<HTML><HEAD><TITLE>flow-tools-examples</TITLE><METANAME="GENERATOR"CONTENT="Modular DocBook HTML Stylesheet Version 1.71"></HEAD><BODYCLASS="REFENTRY"BGCOLOR="#FFFFFF"TEXT="#000000"LINK="#0000FF"VLINK="#840084"ALINK="#0000FF"><H1><ANAME="AEN1"><SPANCLASS="APPLICATION">flow-tools-examples</SPAN></A></H1><DIVCLASS="REFNAMEDIV"><ANAME="AEN6"></A><H2>Name</H2><SPANCLASS="APPLICATION">flow-tools-examples</SPAN>&nbsp;--&nbsp;Example usage of flow-tools.</DIV><DIVCLASS="REFSECT1"><ANAME="AEN10"></A><H2>EXAMPLE - Configuring Cisco IOS Router</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN12"></A><P></P><P>NetFlow is configured on each input interface, then global commands areused to specify the export destination.  To ensure a consistant sourceaddress address Loopback0 is configured as the export source.<PRECLASS="PROGRAMLISTING">ip cef distributedip flow-export version 5 origin-asip flow-export destination 10.0.0.100 5004ip flow-export source Loopback0interface Loopback0 ip address 10.1.1.1 255.255.255.255interface FastEthernet0/1/0  ip address 10.0.0.1 255.255.255.0 no ip directed-broadcast ip route-cache flow ip route-cache distributed&#13;</PRE>Many other options exist such as aggregated NetFlow and sampled NetFlow whichare detailed at <AHREF="http://www.cisco.com"TARGET="_top">http://www.cisco.com</A>.</P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN16"></A><H2>EXAMPLE - Configuring Cisco CatIOS Switch</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN18"></A><P></P><P>Some Cisco Catalyst switches support a different implementation of NetFlowthat is performed on the supervisor.  With the cache based forwarding modelwhich is implemented in the Catalyst 55xx with Route Switch Module (RSM)and NetFlow Feature Card (NFFC), the RSM processes the first flow and theremaining packets in the flow are forwarded by the Supervisor.  This isalso implemented in the early versions of the 65xx with MSFC.  Thedeterministic forwarding model used in the 65xx with MSFC2 do not useNetFlow to determine the forwarding path, the flow cache is only usedfor statistics as in the current IOS implementations.  In all of of the above configurations flow exports arrive from both the RSM/MSFC andthe Supervisor engines as distinct streams.  In the worst cast the RSMexports in version 5 and the Supervisor exports in version 7.Fortunately flow-capture and flow-receive can sort all this out by processing flows from both sources and converting them to a common export format.</P><P>The router side running IOS is configured identically to the examplegiven above.  The CatIOS NetFlow Data Export configuration follows:</P><P><PRECLASS="PROGRAMLISTING">set mls flow fullset mls nde version 7set mls nde 10.0.0.1 9800set mls nde enable</PRE></P><P>When the 65xx is running in Native mode, from a users perspective the switch is only running IOS.</P><P>More detailed examples can be found on Cisco's web site <AHREF="http://www.cisco.com"TARGET="_top">http://www.cisco.com</A>.</P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN26"></A><H2>EXAMPLE - Configuring Juniper Router</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN28"></A><P></P><P>Juniper supports flow exports by the routing engine sampling packetheaders and aggregating them into flows.  Packet sampling is done by defining a firewall filter to accept and sample all traffic, applying that rule to the interface, then configuring the samplingforwarding option.<PRECLASS="PROGRAMLISTING">interfaces {    ge-0/3/0 {        unit 0 {            family inet {                filter {                    input all;                    output all;                }                address 10.0.0.1/24;            }        }    }firewall {    filter all {        term all {            then {                sample;                accept;            }        }    }}forwarding-options {    sampling {        input {            family inet {                rate 100;            }        }        output {            cflowd 10.0.0.100 {                port 9800;                version 5;            }        }    }}</PRE></P><P>Other options exist such as aggregated flows which are detailed at <AHREF="http://www.juniper.net"TARGET="_top">http://www.juniper.net</A>.</P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN33"></A><H2>EXAMPLE - Network topology and <TTCLASS="FILENAME">flow.acl</TT></H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN36"></A><P></P><P>The network topology and flow.acl will be used for many of the examplesthat follow.  Flows are collected and stored in <TTCLASS="FILENAME">/flows/R</TT>.<PRECLASS="SCREEN">&#13;                       ISP-A       ISP-B                         +           +                          +         +            IP=10.1.2.1/24 +       + IP=10.1.1.1/24                 ifIndex=2  +     +  ifIndex=1       interface=serial1/1   +   +   interface=serial0/0                             -----                             | R | Campus Router                             -----                             +   +           IP=10.1.4.1/24   +     +   IP=10.1.3.1/24                ifIndex=4  +       +  ifIndex=3    interface=Ethernet1/1 +         + interface=Ethernet0/0                         +           +                       Sales      Marketing&#13;</PRE><PRECLASS="PROGRAMLISTING">ip access-list standard sales permit 10.1.4.0 0.0.0.255ip access-list standard not_sales deny 10.1.4.0 0.0.0.255ip access-list standard marketing permit 10.1.3.0 0.0.0.255ip access-list standard not_marketing deny 10.1.3.0 0.0.0.255ip access-list standard campus permit 10.1.4.0 0.0.0.255ip access-list standard campus permit 10.1.3.0 0.0.0.255ip access-list standard not_campus deny 10.1.4.0 0.0.0.255ip access-list standard not_campus deny 10.1.3.0 0.0.0.255ip access-list standard evil_hacket permit host 10.6.6.6ip access-list standard spoofer permit host 10.9.9.9ip access-list standard multicast 224.0.0.0 15.255.255.255</PRE></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN41"></A><H2>EXAMPLE - Finding spoofed addresses</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN43"></A><P></P><P>A common problem on the Internet is the use of "spoofed" (addressesthat are not assigned to an organization) for use in DoS attacks or compromising servers that rely on the source IP address for authentication.</P><P>Display all flow records that originate from the campus and are sentto the Internet but are not using legal addresses.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-print</B></P><P>Summary of the destinations of the internally spoofed addresses sorted by octets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f8 -S2</B></P><P>Summary of the sources of the internally spoofed addresses sorted by flows.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f9 -S1</B></P><P>Summary of the internally spoofed sources and destination pairs sorted by packets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Snot_campus -I1,2 | flow-stat -f10 -S4</B></P><P>Display all flow records that originate external to the campus that havecampus addresses.  Many times these can be attackers trying to exploit hostbased authentication mechanisms like unix r* commands.  Another commonsource is mobile clients which send packets with their campus addressesbefore obtaining a valid IP.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-print</B></P><P>Summary of the destinations of the externally spoofed addresses sorted by octets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Scampus -i1,2 | flow-stat -f8 -S2</B></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN63"></A><H2>EXAMPLE - Locate hosts using or running services</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN65"></A><P></P><P>Find all SMTP servers active during the collection periodthat have established connections to the Internet.  Summarize sortedby octets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -I1,2 -P25 | flow-stat -f9 -S2</B></P><P>Find all outbound NNTP connections to the Internet.  Summarize with sourceand destination IP sorted by octets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -I1,2 -P119 | flow-stat -f10 -S3</B></P><P>Find all inbound NNTP connections to the Internet.  Summarize with sourceand destination IP sorted by octets.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -i1,2 -P119 | flow-stat -f10 -S3</B></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN75"></A><H2>EXAMPLE - Multicast usage</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN77"></A><P></P><P>Summarize Multicast S,G where sources are on campus.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Dmulticast -I1,2 | flow-stat -f10 -S3</B></P><P>Summarize Multicast S,G where sources are off campus.</P><P><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -Dmulticast -i1,2 | flow-stat -f10 -S3</B></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN84"></A><H2>EXAMPLE - Find scanners</H2><DIVCLASS="INFORMALEXAMPLE"><ANAME="AEN86"></A><P></P><P>Find SMTP scanners with flow-dscan.  This will also find SMTP clients whichtry to contact many servers.  This behavior is characterized by a recent Microsoft worm.</P><P><PCLASS="LITERALLAYOUT"><BCLASS="COMMAND">touch dscan.suppress.src dscan.suppress.dst</B><br><br><BCLASS="COMMAND">flow-cat /flows/R | flow-filter -P25 | flow-dscan -b</B><br>&#13;</P></P><P></P></DIV></DIV><DIVCLASS="REFSECT1"><ANAME="AEN92"></A><H2>AUTHOR</H2><P>Mark Fullmer<TTCLASS="EMAIL">&#60;<AHREF="mailto:maf@splintered.net">maf@splintered.net</A>&#62;</TT></P></DIV><DIVCLASS="REFSECT1"><ANAME="AEN99"></A><H2>SEE ALSO</H2><P><SPANCLASS="APPLICATION">flow-tools</SPAN>(1)</P></DIV></BODY></HTML>