Evil_TTL> show | s

NetFlow

Category:Cisco Systems -> Routing and Switching

NetFlow-10.JPG

   
ProductStatusPlatform
Orion NetFlow Traffic Analyzer (NTA)ShareWareWindows
PRTG Network MonitorShareWareWindows
NetFlow AnalyzerShareWare/FreeWareWindows,Linux

Also see:

Fluke NetFlow Tracker
Scrutinizer
Flowc
Webview Netflow Reporter
NfSen


Netflow V5 and V9 tester tool by Paessler: File:netflowtester_V2.0_V1.1.1.zip

Netflow on Cisco ISR

ip cef   
interface <if-name>  
  
ip route-cache flow 
  ip flow ingress 
// optional 
  
ip flow egress // optional 
  
no ip mroute-cache // optional 
 
ip flow-export // with parameters like version 5 peer-as bgp-nexthop  
ip flow-export destination 1.2.3.4 9999  (IPport

Another example:

flow exporter NETFLOW_EXPORTER_1
 destination 1.2.3.4
 source Loopback0
 transport udp 2055
 export
-protocol netflow-v5

flow exporter NETFLOW_EXPORTER_2
 destination 5.6.7.8
 source Loopback0
 transport udp 2055
 export
-protocol netflow-v5

flow monitor NETFLOW_TOOLS
 exporter NETFLOW_EXPORTER_1
 exporter NETFLOW_EXPORTER_2
 cache timeout active 60
 record netflow
-original

interface GigabitEthernet0/0/0
 ip flow monitor NETFLOW_TOOLS input
 ip flow monitor NETFLOW_TOOLS output 

IANA Assigned Internet Protocol Numbers:

0 HOPOPT IPv6 Hop-by-Hop Option Y [RFC2460]
1 ICMP Internet Control Message  [RFC792]
2 IGMP Internet Group Management  [RFC1112]
3 GGP Gateway
-to-Gateway  [RFC823]
4 IPv4 IPv4 encapsulation  [RFC2003]
5 ST Stream  [RFC1190][RFC1819]
6 TCP Transmission Control  [RFC793]
7 CBT CBT  [Tony_Ballardie]
8 EGP Exterior Gateway Protocol  [RFC888][David_Mills]
9 IGP any 
private interior gateway (used by Cisco for their IGRP)  [Internet_Assigned_Numbers_Authority]
10 BBN
-RCC-MON BBN RCC Monitoring  [Steve_Chipman]
11 NVP
-II Network Voice Protocol  [RFC741][Steve_Casner]
12 PUP PUP  [Boggs
D., JShochETaft, and RMetcalfe"PUP: An Internetwork Architecture"XEROX Palo Alto Research CenterCSL-79-10July 1979also in IEEE Transactions on CommunicationVolume COM-28Number 4April 1980.][[XEROX]]
13 ARGUS 
(deprecatedARGUS  [Robert_W_Scheifler]
14 EMCON EMCON  [
<mystery contact>]
15 XNET Cross Net Debugger  [Haverty
J., "XNET Formats for Internet Protocol Version 4"IEN 158October 1980.][Jack_Haverty]
16 CHAOS Chaos  [J_Noel_Chiappa]
17 UDP User Datagram  [RFC768][Jon_Postel]
18 MUX Multiplexing  [Cohen
D. and JPostel"Multiplexing Protocol"IEN 90USC/Information Sciences InstituteMay 1979.][Jon_Postel]
19 DCN
-MEAS DCN Measurement Subsystems  [David_Mills]
20 HMP Host Monitoring  [RFC869][Bob_Hinden]
21 PRM Packet Radio Measurement  [Zaw_Sing_Su]
22 XNS
-IDP XEROX NS IDP  ["The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification"AA-K759B-TKDigital Equipment CorporationMaynardMAAlso as: "The Ethernet - A Local Area Network"Version 1.0Digital Equipment CorporationIntel CorporationXerox CorporationSeptember 1980. And: "The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specifications"DigitalIntel and XeroxNovember 1982. And: XEROX"The Ethernet, A Local Area Network: Data Link Layer and Physical Layer Specification"X3T51/80-50Xerox CorporationStamfordCT., October 1980.][[XEROX]]
23 TRUNK
-1 Trunk-1  [Barry_Boehm]
24 TRUNK
-2 Trunk-2  [Barry_Boehm]
25 LEAF
-1 Leaf-1  [Barry_Boehm]
26 LEAF
-2 Leaf-2  [Barry_Boehm]
27 RDP Reliable Data Protocol  [RFC908][Bob_Hinden]
28 IRTP Internet Reliable Transaction  [RFC938][Trudy_Miller]
29 ISO
-TP4 ISO Transport Protocol Class 4  [RFC905][<mystery contact>]
30 NETBLT Bulk Data Transfer Protocol  [RFC969][David_Clark]
31 MFE
-NSP MFE Network Services Protocol  [ShuttleworthB., "A Documentary of MFENet, a National Computer Network"UCRL-52317Lawrence Livermore LabsLivermoreCaliforniaJune 1977.][Barry_Howard]
32 MERIT
-INP MERIT Internodal Protocol  [Hans_Werner_Braun]
33 DCCP Datagram Congestion Control Protocol  [RFC4340]
34 3PC Third Party Connect Protocol  [Stuart_A_Friedberg]
35 IDPR Inter
-Domain Policy Routing Protocol  [Martha_Steenstrup]
36 XTP XTP  [Greg_Chesson]
37 DDP Datagram Delivery Protocol  [Wesley_Craig]
38 IDPR
-CMTP IDPR Control Message Transport Proto  [Martha_Steenstrup]
39 TP
++ TP++ Transport Protocol  [Dirk_Fromhein]
40 IL IL Transport Protocol  [Dave_Presotto]
41 IPv6 IPv6 encapsulation  [RFC2473]
42 SDRP Source Demand Routing Protocol  [Deborah_Estrin]
43 IPv6
-Route Routing Header for IPv6 Y [Steve_Deering]
44 IPv6
-Frag Fragment Header for IPv6 Y [Steve_Deering]
45 IDRP Inter
-Domain Routing Protocol  [Sue_Hares]
46 RSVP Reservation Protocol  [RFC2205][RFC3209][Bob_Braden]
47 GRE Generic Routing Encapsulation  [RFC2784][Tony_Li]
48 DSR Dynamic Source Routing Protocol  [RFC4728]
49 BNA BNA  [Gary Salamon]
50 ESP Encap Security Payload Y [RFC4303]
51 AH Authentication Header Y [RFC4302]
52 I
-NLSP Integrated Net Layer Security TUBA  [K_Robert_Glenn]
53 SWIPE 
(deprecatedIP with Encryption  [John_Ioannidis]
54 NARP NBMA Address Resolution Protocol  [RFC1735]
55 MOBILE IP Mobility  [Charlie_Perkins]
56 TLSP Transport Layer Security Protocol using Kryptonet key management  [Christer_Oberg]
57 SKIP SKIP  [Tom_Markson]
58 IPv6
-ICMP ICMP for IPv6  [RFC2460]
59 IPv6
-NoNxt No Next Header for IPv6  [RFC2460]
60 IPv6
-Opts Destination Options for IPv6 Y [RFC2460]
61  any host internal protocol  [Internet_Assigned_Numbers_Authority]
62 CFTP CFTP  [Forsdick
H., "CFTP"Network MessageBolt Beranek and NewmanJanuary 1982.][Harry_Forsdick]
63  any local network  [Internet_Assigned_Numbers_Authority]
64 SAT
-EXPAK SATNET and Backroom EXPAK  [Steven_Blumenthal]
65 KRYPTOLAN Kryptolan  [Paul Liu]
66 RVD MIT Remote Virtual Disk Protocol  [Michael_Greenwald]
67 IPPC Internet Pluribus Packet Core  [Steven_Blumenthal]
68  any distributed file system  [Internet_Assigned_Numbers_Authority]
69 SAT
-MON SATNET Monitoring  [Steven_Blumenthal]
70 VISA VISA Protocol  [Gene_Tsudik]
71 IPCV Internet Packet Core Utility  [Steven_Blumenthal]
72 CPNX Computer Protocol Network Executive  [David Mittnacht]
73 CPHB Computer Protocol Heart Beat  [David Mittnacht]
74 WSN Wang Span Network  [Victor Dafoulas]
75 PVP Packet Video Protocol  [Steve_Casner]
76 BR
-SAT-MON Backroom SATNET Monitoring  [Steven_Blumenthal]
77 SUN
-ND SUN ND PROTOCOL-Temporary  [William_Melohn]
78 WB
-MON WIDEBAND Monitoring  [Steven_Blumenthal]
79 WB
-EXPAK WIDEBAND EXPAK  [Steven_Blumenthal]
80 ISO
-IP ISO Internet Protocol  [Marshall_T_Rose]
81 VMTP VMTP  [Dave_Cheriton]
82 SECURE
-VMTP SECURE-VMTP  [Dave_Cheriton]
83 VINES VINES  [Brian Horn]
84 TTP Transaction Transport Protocol  [Jim_Stevens]
84 IPTM Internet Protocol Traffic Manager  [Jim_Stevens]
85 NSFNET
-IGP NSFNET-IGP  [Hans_Werner_Braun]
86 DGP Dissimilar Gateway Protocol  [M
/A-COM Government Systems"Dissimilar Gateway Protocol Specification, Draft Version"Contract noCS901145November 161987.][Mike_Little]
87 TCF TCF  [Guillermo_A_Loyola]
88 EIGRP EIGRP  [RFC7868]
89 OSPFIGP OSPFIGP  [RFC1583][RFC2328][RFC5340][John_Moy]
90 Sprite
-RPC Sprite RPC Protocol  [WelchB., "The Sprite Remote Procedure Call System"Technical ReportUCB/Computer Science Dept., 86/302University of California at BerkeleyJune 1986.][Bruce Willins]
91 LARP Locus Address Resolution Protocol  [Brian Horn]
92 MTP Multicast Transport Protocol  [Susie_Armstrong]
93 AX.25 AX.25 Frames  [Brian_Kantor]
94 IPIP IP
-within-IP Encapsulation Protocol  [John_Ioannidis]
95 MICP 
(deprecatedMobile Internetworking Control Pro.  [John_Ioannidis]
96 SCC
-SP Semaphore Communications SecPro.  [Howard_Hart]
97 ETHERIP Ethernet
-within-IP Encapsulation  [RFC3378]
98 ENCAP Encapsulation Header  [RFC1241][Robert_Woodburn]
99  any 
private encryption scheme  [Internet_Assigned_Numbers_Authority]
100 GMTP GMTP  [[RXB5]]
101 IFMP Ipsilon Flow Management Protocol  [Bob_Hinden][November 1995
1997.]
102 PNNI PNNI over IP  [Ross_Callon]
103 PIM Protocol Independent Multicast  [RFC7761][Dino_Farinacci]
104 ARIS ARIS  [Nancy_Feldman]
105 SCPS SCPS  [Robert_Durst]
106 QNX QNX  [Michael_Hunter]
107 A
/N Active Networks  [Bob_Braden]
108 IPComp IP Payload Compression Protocol  [RFC2393]
109 SNP Sitara Networks Protocol  [Manickam_R_Sridhar]
110 Compaq
-Peer Compaq Peer Protocol  [Victor_Volpe]
111 IPX
-in-IP IPX in IP  [CJ_Lee]
112 VRRP Virtual Router Redundancy Protocol  [RFC5798]
113 PGM PGM Reliable Transport Protocol  [Tony_Speakman]
114  any 0
-hop protocol  [Internet_Assigned_Numbers_Authority]
115 L2TP Layer Two Tunneling Protocol  [RFC3931][Bernard_Aboba]
116 DDX D
-II Data Exchange (DDX)  [John_Worley]
117 IATP Interactive Agent Transfer Protocol  [John_Murphy]
118 STP Schedule Transfer Protocol  [Jean_Michel_Pittet]
119 SRP SpectraLink Radio Protocol  [Mark_Hamilton]
120 UTI UTI  [Peter_Lothberg]
121 SMP Simple Message Protocol  [Leif_Ekblad]
122 SM 
(deprecatedSimple Multicast Protocol  [Jon_Crowcroft][draft-perlman-simple-multicast]
123 PTP Performance Transparency Protocol  [Michael_Welzl]
124 ISIS over IPv4   [Tony_Przygienda]
125 FIRE   [Criag_Partridge]
126 CRTP Combat Radio Transport Protocol  [Robert_Sautter]
127 CRUDP Combat Radio User Datagram  [Robert_Sautter]
128 SSCOPMCE   [Kurt_Waber]
129 IPLT   [[Hollbach]]
130 SPS Secure Packet Shield  [Bill_McIntosh]
131 PIPE 
Private IP Encapsulation within IP  [Bernhard_Petri]
132 SCTP Stream Control Transmission Protocol  [Randall_R_Stewart]
133 FC Fibre Channel  [Murali_Rajagopal][RFC6172]
134 RSVP
-E2E-IGNORE   [RFC3175]
135 Mobility Header  Y [RFC6275]
136 UDPLite   [RFC3828]
137 MPLS
-in-IP   [RFC4023]
138 manet MANET Protocols  [RFC5498]
139 HIP Host Identity Protocol Y [RFC7401]
140 Shim6 Shim6 Protocol Y [RFC5533]
141 WESP Wrapped Encapsulating Security Payload  [RFC5840]
142 ROHC Robust Header Compression  [RFC5858]
143
-252  Unassigned  [Internet_Assigned_Numbers_Authority]
253  
Use for experimentation and testing Y [RFC3692]
254  
Use for experimentation and testing Y [RFC3692]
255 Reserved   [Internet_Assigned_Numbers_Authority] 

Netflow on ASA

access-list global_mpc extended permit ip any any
!
flow-export destination inside 192.168.1.13 2055
!
class-
map global_class
  match access
-list global_mpc
!
policy-map global_policy
  
class inspection_default
   inspect dns migrated_dns_map_1
     inspect ftp
     inspect h323 h225
     inspect h323 ras
     inspect netbios
     inspect rsh
     inspect rtsp
     inspect skinny
     inspect esmtp
     inspect sqlnet
     inspect sunrpc
     inspect tftp
     inspect sip
     inspect xdmcp
     inspect icmp
  
class global_class
   flow
-export event-type all destination 192.168.1.13 

Netflow on Layer 3 switches

mls netflow  // enable netflow on PFC (captures statistics for flows routed in hardware) 

To see the traffic arriving on the switch ports that belong to VLAN, you need to enable layer 3 Netflow to display the information on the VLAN interface.

Layer 3 Switched Netflow commands:

ip flow ingress  // Enables Netflow on SVI interface
ip flow ingresslayer2-switched <vlanX,vlanY,vlanZ// Enables NetFlow for Layer 2-switched traffic on the PFC
ip flow ingress infer-fields // Capture the input and output interfaces for logical interfaces 

Export:

ip flow-export version # <5,9,etc>
ip flow-export destination <IP> <port
mls flow ip <mask>  // configure flow mask on PFC (hardware switched) 

This is the list of flow masks available.

source-only — A less-specific flow mask. One entry for each source IP address is maintained. All flows from a given source IP address use this entry.
destination — Like source-only, a less-specific flow mask. One entry for each destination IP address is maintained. All flows to a given destination IP address use this entry.
destination-source — A more-specific flow mask. One entry for each source and destination IP address pair. All flows between same source and destination IP addresses use this entry.
destination-source-interface — A more-specific flow mask. Adds the source VLAN Simple Network Management Protocol (SNMP) ifIndex to the information in the destination-source flow mask.
full — A more-specific flow mask. The PFC creates and maintains a separate cache entry for each IP flow. A full entry includes the source IP address, destination IP address, protocol, and protocol interfaces.
interface-full — The most-specific flow mask. Adds the source VLAN SNMP ifIndex to the information in the full-flow mask.

Here is a diagram that illustrates the different mls masking options available in the Catalyst 6500:

Neflow_6500.jpg

L3 interfaces will need the following command entered in order to flow:
ip flow ingress or ip flow egress or both i suppose depending on your application

Flexible Netflow

Example from Cisco website for inbound and outbound directions:

flow record CUSTOM-FNF-RECORD-IN
 match flow direction
 match 
interface input
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination
-port
 match transport source
-port
 collect counter bytes
 collect counter packets
 collect 
interface output
 collect transport tcp flags

flow record CUSTOM
-FNF-RECORD-OUT
 match flow direction
 match 
interface output
 match ipv4 destination address
 match ipv4 protocol
 match ipv4 source address
 match ipv4 tos
 match transport destination
-port
 match transport source
-port
 collect counter bytes
 collect counter packets
 collect 
interface input
 collect transport tcp flags

flow monitor CUSTOM
-FNF-MONITOR-IN
 description 
DO NOT MODIFYUSED BY LIVEACTION.
 
exporter CUSTOM-FNF-EXPORTER
 cache timeout inactive 10
 cache timeout active 60
 record CUSTOM
-FNF-RECORD-IN

flow monitor CUSTOM
-FNF-MONITOR-OUT
 description 
DO NOT MODIFYUSED BY LIVEACTION.
 
exporter CUSTOM-FNF-EXPORTER
 cache timeout inactive 10
 cache timeout active 60
 record CUSTOM
-FNF-RECORD-OUT

vlan configuration 180
 ip flow monitor CUSTOM
-FNF-MONITOR-IN input
 ip flow monitor CUSTOM
-FNF-MONITOR-OUT output 

To show NetFlow cache:

sh flow monitor <monitor_namecache format table
sh ip cache flow
sh ip cache verbose flow 
By privilege15