Nagios Network Analyzer
Nicholas Scott
Itinerary
Quick (Maybe) Netflow Introduction
How NNA fits into the picture
NNA Features
NNA Use Cases
Questions
Netflow: What is Netflow?
- Originally developed by Cisco
- Analyzes every packet flowing through an interface
- Information gleaned varies by Netflow version
- When it analyzes, it groups like streams into flows, which can be thought of as conversations
Netflow: What is a flow?
A grouping of packets that share:
Interface Index
Source Address
Destination Address
Source Port
Source Address
IP Type of Service
Cisco Netflow v5 definition. Not a hard/fast standard.
Netflow: General Architecture
[Diagram: Traffic Generators, A Network System, Router, Netflow Collector]
The idea is: traffic flows through some Netflow Exporter and gets sent to a collector.
Software Netflow export is available.
Netflow: On Versions
v5 and v9 are the most popular
IPv6 is not supported by v5
IPFIX will take it from here
- They all control the format of what is sent back to the collector
- v5 is on your grandma's router
- They also determine what constitutes a flow
- They contain different information; IPFIX and Netflow v9 are user-specifiable
- IPFIX is based on Netflow v9 and is the new standard
Netflow: Packet Information
Input interface index used by SNMP (ifIndex in IF-MIB).
Output interface index or zero if the packet is dropped.
Timestamps for the flow start and finish time
Number of bytes and packets observed in the flow
Source & destination IP addresses
Source and destination port numbers for TCP, UDP, SCTP
ICMP Type and Code.
IP protocol
Type of Service (ToS) value
IP address of the immediate next-hop
Source & destination IP masks (prefix lengths in the CIDR notation)
Netflow v5 packet information
IPFIX and v9 are much more customizable in what they can send, such as MPLS information, and once again, IPv6 information
Reflect on the introspection this can give you for each set of packets
Take a step back and realize how much data this is. Or don't, it hurts sometimes.
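The field list above maps directly onto the v5 export datagram, so here is an added example (not from the original slides) of a collector-side decoder that also rejects datagrams whose framing is inconsistent, since export arrives from the network. It assumes the published Cisco v5 layout (24-byte header, 48-byte records, at most 30 records) and the exporter convention of packing ICMP type and code into the destination-port field; the sample datagram and its addresses are constructed.

```python
import socket
import struct

# NetFlow v5 wire layout: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records

def parse_v5(datagram: bytes) -> list:
    """Decode one export datagram, rejecting inconsistent framing."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for off in range(HEADER.size, len(datagram), RECORD.size):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport,
         dport, _tcp_flags, proto, tos, _src_as, _dst_as, src_mask,
         dst_mask) = RECORD.unpack_from(datagram, off)
        flow = {
            "src": f"{socket.inet_ntoa(src)}/{src_mask}",
            "dst": f"{socket.inet_ntoa(dst)}/{dst_mask}",
            "next_hop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,      # SNMP ifIndex values
            "packets": pkts, "bytes": octets,
            "first_ms": first, "last_ms": last,    # exporter sysUptime, ms
            "proto": proto, "tos": tos, "src_port": sport, "dst_port": dport,
        }
        if proto == 1:  # ICMP: exporters put type*256+code in the dst port field
            flow["icmp_type"], flow["icmp_code"] = divmod(dport, 256)
        flows.append(flow)
    return flows

def sample_datagram() -> bytes:
    """Constructed test input: one TCP flow and one ICMP echo-request flow."""
    ip = socket.inet_aton
    hdr = HEADER.pack(5, 2, 60000, 1700000000, 0, 1, 0, 0, 0)
    tcp = RECORD.pack(ip("192.0.2.10"), ip("198.51.100.7"), ip("192.0.2.1"),
                      1, 2, 12, 3400, 1000, 5000, 51514, 443, 0x1B, 6, 0,
                      0, 0, 24, 24)
    icmp = RECORD.pack(ip("192.0.2.10"), ip("203.0.113.9"), ip("192.0.2.1"),
                       1, 2, 4, 336, 2000, 2300, 0, 0x0800, 0, 1, 0,
                       0, 0, 24, 24)
    return hdr + tcp + icmp
```

Calling `parse_v5(sample_datagram())` returns two flow dictionaries; a truncated datagram or one whose header count disagrees with its length raises `ValueError` instead of being partially decoded.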
Netflow: On Flow Standards
Lots of incredibly similar standards: jFlow, rFlow, cflowd, etc.
sFlow is different
Samples packets
Uses statistical analysis
Scales well
Can lose traffic information
Used by many vendors
Lots of vendors were scared of Cisco Netflow trademark