I’m sure you have read my previous articles in this series. If not, please read them before continuing, to get a better understanding of developing a network monitoring tool using Cisco NetFlow technology. There are two previous parts in this series.
Developing A Network Monitoring Tool Using CISCO NetFlow : Part 1
Developing A Network Monitoring Tool Using CISCO NetFlow: Part 2 – Analysis and Design

Let’s continue in today’s episode.

Implementation of NetFlow Data Collector and Analyzer

Methodology

The majority of the Remote Client Monitor and Administrating Tool is based on this increment. It contains about 50% of the functionality and about 50% of the code of the whole tool, and it consumed about 50% of the time allocated to this project. The increment contains the following subsystems.

  • NetFlow data collector, which receives export datagrams from a NetFlow-enabled router
  • NetFlow data analyser, which decapsulates the exported NetFlow packets and extracts the required fields. The tool only supports NetFlow version 5. The author took the following fields of the NetFlow version 5 datagram for the development of the other tool components.

From the flow header (24 bytes at the start of every export datagram):

  Bytes   Field     Description
  0-1     version   The NetFlow version number. Because the tool only supports NetFlow version 5, this is the first field checked in this increment; datagrams carrying any other version are discarded.

From each flow record (48 bytes per record, starting immediately after the header):

  Bytes   Field     Description
  0-3     srcaddr   Source IP address of the packets in the flow. It is used to determine which network the packets belong to: if the source address is inside the monitored network, the author counts the flow as upload traffic.
  4-7     dstaddr   Destination IP address of the packets in the flow. If the destination address is inside the monitored network, the author counts the flow as download traffic.
  20-23   dOctets   Total number of Layer 3 bytes in the packets of the flow. It is used to calculate bandwidth: the author sums dOctets over the sampling period and treats that sum as the packet size in the bandwidth formula below.
  32-33   srcport   TCP/UDP source port number. The author attributes bandwidth to a service by port number. For example, a flow with TCP source port 80 or 8080 is treated as download web traffic, because the server side of a web session holds port 80 or 8080 while clients use ephemeral ports.
  34-35   dstport   TCP/UDP destination port number, used in the same way. For example, a flow with destination port 53 is treated as upload DNS traffic, because the DNS service listens on port 53. Normal clients do not listen on well-known ports such as 80, 53 and 21.

I am using the NetFlow datagram fields listed above to calculate bandwidth as follows.

Bandwidth(Mbps)=(dOctets /t)× 8/(1024 ×1024)

dOctets=total size of the packets in the flow, in bytes
t=time period in seconds

Note that the divisor 1024 × 1024 gives mebibits per second; network equipment and most monitoring tools define 1 Mbps as 10^6 bits per second, so the figures produced by this formula are about 5% lower than a decimal Mbps value.

t=t2-t1

t2=Bandwidth record time in seconds, given by the system user; it is also used as the graph generation interval and the bandwidth save interval.
t1=Server start time (after each and every bandwidth calculation t1 is reset to 0).
So,

t=t2

Example: over a period of 5 seconds this tool observed 10000 bytes in the packets of a traffic flow; the bandwidth calculation is as follows.

Bandwidth(Mbps)=(dOctets /t)× 8/(1024 ×1024)
Bandwidth=(10000 /5)× 8/(1024 ×1024) Mbps
Bandwidth≈0.01526 Mbps
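As an added example (this is not the author’s Java tool, which uses jFlow), here is a small Python decoder that walks the version 5 header and record layout described above, applies the upload/download and per-service rules, and evaluates the bandwidth formula over a constructed datagram. The own network 192.168.1.0/24, the documentation-range peer addresses, the byte counts and the 5-second period are assumptions made up for the example.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout, all fields big-endian: a 24-byte header followed by
# `count` (at most 30) 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"
# version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
SERVICES = {80: "web", 8080: "web", 21: "ftp", 53: "dns"}  # well-known port -> bucket


def parse_v5(datagram):
    """Decapsulate one NetFlow v5 export datagram into a list of flow dicts.

    Anything that is not version 5, or whose record count disagrees with the
    datagram length, is rejected instead of being read past the buffer.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "srcaddr": ipaddress.IPv4Address(r[0]),  # bytes 0-3 of the record
            "dstaddr": ipaddress.IPv4Address(r[1]),  # bytes 4-7
            "dOctets": r[6],                         # bytes 20-23
            "srcport": r[9],                         # bytes 32-33
            "dstport": r[10],                        # bytes 34-35
            "prot": r[13],                           # byte 38, IP protocol number
        })
    return flows


def classify(flows, own_net):
    """Sum dOctets per (direction, service) using the article's rules: source
    inside own network = upload, destination inside = download, and the service
    is taken from whichever end of the flow holds a well-known port."""
    own_net = ipaddress.ip_network(own_net)
    totals = defaultdict(int)
    for f in flows:
        if f["srcaddr"] in own_net:
            direction = "upload"
        elif f["dstaddr"] in own_net:
            direction = "download"
        else:
            continue  # transit flow, not part of the monitored network
        totals[(direction, "total")] += f["dOctets"]
        service = SERVICES.get(f["dstport"]) or SERVICES.get(f["srcport"])
        if service:
            totals[(direction, service)] += f["dOctets"]
    return dict(totals)


def bandwidth_mbps(d_octets, t_seconds):
    """The article's formula: (dOctets / t) * 8 / (1024 * 1024)."""
    return (d_octets / t_seconds) * 8 / (1024 * 1024)


def _record(src, dst, sport, dport, octets, prot=6):
    """Build one constructed 48-byte v5 flow record (hypothetical sample data)."""
    return struct.pack(RECORD_FMT,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\x00\x00\x00\x00", 1, 2, 10, octets, 1000, 2000,
                       sport, dport, 0, 0x18, prot, 0, 0, 0, 24, 24, 0)


# Constructed datagram: a v5 header announcing 3 records from a hypothetical
# 192.168.1.0/24 site talking to documentation-range addresses.
SAMPLE_DATAGRAM = struct.pack(HEADER_FMT, 5, 3, 123456, 1700000000, 0, 42, 0, 0, 0) + (
    _record("192.168.1.10", "203.0.113.5", 51234, 80, 10000)             # upload, web
    + _record("203.0.113.5", "192.168.1.10", 80, 51234, 50000)           # download, web
    + _record("192.168.1.10", "198.51.100.53", 40000, 53, 300, prot=17)  # upload, dns
)


def report(datagram=SAMPLE_DATAGRAM, own_net="192.168.1.0/24", t_seconds=5):
    """Parse, classify and convert to Mbps for one sampling period of t seconds."""
    totals = classify(parse_v5(datagram), own_net)
    return {key: round(bandwidth_mbps(octets, t_seconds), 5) for key, octets in totals.items()}


if __name__ == "__main__":
    for (direction, service), mbps in sorted(report().items()):
        print("%-8s %-6s %.5f Mbps" % (direction, service, mbps))
```

With the constructed datagram the upload/web bucket comes out at the article’s 0.01526 Mbps (10000 bytes over 5 seconds). To turn this into the collector, bind a UDP socket on the export port (9001 in the router configuration below) and hand each payload from recvfrom() to parse_v5, accepting only datagrams whose source address is the router’s export address: NetFlow v5 export carries no authentication, so anyone who can reach the collector port can otherwise inject flow records into the graphs.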

The calculated bandwidth is saved to a .dat file, together with the time in seconds, for future reference. There is one .dat file per type of bandwidth; for example, web upload traffic is saved as “upload80.dat”. Currently, the tool saves:

  • Total network upload and download bandwidth as “upload.dat” and “download.dat”
  • Web traffic upload and download as “upload80.dat” and “download80.dat”
  • FTP traffic upload and download as “upload23.dat” and “download23.dat” (note that FTP control uses TCP port 21; port 23 is Telnet, so the file name does not match the port the traffic is keyed on)
  • DNS traffic upload and download as “upload53.dat” and “download53.dat”

The graphs for total network upload and download bandwidth, and for each service, are drawn from the .dat files above. The programmer uses the time at which the bandwidth was recorded for the X-axis and the bandwidth in Mbps (megabits per second) for the Y-axis. Each graph shows both upload and download bandwidth. A total network bandwidth graph, a web bandwidth graph, an FTP bandwidth graph and a DNS bandwidth graph are included in this tool.

Configurations

Prerequisite

  • The network administrator needs a router that supports NetFlow. Although most routers support NetFlow now, some still don’t.
  • The router must be configured for IP routing. To check this, the following command can be used.
    Router# show ip route
Packet tracer output for “show ip route” command
  • Make sure that CEF (Cisco Express Forwarding) is available on the router; NetFlow on IOS requires it. Most newer Cisco routers support CEF. To check this, the following command can be used.
    Router# show ip cef
Packet tracer output for “show ip cef” command
  • CEF is enabled by default. If it is not, the following command enables it.
    Router(config)# ip cef

Router Commands

The router commands are as follows. Let’s say the NetFlow collector server’s IP is 192.168.1.2, listening on UDP port 9001, and we need to capture traffic on FastEthernet 0/1. The server is reached through GigabitEthernet 0/1, and NetFlow version 5 needs to be enabled.

  • The 1st step is to configure an interface to monitor traffic. Routers support 2 methods; use only one of them when configuring NetFlow.
    Method 1 (legacy syntax, ingress traffic only)
    Router(config)#interface fastethernet 0/1
    Router(config-if)#ip route-cache flow
    Router(config-if)#exit
    Method 2 (newer syntax; ingress and egress are enabled separately)
    Router(config)#interface fastethernet 0/1
    Router(config-if)#ip flow ingress
    Router(config-if)#ip flow egress
  • The 2nd step is to configure the router to send monitored data to the NetFlow collector server. Export is plain UDP with no authentication or encryption, so the collector should accept datagrams only from the router’s export source address, and the export path should stay on a management network.
    Router(config)#ip flow-export destination 192.168.1.2 9001
    Router(config)#ip flow-export source Gigabitethernet0/1
    Router(config)#ip flow-export version 5
  • The 3rd step is to set the flow active timeout, between 1 and 60 minutes. This breaks long-lived flows into one-minute pieces so that they are exported while still active. The default timeout is 30 minutes.
    Router(config)#ip flow-cache timeout active 1
  • The last step is to set the inactive timeout, between 10 and 600 seconds. This lets finished flows be exported promptly. The default timeout is 15 seconds.
    Router(config)#ip flow-cache timeout inactive 15

Validation of the above configurations

  • Router#show ip cache flow
Packet Tracer output for “show ip cache flow” command
  • Router#show ip flow export
    This shows the export version, the destination address and port, the source interface, and the number of datagrams sent, so it confirms that the 2nd step took effect and that the counter is increasing.

Problems, Limitations and Solutions

When the author started this project, there was a significant problem decapsulating NetFlow datagrams in Java. The best solution found for the problem was the jFlow Java library.

Possible Future Developments

The following future increments can be done:

  • Per-IP monitoring.
    Currently the tool only monitors traffic for the network as a whole. In future, the tool can be modified to monitor traffic per IP address. To achieve this, the tool needs to filter flows per IP address and store each one in a separate .dat file.
