1. The document provides instructions for using NfSen to monitor and graph network traffic flows. It describes how to create profiles and channels to track specific HTTP, FTP, and interface traffic between routers and PCs.
2. Steps are provided to simulate traffic like file downloads and monitor resulting graphs over time. Extended flow processing options are also described to analyze top flows by bytes, ports, and IP addresses.
3. Various filters are demonstrated like tracking traffic by source/destination host, port, interface, or autonomous system to isolate specific communication paths. This allows identification of active hosts, popular ports and protocols, and traffic sources/destinations.
What we will do

one PC in your group, and one PC in your neighbor group. Confirm this!

2. Ensure NfSen is running by browsing to the page and ensuring you can see the graphs with no errors indicated.

We will now see what type of traffic is passing through the two routers.
On the PC receiving flows, open the NFSEN page, click on 'live' at the top right of the page and select "New Profile …".
- You may need to select several times as NfSen is picky.

Enter the name 'HTTP_TRAFFIC' for the profile name and additionally create a new group called "groupX" where X is your group number.

Select individual channels and shadow profile.
- Individual channel: can create channels with their own filters
- Shadow profile: saves hard disk space by not creating new data but instead analysing already collected data

See next page for an example image.

Create a Stat to graph specific traffic

Click "Create Profile" at the bottom of the menu.

Click on the plus (+) sign next to 'Channel List' at the bottom of the page, then fill in the next page as below and click on 'Add Channel' at the bottom. The filter "any" means ALL traffic. Select your sources in "Available Sources" and press ">>" to add them to "Selected Sources".

Add another channel by clicking the plus sign next to 'Channel List' as before. Fill in the details as shown on the left. Replace pc2 with a pc number that is NOT receiving flows in your group! Also, replace the IP address in the Filter to match the IP of the PC in question. Ensure you change the color. You can use the color picker or enter the value shown in this example. Select the two routers as the source, then click 'Add Channel'.

With this, we will track how much HTTP traffic is going to that PC, that is, how much is actually being downloaded. In an HTTP download, source traffic is always from port 80.
Activate the profile

Click the green tick to activate your new profile.

Click on Live, then select the group you created and "HTTP_TRAFFIC", and you will see your profile. Then click on the "Home" menu item on the upper left of the NfSen screen.

Download HTTP data to pcY

Log in on pcY and use the wget command to simulate an HTTP download to pcY.

    $ ssh sysadm@pcY.ws.nsrc.org
    $ cd /tmp
    $ wget http://noc.ws.nsrc.org/downloads/BigFile

Once the download completes you can delete the file:

    $ rm /tmp/BigFile
    $ exit        (to log off from pcY)

See the traffic

Your graph will take up to 15 min to update. Go to Graphs, then Traffic. Then go to Details and select 'Line Graph' at the bottom.

This is a graph of the total traffic passing through the router rtrX vs the HTTP downloads that pcY is making.

Stop! What's happening here

[Diagram: NOC box, rtrX, NFSEN server, pcY]

- The router is exporting flows to the NFSEN server, and NFSEN graphs them.
- PCY is downloading a file over HTTP via rtrX and is the destination host, aka "dst host".
- The NOC box is running an HTTP server. In a real network this could be any server on the Internet.
- We have told NFSEN to graph traffic where the source port is 80 and the destination host is 10.10.X.Y.
- You can do the same thing back in your networks and additionally graph a specific web server with "src host a.b.c.d", e.g. FaceBook's IP.

See an FTP download from the NOC

- Perform the exact same steps as for the HTTP_TRAFFIC profile, but this time change "HTTP_TRAFFIC" to "FTP_TRAFFIC".
- FTP could randomize the ports, so it may not be source port 20. We do know that it will be a port greater than 1024, so the filter should read:

      src port > 1024 and dst host 10.10.X.Y

- Make sure to select the correct source from Available Sources.
- Now download the large file from the noc box via ftp to pcY.ws.nsrc.org.
- See the next slide for instructions.

Download FTP data to pcY

Log in on pcY and use the ftp command to generate FTP traffic from the noc to pcY.
    $ ssh sysadm@pcY.ws.nsrc.org
    $ ftp noc.ws.nsrc.org
    Name (noc.ws.nsrc.org:sysadm): anonymous
    Password: <YourEmailAddress>
    ftp> lcd /tmp
    ftp> get BigFile        (long time to download)
    ftp> quit
    $ rm /tmp/BigFile

Your graph will take up to 15 min to update. Go to Graphs, then Traffic. Then go to Details and select 'Line Graph' at the bottom to see the results.

Part 2

- Use the snmpwalk command on your PC to determine the ifIndex number of an interface that you want to graph:

      $ snmpwalk -v2c -c NetManage rtrX.ws.nsrc.org ifDescr
      IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
      IF-MIB::ifDescr.2 = STRING: FastEthernet0/1
      IF-MIB::ifDescr.3 = STRING: VoIP-Null0
      IF-MIB::ifDescr.4 = STRING: Null0
      IF-MIB::ifDescr.5 = STRING: Loopback0

- This means that interface F0/0 has been assigned index number 1. We can now use NFSEN to graph traffic for this specific interface.
  - This interface must have "ip flow egress" or ingress enabled
  - With "snmp ifindex persist" the index number is maintained

Graph a specific interface on the router

Give the Profile a suitable name and add it to the same Group you created earlier. Choose individual channels and Shadow profile as before and click on "Create Profile".

Add the interface on NfSen

Click on Live and select "New Profile…". Then on the following screen click on the plus sign next to Channel list.

This means graph all traffic passing INTO interface 1. Click "Add Channel" and click plus to add a second channel.

NOTE: Interface "1" refers to the index number that was referring to interface "FastEthernet 0/0" on rtrX.

This means graph all traffic LEAVING/GOING OUT OF interface 1. Click "Add Channel", then activate the filter on the next screen by clicking on the green check. Give the graph time to generate.

Compare the graph with Cacti's graph

Your graph will take up to 15 min to update. Go to Graphs, then Traffic. Then go to Details and select 'Line Graph' at the bottom.

This is a graph of the total traffic passing through the router rtrX on interface FastEthernet 0/0.
See the traffic

[Diagram: rtrX, NfSen, Cacti]

- NfSen is generating graphs via Netflow for the interface.
- Cacti is generating the graph via SNMP for the same interface.

With NfSen, we can use the Netflow features to extract more data, like which IP addresses are active, what are the highest ports in use by bytes, what are the AS numbers coming/leaving our network, and so much more!

Stop! What's happening here

If you are measuring the same interface with both Cacti and NfSen, then you should obtain similar graphs when comparing the bits/s.

Part 3

Go to Profile, select the group you created, then select 'HTTP_TRAFFIC'. Then go to the 'Details' tab and select 'Time Window' instead of 'Time Slot' beneath the graph. Choose a part of the graph with activity as above.

Extended Netflow processing

Select the options as on the left. This means: select the Top 10 Flows, order them by bytes from the highest to the lowest, and display information on the source and destination ports and IPs. Then select 'Process'.

Analyze the output you get, which will look like the screen below. Try the same with the Bi-Directional traffic option. What do you see? Try playing with the different options and see what output you get. You can also add the same filters in the filter window next to the Options.

Try the following filters:

- src host 10.10.X.Y - meaning look for flows for this host
- src port 22 - meaning flows where the source port is 22
- src port 22 or src port 80 - meaning flows of either port 22 or 80
- src port 80 and in if 1 - meaning flows of src port 80 that passed via interface 1
- dst net 10.10.0.0/16 - meaning all flows where the destination network is 10.10.0.0/16
- src port > 5000 - meaning all flows where the source port is greater than the given value
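An added example (not part of the original slides, and not nfdump's own parser): a small Python evaluator for the subset of the NfSen filter syntax used in these exercises, applied to constructed flow records to show which bytes the HTTP and FTP channel filters and the filters listed above would count. It goes slightly beyond the slides by also handling the unqualified `host` form; the NOC box address 10.10.0.250, the use of 10.10.1.2 for pcY, the flow values and all function names are assumptions.

```python
import ipaddress
import operator

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

def F(src, sport, dst, dport, in_if, out_if, nbytes):
    return dict(src=src, src_port=sport, dst=dst, dst_port=dport,
                in_if=in_if, out_if=out_if, bytes=nbytes)

# Constructed sample flows (assumed addresses: NOC box 10.10.0.250, pcY 10.10.1.2).
FLOWS = [
    F("10.10.0.250", 80, "10.10.1.2", 51514, 1, 2, 52_000_000),     # HTTP download to pcY
    F("10.10.1.2", 51514, "10.10.0.250", 80, 2, 1, 900_000),        # pcY's requests and ACKs
    F("10.10.0.250", 49152, "10.10.1.2", 40100, 1, 2, 48_000_000),  # FTP data to pcY
    F("10.10.2.7", 8080, "10.10.1.2", 40200, 1, 2, 7_000_000),      # service on 8080, not FTP
    F("192.0.2.9", 22, "10.10.1.2", 40300, 1, 2, 30_000),           # SSH server replies
]

def _prim(flow, t):
    """Evaluate one primitive, given as a token list, against one flow."""
    if t == ["any"]:
        return True
    if t[0] in ("in", "out") and t[1] == "if":
        return flow[t[0] + "_if"] == int(t[2])
    # Without a src/dst qualifier the primitive matches either direction.
    sides = [t.pop(0)] if t[0] in ("src", "dst") else ["src", "dst"]
    kind, *args = t
    if kind == "port":
        op, num = (args[0], args[1]) if args[0] in OPS else ("=", args[0])
        return any(OPS[op](flow[s + "_port"], int(num)) for s in sides)
    if kind in ("host", "net"):  # a bare address parses as a /32 network
        net = ipaddress.ip_network(args[0])
        return any(ipaddress.ip_address(flow[s]) in net for s in sides)
    raise ValueError("unsupported primitive: " + " ".join(t))

def matches(flow, expr):
    """'or' binds loosest, then 'and'; parentheses and 'not' are not handled."""
    return any(all(_prim(flow, p.split()) for p in term.split(" and "))
               for term in expr.split(" or "))

def channel_bytes(expr, flows=FLOWS):
    """Bytes a channel with this filter would graph for the sample flows."""
    return sum(f["bytes"] for f in flows if matches(f, expr))

def top_flows(expr, n=10, flows=FLOWS):
    """Top-n matching flows ordered by bytes, highest first."""
    hits = (f for f in flows if matches(f, expr))
    return sorted(hits, key=lambda f: f["bytes"], reverse=True)[:n]
```

With these sample flows, `channel_bytes("src port > 1024 and dst host 10.10.1.2")` returns 55000000: the FTP channel also counts the 7 MB flow from port 8080, because the filter selects on source port range and destination host only.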
Many more filters you could use

- If you want to see AS Number traffic for Google's AS 15169:

      src as 15169

- You can do the same for anyone's AS, but your router should have the routing table installed and have ip flow-export version 9 origin-as configured.
- You can then graph each of them using a Stat as in the earlier exercise.
- More filters here: http://nfsen.sourceforge.net/#mozTocId652064

ADDITIONAL/OPTIONAL

Monitor a specific host
On the "Profile" menu in NfSen select "New Profile…".

When done, click on "Create Profile" at the bottom.

You will see a message "new profile created".

Then click on the plus sign at the bottom to begin adding channels.

Monitor a Specific IP

Replace 10.10.1.2 with the IP of your virtual machine.

Add a second channel and start to accept

Click on "Add Channel" and then click the green check mark to activate the new profile, "Troublesome_User".
Select a different color for the second channel so that the graphs can be distinguished.

Note that the two filters are different:
- The first filter will capture any flows pertaining to the first pc's host.
- The second filter will only capture flows where the second pc is the DESTINATION host.
- To generate traffic to see in the graph details for this profile, try transferring files from the first host to the second host.
More attributes can be added here, like src AS, dst AS, src ports etc., based on the NfSen filter syntax.

Filters

See trends over time

MOVE TO EXERCISE 3

PortTracker Plugin