1. SHARKFEST 10 | Stanford University | June 14–17, 2010 Where NetFlow and Packet Capture Complement Each Other June 17 th, 2010 Michael Patterson CEO | Plixer International, Inc. SHARKFEST 10 Stanford University June 14-17, 2010

2. SHARKFEST 10 | Stanford University | June 14–17, 2010 Course Outline What NetFlow is and how it works Egress or Ingress Comparison of the data exported by NetFlow vs. Packet Analysis Whats next in NetFlow, where the technology is going Summary

3. SHARKFEST 10 | Stanford University | June 14–17, 2010 What is NetFlow? How does it work?

4. SHARKFEST 10 | Stanford University | June 14–17, 2010 Voice Traffic Database Traffic Instant Messenger Web Browsing Private & Business Email Video Conferencing Music streaming

5. SHARKFEST 10 | Stanford University | June 14–17, 2010 A B A - sending to B is one flow entry on every NetFlow capable router / switch in the path B - acknowledging A is a 2 nd flow

6. SHARKFEST 10 | Stanford University | June 14–17, 2010 Scrutinizer Accepts NetFlow all Versions sFlow version 2,4 and 5 IPFIX NetStream

7. SHARKFEST 10 | Stanford University | June 14–17, 2010 2 Flows per Connection AB AB Router 1 2 4 A B 3

8. SHARKFEST 10 | Stanford University | June 14–17, 2010 Who Supports NetFlow? 3Com Adtran Cisco Enterasys Expand Juniper Mikrotik nProbe Riverbed VMWare Vyatta Others…

9. SHARKFEST 10 | Stanford University | June 14–17, 2010 Cisco Enterasys Foundry Hewlett Packard Nortel nProbe, nBox Many More

10. SHARKFEST 10 | Stanford University | June 14–17, 2010 MAC Addresses and VLAN IDs MAC addresses via Cisco Flexible NetFlow (aka NetFlow v9)

11. SHARKFEST 10 | Stanford University | June 14–17, 2010 NetFlow or sFlow sFlow is an RFC not a standard Sampling of every N packets technology – Cant be used for IP accounting like NetFlow Maintained by Inmon Much less expensive for vendors to implement Vendors: 3Com, AlaxalA, Alcatel-Lucent, Allied Telesis, Brocade, D-Link, Extreme Networks, Enterasys, Force10 Networks, H3C, Hewlett-Packard, Hitachi, Juniper Networks, NEC and many others

12. SHARKFEST 10 | Stanford University | June 14–17, 2010 NetFlow NBAR NBAR stands for Network Based Application Recognition How many of you care if skype or pandora is on your network? Perhaps you dont mind it but, want to know how much there is. Well, NBAR helps us with deeper packet inspection that isnt available with traditional NetFlow.

13. SHARKFEST 10 | Stanford University | June 14–17, 2010

17. Router CPU Impact Typically, the impact on the routers CPU is negligible. However, NetFlow NBAR can clobber some routers.

18. SHARKFEST 10 | Stanford University | June 14–17, 2010 Egress or Ingress Most of us are exporting NetFlow v5 which only supports ingress NetFlow. This means that traffic coming in on an interface is monitored and exported in NetFlow datagrams. NetFlow v5NetFlow datagrams Most NetFlow vendors look at where an ingress flow is headed by looking at the destination interface. Using this information, we can determine outbound utilization on any given interface as long as AND THIS IS IMPORTANT, you enable NetFlow v5 on all interfaces of the switch or router.

19. SHARKFEST 10 | Stanford University | June 14–17, 2010 When to use Egress In WAN compression environments (e.g. Cisco WAAS, Riverbed, etc.), we need to see traffic after it was compressed. Using Ingress flows causes an over stated outbound utilization on the WAN interface. Egress flows are calculated after compression.Cisco WAAS In multicast environments, ingress multicast flows have a destination interface of 0 because the router doesnt know what interface they will go out until after it processes the datagrams. Exporting egress flows delivers the destination interface and as a result multiple flows are exported if the flow is headed for multiple interfaces. When exporting NetFlow on only one interface of the router or switch. Enabling both on a single interface means that all traffic in and out is exported in NetFlow datagrams.

20. SHARKFEST 10 | Stanford University | June 14–17, 2010 Demonstration Scrutinizer NetFlow & sFlow Analyzer

21. SHARKFEST 10 | Stanford University | June 14–17, 2010 NetFlow and Packet Analysis?

22. SHARKFEST 10 | Stanford University | June 14–17, 2010 Example 1: FTP Comparison Steps for the Lab I started WireShark I logged in and FTPd a file I logged out I stopped WireShark 6 Ingress Flows represent 2221 packets 6 Egress Flows represent 1123 packets

23. SHARKFEST 10 | Stanford University | June 14–17, 2010 Ingress Lets count packets and compare with Wireshark

24. SHARKFEST 10 | Stanford University | June 14–17, 2010 Displaying Ingress Total = 2221 packets

25. SHARKFEST 10 | Stanford University | June 14–17, 2010 Displaying Ingress

26. SHARKFEST 10 | Stanford University | June 14–17, 2010 Egress Lets count packets and compare with Wireshark

27. SHARKFEST 10 | Stanford University | June 14–17, 2010 Displaying Ingress Total = 1123 packets

28. SHARKFEST 10 | Stanford University | June 14–17, 2010 Displaying Egress

29. SHARKFEST 10 | Stanford University | June 14–17, 2010 Capture Details Lets compare NetFlow details to Packet details

30. SHARKFEST 10 | Stanford University | June 14–17, 2010

32. What about Flags?

33. SHARKFEST 10 | Stanford University | June 14–17, 2010 Example 2: www.llbean.com Steps for the Lab I started WireShark I surfed to www.llbean.com I went to another web site I stopped WireShark 2 Ingress Flows represents 11 packets going out from my PC 1 Ingress Flow represents 13 packets coming back from llbean.com

34. SHARKFEST 10 | Stanford University | June 14–17, 2010 11 packets From my PC (10.1.7.5) NATd by the firewall (66.186.184.62) 2 flows Cisco Router

35. SHARKFEST 10 | Stanford University | June 14–17, 2010 11 packets Enterasys Switch From my PC (10.1.7.5) On the Enterasys switch before the router.

36. SHARKFEST 10 | Stanford University | June 14–17, 2010 13 packets From www.llbean.com

37. SHARKFEST 10 | Stanford University | June 14–17, 2010 13 packets From www.llbean.com

38. SHARKFEST 10 | Stanford University | June 14–17, 2010 Example 3: VoIP Steps for the Lab I started WireShark I started iaxLite I made a call The other end picked up I hung up I closed iaxLite I stopped WireShark 1 Ingress Flow represents 1364 UDP packets 1 Egress Flow represents 1364 UDP packets

39. SHARKFEST 10 | Stanford University | June 14–17, 2010 1364 packets My Computer to the PBX

40. SHARKFEST 10 | Stanford University | June 14–17, 2010 1364 packets My Computer to the PBX

41. SHARKFEST 10 | Stanford University | June 14–17, 2010 1364 packets PBX to My Computer

42. SHARKFEST 10 | Stanford University | June 14–17, 2010 1364 packets PBX to My Computer

43. SHARKFEST 10 | Stanford University | June 14–17, 2010 Distributed Collectors

44. SHARKFEST 10 | Stanford University | June 14–17, 2010

45. Detecting Malware

46. SHARKFEST 10 | Stanford University | June 14–17, 2010 Network Behavior Analysis – Constantly monitor NetFlow and sFlow from selected routers and switches – Looks for traffic patterns defined in behavioral algorithms – Additional filters can be created to look for unique circumstances Demonstration

47. SHARKFEST 10 | Stanford University | June 14–17, 2010 Future of NetFlow Current Innovations

48. SHARKFEST 10 | Stanford University | June 14–17, 2010 Latency via NetFlow

49. SHARKFEST 10 | Stanford University | June 14–17, 2010 RTT and Server Latency These fields got cut.

50. SHARKFEST 10 | Stanford University | June 14–17, 2010 URL Information

51. SHARKFEST 10 | Stanford University | June 14–17, 2010 WAN Optimization Sizing

52. SHARKFEST 10 | Stanford University | June 14–17, 2010 Procflow from Gerald Combs

53. SHARKFEST 10 | Stanford University | June 14–17, 2010 What is next from NetFlow? Packet captures Sampling Flows IPv6 is here and we are reporting on it. Syslogs: Cisco ASA. We already provide reports on this.

54. SHARKFEST 10 | Stanford University | June 14–17, 2010 Summary Ingress Vs. Egress NetFlow Advanced Filtering to narrow in on problems How and When to leverage reports The differences between NetFlow and Packet Capture Where the technology is going