{"id":573,"date":"2010-06-04T17:08:36","date_gmt":"2010-06-04T21:08:36","guid":{"rendered":"http:\/\/www.braindeadprojects.com\/blog\/?p=573"},"modified":"2010-06-06T23:42:10","modified_gmt":"2010-06-07T03:42:10","slug":"netflowlive","status":"publish","type":"post","link":"http:\/\/www.braindeadprojects.com\/blog\/what\/netflowlive\/","title":{"rendered":"NetflowLive!"},"content":{"rendered":"

The good news is this – we’re now up to 30 subscribers on the neighborhood wifi.<\/p>\n

\"\"<\/a>
Currently 30 subscribers on the wireless<\/figcaption><\/figure>\n

With an average of 1.75 users online at any given moment:<\/p>\n

\"\"<\/a>
Users online at any given moment.<\/figcaption><\/figure>\n

I’ve also started working on writing a Netflow<\/a> analyzer application, based off a similar application I wrote for work.\u00a0 At the current time, this version\u00a0 only streams real-time connection endpoints and DNS statistics (last resolved sites, most resolved sites), as well as detects TCP SYN scans. Each flow record is also colorized (similar to what you would see in Wireshark<\/a>), to further categorize the type of connection.<\/p>\n

Instead of calling the gethostbyaddr()<\/em> function<\/a> on a destination IP\u00a0 (which simply pulls a PTR record, and in the world of vhosts is a poor representation of where a user is actually connecting),\u00a0 subscriber DNS queries are syslogged offsite and parsed.\u00a0 The Netflow Live application I’m building uses those parsed and stored queries to give a fairly accurate determination of what site is being visited when.<\/p>\n

Visited URLs could also be determined and logged\u00a0 if a transparent Squid proxy<\/a> was utilized on the Access Points. I have NO<\/strong> intention of doing this, however. I’m only concerned with endpoints and protocols being used. The number one protocol in use on the network:\u00a0 HTTP<\/a> (Shocking!)<\/p>\n

\"\"<\/a>
Netflow Live (streaming recent connections)<\/figcaption><\/figure>\n

For those of you unfamiliar with Netflow<\/a>, it’s a solution put forth by Cisco<\/a> for IP traffic profiling. The two main elements are an exporter (usually a router) and a collector (which the exporter sends flow data to). Netflow does not include data\u00a0 payloads<\/em> <\/strong>, ONLY a log of the endpoints used in each connection. (Think of it this way: When you make a long distance phone-call, you receive a monthly bill that details your phone number called another phone number at a specific time, for a specific duration. The phone company doesn’t actually have record of the conversation, however).<\/p>\n

The data collected does<\/strong> <\/em>include IP source and destination addresses, Transport layer source and destination ports, byte countes, packet counts, TCP flags, and MAC addresses. (Below is all the fields actually captured)<\/p>\n

\n

\"\"<\/a>
This is all the data that's actually stored from each connection.<\/figcaption><\/figure>\n

So what does this allow? Utilizing Netflow, I can determine subscribers on the network with certain network signatures for viruses<\/a>, detect some DoS attacks<\/a> and SYN scans<\/a>, and graph the most commonly used protocols on the network.<\/p>\n

I can also shape traffic based on determinations made by looking at the data. Is someone experiencing bad Skype<\/a> calls due to someone streaming video over HTTP? I can use the netflow data to reshape things as needed.<\/p>\n

So what’s in the works? Using NetGeo data, I plan on mapping connection endpoints on a US world map, allowing a visual display of where in the world most connections are destined.<\/p>\n

\n

\"\"<\/a>
Orion Netflow offers the same functionality I'm going for - but at a hefty pricetag.<\/figcaption><\/figure>\n

But next up:\u00a0 I\u00a0 need to fix the\u00a0 bug preventing a software reboot of the access points – hopefully I can get to that this weekend.<\/p>\n

Update\u00a0 6\/9\/2010<\/strong>:<\/p>\n

Jake Wilson pointed out<\/a> the free NetFlow analyzer Scrutinizer<\/em> by Plixer<\/a>. I’ve not had a chance to look it over yet – but check out this video<\/a> about the product.\u00a0 I first came across that video a month or two ago… it was like staring at the sun, initially I couldn’t tell if I liked it or not – but I watched it like 20 times that day.\u00a0 GREAT work guys, catchy AND entertaining.<\/p>\n","protected":false},"excerpt":{"rendered":"

The good news is this – we’re now up to 30 subscribers on the neighborhood wifi. With an average of 1.75 users online at any given moment: I’ve also started working on writing a Netflow analyzer application, based off a similar application I wrote for work.\u00a0 At the current time, this version\u00a0 only streams real-time … Continue reading NetflowLive!<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-573","post","type-post","status-publish","format-standard","hentry","category-what"],"_links":{"self":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/573"}],"collection":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/comments?post=573"}],"version-history":[{"count":52,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/573\/revisions"}],"predecessor-version":[{"id":664,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/posts\/573\/revisions\/664"}],"wp:attachment":[{"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/media?parent=573"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/categories?post=573"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.braindeadprojects.com\/blog\/wp-json\/wp\/v2\/tags?post=573"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}