
NetFlow Cheat Sheet

Overview

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network flow data. A flow is defined as a unidirectional sequence of packets sharing common properties: source/destination IP, source/destination port, IP protocol, type of service, and input interface. Routers and switches export flow records to a collector, providing detailed visibility into who is communicating, what protocols are being used, and how much bandwidth is consumed. NetFlow is the industry standard for network traffic accounting and analysis.

NetFlow has evolved through several versions: v1 (original), v5 (most widely deployed, fixed format), v9 (template-based, flexible), and IPFIX (Internet Protocol Flow Information Export, standardized version of v9). While NetFlow is a Cisco technology, similar protocols exist from other vendors including J-Flow (Juniper), sFlow (multi-vendor, sampled), and NetStream (Huawei). NetFlow data is essential for bandwidth monitoring, capacity planning, security analysis, DDoS detection, forensics, billing, and compliance. Popular collectors include nfsen, ntopng, SolarWinds, PRTG, and ElastiFlow.
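Added illustration (not part of the original cheat sheet) of the fixed v5 record layout that the `ip flow-export version 5` configuration further down produces: a small Python parser that validates the header, decodes each 48-byte record into the flow key fields listed above, and applies the header's sampling interval, the multiplier the troubleshooting table refers to. The datagram it decodes is constructed in the block, not a real capture.

```python
import socket
import struct

# NetFlow v5 datagram (network byte order): 24-byte header, then up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one v5 export datagram; raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Top 2 bits of the sampling field are the mode, low 14 bits the 1-in-N interval (0 = unsampled).
    interval = (sampling & 0x3FFF) or 1
    header = {"sequence": flow_seq, "uptime_ms": sys_uptime, "export_time": unix_secs,
              "engine": (engine_type, engine_id), "sampling_interval": interval}
    flows = []
    for i in range(count):
        (sa, da, _nh, in_if, out_if, pkts, octets, first, last, sp, dp, _pad1, tcp_flags,
         proto, tos, _sas, _das, _smask, _dmask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(sa), "dst": socket.inet_ntoa(da),
                      "sport": sp, "dport": dp, "proto": proto, "tos": tos, "in_if": in_if,
                      "out_if": out_if, "tcp_flags": tcp_flags, "packets": pkts,
                      "bytes": octets, "duration_ms": last - first,
                      "bytes_est": octets * interval})  # volume estimate under 1-in-N sampling
    return {"header": header, "flows": flows}

def build_v5_datagram(flows: list, sampling_interval: int = 0) -> bytes:
    """Construct a v5 datagram for testing (constructed, not a capture); each flow is
    (src, dst, sport, dport, proto, tcp_flags, packets, octets, duration_ms)."""
    hdr = V5_HEADER.pack(5, len(flows), 120000, 1705320000, 0, 1, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(sa), socket.inet_aton(da), socket.inet_aton("10.0.0.254"),
                       1, 2, pkts, octets, 100000, 100000 + dur, sp, dp, 0, flags, proto, 0,
                       65000, 65001, 24, 8, 0)
        for sa, da, sp, dp, proto, flags, pkts, octets, dur in flows)
    return hdr + body

# Constructed input: a sampled (1:100) HTTPS session and a single DNS query from one host.
SAMPLE = build_v5_datagram([
    ("192.168.1.100", "10.0.0.1", 51234, 443, 6, 0x18, 10, 8400, 2500),
    ("192.168.1.100", "10.0.0.53", 40001, 53, 17, 0, 1, 72, 0),
], sampling_interval=100)
```

Feeding `parse_netflow_v5` the payload of each UDP datagram received on port 2055 gives the same fields nfdump later prints; a collector that ignores the sampling interval under-reports volume by that factor.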

Installation (Collector Tools)

nfdump/nfsen (Linux)

# Install nfdump (collector and analysis tool)
sudo apt update
sudo apt install nfdump

# Install nfsen (web frontend for nfdump)
sudo apt install nfsen

# Verify
nfcapd -V
nfdump -V

GoFlow2 (Modern Collector)

# Install GoFlow2
go install github.com/netsampler/goflow2@latest

# Or download binary
wget https://github.com/netsampler/goflow2/releases/latest/download/goflow2-linux-amd64
chmod +x goflow2-linux-amd64
sudo mv goflow2-linux-amd64 /usr/local/bin/goflow2

softflowd (NetFlow Generator from pcap)

# Generate NetFlow from packet capture
sudo apt install softflowd

# Generate from live interface
sudo softflowd -i eth0 -n 127.0.0.1:2055

# Generate from pcap file
sudo softflowd -r capture.pcap -n 127.0.0.1:2055

ElastiFlow (Elasticsearch-based)

# Docker-based deployment
docker run -d \
  --name elastiflow \
  -p 2055:2055/udp \
  -p 4739:4739/udp \
  -p 6343:6343/udp \
  -e EF_OUTPUT_ELASTICSEARCH_ENABLE=true \
  -e EF_OUTPUT_ELASTICSEARCH_ADDRESSES=elasticsearch:9200 \
  elastiflow/flow-collector:latest

Cisco Router Configuration

NetFlow v5

! Enable NetFlow on interface
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress

! Configure NetFlow export
ip flow-export version 5
ip flow-export destination 10.0.0.100 2055
ip flow-export source Loopback0

! Set flow cache parameters (active timeout in minutes, inactive timeout in seconds)
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15

! Verify
show ip flow export
show ip cache flow
show ip cache verbose flow

NetFlow v9

! Configure flow exporter
flow exporter EXPORTER-1
 destination 10.0.0.100
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 template data timeout 60
 option interface-table
 option exporter-stats

! Configure flow monitor
flow monitor MONITOR-1
 exporter EXPORTER-1
 cache timeout active 60
 cache timeout inactive 15
 record netflow ipv4 original-input

! Apply to interface
interface GigabitEthernet0/0
 ip flow monitor MONITOR-1 input
 ip flow monitor MONITOR-1 output

! Verify
show flow exporter
show flow monitor
show flow monitor MONITOR-1 cache

Flexible NetFlow (Custom Record / IPFIX)

! Define flow record with custom fields
flow record CUSTOM-RECORD
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match ipv4 protocol
 match ipv4 tos
 match interface input
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags

! Configure monitor with custom record
! (EXPORTER-1 above sends NetFlow v9; to export as IPFIX, set
!  "export-protocol ipfix" under the flow exporter instead)
flow monitor CUSTOM-MONITOR
 record CUSTOM-RECORD
 exporter EXPORTER-1
 cache timeout active 60
 cache entries 65536

! Apply to interface
interface GigabitEthernet0/0
 ip flow monitor CUSTOM-MONITOR input

nfdump Analysis Commands

Collecting Flows

# Start NetFlow collector
nfcapd -w -D -l /var/cache/nfdump -p 2055

# Collect with rotation interval (5 minutes)
nfcapd -w -D -l /var/cache/nfdump -p 2055 -t 300

# Collect multiple sources (ident per router)
nfcapd -w -D -l /var/cache/nfdump/router1 -p 2055 -I router1
nfcapd -w -D -l /var/cache/nfdump/router2 -p 2056 -I router2

Analyzing Flows

# Read all flows from a file
nfdump -r /var/cache/nfdump/nfcapd.202401151200

# Read flows from time range
nfdump -R /var/cache/nfdump -t 2024/01/15.12:00:00-2024/01/15.13:00:00

# Top 10 talkers by bytes
nfdump -r nfcapd.file -s srcip/bytes -n 10

# Top talkers by flows
nfdump -r nfcapd.file -s srcip/flows -n 20

# Top destination ports
nfdump -r nfcapd.file -s dstport/bytes -n 10

# Top protocols
nfdump -r nfcapd.file -s proto/bytes

# Filter by IP address
nfdump -r nfcapd.file 'src ip 192.168.1.100'
nfdump -r nfcapd.file 'dst ip 10.0.0.1'

# Filter by port
nfdump -r nfcapd.file 'dst port 80 or dst port 443'

# Filter by protocol
nfdump -r nfcapd.file 'proto tcp'
nfdump -r nfcapd.file 'proto udp and dst port 53'

# Complex filters
nfdump -r nfcapd.file 'src ip 192.168.1.0/24 and dst port 443 and bytes > 1000000'

# Output format options
nfdump -r nfcapd.file -o long          # Detailed output
nfdump -r nfcapd.file -o csv           # CSV format
nfdump -r nfcapd.file -o json          # JSON format
nfdump -r nfcapd.file -o extended      # Extended output

# Custom output format
nfdump -r nfcapd.file -o "fmt:%sa %da %sp %dp %pr %byt %pkt"

# Aggregate flows
nfdump -r nfcapd.file -A srcip,dstip -s record/bytes -n 20

# Time window analysis
nfdump -R /var/cache/nfdump -t 2024/01/15.00:00:00-2024/01/16.00:00:00 \
  -s srcip/bytes -n 10

Statistical Analysis

Command             Description
-s srcip/bytes      Top source IPs by bytes
-s dstip/bytes      Top destination IPs by bytes
-s srcip/flows      Top source IPs by flow count
-s dstport/bytes    Top destination ports by bytes
-s srcport/bytes    Top source ports by bytes
-s proto/bytes      Protocol distribution by bytes
-s record/bytes     Top flow records by bytes
-s srcas/bytes      Top source AS numbers by bytes
-s dstas/bytes      Top destination AS numbers by bytes

Advanced Usage

Security Analysis

# Detect port scanning (many SYN-only flows from one source; the filter goes last)
nfdump -r nfcapd.file -s srcip/flows -n 20 'flags S and not flags ARFPU'

# Find large data transfers (possible exfiltration)
nfdump -r nfcapd.file -o long -s record/bytes 'bytes > 100000000'

# DNS tunneling detection (unusually large DNS flows)
nfdump -r nfcapd.file -s srcip/bytes 'dst port 53 and bytes > 10000'

# ICMP anomalies
nfdump -r nfcapd.file -o long 'proto icmp and packets > 100'

# DDoS detection (many sources to one destination)
nfdump -r nfcapd.file -s dstip/flows -n 10
nfdump -r nfcapd.file -s srcip/flows -n 50 'dst ip 10.0.0.1'

# Find C2 beaconing candidates (many small flows to the same destination and port)
nfdump -r nfcapd.file -A srcip,dstip,dstport -s record/flows -n 20 \
  'bytes < 1000 and dst port > 1024'
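The nfdump one-liners above rank flows by count or volume, but they cannot count distinct destination ports per source or test the timing regularity that separates a beacon from ordinary repeated connections. This added Python example (not from the original cheat sheet) applies both checks to `nfdump -o csv` output. The sample CSV is constructed in the block, including the Summary trailer nfdump appends, and the thresholds (5 ports, 4 flows, 10% jitter) are assumptions to tune per network.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

def _row(ts, sa, da, sp, dp, flg, pkt, byt):
    return f"{ts},{ts},0.000,{sa},{da},{sp},{dp},TCP,{flg},0,0,{pkt},{byt}"

# Constructed sample in the first 13 columns of `nfdump -o csv` (a real export has more;
# the name-based lookup below ignores them) plus the Summary trailer nfdump appends.
SAMPLE_CSV = "\n".join(
    ["ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt"]
    # one host probing six ports on one target with SYN-only flows
    + [_row(f"2024-01-15 12:00:01.{i:03d}", "192.168.1.50", "10.0.0.1", 40000 + i, 20 + i, "....S.", 1, 60) for i in range(6)]
    # one host contacting the same destination port every 300 s
    + [_row(f"2024-01-15 12:{5 * i:02d}:00.000", "192.168.1.77", "203.0.113.9", 51000 + i, 4444, ".AP.SF", 6, 420) for i in range(4)]
    + [_row("2024-01-15 12:03:10.000", "192.168.1.20", "10.0.0.5", 52000, 443, ".AP.SF", 40, 51200)]
    + ["Summary", "flows,bytes,packets,avg_bps,avg_pps,avg_bpp", "11,53240,70,0,0,0"])

def parse_nfdump_csv(text: str) -> list:
    """Return flow rows keyed by the csv header; drops nfdump's Summary trailer (no ibyt column)."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r.get("ibyt")]

def port_scanners(rows: list, min_ports: int = 5) -> dict:
    """Sources whose SYN-only TCP flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in rows:
        if r["pr"] == "TCP" and r["flg"] == "....S.":  # nfdump flag order is UAPRSF
            ports[r["sa"]].add(int(r["dp"]))
    return {sa: len(p) for sa, p in ports.items() if len(p) >= min_ports}

def beacons(rows: list, min_flows: int = 4, max_jitter: float = 0.1) -> dict:
    """(src, dst, dport) tuples seen min_flows+ times with near-constant spacing; value is the period in seconds."""
    times = defaultdict(list)
    for r in rows:
        times[(r["sa"], r["da"], r["dp"])].append(datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S.%f"))
    hits = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation of the inter-flow gaps: low means a timer, not a human.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean)
    return hits
```

Run it on real data with `nfdump -R /var/cache/nfdump -t <range> -o csv` piped into `parse_nfdump_csv`; the beacon check needs a window covering several periods, so an hour of files rather than one five-minute file.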

Automated Reporting

#!/bin/bash
# daily_report.sh - Generate daily NetFlow report for the previous day
set -u

DATE=$(date -d yesterday +%Y/%m/%d)            # nfdump -t uses yyyy/mm/dd.HH:MM:SS
DATADIR="/var/cache/nfdump"
REPORTDIR="/var/reports"
REPORT="$REPORTDIR/netflow-$(date -d yesterday +%F).txt"
RANGE="${DATE}.00:00:00-${DATE}.23:59:59"

mkdir -p "$REPORTDIR"
echo "=== Daily NetFlow Report: $DATE ===" > "$REPORT"
echo "" >> "$REPORT"

echo "--- Top 20 Talkers (by bytes) ---" >> "$REPORT"
nfdump -R "$DATADIR" -t "$RANGE" -s srcip/bytes -n 20 >> "$REPORT"

echo "" >> "$REPORT"
echo "--- Top 20 Destinations ---" >> "$REPORT"
nfdump -R "$DATADIR" -t "$RANGE" -s dstip/bytes -n 20 >> "$REPORT"

echo "" >> "$REPORT"
echo "--- Protocol Distribution ---" >> "$REPORT"
nfdump -R "$DATADIR" -t "$RANGE" -s proto/bytes >> "$REPORT"

Export to Other Formats

# Export to CSV for spreadsheet analysis
nfdump -r nfcapd.file -o csv > flows.csv

# Export to JSON for Elasticsearch
nfdump -r nfcapd.file -o json > flows.json

# Pipe to other tools: top source/destination pairs by bytes.
# Columns are looked up by name from the csv header (sa, da, ibyt) rather than by
# position, and the NF test skips the Summary trailer nfdump appends to csv output.
nfdump -r nfcapd.file -o csv \
  | awk -F, 'NR==1{for(i=1;i<=NF;i++)c[$i]=i; next} NF>10{print $c["sa"],$c["da"],$c["ibyt"]}' \
  | sort -k3 -rn | head

Configuration

nfsen Configuration

# /etc/nfsen/nfsen.conf (Perl syntax; the file must end with a true value)
$BASEDIR = "/var/cache/nfsen";
$HTMLDIR = "/var/www/nfsen";
$PREFIX  = "/usr/bin";            # directory holding the nfdump/nfcapd binaries
$USER     = "netflow";            # account the nfsen daemon runs as
$WWWUSER  = "www-data";           # web server user and group
$WWWGROUP = "www-data";
$SUBDIRLAYOUT = 1;                # year/month/day subdirectory layout

# One entry per exporter; each source needs its own UDP port
%sources = (
    'router1'  => { 'port' => '2055', 'col' => '#0000ff' },
    'router2'  => { 'port' => '2056', 'col' => '#ff0000' },
    'switch1'  => { 'port' => '2057', 'col' => '#00ff00' },
);

# Mail settings used by alerting
$MAIL_FROM   = 'netflow@example.com';
$SMTP_SERVER = 'localhost';

# Alert conditions (e.g. a flow-count threshold with an e-mail action) are
# defined in the nfsen web frontend under "Alerts", not in this file.
1;

Troubleshooting

Issue                        Solution
No flows received            Check UDP port open, verify exporter config
Incomplete flow data         Check active/inactive timeouts on router
High collector CPU           Reduce export rate, increase rotation interval
Disk space growing fast      Set data retention, enable compression
Version mismatch             Match collector version (v5/v9/IPFIX) to exporter
Missing bidirectional data   Enable both ingress and egress on interfaces
Sampled data inaccurate      Apply sampling multiplier in collector
Template timeout errors      Increase template refresh interval

Verification Commands

# Check if flows are arriving
sudo tcpdump -i eth0 -n udp port 2055 -c 10

# Verify nfcapd is running
ps aux | grep nfcapd

# Check nfcapd files are being created
ls -la /var/cache/nfdump/

# Read latest capture file
nfdump -r $(ls -t /var/cache/nfdump/nfcapd.* | head -1) | head

# Cisco verification
show ip flow export
show ip cache flow
show flow monitor MONITOR-1 statistics