Manuel de l'administrateur Table des matières LinkedIn social network LinkedIn social network LinkedIn social network LinkedIn social network Share on social media

Netflow Collector


Introduction

The Netflow collector plug-in collecte the datagram send by Cisco routers or Netflow V5 compatible routers and store it in a SQL Database.

The Netflow collector plug-in is a LoriotPro service plug-in and should be launched from the Service tab. The Netflow collector uses ODBC to access the SQL database.

To work with Netflow collector, it is required to install the SQL database and the ODBC driver as described in chapter Using an external Database

Queries on this database can be performed from the LoriotPro WEB remote access interface (IE5) and data extracted with multiple options. The queires tool is described in chapter Working on Netflow Table.

To work with Netflow Query tool, it is required to install the PHP interpreter as described in chapter Adding PHP support to LoriotPro WEB Server

A network flow is defined as a unidirectional sequence of packets between given source and destination endpoints. Network flows are highly granular; flow endpoints are identified both by IP address as well as by transport layer application port numbers. NetFlow also utilizes the IP Protocol type, Type of Service (ToS) and the input interface identifier to uniquely identify flows.

NetFlow enables several key customer applications:

Accounting/Billing
NetFlow data provides fine-grained metering for highly flexible and detailed resource utilization accounting.

Network Planning and Analysis
NetFlow data provides key information to optimize both strategic network planning as well as tactical network engineering decisions minimizing the total cost of network operations while maximizing network performance, capacity and reliability.

Network Monitoring
NetFlow data enables extensive near real time network monitoring capabilities. Flow-based analysis techniques may be utilized to visualize traffic patterns associated with individual routers and switches as well as on a network-wide basis to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution.

Application Monitoring and Profiling
NetFlow data enables network managers to gain a detailed, time-based, view of application usage over the network.

User Monitoring and Profiling
NetFlow data enables network managers to gain detailed understanding of customer/user utilization of network and application resources.

NetFlow Data Warehousing and Mining
NetFlow data can be warehoused for later retrieval and analysis in support of proactive marketing and customer service programs.


Netflow datagram

The NetFlow Export datagram consists of a header and a sequence of flow records.

LoriotPro Netflow Collector is designed for Netflow version 5.

Netflow V5 is available with IOS 12 and 12T on the following Cisco Devices

12.0 Cisco 2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM
12.0T Cisco 1000*,1600*,1720**, 2500*,2600, 3600, 4500, 4700, AS5800, 7200, uBR7200, 7500, RSP7000, RSM, MGX8800 RPM

The NetFlow Export Version 5 Header Format is :

version Current version = 5
count The number of records in PDU
SysUptime Current time in msecs since router boote
unix_secs Current seconds since 0000 UTC 1970
unix_nsecs Residual nanoseconds since 0000 UTC 1970
flow_sequence Sequence number of total flows seen
engine_type Type of flow switching engine (RP,VIP,etc.)
engine_id Slot number of the flow switching engine

A flow record contains the following data

source IP address  
destination IP address  
source TCP/UDP application port  
destination TCP/UDP application port  
next hop router IP address  
input physical interface index  
output physical interface index  
packet count for this flow  
byte count for this flow  
start of flow timestamp  
end of flow timestamp  
IP Protocol (for example, TCP=6; UDP=17)  
Type of Service (ToS) byte  
TCP Flags (cumulative OR of TCP flags)  
source AS number  
destination AS number  
source subnet mask  
destination subnet mask  
flags (indicates, among other things, which flows are invalid)  
shortcut router IP address3  


Configuring a Cisco Router to Send NetFlow Data to LoriotPro

Enter global configuration mode on the IOS device, and issue the following commands for each interface on which you want to enable NetFlow:

interface <interface> <interface number>
ip route-cache flow
bandwidth <kbps>
exit

For each router you want to configure to send NetFlow data to the LoriotPro NetFlow Collector, you must enter the following Cisco IOS command at the config level. Use the IP address of LoriotPro on which NetFlow Colletor is running and the configured NetFlow listener port. The default port is 9996.

ip flow-export ip-address udp-port

You can set the NetFlow export version to version 5. NetFlow Collector supports only version 5.

ip flow-export version 5

Optionnaly you can sets the source IP address of the NetFlow exports sent by the device to the specified IP address.

ip flow-export source <interface> <interface number>

Example of configuration:

!
!
interface FastEthernet0/0
ip address 12.1.1.254 255.255.0.0
ip route-cache flow
speed auto
half-duplex
!
!
ip default-gateway 12.1.1.253
ip flow-export version 5
ip flow-export destination 12.1.1.2 9996

no ip classless
ip http server
ip pim bidir-enable
!
!




Starting Netflow Collector Plug-in on LoriotPro

To start the Neflow collector Plug-in you should access the Service tab of the workspace and click the the right mouse button to open the contextual menu. The select Netflow collector.

Select the NetflowCollector Service.

The parameters setting windows is displayed

The UPD listening port should be left at 9996 according to what Cisco define also by default

The URL should be set to link the Netflow Query tool page. You may have to change the IP address of the LoriotPro WEB server if necessary. Check the setting of the LoriotPro WEB server.

When done click the OK button, the Netflow Collector Plu-in start.

The Netflow Socket Started at UDP Port 9996 is displayed.

Soon you should see incomming packet information in the status bar of the Plug-in

You can also use the Dump Packet and Display Fields records to have a verbose mode.

The Display fileds records show each flow information received with the Source IP address and Port, the Destinatipn IP address and port.

On this screen shot we see a WEB acces from 12.1.1.2 to 12.1.1.254 that last 5725 ms.


Analyze Collected Netflow data

When the Database is filled with collected data, it is time to analyze what we have. The Query tool helps you to perform queries on the Database and extract data on various criteria.

A click on the Analyze button display the Query tool. The Query tool is also available from the WEB remote console of LoriotPro under the Database button.

To work with Netflow Query tool, it is required to install the PHP interpreter as described in chapter Adding PHP support to LoriotPro WEB Server

The Query Tool and it utilization is describe in the Chapter Working on Netflow Table

 


www.loriotpro.com