NETFLOW配置及软件

Netflow网络流量分析手册作者：聂晓亮（毛蛋哥）目录一、作者简介 (4)二、为什么会有这本书 (5)三、流量分析原理 (6)(一)原始流量分析方式 (6)(二)Netflow分析方式 (6)四、流量采样 (8)(一)在网络设备上开启Netflow功能 (8)(二)网络设备不支持Netflow (9)1.部署方式 (9)2.安装Fprobe (11)3.启动Fprobe (11)4.镜像流量至Fprobe服务器 (12)5.检测是否收到Netflow数据 (12)五、部署服务器 (13)(一)硬件需求 (13)(二)安装FreeBSD (13)(三)安装Nfsen (14)1.安装apache22 (14)2.安装php5 (14)3.安装nfsen (15)(四)安装PortTracker (15)(五)访问Nfsen (16)六、抓贼攻略 (18)(一)了解网络运行状况 (18)(二)什么协议吞了带宽 (22)(三)抓出罪魁祸首 (25)七、感谢 (30)一、作者简介本书作者聂晓亮，网名毛蛋哥。

2004年毕业于北京联合大学信息工程学院，热爱网络相关知识及摄影，机缘巧合参加了Cisco认证培训，并获得了一些成绩。

本书写于2008年10月，作者目前状态工作较为舒适，故有空闲时间完成此书。

聂晓亮（毛蛋哥）拥有自己的Blog及Wiki空间，其中记录了作者的工作、生活、学习。

作者希望通过此书以及Blog、Wiki同全世界的网络爱好者分享其知识与快乐。

聂晓亮（毛蛋哥）的Blog：聂晓亮（毛蛋哥）的Wiki：欢迎交流：pharaohnie@二、为什么会有这本书在工作的几年当中，经常有朋友和一些网友问我一些关于流量分析的问题，诸如：●我们局域网怎么这么慢，是不是有人在下BT？●192.168.0.1也没人用，怎么网卡疯狂闪烁，它在做什么？●老板让我查查服务器为什么总是那么大流量，可我不知道从何下手。

●公司出口带宽不够了，但一时有没那么多带宽预算，我在考虑是不是要关掉一些和公司业务无关的协议，但不知道应该关哪些协议。

1、Natflow原理：2、输出流信息的格式3、natflow用途a)网络监控b)应用监控c)用户监控d)网络规划e)安全分析f)记账3、netflow网络设备的配置和相关参数Cisco Netflow配置命令a)ip route-cache flow 在接口上配置Netflow采样。

b)ip flow-export destination ip_address port 将Netflow的采样信息输出到Netflow的流量分析系统上，这里2055是NI系统的Netflow默认端口号，如果是其他的Netflow系统可以在下面的命令行里更改端口号，NI系统也可以在全局配置下更改端口号。

c)ip flow-export source interface_name 配置发送Netflow采样信息的源接口，建议使用Loopback接口。

ip flow-export version 5 配置Netflow的版本号为5。

d)ip flow-cache timeout active x 生成告警和显示故障排除数据为x分钟。

snmp-server ifindex persist 全局启用ifIndex持续化(接口名)。

配置举例：router#configure terminalrouter(config)#interface FastEthernet 0/0router(config-if)#ip route-cache flowrouter(config-if)#exitrouter(config)#ip flow-export destination 10.10.10.25 2055router(config)#ip flow-export source loopback 0router(config)#ip flow-export version 5router(config)#ip flow-cache timeout active 1router(config)#snmp-server if验证命令show ip flow export 显示当前Netflow的配置。

网络流量分析NetFlow协议解析网络流量分析在网络安全和性能监控中起着重要的作用。

而NetFlow协议作为其中一种流量分析的关键工具，在网络管理领域中被广泛应用。

本文将对NetFlow协议进行详细解析，介绍其原理、功能和应用。

一、NetFlow协议简介NetFlow协议是由思科公司于1996年推出的一种网络流量分析技术。

它能够提供流量统计、流量分析和流量监控等功能。

NetFlow协议通过在路由器和交换机上收集、处理和导出流量数据，为网络管理员提供实时的流量信息和网络性能的评估。

二、NetFlow协议的工作原理NetFlow协议的工作原理可以分为三个阶段：数据收集、数据处理和数据导出。

1. 数据收集在网络中的路由器和交换机上，通过配置使其能够将经过设备的流量数据进行收集。

NetFlow支持两种收集方式：Full Flow和Sampled Flow。

Full Flow是指完整地收集每一个流量数据进行处理；Sampled Flow是指以一定的频率采样流量数据进行处理，减少处理开销。

2. 数据处理收集到的流量数据会经过设备内部的处理引擎进行处理。

处理引擎会提取关键信息，如源IP地址、目的IP地址、源端口、目的端口、协议类型等，并基于这些信息生成流记录。

3. 数据导出处理后的流记录会根据配置的规则进行导出。

导出方式有两种：NetFlow v5和NetFlow v9。

NetFlow v5是早期版本，具有广泛的兼容性；NetFlow v9则是最新版本，支持更多的字段，并且具有灵活的配置能力。

三、NetFlow协议的功能NetFlow协议具有以下几个主要功能：1. 流量统计NetFlow可以对流量进行实时统计，包括流量量、带宽利用率、流量峰值等。

这些统计数据可以帮助网络管理员了解网络的负载情况，有助于进行容量规划和性能优化。

2. 流量分析通过对收集到的流量数据进行分析，NetFlow可以帮助管理员发现网络中的异常情况和潜在安全威胁。

Configuring NetFlowRelease 12.1January 8, 2001This chapter describes how to configure NetFlow in Cisco IOS Release 12.1 and Release 12.0S. For acomplete description of NetFlow commands used in this chapter, refer to the Cisco IOS SwitchingServices Command Reference. For documentation on other commands that appear in this chapter, youcan use the command reference master index or search online.NetFlow ImplementationWith NetFlow, you can export data (traffic statistics) to a remote workstation for processing.NetFlow does not involve any connection-setup protocol either between routers or to any othernetworking device or end station and does not require any change externally—either to the traffic orpackets themselves or to any other networking device. Thus, NetFlow is completely transparent to theexisting network, including end stations and application software and network devices like LANswitches.Also,because NetFlow is performed independently on each internetworking device,it does notneed to be operational on each router in the work planners can selectively invoke NetFlow(and NetFlow data export) on a router or interface basis to gain traffic performance, control, oraccounting benefits in specific network locations.Note NetFlow does consume additional memory and CPU resources;therefore,it is important tounderstand the resources required on your router before enabling NetFlow.NetFlow Configuration Task ListTo configure NetFlow, complete the tasks in the following sections. At a minimum, you must enableNetFlow. The remaining tasks are optional.•Enabling NetFlow (Required)•Exporting NetFlow Statistics (Optional)•Customizing the Number of Entries in the NetFlow Cache (Optional)•Managing NetFlow Statistics (Optional)•Configuring IP Distributed Switching and NetFlow on VIP Interfaces (Optional)•Configuring an Aggregation Cache (Optional)Configuring NetFlowNetFlow Configuration Task List •Configuring NetFlow Policy Routing (Optional)Enabling NetFlowTo enable NetFlow,first configure the router for IP routing as described in the IP configuration chapters in the Cisco IOS IP and IP Routing Configuration Guide . After you configure IP routing, use thefollowing commands beginning in global configuration mode:Exporting NetFlow StatisticsNetFlow information can also be exported to network management applications.To configure the router to export NetFlow statistics maintained in the NetFlow cache to a workstation when a flow expires,use one of the following commands in global configuration mode:Customizing the Number of Entries in the NetFlow CacheNormally the size of the NetFlow cache will meet your needs. However, you can increase or decrease the number of entries maintained in the cache to meet the needs of your NetFlow traffic rates.The default is 64K flow cache entries.Each cache entry is approximately 64bytes of storage.Assuming a cache with the default number of entries,approximately 4MB of DRAM would be required.Each time a new flow is taken from the free-flow queue,the number of free flows is checked.If there are only a few free flows remaining,NetFlow attempts to age 30flows using an accelerated timeout.If there is only one free flow remaining,NetFlow automatically ages 30flows regardless of their age.The intent is to ensure free flow entries are always available.CommandPurpose Step 1interface type slot /port-adapter /port (Cisco7500 series routers)interface type slot /port (Cisco 7200 seriesrouters)Specifies the interface, and enter interface configuration mode.Step 2ip route-cache flow Enables mandPurpose ip flow-export ip-address udp-port [version 1]Configures the router to export NetFlow cache entries to aworkstation if you are using receiving software that requiresversion 1. Version 1 is the default.ip flow-export ip-address udp-port version 5[origin-as |peer-as ]Configures the router to export NetFlow cache entries to aworkstation if you are using receiving software that acceptsversion 5. Optionally specify origin or peer autonomoussystem (AS). The default is to export neither AS whichprovides improved performance.Configuring NetFlowNetFlow Configuration Task List To customize the number of entries in the NetFlow cache, use the following command in globalconfiguration mode:Command Purposeip flow-cache entries number Changes the number of entries maintained in the NetFlowcache. The number of entries can be 1024 to 524288.The default is 65536.Caution We recommend that you not change the NetFlow cache entries.Improper use of this featurecould cause network problems. To return to the default NetFlow cache entries, use theno ip flow-cache entries global configuration command.Managing NetFlow StatisticsYou can display and clear NetFlow Flow statistics consist of IP packet size distribution,IPNetFlow cache information,and flow information such as the protocol,total flow,flows per second,andso forth. The resulting information can be used to find out information about your router traffic. Tomanage NetFlow statistics, use either of the following commands in privileged EXEC mode:Command Purposeshow ip cache flow Displays the NetFlow statistics.clear ip flow stats Clears the NetFlow statistics.Configuring IP Distributed Switching and NetFlow on VIP InterfacesOn Cisco 7500 series routers with a Route Switch Processor (RSP) and with Versatile InterfaceProcessor(VIP)controllers,the VIP hardware can be configured to switch packets received by the VIPwith no per-packet intervention on the part of the RSP. This process is called distributed switching.Distributed switching decreases the demand on the RSP.The VIP hardware can also be configured for NetFlow, a new high-performance feature that cachesinformation about the flow. NetFlow data can also be exported to network management applications.Refer to the Cisco Product Catalog for information about VIP port adapters used for distributedswitching.To configure distributed switching on the VIP, first configure the router for IP routing as described inthis chapter and the various routing protocol chapters, depending on the protocols you use.After you configure IP routing, use the following commands beginning in global configuration mode:Command PurposeStep1interface type slot/port-adapter/port Specifies the interface, and enter interface configurationmode.Configuring NetFlowNetFlow Configuration Task List When the RSP or VIP is using NetFlow, it uses a flow cache instead of a destination network cache to switch IP packets.The flow cache uses source and destination network address,protocol,and source and destination port numbers to distinguish entries.To export NetFlow cache entries to a workstation when a flow expires, use the following command in global configuration mode:Configuring an Aggregation CacheTo configure an aggregation cache,you must enter aggregation cache configuration mode,and you must decide which type of aggregation scheme you would like to configure:autonomous system,Destination Prefix, Prefix, Protocol Prefix, or Source Prefix aggregation cache. Once you define the aggregation scheme, define the operational parameters for that scheme.Verifying Aggregation Cache Configuration and Data ExportTo verify the aggregation cache information, use the following command in EXEC mode:Step 2ip route-cache distributed Enables VIP distributed switching of IP packets on the interface.Step 3ip route-cache flow Enables Netflow.CommandPurpose CommandPurpose ip flow-export ip-address udp-port Configures the router to export NetFlow cache entries to aworkstation.CommandPurpose Step 1Router(config)#ip flow-aggregation cache as Enters aggregation cache configuration mode and enables anaggregation cache scheme (as, destination-prefix, prefix,protocol-port, or source-prefix)Step 2Router(config-flow-cache)#cache entries 2046Specifies the number (in this example,2046)of cache entriesto allocate for the autonomous system aggregation cache.Step 3Router(config-flow-cache)#cache timeout inactive 199Specifies the number of seconds (in this example, 199) thatan inactive entry is allowed to remain in the aggregationcache before it is deleted.Step 4Router(config-flow-cache)#cache timeout active 45Specifies the number of minutes (in this example,45)that anactive entry is active.Step 5Router(config-flow-cache)#export destination 10.42.41.1 9991Enables the data export.Step 6Router(config-flow-cache)#enabledEnables aggregation cache mandPurpose show ip cache flow aggregation Displays the aggregation cache information.Configuring NetFlowNetFlow Configuration Task List To confirm data export, use the following command in EXEC mode:Command Purposeshow ip flow export Displays the statistics for the data export including the main cache andall other enabled caches.Configuring NetFlow Policy RoutingAs long as policy routing is configured, NetFlow policy routing is enabled by default and cannot bedisabled.That is,NPR is the default policy routing mode.No configuration tasks are required to enablepolicy routing in conjunction with CEF, dCEF, or NetFlow. As soon as one of these features is turnedon, packets are automatically subject to policy routing in the appropriate switching path.There is one new,optional configuration command(set ip next-hop verify-availability).This commandhas the following restrictions:•It can cause some performance degradation.•CDP must be configured on the interface.•The direct next hop must be a Cisco device with CDP enabled.•It is not available in dCEF, due to the dependency of the CDP neighbor database.It is assumed that policy routing itself is already configured.If the router is policy routing packets to the next hop and the next hop happens to be down, the routerwill try unsuccessfully to use Address Resolution Protocol(ARP)for the next hop(which is down).Thisbehavior will continue forever.To prevent this situation,you can configure the router to first verify that the next hop(s)of the route mapis the router’s CDP neighbor(s) before routing to that next hop.This task is optional because some media or encapsulations do not support CDP,or it may not be a Ciscodevice that is sending the router traffic.To configure the router to verify that the next hop is a CDP neighbor before the router tries to policyroute to it, use the following command in route-map configuration mode:Command Purposeset ip next-hop verify-availability Causes the router to confirm that the next hop(s) of the route mapis a CDP neighbor(s) of the router.If the command shown is set and the next hop is not a CDP neighbor,the router looks to the subsequentnext hop, if there is one. If there is none, the packets simply are not policy routed.If the command shown is not set, the packets are either successfully policy routed or remain foreverunrouted.If you want to selectively verify availability of only some next hops, you can configure differentroute-map entries(under the same route-map name)with different criteria(using access list matching orpacket size matching), and use the set ip next-hop verify-availability command selectively.Configuring NetFlow NetFlow Configuration ExamplesMonitoring NetFlow Policy RoutingTypically,you would use existing policy routing and NetFlow show commands to monitor these features.For more information on these show commands,refer to the policy routing and NetFlow documentation.To display the route map Inter Processor Communication(IPC)message statistics in the RP or VIP,usethe following command in EXEC mode:Command Purposeshow route-map ipc Displays the route map IPC message statistics in the RP or VIP.NetFlow Configuration ExamplesThis section provides the following basic configuration examples:•NetFlow Configuration Example•NetFlow Aggregation Configuration Examples•NetFlow Policy Routing ExampleNetFlow Configuration ExampleThe following example shows how to modify the configuration of serial interface 3/0/0 to enableNetFlow and to export the flow statistics for further processing to UDP port0on a workstation with theIP address of 1.1.15.1. In this example, existing NetFlow statistics are cleared to ensure accurateinformation when the show ip cache flow command is executed to view a summary of the NetFlowstatistics.configure terminalinterface serial 3/0/0ip route-cache flowexitip flow-export 1.1.15.1 0 version 5 peer-asexitclear ip flow statsNetFlow Aggregation Configuration ExamplesThis section provides the following aggregation cache configuration examples:•Autonomous System Configuration Example•Destination Prefix Configuration Example•Prefix Configuration Example•Protocol Port Configuration Example•Source Prefix Configuration ExampleConfiguring NetFlowNetFlow Configuration ExamplesAutonomous System Configuration ExampleThe following example shows how to configure an autonomous system aggregation cache with a cachesize of 2046, an inactive timeout of 200 seconds, a cache active timeout of 45 minutes, an exportdestination IP address of 10.42.42.1, and a destination port of 9992.Router(config)#ip flow-aggregation cache asRouter(config-flow-cache)#cache entries 2046Router(config-flow-cache)#cache timeout inactive 200Router(config-flow-cache)#cache timeout active 45Router(config-flow-cache)#export destination 10.42.42.1 9992Router(config-flow-cache)#enabledDestination Prefix Configuration ExampleThe following example shows how to configure a Destination Prefix aggregation cache with a cache sizeof2046,an inactive timeout of200seconds,a cache active timeout of45minutes,an export destinationIP address of 10.42.42.1, and a destination port of 9992.Router(config)#ip flow-aggregation cache destination-prefixRouter(config-flow-cache)#cache entries 2046Router(config-flow-cache)#cache timeout inactive 200Router(config-flow-cache)#cache timeout active 45Router(config-flow-cache)#export destination 10.42.42.1 9992Router(config-flow-cache)#enabledPrefix Configuration ExampleThe following example shows how to configure a Prefix aggregation cache with a cache size of2046,aninactive timeout of200seconds,a cache active timeout of45minutes,an export destination IP addressof 10.42.42.1, and a destination port of 9992.Router(config)#ip flow-aggregation cache prefixRouter(config-flow-cache)#cache entries 2046Router(config-flow-cache)#cache timeout inactive 200Router(config-flow-cache)#cache timeout active 45Router(config-flow-cache)#export destination 10.42.42.1 9992Router(config-flow-cache)#enabledProtocol Port Configuration ExampleThe following example shows how to configure a Protocol Port aggregation cache with a cache size of2046,an inactive timeout of200seconds,a cache active timeout of45minutes,an export destination IPaddress of 10.42.42.1, and a destination port of 9992.Router(config)#ip flow-aggregation cache protocol-portRouter(config-flow-cache)#cache entries 2046Router(config-flow-cache)#cache timeout inactive 200Router(config-flow-cache)#cache timeout active 45Router(config-flow-cache)#export destination 10.42.42.1 9992Router(config-flow-cache)#enabledConfiguring NetFlow NetFlow Configuration ExamplesSource Prefix Configuration ExampleThe following example shows how to configure a Source Prefix aggregation cache with a cache size of2046,an inactive timeout of200seconds,a cache active timeout of45minutes,an export destination IPaddress of 10.42.42.1, and a destination port of 9992.Router(config)#ip flow-aggregation cache source-prefixRouter(config-flow-cache)#cache entries 2046Router(config-flow-cache)#cache timeout inactive 200Router(config-flow-cache)#cache timeout active 45Router(config-flow-cache)#export destination 10.42.42.1 9992Router(config-flow-cache)#enabledNetFlow Policy Routing ExampleThe following example configures CEF and NetFlow.It also configures policy routing to verify that nexthop 50.0.0.8 of route map test is a CDP neighbor before the router tries to policy route to it.If the first packet is being policy routed via route map test sequence 10, the subsequent packets of thesame flow always take the same route map test sequence 10, not route map test sequence 20, becausethey all match or pass access list 1 check.ip cefinterface ethernet0/0/1ip route-cache flowip policy route-map testroute-map test permit 10match ip address 1set ip precedence priorityset ip next-hop 50.0.0.8set ip next-hop verify-availabilityroute-map test permit 20match ip address 101set interface Ethernet0/0/3set ip tos max-throughputThis document published January 8, 2001. Last content update: January 7, 2004。

1NETFLOW支持设备：Cisco 800, 1700, 2600YesCisco 1800, 2800, 3800YesCisco 4500YesCisco 6500YesCisco7200, 7300, 7500YesCisco 7600YesCisco 10000, 12000, CRS-1YesCisco 2900, 3500, 3660, 3750Nonetflow是ios平台技术，也就是说路由器全系列都支持，而交换机平台则依赖于IOS版本和支持硬件，例如Cisco 2900, 3500, 3660, 3750就不支持我们关注交换网络核心设备：6500/7600 系列：1 启动netflowSwitch(config)# mls netflow2 启动netflow 的双向流量Switch(config)# mls flow ip destination-source 后面可接其他参数3、进入VLAN，启动接口Netflow（如果在物理接口上其3层，则直接进入物理接口）Switch(config)# interface vlan 5Switch(config-if)# ip flow-export ingress-----此处为ingress 可以配置engress 依赖ios版本Switch(config-if)# ip route-cache flow4 配置Netflow的数据源，如果没有配置Loopback的接口，可以采用物理接口，建议配置Loopback接口Switch(config)# ip flow-export source loopback 05 配置统计信息的输出目的，即采集服务器的ip和监听端口(config)#ip flow-export 10.1.200.201 99917. 配置输出版本，目前可支持版本1和5(config)#ip flow-export version 5下面为参考命令：Switch# show mls nde一般看到都是Netflow Data Export disabled 这说明Netflow都没有起来。

如何在网络设备上配置Netflow1.简介本文是讲解如何在思科的不同网络设备上配置Netflow的简明指南。

(注意：如果网络设备没有在此处列出，这并不表示该设备不被Mocha NTA所支持。

请咨询您的设备提供商以获知如何配置Netflow)2.在Cisco路由器或者三层交换设备上激活Netflow的导出/NDE下面提到的配置步骤我们建议最好由有经验的网络设备工程师来完成。

如果有疑问，请咨询您的网络管理员或者咨询Cisco公司的顾问，或者访问Cisco Netflow官方网站[1]来获取有关本主题的详细信息。

注意：如果您的3层交换机运行在混合模式，您需要使用MSFC (Multilayer switching feature card)配置IOS，使用CatOS配置超级引擎。

另外，对于Native IOS来说，还需要执行一些额外的命令，这些命令将在后面列出。

3.在IOS设备上激活Netflow3.1 在路由器的或者MSFC上进入配置模式(configure mode)，依次执行下面的命令：命令 解释ip cef 激活Cisco快速转发Cisco Express Forwarding(CEF)。

在大多数比较新的IOS版本上需要执行此步ip flow‐export destination <address> 9996 将address替换为NTA所在机器的IP。

端口9996是监控的默认端口ip flow‐export loopback 0 这里设置源接口，将为路由器发出的Netflow导出包设置源IP地址。

NTA将使用该地址做一些SNMP的访问。

如果有问题的话，也可以将此接口设置为以太网口或WAN口。

ip flow‐export version 5 [peer‐as|origin‐as]或者ip flow‐export version 9 [peer‐as|origin‐as] 设置Netflow导出版本。