Provided by: flow-tools_0.68-12.3build2_amd64 bug

flow-tools-examples(1)               General Commands Manual               flow-tools-examples(1)

NAME

       flow-tools-examples — Example usage of flow-tools.

EXAMPLE - Configuring Cisco IOS Router

       NetFlow  is  configured  on each input interface, then global commands are used to specify
       the export destination.  To ensure  a  consistant  source  address  address  Loopback0  is
       configured as the export source.

       ip cef distributed
       ip flow-export version 5 origin-as
       ip flow-export destination 10.0.0.100 5004
       ip flow-export source Loopback0

       interface Loopback0
        ip address 10.1.1.1 255.255.255.255

       interface FastEthernet0/1/0
        ip address 10.0.0.1 255.255.255.0
        no ip directed-broadcast
        ip route-cache flow
        ip route-cache distributed

       Many other options exist such as aggregated NetFlow and sampled NetFlow which are detailed
       at  (link to URL http://www.cisco.com) .

EXAMPLE - Configuring Cisco CatIOS Switch

       Some Cisco Catalyst switches  support  a  different  implementation  of  NetFlow  that  is
       performed  on  the supervisor.  With the cache based forwarding model which is implemented
       in the Catalyst 55xx with Route Switch Module (RSM) and NetFlow Feature Card  (NFFC),  the
       RSM  processes  the  first flow and the remaining packets in the flow are forwarded by the
       Supervisor.  This is also implemented in the early versions of the 65xx  with  MSFC.   The
       deterministic forwarding model used in the 65xx with MSFC2 do not use NetFlow to determine
       the forwarding path, the flow cache is only used for statistics  as  in  the  current  IOS
       implementations.   In all of of the above configurations flow exports arrive from both the
       RSM/MSFC and the Supervisor engines as distinct  streams.   In  the  worst  cast  the  RSM
       exports  in  version  5 and the Supervisor exports in version 7.  Fortunately flow-capture
       and flow-receive can sort  all  this  out  by  processing  flows  from  both  sources  and
       converting them to a common export format.

       The  router  side  running  IOS is configured identically to the example given above.  The
       CatIOS NetFlow Data Export configuration follows:

       set mls flow full
       set mls nde version 7
       set mls nde 10.0.0.1 9800
       set mls nde enable

       When the 65xx is running in Native mode, from a  users  perspective  the  switch  is  only
       running IOS.

       More detailed examples can be found on Cisco's web site
        (link to URL http://www.cisco.com) .

EXAMPLE - Configuring Juniper Router

       Juniper  supports  flow  exports  by  the  routing  engine  sampling  packet  headers  and
       aggregating them into flows.  Packet sampling is done by defining  a  firewall  filter  to
       accept  and  sample all traffic, applying that rule to the interface, then configuring the
       sampling forwarding option.

       interfaces {
           ge-0/3/0 {
               unit 0 {
                   family inet {
                       filter {
                           input all;
                           output all;
                       }
                       address 10.0.0.1/24;
                   }
               }
           }

       firewall {
           filter all {
               term all {
                   then {
                       sample;
                       accept;
                   }
               }
           }
       }

       forwarding-options {
           sampling {
               input {
                   family inet {
                       rate 100;
                   }
               }
               output {
                   cflowd 10.0.0.100 {
                       port 9800;
                       version 5;
                   }
               }
           }
       }

       Other options exist such  as  aggregated  flows  which  are  detailed  at   (link  to  URL
       http://www.juniper.net) .

EXAMPLE - Network topology and flow.acl

       The  network  topology  and  flow.acl  will  be used for many of the examples that follow.
       Flows are collected and stored in /flows/R.

                               ISP-A       ISP-B
                                +           +
                                 +         +
                   IP=10.1.2.1/24 +       + IP=10.1.1.1/24
                        ifIndex=2  +     +  ifIndex=1
              interface=serial1/1   +   +   interface=serial0/0
                                    -----
                                    | R | Campus Router
                                    -----
                                    +   +
                  IP=10.1.4.1/24   +     +   IP=10.1.3.1/24
                       ifIndex=4  +       +  ifIndex=3
           interface=Ethernet1/1 +         + interface=Ethernet0/0
                                +           +
                              Sales      Marketing

       ip access-list standard sales permit 10.1.4.0 0.0.0.255
       ip access-list standard not_sales deny 10.1.4.0 0.0.0.255
       ip access-list standard marketing permit 10.1.3.0 0.0.0.255
       ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255
       ip access-list standard campus permit 10.1.4.0 0.0.0.255
       ip access-list standard campus permit 10.1.3.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.4.0 0.0.0.255
       ip access-list standard not_campus deny 10.1.3.0 0.0.0.255
       ip access-list standard evil_hacket permit host 10.6.6.6
       ip access-list standard spoofer permit host 10.9.9.9
       ip access-list standard multicast 224.0.0.0 15.255.255.255

EXAMPLE - Finding spoofed addresses

       A common problem on the Internet is the use of "spoofed" (addresses that are not  assigned
       to an organization) for use in DoS attacks or compromising servers that rely on the source
       IP address for authentication.

       Display all flow records that originate from the campus and are sent to the  Internet  but
       are not using legal addresses.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print

       Summary of the destinations of the internally spoofed addresses sorted by octets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2

       Summary of the sources of the internally spoofed addresses sorted by flows.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1

       Summary of the internally spoofed sources and destination pairs sorted by packets.

       flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4

       Display all flow records that originate external to the campus that have campus addresses.
       Many times these can be attackers trying to exploit host based  authentication  mechanisms
       like  unix  r*  commands.  Another common source is mobile clients which send packets with
       their campus addresses before obtaining a valid IP.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print

       Summary of the destinations of the externally spoofed addresses sorted by octets.

       flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2

EXAMPLE - Locate hosts using or running services

       Find  all  SMTP  servers  active  during  the  collection  period  that  have  established
       connections to the Internet.  Summarize sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2

       Find all outbound NNTP connections to the Internet.  Summarize with source and destination
       IP sorted by octets.

       flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3

       Find all inbound NNTP connections to the Internet.  Summarize with source and  destination
       IP sorted by octets.

       flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3

EXAMPLE - Multicast usage

       Summarize Multicast S,G where sources are on campus.

       flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3

       Summarize Multicast S,G where sources are off campus.

       flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3

EXAMPLE - Find scanners

       Find SMTP scanners with flow-dscan.  This will also find SMTP clients which try to contact
       many servers.  This behavior is characterized by a recent Microsoft worm.

       touch dscan.suppress.src dscan.suppress.dst
       flow-cat /flows/R | flow-filter -P25 | flow-dscan -b

AUTHOR

       Mark Fullmer maf@splintered.net

SEE ALSO

       flow-tools(1)

                                                                           flow-tools-examples(1)