Track2Agenda: plan-netflow.txt

File plan-netflow.txt, 8.2 KB (added by trac, 6 years ago)
% Training plan: NetFlow
% NSRC Network Monitoring and Management workshop

Students
:   Classroom of 20-36 students in groups of 3 or 4.
Pre-requisites
:   Students will already be able to ssh into VMs, edit files, and login
    to Cisco. They will have a basic understanding of IP datagrams and
    port numbers.
Time available
:   Total of 3 to 3.5 hours, split into 2 sessions.

Materials
---------
* NMM lab with 5-9 groups of 4 VMs, each group behind a Dynamips Cisco
* Student laptops with wifi access to lab and ssh client
* Projector and laptop
* Flipchart or whiteboard and pens
* Presentations and exercises available to students

Preparation
-----------
* Web site with "BigFile" (arbitrary content, suggested size 20-50MB)
* Anonymous FTP site with "BigFile". vsftpd is the easiest to install
  [FIXME: depends if drill-down exercise will do both HTTP and FTP]
* Netflow running for several days on noc VM, receiving flows
  from gateway router
* Scan through netflow data to identify a time period where there is
  'interesting' traffic, with some large flows both inbound and outbound

Objectives
==========

General objective
-----------------

To enable students to make use of NetFlow to analyse traffic within their
networks.

Specific objectives
-------------------

After this session, students will be able to:

* Describe flows and flow records
* Identify the flows in a UDP or TCP exchange (i.e. demonstrate
  their understanding that flows are unidirectional)
* List the two most commonly-used versions of netflow
* Configure a Cisco router to send flow records
* Install and configure nfdump and nfsen by following a worksheet
* Locate the files of flow records created by nfdump
* Use the nfsen web interface drill-down to identify the top sending
  machine and top receiving machine in a local network
* Build simple filter queries such as "proto icmp", "src host 10.10.0.x",
  "dst net 10.10.0.0/16", "tcp and dst port 80"
* Find the nfdump and nfsen documentation on the web

They should also remember that traffic *to* a webserver has *dst* port 80,
but traffic *from* a webserver has *src* port 80.

Secondary objectives
--------------------

It would also be useful for students to be able to:

* Configure "top-talkers" and explain its output
* Describe and configure profiles and channels in nfsen
* Collect netflow records from multiple routers into one nfsen instance
* Use more advanced filter queries, e.g. `in if 1`

Tertiary objectives
-------------------

More advanced students may wish to:

* Install porttracker plugin
* Configure a BGP-aware router to send AS info in netflow
* Configure flow aggregation and flow sampling in the router
* Configure softflowd

Time is most likely not available, but can be provided as supplementary
materials.
83
84Timeline
85========
86
87---- ----------------                     ----------------
88Time Teacher activity                     Student activity
89---- ----------------                     ----------------
900:00 Introduction, explain purpose of     Listen
91     netflow in contrast to cacti
92
930:05 Presentation                         Listen, ask questions
94     - what is a flow?
95     - Cisco definition of a flow.
96     Picture showing some different
97     coloured packets belonging to
98     different flows.
99
1000:10 Show some packet headers             Identify which ones belong
101                                          to the same flows. Give total
102                                          packets and bytes per flow.
103
1040:15 What does a flow record contain?     Watch
105     (simple diagram)
106
1070:20 How can you generate flow records?   Q: What other device might you
108     - From a router                      already have which tracks usage
109     - Using mirror port and softflowd    of UDP/TCP traffic per port?
110                                          (A: firewall. Some can generate
111                                          netflow records, e.g. ASA, pfflowd)
112
1130:30 Diagram to show how nfdump and nfsen Watch, ask questions
114     fit together. Show some graphs,
115     explain that these are *sums* of
116     flows. For any further analysis
117     it just shells out to nfdump.
118
1190:45 Demo using nfsen to identify
120     busiest downloaders and uploaders.
121     This can be done live, or we
122     could have a prepared screencast.
123
124     - select interesting time period     Identify small flows on screen,
125     - look at totals for time period     e.g. DNS. Identify web flows.
126     - list raw flows
127     - list flows with `proto tcp`
128
129     - list flows `[src] host 10.10.0.x`  Identify flows to/from a host
130
131     - Top N, Stat Flow Records by Bytes  Q: Why is just looking at the
132                                          biggest flow not sufficient?
133
134     - Top N, Stat Dst IP by Bytes        Q: What's the problem with this?
135                                          (best if demo can show both
136                                          local and remote dest IPs).
137
138     - Top N, Stat Dst IP by Bytes and    Now, how would we find the biggest
139       `dst net 10.10.0.0/16`             sender of traffic from our net?
140                                          How would we find the web sites
141                                          which are being downloading the most?
142
143     Only if class has not had their
144     minds blown yet:
145     - Show aggregate [X] protocol        How much total TCP,UDP,UCMP?
146     - Show aggregate [X] Src IP          Same results as Stat Src IP
147     - Aggregate both Src IP & Dst IP     See one row for each unique
148                                          Src/Dst IP combination in the data
149
1501:05 Explain the key nfsen screens        Questions
151     - home
152     - details (note: per-proto
153       graphs, flows/pps/bps)
154
1551:15 Show and explain some screens they   Questions
156     can add, without too much detail.
157     - channels for proto, host,...
158     - porttracker
159
1601:25 Assist with labs                     Lab exercises:
161     (if running early, labs can          - export flows (10m?)
162     start before break)                  - install and test nfdump (30m?)
163                                          - install nfsen (20m?)
164                                          - traffic generation (5m?)
165                                          - nfsen drill-down following
166                                            prescriptive worksheet (10m?)
167                                          - nfsen drill-down having to
168                                            work out another example (15m?)
169                                          optional:
170                                          - create channels for protocols
171                                          - create channels for hosts
172                                            (stacked or line)
173                                          - install port tracker
174 
1752:55 Summary:                             Answer instructor questions
176     ask students questions about each
177     of the main objectives
178---- ----------------                     ----------------
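The 0:45 demo in the timeline walks through nfdump-style filter expressions and the "Top N ... by Bytes" statistics. The following Python script is an added illustration written for this plan (it is not nfdump or nfsen code): it applies the same kinds of filter clauses used in the plan (`proto`, `host`, `net`, `port`, bare `tcp`, joined with `and`) to a constructed set of flow records on documentation addresses, then computes Top N by bytes per flow record, per source IP and per destination IP. Only the subset of nfdump's filter syntax that the plan mentions is supported, and the byte counts are made up.

```python
"""Toy nfdump-style filtering and Top N statistics over flow records.

Added example for the NetFlow training plan; not nfdump/nfsen code.
The flow records below are constructed sample data.
"""
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    sport: int    # source port (0 for icmp)
    dport: int    # destination port (0 for icmp)
    packets: int
    bytes: int


LOCAL_NET = "10.10.0.0/16"   # the lab network used in the plan's filter examples
PROTOS = {"tcp", "udp", "icmp"}

# Constructed sample flows.  NetFlow records are unidirectional, so one HTTP
# download appears as two flows: the data stream from the server (src port 80)
# and the much smaller acknowledgement stream back to it (dst port 80).
FLOWS = [
    Flow("198.51.100.7", "10.10.0.5", "tcp", 80, 51234, 4000, 5_800_000),   # data from web server
    Flow("10.10.0.5", "198.51.100.7", "tcp", 51234, 80, 2000, 100_000),     # ACKs to web server
    Flow("10.10.0.7", "192.0.2.10", "tcp", 55000, 80, 3000, 2_500_000),     # upload (HTTP POST)
    Flow("10.10.0.5", "10.10.0.1", "udp", 53123, 53, 1, 70),                # DNS query
    Flow("10.10.0.1", "10.10.0.5", "udp", 53, 53123, 1, 150),               # DNS reply
    Flow("203.0.113.50", "10.10.0.20", "icmp", 0, 0, 5, 420),               # pings
]
# Eight HTTPS transfers into one host: each smaller than the big download
# above, but together they make 10.10.0.20 the largest receiver.
FLOWS += [Flow(f"203.0.113.{i}", "10.10.0.20", "tcp", 443, 40000 + i, 700, 900_000)
          for i in range(1, 9)]


def matches(flow: Flow, expr: str) -> bool:
    """Evaluate a subset of nfdump's filter syntax: clauses joined by 'and',
    each being 'proto P', '[src|dst] host A', '[src|dst] net A/M',
    '[src|dst] port N', or a bare protocol name such as 'tcp'."""
    for clause in expr.lower().split(" and "):
        toks = clause.split()
        direction = toks.pop(0) if toks[0] in ("src", "dst") else None
        if toks[0] in PROTOS:               # bare "tcp" means "proto tcp"
            toks = ["proto", toks[0]]
        kind, value = toks
        # Select the address/port fields the clause applies to.
        if direction == "src":
            addrs, ports = [flow.src], [flow.sport]
        elif direction == "dst":
            addrs, ports = [flow.dst], [flow.dport]
        else:
            addrs, ports = [flow.src, flow.dst], [flow.sport, flow.dport]
        if kind == "proto":
            ok = flow.proto == value
        elif kind == "host":
            ok = value in addrs
        elif kind == "net":
            net = ipaddress.ip_network(value, strict=False)
            ok = any(ipaddress.ip_address(a) in net for a in addrs)
        elif kind == "port":
            ok = int(value) in ports
        else:
            raise ValueError(f"unsupported filter clause: {clause!r}")
        if not ok:
            return False
    return True


def filter_flows(flows: List[Flow], expr: str) -> List[Flow]:
    return [f for f in flows if matches(f, expr)]


def top_n(flows: List[Flow], stat: str, n: int = 3) -> List[Tuple[str, int]]:
    """'Top N by bytes' as in nfsen: stat is 'record' (each flow on its own),
    'srcip' or 'dstip' (bytes summed per address)."""
    totals: Counter = Counter()
    for f in flows:
        if stat == "record":
            key = f"{f.src}:{f.sport} -> {f.dst}:{f.dport} {f.proto}"
        elif stat == "srcip":
            key = f.src
        elif stat == "dstip":
            key = f.dst
        else:
            raise ValueError(f"unknown stat: {stat!r}")
        totals[key] += f.bytes
    return totals.most_common(n)


if __name__ == "__main__":
    # Why the single biggest flow record is not enough: 10.10.0.20 receives
    # more in total than 10.10.0.5, yet no single flow to it is the largest.
    print("Top flow records:", top_n(FLOWS, "record", 2))
    print("Top dst IP:", top_n(FLOWS, "dstip", 2))
    # Restrict to local receivers / local senders with net filters.
    print("Top local receivers:", top_n(filter_flows(FLOWS, f"dst net {LOCAL_NET}"), "dstip"))
    print("Top local senders:", top_n(filter_flows(FLOWS, f"src net {LOCAL_NET}"), "srcip"))
    # Web sites downloaded from the most: the bytes come *from* port 80.
    print("Top web servers:", top_n(filter_flows(FLOWS, "tcp and src port 80"), "srcip"))
    print("ICMP flows:", filter_flows(FLOWS, "proto icmp"))
```

Running it shows the two points the demo questions aim at: the largest single flow record is the download to 10.10.0.5, but "Top N Dst IP by Bytes" ranks 10.10.0.20 first because many small flows add up; and finding the web sites being downloaded from needs `src port 80`, whereas `dst port 80` only returns the small request/ACK streams.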

Lab notes
---------

The students will work in pairs. In each pair, one will configure the Cisco
router to send flows to the second.  The other will install nfdump and
nfsen, with the assistance of the first.  Both can use the web interface on
the second VM to analyse the traffic, and both can use `show ip flow
top-talkers`.  Note that if there are three people in a group, then one
person in the group will have to do everything.

The 'channels' exercise should be self-contained with screenshots, so it's
not necessary to go through this in the class presentation. The presentation
could just show one screenshot of some graphs with channels.

Students should also be encouraged to use the live nfsen instance on the noc
VM to explore a more substantial data set, although we risk overload if too
many people try this at once.

Test
----

At the end of the week, the final exam could show a table of packet
headers, and students need to identify which ones are in the same flows, and
for each flow give the total number of packets and bytes.  (Paper flowd :-)
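The "identify the flows in a UDP or TCP exchange" objective and the "paper flowd" exam above come down to the same grouping step. The following Python script is an added example written for this plan (not nfdump or a real exporter) that performs it mechanically on a constructed table of packet headers, keying each packet on the classic seven NetFlow v5 fields (input interface, source and destination IP, protocol, source and destination port, ToS byte); the addresses, interface numbers and packet sizes are made up.

```python
"""Group packet headers into unidirectional flows and count packets/bytes.

Added example for the NetFlow training plan's "paper flowd" exercise;
the packet headers below are constructed sample data.
"""
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ifindex: int   # router input interface the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int     # 0 for icmp
    dport: int     # 0 for icmp
    tos: int       # IP type-of-service byte
    length: int    # IP total length in bytes


# Classic Cisco (NetFlow v5) flow key: packets that agree on all seven fields
# belong to the same flow.  Because source and destination are part of the
# key, each direction of a TCP or UDP conversation is its own flow.
FlowKey = Tuple[int, str, str, str, int, int, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.ifindex, p.src, p.dst, p.proto, p.sport, p.dport, p.tos)


def build_flows(packets: List[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    """Aggregate packets into flow records (packet and byte counters),
    kept in order of first appearance."""
    flows: Dict[FlowKey, Dict[str, int]] = {}
    for p in packets:
        rec = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0})
        rec["packets"] += 1
        rec["bytes"] += p.length
    return flows


def flow_count(packets: List[Packet]) -> int:
    return len(build_flows(packets))


# Constructed packet headers: a DNS lookup followed by a small HTTP download.
# Interface 1 = LAN side, interface 2 = upstream side of the lab router.
PACKETS = [
    Packet(1, "10.10.0.5", "10.10.0.1", "udp", 53123, 53, 0, 70),          # DNS query
    Packet(1, "10.10.0.1", "10.10.0.5", "udp", 53, 53123, 0, 150),         # DNS reply
    Packet(1, "10.10.0.5", "198.51.100.7", "tcp", 51234, 80, 0, 60),       # SYN
    Packet(2, "198.51.100.7", "10.10.0.5", "tcp", 80, 51234, 0, 60),       # SYN/ACK
    Packet(1, "10.10.0.5", "198.51.100.7", "tcp", 51234, 80, 0, 52),       # ACK
    Packet(1, "10.10.0.5", "198.51.100.7", "tcp", 51234, 80, 0, 300),      # GET
    Packet(2, "198.51.100.7", "10.10.0.5", "tcp", 80, 51234, 0, 1500),     # data
    Packet(2, "198.51.100.7", "10.10.0.5", "tcp", 80, 51234, 0, 1500),     # data
    Packet(2, "198.51.100.7", "10.10.0.5", "tcp", 80, 51234, 0, 900),      # data
    Packet(1, "10.10.0.5", "198.51.100.7", "tcp", 51234, 80, 0, 52),       # ACK
]


if __name__ == "__main__":
    # Ten packets collapse into four flows: two for DNS, two for HTTP.
    for key, rec in build_flows(PACKETS).items():
        ifidx, src, dst, proto, sport, dport, tos = key
        print(f"if{ifidx} {proto:4} {src}:{sport} -> {dst}:{dport}  "
              f"{rec['packets']} pkts {rec['bytes']} bytes")
```

The output makes the port-direction point from the objectives visible: the client's flow has `dst port 80` and carries only a few hundred bytes of requests and ACKs, while the server's flow has `src port 80` and carries the downloaded data.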

Extensions
----------

In a security workshop, an additional task might be to identify some
simulated attack traffic generated by the instructor (e.g. a flow of pings
inbound to one VM in each group, preferably with spoofed source IPs :-).
This can be done by creating loopback interface(s) on the noc VM and binding
the pings to those.