Netflow Appliance



It analyzes network traffic using netflow data and reports on bandwidth usage by top applications, conversations and hosts.


Features

Collegiate:
No

One-line Description:
It analyzes network traffic using netflow data and reports on bandwidth usage by top applications, conversations and hosts.

Filename:
netflowappliance.zip

Size Compressed:
226

Allocated Memory:
256

Username:
root

Password:
Password1

VMware Tools Installed?:
Yes

Operating System:
Mandriva Linux 2006

Applications:
Mandriva Linux 2006
Apache 2.0.54
RRDTool 1.2.13
flow-tools 0.66 (plus patches for gcc4)
Perl Modules -
HTML::Table 2.04
Net::Patricia 1.014
Boulder::Stream 1.07
Config-Reader 0.5
cFlow 1.051
Korn Shell 5.2.14
FlowScan 1.006
CUflow 1.7
JKFlow 3.5.2
Support Files of Robert Galloway 1.1
Bison 2.0
Flex 2.5.4a
perl-devel 5.8.7

Description:
Please describe the following in terms that a typical technical end-user would understand:
1. Netflow Appliance analyses NetFlow data from routers to efficiently provide a key set of services for IP applications: network traffic accounting, usage-based network billing, network planning, security, Denial of Service monitoring, and network monitoring. It provides valuable information about network users and applications, peak usage times, and traffic routing, and it enables network administrators to answer the who, what, when, where and how of bandwidth usage.
2. The base operating system, Mandriva Linux 2006, was installed with only the required components selected, so that size is minimized and security is improved. The netflow components were then compiled and installed, and a firewall was configured for protection.
3. Download netflowappliance.zip and unzip it to a folder. Start VMware Player/Workstation/Server, open the VMware configuration file (mandrake.vmx) and start the appliance.
Default configuration -
Default Network Settings -
1. IP address - 10.3.1.56
2. Subnet Mask - 255.255.255.0
3. Default Gateway - 10.3.1.1
4. DNS - 10.3.1.3 and 10.3.1.4
The default Netflow report module is CUFlow.
Wait while the machine boots. At the logon prompt, log on as root with Password1 as the password.
To change Network Configuration
Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change IPADDR and NETMASK to the IP address and subnet mask you want to use. The default is below -
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.3.1.56
NETMASK=255.255.255.0
NETWORK=10.3.1.0
BROADCAST=10.3.1.255
ONBOOT=yes
Edit /etc/sysconfig/network and change the GATEWAY parameter to match the gateway of the network. The default is -
HOSTNAME=netflowap
NETWORKING=yes
GATEWAY=10.3.1.1
Edit /etc/resolv.conf and change to your DNS servers. Default is -
nameserver 10.3.1.3
nameserver 10.3.1.4
Restart the network service so that the changes take effect by running "service network restart".
Also restart Apache by running "service httpd restart". To confirm that the network changes are accepted, open the home page on the web server at http://ip-address-of-appliance/ and you should see "It works" displayed. You can also use a ping test from another host on the network to confirm the new IP address.
Next, the report module must be configured. By default, CUFlow is selected. To configure it, edit /var/netflow/bin/CUFlow.cf.
CUFlow Configuration
First, you need to configure your “Subnet” statements. These are used to determine what is local and what isn’t. Use a separate line for each block. The syntax is “Subnet x.x.x.x/y label”, where x.x.x.x/y represents your network block in CIDR format.
Example:
Subnet 10.3.0.0/16
Second, you need to list any network groups that you want separate usage reports for. These are OPTIONAL settings.
These groups only record the amount of traffic, not the detailed protocol and service breakdowns.
You can specify as many network blocks as needed, separated by commas, e.g. -
Network 10.3.2.0/24 London
Network 10.3.3.0/24 Tokyo
Network 10.3.4.0/24 Abuja
Network 10.3.5.0/24 Boston
Network 10.3.6.0/24 Beijing
Lastly, update the services and protocols list.
For more information on configuring CUFlow, see http://www.columbia.edu/acis/networks/advanced/CUFlow/CUFlow.html
An alternative report module is JKFlow, which provides enterprise-level features.
See the comparison of CUFlow and JKFlow below -
1:
-CUFlow can only split flows on the basis of router exporters.
-JKFlow can also split the flows on the basis of subnets.
2:
-CUFlow monitors protocols and services globally defined on every router.
-JKFlow makes it possible to monitor a different set of protocols and services on every router, on every subnet, and globally.
3:
-CUFlow can only monitor subnets or networks on the total amount of traffic.
-JKFlow introduces directions, which allow definitions of source subnets and destination subnets, so it is possible to monitor specific carriers or destinations. These directions can be defined recursively, and the recursion is used during the evaluation of a flow record: only the flow records matching the upper subnet/router/direction are evaluated. In each direction you can define a different set of protocols and services.
4:
-CUFlow is configured with directives in CUFlow.cf.
-JKFlow is configured with XML in JKFlow.xml, and allows easy definition of subnetted directions, each with a different set of protocols and services to monitor. Thanks to the XML, the configuration is very structured and writing the parsing code of the XML configuration file was a breeze.
5:
-CUGrapher doesn't allow selection of routers, so you have to navigate a huge web form if you have a lot of routers.
-JKGrapher allows choosing which subnets/routers/directions you want to select trending from.
6:
-CUGrapher doesn't let you choose between stacked and unstacked graphs.
-JKGrapher lets you view the protocols, services, TOS and total in the graphs stacked and unstacked. Also, protocols, services, TOS and total don't stack on each other.
JKFlow Configuration
To use JKFlow, disable CUFlow by editing /var/netflow/bin/flowscan.cf and enabling JKFlow.
After editing, you should have -
# ReportClasses CUFlow
ReportClasses JKFlow
In JKFlow you can isolate network parts using "directions", defined by source and destination subnets/sites or router groups.
Using these directions you can isolate parts of the captured netflow to measure several parameters like total, protocols, services, etc. The design makes JKFlow perfect for branch site WAN-traffic monitoring. JKFlow.xml contains the settings for JKFlow. Please consult http://jkflow.sourceforge.net/eindwerk.pdf for more details on configuration.
Router Configuration
All you need do is add the following to the router config:
# ip flow-cache timeout active 1
This syntax is for IOS 12.2 and later. If you are running 11.x or 12.0/12.1 code, the syntax would be: "ip flow-cache active-timeout 1". This command ensures the timely delivery of flows to the collector.
# ip cef
# ip flow-export version 5
# ip flow-export destination ip-address-of-appliance 2055
Example - for the default address of the appliance, you would enter -
ip flow-export destination 10.3.1.56 2055
Please ensure that port udp/2055 is allowed by firewalls/access-lists between the router and the appliance.
For each interface on the router in question, you must enable NetFlow by running "ip route-cache flow" on that interface, e.g. for a router with interfaces eth0 and serial0, you might do this:
# int eth0
# ip route-cache flow
# exit
# int serial0
# ip route-cache flow
# exit
You have to enable netflow monitoring on all interfaces, because flows are only reported on the inbound router interface. If you omit interfaces, you will lose some outbound traffic on those interfaces.
To verify that the router is exporting, run -
# sh ip flow export
To verify that the appliance is receiving flows, on the appliance, run -
tail /var/log/messages and check if this is reported -
May 25 07:25:00 netflowap flow-capture[4631]: STAT: now=1148556300 startup=1148552375 src_ip=10.3.1.1 dst_ip=10.3.1.56 d_ver=5 pkts=4902 flows=147060 lost=0 reset=0 filter_drops=0
src_ip should match the ip address of the router
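The receive check above can be scripted. This is an added example, not part of the appliance or of flow-tools: it reads the flow-capture STAT records for one router and flags missing records, non-zero lost/filter_drops counters, a flows counter that has stopped advancing, and STAT records from any other src_ip. The function name, messages and exit codes are assumptions, and the second and third sample lines (including 10.3.1.77) are constructed.

```shell
#!/bin/sh
# Added example, not part of the appliance. Reads syslog lines on stdin and
# checks the flow-capture STAT records for one router (exporter).
# Exit status (illustrative): 0 ok, 1 no STAT from that router,
#   2 lost or filter-dropped flows, 3 flows counter did not advance.
check_flow_stat() {
    awk -v want="$1" '
    /flow-capture\[[0-9]+\]: STAT:/ {
        split("", kv)                      # clear the key=value map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        src = kv["src_ip"]
        if (src != want) {                 # a different device is exporting
            if (!(src in other)) { other[src] = 1; extra = extra " " src }
            next
        }
        # Compare counters only within one flow-capture run (same startup).
        stalled = (seen && kv["startup"] == startup && kv["flows"] + 0 <= flows)
        seen++
        startup = kv["startup"]; flows = kv["flows"] + 0
        lost = kv["lost"] + 0; drops = kv["filter_drops"] + 0
    }
    END {
        if (extra != "") print "other exporters seen:" extra
        if (!seen)         { print "FAIL no STAT record from " want; exit 1 }
        if (lost || drops) { print "WARN lost=" lost " filter_drops=" drops; exit 2 }
        if (stalled)       { print "WARN flows counter stuck at " flows; exit 3 }
        print "OK " want " flows=" flows " lost=0"
    }'
}

# Sample input: line 1 is the record shown above; lines 2-3 are constructed.
SAMPLE_LOG='May 25 07:25:00 netflowap flow-capture[4631]: STAT: now=1148556300 startup=1148552375 src_ip=10.3.1.1 dst_ip=10.3.1.56 d_ver=5 pkts=4902 flows=147060 lost=0 reset=0 filter_drops=0
May 25 07:30:00 netflowap flow-capture[4631]: STAT: now=1148556600 startup=1148552375 src_ip=10.3.1.1 dst_ip=10.3.1.56 d_ver=5 pkts=5010 flows=150312 lost=0 reset=0 filter_drops=0
May 25 07:30:02 netflowap flow-capture[4631]: STAT: now=1148556602 startup=1148552375 src_ip=10.3.1.77 dst_ip=10.3.1.56 d_ver=5 pkts=3 flows=90 lost=0 reset=0 filter_drops=0'
printf '%s\n' "$SAMPLE_LOG" | check_flow_stat 10.3.1.1
```

On the appliance the same function would be fed from the log, for example: check_flow_stat 10.3.1.1 < /var/log/messages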
To verify that flows are being processed, tail /var/log/flowscan. If using CUFlow, you should see this -
sleep 30...
sleep 30...
2006/05/25 07:25:16 working on file /var/netflow/ft-v05.2006-05-25.072000-0400...
2006/05/25 07:25:17 flowscan-1.020 CUFlow: Cflow::find took 1 wallclock secs ( 0.52 usr + 0.02 sys = 0.54 CPU) for 131959 flow file bytes, flow hit ratio: 4390/8940
2006/05/25 07:25:17 flowscan-1.020 CUFlow: report took 0 wallclock secs ( 0.00 usr 0.01 sys + 0.01 cusr 0.13 csys = 0.15 CPU)
sleep 30...
(please ignore this error if you see it in the logs -
Use of uninitialized value in numeric gt (>) at /usr/lib/perl5/site_perl/5.8.7/HTML/Table.pm line 1684.)
If JKFlow is in use, you should see -
sleep 30...
2006/05/25 18:25:11 working on file /var/netflow/ft-v05.2006-05-25.182000+0100...
2006/05/25 18:25:14 flowscan-1.020 JKFlow: Cflow::find took 3 wallclock secs ( 2.83 usr + 0.00 sys = 2.83 CPU) for 79140 flow file bytes, flow hit ratio: 6135/6135
2006/05/25 18:25:14 flowscan-1.020 JKFlow: report took 0 wallclock secs ( 0.40 usr + 0.30 sys = 0.70 CPU)
sleep 30...
Reporting
1. CUFlow Reports
To see reports, open http://ip-address-of-appliance/cgi-bin/CUGrapher.pl, select the parameters you want reports on and click on "Generate Reports".
To see the scoreboard, open http://ip-address-of-appliance/toptalkers.html for "Top Talkers" and http://ip-address-of-appliance/overall.html for overall talkers.
2. JKFlow Reports
To see reports, open http://ip-address-of-appliance/cgi-bin/JKGrapher.pl, select the direction and click on "Select". On the next page, select the parameters you want reports on and click on "Generate Reports". A sample report is in Guide.pdf.
Additional information is in guide.pdf.
4. None. All are GPL.


Vendor: jokoegwale

Date Created: 05/25/2006
Last Updated: 05/26/2006

Technical Specifications

Operating System:

Mandriva Linux 2006

VMware Tools installed: No

Size: 226MB

Allocated Memory (RAM): 256


Virtual Appliance Account Information

Username: root
Password: Password1
