% Training plan: NetFlow
% NSRC Network Monitoring and Management workshop

Students
:   Classroom of 20-36 students in groups of 3 or 4.

Pre-requisites
:   Students will already be able to ssh into VMs, edit files, and log in
    to Cisco. They will have a basic understanding of IP datagrams and
    port numbers.

Time available
:   Total of 3 to 3.5 hours, split into 2 sessions.

Materials
---------

* NMM lab with 5-9 groups of 4 VMs, each group behind a Dynamips Cisco
* Student laptops with wifi access to lab and ssh client
* Projector and laptop
* Flipchart or whiteboard and pens
* Presentations and exercises available to students

Preparation
-----------

* Web site with "BigFile" (arbitrary content, suggested size 20-50MB)
* Anonymous FTP site with "BigFile". vsftpd is the easiest way to
  install one [FIXME: depends if drill-down exercise will do both HTTP
  and FTP]
* Netflow running for several days on the noc VM, receiving flows from
  the gateway router
* Scan through the netflow data to identify a time period where there is
  'interesting' traffic, with some large flows both inbound and outbound

Objectives
==========

General objective
-----------------

To enable students to make use of NetFlow to analyse traffic within
their networks.

Specific objectives
-------------------

After this session, students will be able to:

* Describe flows and flow records
* Identify the flows in a UDP or TCP exchange (i.e. demonstrate their
  understanding that flows are unidirectional)
* List the two most commonly-used versions of netflow
* Configure a Cisco router to send flow records
* Install and configure nfdump and nfsen by following a worksheet
* Locate the files of flow records created by nfdump
* Use the nfsen web interface drill-down to identify the top sending
  machine and top receiving machine in a local network
* Build simple filter queries such as `proto icmp`, `src host 10.10.0.x`,
  `dst net 10.10.0.0/16`, `tcp and dst port 80`
* Find the nfdump and nfsen documentation on the web

They should also remember that traffic *to* a webserver has *dst* port
80, but traffic *from* a webserver has *src* port 80.

Secondary objectives
--------------------

It would also be useful for students to be able to:

* Configure "top-talkers" and explain its output
* Describe and configure profiles and channels in nfsen
* Collect netflow records from multiple routers into one nfsen instance
* Use more advanced filter queries, e.g. `in if 1`

Tertiary objectives
-------------------

More advanced students may wish to:

* Install the porttracker plugin
* Configure a BGP-aware router to send AS info in netflow
* Configure flow aggregation and flow sampling in the router
* Configure softflowd

Time is most likely not available, but these can be provided as
supplementary materials.

Timeline
========

-----  ----------------------------------------  ------------------------------------------
Time   Teacher activity                          Student activity
-----  ----------------------------------------  ------------------------------------------
0:00   Introduction, explain purpose of          Listen
       netflow in contrast to cacti

0:05   Presentation                              Listen, ask questions
       - what is a flow?
       - Cisco definition of a flow.
       Picture showing some different
       coloured packets belonging to
       different flows.

0:10   Show some packet headers                  Identify which ones belong to the same
                                                 flows. Give total packets and bytes
                                                 per flow.

0:15   What does a flow record contain?          Watch
       (simple diagram)

0:20   How can you generate flow records?        Q: What other device might you already
       - From a router                           have which tracks usage of UDP/TCP
       - Using mirror port and softflowd         traffic per port?
                                                 (A: firewall. Some can generate netflow
                                                 records, e.g. ASA, pfflowd)

0:30   Diagram to show how nfdump and nfsen      Watch, ask questions
       fit together. Show some graphs,
       explain that these are *sums* of
       flows. For any further analysis it
       just shells out to nfdump.

0:45   Demo using nfsen to identify busiest
       downloaders and uploaders. This can
       be done live, or we could have a
       prepared screencast.
       - select interesting time period          Identify small flows on screen,
       - look at totals for time period          e.g. DNS. Identify web flows.
       - list raw flows
       - list flows with `proto tcp`
       - list flows `[src] host 10.10.0.x`       Identify flows to/from a host
       - Top N, Stat Flow Records by Bytes       Q: Why is just looking at the biggest
                                                 flow not sufficient?
       - Top N, Stat Dst IP by Bytes             Q: What's the problem with this? (best
                                                 if demo can show both local and remote
                                                 dest IPs).
       - Top N, Stat Dst IP by Bytes and         Now, how would we find the biggest
         `dst net 10.10.0.0/16`                  sender of traffic from our net? How
                                                 would we find the web sites which are
                                                 being downloaded from the most?
       Only if class has not had their
       minds blown yet:
       - Show aggregate [X] protocol             How much total TCP, UDP, ICMP?
       - Show aggregate [X] Src IP               Same results as Stat Src IP
       - Aggregate both Src IP & Dst IP          See one row for each unique Src/Dst IP
                                                 combination in the data

1:05   Explain the key nfsen screens             Questions
       - home
       - details (note: per-proto graphs,
         flows/pps/bps)

1:15   Show and explain some screens they        Questions
       can add, without too much detail.
       - channels for proto, host, ...
       - porttracker

1:25   Assist with labs                          Lab exercises:
       (if running early, labs can               - export flows (10m?)
       start before break)                       - install and test nfdump (30m?)
                                                 - install nfsen (20m?)
                                                 - traffic generation (5m?)
                                                 - nfsen drill-down following
                                                   prescriptive worksheet (10m?)
                                                 - nfsen drill-down having to work
                                                   out another example (15m?)
                                                 optional:
                                                 - create channels for protocols
                                                 - create channels for hosts
                                                   (stacked or line)
                                                 - install port tracker

2:55   Summary: ask students questions           Answer instructor questions
       about each of the main objectives
-----  ----------------------------------------  ------------------------------------------

Lab notes
---------

The students will work in pairs. In each pair, one will configure the
Cisco router to send flows to the second. The other will install nfdump
and nfsen, with the assistance of the first. Both can use the web
interface on the second VM to analyse the traffic, and both can use
`show ip flow top-talkers`.

Note that if there are three people in a group, then one person in the
group will have to do everything.

The 'channels' exercise should be self-contained with screenshots, so
it's not necessary to go through this in the class presentation. The
presentation could just show one screenshot of some graphs with
channels.

Students should also be encouraged to use the live nfsen instance on the
noc VM to explore a more substantial data set, although we risk overload
if too many people try this at once.

Test
----

At the end of the week, the final exam could show a table of packet
headers, and students need to identify which ones are in the same flows,
and for each flow give the total number of packets and bytes. (Paper
flowd :-)

Extensions
----------

In a security workshop, an additional task might be to identify some
simulated attack traffic generated by the instructor (e.g. a flow of
pings inbound to one VM in each group, preferably with spoofed source
IPs :-). This can be done by creating loopback interface(s) on the noc
VM and binding the pings to those.