Presentation is loading. Please wait.

Presentation is loading. Please wait.

NetFlow, Flow-Like Data, and Their Many Uses Avi Freedman CHI-NOG 06 5/12/2016.

Published byVerity Lester Modified over 9 years ago

Similar presentations

Presentation on theme: "NetFlow, Flow-Like Data, and Their Many Uses Avi Freedman CHI-NOG 06 5/12/2016."— Presentation transcript:

1 NetFlow, Flow-Like Data, and Their Many Uses Avi Freedman avi@kentik.com CHI-NOG 06 5/12/2016

2 What is NetFlow? 2 NetFlow is… A 20-year old technology now supported in some variant by most network devices. Mostly works fine now. sFlow came later, and is packet sampling and the first bytes of the packet (including the header). … and is simpler and more accurate in real-time IPFIX and Netflow v9 are extensible via templates, and allow sending more than just ‘basic flow’ data via those templates.

3 ‘Basic’ Flow 3 Basic flow records contain byte and packet counters, TCP Flags, AS, next-hop, and other data. Aggregated by (usually) the ‘5 tuple’ of (protocol, srcip, dstip, srcport, dstport). Most devices support a fixed sampling rate. Despite the simplicity of data, there are many use cases for basic flow data for monitoring availability, efficiency, and security of networks, hosts, and applications.

4 State of Device Export 4 Mostly works! sFlow is more common at the switch layer, and NetFlow/IPFIX is more common in routers, but many devices support both protocols. Still possible to negatively impact packet forwarding by enabling flow export, but accuracy and stability is generally fine w/ correct software versions. Much, much better situation than 5+ years ago.

5 State of Flow Tools 5 All have some suck. Most suck more and some suck less. No perfect eng+perf+BI+ops tool: OSS tools don’t cluster, but popular. DIY mostly Spark, Streaming, Elastic. Most downloadable commercial sw has scale. Appliances usually limits and single-purpose. Newer vendors mostly big-data and cloudy in arch. Extensibility + openness key for augmented flow use cases.

6 Classic Flow Use Cases 6 Flow from routers and switches can and is being used today for: Congestion analysis for providers and/or customers Peering analytics Trending, planning and forecasting (d)DoS detection (primarily volumetric) Basic forensic/historic (who did an IP talk to) Modeling of TE, what-if analysis Customer cost analysis (Flow + BGP communities)

7 Classic View: Traffic by Source ASN

8 Classic View: Interface -> Interface Traffic

9 Classic View: Int -> Int -> City -> Country

10 Flows: Device -> AS -> AS -> Geo

11 Classic View: By-Market Analysis

12 Classic View: Traffic by top AS_PATHs

13 Augmented Flow 13 But what could we do with more values per flow? ‘Who talked to who’ data is great, but if we can get: Semantics (URL, DNS query, SQL query, …) Application performance info (latency, TTFB, …) Network performance info (RTT, loss, jitter, …) from passive observation, it unlocks even more/more interesting use cases! With many of the same basic report structures. Some of this is already available via IPFIX/V9.

14 Sources of Augmented Flow 14 Where to look: OSS sensor software: nprobe, argus Commercial sensors: nBox, nPulse, and others Packet Brokers: Ixia and Gigamon (IPFIX, potentially more) IDS (bro) – a superset of most flow fields, + app decode Web servers (nginx, varnish) – web logs + tcp_info for perf Load balancers – already seei HTTPS-decoded URLs CISCO AVC, Netflow Lite – generally only on small devices Common challenge: Some of the exporters don’t support sampling, and many tools can’t keep up with un-sampled flow.

15 Source: Cisco AVC 15 docwiki.cisco.com/wiki/AVC-Export:PfR#PfR_NetFlow_Export_CLI

16 Source: Citrix AppFlow 16 http://docs.citrix.com/en-us/netscaler/10-5/ns-system-wrapper-10- con/ns-ag-appflow-intro-wrapper-con.html https://github.com/splunk/ipfix/blob/master/app/Splunk_TA_IPFIX/bin /IPFIX/information-elements/netscaper-iana.xml_full

17 Source: nTop’s nprobe 17 http://ntop.org template.c in nprobe (and elsewhere)

18 Source: nginx, bro 18 http://nginx.org/en/docs/http/ngx_http_core_module.html#variables https://www.bro.org/sphinx/logs/index.html nginx: log_format combined '$remote_addr - $remote_user [$time_local] ’ '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent”’ ‘$tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, $tcpinfo_rcv_space’;

19 Use Case: Storing + Using Aug. Flow 19 Back-end needs to store/make accessible. Often requires integration (for OSS/big data tools) or vendor support. And if the tools aren’t ‘open’ via API, SQL, or CLI, data can be trapped and not as useful. Many first use cases are ad-hoc to prove effectiveness, then drive to UI reports/dashboards. Holy grail: end user app perf + net perf + net flow + host perf + app internals insturmentation.

20 Example Storage Method: Fastbit 20 https://sdm.lbl.gov/fastbit/ https://github.com/CESNET/ipfixcol/ http://www.ntop.org (nprobe CLI) fbquery -c 'DST_AS,L4_SRC_PORT,sum(IN_BYTES) as inb,sum(OUT_BYTES) as outb' \ -q 'SRC_AS <> 3 AND L4_SRC_PORT <> 80' \ -g 'DST_AS,L4_SRC_PORT' \ -o 'inb' \ -r -L 10 -d.

21 Example Storage Method: Fastbit 21

22 Example Storage Method: Fastbit 22 https://sdm.lbl.gov/fastbit/ https://github.com/CESNET/ipfixcol/ http://www.ntop.org (nprobe CLI) fbquery -c 'DST_AS,L4_SRC_PORT,sum(IN_BYTES) as inb,sum(OUT_BYTES) as outb' \ -q 'SRC_AS <> 3 AND L4_SRC_PORT <> 80' \ -g 'DST_AS,L4_SRC_PORT' \ -o 'inb' \ -r -L 10 -d.

23 Use Case: Network Performance 23 If the flow system can aggregate by arbitrary dimensions by AS, AS_PATH, Geo, Prefix, etc. Then looking at raw network performance from passive sources can be very useful. Ex: TCP rexmit by AS_PATH (i.e. from nprobe for a server or, via span/tap, a sensor). So… Is it data center, intranet, Internet, etc? Important to weight absolute relevance (not just % loss if a few 3 pkt flows).

24 Use case: Network Performance 24

25 Augmented Flow: rexmit by Dest ASN

26 Augmented Flow: rexmit by 2 nd hop ASN

27 Augmented Flow: rexmit by AS_PATH

28 Augmented Flow: Client Latency by AS_PATH

29 Use Case: “Is it the Network?” 29 The perennial question… Is it the network or the app? Sending flow with network and app performance… Can point to the root cause “Client one-way trip time” vs “Server one-way trip time” vs “App latency” And over time potentially APM-like functionality to debug intra-app-layer issues as well.

30 Augmented Flow: App Latency

31

32 Use Case: Application-Level Attacks 32 What was your network transporting last night? With URL and performance data, many kinds of application attacks can be detected. To get * URL info in an HTTPS world, will need to get data from load balancers or web logs. Simplest is WAF – looking for SQL fragments, binary, or other known attack vectors. Can hook alerts to mitigation methods, even if running OOB (for example, send TCP FIN/RST in both directions)

33 Use Case: Bot Detection 33 Is that flow human or bot? With performance information combined with URL, basic e- commerce bot detection is possible. Many attacks are advanced so may require a packet approach to get complete visibility, but basic visibility can often demonstrate a problem. Can sometimes be done with syslog analytics, but flow tools often aggregate in interesting ways (geo, AS) that syslog analytics don’t, at least out of the box.

34 Use Case: Bot Detection 34 Is that flow human or bot? With performance information combined with URL, basic e- commerce bot detection is possible. Many attacks are advanced so may require a packet approach to get complete visibility, but basic visibility can often demonstrate a problem. Can sometimes be done with syslog analytics, but flow tools often aggregate in interesting ways (geo, AS) that syslog analytics don’t, at least out of the box.

35 Questions? Avi Freedman avi@kentik.com CHI-NOG 06 5/12/2016

Download ppt "NetFlow, Flow-Like Data, and Their Many Uses Avi Freedman CHI-NOG 06 5/12/2016."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.

Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.
SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.

SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer.
Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.

Top-Down Network Design Chapter Nine Developing Network Management Strategies Copyright 2010 Cisco Press & Priscilla Oppenheimer.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
SDN Applications Jennifer Rexford Princeton University.

SDN Applications Jennifer Rexford Princeton University.
IPv6 Victor T. Norman.

IPv6 Victor T. Norman.
1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.

1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.
Copyright © sFlow.org. 2004 All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.

Copyright © sFlow.org All Rights Reserved sFlow & Benefits Complete Network Visibility and Control You cannot control what you cannot see.
Implementing a Highly Available Network

Implementing a Highly Available Network
Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.

Monitoring a Large-Scale Network: Selecting the Right Tool Sayadur Rahman United International University & Network Manager, Financial Service.
Embracing the chaos mark lorenc

Embracing the chaos mark lorenc
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932

Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
NetFlow Analyzer Drilldown to the root-QoS Product Overview.

NetFlow Analyzer Drilldown to the root-QoS Product Overview.
Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.

Ch. 31 Q and A IS 333 Spring 2015 Victor Norman. SNMP, MIBs, and ASN.1 SNMP defines the protocol used to send requests and get responses. MIBs are like.
Ch. 31 Q and A CS332 Spring 2014. Network management more than just Ethernet Q: Comer mentions that network managers need to be able to account for different.

Ch. 31 Q and A CS332 Spring Network management more than just Ethernet Q: Comer mentions that network managers need to be able to account for different.
Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.

Chapter Eleven An Introduction to TCP/IP. Objectives To compare TCP/IP’s layered structure to OSI To review the structure of an IP address To look at.
Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.

Network Monitoring School of Electronics and Information Kyung Hee University. Choong Seon HONG Selected from ICAT 2003 Material of James W. K. Hong.
Flow tools APRICOT 2008 Network Management Taipei, Taiwan February 20-24, 2008.

Flow tools APRICOT 2008 Network Management Taipei, Taiwan February 20-24, 2008.
Coarse-Grained Traffic Analysis in ISP Networks A Router-Based Approach Christian Martin Verizon.

Coarse-Grained Traffic Analysis in ISP Networks A Router-Based Approach Christian Martin Verizon.

Similar presentations

Ads by Google