Thursday 27 April 2017

Hacky on-the-spot netflow

Sometimes it would be really useful to see what flows are active over a link, i.e. what is talking to what, but you don't have a netflow collector available (or the time to set one up). I was in this situation recently and discovered that it's possible to get most of the useful information out of netflow using just a Linux box and some scripting. Easy peasy.

1 - Configure Netflow on the Router / Firewall


There's not much to say about this; it varies from platform to platform and vendor to vendor, but you just need to set the device up to export NetFlow version 5 to your "collector" box (x.x.x.x below is the collector's address, yyyy the UDP port you pick). Bear in mind that NetFlow v5 is plain, unauthenticated UDP: anything that can reach that port can inject made-up flow records into your capture, so keep the collector behind a host firewall or ACL that only admits the exporter. Both examples below use sampling, so the packet and byte counts in each record cover sampled packets only.

A couple of examples:

Older IOS (12.x):


mls flow ip interface-full
ip flow-export version 5
ip flow-export destination x.x.x.x yyyy
interface Gix/x
  ip flow ingress
  mls netflow sampling

Juniper SRX:


set system ntp server pool.ntp.org
set interfaces fe-0/0/1 unit 0 family inet sampling input
set interfaces fe-0/0/1 unit 0 family inet sampling output
set forwarding-options sampling input rate 1024
set forwarding-options sampling family inet output flow-server x.x.x.x port yyyy
set forwarding-options sampling family inet output flow-server x.x.x.x version 5


2 - Capture the Netflow Packets


Use tcpdump / tshark / wireshark / whatever to capture the packets on the "collector" box. The one thing to be careful of is the snapshot length: a v5 export packet carries up to 30 flow records (1464 bytes of UDP payload), so if tcpdump slices packets you silently lose most of the flows in each one. Tell it to keep whole packets, e.g.:

tcpdump -i eth0 -s 0 -w capfile.cap udp port yyyy and not icmp

The capture can be done on any box your exporter can reach, as long as you can get the file back to a *nix box with tshark installed; if tshark is on the capture box you can dump the flows there directly. (The "and not icmp" in the filter is redundant, since "udp port" already matches only UDP, but it does no harm.)

3 - Dump the Flow Data with tshark


This can be done on the collector box if tshark is available, or anywhere else you can copy the file to. Basically we ask tshark to dump out the verbose packet contents, then use standard *nix utilities to mangle the output:

tshark -r capfile.cap -nnV | grep -e '       \(...Addr:\|...Port:\|Protocol:\)' | tr '\n' ' ' | sed 's/       SrcAddr:/\n/g;' | awk '{print $1 "\t" $4 "\t" $7 "\t" $9 "\t" $10 $11}' | sed 's/Protocol:6/TCP/g; s/Protocol:17/UDP/g; s/Protocol:1/ICMP/g;'

This prints out the flows as reported by your router / firewall in tab separated columns as follows: Source IP, Destination IP, Source port, Destination port, IP Protocol. The awk field numbers depend on exactly how your tshark version lays out the -V output, so if the columns come out shifted, look at the raw "tshark -nnV" output and adjust them. A less fragile option is tshark's "-T fields -e cflow.srcaddr -e cflow.dstaddr -e cflow.srcport -e cflow.dstport -e cflow.protocol" mode, although it then prints every record from one export packet on a single comma-joined line.

For example:

192.168.10.10  10.10.100.99    24010   53      UDP
192.168.8.14   10.10.100.4     0       771     ICMP
172.16.44.9    10.10.100.86    54832   443     TCP



Of course this can be tailored to match whatever fields interest you (for example you may want to include ingress and egress interfaces to show traffic direction, or byte counts to get an idea of flow size) but this will cover the basics. Two things to keep in mind when reading the output: with a sampled exporter like the ones configured above, the packet and byte counts need multiplying by the sampling rate to estimate real volume; and for ICMP the "port" columns are not ports, because the exporter packs the ICMP type and code into the destination port field as type * 256 + code (so the 771 above is 0x0303, destination unreachable / port unreachable).
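If tshark isn't to hand at all, the same job can be done with a short Python script, because NetFlow v5 is a fixed-layout binary format: a 24-byte header followed by up to thirty 48-byte records. The script below is an added example rather than the post's own pipeline. It reads the tcpdump file from step 2 directly, pulls out the UDP datagrams sent to the collector port, decodes each record and prints the same five tab-separated columns, and it also does two things the tshark one-liner does not: it scales the sampled byte counts by the interval the exporter reports in the header (if it fills it in), and it unpacks the ICMP type/code from the destination port field. The filename and port come from the command line; build_v5_packet and build_pcap exist only to fabricate a test capture, and the 10.0.0.x hosts and MAC addresses in it are made up.

```python
"""Decode NetFlow v5 export packets straight out of a tcpdump capture file.

Added example, not the original post's pipeline. Assumes a classic libpcap
file (what tcpdump -w writes) carrying Ethernet/IPv4/UDP around plain
NetFlow v5; pcapng, VLAN-tagged frames and IPv6 transport are skipped.
Usage: python3 nf5dump.py capfile.cap <collector udp port>
"""
import socket
import struct
import sys

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# libpcap magic numbers: microsecond and nanosecond variants, both byte orders
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


def parse_netflow_v5(payload):
    """Decode one v5 export datagram into a list of flow dicts; anything that is
    not well-formed v5 yields [] instead of an exception (stray datagrams happen)."""
    if len(payload) < V5_HEADER.size:
        return []
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        return []
    interval = sampling & 0x3FFF          # low 14 bits: sampling interval, 0 = unsampled
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        if off + V5_RECORD.size > len(payload):
            break                         # truncated export, e.g. captured with a small snaplen
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = \
            V5_RECORD.unpack_from(payload, off)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": PROTO_NAMES.get(proto, str(proto)),
            # for ICMP the exporter packs type*256+code into the dst port field
            "icmp": (dport >> 8, dport & 0xFF) if proto == 1 else None,
            "in_if": in_if, "out_if": out_if, "tcp_flags": flags, "packets": pkts,
            "octets": octets,
            # sampled counters scaled back up, if the exporter reported its interval
            "est_octets": octets * (interval or 1),
        })
    return records


def udp_payloads(data, port):
    """Yield the payload of every UDP datagram sent to `port` in a pcap buffer."""
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not supported)")
    pos = 24                              # skip the global header
    while pos + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or len(ip) < ihl + 8:
            continue                      # not UDP, or header cut short
        udp = ip[ihl:]
        dport, udp_len = struct.unpack_from("!HH", udp, 2)
        if dport == port:
            yield udp[8:udp_len]          # bounded by the UDP length, not Ethernet padding


def format_record(r):
    """One flow as the post's tab-separated src, dst, sport, dport, proto line."""
    return "\t".join(str(r[k]) for k in ("src", "dst", "sport", "dport", "proto"))


def build_v5_packet(flows, sampling_interval=0):
    """Constructed test input: a v5 export built from (src, dst, sport, dport,
    proto, octets) tuples; uptime, timestamps, AS numbers and masks stay zero."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                       1, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, octets in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_interval) + body


def build_pcap(payloads, port):
    """Constructed test input: each payload wrapped in Ethernet/IPv4/UDP inside a
    little-endian pcap (made-up 10.0.0.x hosts and MACs, checksums left at zero)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        udp = struct.pack("!HHHH", 40000, port, 8 + len(p), 0) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")) + udp
        frame = b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    cap = open(sys.argv[1], "rb").read()
    for datagram in udp_payloads(cap, int(sys.argv[2])):
        for rec in parse_netflow_v5(datagram):
            print(format_record(rec))
```

The truncation check in parse_netflow_v5 is the code-level version of the -s 0 warning from step 2: an export packet cut short by the snaplen still decodes, but every record past the cut is silently gone, which is exactly why the capture has to keep whole packets. The payload is sliced by the UDP length field rather than the frame length so that Ethernet padding on short frames never gets fed to the decoder.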