% Training plan: NetFlow
% NSRC Network Monitoring and Management workshop

Students
: Classroom of 20-36 students in groups of 3 or 4.
Pre-requisites
: Students will already be able to ssh into VMs, edit files, and log in
to the Cisco router. They will have a basic understanding of IP datagrams
and port numbers.
Time available
: Total of 3 to 3.5 hours, split into 2 sessions.

Materials
---------
* NMM lab with 5-9 groups of 4 VMs, each group behind a Dynamips Cisco
* Student laptops with wifi access to lab and ssh client
* Projector and laptop
* Flipchart or whiteboard and pens
* Presentations and exercises available to students

Preparation
-----------
* Web site with "BigFile" (arbitrary content, suggested size 20-50MB)
* Anonymous FTP site with "BigFile". vsftpd is the easiest way to install one
  [FIXME: depends on whether the drill-down exercise will do both HTTP and FTP]
* Netflow running for several days on the noc VM, receiving flows
  from the gateway router
* Scan through the netflow data to identify a time period where there is
  'interesting' traffic, with some large flows both inbound and outbound

Objectives
==========

General objective
-----------------

To enable students to make use of NetFlow to analyse traffic within their
networks.

Specific objectives
-------------------

After this session, students will be able to:

* Describe flows and flow records
* Identify the flows in a UDP or TCP exchange (i.e. demonstrate
  their understanding that flows are unidirectional)
* List the two most commonly-used versions of netflow
* Configure a Cisco router to send flow records
* Install and configure nfdump and nfsen by following a worksheet
* Locate the files of flow records created by nfdump
* Use the nfsen web interface drill-down to identify the top sending
  machine and top receiving machine in a local network
* Build simple filter queries such as `proto icmp`, `src host 10.10.0.x`,
  `dst net 10.10.0.0/16`, `tcp and dst port 80`
* Find the nfdump and nfsen documentation on the web

They should also remember that traffic *to* a webserver has *dst* port 80,
but traffic *from* a webserver has *src* port 80.

Secondary objectives
--------------------

It would also be useful for students to be able to:

* Configure "top-talkers" and explain its output
* Describe and configure profiles and channels in nfsen
* Collect netflow records from multiple routers into one nfsen instance
* Use more advanced filter queries, e.g. `in if 1`

Tertiary objectives
-------------------

More advanced students may wish to:

* Install the porttracker plugin
* Configure a BGP-aware router to send AS info in netflow
* Configure flow aggregation and flow sampling in the router
* Configure softflowd

Class time is most likely not available for these, but they can be provided
as supplementary materials.

Timeline
========

----  --------------------------------------  ------------------------------------
Time  Teacher activity                        Student activity
----  --------------------------------------  ------------------------------------
0:00  Introduction, explain purpose of        Listen
      netflow in contrast to cacti

0:05  Presentation                            Listen, ask questions
      - what is a flow?
      - Cisco definition of a flow.
      Picture showing some different
      coloured packets belonging to
      different flows.

0:10  Show some packet headers                Identify which ones belong
                                              to the same flows. Give total
                                              packets and bytes per flow.

0:15  What does a flow record contain?        Watch
      (simple diagram)

0:20  How can you generate flow records?      Q: What other device might you
      - From a router                         already have which tracks usage
      - Using mirror port and softflowd       of UDP/TCP traffic per port?
                                              (A: firewall. Some can generate
                                              netflow records, e.g. ASA, pfflowd)

0:30  Diagram to show how nfdump and nfsen    Watch, ask questions
      fit together. Show some graphs,
      explain that these are *sums* of
      flows. For any further analysis
      it just shells out to nfdump.

0:45  Demo using nfsen to identify
      busiest downloaders and uploaders.
      This can be done live, or we
      could have a prepared screencast.

      - select interesting time period        Identify small flows on screen,
      - look at totals for time period        e.g. DNS. Identify web flows.
      - list raw flows
      - list flows with `proto tcp`

      - list flows `[src] host 10.10.0.x`     Identify flows to/from a host

      - Top N, Stat Flow Records by Bytes     Q: Why is just looking at the
                                              biggest flow not sufficient?

      - Top N, Stat Dst IP by Bytes           Q: What's the problem with this?
                                              (best if demo can show both
                                              local and remote dest IPs).

      - Top N, Stat Dst IP by Bytes and       Now, how would we find the biggest
        `dst net 10.10.0.0/16`                sender of traffic from our net?
                                              How would we find the web sites
                                              which are being downloaded the most?

      Only if class has not had their
      minds blown yet:
      - Show aggregate [X] protocol           How much total TCP, UDP, ICMP?
      - Show aggregate [X] Src IP             Same results as Stat Src IP
      - Aggregate both Src IP & Dst IP        See one row for each unique
                                              Src/Dst IP combination in the data

1:05  Explain the key nfsen screens           Questions
      - home
      - details (note: per-proto
        graphs, flows/pps/bps)

1:15  Show and explain some screens they      Questions
      can add, without too much detail.
      - channels for proto, host,...
      - porttracker

1:25  Assist with labs                        Lab exercises:
      (if running early, labs can             - export flows (10m?)
      start before break)                     - install and test nfdump (30m?)
                                              - install nfsen (20m?)
                                              - traffic generation (5m?)
                                              - nfsen drill-down following
                                                prescriptive worksheet (10m?)
                                              - nfsen drill-down having to
                                                work out another example (15m?)
                                              optional:
                                              - create channels for protocols
                                              - create channels for hosts
                                                (stacked or line)
                                              - install port tracker

2:55  Summary:                                Answer instructor questions
      ask students questions about each
      of the main objectives
----  --------------------------------------  ------------------------------------

Lab notes
---------

The students will work in pairs. In each pair, one will configure the Cisco
router to send flows to the second. The other will install nfdump and
nfsen, with the assistance of the first. Both can use the web interface on
the second VM to analyse the traffic, and both can use `show ip flow
top-talkers`. Note that if there are three people in a group, then one
person in the group will have to do everything.

The 'channels' exercise should be self-contained with screenshots, so it's
not necessary to go through this in the class presentation. The presentation
could just show one screenshot of some graphs with channels.

Students should also be encouraged to use the live nfsen instance on the noc
VM to explore a more substantial data set, although we risk overload if too
many people try this at once.

Test
----

At the end of the week, the final exam could show a table of packet
headers, and students need to identify which ones are in the same flows, and
for each flow give the total number of packets and bytes. (Paper flowd :-)
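As an added illustration of the packet-header exercise at 0:10 and the "paper flowd" test above, together with the drill-down filters listed in the objectives, the Python below (example code written for this plan, not nfdump or nfsen code) groups constructed packet headers into unidirectional flow records, applies nfdump-style filters, and totals bytes per address the way the nfsen Stat Src/Dst IP views do. The addresses, ports and byte counts are invented sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample packet headers (not from the page): a web download by
# 10.10.0.5 from 192.0.2.80, plus one DNS lookup to the local resolver.
# Tuple layout: (src_ip, dst_ip, proto, src_port, dst_port, bytes).
PACKETS = [
    ("10.10.0.5", "192.0.2.80", "tcp", 51000, 80, 60),    # SYN
    ("192.0.2.80", "10.10.0.5", "tcp", 80, 51000, 60),    # SYN/ACK
    ("10.10.0.5", "192.0.2.80", "tcp", 51000, 80, 300),   # HTTP GET
    ("192.0.2.80", "10.10.0.5", "tcp", 80, 51000, 1500),  # response data
    ("192.0.2.80", "10.10.0.5", "tcp", 80, 51000, 1500),  # response data
    ("10.10.0.5", "192.0.2.80", "tcp", 51000, 80, 52),    # ACK
    ("10.10.0.5", "10.10.0.1", "udp", 40000, 53, 70),     # DNS query
    ("10.10.0.1", "10.10.0.5", "udp", 53, 40000, 150),    # DNS reply
]

def flow_key(pkt):
    """Unidirectional 5-tuple: each direction of an exchange is its own flow."""
    src, dst, proto, sport, dport, _ = pkt
    return (src, dst, proto, sport, dport)

def build_flow_records(packets):
    """The 'paper flowd': one (packets, bytes) record per flow."""
    records = defaultdict(lambda: [0, 0])
    for pkt in packets:
        records[flow_key(pkt)][0] += 1
        records[flow_key(pkt)][1] += pkt[5]
    return {k: tuple(v) for k, v in records.items()}

def select(records, proto=None, dst_port=None, dst_net=None):
    """Minimal analogue of nfdump filters like 'tcp and dst port 80'
    or 'dst net 10.10.0.0/16', applied to flow records."""
    net = ipaddress.ip_network(dst_net) if dst_net else None
    return {
        key: rec for key, rec in records.items()
        if (proto is None or key[2] == proto)
        and (dst_port is None or key[4] == dst_port)
        and (net is None or ipaddress.ip_address(key[1]) in net)
    }

def stat_bytes_by(records, field):
    """Like nfsen 'Stat Src IP / Dst IP by Bytes': total bytes per address,
    field 0 = source address, field 1 = destination address."""
    totals = defaultdict(int)
    for key, (_, nbytes) in records.items():
        totals[key[field]] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

Note that the single biggest flow (the server's reply, src port 80) is not the same answer as the biggest receiver by bytes, which sums both the web reply and the DNS reply to 10.10.0.5; that is the point of the "Stat Dst IP by Bytes" question in the timeline.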

Extensions
----------

In a security workshop, an additional task might be to identify some
simulated attack traffic generated by the instructor (e.g. a flow of pings
inbound to one VM in each group, preferably with spoofed source IPs :-).
This can be done by creating loopback interface(s) on the noc VM and
binding the pings to those.