% Training plan: NetFlow
% NSRC Network Monitoring and Management workshop

Students
: Classroom of 20-36 students in groups of 3 or 4.

Pre-requisites
: Students will already be able to ssh into VMs, edit files, and log in
  to the Cisco router. They will have a basic understanding of IP datagrams
  and port numbers.

Time available
: Total of 3 to 3.5 hours, split into 2 sessions.

Materials
---------
* NMM lab with 5-9 groups of 4 VMs, each group behind a Dynamips-emulated Cisco router
* Student laptops with wifi access to the lab and an ssh client
* Projector and laptop
* Flipchart or whiteboard and pens
* Presentations and exercises available to students

Preparation
-----------
* Web site serving "BigFile" (arbitrary content, suggested size 20-50MB)
* Anonymous FTP site serving "BigFile"; vsftpd is the easiest way to set this up
  [FIXME: depends on whether the drill-down exercise will do both HTTP and FTP]
* NetFlow collection running for several days on the noc VM, receiving flows
  from the gateway router
* Scan through the netflow data beforehand to identify a time period with
  'interesting' traffic, i.e. some large flows both inbound and outbound

Objectives
==========

General objective
-----------------

To enable students to make use of NetFlow to analyse traffic within their
networks.

Specific objectives
-------------------

After this session, students will be able to:

* Describe flows and flow records
* Identify the flows in a UDP or TCP exchange (i.e. demonstrate
  their understanding that flows are unidirectional)
* List the two most commonly-used versions of netflow
* Configure a Cisco router to send flow records
* Install and configure nfdump and nfsen by following a worksheet
* Locate the files of flow records created by nfdump
* Use the nfsen web interface drill-down to identify the top sending
  machine and top receiving machine in a local network
* Build simple filter queries such as `proto icmp`, `src host 10.10.0.x`,
  `dst net 10.10.0.0/16`, `tcp and dst port 80`
* Find the nfdump and nfsen documentation on the web

They should also remember that traffic *to* a webserver has *dst* port 80,
but traffic *from* a webserver has *src* port 80, and that nearly all of the
bytes of a download are in the flow *from* the server.
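
The filter objective and the dst/src port 80 point above, as a worked example
added to this plan (it is not code from the nfdump or nfsen projects): a small
Python matcher for a subset of nfdump's filter syntax, run over a handful of
constructed flow records. The addresses, ports and byte counts are invented for
the lesson; the supported keywords are the subset listed in the docstring, not
nfdump's full grammar.

```python
"""Match nfdump-style filters against flow records (added example, constructed data)."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One unidirectional flow record, with the fields an nfdump listing shows (trimmed).
Flow = namedtuple("Flow", "proto src dst sport dport packets bytes")

# Constructed sample: one web download, one DNS lookup, one ping. Every exchange
# appears as two records because flows are unidirectional.
FLOWS = [
    Flow("tcp",  "10.10.0.5",  "192.0.2.10", 51234, 80,    120,  9_600),      # client -> web server
    Flow("tcp",  "192.0.2.10", "10.10.0.5",  80,    51234, 1500, 2_100_000),  # web server -> client
    Flow("udp",  "10.10.0.5",  "10.10.0.1",  40000, 53,    1,    70),         # DNS query
    Flow("udp",  "10.10.0.1",  "10.10.0.5",  53,    40000, 1,    130),        # DNS answer
    Flow("icmp", "10.10.0.7",  "192.0.2.10", 0,     0,     4,    336),        # ping, no ports
]

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def compile_filter(text):
    """Turn a filter string into a predicate Flow -> bool.

    Supported subset of nfdump's grammar: tcp|udp|icmp, proto P, [src|dst] host A,
    [src|dst] net A/len, [src|dst] port N, combined with not / and / or and
    parentheses. 'and' binds tighter than 'or'. A host/net/port with no src or
    dst in front of it matches either end of the record, as in nfdump.
    """
    tokens = _TOKEN.findall(text.lower())
    pos = 0

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("filter ended early: %r" % text)
        tok = tokens[pos]
        pos += 1
        return tok

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def primary():
        tok = take()
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % text)
            return inner
        if tok == "not":
            inner = primary()
            return lambda f: not inner(f)
        if tok in ("tcp", "udp", "icmp"):
            return lambda f, p=tok: f.proto == p
        if tok == "proto":
            return lambda f, p=take(): f.proto == p
        side = None
        if tok in ("src", "dst"):
            side, tok = tok, take()
        sides = (side,) if side else ("src", "dst")   # which end(s) of the record to test
        if tok == "host":
            addr = ip_address(take())
            return lambda f: any(ip_address(getattr(f, s)) == addr for s in sides)
        if tok == "net":
            net = ip_network(take(), strict=False)
            return lambda f: any(ip_address(getattr(f, s)) in net for s in sides)
        if tok == "port":
            port = int(take())
            return lambda f: any(getattr(f, s[0] + "port") == port for s in sides)
        raise ValueError("unknown keyword %r in %r" % (tok, text))

    def and_expr():
        terms = [primary()]
        while peek() == "and":
            take()
            terms.append(primary())
        return lambda f: all(t(f) for t in terms)

    def or_expr():
        terms = [and_expr()]
        while peek() == "or":
            take()
            terms.append(and_expr())
        return lambda f: any(t(f) for t in terms)

    pred = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % text)
    return pred


def select(filter_text, flows=FLOWS):
    """The records that match, like `nfdump ... '<filter>'` listing raw flows."""
    pred = compile_filter(filter_text)
    return [f for f in flows if pred(f)]


def total_bytes(filter_text, flows=FLOWS):
    return sum(f.bytes for f in select(filter_text, flows))


if __name__ == "__main__":
    # Direction matters: the download's bytes sit in the record *from* the server.
    print("dst port 80 ->", total_bytes("dst port 80"), "bytes (requests to the server)")
    print("src port 80 ->", total_bytes("src port 80"), "bytes (responses from the server)")
    for f in select("dst net 10.10.0.0/16"):
        print(f)
```

Run it and compare `dst port 80` with `src port 80`: the request-side record
carries 9,600 bytes and the response-side record 2,100,000, which is why the
"who is downloading the most" question in the drill-down is answered with a
*dst* filter and Stat Dst IP, not a `dst port 80` filter.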

Secondary objectives
--------------------

It would also be useful for students to be able to:

* Configure "top-talkers" and explain its output
* Describe and configure profiles and channels in nfsen
* Collect netflow records from multiple routers into one nfsen instance
* Use more advanced filter queries, e.g. `in if 1`

Tertiary objectives
-------------------

More advanced students may wish to:

* Install the porttracker plugin
* Configure a BGP-aware router to send AS info in netflow
* Configure flow aggregation and flow sampling in the router
* Configure softflowd

Time will most likely not be available for these, but they can be provided
as supplementary materials.

Timeline
========

----- -------------------------------------- --------------------------------------
Time  Teacher activity                       Student activity
----- -------------------------------------- --------------------------------------
0:00  Introduction, explain purpose of       Listen
      netflow in contrast to cacti

0:05  Presentation                           Listen, ask questions
      - what is a flow?
      - Cisco definition of a flow.
      Picture showing some different
      coloured packets belonging to
      different flows.

0:10  Show some packet headers               Identify which ones belong
                                             to the same flows. Give total
                                             packets and bytes per flow.

0:15  What does a flow record contain?       Watch
      (simple diagram)

0:20  How can you generate flow records?     Q: What other device might you
      - From a router                        already have which tracks usage
      - Using mirror port and softflowd      of UDP/TCP traffic per port?
                                             (A: firewall. Some can generate
                                             netflow records, e.g. ASA, pfflowd)

0:30  Diagram to show how nfdump and nfsen   Watch, ask questions
      fit together. Show some graphs,
      explain that these are *sums* of
      flows. For any further analysis
      it just shells out to nfdump.

0:45  Demo using nfsen to identify
      busiest downloaders and uploaders.
      This can be done live, or we
      could have a prepared screencast.

      - select interesting time period       Identify small flows on screen,
      - look at totals for time period       e.g. DNS. Identify web flows.
      - list raw flows
      - list flows with `proto tcp`

      - list flows `[src] host 10.10.0.x`    Identify flows to/from a host

      - Top N, Stat Flow Records by Bytes    Q: Why is just looking at the
                                             biggest flow not sufficient?

      - Top N, Stat Dst IP by Bytes          Q: What's the problem with this?
                                             (best if demo can show both
                                             local and remote dest IPs).

      - Top N, Stat Dst IP by Bytes and      Now, how would we find the biggest
        `dst net 10.10.0.0/16`               sender of traffic from our net?
                                             How would we find the web sites
                                             which are being downloaded the most?

      Only if class has not had their
      minds blown yet:
      - Show aggregate [X] protocol          How much total TCP, UDP, ICMP?
      - Show aggregate [X] Src IP            Same results as Stat Src IP
      - Aggregate both Src IP & Dst IP       See one row for each unique
                                             Src/Dst IP combination in the data

1:05  Explain the key nfsen screens          Questions
      - home
      - details (note: per-proto
        graphs, flows/pps/bps)

1:15  Show and explain some screens they     Questions
      can add, without too much detail.
      - channels for proto, host,...
      - porttracker

1:25  Assist with labs                       Lab exercises:
      (if running early, labs can            - export flows (10m?)
      start before break)                    - install and test nfdump (30m?)
                                             - install nfsen (20m?)
                                             - traffic generation (5m?)
                                             - nfsen drill-down following
                                               prescriptive worksheet (10m?)
                                             - nfsen drill-down having to
                                               work out another example (15m?)
                                             optional:
                                             - create channels for protocols
                                             - create channels for hosts
                                               (stacked or line)
                                             - install port tracker

2:55  Summary:                               Answer instructor questions
      ask students questions about each
      of the main objectives
----- -------------------------------------- --------------------------------------

Lab notes
---------

The students will work in pairs. In each pair, one will configure the Cisco
router to export flows to the other's VM, and the other will install nfdump
and nfsen there, with the assistance of the first. Both can use the web
interface on the second VM to analyse the traffic, and both can use `show ip
flow top-talkers` on the router. Note that if there are three people in a
group, one person will have to do everything.

The 'channels' exercise should be self-contained with screenshots, so it's
not necessary to go through it in the class presentation. The presentation
could just show one screenshot of some graphs with channels.

Students should also be encouraged to use the live nfsen instance on the noc
VM to explore a more substantial data set, although we risk overloading it if
too many people try this at once.

Test
----

At the end of the week, the final exam could show a table of packet
headers, and students need to identify which ones are in the same flows and,
for each flow, give the total number of packets and bytes. (Paper flowd :-)
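
For the 0:10 packet-header activity, the 0:45 Top N drill-down in the timeline,
and the "paper flowd" test just described, here is a worked example added to
this plan (it is not part of the original, and not nfdump's or nfsen's own
code). It turns a constructed packet table into unidirectional flows, then runs
the same Stat queries the demo walks through, so the answers to the two "Q:"
prompts come out of real numbers. The packet table, the 10.10.0.0/16 local
network and all remote addresses are constructed for the lesson.

```python
"""Packets -> flows -> Top N, the paper exercise and the nfsen drill-down in code
(added example, constructed data)."""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# A packet header as the slide or exam table would show it.
Packet = namedtuple("Packet", "time proto src dst sport dport length")
# A flow record as nfdump would list it (fields trimmed).
Flow = namedtuple("Flow", "proto src dst sport dport packets bytes")

LOCAL_NET = ip_network("10.10.0.0/16")   # assumed lab address space, as in the filters above


def aggregate(packets):
    """The 'paper flowd' step: packets with the same proto/src/dst/sport/dport
    form one unidirectional flow; count its packets and sum its bytes."""
    acc = {}
    for p in packets:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        n, b = acc.get(key, (0, 0))
        acc[key] = (n + 1, b + p.length)
    return [Flow(*key, n, b) for key, (n, b) in acc.items()]


def stat(flows, fields, keep=lambda f: True):
    """nfsen 'Stat <field> by Bytes': total bytes per distinct value of the chosen
    field(s), over the records that pass the filter `keep`, biggest first.
    fields is one name ("dst") or a tuple (("src", "dst")) for the aggregate view."""
    if isinstance(fields, str):
        fields = (fields,)
    totals = defaultdict(int)
    for f in flows:
        if keep(f):
            key = tuple(getattr(f, name) for name in fields)
            totals[key if len(key) > 1 else key[0]] += f.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def biggest_flow(flows, keep=lambda f: True):
    """nfsen 'Stat Flow Records by Bytes', top 1."""
    return max((f for f in flows if keep(f)), key=lambda f: f.bytes)


def dst_local(f):   # the filter `dst net 10.10.0.0/16`
    return ip_address(f.dst) in LOCAL_NET


def src_local(f):   # the filter `src net 10.10.0.0/16`
    return ip_address(f.src) in LOCAL_NET


# Constructed packet table for the paper exercise: eight headers, five flows.
PAPER = [
    Packet(1, "tcp",  "10.10.0.5",  "192.0.2.10", 51234, 80,    60),
    Packet(2, "tcp",  "192.0.2.10", "10.10.0.5",  80,    51234, 60),
    Packet(3, "tcp",  "10.10.0.5",  "192.0.2.10", 51234, 80,    500),
    Packet(4, "udp",  "10.10.0.5",  "10.10.0.1",  40000, 53,    70),
    Packet(5, "tcp",  "192.0.2.10", "10.10.0.5",  80,    51234, 1400),
    Packet(6, "udp",  "10.10.0.1",  "10.10.0.5",  53,    40000, 130),
    Packet(7, "tcp",  "192.0.2.10", "10.10.0.5",  80,    51234, 1400),
    Packet(8, "icmp", "10.10.0.7",  "10.10.0.1",  0,     0,     84),
]


def burst(proto, src, dst, sport, dport, count, size):
    """count packets of one size in one direction (constructed traffic)."""
    return [Packet(t, proto, src, dst, sport, dport, size) for t in range(count)]


# Constructed demo traffic: one 42 kB download to .5, five 16.8 kB downloads to .6
# from different mirrors, and one 140 kB upload from .7 to a remote site.
MIRRORS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4", "198.51.100.5"]
DEMO = burst("tcp", "192.0.2.10", "10.10.0.5", 80, 51000, 30, 1400)
for i, mirror in enumerate(MIRRORS):
    DEMO += burst("tcp", mirror, "10.10.0.6", 80, 52000 + i, 12, 1400)
DEMO += burst("tcp", "10.10.0.7", "203.0.113.9", 53000, 443, 100, 1400)


if __name__ == "__main__":
    for f in aggregate(PAPER):
        print(f)
    flows = aggregate(DEMO)
    print("biggest inbound flow:", biggest_flow(flows, dst_local))   # .5, yet .6 downloads more
    print("top dst, unfiltered: ", stat(flows, "dst")[:3])           # a remote upload sink wins
    print("top dst, local only: ", stat(flows, "dst", dst_local)[:3])  # the real top downloader
    print("top src, local only: ", stat(flows, "src", src_local)[:3])  # biggest sender from our net
    print("src/dst pairs:       ", stat(flows, ("src", "dst"))[:3])
```

The two "Q:" prompts from the demo fall out of the output: the biggest single
inbound flow goes to 10.10.0.5, but 10.10.0.6 is the top downloader because its
five medium flows add up to more; and unfiltered Stat Dst IP is topped by the
remote site 203.0.113.9, which is where 10.10.0.7 is *uploading* to, so the
`dst net 10.10.0.0/16` filter is what turns the question into "who in our
network is receiving the most".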

Extensions
----------

In a security workshop, an additional task might be to identify some
simulated attack traffic generated by the instructor (e.g. a flood of pings
inbound to one VM in each group, preferably with spoofed source IPs :-).
This can be done by creating loopback interface(s) on the noc VM, configured
with the addresses to be spoofed, and binding the pings to those, so that the
flow records show many different source addresses for the same destination.
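
For that extension task, an added Python example (constructed flow records,
not data from the lab, and not nfdump or nfsen code): it flags hosts that
exchange ICMP with an unusually large number of distinct peers, which is how a
flood of pings with spoofed source addresses stands out from an ordinary ping
in a flow listing. The `min_peers` threshold and the 198.51.100.0/24 range used
for the spoofed addresses are assumptions.

```python
"""Spot a spoofed-source ping flood in flow records (added example, constructed data)."""
from collections import defaultdict, namedtuple

# The flow-record fields that matter here; real records would come from an nfdump listing.
Flow = namedtuple("Flow", "proto src dst packets bytes")


def icmp_fan(flows, end="dst", min_peers=20):
    """Per host at `end` ("dst" or "src"), count the distinct ICMP peers and ICMP
    packets seen. Return (host, peers, packets) for hosts with at least min_peers
    distinct peers, most peers first.

    end="dst" is fan-in: a flood with spoofed sources appears as many one-way
    flows from different addresses that all end at the victim, while a normal
    ping from one admin host is a single flow with a single peer.
    end="src" is fan-out: the same victim shows up again as a big ICMP *sender*,
    because it answers every spoofed echo request and flows are unidirectional,
    so the replies are separate records with the victim as source.
    """
    other = "src" if end == "dst" else "dst"
    peers = defaultdict(set)
    packets = defaultdict(int)
    for f in flows:
        if f.proto != "icmp":
            continue
        host = getattr(f, end)
        peers[host].add(getattr(f, other))
        packets[host] += f.packets
    rows = [(h, len(p), packets[h]) for h, p in peers.items() if len(p) >= min_peers]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def synthetic_flows(n_spoofed=40):
    """Constructed sample: an admin pinging one VM, an unrelated web fetch, and a
    flood of echo requests to 10.10.0.9 from n_spoofed faked addresses in
    198.51.100.0/24 (assumed spoofed range), each with the victim's reply flow."""
    flows = [
        Flow("icmp", "10.10.0.1", "10.10.0.5", 4, 336),      # ordinary ping from the admin host
        Flow("icmp", "10.10.0.5", "10.10.0.1", 4, 336),      # and its replies
        Flow("tcp", "10.10.0.5", "192.0.2.10", 120, 9_600),  # unrelated web traffic, ignored
    ]
    for i in range(n_spoofed):
        spoofed = "198.51.100.%d" % (i + 1)
        flows.append(Flow("icmp", spoofed, "10.10.0.9", 5, 420))   # echo request, spoofed source
        flows.append(Flow("icmp", "10.10.0.9", spoofed, 5, 420))   # victim's echo reply
    return flows


if __name__ == "__main__":
    flows = synthetic_flows()
    print("ICMP fan-in  (dst, peers, packets):", icmp_fan(flows, "dst"))
    print("ICMP fan-out (src, peers, packets):", icmp_fan(flows, "src"))
    # Lower the threshold to see the ordinary admin ping sit far below the flood.
    print("all ICMP receivers:", icmp_fan(flows, "dst", min_peers=1))
```

In nfsen the equivalent drill-down is the filter `proto icmp` with Top N Stat
Dst IP ordered by flows rather than bytes: each spoofed source contributes one
small flow, so the victim tops the flow count long before it tops the byte
count, and Stat Src IP with the same filter shows it a second time as the
sender of all the replies.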