Track1Agenda: exercise3-nfsen-top-talkers.htm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>Using NfSen to identify top talkers</title>
  <style type="text/css">code{white-space: pre;}</style>
  <link rel="stylesheet" href="handout.css" type="text/css" />
</head>
<body>
<div id="header">
<h1 class="title">Using NfSen to identify top talkers</h1>
<h3 class="date">Network Monitoring and Management</h3>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#assumptions"><span class="toc-section-number">1.2</span> Assumptions</a></li>
</ul></li>
<li><a href="#generate-some-traffic"><span class="toc-section-number">2</span> Generate some traffic</a></li>
<li><a href="#exploring-flow-records"><span class="toc-section-number">3</span> Exploring flow records</a><ul>
<li><a href="#navigate-to-detail-page"><span class="toc-section-number">3.1</span> Navigate to Detail page</a></li>
<li><a href="#select-time-window"><span class="toc-section-number">3.2</span> Select time window</a></li>
<li><a href="#list-individual-flows"><span class="toc-section-number">3.3</span> List individual flows</a></li>
<li><a href="#flows-tofrom-one-host"><span class="toc-section-number">3.4</span> Flows to/from one host</a></li>
</ul></li>
<li><a href="#largest-flows"><span class="toc-section-number">4</span> Largest flows</a></li>
<li><a href="#inbound-traffic-grouped-by-receiver-ip-address"><span class="toc-section-number">5</span> Inbound traffic grouped by receiver IP address</a><ul>
<li><a href="#outbound-traffic-grouped-by-sender-ip-address"><span class="toc-section-number">5.1</span> Outbound traffic grouped by sender IP address</a></li>
</ul></li>
<li><a href="#analysing-traffic-to-a-single-host"><span class="toc-section-number">6</span> Analysing traffic to a single host</a><ul>
<li><a href="#ip-address-information"><span class="toc-section-number">6.1</span> IP address information</a></li>
</ul></li>
<li><a href="#additional-exercise-aggregating-flows"><span class="toc-section-number">7</span> Additional exercise: aggregating flows</a></li>
</ul>
</div>
<h1 id="introduction"><a href="#introduction"><span class="header-section-number">1</span> Introduction</a></h1>
<h2 id="goals"><a href="#goals"><span class="header-section-number">1.1</span> Goals</a></h2>
<ul>
<li>Use NfSen to find out which hosts are generating the most inbound and outbound traffic on your network</li>
</ul>
<h2 id="assumptions"><a href="#assumptions"><span class="header-section-number">1.2</span> Assumptions</a></h2>
<p>Your router is sending netflow records to one of your PCs, and that PC is running nfsen to collect this data. If you are working in a pair, then you should both point your web browser to whichever PC is receiving the flows:</p>
<p><a href="http://pcX.ws.nsrc.org/nfsen/nfsen.php">http://pcX.ws.nsrc.org/nfsen/nfsen.php</a></p>
<h1 id="generate-some-traffic"><a href="#generate-some-traffic"><span class="header-section-number">2</span> Generate some traffic</a></h1>
<p>Firstly, we need to generate some traffic passing through your router. On either of your PCs (it doesn't have to be the one running nfsen), login and type the following commands:</p>
<pre><code>$ cd /tmp
$ wget http://noc.ws.nsrc.org/downloads/BigFile
$ rm BigFile</code></pre>
<p>It will take around 5 minutes before this shows as a spike in nfsen.</p>
<h1 id="exploring-flow-records"><a href="#exploring-flow-records"><span class="header-section-number">3</span> Exploring flow records</a></h1>
<p>Now let's use Netflow to explore the traffic flows in the network, with the aim of finding out who was been downloading the most data. Look carefully at the output generated at each step - ask an instructor to explain if you don't understand what you see.</p>
<h2 id="navigate-to-detail-page"><a href="#navigate-to-detail-page"><span class="header-section-number">3.1</span> Navigate to Detail page</a></h2>
<p>The nfsen home page shows a matrix of graphs: flows per second on the left, packets per second in the middle, bits per second on the right. Click on the top-right graph (bits per second, one day view) to get to the Detail page.</p>
<h2 id="select-time-window"><a href="#select-time-window"><span class="header-section-number">3.2</span> Select time window</a></h2>
<p>Change from &quot;Single Timeslot&quot; to &quot;Time Window&quot;:</p>
<p><img src="images/nf-time-window.png" alt="Selecting time window" /><br /> Once you have done this, the vertical line in the graph window can be split. Pull the left half to the left and the right half to the right, to select the time period of interest. Then you should see some summary statistics for the time period you have selected:</p>
<div class="figure">
<img src="images/nf-statistics.png" alt="Summary statistics" /><p class="caption">Summary statistics</p>
</div>
<h2 id="list-individual-flows"><a href="#list-individual-flows"><span class="header-section-number">3.3</span> List individual flows</a></h2>
<p>Select &quot;List Flows&quot;, make sure all the Aggregate boxes are not checked, and then click <code>process</code>. This will display some flows at the beginning of the time period.</p>
<div class="figure">
<img src="images/nf-list-flows.png" alt="List flows" /><p class="caption">List flows</p>
</div>
<p>Increase the limit from 20 flows to 100 flows. Notice that much network traffic consists of large numbers of very small flows - for example a DNS query/response will be two flows, one from client to DNS server, and one back again.</p>
<p>By selecting &quot;bi-directional&quot; you can get nfsen to associate the inbound and outbound flows into a single line:</p>
<div class="figure">
<img src="images/nf-bidirectional.png" alt="Bi-directional flows" /><p class="caption">Bi-directional flows</p>
</div>
<p>However it's still too much work to wade through this looking for interesting traffic. Uncheck the &quot;Bi-directional&quot; box before continuing.</p>
<h2 id="flows-tofrom-one-host"><a href="#flows-tofrom-one-host"><span class="header-section-number">3.4</span> Flows to/from one host</a></h2>
<p>If we know which host we want to examine, we can apply a filter to show only those flows to and from that host. Do this by entering &quot;host 10.10.X.Y&quot; in the filter box, and then pressing <code>process</code> again. (Replace 10.10.X.Y with the address of one of your PCs)</p>
<div class="figure">
<img src="images/nf-flows-host.png" alt="Flows to and from one host" /><p class="caption">Flows to and from one host</p>
</div>
<p>This is a little better, but we would still have to wade through lots of small flows to find anything significant. We need to take a different approach.</p>
<h1 id="largest-flows"><a href="#largest-flows"><span class="header-section-number">4</span> Largest flows</a></h1>
<p>The next thing we can do is to get nfsen to sort the flows by number of bytes. Remove any filter from the Filter box; select &quot;Stat TopN&quot;, stat &quot;Flow Records&quot;, order by &quot;Bytes&quot;. Ensure all the aggregate boxes are all unchecked, then press <code>process</code></p>
<div class="figure">
<img src="images/nf-topn-bytes.png" alt="Find top flows by bytes" /><p class="caption">Find top flows by bytes</p>
</div>
<div class="figure">
<img src="images/nf-topn-bytes-output.png" alt="Output: top flows by bytes" /><p class="caption">Output: top flows by bytes</p>
</div>
<p>This is a definite improvement, as the flows with the largest number of bytes are shown first. However there's a problem - we are still looking at individual flows. It's possible that many small flows to the same host would add up to a large amount of traffic, but we wouldn't see them at the top of this list.</p>
<h1 id="inbound-traffic-grouped-by-receiver-ip-address"><a href="#inbound-traffic-grouped-by-receiver-ip-address"><span class="header-section-number">5</span> Inbound traffic grouped by receiver IP address</a></h1>
<p>What we want to see is a single line for each host in our network, showing the total amount of traffic delivered to that host.</p>
<p>To do this, Stat &quot;DST IP Address&quot;, order by &quot;bytes&quot;.</p>
<div class="figure">
<img src="images/nf-topn-dest.png" alt="Group flows by DST IP Address" /><p class="caption">Group flows by DST IP Address</p>
</div>
<p>This is now much closer to what we want: there is one line for each destination IP address, and they are ordered by total bytes, largest first.</p>
<p>But there is still one problem - can you see what it is? We are seeing a mixture of inbound flows (where the destination IP is inside our network) and outbound flows (where the destination IP is on the Internet). We are only interested in the inbound flows, so apply a filter which shows only traffic to your group's network: &quot;dst net 10.10.X.0/24&quot; (replacing X with your group number)</p>
<div class="figure">
<img src="images/nf-topn-dst-local.png" alt="Flows to local network, grouped by DST IP Address" /><p class="caption">Flows to local network, grouped by DST IP Address</p>
</div>
<div class="figure">
<img src="images/nf-topn-dst-local-output.png" alt="Output: Flows to local network, grouped by DST IP Address" /><p class="caption">Output: Flows to local network, grouped by DST IP Address</p>
</div>
<p>At last we have what we want. The first record you see should tell you the local machine which has downloaded the most traffic in the period selected.</p>
<h2 id="outbound-traffic-grouped-by-sender-ip-address"><a href="#outbound-traffic-grouped-by-sender-ip-address"><span class="header-section-number">5.1</span> Outbound traffic grouped by sender IP address</a></h2>
<p>Question: what changes would you have to make to this query to find out which machines in your network are <em>uploading</em> the most traffic to the Internet?</p>
<h1 id="analysing-traffic-to-a-single-host"><a href="#analysing-traffic-to-a-single-host"><span class="header-section-number">6</span> Analysing traffic to a single host</a></h1>
<p>Now that we know which host has downloaded the most traffic, we might want to see where it has been downloading from.</p>
<p>Let's start by looking at the top flows to that host. Change the filter to &quot;dst host 10.10.X.Y&quot; (the IP address you just found). Then select Stat &quot;Flow Records&quot;, order by &quot;bytes&quot;, and <code>process</code>.</p>
<div class="figure">
<img src="images/nf-dst-host-flows.png" alt="Largest flows to one host" /><p class="caption">Largest flows to one host</p>
</div>
<p>You should now see the flows inbound to that host, largest first. But again, we're only seeing large individual flows; a collection of small flows may add together to a large amount of traffic.</p>
<p>Since we are only looking at flow records to one particular destination IP address, we can group these records by source IP address.</p>
<div class="figure">
<img src="images/nf-dst-host-srcs.png" alt="Flows to one host, grouped by SRC IP address" /><p class="caption">Flows to one host, grouped by SRC IP address</p>
</div>
<div class="figure">
<img src="images/nf-dst-host-srcs-output.png" alt="Output: Flows to one host, grouped by SRC IP address" /><p class="caption">Output: Flows to one host, grouped by SRC IP address</p>
</div>
<p>And now we have one row for each IP address this host has been downloading from, with the total number of bytes downloaded from each IP, largest total first.</p>
<h2 id="ip-address-information"><a href="#ip-address-information"><span class="header-section-number">6.1</span> IP address information</a></h2>
<p>By clicking on an IP address, you will get some information from reverse DNS and whois.</p>
<div class="figure">
<img src="images/nf-whois.png" alt="Whois information" /><p class="caption">Whois information</p>
</div>
<h1 id="additional-exercise-aggregating-flows"><a href="#additional-exercise-aggregating-flows"><span class="header-section-number">7</span> Additional exercise: aggregating flows</a></h1>
<p>nfsen offers some other ways to summarise the flows, using the Aggregate checkboxes. In this example we'll look again at traffic inbound to your network.</p>
<p>When you click one or more of the Aggregate boxes, nfsen combines all flows that share the same values of the attribute(s) you have selected.</p>
<p>To start this exercise, set the filter to &quot;dst net 10.10.X.0/24&quot; (X = your group). Select &quot;Stat TopN&quot;, Stat &quot;Flow Records&quot;, order by &quot;bytes&quot;. Then try the following aggregates, remembering to click <code>process</code> after each one.</p>
<ul>
<li><p>Check &quot;proto&quot;. You should get just one row each for TCP, UDP and ICMP, showing the total amount of traffic using each protocol. Sometimes this may show other protocols are active on your network (e.g. protocol 50 = IPSEC ESP; in Linux the file <code>/etc/protocols</code> has a list of them)</p></li>
<li><p>Check both &quot;proto&quot; and &quot;srcPort&quot;. This tells nfsen to combine together flows which have the same proto <em>and</em> the same srcPort. Depending on what activity has been going on, you may see one line giving the total for TCP port 80, one line for TCP port 443, one line for UDP port 53, and so on.</p></li>
<li><p>Check &quot;srcIP&quot; by itself. This gives one row for each distinct source IP address, and is the same as selecting Stat SRC IP.</p></li>
<li><p>Check both &quot;srcIP&quot; and &quot;dstIP&quot;. You will get one row for each unique pair of srcIP and dstIP seen, with the total traffic between those two endpoints.</p></li>
</ul>
<p>How would you change the filter to look at outbound traffic, rather than inbound traffic?</p>
<p>If you have a router with a full BGP table, you can aggregate netflow records by AS number. This is a useful way to find out what networks you are exchanging the most traffic with.</p>
</body>
</html>