Category:Cisco Systems -> Routing and Switching
Product | Status | Platform |
---|---|---|
Orion NetFlow Traffic Analyzer (NTA) | ShareWare | Windows |
PRTG Network Monitor | ShareWare | Windows |
NetFlow Analyzer | ShareWare/FreeWare | Windows,Linux |
Also see:
Fluke NetFlow Tracker
Scrutinizer
Flowc
Webview Netflow Reporter
NfSen
Netflow V5 and V9 tester tool by Paessler: File:netflowtester_V2.0_V1.1.1.zip
Netflow on Cisco ISR
ip cef
interface <if-name>
ip route-cache flow
ip flow ingress // optional
ip flow egress // optional
no ip mroute-cache // optional
ip flow-export // with parameters like version 5 peer-as bgp-nexthop
ip flow-export destination 1.2.3.4 9999 (IP, port)
Another example:
flow exporter NETFLOW_EXPORTER_1
destination 1.2.3.4
source Loopback0
transport udp 2055
export-protocol netflow-v5
flow exporter NETFLOW_EXPORTER_2
destination 5.6.7.8
source Loopback0
transport udp 2055
export-protocol netflow-v5
flow monitor NETFLOW_TOOLS
exporter NETFLOW_EXPORTER_1
exporter NETFLOW_EXPORTER_2
cache timeout active 60
record netflow-original
interface GigabitEthernet0/0/0
ip flow monitor NETFLOW_TOOLS input
ip flow monitor NETFLOW_TOOLS output
IANA Assigned Internet Protocol Numbers:
0 HOPOPT IPv6 Hop-by-Hop Option Y [RFC2460]
1 ICMP Internet Control Message [RFC792]
2 IGMP Internet Group Management [RFC1112]
3 GGP Gateway-to-Gateway [RFC823]
4 IPv4 IPv4 encapsulation [RFC2003]
5 ST Stream [RFC1190][RFC1819]
6 TCP Transmission Control [RFC793]
7 CBT CBT [Tony_Ballardie]
8 EGP Exterior Gateway Protocol [RFC888][David_Mills]
9 IGP any private interior gateway (used by Cisco for their IGRP) [Internet_Assigned_Numbers_Authority]
10 BBN-RCC-MON BBN RCC Monitoring [Steve_Chipman]
11 NVP-II Network Voice Protocol [RFC741][Steve_Casner]
12 PUP PUP [Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, "PUP: An Internetwork Architecture", XEROX Palo Alto Research Center, CSL-79-10, July 1979; also in IEEE Transactions on Communication, Volume COM-28, Number 4, April 1980.][[XEROX]]
13 ARGUS (deprecated) ARGUS [Robert_W_Scheifler]
14 EMCON EMCON [<mystery contact>]
15 XNET Cross Net Debugger [Haverty, J., "XNET Formats for Internet Protocol Version 4", IEN 158, October 1980.][Jack_Haverty]
16 CHAOS Chaos [J_Noel_Chiappa]
17 UDP User Datagram [RFC768][Jon_Postel]
18 MUX Multiplexing [Cohen, D. and J. Postel, "Multiplexing Protocol", IEN 90, USC/Information Sciences Institute, May 1979.][Jon_Postel]
19 DCN-MEAS DCN Measurement Subsystems [David_Mills]
20 HMP Host Monitoring [RFC869][Bob_Hinden]
21 PRM Packet Radio Measurement [Zaw_Sing_Su]
22 XNS-IDP XEROX NS IDP ["The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification", AA-K759B-TK, Digital Equipment Corporation, Maynard, MA. Also as: "The Ethernet - A Local Area Network", Version 1.0, Digital Equipment Corporation, Intel Corporation, Xerox Corporation, September 1980. And: "The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications", Digital, Intel and Xerox, November 1982. And: XEROX, "The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification", X3T51/80-50, Xerox Corporation, Stamford, CT., October 1980.][[XEROX]]
23 TRUNK-1 Trunk-1 [Barry_Boehm]
24 TRUNK-2 Trunk-2 [Barry_Boehm]
25 LEAF-1 Leaf-1 [Barry_Boehm]
26 LEAF-2 Leaf-2 [Barry_Boehm]
27 RDP Reliable Data Protocol [RFC908][Bob_Hinden]
28 IRTP Internet Reliable Transaction [RFC938][Trudy_Miller]
29 ISO-TP4 ISO Transport Protocol Class 4 [RFC905][<mystery contact>]
30 NETBLT Bulk Data Transfer Protocol [RFC969][David_Clark]
31 MFE-NSP MFE Network Services Protocol [Shuttleworth, B., "A Documentary of MFENet, a National Computer Network", UCRL-52317, Lawrence Livermore Labs, Livermore, California, June 1977.][Barry_Howard]
32 MERIT-INP MERIT Internodal Protocol [Hans_Werner_Braun]
33 DCCP Datagram Congestion Control Protocol [RFC4340]
34 3PC Third Party Connect Protocol [Stuart_A_Friedberg]
35 IDPR Inter-Domain Policy Routing Protocol [Martha_Steenstrup]
36 XTP XTP [Greg_Chesson]
37 DDP Datagram Delivery Protocol [Wesley_Craig]
38 IDPR-CMTP IDPR Control Message Transport Proto [Martha_Steenstrup]
39 TP++ TP++ Transport Protocol [Dirk_Fromhein]
40 IL IL Transport Protocol [Dave_Presotto]
41 IPv6 IPv6 encapsulation [RFC2473]
42 SDRP Source Demand Routing Protocol [Deborah_Estrin]
43 IPv6-Route Routing Header for IPv6 Y [Steve_Deering]
44 IPv6-Frag Fragment Header for IPv6 Y [Steve_Deering]
45 IDRP Inter-Domain Routing Protocol [Sue_Hares]
46 RSVP Reservation Protocol [RFC2205][RFC3209][Bob_Braden]
47 GRE Generic Routing Encapsulation [RFC2784][Tony_Li]
48 DSR Dynamic Source Routing Protocol [RFC4728]
49 BNA BNA [Gary Salamon]
50 ESP Encap Security Payload Y [RFC4303]
51 AH Authentication Header Y [RFC4302]
52 I-NLSP Integrated Net Layer Security TUBA [K_Robert_Glenn]
53 SWIPE (deprecated) IP with Encryption [John_Ioannidis]
54 NARP NBMA Address Resolution Protocol [RFC1735]
55 MOBILE IP Mobility [Charlie_Perkins]
56 TLSP Transport Layer Security Protocol using Kryptonet key management [Christer_Oberg]
57 SKIP SKIP [Tom_Markson]
58 IPv6-ICMP ICMP for IPv6 [RFC2460]
59 IPv6-NoNxt No Next Header for IPv6 [RFC2460]
60 IPv6-Opts Destination Options for IPv6 Y [RFC2460]
61 any host internal protocol [Internet_Assigned_Numbers_Authority]
62 CFTP CFTP [Forsdick, H., "CFTP", Network Message, Bolt Beranek and Newman, January 1982.][Harry_Forsdick]
63 any local network [Internet_Assigned_Numbers_Authority]
64 SAT-EXPAK SATNET and Backroom EXPAK [Steven_Blumenthal]
65 KRYPTOLAN Kryptolan [Paul Liu]
66 RVD MIT Remote Virtual Disk Protocol [Michael_Greenwald]
67 IPPC Internet Pluribus Packet Core [Steven_Blumenthal]
68 any distributed file system [Internet_Assigned_Numbers_Authority]
69 SAT-MON SATNET Monitoring [Steven_Blumenthal]
70 VISA VISA Protocol [Gene_Tsudik]
71 IPCV Internet Packet Core Utility [Steven_Blumenthal]
72 CPNX Computer Protocol Network Executive [David Mittnacht]
73 CPHB Computer Protocol Heart Beat [David Mittnacht]
74 WSN Wang Span Network [Victor Dafoulas]
75 PVP Packet Video Protocol [Steve_Casner]
76 BR-SAT-MON Backroom SATNET Monitoring [Steven_Blumenthal]
77 SUN-ND SUN ND PROTOCOL-Temporary [William_Melohn]
78 WB-MON WIDEBAND Monitoring [Steven_Blumenthal]
79 WB-EXPAK WIDEBAND EXPAK [Steven_Blumenthal]
80 ISO-IP ISO Internet Protocol [Marshall_T_Rose]
81 VMTP VMTP [Dave_Cheriton]
82 SECURE-VMTP SECURE-VMTP [Dave_Cheriton]
83 VINES VINES [Brian Horn]
84 TTP Transaction Transport Protocol [Jim_Stevens]
84 IPTM Internet Protocol Traffic Manager [Jim_Stevens]
85 NSFNET-IGP NSFNET-IGP [Hans_Werner_Braun]
86 DGP Dissimilar Gateway Protocol [M/A-COM Government Systems, "Dissimilar Gateway Protocol Specification, Draft Version", Contract no. CS901145, November 16, 1987.][Mike_Little]
87 TCF TCF [Guillermo_A_Loyola]
88 EIGRP EIGRP [RFC7868]
89 OSPFIGP OSPFIGP [RFC1583][RFC2328][RFC5340][John_Moy]
90 Sprite-RPC Sprite RPC Protocol [Welch, B., "The Sprite Remote Procedure Call System", Technical Report, UCB/Computer Science Dept., 86/302, University of California at Berkeley, June 1986.][Bruce Willins]
91 LARP Locus Address Resolution Protocol [Brian Horn]
92 MTP Multicast Transport Protocol [Susie_Armstrong]
93 AX.25 AX.25 Frames [Brian_Kantor]
94 IPIP IP-within-IP Encapsulation Protocol [John_Ioannidis]
95 MICP (deprecated) Mobile Internetworking Control Pro. [John_Ioannidis]
96 SCC-SP Semaphore Communications Sec. Pro. [Howard_Hart]
97 ETHERIP Ethernet-within-IP Encapsulation [RFC3378]
98 ENCAP Encapsulation Header [RFC1241][Robert_Woodburn]
99 any private encryption scheme [Internet_Assigned_Numbers_Authority]
100 GMTP GMTP [[RXB5]]
101 IFMP Ipsilon Flow Management Protocol [Bob_Hinden][November 1995, 1997.]
102 PNNI PNNI over IP [Ross_Callon]
103 PIM Protocol Independent Multicast [RFC7761][Dino_Farinacci]
104 ARIS ARIS [Nancy_Feldman]
105 SCPS SCPS [Robert_Durst]
106 QNX QNX [Michael_Hunter]
107 A/N Active Networks [Bob_Braden]
108 IPComp IP Payload Compression Protocol [RFC2393]
109 SNP Sitara Networks Protocol [Manickam_R_Sridhar]
110 Compaq-Peer Compaq Peer Protocol [Victor_Volpe]
111 IPX-in-IP IPX in IP [CJ_Lee]
112 VRRP Virtual Router Redundancy Protocol [RFC5798]
113 PGM PGM Reliable Transport Protocol [Tony_Speakman]
114 any 0-hop protocol [Internet_Assigned_Numbers_Authority]
115 L2TP Layer Two Tunneling Protocol [RFC3931][Bernard_Aboba]
116 DDX D-II Data Exchange (DDX) [John_Worley]
117 IATP Interactive Agent Transfer Protocol [John_Murphy]
118 STP Schedule Transfer Protocol [Jean_Michel_Pittet]
119 SRP SpectraLink Radio Protocol [Mark_Hamilton]
120 UTI UTI [Peter_Lothberg]
121 SMP Simple Message Protocol [Leif_Ekblad]
122 SM (deprecated) Simple Multicast Protocol [Jon_Crowcroft][draft-perlman-simple-multicast]
123 PTP Performance Transparency Protocol [Michael_Welzl]
124 ISIS over IPv4 [Tony_Przygienda]
125 FIRE [Criag_Partridge]
126 CRTP Combat Radio Transport Protocol [Robert_Sautter]
127 CRUDP Combat Radio User Datagram [Robert_Sautter]
128 SSCOPMCE [Kurt_Waber]
129 IPLT [[Hollbach]]
130 SPS Secure Packet Shield [Bill_McIntosh]
131 PIPE Private IP Encapsulation within IP [Bernhard_Petri]
132 SCTP Stream Control Transmission Protocol [Randall_R_Stewart]
133 FC Fibre Channel [Murali_Rajagopal][RFC6172]
134 RSVP-E2E-IGNORE [RFC3175]
135 Mobility Header Y [RFC6275]
136 UDPLite [RFC3828]
137 MPLS-in-IP [RFC4023]
138 manet MANET Protocols [RFC5498]
139 HIP Host Identity Protocol Y [RFC7401]
140 Shim6 Shim6 Protocol Y [RFC5533]
141 WESP Wrapped Encapsulating Security Payload [RFC5840]
142 ROHC Robust Header Compression [RFC5858]
143-252 Unassigned [Internet_Assigned_Numbers_Authority]
253 Use for experimentation and testing Y [RFC3692]
254 Use for experimentation and testing Y [RFC3692]
255 Reserved [Internet_Assigned_Numbers_Authority]
Netflow on ASA
access-list global_mpc extended permit ip any any
!
flow-export destination inside 192.168.1.13 2055
!
class-map global_class
match access-list global_mpc
!
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
class global_class
flow-export event-type all destination 192.168.1.13
Netflow on Layer 3 switches
mls netflow // enable netflow on PFC (captures statistics for flows routed in hardware)
To see the traffic arriving on the switch ports that belong to VLAN, you need to enable layer 3 Netflow to display the information on the VLAN interface.
Layer 3 Switched Netflow commands:
ip flow ingress // Enables Netflow on SVI interface
ip flow ingresslayer2-switched <vlanX,vlanY,vlanZ> // Enables NetFlow for Layer 2-switched traffic on the PFC
ip flow ingress infer-fields // Capture the input and output interfaces for logical interfaces
Export:
ip flow-export version # <5,9,etc>
ip flow-export destination <IP> <port>
mls flow ip <mask> // configure flow mask on PFC (hardware switched)
This is the list of flow masks available.
source-only — A less-specific flow mask. One entry for each source IP address is maintained. All flows from a given source IP address use this entry.
destination — Like source-only, a less-specific flow mask. One entry for each destination IP address is maintained. All flows to a given destination IP address use this entry.
destination-source — A more-specific flow mask. One entry for each source and destination IP address pair. All flows between same source and destination IP addresses use this entry.
destination-source-interface — A more-specific flow mask. Adds the source VLAN Simple Network Management Protocol (SNMP) ifIndex to the information in the destination-source flow mask.
full — A more-specific flow mask. The PFC creates and maintains a separate cache entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol interfaces.
interface-full — The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full-flow mask.
Here is a diagram that illustrates the different mls masking options available in the Catalyst 6500:
L3 interfaces will need the following command entered in order to flow:
ip flow ingress or ip flow egress or both i suppose depending on your application
Flexible Netflow
Example from Cisco website for inbound and outbound directions:
flow record CUSTOM-FNF-RECORD-IN
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface output
collect transport tcp flags
flow record CUSTOM-FNF-RECORD-OUT
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
collect transport tcp flags
flow monitor CUSTOM-FNF-MONITOR-IN
description DO NOT MODIFY. USED BY LIVEACTION.
exporter CUSTOM-FNF-EXPORTER
cache timeout inactive 10
cache timeout active 60
record CUSTOM-FNF-RECORD-IN
flow monitor CUSTOM-FNF-MONITOR-OUT
description DO NOT MODIFY. USED BY LIVEACTION.
exporter CUSTOM-FNF-EXPORTER
cache timeout inactive 10
cache timeout active 60
record CUSTOM-FNF-RECORD-OUT
vlan configuration 180
ip flow monitor CUSTOM-FNF-MONITOR-IN input
ip flow monitor CUSTOM-FNF-MONITOR-OUT output
To show NetFlow cache:
sh flow monitor <monitor_name> cache format table
sh ip cache flow
sh ip cache verbose flow