPV6_DST_ADDR, ICMP_TYPE,
IN_SRC_MAC, IN_DST_MAC, OUT_DST_MAC, OUT_SRC_MAC, SRC_VLAN, DST_VLAN, SRC_AS, DST_AS, BGP_IPV4_NEXT_HOP,
IP_PROTOCOL_VERSION, MPLS_LABEL (1-10), IF_NAME, IF_DESC, FORWARDING_STATUS (lots of subcodes!!!)
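The following is an added example, not code from the talk: a small Python decoder for the v9 layout described above (packet header, template FlowSet, data FlowSet), fed a constructed sample packet in the shape a RouterOS Traffic Flow target would receive on UDP/2055. It also shows the consequence of the transport slide: the exporter never retransmits, so the collector can only notice loss from a gap in the per-source sequence number, and data that arrives before its template cannot be decoded until the template is re-sent. Field numbers follow RFC 3954; the addresses, template ID and record values are invented for the sample.

```python
"""Minimal NetFlow v9 decoder (added example, not from the talk).

Walks the packet header, template FlowSet and data FlowSet, keeps a template
cache per exporter, and tracks the sequence number to detect lost export packets.
"""
import struct
from typing import Dict, List, Tuple

# RFC 3954 field types used by the constructed sample (the slide lists many more).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
Template = List[Tuple[int, int]]        # [(field type, field length in bytes), ...]


def decode_field(ftype: int, raw: bytes):
    """IPv4 address fields become dotted quads; everything else is a big-endian integer."""
    if ftype in (8, 12):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet: bytes, templates: Dict[int, Template]) -> dict:
    """Decode one export packet against the collector's template cache `templates`.

    Templates carried in the packet are stored into the cache, data FlowSets are
    decoded with it, and a data FlowSet whose template is unknown is dropped and counted.
    """
    version, count, _uptime, _unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"expected NetFlow v9, got version {version}")
    flows, dropped, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")     # never trust lengths from the wire
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                        # template FlowSet (may hold several)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                if p + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256:                                    # data FlowSet, ID == template ID
            fields = templates.get(fs_id)
            if fields is None:
                dropped += 1              # template not seen yet: undecodable until it is re-sent
            else:
                rec_len, p = sum(flen for _, flen in fields), 0
                while p + rec_len <= len(body):               # leftover bytes are 32-bit padding
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, f"FIELD_{ftype}")] = decode_field(ftype, body[p:p + flen])
                        p += flen
                    flows.append(rec)
        # FlowSet ID 1 (options template) and 2..255 (reserved) are skipped here
        off += fs_len
    return {"sequence": seq, "source_id": source_id, "count": count,
            "flows": flows, "dropped_flowsets": dropped}


class SequenceTracker:
    """The exporter never retransmits, so a jump in the per-source sequence number
    (which counts export packets in v9) is the only evidence that records were lost."""
    def __init__(self):
        self.last: Dict[int, int] = {}

    def check(self, source_id: int, seq: int) -> int:
        """Return how many packets from this source went missing before this one."""
        prev = self.last.get(source_id)
        self.last[source_id] = seq
        if prev is None:
            return 0
        return max(0, ((seq - prev) & 0xFFFFFFFF) - 1)      # 32-bit counter may wrap


def build_sample_packet(seq: int, with_template: bool) -> bytes:
    """Constructed sample (not a capture): template 256 = src/dst IPv4, ports,
    protocol, bytes, packets; two data records; source ID 1."""
    tmpl: Template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    recs = [("192.0.2.10", "198.51.100.7", 51234, 443, 6, 1500, 12),
            ("192.0.2.11", "198.51.100.53", 40001, 53, 17, 64, 1)]
    out = b""
    if with_template:
        body = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
        out += struct.pack("!HH", 0, 4 + len(body)) + body
    body = b"".join(bytes(map(int, s.split("."))) + bytes(map(int, d.split("."))) +
                    struct.pack("!HHBII", sp, dp, pr, nb, np) for s, d, sp, dp, pr, nb, np in recs)
    body += b"\0" * (-len(body) % 4)                          # FlowSets are padded to 32 bits
    out += struct.pack("!HH", 256, 4 + len(body)) + body
    count = len(recs) + (1 if with_template else 0)
    return struct.pack("!HHIIII", 9, count, 123456, 1462000000, seq, 1) + out


def demo() -> dict:
    """Three packets from one source: data before any template (seq 0), template plus
    data (seq 1), then data only after seq 2 was lost on the UDP path (seq 3)."""
    templates: Dict[int, Template] = {}
    tracker = SequenceTracker()
    packets, lost = [], []
    for seq, with_template in ((0, False), (1, True), (3, False)):
        pkt = parse_v9(build_sample_packet(seq, with_template), templates)
        packets.append(pkt)
        lost.append(tracker.check(pkt["source_id"], pkt["sequence"]))
    return {"packets": packets, "lost_before_each": lost}


if __name__ == "__main__":
    for i, pkt in enumerate(demo()["packets"]):
        print(i, pkt["sequence"], pkt["dropped_flowsets"], pkt["flows"])
```

Running `demo()` drops the orphan data FlowSet of the first packet (no template yet), decodes two flows from the second, decodes the third with the cached template, and reports one lost packet before it (sequence 1 to 3). A real collector keys the template cache by exporter address and source ID as well, since template IDs are only unique per exporter.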

Live view (packet captures shown on the slides)
- The packet header
- The Template
- One Flow

Summary
Traffic Flow will "export" almost "everything" except the actual "payload".

Setting up (the router)
(Winbox screens shown on the slides)
- IP - Traffic Flow
- IP - Traffic Flow - Targets
- IP - Traffic Flow - Status
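As an added example (the slides themselves only show the Winbox screens), the same setup typed at the RouterOS 6 CLI. The WAN interface name, the collector address 192.0.2.10 and the cache size are assumptions; the property names are the ones documented for /ip traffic-flow in the RouterOS 6 manual.

```routeros
# Added example: enable Traffic Flow on the WAN interface (assumed name ether1-wan)
/ip traffic-flow
set enabled=yes interfaces=ether1-wan cache-entries=16k \
    active-flow-timeout=30m inactive-flow-timeout=15s

# Export NetFlow v9 to the collector (assumed 192.0.2.10) on the usual UDP port;
# the template is re-sent every 20 export packets or 30 minutes so a collector
# that starts late, or loses the template packet, can decode the data again
/ip traffic-flow target
add dst-address=192.0.2.10 port=2055 version=9 \
    v9-template-refresh=20 v9-template-timeout=30m

# Check what the router will do (the CLI view of the Status screen)
/ip traffic-flow print
/ip traffic-flow target print
```

Keep the collector reachable only through a management network: the export is plain UDP, so the records are readable and forgeable by anything on the path.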

How many resources will the flows take?
Traffic Flow "traffic"
There is no exact formula to calculate the exported "flows", but I'll show you a "live" example.
(screens: the router traffic, the sessions, the "Flows")

The NetFlow Collectors (and Analyzers)
What do I need now?
- A Collector collects the flows exported by your router.
- An Analyzer makes these data readable and usable for you.
- Most Collectors are also Analyzers.
Which one?
- Open source / closed source
- For Windows / for Linux
- On the cloud
- Paid vs free
Examples
Which one?
I'm not a reseller or a sales representative of these brands.
Search on the web and "try before you buy" (when possible).
Which one?
In this presentation I'll show you an example using the cloud services provided by: http://polygraph.io

The most interesting part: what can I see?
Which traffic? Just a few examples:
- Bandwidth monitoring
- Applications used
- Identify visited domains
- Top talkers (customers and hosts)
- Geolocate traffic
- Attack detection
Which traffic? And since RouterOS 6.33, the fastpath

"Live" demo

"Live" demo
You can also make reports, view and export the stored flows, and ...


Security
Security is another application of Traffic Flow.
My content stops here; I hope you'll enjoy a dedicated presentation this evening.

Wrap up
With Traffic Flow and a NetFlow Analyzer you can know what happens in your network and the kind of traffic exchanged by your customers.
From this privileged point of view you can manage, plan and prevent the "things" of your network.
I hope you'll soon deploy your privileged "point of observation" :)

Thank nline.it
