cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1512
Views
0
Helpful
3
Replies

netflow v9 / packet headers / ntop

nvanhaute
Level 1
Level 1

hi

I'm using ntop as netflow collector on my network

I configured FNF on all my routers like that :

 =============================================
 !
 flow exporter export-to-server
 destination xxxxxxx
 transport udp 2055
 !
 !
 flow monitor my-flow-monitor
 record netflow ipv4 original-input
 exporter export-to-server
 cache timeout active 60
 !
 ...
 interface "inside"
 ip flow monitor my-flow-monitor input
 ================================================

it works well but it seems netflow (v9) exported doesn't integrate packet hearders...  I need them for ntop

any idea how to add them in netflow (v9) export ?

thanks

nico

3 Replies 3

cwhite0013
Level 1
Level 1

What type of packet headers are you looking for? The packet header of every single packet that comes in? NetFlow exports flows and not every single packet. If you want to look at every packet rather than the flows, you can create a span port to the server and monitor the traffic that way. Here is the whitepaper on NetFlow

 http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

What is an IP Flow?

Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes.
IP Packet attributes used by NetFlow:

• IP source address

• IP destination address

• Source port

• Destination port

• Layer 3 protocol type

• Class of Service

• Router or switch interface

All packets with the same source/destination IP address, source/destination ports, protocol interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache.

hi

I just would like to know if there is something in netflow packets that could identify application

I mean : when my ntop receives netflow, right now it just can detect application by the port used cause it seems netflow packets have only these information (+ ip src, dst, etc...)

So question is just : is it possible to add a bit more info in netflow packets permitting to ntop to identify application (ie : http on port 3000 should be detected as http and not unknown)

maybe with nbar ?

http://www.solarwinds.com/documentation/en/flarehelp/netflow/content/nta-set-up-nbar2-on-a-cisco-device.htm

thanks

Yes, NBAR will give you the application name and often times, even if the traffic is encrypted. If you get an AVC license, you can export even more detail with IPFIX: https://www.plixer.com/blog/cisco-avc/cisco-avc-flow-exports/ 

IPFIX is the standard for NetFlow and AVC will export details like round trip time, URL, URI, TCP window size, average packet size, retransmits and lots of VoIP details.

I hope this helps. 

Review Cisco Networking for a $25 gift card