Netflow Monitoring ( Cisco, Mikrotik + NFCAPD )


Scenario:

Sometimes we want to see the details of the traffic flowing through our infrastructure. This manual shows how to capture IP flow details with nfdump installed on CentOS 6, using a Mikrotik router and a Cisco device as the NetFlow exporters.
NetFlow server IP : 192.168.0.10
Port Mikrotik     : 9996
Port Cisco        : 9997

1. Setting NetFlow on Mikrotik pointing to the NetFlow collector server
====================================================
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=yes \
    inactive-flow-timeout=15s interfaces=ether2
/ip traffic-flow target
add address=192.168.0.10:9996 disabled=no v9-template-refresh=20 \
    v9-template-timeout=30m version=5
====================================================

2. Setting NetFlow on Cisco pointing to the NetFlow collector server
(The ip flow-export and ip flow lines apply to any IOS router; the mls lines are only needed on Catalyst 6500-class switches, where NetFlow Data Export is done by the MLS hardware.)
====================================================
ip flow-export version 9 origin-as
ip flow-export destination 192.168.0.10 9997
interface fastethernet 0/0
ip route-cache flow
ip flow ingress
ip flow egress
mls ip multicast flow-stat-timer 9
mls flow ip interface-full
no mls flow ipv6
mls nde sender
====================================================
3. Install NFDump dependencies on CentOS
====================================================
yum install rrdtool rrdtool-devel rrdtool-doc perl-rrdtool
====================================================
4. Download and install NFDump
====================================================
Nfdump can be downloaded from http://sourceforge.net/projects/nfdump/ (the "latest" link may fetch a newer release than 1.6.5; adjust the file name below to the version you downloaded).

#wget -c http://sourceforge.net/projects/nfdump/files/latest/download
#tar zxvf nfdump-1.6.5.tar.gz
#cd nfdump-1.6.5
#./configure \
  --prefix=/usr \
  --sysconfdir=/etc \
  --mandir=/usr/share/man \
  --enable-nfprofile \
  --enable-nftrack
#make && make install
====================================================
5. Running NFDump
====================================================
#mkdir -p /netflow/mikrotik /netflow/cisco
#nfcapd -D -l /netflow/mikrotik/ -p 9996
#nfcapd -D -l /netflow/cisco/ -p 9997
====================================================
-D runs nfcapd as a daemon, so no trailing & is needed. The -x option of nfcapd expects a command to execute after each file rotation (the original "-x -D" would have passed "-D" as that command), so it is left out here. The -l directories must exist before nfcapd starts. nfcapd listens on UDP, so the host firewall must accept UDP 9996 and 9997, ideally only from the exporter addresses.
6. Generate Report
====================================================
Summary report: top 10 by flow record, source IP, IP address and destination port
(-r reads the file nfcapd is currently writing, nfcapd.current.<pid>; -n 10 limits each statistic to 10 entries; -o extended adds the pps/bps/Bpp columns; each -s key/order adds one table, ordered by flows when no order is given.)
----------------------------------------------------------------------------------------------------------------
#nfdump -r nfcapd.current.1301 -n 10 -o extended -s srcip -s ip/flows -s dstport/pps/packets/bytes -s record/bytes
----------------------------------------------------------------------------------------------------------------
Top 10 flows ordered by bytes:
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2013-10-17 08:06:40.119   866.880 TCP     192.168.49.132:80    ->   101.255.62.134:3022  ......   0   182617  271.9 M      210    2.5 M   1489     1
2013-10-17 07:54:26.387  1674.560 TCP     192.168.49.132:80    ->    118.96.104.47:2318  ......   0   176592  259.4 M      105    1.2 M   1469     1
2013-10-17 08:01:07.395  1282.560 TCP     192.168.49.132:80    ->     180.242.45.6:15588 ......   0   135366  193.9 M      105    1.2 M   1432     1
2013-10-17 08:10:53.535   815.936 TCP     192.168.49.132:80    ->   180.246.108.92:10874 ......   0    89836  133.0 M      110    1.3 M   1480     1
2013-10-17 07:54:18.665  1921.280 TCP     192.168.49.120:80    ->  180.248.210.119:23294 ......   0    89375  128.4 M       46   534815   1437     1
2013-10-17 08:19:03.051   162.112 TCP     192.168.49.132:80    ->    139.193.144.5:5998  ......   0    83969  125.3 M      517    6.2 M   1492     1
2013-10-17 07:58:15.491  1924.352 TCP     192.168.49.132:80    ->   125.164.93.242:12566 ......   0    51070   73.4 M       26   305210   1437     1
2013-10-17 08:02:55.652  1492.672 TCP     192.168.49.121:80    ->  180.246.161.228:16500 ......   0    83798   48.3 M       56   258927    576     1
2013-10-17 08:01:07.665  1739.136 TCP       192.168.51.2:7777  ->   118.137.97.232:61595 ......   0    38876   44.3 M       22   203663   1138     1
2013-10-17 08:05:33.038  1157.248 TCP     192.168.49.133:80    ->    36.81.158.180:23226 ......   0    30324   40.6 M       26   280622   1338     1

Top 10 Src IP Addr ordered by flows:
Date first seen          Duration Proto       Src IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 07:56:45.863  2021.992 any       192.168.52.13    19438(13.9)   147337( 1.7)  118.2 M( 3.0)       72   467581   802
2013-10-17 08:18:03.722   744.139 any       192.168.52.10     8506( 6.1)   140837( 1.7)  161.6 M( 4.1)      189    1.7 M  1147
2013-10-17 07:57:01.280  2006.516 any      192.168.48.132     6501( 4.7)    39844( 0.5)    8.1 M( 0.2)       19    32112   202
2013-10-17 07:54:26.387  2159.808 any      192.168.49.132     5785( 4.1)   802296( 9.4)    1.2 G(29.5)      371    4.3 M  1446
2013-10-17 08:20:59.769   568.028 any       64.133.140.66     4632( 3.3)    29387( 0.3)    1.4 M( 0.0)       51    20155    48
2013-10-17 08:11:00.915  1163.292 any       192.168.50.28     4550( 3.3)    25885( 0.3)    3.7 M( 0.1)       22    25764   144
2013-10-17 08:19:25.549   645.495 any        192.168.50.5     3722( 2.7)     3723( 0.0)   266341( 0.0)        5     3300    71
2013-10-17 07:56:23.087  2043.813 any       192.168.52.14     3324( 2.4)    70357( 0.8)   81.9 M( 2.1)       34   320397  1163
2013-10-17 08:16:38.144   829.713 any        192.168.52.5     3041( 2.2)    34013( 0.4)   31.8 M( 0.8)       40   306263   933
2013-10-17 07:54:14.441  2173.225 any       192.168.50.39     2156( 1.5)    27187( 0.3)    3.4 M( 0.1)       12    12336   123

Top 10 IP Addr ordered by flows:
Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 07:56:45.859  2021.996 any       192.168.52.13    39782(28.5)   278782( 3.3)  132.3 M( 3.4)      137   523635   474
2013-10-17 08:18:03.722   744.139 any       192.168.52.10    16406(11.7)   239669( 2.8)  172.4 M( 4.4)      322    1.9 M   719
2013-10-17 07:55:50.894  2076.903 any      192.168.48.132    15120(10.8)    78916( 0.9)   10.5 M( 0.3)       37    40617   133
2013-10-17 07:54:26.387  2161.468 any      192.168.49.132    11522( 8.2)   926670(10.9)    1.2 G(29.7)      428    4.3 M  1259
2013-10-17 08:20:59.769   568.028 any       64.133.140.66     8650( 6.2)    62421( 0.7)    3.1 M( 0.1)      109    44307    50
2013-10-17 08:16:38.144   829.713 any        192.168.52.5     8494( 6.1)    66209( 0.8)   34.6 M( 0.9)       79   333947   523
2013-10-17 07:56:23.087  2043.878 any       192.168.52.14     6462( 4.6)   121350( 1.4)   87.5 M( 2.2)       59   342603   721
2013-10-17 08:10:18.827  1208.392 any       192.168.50.28     5863( 4.2)    47235( 0.6)   22.9 M( 0.6)       39   151360   484
2013-10-17 07:54:14.441  2173.225 any       192.168.50.39     4272( 3.1)    53276( 0.6)   24.9 M( 0.6)       24    91501   466
2013-10-17 08:19:25.549   645.495 any        192.168.50.5     3730( 2.7)     3732( 0.0)   266791( 0.0)        5     3306    71

Top 10 Dst Port ordered by packets:
Date first seen          Duration Proto          Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 07:54:16.485  2171.370 any                  80    42034(30.1)    1.6 M(18.2)   98.7 M( 2.5)      715   363487    63
2013-10-17 07:53:59.866  2187.867 any               18901     1128( 0.8)    1.0 M(11.8)   61.4 M( 1.6)      458   224625    61
2013-10-17 07:54:28.988  2147.242 any                2567        4( 0.0)   213468( 2.5)   11.1 M( 0.3)       99    41364    52
2013-10-17 08:06:40.119  1413.377 any                3022        4( 0.0)   182641( 2.1)  272.0 M( 6.9)      129    1.5 M  1489
2013-10-17 07:54:26.387  2122.168 any                2318        6( 0.0)   176621( 2.1)  259.4 M( 6.6)       83   978025  1468
2013-10-17 07:54:02.649  2185.083 any                7777       18( 0.0)   161415( 1.9)    7.9 M( 0.2)       73    28781    48
2013-10-17 07:54:44.174  2131.865 any               10376       18( 0.0)   153380( 1.8)    9.5 M( 0.2)       71    35537    61
2013-10-17 08:01:07.395  1534.448 any               15588        4( 0.0)   135390( 1.6)  193.9 M( 4.9)       88    1.0 M  1432
2013-10-17 08:10:53.535   827.252 any               10874        3( 0.0)    89845( 1.1)  133.0 M( 3.4)      108    1.3 M  1480
2013-10-17 07:54:18.665  1921.280 any               23294        1( 0.0)    89375( 1.0)  128.4 M( 3.3)       46   534815  1437

Top 10 Dst Port ordered by bytes:
Date first seen          Duration Proto          Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 08:06:40.119  1413.377 any                3022        4( 0.0)   182641( 2.1)  272.0 M( 6.9)      129    1.5 M  1489
2013-10-17 07:54:26.387  2122.168 any                2318        6( 0.0)   176621( 2.1)  259.4 M( 6.6)       83   978025  1468
2013-10-17 08:01:07.395  1534.448 any               15588        4( 0.0)   135390( 1.6)  193.9 M( 4.9)       88    1.0 M  1432
2013-10-17 08:10:53.535   827.252 any               10874        3( 0.0)    89845( 1.1)  133.0 M( 3.4)      108    1.3 M  1480
2013-10-17 07:54:18.665  1921.280 any               23294        1( 0.0)    89375( 1.0)  128.4 M( 3.3)       46   534815  1437
2013-10-17 08:19:03.051   162.112 any                5998        1( 0.0)    83969( 1.0)  125.3 M( 3.2)      517    6.2 M  1492
2013-10-17 07:54:16.485  2171.370 any                  80    42034(30.1)    1.6 M(18.2)   98.7 M( 2.5)      715   363487    63
2013-10-17 07:58:15.491  1924.352 any               12566        5( 0.0)    51102( 0.6)   73.4 M( 1.9)       26   305249  1436
2013-10-17 07:53:59.866  2187.867 any               18901     1128( 0.8)    1.0 M(11.8)   61.4 M( 1.6)      458   224625    61
2013-10-17 08:02:55.652  1492.672 any               16500        2( 0.0)    83804( 1.0)   48.3 M( 1.2)       56   258929   576

Top 10 Dst Port ordered by pps:
Date first seen          Duration Proto          Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 08:21:41.305     0.002 any               35983        2( 0.0)      121( 0.0)     5566( 0.0)    60500   22.3 M    46
2013-10-17 08:21:53.336     0.002 any               27156        2( 0.0)      121( 0.0)     5566( 0.0)    60500   22.3 M    46
2013-10-17 08:22:48.819     0.003 any               35050        2( 0.0)      121( 0.0)     5566( 0.0)    40333   14.8 M    46
2013-10-17 08:22:24.438     0.003 any               38174        2( 0.0)      121( 0.0)     5566( 0.0)    40333   14.8 M    46
2013-10-17 08:22:45.428     0.003 any               45359        2( 0.0)      121( 0.0)     5566( 0.0)    40333   14.8 M    46
2013-10-17 08:26:39.854     0.004 any               36314        2( 0.0)      121( 0.0)     5566( 0.0)    30250   11.1 M    46
2013-10-17 08:22:04.214     0.004 any               16577        2( 0.0)      121( 0.0)     5566( 0.0)    30250   11.1 M    46
2013-10-17 08:22:48.691     0.004 any               21248        2( 0.0)      121( 0.0)     5566( 0.0)    30250   11.1 M    46
2013-10-17 08:24:20.268     0.005 any               57081        2( 0.0)      121( 0.0)     5566( 0.0)    24200    8.9 M    46
2013-10-17 08:22:00.174     0.013 any               41125        2( 0.0)      121( 0.0)     5566( 0.0)     9307    3.4 M    46

Summary: total flows: 139806, total bytes: 3.9 G, total packets: 8.5 M, avg bps: 14.4 M, avg pps: 3888, avg bpp: 462
Time window: <unknown>
Total flows processed: 139806, Blocks skipped: 0, Bytes read: 8388564
Sys: 0.137s flows/second: 1013248.5  Wall: 0.140s flows/second: 995989.1 
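As an added example (not part of the original post), a small Python parser for the "Top N ... ordered by ..." tables that nfdump prints with -s, fed with rows copied from the destination-port table above. It converts nfdump's M/G abbreviations back to integers (assumed to be decimal multiples, which agrees with packets * Bpp in the report) and flags ports where only a few flows carried a large volume. The same columns appear in the source IP and IP address tables, so it parses those too.

```python
"""Parse the 'Top N ... ordered by ...' tables that nfdump -s prints."""
import re
from collections import namedtuple

# Five rows taken from the "Top 10 Dst Port ordered by bytes" table above.
SAMPLE = """\
Date first seen          Duration Proto          Dst Port    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
2013-10-17 08:06:40.119  1413.377 any                3022        4( 0.0)   182641( 2.1)  272.0 M( 6.9)      129    1.5 M  1489
2013-10-17 07:54:18.665  1921.280 any               23294        1( 0.0)    89375( 1.0)  128.4 M( 3.3)       46   534815  1437
2013-10-17 07:54:16.485  2171.370 any                  80    42034(30.1)    1.6 M(18.2)   98.7 M( 2.5)      715   363487    63
2013-10-17 07:53:59.866  2187.867 any               18901     1128( 0.8)    1.0 M(11.8)   61.4 M( 1.6)      458   224625    61
2013-10-17 08:02:55.652  1492.672 any               16500        2( 0.0)    83804( 1.0)   48.3 M( 1.2)       56   258929   576
"""

# nfdump abbreviates large counters with a decimal suffix ("271.9 M" is about
# 271,900,000): an assumption, but it agrees with packets * bpp in the report.
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9, "T": 1e12}
NUM = r"(\d+(?:\.\d+)?)(?:\s*([KMGT]))?"   # a counter with optional suffix
PCT = r"\(\s*([\d.]+)\)"                    # the "(30.1)" share column
STAT_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+"
    + NUM + PCT + r"\s+" + NUM + PCT + r"\s+" + NUM + PCT
    + r"\s+" + NUM + r"\s+" + NUM + r"\s+" + NUM + r"\s*$")

StatRecord = namedtuple(
    "StatRecord", "first_seen duration proto key flows packets bytes pps bps bpp")

def to_int(value, suffix):
    """'1.6', 'M' -> 1600000; '42034', None -> 42034."""
    return int(round(float(value) * SCALE[suffix or ""]))

def parse_stat_table(text):
    """One StatRecord per data line. The header, plain flow-record lines and
    the trailing 'Summary:' block do not match STAT_LINE and are skipped, so
    the whole nfdump report can be fed in unchanged."""
    records = []
    for line in text.splitlines():
        m = STAT_LINE.match(line.strip())
        if not m:
            continue
        g = m.groups()
        records.append(StatRecord(
            g[0], float(g[1]), g[2], g[3],
            to_int(g[4], g[5]), to_int(g[7], g[8]), to_int(g[10], g[11]),
            to_int(g[13], g[14]), to_int(g[15], g[16]), to_int(g[17], g[18])))
    return records

def bulk_transfers(records, min_bytes=100_000_000, max_flows=10):
    """Keys where only a few flows moved a large volume (port 3022 above:
    4 flows, 272 MB); the 'ordered by bytes' rows a defender reviews first."""
    return [r.key for r in records if r.bytes >= min_bytes and r.flows <= max_flows]

if __name__ == "__main__":
    print("few flows, many bytes:", bulk_transfers(parse_stat_table(SAMPLE)))
```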

Summary report filtered on TCP traffic to port 80 (first 20 records)
----------------------------------------------------------------------------------------------------------------
#nfdump -r nfcapd.current.1301 'proto tcp and ( src port > 2048 and dst port 80 )' -c 20
----------------------------------------------------------------------------------------------------------------
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2013-10-17 08:35:58.564     0.000 TCP     10.190.174.209:49828 ->    192.168.52.10:80           1       40     1
2013-10-17 08:35:45.788     0.000 TCP    180.241.248.242:37768 ->   192.168.49.202:80           1       60     1
2013-10-17 08:35:36.844     9.124 TCP      180.247.57.22:14509 ->   192.168.49.202:80           3      144     1
2013-10-17 08:35:36.880     9.004 TCP    180.248.137.194:10413 ->   192.168.49.202:80           3      152     1
2013-10-17 08:30:57.429     0.000 TCP       202.67.40.19:15704 ->   192.168.49.121:80           1       52     1
2013-10-17 08:30:57.558     0.000 TCP       202.67.40.19:15707 ->   192.168.49.121:80           2      104     1
2013-10-17 08:30:57.558     0.000 TCP       202.67.40.19:15709 ->   192.168.49.121:80           2      104     1
2013-10-17 08:30:57.558     0.000 TCP       202.67.40.19:15710 ->   192.168.49.121:80           2      104     1
2013-10-17 08:31:00.292     0.000 TCP      182.253.72.39:3104  ->    192.168.52.10:80           1       46     1
2013-10-17 08:30:58.500     0.000 TCP       114.79.19.29:40960 ->     192.168.52.5:80           1       46     1
2013-10-17 08:31:01.892     0.000 TCP       114.79.17.69:14701 ->    192.168.52.12:80           1       46     1
2013-10-17 08:31:00.294     0.000 TCP      182.253.72.39:3106  ->    192.168.52.10:80           1       46     1
2013-10-17 08:31:00.294     0.000 TCP      182.253.72.39:3108  ->    192.168.52.10:80           1       46     1
2013-10-17 08:30:58.757     0.000 TCP     180.242.44.137:17856 ->    192.168.52.13:80           1       46     1
2013-10-17 08:30:58.565     0.000 TCP     180.242.44.137:17853 ->    192.168.52.13:80           1       46     1
2013-10-17 08:31:00.549     0.000 TCP      180.253.226.7:12007 ->    192.168.52.14:80           1       52     1
2013-10-17 08:30:52.933     5.504 TCP     202.152.201.13:61142 ->    192.168.52.13:80           5     1771     1
2013-10-17 08:31:01.189     0.000 TCP      180.248.190.1:25468 ->    192.168.52.14:80           1       48     1
2013-10-17 08:31:00.997     0.000 TCP      180.254.2.120:49223 ->    192.168.52.13:80           2       92     1
2013-10-17 08:30:57.796     0.512 TCP     180.242.49.166:32971 ->    192.168.52.14:80           2      671     1
Summary: total flows: 20, total bytes: 3716, total packets: 33, avg bps: 97, avg pps: 0, avg bpp: 112
Time window: <unknown>
Total flows processed: 17474, Blocks skipped: 0, Bytes read: 1048560
Sys: 0.001s flows/second: 8741370.7  Wall: 0.003s flows/second: 5582747.6


Summary report with a start time filter (-t), aggregated (-A) by output interface, input interface, source IP, destination IP and destination port
---------------------------------------------------------------------------------------------------------------
#nfdump -r nfcapd.current.1301 -t 2013/10/17.08:40:00 -A outif,inif,srcip,dstip,dstport -c 10 -n 10 -s record/bytes
---------------------------------------------------------------------------------------------------------------

Top 10 flows ordered by bytes:
Date first seen          Duration  Output  Input      Src IP Addr      Dst IP Addr Dst Pt   Packets    Bytes      bps    Bpp Flows
2013-10-17 08:45:30.744    34.958      69     68    192.168.50.28    119.110.77.11     80    117395    5.5 M    1.2 M     46     4
2013-10-17 08:46:05.253     0.448      68     69    119.110.77.11    192.168.50.28   1353      1878    2.8 M   50.2 M   1496     1
2013-10-17 08:40:11.675    64.384      53     68   192.168.49.133   180.252.43.105  61315      1724    2.6 M   320622   1496     1
2013-10-17 08:45:43.748    26.816      53     68   192.168.49.121    118.96.40.120  10702      1686    2.4 M   720542   1432     1
2013-10-17 08:40:43.948   328.192      69     48     192.168.51.2    110.5.101.181  50996      2867    2.4 M    58679    839     1
2013-10-17 08:40:37.578    26.240      69     68   192.168.49.132     122.144.4.28   1851      1167    1.7 M   521600   1466     1
2013-10-17 08:44:20.842   104.384      53     68   192.168.49.121  180.253.230.201  12799      1031    1.5 M   113197   1432     1
2013-10-17 08:40:49.884    24.576      53     68    192.168.52.13  180.245.245.240  22860       624   787554   256365   1262     1
2013-10-17 08:40:05.979    75.648      69     68    192.168.52.12    117.74.120.34   1803       577   754249    79764   1307     1
2013-10-17 08:40:45.785    22.656      53     68    192.168.52.14   110.137.126.20   3049       498   730891   258082   1467     1
Summary: total flows: 16877, total bytes: 99.4 M, total packets: 324136, avg bps: 2.0 M, avg pps: 828, avg bpp: 306
Time window: <unknown>
Total flows processed: 17474, Blocks skipped: 0, Bytes read: 1048560
Sys: 0.014s flows/second: 1165166.4  Wall: 0.014s flows/second: 1195212.0
====================================================

Berbagi Itu Indah: Netflow Monitoring ( Cisco, Mikrotik + NFCAPD )
https://wahyubud.blogspot.com/2013/10/netflow-monitoring-cisco-mikrotik-nfcapd.html