SlideShare a Scribd company logo

Introduction to flow analysis

P
ProQSys

The document discusses flow analysis in networking, explaining how routers, firewalls, and switches export flow summaries to a collector for analysis and storage. It outlines the roles of exporters and collectors, the formats of flow exports, and the trade-offs between speed and forensic accuracy in reporting traffic. Additionally, it mentions specific products for flow collection and exporting capabilities.

Related topics:
Network SecurityNetwork Monitoring InsightsNetwork Analysis InsightsNetwork Management Insights
1 of 6
Downloaded 15 times
1
2
3
4
5
6
Introduction to Flow Analysis Vincent Berk February 3rd , 2011 VINCENT BERK Copyright © 2011 Process Query Systems, LLC
Overview Computers communicate over the network, in streams of thousands of packets. Actions, such as sending email, result in streams of related packets, called “flows”. Most routers, firewalls, and switches can report summaries of all their flows. This process of reporting on flows is called “exporting” of flows. Flows are exported to a “collector”, which may aggregate, plot, or store the flows. A collector is a separate program running on a network server. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
Exporter Exporters are routers, firewalls, or switches capable of forwarding flow summaries. Most top- and middle-tier networking hardware is capable of exporting flow summaries. If your hardware is not capable of exporting flows, a software exporter can be used. This is a program that runs on a computer which must be attached to a SPAN/TAP/Mirror port on a switch or router, and does the flow exporting. Exported flows are only traffic summaries, they do not contain any traffic content. For instance: a flow reports the connections to an email server, but not the content of the emails. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
Collector A collector is a server with software that can accept and interpret flow exports. Exporters send their flow summaries to collectors for storage and analysis. Most collectors summarize and aggregate the flows before storage, discarding the records. Although coarse, this approach is fastest. The cost is the loss of forensic accuracy. Some collectors store all flow records, alowing full recall, and precise filtering. The value of a flow product depends mostly on the implementation of the collector. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
Flow Formats Flow exports come in many formats. Some Manufacturers are compatible, others not. Adding flow capability to your network will increase the traffic load by 1% to 5%. Some flow formats are sampled. This means that only some flows are reported on. Forensic accuracy is lost to gain some speed. sFlow ® uses this strategy. Most flow formats report every flow, allowing full flow recall, if the collector supports this. NetFlow, Cflow, and Jflow use this strategy. If your hardware only supports flow sampling, you can always use a software exporter instead. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
For Additional Information: http://www.proquesys.com info@proquesys.com 603.727.4477 ProQueSys FlowTraq A full fidelity flow collector. Supports: IPv6, NetFlow v1/5/7/9, sFlow v2/4/5, automated alerting, scheduled reporting, user dashboards, GUI and CLI interfaces. ProQueSys Flow Exporter FREE downloadable software flow exporter. Supports: IPv6, exporting in NetFlow v5 and v9, VLAN, IFindex specification, exporters to 16 destinations at once. VINCENT BERK Copyright © 2011 Process Query Systems, LLC

More Related Content

PDF
Spirent TestCenter OpenFlow Controller Emulation
Malathi Malla
 
PPT
Facility Layout
Sanket Bhambal
 
PPTX
Facility layout ppt
Anju Rana
 
PPT
OpenFlow tutorial
openflow
 
PPT
Naveen nimmu sdn future of networking
suniltomar04
 
PPT
Naveen nimmu sdn future of networking
OpenSourceIndia
 
PDF
Complex Er[jl]ang Processing with StreamBase
darach
 
PPT
OpenFlow Tutorial
Ja-seop Kwak
 
Spirent TestCenter OpenFlow Controller Emulation
Malathi Malla
 
Facility Layout
Sanket Bhambal
 
Facility layout ppt
Anju Rana
 
OpenFlow tutorial
openflow
 
Naveen nimmu sdn future of networking
suniltomar04
 
Naveen nimmu sdn future of networking
OpenSourceIndia
 
Complex Er[jl]ang Processing with StreamBase
darach
 
OpenFlow Tutorial
Ja-seop Kwak
 

Similar to Introduction to flow analysis (20)

PDF
Monitoring&Logging - Stanislav Kolenkin
Kuberton
 
PPTX
Openflow overview
openflowhub
 
PDF
Looking at SDN with DDS Glasses
Angelo Corsaro
 
PPTX
Cloud Automation Manager
Nithin Babu
 
PDF
Network Security and Visibility through NetFlow
Lancope, Inc.
 
PDF
Music city data Hail Hydrate! from stream to lake
Timothy Spann
 
PDF
PortoTechHub - Hail Hydrate! From Stream to Lake with Apache Pulsar and Friends
Timothy Spann
 
PDF
Inside Flume
Cloudera, Inc.
 
PDF
Mahout low-overhead datacenter traffic management using end-host-based ...
João Gabriel Lima
 
PPTX
FlowER Erlang Openflow Controller
Holger Winkelmann
 
PDF
Analytics driven SDN and commodity switches
netvis
 
PDF
Fault Tolerance at Speed
C4Media
 
PPTX
Tapping Into the Health of Your Network
LiveAction Next Generation Network Management Software
 
PDF
StreamBase - Embedded Erjang - Erlang User Group London - 20th April 2011
darach
 
PPTX
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
PPT
Software defined network and Virtualization
idrajeev
 
PDF
Apache flume by Swapnil Dubey
Swapnil Dubey
 
PDF
software defined network, openflow protocol and its controllers
Isaku Yamahata
 
PPT
Chapter 11 Data Link Control 307 11.1 FRAMING 307 Fixed-Size Framing 308 Vari...
csehod2
 
PDF
OVS-LinuxCon 2013.pdf
DanielHanganu2
 
Monitoring&Logging - Stanislav Kolenkin
Kuberton
 
Openflow overview
openflowhub
 
Looking at SDN with DDS Glasses
Angelo Corsaro
 
Cloud Automation Manager
Nithin Babu
 
Network Security and Visibility through NetFlow
Lancope, Inc.
 
Music city data Hail Hydrate! from stream to lake
Timothy Spann
 
PortoTechHub - Hail Hydrate! From Stream to Lake with Apache Pulsar and Friends
Timothy Spann
 
Inside Flume
Cloudera, Inc.
 
Mahout low-overhead datacenter traffic management using end-host-based ...
João Gabriel Lima
 
FlowER Erlang Openflow Controller
Holger Winkelmann
 
Analytics driven SDN and commodity switches
netvis
 
Fault Tolerance at Speed
C4Media
 
Tapping Into the Health of Your Network
LiveAction Next Generation Network Management Software
 
StreamBase - Embedded Erjang - Erlang User Group London - 20th April 2011
darach
 
NFA - Middle East Workshop
ManageEngine, Zoho Corporation
 
Software defined network and Virtualization
idrajeev
 
Apache flume by Swapnil Dubey
Swapnil Dubey
 
software defined network, openflow protocol and its controllers
Isaku Yamahata
 
Chapter 11 Data Link Control 307 11.1 FRAMING 307 Fixed-Size Framing 308 Vari...
csehod2
 
OVS-LinuxCon 2013.pdf
DanielHanganu2
 
Ad

Introduction to flow analysis

  • 1. Introduction to Flow Analysis Vincent Berk February 3rd , 2011 VINCENT BERK Copyright © 2011 Process Query Systems, LLC
  • 2. Overview Computers communicate over the network, in streams of thousands of packets. Actions, such as sending email, result in streams of related packets, called “flows”. Most routers, firewalls, and switches can report summaries of all their flows. This process of reporting on flows is called “exporting” of flows. Flows are exported to a “collector”, which may aggregate, plot, or store the flows. A collector is a separate program running on a network server. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
  • 3. Exporter Exporters are routers, firewalls, or switches capable of forwarding flow summaries. Most top- and middle-tier networking hardware is capable of exporting flow summaries. If your hardware is not capable of exporting flows, a software exporter can be used. This is a program that runs on a computer which must be attached to a SPAN/TAP/Mirror port on a switch or router, and does the flow exporting. Exported flows are only traffic summaries, they do not contain any traffic content. For instance: a flow reports the connections to an email server, but not the content of the emails. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
  • 4. Collector A collector is a server with software that can accept and interpret flow exports. Exporters send their flow summaries to collectors for storage and analysis. Most collectors summarize and aggregate the flows before storage, discarding the records. Although coarse, this approach is fastest. The cost is the loss of forensic accuracy. Some collectors store all flow records, alowing full recall, and precise filtering. The value of a flow product depends mostly on the implementation of the collector. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
  • 5. Flow Formats Flow exports come in many formats. Some Manufacturers are compatible, others not. Adding flow capability to your network will increase the traffic load by 1% to 5%. Some flow formats are sampled. This means that only some flows are reported on. Forensic accuracy is lost to gain some speed. sFlow ® uses this strategy. Most flow formats report every flow, allowing full flow recall, if the collector supports this. NetFlow, Cflow, and Jflow use this strategy. If your hardware only supports flow sampling, you can always use a software exporter instead. VINCENT BERK Copyright © 2011 Process Query Systems, LLC
  • 6. For Additional Information: http://www.proquesys.com info@proquesys.com 603.727.4477 ProQueSys FlowTraq A full fidelity flow collector. Supports: IPv6, NetFlow v1/5/7/9, sFlow v2/4/5, automated alerting, scheduled reporting, user dashboards, GUI and CLI interfaces. ProQueSys Flow Exporter FREE downloadable software flow exporter. Supports: IPv6, exporting in NetFlow v5 and v9, VLAN, IFindex specification, exporters to 16 destinations at once. VINCENT BERK Copyright © 2011 Process Query Systems, LLC