Beruflich Dokumente
Kultur Dokumente
Flowc-1.4.3
• System requirements
o Software
o Hardware
• Package structure
o src/
o scripts/
o examples/
o www/
• Installation
o Flowd and web interface installing
o RRD scripts installing
• Cisco router configuration
o Configuring SNMP and NTP
o Configuring Netflow switching
o Configuring Netflow export
• Flowd configuration
o Global parameters
o AS sets
o Routers
o Traffic counters
o IPaddr counters
o AS counters
o flowd.conf example
• ISP billing
o Overview
o Billing strategies
o Netflow database structure
o Customers traffic counters
• Flowc optimization
o MySQL
o Flowd
o Routers flow cache
• Security
o Netflow packets spoofing
o DOS attacks
System requirements
Software
Flowc was tested on FreeBSD 4.* and Linux OS 2.4.*. For storage accumulated Netflow
accounting information it use MySQL. It provides flexible and fast access and data
manipulation. You always have ability to write own SQL request to database for
extracting necessary traffic information. Because Netflow accounting packets contain
SNMP id for routers interface identifying, and interfaces SNMP id may changes
frequently (after router reboot or adding/deleting logical interface), flowc require SNMP
library (UCD-SNMP or /NET-SNMP packages). The best and simplest way for building
traffic reports is using perl scripts and web interface. For this purpose flowc require
Apache HTTP server, PHP4 compiled as apache module and Perl5 with DBI module with
MySQL support. Flowc package contains some predefined most required in real life
traffic reports (perl and php scripts), but you always have ability to modify it for own
purpose. For graphical monitoring flowc parameters (Netflow accounting traffic,
processed flows, flowd routers cache utilization, total routers switched bytes and packets)
flowc use RRD-Tool package.
Hardware
Flowc is lightweight software and it don't require powerful hardware with the exception
MySQL server. MySQL server is most exigent Flowc component, especially for high
volume Netflow accounting traffic. In last case, additional MySQL tunning and Flowc
optimization is needed (see Flowc optimization). For Netflow collector host with flowc
installed you can approximately calculate required hardware resources.
• CPU. Pentium II-300MHz is more than enough for routers with heavy loaded
external links with total capacity up to 10Mbps. For links with total capacity
100Mbps or more Pentium III is required. You need to monitor flowd (flowc
daemon) CPU usage via top utility or Flowc rrd scripts. Flowd CPU usage must
be less than 50%, otherwise netflow packets lost may happen. In my case I have
three routers with total external link capacity about 100Mps. In average, routers
switch 40000 packets per second. My netflow collector running on Celeron
600MHz, and eats 2% CPU.
• Memory
Flowd use memory for flows aggregation (flows cache) and traffic counters. If
physical memory is not enough, flowd swaping occur, as result netflow
accounting packets may be lost if you have high volume of Netflow accounting.
Flowd periodically (by default dump interval is once per hour) flush flows cache
contents to disk. Flow cache size must be enough for storing netflow accounting
during dump interval. Otherwise if flows cache utilization exceed 95% flowd
performs autodump, and dump file growth rapidly. The approximately formula for
calculation flows cache size is 100000 records (40bytes x 100000 = 4Mb) per
1Mbit/s (10000 active flows) heavy loaded external routers interface bandwidth.
The exact value you can obtain by graphical monitoring flowd routers cache
utilization. Standard and ip traffic counters use approximately 160 bytes per filter
string, and AS counter use 512Kbytes of memory.
• Disk space
src/
The src directory contains sources of flowc binaries:
After start, flowd forks in two process. The child process performs Netflow
processing, the parent process look after child process, and restart it after 2
seconds in case of child sudden death.
• loader is a MySQL loader. It loads new records from dump files created by flowd
in MySQL database. After the loader added ordinary record in DB, the
LAST_FILE_OFFSET field in 'routers' table will be incremented. This field
contains last added record offset in router dump file. After start, the loader begins
record load process from that offset. If you created new dump file or rotated old
dump file, the routers.LAST_FILE_OFFSET field must be set to zero for
appropriate router. ("flowd -k rotate" command automatically reset
routers.LAST_FILE_OFFSET field after successlful rotation). MySQL DB must
be created before loader start. The 'routers' table creates automatically by flowd at
startup if it don't exists. The loader must be periodicaly executed via cron.
• Usage: loader [-r router_name [start_date [finish_date
[traf_counters_filename]]]
• start and finish dates have the following format:
yyyymmdd-HHMMSS
• where:
• yyyy - year in four digits presentation
• mm - month (01-12)
• dd - day of month (01-31)
• HH - hours (00-59)
• MM - minutes (00-59)
• SS - seconds (00-59)
NOTE: If you are using partial data loading (with start_date option) the
last_file_offset field in ROUTERS table leaves untouched for specified router.
WARNING! Before running partial data loading, check the timezone settings.
Incorrect timezone settings will be cause of data lost or dublication.
If you want to load data for certain traffic counters (without loading to default
'flows' table and updating last_file_offset field in ROUTERS table) you can list
counters names in external file and use it as foth argument
(traf_counters_filename). It usefull if you have added new traffic counters
(customers) in the middle of a month and want to load data for corresponding
traffic counters flows tables begins from first month day. Because loader creates
lock file for each loading dump file, more than one copy of loader process can run
in any time. Each process will works with one routers dump file.
• counter connects to flowd via UNIX Domain socket, reads and displays internal
traffic counters packets and octets values and flowd statistic. See the flowd.conf
example for configuring traffic counters and examples/ directory if you are going
to graphical traffic representation.
• Usage: counter [-s] [-t] [-i] [-a] [-d]
• options:
• -s - display flowd statistic
• -t - display traffic counters
• -i - display ip address counters
• -a - display AS counters
• -d - display all traffic counters structure
including MySQL counters
• test binds to specified UDP port, listens and displays on terminal content of all
incoming NetFlow packets without any processing. It may be used for debuging
purposes.
• Usage: test -p port
scripts/
The scripts directory contains MySQL scripts.
• upgrade-1.4.3.sql This script used for upgrade database structire from old version
to 1.4.3 version.
examples/
This directory contains examples of scripts.t may be used in real life
• mrtg_rrd/ contains scripts and flowd.conf examples in case if you are going to
implement graphical traffic counters representation via MRTG or RRD Tool
www/
This directory contains scripts for traffic reports, billing web interface and flowd grahicas
monitoring.
• billing web interface to ISP traffic billing system. see the xxxxx for detail
description
• rrd scripts for flowd graphical monitoring. See the xxxxx for detail description
• reports This directory contains scripts used for generation html traffic reports
Installation
• 2. Run configure script. This script check your system and authomaticaly creates
all needed files:
• $ cd flowc-1.4.3
• $ ./configure
•
• The following main options is available:
•
• --prefix=PREFIX install architecture-independent files in
PREFIX
• default prefix is /usr/local/cisco
•
• --with-snmp[=PATH] UCD-SNMP or NET-SNMP package base
directory (configure
• trying to find package is /usr /usr/local
/usr/ucd-snmp
• and /usr/local/ucd-snmp directories)
•
• --with-mysql[=PATH] MySQL base directory (configure trying to
find package
• in /usr /usr/local /usr/mysql and
/usr/local/mysql
• directories)
•
• --with-flowd-conf=PATH flowd config file location.
/etc/flowd.conf is default
•
• --with-web=PATH web interface (reports, billing system)
base directory
•
• --enable-traff-counters enable traffic counters, enabled by
default
•
• --enable-ascii-addr store IP addresses in DB as ASCII,
default is binary
• network byte order (aka big-endian)
•
• --enable-aggregation aggreagtion TCP connection, enabled by
default
•
• --enable-store-ports store TCP/UDP port numbers in database,
enabled by
• default
•
• --enable-store-as store AS numbers in database, disabled by
default
•
• --enable-long-streams use 64-bit digits for storage in DB
packet & octets
• counters for individual flow
(appropriately for routers
• which handle huge traffic). By default
32-bit digits
• --enable-new-dbrotate the name of old flows MySQL DB table
after DB
• rotation based on date (f.e. flows-
20020501-21:00:00)
instead a "flows_old" as in 1.4 and older
releases.
For reducing database disk space I recommend use the binary storage. Also the
binary storage type allows address range manipulation in SQL requests, using
comarison operators ">", "<". But in case of manual SQL database requests, at
first you have to convert an IP address in to binary representation host order (for
details see FAQ). PHP report scripts included in flowc distribution detect storage
type automatically. If information about port numbers is not important for you
(like a classical IP accounting) choose --disable-store-ports or --enable-store-
ports=no option. It reduces the total database size. After start, configure offers
you specify MySQL DB access parameters and authomaticaly builds example of
flowd configuration file: src/flowd.conf, DB structure creator:
scripts/create_tables, report builders (if option --with-reports was specified) :
reports/analyser.pl and reports/config.php3. 32-bit digits used for packet and
octets values storage in DB. Because in real life a single flow (f.e. individual TCP
session) carries traffic less than 4294967295 bytes (2^32), for reduceing database
space 32-bit counters used by default. The --enable-long-streams option in
configure script allows to use 64-bit counters. NOTE: MySQL uses 64-bit digits
for sum() operation, therefore report scripts work correct for 32-bit octets and
packets values summarization.
$ gmake
• 4. Create MySQL database, if it need edit the scripts/create_tables script and run
it. It creates all needed mysql tables and fix mysql access permission for netflow
MySQL user.
• $ mysqladmin -u root -p create netflow
• $ vi scripts/create_tables
• $ scripts/create_tables
• 5. Copy the example of the flowd configuration file generated by configure script
to its location (/etc/flowd.conf is the default location) and edit it. Because the
CISCO NetFlow handle incoming packets only (it is switching tech- nology), you
need to turn "ip route-cache flow" on all interfaces. Also, you need specify
"internal" interfaces, traffic information from wich will be stored.
• $ cp src/flowd.conf /etc
$ vi /etc/flowd.conf
$ gmake install
• 7. If you compiled with --web option, set 'register_globals' option in your system
php.ini file to 'On'.
Before RRD scripts installation, install RRD-Tool package, compile and configure flowd
(describe all needed routers in flowd.conf or MySQL database). Suppose you configure
flowc with --with-web=/usr/local/httpd/netflow option, then installation process will be
look like:
# cd www/rrd
• 2. Edit create.pl, poll.pl and 1day.cgi.pl. May be you need to correct RRD-Tool
base directory (by deault it is /usr/local), path to counter program in poll.pl (by
default it is /usr/local/cisco/bin/counter) and WORKDIR (by default it is
/usr/local/httpd/netflow/rrd).
where router1 router2 ... routerN are routers names as declared in flowd.conf file.
WARNING! Don't use names more than 10 characters, otherwise you will have
problems with RRD.
# cd /usr/local/httpd/netflow/rrd
# sh create.sh
• 8. Restart Apache:
• # apachectl restart
• 11. See results from web browser. You have to see something like this
Flowd configuration
flowd.conf is main configuration file for flowd, loader and counter programs. By default
it locates in /etc directory, but you can change it location via --with-flowd-conf configure
option (see Installation). Flowd.conf is a simple text file. All empty strings are ignored.
All text after '#' character is ignored. All key words is case insensitive. As separator you
can use space or TAB characters. flowd.conf contains following parts, that must be
defined in following order:
Global parameters
AS sets
Routers section
Traffic counters, IPAddr counters, AS counters
Global parameters
Parameter Dafault value Description
debug off The flowd daemon redirects all error messages to
syslog. If debug option in config file is set to 'on',
flowd runs in foreground and all debug information and
error messages will be displayed on the stderr too.
pid_file /var/run/flowd.pid After start, flowd forks in two process. The child
process performs Netf low processing, the parent
process look after child process, and restart it afte r 2
seconds in case of child sudden death. This file
contains process id of the child process.
dump_interval 1 hour how often flowd flush aggregated flows cache in to
dump file (in seconds)
listen_address 0.0.0.0:3000 Format: [address:]port. flowd must be binded for that
ip address and UDP port for listening UDP Netflow
packets from routers.
redirect Format: address:port. Optional parameter. If you
specify it, flowd will send copy of all netflow traffic to
specified host and port. Flowd construct UDP packet,
preserve original source address and source port
number and redirect it to other collector before
processing. It option usefull if you have two netflow
collectors, first for production purpose, the second for
testing purpose. On production collector you need to
configure redirection netflow traffic to test collector.
See the src/flowd.conf for syntax.
db_host MySQL database access settings (MySQL server
db_name hostname or IP address, netflow database name,
db_user userneme and password)
db_passwd
wait_loader on When loader is running all dump files and DB
manipulations are disabled. If wait_loader is 'off', the
"flowd -k rotate" or "flowd -k rotate_db" command
return immediately with appropriative error message. If
wait_loader set to 'on', then the "flowd -k rotate" or
"flowd -k rotate_db" commands will wait loader finish.
load_default on If set to 'on', then loader will be load all data from
dump file to 'flows' SQL table. Otherwise only data
that satisfy traffic_counters with load or load_only
options filter conditions will be load to 'flows' table.
load_tc on loader will be load data from dump file to 'flows' SQL
table in addion to 'flows-trafcounter_name' table if data
satisfy traffic_counter with 'load' or 'load_only' filter
conditions.
server_port well know TCP servers ports more than 1024. They are
used for TCP port aggregation. You can define a lot of
ports, one server_port definition per line.
AS sets
If you have deal with large AS lists, using AS sets is preferable method. You can specify
large AS list once in flowd.conf or external file and apply it to many traffic counters or
external interfaces statements instead src_as or dst_as parameters. AS set store AS list in
sorted order and use binary search algorithm for fast AS lookup. AS set definition must
begins with letter (not from digit or '*' symbol). You can define AS set as list AS
numbers separated by space or TAB or specify external file name that contain AS number
list (one number per line):
as-set name ‹filename› | ASnumber1 ASnumber2 ...
for example:
as-set UA "/etc/ukras.txt"
as-set xxx 13032 3252 3254 6666
Routers
Routers section in flowd.conf describes Netflow enabled routers and must be defined
before any traffic counters statements. It has following syntax:
router ‹router_name›
{
‹parameter1›
‹parameter2›
...
‹parameterN›
}
where parameters are:
Default
Parameter Description
value
data_file File in which flowd dumps aggregated Netflow
accounting information. It is a binary file, it structure
defined in src/global.h (struct Flow). Dump file locked
by flowd after flowd start. loader program use this file as
data source for uploading to MySQL database.
rotate_level Data_file rotation level. After dump files rotation ("flowd
-k rotate"), old dump files will be renamed with ".0"
suffix, a previous ".0" file will be renamed with ".1"
suffix, etc. Rotate_level parameter defines how many
1 backup dump file you can have. For example, if data_file
is /var/flowc/router and rotate_level set to 3, you will
have /var/flowc/router.0, /var/flowc/router.1,
/var/flowc/router.2 files after 3 or more dump files
rotation ("flowd -k rotate")
router_address Router can have a dozen of interfaces, but as source
address in Netflow UDP packets used IP address of
nearest to Netflow collector host (in term of routing)
routers interface, or address of interface specified in "ip
flow-export source " command. After receiveing Netflow
packet, flowd checks router_address parameter for all
routers defined in flowd.conf (and MySQL db). In case
of match, packet will be processed and stored in flows
chache allocated for this router, otherwise packet will be
ignored and warning message in syslog.
community Flowd need to know SNMP Id of all routers interfaces,
because it used as interface identifiers in Netflow
packets. For this purpose flowd read routers SNMP
interface table at startup, if router reboot detected or by
user request ("flowd -k rebuild"). SNMP community
string must be defined the same as on router. For
configuring SNMP see here.
flow_cache_size Flow cache memory size (in records) used for flows
aggregation. The reccomended value is 100000, but you
can increase or decrease it depends of routers traffic. If
no free memory in cache, flowd performs autodump.
This increases dump file size. You need to monitoring
flow cache utilization and adjust this value according
your network traffic.
external_interface1 External interfaces list. It used for minimization stored
external_interface2 netflow information. All packets switched between pair
.......... of Internal interfaces are ignored by flowd. All packets
external_interfaceN switched between Internal-External or External-External
interfaces processed by flowd. External interface
definition has syntax specified bellow:
Parameter Description
interface is a valid external interface defined for this router above
Internet protocols 0 - IP, 1 - ICMP 6 -TCP, 17 - UDP (see the
protocol
/etc/protocols)
In - for incoming packets, Out - for outgoing packets, Any - for any
direction
direction
src_as source AS number. Range 0 to 65535. "*" means any AS number
dst_as destination AS number. Range 0 to 65535. "*" means any AS number
src_AS_Set source AS list (it must defined before in flowd.conf)
dst_AS_Set destination AS list (it must defined before in flowd.conf)
Zero in src_addr, src_port, dst_addr or dst_port fields means a wildcard value (any valid
address or port)
Traffic counters
Traffic counters is a key component of flowc. It consists of traffic filter rules and used for
real time traffic accounting. Also it can be used by the loader program for customers
traffic separation with further loading to specific flows tables. Bytes and packets counters
for traffic counter renewed immediatelly after receiveing Netflow packet from router.
You can fecth bytes and packets counter values accumulated by flowd via 'counter'
program running with '-t' option. You can specify traffic counters by two ways: directly
defined it in flowd.conf or dynamically configured from MySQL DB. The last method
will be explained detail in traffic billling section. In flowd.conf traffic counters defined
the following manner:
traffic_counter name [loader option] [hit action]
{
filter statement1
...
filter statementN
}
where:
Parameter Description
name Traffic counter name, must be unique.
loader option options for loader program, "load" or "load_only". "load" means load data
that satisfy traffic_counter filter conditions from dump file to separate SQL
table "flows-name" instead default table "flows". Traffic counters with
"load_only" used when you want to load data that satisfy traffic_counter
filter conditions from dump file to separate SQL table "flows-name" but
without any flowd processing. Packets and bytes counters for those
counters will be always set to zero. By default no loader option applied.
hit action "stop" means stop processing NetFlow packet by next traffic_counters if
packet satisfy traffic_counter filter conditions. By default no hit actions
applied, it assumes continue processing NetFlow packet by next
traffic_counters.
where:
Parameter Description
router_name is a name of router defined above in routers section
interface is a valid external interface defined for this router above
protocol Internet protocols 0 - IP, 1 - ICMP 6 -TCP, 17 - UDP (see the
/etc/protocols)
direction In - for incoming packets, Out - for outgoing packets, Any - for any
direction
src_as source AS number. Range 0 to 65535. "*" means any AS number
dst_as destination AS number. Range 0 to 65535. "*" means any AS number
src_AS_Set source AS list (it must defined before in flowd.conf)
dst_AS_Set destination AS list (it must defined before in flowd.conf)
match_action Set it to "Stop" if you don't want to account this traffic (ignore this traffic
or by other words immediately exit from this traffic_counter) or "Pass"
otherwise. By default, the "Pass" action assumes.
SRC_NET and DST_NET can be defined in two manner, standard or as address range:
src_addr[/src_masklen] or start_src_addr-end_src_addr
and
dst_addr[/dst_masklen] or start_dst_addr-end_dst_addr
Zero in src_addr, src_port, dst_addr or dst_port fields means a wildcard value (any valid
address or port). You can specify ports range in src_port and dst_port fields. For tarffic
counters example see the flowd.conf examples
IPaddr counters
It intend for realtime IP adress pool traffic calculation on per address basis. It useful if
you have IP address pool (dialup, VPN, ...) and want to implement individual IP address
accounting scheme without using huge amount of standard traffic counters (one traffic
counter for each IP addres from pool). The counter program running with -i option (or
without any options) display ip_addr_counters packets and octets values. IPaddr counters
has following syntax:
ipaddr_counter name side
{
filter statement1
...
filter statementN
}
where:
Parameter Description
name ip address counter name
side Defines "active" side. If it set to "src" then ip addresses from source
address range filter statements will be accounted. Otherwise, if it set to
"dst", destination address range from filter statements will be used. Of
cource, all filter statements must have identical src or dst (depends of side
option) address range portition ("active" address portition). Warning!
Single address used in ip address counter eats 16 bytes of memory, avoid
using large address pools. It adversely affect on system performance.
Note: using whole IPv4 address space (0/0 as address/mask) as active
side for ip address counters prohibited.
filter statement filter statements has the same syntax and meaning as in standard traffic
counters except that all filter statements must has the same structure of
src or dst (depends of side parameter) address portition (other words all
filter statements must use same IP address pool).
AS counters
It intend for realtime traffic accounting on per AS basis. It useful if you want to keep
track in real time per AS traffic flows without using huge amount of standard traffic
counters (65536 counters) The counter program running with -a option (or without any
options) display as_counters packets and octets values. AS counters has following syntax:
as_counter name side
{
filter statement1
...
filter statementN
}
where:
Parameter Description
name AS counter name
side Defines "active" side. If it set to "src" then source AS will be accounted.
Otherwise, if it set to "dst", destination AS numbers be used. Warning!
Single as counter eats 1Mbyte of memory (65536*16), avoid using many
as counter name. It adversely affect on system performance.
filter statement filter statements has the same syntax and meaning as in standard traffic
counters except that all filter statements must has the same structure of
src or dst (depends of side parameter) address portition (other words all
filter statements must use same IP address pool).
flowd.conf example
debug off
pid_file /var/run/flowd.pid
dump_interval 3600
listen_address 3000
redirect 195.19.104.9:5000
db_host db.wolf.tambov.ru
db_name netflow
db_user netflow
db_passwd xxx
wait_loader on
load_default on
load_tc on
as-set UA "/var/flowc/ukras.txt"
as-set ExtAS 6877 13228 6850 3267 5568 9162
router router1
{
data_file /var/flowc/router1.data
rotate_level 3
router_address 1.2.3.4
community public
flow_cache_size 50000
external_interface serial0/4 # main uplink
external_interface serial1/0.1 # backup
external_interface serial1/1
external_interface "ATM1/0.1-aal5 layer"
external_interface "ATM1/0.2-aal5 layer" 193.25.87.0/23 0
0 0 0 any * *
external_interface "ATM1/0.2-aal5 layer" 194.44.0.0/16 0 0
0 0 out * *
}
traffic_counter Customer1_In
{
router1 "ATM1/0.2-aal5 layer" 0 0 193.25.97.151 0 0 in * *
router1 "FastEthernet0/0.11-ISL vLAN subif" 0 0 193.125.79.151
0 0 in * *
router1 ethernet2/1 0 0 193.25.97.178 0 0 in * * Stop
router1 ethernet2/1 0 0 193.25.97.0/27 0 0 in * *
router1 ethernet2/1 0 0 193.25.97.128/29 0 0 in * *
router1 ethernet2/1 0 0 193.25.97.95-193.25.97.99 0 0 in * *
}
traffic_counter HTTP_Out
{
router1 serial1/1 0 80 0 0 6 out
router1 serial1/1 0 8080 0 0 6 out
router1 serial1/1 0 8000 0 0 6 out
}