FlowScan in Solaris

greenbeansneedles, Software & software development

13 Dec 2013


Cisco NetFlow Accounting with FlowScan in Solaris

Presentation topics

- Description of NetFlow & FlowScan
- Role of the report module in FlowScan
- JKFlow module design
  - Why a new module?
  - Principle of JKFlow
  - What more can this module do?
  - Principle of JKFlow
- Demo!

The Book

Contains:

1: Technical explanation: technology of NetFlow & FlowScan
2: In detail: the JKFlow report module
   - configuration
   - working (for Perl fanatics)

Purpose of the Final Work

- Implementation of a NetFlow service profiling / bandwidth monitoring system
- Flows received from central WAN routers
- Collection/analysis in Solaris 8, 9 (x86)

NetFlow protocol

- Flow accounting protocol of Cisco routers
- Flow records: src/dst IP, port, tos, bytes, ...
- PDU via UDP port 2055 (default)
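As an added example (not code from the slides, nor from cflowd or FlowScan), this Perl script builds one constructed NetFlow export PDU of the kind a collector receives on UDP port 2055 and parses it back into flow records with the fields the slide lists (src/dst IP, ports, tos, bytes). It assumes the NetFlow version 5 export format, which the slides do not state; the addresses, ports and byte counts are sample values.

```perl
#!/usr/bin/perl
# Added example (not code from the slides or from FlowScan/JKFlow):
# build and parse a NetFlow version 5 export PDU. Version 5 is assumed;
# the slides do not state the export version.
use strict;
use warnings;
use Socket qw(inet_ntoa inet_aton);

use constant V5_HEADER_LEN => 24;   # version 5 header is 24 bytes
use constant V5_RECORD_LEN => 48;   # each version 5 flow record is 48 bytes

# Constructed PDU with two flow records (sample data, not a capture).
sub build_sample_pdu {
    my @records = (
        # src, dst, srcport, dstport, proto, tos, packets, bytes
        [ '10.1.2.3',   '192.0.2.10', 43211, 80,    6, 0, 12, 9876   ],
        [ '192.0.2.10', '10.1.2.3',   80,    43211, 6, 0, 10, 345678 ],
    );
    # version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence,
    # engine_type, engine_id, sampling_interval
    my $header = pack('n n N N N N C C n',
        5, scalar @records, 100_000, 1_386_900_000, 0, 1, 0, 0, 0);
    my $body = '';
    for my $r (@records) {
        my ($src, $dst, $sp, $dp, $proto, $tos, $pkts, $bytes) = @$r;
        # srcaddr dstaddr nexthop input output dPkts dOctets first last
        # srcport dstport pad1 tcp_flags prot tos src_as dst_as src_mask dst_mask pad2
        $body .= pack('a4 a4 a4 n n N N N N n n C C C C n n C C n',
            inet_aton($src), inet_aton($dst), inet_aton('0.0.0.0'),
            1, 2, $pkts, $bytes, 90_000, 99_000, $sp, $dp,
            0, 0x18, $proto, $tos, 0, 0, 24, 24, 0);
    }
    return $header . $body;
}

# Parse a PDU into a list of flow-record hashes. A malformed datagram
# (wrong version, or a record count that does not fit the datagram length)
# is rejected rather than partially trusted; a collector should log and drop it.
sub parse_v5_pdu {
    my ($pdu) = @_;
    die "short header\n" if length($pdu) < V5_HEADER_LEN;
    my ($version, $count, $uptime, $secs, $nsecs, $seq, $etype, $eid, $sampling)
        = unpack('n n N N N N C C n', substr($pdu, 0, V5_HEADER_LEN));
    die "unsupported NetFlow version $version\n" if $version != 5;
    die "record count $count does not match datagram length\n"
        if length($pdu) != V5_HEADER_LEN + $count * V5_RECORD_LEN;

    my @flows;
    for my $i (0 .. $count - 1) {
        my $rec = substr($pdu, V5_HEADER_LEN + $i * V5_RECORD_LEN, V5_RECORD_LEN);
        my ($src, $dst, $nexthop, $in, $out, $pkts, $bytes, $first, $last,
            $sport, $dport, $pad1, $flags, $proto, $tos, $sas, $das, $smask, $dmask)
            = unpack('a4 a4 a4 n n N N N N n n C C C C n n C C', $rec);
        push @flows, {
            src => inet_ntoa($src), dst => inet_ntoa($dst),
            srcport => $sport, dstport => $dport,
            proto => $proto, tos => $tos,
            packets => $pkts, bytes => $bytes,
            tcp_flags => $flags, seq => $seq,
        };
    }
    return \@flows;
}

my $flows = parse_v5_pdu(build_sample_pdu());
for my $f (@$flows) {
    printf "%s:%d -> %s:%d proto %d tos %d bytes %d\n",
        @{$f}{qw(src srcport dst dstport proto tos bytes)};
}
```

The length check matters in practice: NetFlow is plain UDP with no authentication, so a collector must treat every datagram as untrusted input and validate the count against the actual size before indexing into it. The flow_sequence field carried in the header is kept in each record so a caller can also detect lost exports by watching for gaps.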

FlowScan

FlowScan = framework for a NetFlow system
- NetFlow collector
- Analysis/reporting of flows
- Presentation of the reports

Perl scripts combine these tools into a complete system

FlowScan Design

[Design diagram; labels recovered from the slide: Cisco Router, Flow Exports, cflowdmux, Shared Memory, Patched cflowd, flowfiles (every 5 minutes), FlowScan, analysis & reporting module (JKFlow), RRD Tools database, Webserver, CGI-Perl scripts / PHP / ASP / JSP/Servlets (JKGrapher), presentation of data to the end user]

Components:
- Cflowd
- FlowScan + report module
- RRDTool
- Makefile/CGI-script

Report module

- Analyses flows => counters
- Counters => RRDTool databases

Default:
- CampusIO (services)
- SubnetIO (subnets)

Others:
- CarrierIn
- CUFlow

FlowScan analysis & report module (JKFlow)

Constraints

No analysis possible for subnets:
- CampusIO: only services, globally
- SubnetIO: only the total for each subnet

Other modules don't deliver the wanted functionality either:
- CarrierIn: only inbound, services globally
- CUFlow: for each router, services globally


CUFlow module

- CUFlow = report module + CGI-script
- Analysis using a global set of protocols/services for different routers
- Only the total for subnets
- Top-10, HTML statistics

New: JKFlow module

- Started as a rewrite of CUFlow
- + Added subnet monitoring of protocols/services
- + Separate sets of protocols/services for each router/subnet
- + Redundant code removed
- Became an independent Perl module located at
  URL: http://users.telenet.be/jurgen.kobierczynski

Principle of JKFlow: Hashes

Hash = associative array

    my %fruit = (
        apples  => 3,
        oranges => 6,
    );
    print $fruit{apples};    # shows: 3

Hash-tree = reference to a hash inside a hash

    my $hashref = {
        a => {
            b => 2,
            c => 3,
        },
        d => 4,
    };
    print $hashref->{a}{b};  # shows: 2



Hashes in JKFlow

- Uniform structure of hash-trees for counters
- Using references to these structures: $Ref->{...}
- Reuse of routines
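The two slides above (report module: flows => counters => RRDTool databases; hashes in JKFlow: uniform hash-trees addressed through references so routines can be reused) are illustrated by the following added example. It is not JKFlow's own code: every monitored subnet gets a counter tree of the same shape, one routine updates any tree from a flow record, and one routine renders any tree as an RRDtool update command. The service table, the subnets, the flows and the RRD file naming are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not JKFlow's own code): the hash-tree counter idea from the
# slides. Every subnet gets a counter tree with the same shape, so one routine
# updates any of them and one routine turns any of them into an RRDtool
# "update" command. Services, subnets, flows and file naming are constructed.
use strict;
use warnings;

# Services to account, keyed "port/proto" (constructed sample set).
my %service    = ( '80/tcp' => 'http', '443/tcp' => 'https', '53/udp' => 'dns' );
my %proto_name = ( 6 => 'tcp', 17 => 'udp' );

# Uniform counter tree: {in|out}{service|other}{bytes|pkts|flows}
sub new_counters {
    my %c;
    for my $dir (qw(in out)) {
        for my $svc ((values %service), 'other') {
            $c{$dir}{$svc} = { bytes => 0, pkts => 0, flows => 0 };
        }
    }
    return \%c;
}

# Add one flow to a counter tree; $dir is 'in' or 'out' relative to the
# monitored object. The same routine serves every tree because the shapes match.
sub count_flow {
    my ($ref, $dir, $flow) = @_;
    my $proto = $proto_name{ $flow->{proto} } // 'other';
    my $svc = $service{"$flow->{dstport}/$proto"}
           // $service{"$flow->{srcport}/$proto"}
           // 'other';
    my $slot = $ref->{$dir}{$svc};
    $slot->{bytes} += $flow->{bytes};
    $slot->{pkts}  += $flow->{packets};
    $slot->{flows} += 1;
}

# Render one tree as the RRDtool update a report module would issue for a
# 5-minute interval (command string only; nothing is executed here).
sub rrd_update_line {
    my ($name, $ref, $timestamp) = @_;
    my (@ds, @vals);
    for my $dir (sort keys %$ref) {
        for my $svc (sort keys %{ $ref->{$dir} }) {
            for my $k (qw(bytes pkts flows)) {
                push @ds,   "${dir}_${svc}_$k";
                push @vals, $ref->{$dir}{$svc}{$k};
            }
        }
    }
    return sprintf("rrdtool update %s.rrd --template %s %d:%s",
        $name, join(':', @ds), $timestamp, join(':', @vals));
}

# Minimal CIDR test (IPv4 only).
sub ip2int  { my @o = split /\./, shift; return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3]; }
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    return (ip2int($ip) & $mask) == (ip2int($net) & $mask);
}

# Monitored subnets (constructed), each with its own counter tree.
my %subnet = (
    desktops => { cidr => '10.1.0.0/16', counters => new_counters() },
    servers  => { cidr => '10.2.0.0/16', counters => new_counters() },
);

# Constructed flow records (what a parsed flowfile would yield).
my @flows = (
    { src => '10.1.5.9',  dst => '192.0.2.7', srcport => 40001, dstport => 443,   proto => 6,  packets => 20, bytes => 2400  },
    { src => '192.0.2.7', dst => '10.1.5.9',  srcport => 443,   dstport => 40001, proto => 6,  packets => 30, bytes => 30000 },
    { src => '10.2.0.53', dst => '10.1.5.9',  srcport => 53,    dstport => 5353,  proto => 17, packets => 1,  bytes => 120   },
);

for my $f (@flows) {
    for my $name (keys %subnet) {
        my $s = $subnet{$name};
        # Traffic leaving the subnet counts as 'out', traffic entering as 'in'.
        count_flow($s->{counters}, 'out', $f) if in_cidr($f->{src}, $s->{cidr});
        count_flow($s->{counters}, 'in',  $f) if in_cidr($f->{dst}, $s->{cidr});
    }
}
print rrd_update_line($_, $subnet{$_}{counters}, 1_386_900_000), "\n" for sort keys %subnet;
```

Because `count_flow` and `rrd_update_line` only rely on the tree's shape, adding a router or a direction means creating one more tree with `new_counters` and choosing which flows feed it; no per-object accounting code is needed. A separate `other` bucket keeps the totals honest, so traffic on unlisted ports shows up in the graphs instead of silently disappearing.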

JKFlow Framework

- I needed a framework to get the desired flexibility to integrate all desired features
- I've found this in XML
- Perl + XML = XML::Simple module (XML => hash)

JKFlow.xml

JKFlow.xml elements

1: <all>, <router(s)>, <subnet(s)>, <network(s)>
2: <direction>
3: <application>, <services>, <ftp>, <protocols>, <tos>, <multicast>, <total>

(2) & (3) can be defined in (1) & (2)

Directions

- Direction = selection of source/destination subnets
- Including/excluding subnets possible: fromsubnet, tosubnet, nofromsubnet, notosubnet

Recursive Directions

- Directions can be nested inside Directions
- Each Direction has its own set of protocols and services to monitor

    <direction name="BE-NL" …>
        <direction name="BE-NL desktops" …>
        </direction>
    </direction>

What could you use this feature for?

...for subnet monitoring!
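The JKFlow.xml elements, the Directions slide and the Recursive Directions slide above are tied together in this added example, which is not the JKFlow module itself. It reads a JKFlow.xml-style configuration with XML::Simple into a hash tree, resolves the fromsubnet/tosubnet/nofromsubnet/notosubnet selection of each <direction>, walks nested directions recursively, and maps ports onto the <application> definitions of each direction. The element and attribute names are those on the slides; the attribute syntax (comma-separated CIDRs), the nesting semantics (a child direction only sees flows its parent matched), the sample configuration and the sample flows are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not the JKFlow module itself): read a JKFlow.xml-style file
# with XML::Simple into a hash tree and classify flows against nested
# <direction> elements. Element and attribute names are the ones from the
# slides; the attribute syntax, the nesting semantics and the sample
# configuration and flows are assumptions made for this example.
use strict;
use warnings;
use Socket qw(inet_aton);
use XML::Simple qw(XMLin);

my $config_xml = <<'XML';
<jkflow>
  <all>
    <direction name="BE-NL" fromsubnet="10.1.0.0/16" tosubnet="10.2.0.0/16"
               notosubnet="10.2.99.0/24">
      <application name="web">80/tcp,443/tcp</application>
      <direction name="BE-NL desktops" fromsubnet="10.1.10.0/24">
        <application name="mail">25/tcp,143/tcp</application>
      </direction>
    </direction>
  </all>
</jkflow>
XML

# XML => hash. ForceArray keeps single <direction>/<application> elements as
# lists so the recursive walker needs no special cases.
my $cfg = XMLin($config_xml, ForceArray => [qw(direction application)], KeyAttr => []);

sub ip2int  { return unpack('N', inet_aton($_[0])) }
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    my $mask = $bits ? (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF : 0;
    return (ip2int($ip) & $mask) == (ip2int($net) & $mask);
}
# True when $ip lies in any CIDR of a comma-separated attribute value.
sub in_any {
    my ($ip, $attr) = @_;
    return 0 unless defined $attr;
    for my $cidr (split /\s*,\s*/, $attr) { return 1 if in_cidr($ip, $cidr) }
    return 0;
}

# fromsubnet/tosubnet include, nofromsubnet/notosubnet exclude;
# a missing include attribute means "any".
sub direction_matches {
    my ($d, $f) = @_;
    return 0 if defined $d->{fromsubnet} && !in_any($f->{src}, $d->{fromsubnet});
    return 0 if defined $d->{tosubnet}   && !in_any($f->{dst}, $d->{tosubnet});
    return 0 if in_any($f->{src}, $d->{nofromsubnet});
    return 0 if in_any($f->{dst}, $d->{notosubnet});
    return 1;
}

# <application name="web">80/tcp,443/tcp</application> => { '80/tcp' => 'web', ... }
sub application_map {
    my ($d) = @_;
    my %map;
    for my $app (@{ $d->{application} || [] }) {
        $map{$_} = $app->{name} for split /\s*,\s*/, $app->{content};
    }
    return \%map;
}

# Recursive walk: returns "direction path: application" for every direction,
# at any depth, that the flow falls into. Each direction classifies with its
# own application set, as the slides describe.
sub classify {
    my ($dirs, $f, $path) = @_;
    my @hits;
    for my $d (@$dirs) {
        next unless direction_matches($d, $f);
        my $name  = defined $path ? "$path/$d->{name}" : $d->{name};
        my $proto = $f->{proto} == 6 ? 'tcp' : $f->{proto} == 17 ? 'udp' : 'other';
        my $map   = application_map($d);
        my $app   = $map->{"$f->{dstport}/$proto"} // $map->{"$f->{srcport}/$proto"} // 'other';
        push @hits, "$name: $app", classify($d->{direction} || [], $f, $name);
    }
    return @hits;
}

# Constructed flows: a desktop web session, a mail flow from a non-desktop
# host, and a flow into the excluded 10.2.99.0/24 range.
my @flows = (
    { src => '10.1.10.7', dst => '10.2.3.4',  srcport => 51000, dstport => 443, proto => 6 },
    { src => '10.1.20.7', dst => '10.2.3.5',  srcport => 51001, dstport => 25,  proto => 6 },
    { src => '10.1.10.7', dst => '10.2.99.9', srcport => 51002, dstport => 80,  proto => 6 },
);
for my $f (@flows) {
    my @hits = classify($cfg->{all}{direction}, $f);
    printf "%s -> %s:%d  %s\n", $f->{src}, $f->{dst}, $f->{dstport},
        @hits ? join('; ', @hits) : 'no direction';
}
```

With this configuration the first flow lands in both BE-NL (as web) and BE-NL/BE-NL desktops (as other, because the nested direction only defines mail), the second is counted only by BE-NL (as other), and the third matches nothing because of notosubnet. That is the subnet-monitoring use the slide hints at: the outer direction gives the site-to-site view, the nested one the per-subnet view, each with the services that matter there.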

Applications

Merge several services together as 'one' service

example:

    <application name="web">80/tcp,443/tcp</application>

FTP

State monitoring of FTP control sessions for detection of active/passive FTP sessions

example:

    <ftp/>
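To make the FTP slide concrete, here is an added example of stateful classification of FTP data connections; it is not the implementation behind JKFlow's <ftp/> element. It remembers the client/server pairs for which a control session (port 21/tcp) has been seen and then labels later flows as active data (server port 20 towards the client) or passive data (client towards the server on unprivileged ports). The heuristic and the sample flows are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not the implementation behind JKFlow's <ftp/> element):
# classify FTP data connections as active or passive from the FTP control
# sessions seen earlier. The heuristic and the sample flows are assumptions:
#   control : client -> server port 21/tcp
#   active  : server port 20/tcp -> client (the server opens the data connection)
#   passive : client -> server on unprivileged ports, after a control session
use strict;
use warnings;

# $state remembers "client,server" pairs with a seen control session. It has
# to persist across the 5-minute flowfiles, because the control session often
# lands in an earlier file than the data connection it negotiates.
sub classify_ftp {
    my ($state, $flows) = @_;
    my @labels;
    for my $f (@$flows) {
        my $label = 'other';
        if ($f->{proto} == 6) {
            if ($f->{dstport} == 21) {
                $state->{"$f->{src},$f->{dst}"} = 1;
                $label = 'ftp-control';
            }
            elsif ($f->{srcport} == 20 && $state->{"$f->{dst},$f->{src}"}) {
                $label = 'ftp-active-data';
            }
            elsif ($f->{srcport} >= 1024 && $f->{dstport} >= 1024
                   && $state->{"$f->{src},$f->{dst}"}) {
                $label = 'ftp-passive-data';
            }
        }
        push @labels, $label;
    }
    return @labels;
}

# Constructed flows in the order a flowfile would list them.
my @flows = (
    { src => '10.1.10.7',  dst => '192.0.2.21', srcport => 50000, dstport => 21,    proto => 6, bytes => 1200      },
    { src => '192.0.2.21', dst => '10.1.10.7',  srcport => 20,    dstport => 50001, proto => 6, bytes => 5_000_000 },
    { src => '10.1.10.7',  dst => '192.0.2.21', srcport => 50002, dstport => 40123, proto => 6, bytes => 7_000_000 },
    { src => '10.1.10.7',  dst => '192.0.2.80', srcport => 50003, dstport => 443,   proto => 6, bytes => 800       },
);
my %state;
my @labels = classify_ftp(\%state, \@flows);
for my $i (0 .. $#flows) {
    my $f = $flows[$i];
    printf "%s:%d -> %s:%d  %s\n",
        $f->{src}, $f->{srcport}, $f->{dst}, $f->{dstport}, $labels[$i];
}
```

The passive rule is deliberately loose: once a control session exists, any later unprivileged-port TCP flow between the same pair is attributed to FTP, which is what makes the data volume attributable to the service at all. In a long-running collector the state table should expire entries after a bounded time, otherwise it grows with every client ever seen and stale pairs keep mislabelling unrelated traffic.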

JKGrapher CGI-script

- CGI-script for reading the RRDTool files created by JKFlow
- Based on CUGrapher
- 1: first a preselection of routers/subnets/networks
- After this you get a web page with a form where you can select the protocols/services of the selected routers/subnets, of which you want to see a graph.

Demo

- Parsing of flowfiles by JKFlow, generation of RRDTool files
- JKGrapher interface