What is netflow and when do you use it?

What is netflow?

Intro

Netflow is a feature that was introduced on Cisco routers and that provides the ability to collect IP network traffic as it enters or exits an interface. Netflow data allows you to have an overview of traffic flows, based on the network source and destination. Because of this it lets you understand who is using the network, the destination of your traffic, when the network is utilized and the type of applications that consume the most bandwidth.

Netflow is not limited to Cisco. You can get it for most network devices and also generate it from a Linux or BSD host.

This post describes what is netflow and when do you use it. It also covers how to configure it on network and Linux devices. In a follow-up post I will describe how to use netflow with nfdump and nfsen.

What is an IP flow?

An IP flow is a sequence of network packets. An IP flow most often contains these elements

  • IP source address
  • IP destination address
  • Source port
  • Destination port

Additionally it can also contain things such as the TCP flags (to examine TCP handshakes) or the next-hop.

Netflow sampling

The default netflow implementation was a representation of every IP packet detected (a ‘1 to 1’ relation). Especially in high-traffic environments (for example hosting companies or ISPs) this can become to resource intense, both for storage and processing power. That is when sampled netflow was designed.

Sampled netflow is where every one packet out of n packets is processed. The sampling rate is “n”. The sampling method can be different. Some implementations select every n packet, others select one random packet in an interval of n packets and some implementations even use other selection methods.

How much space do you need for netflow data?

The amount of disk space needed for storing netflow data is dependant on the netflow version used, the sampling rate and obviously the amount of netflow records that are exported.

Lancope has a bandwidth calculator that gives you an estimate of how many bits per seconds are exported. As an estimate, a network with 40 routers exporting netflow data on a 40Gbps network sampled at 1 on 100 packets uses about 3 TB for 3 months of netflow data.

Use cases for netflow

Verify network IOCs

Sometimes the APT reports contain the addresses of C2 servers. If you want to check if someone on your network is affected and ever connected (or is connecting) to these C2s then you can use netflow to query the current and the past network connections.

ISP setup and visibility

If you run an ISP you can not just capture every packet that enters or leaves your network. It would be practically very difficult, costly and most important you’d be breaking a number of privacy laws. Using sampled netflow is then a very good alternative for both preserving the privacy of your customers and still being able to have a good view on what is happening on your network.

Timeline construction during incident response

If you suffer from an incident and your devices did not log all the request then netflow data allows you to reconstruct when exactly that the different network events took place. It’s also a great tool to get more easily to the root cause of an incident.

Attack fingerprinting

Netflow data can help you with fingerprinting the type of network attack that is targeting you. Netflow data can learn you what the source and destination addresses and ports are. This type of fingerprinting can be especially useful during a DDoS attack, both in detecting the volume but also the sources that participate in the attack (if they are not spoofed) and the different network ports and protocols that are being attack.

Different versions of netflow

Netflow is available in different versions, the most popular versions being v5 and v9. The major difference between the two versions is that netflow v5 is fixed whereas v9 is dynamic. The information in netflow version 5 cannot be extended (neither by Cisco or a third-party).

  • netflow version 5 :
    • suited for IPv4
  • netflow version 9 :
    • suited for IPv6
    • works with templates (need to be sent periodically)
    • MPLS

Where do you configure netflow?

Network devices

When it concerns network devices then netflow is most often configured on a central location. In essence the location where you configure netflow has to “see” all the network traffic that you’re interested in. Depending on your network architecture this configuration can be done on core routers or on your remote routers.

Cisco netflow configuration

(Example from the nfdump README) The source-address of the router that is exporting the data is 192.168.200.5 and it is exporting netflow version 5 to a collector at 192.168.1.233 on port udp/9003.

ip address 192.168.200.5 255.255.255.224
  interface fastethernet 0/0
  ip route-cache flow
ip flow-export 192.168.1.233 9003
ip flow-export version 5
ip flow-cache timeout active 5

Juniper netflow configuration

The configuration below is suited for Juniper JunOS. The source-address of the router that is exporting the data is 192.168.200.5 and it is exporting netflow version 9 with a sample rate of 1/100 to a collector at 192.168.1.233 on port udp/9003.

sampling {
    input {
        rate 100;
        run-length 0;
        max-packets-per-second 65535;
    }
    family inet {
        output {
            flow-server 192.168.1.233 {
                port 9003;
                autonomous-system-type origin;
                source-address 192.168.200.5;
                version9 {
                    template {
                        ip;
                    }
                }
            }
            interface sp-2/1/0 {
                source-address 192.168.200.5;
            }
        }
    }
} 

Linux netflow configuration

The Linux kernel has no default support for netflow but you can use the userland tools to generate netflow data. One of the most common solutions for generating netflow from Linux devices is pmacct. This project is primarily built for IP accounting but you can also use it for generating netflow data.

apt-get install pmacct

The configuration file can be found in /etc/pmacct/nfacctd.conf. You have to change these settings

!pcap_filter: net 127.0.0.0/8
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
interface: eth0
plugins: nfprobe
nfprobe_receiver: 127.0.0.1:9001
nfprobe_version: 5

This is what is changed in the configuration file :

  • !pcap_filter : Do not filter (it’s been put in comments);
  • aggregate : The field list that you’d like to export;
  • interface : The interface from which you want to grab the network information;
  • plugins : What plugins to enable;
  • nfprobe_receiver : The receiver of the netflow data (the netflow collector);
  • nfprobe_version : The netflow version.

It is important that you define the capture interface, the netflow version and the address and port of the netflow collector.

I was unable to start the netflow generation via the start-up scripts provided with pmacct. Starting it manually worked out fine though

sudo pmacctd -f /etc/pmacct/nfacctd.conf

You can check if the exporting is properly configured (and running) in syslog

Nov 10 14:47:19 ubuntu pmacctd[919]: INFO ( default/nfprobe ): Exporting flows to [127.0.0.1]:9001

Conclusion

This post is a description of what netflow is, where and how to configure it and when you would be using it.

In a follow-up post I will describe how you can use netflow with nfdump and nfsen to get the most out of your netflow data.

Leave a Reply

Your email address will not be published. Required fields are marked *