10-01-2016 12:24 PM
hi
I'm using ntop as netflow collector on my network
I configured FNF on all my routers like that :
=============================================
!
flow exporter export-to-server
 destination xxxxxxx
 transport udp 2055
!
!
flow monitor my-flow-monitor
 record netflow ipv4 original-input
 exporter export-to-server
 cache timeout active 60
!
...
interface "inside"
 ip flow monitor my-flow-monitor input
================================================
it works well but it seems netflow (v9) exported doesn't integrate packet headers... I need them for ntop
any idea how to add them in netflow (v9) export ?
thanks
nico
10-01-2016 08:31 PM
What type of packet headers are you looking for? The packet header of every single packet that comes in? NetFlow exports flows and not every single packet. If you want to look at every packet rather than the flows, you can create a span port to the server and monitor the traffic that way. Here is the whitepaper on NetFlow
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
What is an IP Flow?
Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.
IP Packet attributes used by NetFlow:
• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of Service
• Router or switch interface
All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.
10-02-2016 12:55 AM
hi
I would just like to know if there is something in netflow packets that could identify the application
I mean: when my ntop receives netflow, right now it can only detect the application by the port used, because it seems netflow packets have only this information (+ ip src, dst, etc...)
So the question is just: is it possible to add a bit more info in netflow packets, allowing ntop to identify the application (i.e. http on port 3000 should be detected as http and not unknown)
maybe with nbar?
http://www.solarwinds.com/documentation/en/flarehelp/netflow/content/nta-set-up-nbar2-on-a-cisco-device.htm
thanks
10-03-2016 02:10 AM
Yes, NBAR will give you the application name and often times, even if the traffic is encrypted. If you get an AVC license, you can export even more detail with IPFIX: https://www.plixer.com/blog/cisco-avc/cisco-avc-flow-exports/
IPFIX is the standard for NetFlow and AVC will export details like round trip time, URL, URI, TCP window size, average packet size, retransmits and lots of VoIP details.
I hope this helps.
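An added example, not code from any poster in this thread: a small NetFlow v9 decoder showing what a collector such as ntop actually receives. A record holds only the fields named in the exporter's template, so the application is visible only when the template carries field type 95 (application ID). The sample datagram, its addresses and the application ID `3:80` are constructed values, and the 4-byte ID layout (1-byte classification engine, 3-byte selector) is an assumption of the example.

```python
import struct

# NetFlow v9 field types (RFC 3954); 95 carries the application ID (RFC 6759).
FIELDS = {1: "bytes", 2: "packets", 4: "protocol", 7: "src_port", 8: "src_addr",
          11: "dst_port", 12: "dst_addr", 95: "application_id"}

def parse_v9(datagram):
    """Decode every flow record in one NetFlow v9 export datagram."""
    if len(datagram) < 20 or struct.unpack_from("!H", datagram)[0] != 9:
        raise ValueError("not a NetFlow v9 datagram")
    templates, records, pos = {}, [], 20          # the v9 header is 20 bytes
    while pos + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, pos)
        if set_len < 4 or pos + set_len > len(datagram):
            raise ValueError("bad flowset length")
        body, pos = datagram[pos + 4:pos + set_len], pos + set_len
        if set_id == 0:                           # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, off)
                if tid < 256 or off + 4 + 4 * n > len(body):
                    break                         # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(n)]
                off += 4 + 4 * n
        elif set_id in templates:                 # data flowset with a known template
            size = sum(length for _, length in templates[set_id])
            for k in range(len(body) // size if size else 0):
                rec, cur = {}, k * size
                for ftype, length in templates[set_id]:
                    rec[FIELDS.get(ftype, ftype)] = body[cur:cur + length]
                    cur += length
                records.append(rec)
    return records

def app_id(raw):
    """Split a 4-byte application ID into (classification engine, selector)."""
    return raw[0], int.from_bytes(raw[1:], "big")

def sample_datagram():
    """Constructed export: template 256 plus one flow, HTTP carried on port 3000."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (95, 4)]
    tset = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    flow = struct.pack("!4s4sHHBII4s3x", bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]),
                       51000, 3000, 6, 4200, 12, b"\x03\x00\x00\x50")  # app ID 3:80
    return (struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0) + struct.pack("!HH", 0, 4 + len(tset))
            + tset + struct.pack("!HH", 256, 4 + len(flow)) + flow)

if __name__ == "__main__":
    print(parse_v9(sample_datagram()))
```

Without field 95 in the template, the same flow would reach the collector with only port 3000 to go on, which is the "unknown" result described above.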