Netflow, which has become a de-facto industry standard, is a network protocol developed by Cisco for collecting IP information and monitoring network traffic. Other vendors also support other alternative flow protocols like:
- Juniper® (Jflow)
- 3Com/HP® , Dell® , and Netgear® (s-flow)
- Huawei® (NetStream)
- Alcatel-Lucent® (Cflow)
- Ericsson® (Rflow)
By analizing the flow data you can draw a map of your traffic, sources and destinations, determine the normal flow values thus analyze ddos attacks, and much more.
A sample configuration for Huawei is:
ip netstream export version 9 ip netstream sampler fix-packets 1000 inbound ip netstream sampler fix-packets 1000 outbound ip netstream export sourceip netstream export host 9996 ip netstream export template timeout-rate 1 ip netstream timeout active 1 ip netstream timeout inactive 5 ip netstream tcp-flag enable ip netstream mpls-aware label-and-ip interface ip netstream inbound ip netstream sampler fix-packets 1000 inbound slot ip netstream sampler to slot self
In production, based on the configuration above, we realized that packet sequence numbers, from a NE40X series router, does not increase sequentially as defined in RFC3954:
“
Sequence Number
Incremental sequence counter of all Export Packets sent from
the current Observation Domain by the Exporter. This value
MUST be cumulative, and SHOULD be used by the Collector to
identify whether any Export Packets have been missed. were .....
Instead the sequence numbers were increasing by former flow record (21, 9 21, 16,21 ...) count,
NetStream V9:
1 0.000000 1.1.1.256 82.3.3.256 CFLOW 1326 SEQ:510215546 total: 21 (v9) records
3 0.100533 1.1.1.256 82.3.3.256 CFLOW 606 SEQ:510215567 total: 9 (v9) records
4 0.163794 1.1.1.256 82.3.3.256 CFLOW 1326 SEQ:510215576 total: 21 (v9) records
5 0.264529 1.1.1.256 82.3.3.256 CFLOW 1026 SEQ:510215597 total: 16 (v9) records
6 0.327319 1.1.1.256 82.3.3.256 CFLOW 1326 SEQ:510215613 total: 21 (v9) records
which can be formalized as:
- "SEQ2=SEQ1+counter"
In VRP, for Netstream to be compatible with RFC, sequence-mode configuration must be configured exclusively as it is not the default behavior.
system-view [HUAWEI] slot x [HUAWEI-slot-x] ip netstream export sequence-mode packet
As sequence numbers are followed by SourceID in collectors, using "cflow.source_id==4" filter in wireshark (for this specific case) we verified that the problem is gone.
If you examine the capture carefully, you might see that there still is a little problem which is: even the sequence ID is the same, there is an extra packet which's flow number is not lined up.
If you are working with a Huawei router, be careful that many features that you expect it to work in default, must be exclusively configured. I will share these commands in another post, hopefully.
You could contiue reading Part 2:
Posts
1 comments:
Making Money - Work/Tennis: The Ultimate Guide
The way you 출장안마 would expect from betting on the tennis matches of tennis is to gri-go.com bet on the player you like most. But หาเงินออนไลน์ you kadangpintar also need a different septcasino
Post a Comment