Saturday, May 19, 2007

Argus 3.0: Cisco Netflow

Cisco Netflow was originally invented to speed up routing through its flow cache, but it has turned out to be very useful in other areas, and today Netflow data is used for many different purposes. One of my interests is examining network flow data to track malicious events, but you are free to do any kind of interesting research with the Netflow data in hand.

Cisco has improved its IOS and added new features, and I have found a few new Netflow features that look pretty interesting to me because they let you capture more useful information. The most commonly used Netflow version is 5. I would like to try out version 9 (shiny? If any of you use version 9, I would like to hear from you); however, argus doesn't identify Netflow version 9 yet, so I stay with the solid Netflow version 5. So here I start to export Cisco Netflow data to the argus collector (probe). I log in to the Cisco router and run the following commands -

ios#config t
ios(config)#ip flow-capture packet-length
ios(config)#ip flow-capture ttl
ios(config)#ip flow-capture icmp
ios(config)#ip flow-capture ip-id

I choose to export the Netflow version 5 data from network interface GigabitEthernet 0/0 to my argus collector (port 9996).

ios(config)#ip flow-export source GigabitEthernet0/0
ios(config)#ip flow-export version 5
ios(config)#ip flow-export destination 9996
ios(config)#ip flow-top-talkers
ios(config)#interface GigabitEthernet 0/0

Enable it on interface GigabitEthernet 0/0 for both ingress and egress flows -

ios(config-if)#ip route-cache flow
ios(config-if)#ip flow ingress
ios(config-if)#ip flow egress

Save it so that it survives a reboot -

ios#copy run start

Once I have done the Cisco router configuration part, I log in to my argus collector and do the following -

shell>rasplit -CS 9996 -M time 60m -n \
-w /nsm/argus/log/Net-DMZ/%Y/%m/%d/argus_%H:%M:%S

rasplit is one of the argus client tools; it splits the resulting output into consecutive sections of records based on different criteria. The option -CS 9996 tells it to take its input from port 9996 and to treat that input as Cisco Netflow rather than native argus records. The interesting thing here is that it splits the data hourly (-M time 60m) and logs each hour to its respective directory.
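To show what the collector is actually decoding once it is told the input is Cisco Netflow, here is an added Python example (not code from this post or from the argus project): a parser for the Netflow version 5 export datagram, which rejects any other version the way argus currently does, plus a check on the header's flow sequence number that reveals export datagrams lost between the router and the collector. The two sample datagrams are constructed inside the block; the addresses, ports and the 102-to-105 sequence gap are made up for the illustration.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 export datagram: 24-byte header, then up to 30 fixed 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version count uptime secs nsecs flow_seq engine_type engine_id sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
Flow = namedtuple("Flow", "src dst sport dport proto packets octets tcp_flags")

def parse_v5(datagram):
    """Return (flow_sequence, [Flow, ...]); anything that is not version 5 is rejected."""
    version, count, _up, _secs, _ns, seq, _et, _eid, _samp = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r = src dst nexthop in out dPkts dOctets first last sport dport pad flags prot tos as as masks pad
        flows.append(Flow(socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),
                          r[9], r[10], r[13], r[5], r[6], r[12]))
    return seq, flows

class SequenceTracker:
    """flow_sequence counts flows exported so far; a jump between datagrams means export packets were lost (UDP)."""
    def __init__(self):
        self.expected = None
    def check(self, seq, count):
        lost = 0 if self.expected is None else seq - self.expected
        self.expected = seq + count
        return lost

def build_v5(seq, records):  # constructed exporter output: (src, dst, sport, dport, proto, pkts, octets, flags)
    hdr = V5_HEADER.pack(5, len(records), 123456, 1179532800, 0, seq, 0, 0, 0)
    body = b"".join(V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                                   pk, oc, 1000, 2000, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, pk, oc, fl in records)
    return hdr + body

SAMPLE = [build_v5(100, [("192.0.2.10", "198.51.100.5", 40123, 22, 6, 12, 1840, 0x1b),
                         ("192.0.2.10", "198.51.100.5", 40124, 23, 6, 1, 60, 0x02)]),
          build_v5(105, [("192.0.2.11", "198.51.100.9", 53, 53, 17, 1, 80, 0)])]  # constructed; seq 102 -> 105

def collect(datagrams):  # returns [(flows lost before this datagram, flows)]
    tracker, out = SequenceTracker(), []
    for dg in datagrams:
        seq, flows = parse_v5(dg)
        out.append((tracker.check(seq, len(flows)), flows))
    return out
```

Run on the constructed sample, the second datagram reports three flows lost before it, which is exactly the kind of gap a collector should log so that a quiet period in the flow data is not mistaken for a quiet period on the network.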

To read the Netflow data, all you need to do is change to the directory /nsm/argus/log/Net-DMZ/2007/05/19 (today's date) and read the files with ra or racluster.

All for now, have fun with the flow!

Cheers (;])


Anonymous said...

So what does the output look like? What version of IOS did you run this on?

Mustafa AKSU said...

Yes, you will feel blind without it after you start to use NetFlow. It is your network and of course you want to know what is going on in it. But Cisco has a surprise for us. NetFlow is not supported on all devices. Please have a look at this NetFlow supported platforms

sodut said...

hello there!
nice post BTW.

I'm a newbie in Linux and I would like to know about your netflow collector, argus.

How do you develop it?

Please have a look at my blog and review my writings under the Final IT project tag