NTG Anomalous Traffic Monitoring System: Principles Explained


• Source IP Address
• Destination IP Address
• Source TCP/UDP Port
• Destination TCP/UDP Port
From/To
Time of Day Port Utilization
Application
QoS
• Next Hop Address (0)
• Source AS Number (0)
• Dest. AS Number (0)
• Source Prefix Mask (0)
• Dest. Prefix Mask (0)
Netflow V7
Exclusively supports Cisco Catalyst 5000 series switches with a NetFlow feature card (NFFC). Not compatible with Cisco routers.

Netflow V8
2. Expiration
• Inactive timer expired (15 sec is default)
• Active timer expired (30 min (1800 sec) is default)
• NetFlow cache is full (oldest flows are expired)
• RST or FIN TCP Flag
NetFlow Data Exported
Conscientious, Pragmatic, Dedicated, Striving for Excellence
Netflow
Traffic Analysis and Monitoring for Network Planning
Usage Information
Router Feature Acceleration
• Empowers users with the ability to characterize their IP data flows
• The who, what, where, when, and how much IP traffic questions are answered
Netflow V1 Flow Record
Usage
• Packet Count
• Byte Count
• Start Timestamp
• End Timestamp
• Input Interface Port
• Output Interface Port
• Type of Service
• TCP Flags (Cumulative OR)
• Protocol
• Source IP Address
• Destination IP Address
• Source TCP/UDP Port
• Destination TCP/UDP Port
• Next Hop Address
• Source AS Number
• Dest. AS Number
• Source Prefix Mask
• Dest. Prefix Mask
SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4
Version 5
• Flow_sequence
• Engine_type
• Engine_id
• Sampling_interval
Version 8
• Aggregation
• Agg_version (=2)
• Count (No. of FlowSet)
• Source ID
• Aggregation: Aggregation method being used
3. Aggregation?
e.g. Protocol-Port Aggregation Scheme becomes
4. Export Version
Non-Aggregated Flows – export Version 5 or 9
Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
11        11000  00A2     00A2     1528
• Router_sc
Routing and Peering
Short-cut Router
Netflow Sampling
Sampled – GSR only
Strongly recommended for speeds higher than OC-3
Only used in V5 and V9
Range from 10 to 16382 (packets)
Default interval is 4 billion (to protect the router from being choked by a misconfiguration)
NetFlow
Using UDP to send multiple flow records in one packet
Header
• Sequence Number
• Record Count
• Version Number
Flow Record
Flow Record
Flow Record
Flow Record
Netflow V9
An export format
Flexible and extensible
Still a push model
Sends the template regularly (configurable)
Independent of the underlying protocol; it is ready for any reliable protocol (e.g. TCP, SCTP)
Aggregated Flows – export Version 8 or 9
Payload (flows)
Export Packet
Header
5. Transport Protocol
Netflow Datagram
Netflow Versions

1. Create and update flows in NetFlow Cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14
Adds router-based aggregation schemes.

Netflow V9
Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now: MPLS, Multicast, and BGP Next Hop
QoS
Netflow V5 Flow Record
Usage
• Packet Count
• Byte Count
• Start Timestamp
• End Timestamp
• Input Interface Port
• Output Interface Port
• Type of Service
• TCP Flags (Cumulative OR)
• Protocol
• Source IP Address
• Destination IP Address
• Source TCP/UDP Port
• Destination TCP/UDP Port
From/To
Time of Day Port Utilization
Application
• Next Hop Address
Routing and Peering
Formats
• Version 1 (V1)
• Version 5 (V5)
• Version 7 (V7)
• Version 8 (V8)
• Version 9 (V9)
• Versions 2, 3, 4, and 6 were not released
NetFlow Sequence Router
From/To
Time of Day Port Utilization
Application
QoS
Routing and Peering
Netflow V7 Flow Record
Usage
• Packet Count
• Byte Count
• Start Timestamp
• End Timestamp
• Input Interface Port (0)
• Output Interface Port
• Type of Service (1st pkt)
• TCP Flags (0)
• Protocol
Netflow V1
The original format supported in the initial NetFlow releases.
Netflow V5
Adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers.
Understanding NetFlow
Topics
Netflow Overview
Netflow Datagram
Deploy Netflow
Netflow Overview
Flow
Seven Keys Define a Flow:
1. Source Address
2. Destination Address
3. Source Port
4. Destination Port
5. Layer 3 Protocol
6. TOS Byte (DSCP)
7. Input Interface
Netflow Headers
Version 1
• Version
• Count (No. of Records)
• SysUptime
• Unix_secs
• Unix_nsecs
• Version: Netflow Version Number
• Count: The number of records in PDU
Version 7
• Flow_sequence: Sequence number total flows seen
Version 9
• Sampling_interval: the sampling type (2 bits) and interval
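A collector-side decoder for the V5 header and flow record fields listed in these slides, with a Flow_sequence check for lost exports. This is an added example, not part of the original slides: the function names, interface indexes, sampling value and timestamps are assumptions, and the sample row's Protocol, TOS, Flgs and port columns are read as hexadecimal.

```python
import socket
import struct

# NetFlow v5 wire layout (big-endian): one 24-byte header, then Count 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "pkts", "octets", "first",
          "last", "sport", "dport", "tcp_flags", "proto", "tos", "src_as",
          "dst_as", "src_mask", "dst_mask")


def parse_v5(datagram):
    """Decode one export datagram into (header dict, list of flow dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, samp = HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version={ver})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("Count does not match datagram length")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": etype, "engine_id": eid,
              # Sampling_interval: top 2 bits are the type, low 14 the interval.
              "sampling_type": samp >> 14, "sampling_interval": samp & 0x3FFF}
    flows = []
    for i in range(count):
        offset = HEADER.size + i * RECORD.size
        flow = dict(zip(FIELDS, RECORD.unpack_from(datagram, offset)))
        for key in ("src", "dst", "nexthop"):
            flow[key] = socket.inet_ntoa(flow[key])
        flows.append(flow)
    return header, flows


def lost_flows(expected_seq, header):
    """Flow records missed before this datagram (Flow_sequence wraps at 2**32)."""
    return (header["flow_sequence"] - expected_seq) % 2**32


def sample_datagram(seq=1000):
    """Constructed datagram carrying the first cache row from the slides' table."""
    ip = socket.inet_aton
    rec = RECORD.pack(ip("173.100.21.2"), ip("10.0.227.12"), ip("10.0.23.2"),
                      1, 2,                  # interface indexes: assumed values
                      11000, 11000 * 1528,   # Pkts, Pkts * Bytes/Pkt
                      0, 1745000,            # first/last uptime in ms (Active 1745 s)
                      0x00A2, 0x00A2, 0x10, 0x11, 0x80,  # ports, Flgs, Protocol, TOS
                      5, 15, 24, 24)         # SrcAS, DstAS, SrcMsk, DstMsk
    head = HEADER.pack(5, 1, 1800000, 1700000000, 0, seq, 0, 0, (1 << 14) | 100)
    return head + rec
```

After each datagram the collector's next expected sequence is `flow_sequence + count`; a non-zero `lost_flows` result means export packets were dropped and any anomaly baseline for that interval is undercounted.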