Netflow
These scenarios demonstrate how to configure and use NetFlow to collect and export local TCP flows, covering different modes and configuration options.
Test NetFlow Scenario
Description
These examples demonstrate how to configure and use NetFlow to collect and export locally generated TCP flows across different configuration modes.
Scenario
Example 1
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.215.168.64/24
    set interfaces ethernet eth1 address 192.168.1.1/24
    set interfaces ethernet eth1 flow egress selector TCP_SEL
    set interfaces ethernet eth1 flow ingress selector TCP_SEL
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
    set system netflow destination 10.215.168.1
    set system netflow engine-id 1111
    set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
    set interfaces ethernet eth1 address 192.168.1.2/24
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
    Protocol\sversion\s10\s\(ipfix\)
    Export:.*Errors 0 pkts
    sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0
Output:
    ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
    Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
    Timeouts: active 1800s, inactive 15s. Maxflows 2000000
    Flows: active 0 (peak 4 reached 0d1h0m ago), mem 491K, worker delay 25/250 [1..25] (28 ms, 0 us, 0:0 [cpu0]).
    Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
    Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 823 bps, 0 pps; 5 min: 387 bps, 0 pps
    cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
    Total 0; 0 153 24 [1.00], 0 0 0 0, traffic: 223, 0 MB, drop: 0, 0 K
    cpu0 0; 0 2 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    cpu1 0; 0 42 12 [1.00], 0 0 0 0, traffic: 66, 0 MB, drop: 0, 0 K
    cpu2 0; 0 105 12 [1.00], 0 0 0 0, traffic: 135, 0 MB, drop: 0, 0 K
    cpu3 0; 0 4 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    Export: Rate 0 bytes/s; Total 35 pkts, 0 MB, 20 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
    sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 4: Ping the IP address 192.168.1.2 from DUT0:
    admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.327 ms
    --- 192.168.1.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.327/0.327/0.327/0.000 ms
Step 5: Ping the IP address 10.215.168.1 from DUT0:
    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.188 ms
    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.188/0.188/0.188/0.000 ms
Step 6: Initiate a TCP connection from DUT1 to DUT0 and exchange messages between both endpoints:
    admin@DUT0$ monitor test connection server 8080 tcp
    admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 7: Run the command system netflow show flows detailed on DUT0 and check whether the output matches the following regular expressions:
    3\s+0\s+192.168.1.2:\d+\s+192.168.1.1:8080\s+6(\s+\S+){5}\s+[1-9]\d*
    0\s+3\s+192.168.1.1:8080\s+192.168.1.2:\d+\s+6(\s+\S+){5}\s+[1-9]\d*
Output:
    ------------------------------------------------------------------------------------------
    Field       Description
    ------------------------------------------------------------------------------------------
    #           Numeric flow identifier
    hash        Hash of the flow
    a           Shows if the flow is pending of being exported
    iif         Input interface
    oif         Output interface
    src         Source IP:PORT
    dst         Destination IP:PORT
    protocol    Protocol identifier
    nexthop     Next-hop [Layer 4:Port]
    tos         Type of service identificator
    tcpflags    TCP flags
    options     Optional IP options
    tcpoptions  TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop)
    pkts        Packets counter
    bytes       Bytes counter
    ts_first    Timestamp of fist packet that passed through the flow
    ts_last     Timestamp of last packet that passed through the flow
    -------------------------------------------------------------------------------------------------------------------------------------------------
    #  hash  a  iif  oif  src                dst                protocol  nexthop  tos  tcpflags  options  tcpoptions  pkts  bytes  ts_first  ts_last
    -------------------------------------------------------------------------------------------------------------------------------------------------
    1  c3af  0  3    0    192.168.1.2:57534  192.168.1.1:8080   6         0.0.0.0  0x0  0x1b      0x0      0xf1000000  12    732    389       30
    2  a0ff  0  0    3    192.168.1.1:8080   192.168.1.2:57534  6         0.0.0.0  0x0  0x1b      0x0      0xf1000000  10    628    389       30
Step 8: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
    eth1\s+egress\s+[1-9]\d*
    eth1\s+ingress\s+[1-9]\d*
Output:
    --------------------------------------------------------------
    iface  mode     pkts match  pkts eval  bytes match  bytes eval
    --------------------------------------------------------------
    eth1   egress   10          18         628          1440
    eth1   ingress  12          13         732          816
    --------------------------------------------------------------
    Total           22          31         1360         2256
Example 2
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.215.168.64/24
    set interfaces ethernet eth1 address 192.168.1.1/24
    set interfaces ethernet eth1 flow egress selector TCP_SEL
    set interfaces ethernet eth1 flow ingress selector TCP_SEL
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
    set system netflow destination 10.215.168.1 dtls
    set system netflow engine-id 1111
    set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
    set interfaces ethernet eth1 address 192.168.1.2/24
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
    Protocol\sversion\s10\s\(ipfix\)
    Export:.*Errors 0 pkts
    sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0
Output:
    ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
    Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
    Timeouts: active 1800s, inactive 15s. Maxflows 2000000
    Flows: active 0 (peak 4 reached 0d1h1m ago), mem 491K, worker delay 25/250 [1..25] (52 ms, 0 us, 0:0 [cpu2]).
    Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
    Rate: 2720 bits/sec, 5 packets/sec; Avg 1 min: 970 bps, 0 pps; 5 min: 436 bps, 0 pps
    cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
    Total 4; 0 173 26 [1.00], 0 0 0 0, traffic: 245, 0 MB, drop: 0, 0 K
    cpu0 0; 0 2 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    cpu1 1; 0 49 12 [1.00], 0 0 0 0, traffic: 73, 0 MB, drop: 0, 0 K
    cpu2 3; 0 118 14 [1.00], 0 0 0 0, traffic: 150, 0 MB, drop: 0, 0 K
    cpu3 0; 0 4 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    Export: Rate 0 bytes/s; Total 38 pkts, 0 MB, 22 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
    sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 1, other 0
Step 4: Ping the IP address 192.168.1.2 from DUT0:
    admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.515 ms
    --- 192.168.1.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.515/0.515/0.515/0.000 ms
Step 5: Ping the IP address 10.215.168.1 from DUT0:
    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.188 ms
    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.188/0.188/0.188/0.000 ms
Step 6: Initiate a TCP connection from DUT1 to DUT0 and exchange messages between both endpoints:
    admin@DUT0$ monitor test connection server 8080 tcp
    admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 7: Run the command system netflow show flows detailed on DUT0 and check whether the output matches the following regular expressions:
    3\s+0\s+192.168.1.2:\d+\s+192.168.1.1:8080\s+6(\s+\S+){5}\s+[1-9]\d*
    0\s+3\s+192.168.1.1:8080\s+192.168.1.2:\d+\s+6(\s+\S+){5}\s+[1-9]\d*
Output:
    ------------------------------------------------------------------------------------------
    Field       Description
    ------------------------------------------------------------------------------------------
    #           Numeric flow identifier
    hash        Hash of the flow
    a           Shows if the flow is pending of being exported
    iif         Input interface
    oif         Output interface
    src         Source IP:PORT
    dst         Destination IP:PORT
    protocol    Protocol identifier
    nexthop     Next-hop [Layer 4:Port]
    tos         Type of service identificator
    tcpflags    TCP flags
    options     Optional IP options
    tcpoptions  TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop)
    pkts        Packets counter
    bytes       Bytes counter
    ts_first    Timestamp of fist packet that passed through the flow
    ts_last     Timestamp of last packet that passed through the flow
    -------------------------------------------------------------------------------------------------------------------------------------------------
    #  hash  a  iif  oif  src                dst                protocol  nexthop  tos  tcpflags  options  tcpoptions  pkts  bytes  ts_first  ts_last
    -------------------------------------------------------------------------------------------------------------------------------------------------
    1  1735  0  0    3    192.168.1.1:8080   192.168.1.2:41778  6         0.0.0.0  0x0  0x1b      0x0      0xf1000000  13    784    462       41
    2  1a4c  0  3    0    192.168.1.2:41778  192.168.1.1:8080   6         0.0.0.0  0x0  0x1b      0x0      0xf1000000  14    836    462       41
Step 8: Run the command system conntrack show on DUT0 and check whether the output matches the following regular expressions:
    dst=10.215.168.1.*dport=4740.*packets=[1-9]\d*
Output:
    udp 17 29 src=10.215.168.64 dst=10.215.168.1 sport=57604 dport=4740 packets=1 bytes=340 [UNREPLIED] src=10.215.168.1 dst=10.215.168.64 sport=4740 dport=57604 packets=0 bytes=0 mark=0 use=1
    udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=48843 dport=2055 packets=1 bytes=236 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=2055 dport=48843 packets=0 bytes=0 mark=0 use=1
    conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 9: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
    eth1\s+egress\s+[1-9]\d*
    eth1\s+ingress\s+[1-9]\d*
Output:
    --------------------------------------------------------------
    iface  mode     pkts match  pkts eval  bytes match  bytes eval
    --------------------------------------------------------------
    eth1   egress   13          21         784          1616
    eth1   ingress  14          15         836          920
    --------------------------------------------------------------
    Total           27          36         1620         2536
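An added example (not part of the original test suite): a Python check of the Step 8 conntrack output in Example 2 that confirms every UDP entry towards the collector uses port 4740, the IANA-registered port for IPFIX over DTLS, and reports whether the collector has answered. The sample text is the Step 8 output embedded as constructed input, and the collector address 10.215.168.1 is taken from the Step 1 configuration.

```python
import re

# Constructed sample: the conntrack output of Example 2, Step 8, one entry per line.
CONNTRACK = """\
udp 17 29 src=10.215.168.64 dst=10.215.168.1 sport=57604 dport=4740 packets=1 bytes=340 [UNREPLIED] src=10.215.168.1 dst=10.215.168.64 sport=4740 dport=57604 packets=0 bytes=0 mark=0 use=1
udp 17 29 src=127.0.0.1 dst=127.0.0.1 sport=48843 dport=2055 packets=1 bytes=236 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=2055 dport=48843 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
"""
IPFIX_DTLS_PORT = 4740  # IANA "ipfixs"; 4739 is the cleartext IPFIX port
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) packets=(\d+) bytes=(\d+)")

def parse_conntrack(text):
    """Return one dict per entry: original-direction tuple plus reply counters."""
    entries = []
    for line in text.splitlines():
        tuples = TUPLE.findall(line)
        if len(tuples) != 2:  # skips the summary line and anything malformed
            continue
        (src, dst, sport, dport, pkts, nbytes), reply = tuples
        entries.append({
            "proto": line.split()[0], "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
            "reply_packets": int(reply[4]),
            "unreplied": "[UNREPLIED]" in line,
        })
    return entries

def audit_export(entries, collector):
    """Classify UDP traffic towards the collector by destination port."""
    to_collector = [e for e in entries if e["proto"] == "udp" and e["dst"] == collector]
    return {
        "dtls": [e for e in to_collector if e["dport"] == IPFIX_DTLS_PORT],
        "other_ports": sorted({e["dport"] for e in to_collector
                               if e["dport"] != IPFIX_DTLS_PORT}),
        "answered": any(e["reply_packets"] > 0 for e in to_collector),
    }
```

On the output shown, the entry towards port 4740 is [UNREPLIED] with zero reply packets, so it shows that packets left towards the DTLS port, not that a DTLS session was established.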
Example 3
Step 1: Set the following configuration in DUT0:
    set interfaces ethernet eth0 address 10.215.168.64/24
    set interfaces ethernet eth1 address 192.168.1.1/24
    set interfaces ethernet eth1 flow egress selector TCP_SEL
    set interfaces ethernet eth1 flow ingress selector TCP_SEL
    set system conntrack app-detect app-id-storage chained
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
    set system netflow app-id
    set system netflow destination 10.215.168.1
    set system netflow engine-id 1111
    set traffic selector TCP_SEL rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
    set interfaces ethernet eth1 address 192.168.1.2/24
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command system netflow show status on DUT0 and check whether the output matches the following regular expressions:
    Protocol\sversion\s10\s\(ipfix\)
    Export:.*Errors 0 pkts
    sock0:\s127.0.0.1:2055,.*err: sndbuf reached 0, connect 0, cberr \d+, other 0
Output:
    ipt_NETFLOW 2.6, srcversion 5B9ED46B79C1F0FD97E2716; dir
    Protocol version 10 (ipfix), refresh-rate 20, timeout-rate 30, (templates 0, active 1).
    Timeouts: active 1800s, inactive 15s. Maxflows 2000000
    Flows: active 0 (peak 4 reached 0d1h1m ago), mem 491K, worker delay 25/250 [1..25] (20 ms, 0 us, 0:0 [cpu2]).
    Hash: size 62967 (mem 491K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 0 pkt, 0 K, InPDU 0, 0.
    Rate: 0 bits/sec, 0 packets/sec; Avg 1 min: 392 bps, 0 pps; 5 min: 400 bps, 0 pps
    cpu# pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
    Total 0; 0 198 28 [1.00], 0 0 0 0, traffic: 272, 0 MB, drop: 0, 0 K
    cpu0 0; 0 2 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    cpu1 0; 0 55 12 [1.00], 0 0 0 0, traffic: 79, 0 MB, drop: 0, 0 K
    cpu2 0; 0 137 16 [1.00], 0 0 0 0, traffic: 171, 0 MB, drop: 0, 0 K
    cpu3 0; 0 4 0 [1.00], 0 0 0 0, traffic: 11, 0 MB, drop: 0, 0 K
    Export: Rate 52 bytes/s; Total 43 pkts, 0 MB, 24 flows; Errors 0 pkts; Traffic lost 30 pkts, 1 Kbytes, 4 flows.
    sock0: 127.0.0.1:2055, sndbuf 212992, filled 1, peak 1; err: sndbuf reached 0, connect 0, cberr 0, other 0
Step 4: Ping the IP address 192.168.1.2 from DUT0:
    admin@DUT0$ ping 192.168.1.2 count 1 size 56 timeout 1
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.06 ms
    --- 192.168.1.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.064/1.064/1.064/0.000 ms
Step 5: Ping the IP address 10.215.168.1 from DUT0:
    admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
    PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
    64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.207 ms
    --- 10.215.168.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.207/0.207/0.207/0.000 ms
Step 6: Initiate a TCP connection from DUT1 to DUT0 and exchange messages between both endpoints:
    admin@DUT0$ monitor test connection server 8080 tcp
    admin@DUT1$ monitor test connection client 192.168.1.1 8080 tcp
Step 7: Run the command system netflow show flows detailed on DUT0 and check whether the output matches the following regular expressions:
    3\s+0\s+192.168.1.2:\d+\s+192.168.1.1:8080\s+6(\s+\S+){5}\s+[1-9]\d*
    0\s+3\s+192.168.1.1:8080\s+192.168.1.2:\d+\s+6(\s+\S+){5}\s+[1-9]\d*
    \[L3:\d+;L4:8080\]
Output:
    ------------------------------------------------------------------------------------------
    Field       Description
    ------------------------------------------------------------------------------------------
    #           Numeric flow identifier
    hash        Hash of the flow
    a           Shows if the flow is pending of being exported
    iif         Input interface
    oif         Output interface
    src         Source IP:PORT
    dst         Destination IP:PORT
    protocol    Protocol identifier
    nexthop     Next-hop [Layer 4:Port]
    tos         Type of service identificator
    tcpflags    TCP flags
    options     Optional IP options
    tcpoptions  TCP Options (MSS, Window Scaling, Selective Acknowledgements, Timestamps, Nop)
    pkts        Packets counter
    bytes       Bytes counter
    ts_first    Timestamp of fist packet that passed through the flow
    ts_last     Timestamp of last packet that passed through the flow
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------
    #  hash  a  iif  oif  src                dst                protocol  nexthop                tos  tcpflags  options  tcpoptions  pkts  bytes  ts_first  ts_last
    ---------------------------------------------------------------------------------------------------------------------------------------------------------------
    1  1b20  0  3    0    192.168.1.2:51998  192.168.1.1:8080   6         0.0.0.0[L3:6;L4:8080]  0x0  0x1b      0x0      0xf1000000  10    628    376       28
    2  af7c  0  0    3    192.168.1.1:8080   192.168.1.2:51998  6         0.0.0.0[L3:6;L4:8080]  0x0  0x1b      0x0      0xf1000000  9     576    376       28
Step 8: Run the command system netflow show stats on DUT0 and check whether the output matches the following regular expressions:
    eth1\s+egress\s+[1-9]\d*
    eth1\s+ingress\s+[1-9]\d*
Output:
    --------------------------------------------------------------
    iface  mode     pkts match  pkts eval  bytes match  bytes eval
    --------------------------------------------------------------
    eth1   egress   9           18         576          1524
    eth1   ingress  10          11         628          712
    --------------------------------------------------------------
    Total           19          29         1204         2236
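An added example (not part of the original test suite) that goes beyond the regular expressions used in the three examples: it parses the flow rows of "system netflow show flows detailed", decodes tcpflags and the optional app-id suffix, and reconciles per-direction packet and byte totals with the "match" columns of "system netflow show stats", which agree in all three outputs on this page. The sample data is constructed from Example 3, and the mapping of interface index 3 to eth1 is an assumption inferred from the Step 7 expressions.

```python
import re

# Constructed sample: data rows of Example 3, Steps 7 and 8 (headers and rules dropped).
FLOWS = """\
1 1b20 0 3 0 192.168.1.2:51998 192.168.1.1:8080 6 0.0.0.0[L3:6;L4:8080] 0x0 0x1b 0x0 0xf1000000 10 628 376 28
2 af7c 0 0 3 192.168.1.1:8080 192.168.1.2:51998 6 0.0.0.0[L3:6;L4:8080] 0x0 0x1b 0x0 0xf1000000 9 576 376 28
"""
STATS = """\
eth1 egress 9 18 576 1524
eth1 ingress 10 11 628 712
Total 19 29 1204 2236
"""
IFINDEX = {3: "eth1"}  # assumption: index 3 is eth1, as the Step 7 expressions imply
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
APP_ID = re.compile(r"\[L3:(\d+);L4:(\d+)\]$")

def parse_flows(text):
    """Parse flow rows; the app-id suffix on nexthop is optional (Examples 1 and 2 lack it)."""
    flows = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) != 17 or not f[0].isdigit():  # skips header and rule lines
            continue
        app, bits = APP_ID.search(f[8]), int(f[10], 16)
        flows.append({
            "iif": int(f[3]), "oif": int(f[4]), "src": f[5], "dst": f[6],
            "pkts": int(f[13]), "bytes": int(f[14]),
            "app_id": tuple(map(int, app.groups())) if app else None,
            "flags": {name for bit, name in TCP_FLAGS.items() if bits & bit},
        })
    return flows

def reconcile(flows, stats_text):
    """Return the (iface, mode) pairs whose matched counters differ from the flow table."""
    totals = {}
    for fl in flows:
        for mode, idx in (("ingress", fl["iif"]), ("egress", fl["oif"])):
            if idx in IFINDEX:
                key = (IFINDEX[idx], mode)
                pk, by = totals.get(key, (0, 0))
                totals[key] = (pk + fl["pkts"], by + fl["bytes"])
    mismatches = []
    for s in (line.split() for line in stats_text.splitlines()):
        if len(s) != 6:  # skips the Total row and the two-word header
            continue
        if totals.get((s[0], s[1]), (0, 0)) != (int(s[2]), int(s[4])):
            mismatches.append((s[0], s[1]))
    return mismatches
```

The tcpflags value 0x1b decodes to FIN, SYN, PSH and ACK with no RST, which is what a TCP session that was opened, exchanged data and closed normally leaves in both flow records.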