SlideShare a Scribd company logo

Go with the flow

Kamal Rathaur, profile picture
Kamal Rathaur

This document contains information about Kamal Rathaur and netflow analysis. It discusses: 1) Kamal Rathaur's background and certifications in information security, digital forensics, and incident response. 2) What netflow data is and how it provides metadata on network traffic without packet contents. 3) The components of a netflow collection and analysis system including exporters, collectors, storage, and analysis consoles. 4) Best practices for planning a netflow deployment including identifying critical data, network diagrams, export and capture points, and compliance. 5) The nfdump suite of open source tools for collecting, processing, and analyzing netflow data including nfcap

Technology
1 of 16
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
@Rathaur_Kamal
 Infosec Enthusiast  Incident Response/Digital Forensics Analyst  Speaker/Volunteer at Null and OWASP chapters  AM – IT Security (Just a position, for the records)   Travelling, Trekking, Infosec brainstorming  GCFA Certified, SANS Lethal Forensicator Award
 A series of packets on a network that have common attributes  Just metadata – No contents  Much like a phone bill – You know, who called who but not what was said  Is not a replacement for full packet capture
Go with the flow
Go with the flow
 Exporter – Uses UDP (Standard port 2055) for sending packets to Collectors  Collectors – Positioning is the key  Storage – Understand the requirements and the size of storage based on the need  Analysis Console – usually a thin client – browser based. Performance hungry
 Identify the critical data  Understand the network diagram  Identify choke and critical nodes  Identify critical datacenters  Plan Netflow exporters and packet capture points  Confirm legal and regulatory compliance  Security teams may prefer to use their own Netflow server and storage solution
nfcapd - netflow capture daemon nfdump - netflow dump nfprofile - netflow profiler nfreplay - netflow replay nfclean.pl - cleanup old data ft2nfdump - optional binary
 A set of tools to collect and process netflow data  Supports netflow versions v1, v5, v7, v9 and IPFIX  Fully IPv6 compatible  Stores netflow data in time sliced files – rotates typically every 5 minutes i.e. 288 files per day in nfcapd.YYYYMmddhhmm format  Command line based tool compatible to tcpdump  Top N statistics for packets, bytes, IP addresses, ports… Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2005-08-30 06:59:52.338 0.001 UDP 36.249.80.226:3040 -> 92.98.219.116:1434 1 404 1
Go with the flow
 NfSen is a graphical web based front end for the Nfdump netflow tools  Graph specific profiles • Track hosts, ports etc. from live data • Profile hosts involved in incidents from history data  Analyze a specific time window  Web based  Automatic alerting  Flexible extensions using plugins
Go with the flow
Demo Time
 Understand the netflow basics  Netflow Analysis with open source tools  Ideas for setting up test lab  Testing and Deployment in VM  Replicate to Production environment
Go with the flow
Thank You!

More Related Content

PDF
Delegation-based Authentication and Authorization for the IP-based IoT
Joon Young Park
 
DOCX
Poll mode driver integration into dpdk
Vipin Varghese
 
PDF
Lithe: Lightweight Secure CoAP for the Internet of Things
Joon Young Park
 
PDF
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
PPTX
Mmap failure analysis
Vipin Varghese
 
PDF
nextcomputing-packet-continuum
blabadini
 
PDF
Accelerating Networked Applications with Flexible Packet Processing
Open-NFP
 
PDF
Measuring a 25 and 40Gb/s Data Plane
Open-NFP
 
Delegation-based Authentication and Authorization for the IP-based IoT
Joon Young Park
 
Poll mode driver integration into dpdk
Vipin Varghese
 
Lithe: Lightweight Secure CoAP for the Internet of Things
Joon Young Park
 
Linux Kernel Cryptographic API and Use Cases
Kernel TLV
 
Mmap failure analysis
Vipin Varghese
 
nextcomputing-packet-continuum
blabadini
 
Accelerating Networked Applications with Flexible Packet Processing
Open-NFP
 
Measuring a 25 and 40Gb/s Data Plane
Open-NFP
 

What's hot (20)

PDF
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
 
PPTX
Network based file carving
GTKlondike
 
PPTX
Dpdk – IoT packet analyzer
Vipin Varghese
 
PDF
Comprehensive XDP Off‌load-handling the Edge Cases
Netronome
 
PPTX
Forensic Analysis - Empower Tech Days 2013
Islam Azeddine Mennouchi
 
PDF
LF_DPDK17_DPDK support for new hardware offloads
LF_DPDK
 
PPTX
Compiling P4 to XDP, IOVISOR Summit 2017
Cheng-Chun William Tu
 
PDF
Telco junho cost-effective approach for telco network analysis in 5_g_final
Junho Suh
 
PDF
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Yu-Hsin Hung
 
PDF
P4, EPBF, and Linux TC Offload
Open-NFP
 
PDF
Network Measurement with P4 and C on Netronome Agilio
Open-NFP
 
PDF
How Robinhood Built a Real-Time Anomaly Detection System to Monitor and Mitig...
InfluxData
 
PDF
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
IO Visor Project
 
PDF
Apache Solr as a compressed, scalable, and high performance time series database
Florian Lautenschlager
 
PDF
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas
 
PDF
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
NECST Lab @ Politecnico di Milano
 
PPTX
Debug generic process
Vipin Varghese
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
PPTX
Monitoring and Alerting with InfluxDB 2.0 | Deniz Kusefoglu & Nate Isley | In...
InfluxData
 
PDF
Ceph Day Shanghai - On the Productization Practice of Ceph
Ceph Community
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Anne Nicolas
 
Network based file carving
GTKlondike
 
Dpdk – IoT packet analyzer
Vipin Varghese
 
Comprehensive XDP Off‌load-handling the Edge Cases
Netronome
 
Forensic Analysis - Empower Tech Days 2013
Islam Azeddine Mennouchi
 
LF_DPDK17_DPDK support for new hardware offloads
LF_DPDK
 
Compiling P4 to XDP, IOVISOR Summit 2017
Cheng-Chun William Tu
 
Telco junho cost-effective approach for telco network analysis in 5_g_final
Junho Suh
 
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Yu-Hsin Hung
 
P4, EPBF, and Linux TC Offload
Open-NFP
 
Network Measurement with P4 and C on Netronome Agilio
Open-NFP
 
How Robinhood Built a Real-Time Anomaly Detection System to Monitor and Mitig...
InfluxData
 
Using IO Visor to Secure Microservices Running on CloudFoundry [OpenStack Sum...
IO Visor Project
 
Apache Solr as a compressed, scalable, and high performance time series database
Florian Lautenschlager
 
Kernel Recipes 2013 - Nftables, what motivations and what solutions
Anne Nicolas
 
OXiGen: Automated FPGA design flow from C applications to dataflow kernels - ...
NECST Lab @ Politecnico di Milano
 
Debug generic process
Vipin Varghese
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
Monitoring and Alerting with InfluxDB 2.0 | Deniz Kusefoglu & Nate Isley | In...
InfluxData
 
Ceph Day Shanghai - On the Productization Practice of Ceph
Ceph Community
 
Ad

Viewers also liked (7)

PDF
Scalable Monitoring & Alerting
Franklin Angulo
 
PDF
Managing Tech Teams (Dev StackUp)
Franklin Angulo
 
PDF
An Introduction to Rearview - Time Series Based Monitoring
VictorOps
 
PDF
Graphite
Adrian Moisey
 
PDF
Stop pulling the plug
Kamal Rathaur
 
PDF
Osint
Kamal Rathaur
 
PDF
Collecting metrics with Graphite and StatsD
itnig
 
Scalable Monitoring & Alerting
Franklin Angulo
 
Managing Tech Teams (Dev StackUp)
Franklin Angulo
 
An Introduction to Rearview - Time Series Based Monitoring
VictorOps
 
Graphite
Adrian Moisey
 
Stop pulling the plug
Kamal Rathaur
 
Osint
Kamal Rathaur
 
Collecting metrics with Graphite and StatsD
itnig
 
Ad

Similar to Go with the flow (20)

PPTX
Open source network forensics and advanced pcap analysis
GTKlondike
 
PDF
Go with the Flow
Bangladesh Network Operators Group
 
PDF
Go with the Flow-v2
Zobair Khan
 
PDF
Network Security and Visibility through NetFlow
Lancope, Inc.
 
PDF
Network Security: Experiment of Network Health Analysis At An ISP
CSCJournals
 
PDF
Flow Monitoring Tools, What do we have, What do we need?
CSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
PPTX
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
DOCX
Task 803   - 1 page Instructions Distinguish between full con.docx
rudybinks
 
DOCX
Chapter 3. sensors in the network domain
Phu Nguyen
 
PPTX
Leverage the Network to Detect and Manage Threats
Cisco Canada
 
PDF
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 
PPT
Network Security Data Visualization
amiable_indian
 
PDF
Flow questions and answers
ProQSys
 
PDF
Analytics and Visualization in your Secured Infrastructure Network.
Kapil Sabharwal
 
PDF
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
InfluxData
 
PDF
Network traffic analysis course
TECHNOLOGY CONTROL CO.
 
PDF
25.3.10 packet tracer explore a net flow implementation
Freddy Buenaño
 
PDF
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
PDF
Just two clicks away - from monitoring and reporting to root-cause analysis
Savvius, Inc
 
Open source network forensics and advanced pcap analysis
GTKlondike
 
Go with the Flow
Bangladesh Network Operators Group
 
Go with the Flow-v2
Zobair Khan
 
Network Security and Visibility through NetFlow
Lancope, Inc.
 
Network Security: Experiment of Network Health Analysis At An ISP
CSCJournals
 
Flow Monitoring Tools, What do we have, What do we need?
CSUC - Consorci de Serveis Universitaris de Catalunya
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
Task 803   - 1 page Instructions Distinguish between full con.docx
rudybinks
 
Chapter 3. sensors in the network domain
Phu Nguyen
 
Leverage the Network to Detect and Manage Threats
Cisco Canada
 
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 
Network Security Data Visualization
amiable_indian
 
Flow questions and answers
ProQSys
 
Analytics and Visualization in your Secured Infrastructure Network.
Kapil Sabharwal
 
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
InfluxData
 
Network traffic analysis course
TECHNOLOGY CONTROL CO.
 
25.3.10 packet tracer explore a net flow implementation
Freddy Buenaño
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
Leszek Mi?
 
Just two clicks away - from monitoring and reporting to root-cause analysis
Savvius, Inc
 

Recently uploaded (20)

PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
A Presentation on Touch Screen Technology
memembruh336
 
project resource management chapter-09.pdf
ssuser00e6e21
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 

Go with the flow

  • 2.  Infosec Enthusiast  Incident Response/Digital Forensics Analyst  Speaker/Volunteer at Null and OWASP chapters  AM – IT Security (Just a position, for the records)   Travelling, Trekking, Infosec brainstorming  GCFA Certified, SANS Lethal Forensicator Award
  • 3.  A series of packets on a network that have common attributes  Just metadata – No contents  Much like a phone bill – You know, who called who but not what was said  Is not a replacement for full packet capture
  • 6.  Exporter – Uses UDP (Standard port 2055) for sending packets to Collectors  Collectors – Positioning is the key  Storage – Understand the requirements and the size of storage based on the need  Analysis Console – usually a thin client – browser based. Performance hungry
  • 7.  Identify the critical data  Understand the network diagram  Identify choke and critical nodes  Identify critical datacenters  Plan Netflow exporters and packet capture points  Confirm legal and regulatory compliance  Security teams may prefer to use their own Netflow server and storage solution
  • 8. nfcapd - netflow capture daemon nfdump - netflow dump nfprofile - netflow profiler nfreplay - netflow replay nfclean.pl - cleanup old data ft2nfdump - optional binary
  • 9.  A set of tools to collect and process netflow data  Supports netflow versions v1, v5, v7, v9 and IPFIX  Fully IPv6 compatible  Stores netflow data in time sliced files – rotates typically every 5 minutes i.e. 288 files per day in nfcapd.YYYYMmddhhmm format  Command line based tool compatible to tcpdump  Top N statistics for packets, bytes, IP addresses, ports… Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2005-08-30 06:59:52.338 0.001 UDP 36.249.80.226:3040 -> 92.98.219.116:1434 1 404 1
  • 11.  NfSen is a graphical web based front end for the Nfdump netflow tools  Graph specific profiles • Track hosts, ports etc. from live data • Profile hosts involved in incidents from history data  Analyze a specific time window  Web based  Automatic alerting  Flexible extensions using plugins
  • 14.  Understand the netflow basics  Netflow Analysis with open source tools  Ideas for setting up test lab  Testing and Deployment in VM  Replicate to Production environment