Netflow

The NETFLOW/IPFIX protocol allows you to monitor data flows within an IP network. This protocol allows you to easily observe when, where, and what traffic flows are being processed by the network, as well as identify the entities responsible for processing them. By gaining insights into the behavior of these traffic flows, improvements can be made to the IP network and its actions can be better accounted for.

NETFLOW/IPFIX exports IP flow information in packets, encapsulated in UDP, adhering to a specific format. The particular format used depends on the version of the protocol configured, with options for our devices including NETFLOW version 5, version 9 or IPFIX (Netflow version 10). Additionally, there is an option to encrypt these packets using the Datagram Transport Layer Security (DTLS) protocol before transmitting them.

The UDP packets are received by a collector server, which interprets them and stores flows in a database. The network administrator can then access this database to obtain graphics and statistics on the traffic processed by the router.
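The exporter/collector exchange described above, as an added example that is not part of this page or the router's software: a minimal NetFlow version 5 encoder and decoder in Python. The wire layout (24-byte header, up to 30 fixed 48-byte records, network byte order) is the standard v5 format; the sample flows are constructed here and reuse the two SSH flows that appear in the "system netflow show flows" output further down this page. The collector side validates the version and the record count against the datagram length before decoding, which is the check a collector needs so that a short or malformed datagram cannot make it read past the end of the buffer.

```python
"""Minimal NetFlow v5 encoder/decoder (added example; not the router's or any collector's code)."""
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order): 24-byte header, then up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def build_v5(records, sequence=0, uptime_ms=0, unix_secs=0):
    """Exporter side: pack flow records (dicts) into one v5 datagram."""
    if len(records) > V5_MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            IPv4Address(r["src"]).packed, IPv4Address(r["dst"]).packed, bytes(4),
            r["in_if"], r["out_if"], r["packets"], r["octets"], r["first_ms"], r["last_ms"],
            r["src_port"], r["dst_port"], 0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
            0, 0, 0, 0, 0)
        for r in records)
    return header + body


def parse_v5(datagram):
    """Collector side: validate and decode a v5 datagram; raises ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, uptime_ms, unix_secs, unix_nsecs, sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds v5 maximum")
    # Never trust 'count' alone: check the datagram really carries that many records.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: fewer bytes than 'count' implies")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, nexthop, in_if, out_if, packets, octets, first_ms, last_ms,
         src_port, dst_port, _pad1, tcp_flags, proto, tos,
         src_as, dst_as, src_mask, dst_mask, _pad2) = fields
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if, "packets": packets, "octets": octets,
            "first_ms": first_ms, "last_ms": last_ms,
            "src_port": src_port, "dst_port": dst_port,
            "tcp_flags": tcp_flags, "proto": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as, "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "version": version, "count": count, "uptime_ms": uptime_ms,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "sequence": sequence,
        "engine_type": engine_type, "engine_id": engine_id,
        # top two bits of the sampling field are the mode, the rest the interval
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
        "records": records,
    }


def is_malformed(datagram):
    """True when the collector would reject the datagram."""
    try:
        parse_v5(datagram)
    except ValueError:
        return True
    return False


def sample_datagram():
    """Constructed datagram carrying the two SSH flows seen in the 'show flows' table on this page."""
    flows = [
        {"src": "192.168.214.239", "dst": "192.168.213.18", "in_if": 5, "out_if": 0,
         "packets": 16, "octets": 1108, "first_ms": 1000, "last_ms": 9000,
         "src_port": 54334, "dst_port": 22, "proto": 6, "tcp_flags": 0x18},
        {"src": "192.168.213.18", "dst": "192.168.214.239", "in_if": 0, "out_if": 5,
         "packets": 9, "octets": 4588, "first_ms": 1000, "last_ms": 9000,
         "src_port": 22, "dst_port": 54334, "proto": 6, "tcp_flags": 0x18},
    ]
    return build_v5(flows, sequence=8, uptime_ms=10000, unix_secs=1700000000)


if __name__ == "__main__":
    for rec in parse_v5(sample_datagram())["records"]:
        print(f'{rec["src"]}:{rec["src_port"]} -> {rec["dst"]}:{rec["dst_port"]} '
              f'proto {rec["proto"]} pkts {rec["packets"]} bytes {rec["octets"]}')
```

Version 9 and IPFIX replace the fixed record layout with templates that the exporter sends separately (the "templates" counter in the show status output below refers to these), so a collector for those versions must also cache templates per exporter; the length check stays the same idea. Because the transport is plain UDP unless DTLS is enabled, a collector cannot tell a spoofed datagram from a real one by its contents, which is one reason to restrict the collector port to the exporters' source addresses.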

Netflow topology

Regardless of the flow exporting protocol and version used, the router creates an internal flow cache. Each flow consists of a unidirectional group of packets that share the following parameters:

  • Source IP address.

  • Destination IP address.

  • IP protocol.

  • Source port (for UDP/TCP/SCTP protocols or type/code for ICMP protocol).

  • Destination port (for UDP/TCP/SCTP protocols).

  • IP header TOS field.

  • Input interface SNMP Index.

  • Output interface SNMP Index.

Note

If any of these parameters differ, the packet is considered to belong to a different flow.

Configuration

The NETFLOW/IPFIX subsystem processes a packet if it enters the router through an interface where the flow ingress command is enabled, or if it is sent or forwarded by an interface where the flow egress command is enabled. These options can be configured using the following commands:

set interfaces <kind> <name> flow ingress [ selector <selector> ]
set interfaces <kind> <name> flow egress [ selector <selector> ]

Optionally, you can specify a traffic selector to ensure that only IP packets matching the access list are processed.

Note

Here you can find more information about traffic selectors.

To configure NETFLOW/IPFIX you need to use the following command tree:

set system netflow <...>

The only required option is destination, which indicates the export destination domain name (i.e., the collector). Multiple values can be configured (up to 5 destinations).

Options local-address, local-interface and local-vrf can be used to configure output options for exported flows.

The protocol option helps configure the NETFLOW/IPFIX version to be used. By default, IPFIX (version 10) is used.

When the NETFLOW/IPFIX subsystem processes a packet, it searches for a matching flow in the cache. If a match is found, the flow is updated by increasing the packet and byte counters, and the lifetime is refreshed. If no matching flow is found, a new flow is created and added to the cache. The router exports a flow record when it determines that a flow has expired and is removed from the cache.

A flow is considered expired if no packets associated with it have been routed for a specific period of time (15 seconds, by default). This can be customized using the following command:

set system netflow timeout inactive <seconds>

Additionally, a flow is considered finished if it has been active for a prolonged duration (30 minutes, by default, although 1 minute is recommended for better resolution and lower delay). This can be changed through the following command:

set system netflow timeout active <seconds>
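The flow cache behaviour described in this section, as an added example that is not the router's code: a small Python model keyed on the seven fields listed under "Netflow topology", with the inactive (15 s) and active (1800 s) timeouts taken from the defaults above. The packet traces are constructed, reusing addresses from the show flows table below; ICMP is keyed by (type << 8) | code in the source-port slot, as the key list describes. A real router runs expiry from a periodic worker rather than on every packet; this model runs it inline so that the results are deterministic.

```python
"""Flow-cache model of the NETFLOW/IPFIX subsystem (added example, not the router's code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import NamedTuple


class FlowKey(NamedTuple):
    """The unidirectional flow key: the seven fields listed under 'Netflow topology'."""
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number (1 ICMP, 6 TCP, 17 UDP, 132 SCTP)
    src_port: int   # L4 source port, or (type << 8) | code for ICMP
    dst_port: int   # L4 destination port (0 for ICMP)
    tos: int        # IP header TOS byte
    in_if: int      # input interface SNMP ifIndex
    out_if: int     # output interface SNMP ifIndex


@dataclass
class FlowEntry:
    first_seen: float
    last_seen: float
    packets: int
    octets: int


class FlowCache:
    """Per-flow counters with the two expiry rules: inactive (default 15 s) and active (default 1800 s)."""

    def __init__(self, inactive: float = 15.0, active: float = 1800.0):
        self.inactive = inactive          # 'set system netflow timeout inactive'
        self.active = active              # 'set system netflow timeout active'
        self.flows: dict[FlowKey, FlowEntry] = {}
        self.exported: list[dict] = []    # records handed to the exporter

    def expire(self, now: float) -> int:
        """Export and drop every flow that has hit a timeout; returns how many were exported."""
        before = len(self.exported)
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= self.inactive:
                reason = "inactive"       # no packets for 'inactive' seconds
            elif now - f.first_seen >= self.active:
                reason = "active"         # long-lived flow: export a partial record, start afresh
            else:
                continue
            self.exported.append({"key": key, "packets": f.packets, "octets": f.octets,
                                  "first": f.first_seen, "last": f.last_seen, "reason": reason})
            del self.flows[key]
        return len(self.exported) - before

    def process_packet(self, key: FlowKey, length: int, now: float) -> None:
        """Cache lookup on the flow key: update counters and lifetime, or create a new flow."""
        # The router's worker runs expiry periodically; doing it here keeps the model deterministic.
        self.expire(now)
        f = self.flows.get(key)
        if f is None:
            self.flows[key] = FlowEntry(first_seen=now, last_seen=now, packets=1, octets=length)
        else:
            f.packets += 1
            f.octets += length
            f.last_seen = now


def demo_inactive():
    """Constructed trace: an SSH session both ways plus a ping, then 19 s of silence."""
    cache = FlowCache()
    ssh_in = FlowKey("192.168.214.239", "192.168.213.18", 6, 54334, 22, 0, 5, 0)
    ssh_out = FlowKey("192.168.213.18", "192.168.214.239", 6, 22, 54334, 0, 0, 5)
    ping = FlowKey("192.168.213.19", "192.168.213.18", 1, (8 << 8) | 0, 0, 0, 5, 0)
    trace = [
        (0.0, ssh_in, 52),
        (1.0, ssh_in, 100),    # same key: counters grow, lifetime refreshed
        (1.0, ssh_out, 232),   # reverse direction is a separate unidirectional flow
        (2.0, ping, 84),       # ICMP echo request: type 8, code 0 in the source-port slot
        (20.0, ssh_in, 60),    # all three flows are >= 15 s idle: exported, then a fresh ssh_in flow
    ]
    for now, key, length in trace:
        cache.process_packet(key, length, now)
    return cache.exported, cache.flows


def demo_active(active: float = 60.0):
    """Constructed trace: a steady export stream to a collector, with the recommended 1-minute active timeout."""
    cache = FlowCache(active=active)
    key = FlowKey("192.168.213.18", "1.0.0.1", 17, 37316, 2055, 0, 0, 5)
    for t in range(0, 70, 10):  # one packet every 10 s keeps the flow below the inactive timeout
        cache.process_packet(key, 1284, float(t))
    return cache.exported, cache.flows


if __name__ == "__main__":
    for exported, _ in (demo_inactive(), demo_active()):
        for r in exported:
            k = r["key"]
            print(f'{k.src_ip}:{k.src_port} -> {k.dst_ip}:{k.dst_port} proto {k.proto} '
                  f'pkts {r["packets"]} bytes {r["octets"]} ({r["reason"]})')
```

Two things the trace makes visible: the SSH session produces two records, one per direction, because the key is unidirectional; and with the default 30-minute active timeout the steady UDP stream in demo_active would sit in the cache with a growing counter and never reach the collector until it stopped, which is why the text recommends 1 minute for better resolution and lower delay. The ICMP key value 2048 for an echo request (type 8, code 0) appears to be the same encoding that shows up as port 2048 in the show flows output below.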

Several configuration options can be enabled in order to collect extra information in the exported flow records.

Examples:

  • app-id includes the application ID.

  • dns-host includes the FQDN that dns-inspect picks up.

  • http-host, http-ref, http-ua and http-url include different HTTP fields.

  • ssl-server includes the SSL Server name.

Here, you can find some examples related to system netflow.

Monitoring

Operational command system netflow show status can be used to display some general NETFLOW information.

Example:

admin@DUT0$ system netflow show status
ipt_NETFLOW 2.6, srcversion C7171DDDBA03CBB4C9AD070; dir
Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 6).
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 14 (peak 14 reached 0d0h0m ago), mem 494K, worker delay 25/250 [1..25] (100 ms, 0 us, 13:0 [cpu1]).
Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 334 pkt, 34 K, InPDU 0, 0.
Rate: 6522 bits/sec, 5 packets/sec; Avg 1 min: 4743 bps, 2 pps; 5 min: 1746 bps, 0 pps
cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total      5;      0    394     22 [1.00],    0    0    0    0, traffic: 416, 0 MB, drop: 0, 0 K
cpu0       5;      0    298     17 [1.00],    0    0    0    0, traffic: 315, 0 MB, drop: 0, 0 K
cpu1       0;      0     96      5 [1.00],    0    0    0    0, traffic: 101, 0 MB, drop: 0, 0 K
Export: Rate 0 bytes/s; Total 6 pkts, 0 MB, 8 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0

It displays information about the protocol version, configuration parameters and flow statistics.

Operational command system netflow show stats can be used to display statistics about processed packets. The detailed option can also be used to display information about configured traffic selectors.

Example:

admin@DUT0$ system netflow show stats

--------------------------------------------------------------
iface   mode    pkts match  pkts eval  bytes match  bytes eval
--------------------------------------------------------------
eth3   egress          227        227        28894       28894
eth3   ingress         370        370        44236       44236
--------------------------------------------------------------
Total                  597        597        73130       73130

Operational command system netflow show flows can be used to display the flows present in the cache. The detailed option can also be used to display an extensive report (including additional fields such as flow status, ToS value, TCP flags, IP options, timestamps, etc.).

Example:

admin@DUT0$ system netflow show flows

-----------------------------
Field     Description
-----------------------------
iif       Input interface
oif       Output interface
src       Source IP:PORT
dst       Destination IP:PORT
protocol  Protocol identifier
pkts      Packets counter
bytes     Bytes counter


-----------------------------------------------------------------------------
iif  oif  src                    dst                    protocol  pkts  bytes
-----------------------------------------------------------------------------
5    0    192.168.215.40:54791   192.168.215.255:137    137       1     78
0    5    192.168.213.18:37316   1.0.0.1:2055           2055      1     1284
5    0    192.168.213.200:17500  192.168.215.255:17500  17500     1     172
5    0    192.168.215.40:137     192.168.215.255:137    137       6     468
5    0    0.0.0.0:68             255.255.255.255:67     67        73    26248
0    5    192.168.213.18:22      192.168.214.239:54334  54334     9     4588
5    0    0.0.0.0:68             255.255.255.255:67     67        6     1929
5    0    192.168.214.239:54334  192.168.213.18:22      22        16    1108
5    0    192.168.215.40:138     192.168.215.255:138    138       3     606
5    0    192.168.213.19:0       192.168.213.18:2048    2048      254   21336
5    0    192.168.212.74:62976   255.255.255.255:62976  62976     1     345
0    5    192.168.213.18:0       192.168.213.19:0       0         337   28308
5    0    192.168.214.239:59012  192.168.213.18:22      22        1     52
5    0    169.254.100.100:0      224.0.0.1:4352         4352      1     32
5    0    192.168.215.243:137    192.168.215.255:137    137       1     78
5    0    192.168.215.40:57621   192.168.215.255:57621  57621     1     72
0    5    192.168.213.18:22      192.168.214.239:59012  59012     1     232

Command Summary

Configuration commands

Operational commands