Tema 14. SNMPNetflow

This document provides an overview of network monitoring using SNMP and NetFlow. It discusses SNMP components and versions, how SNMP enables network monitoring, and SNMP ports and messages. It also defines what a network flow is, introduces NetFlow, discusses NetFlow versions and components, and provides examples of configuring NetFlow on Cisco routers and MikroTik switches to export data to an NtopNG collector for analysis.

Uploaded by

Paola Gagñay
REDES DE DATOS II

Network Monitoring
SNMP& Netflow

Alberto Arellano A. Ing. Msc.


[email protected]
CCNA – CCNP – CCSP – LPI - JNCIA
Simple Network Management Protocol (SNMP)

• What is it?
  • A protocol that facilitates the exchange of management information between network devices.
• Why was it developed?
  • To control and monitor the status of network devices.
• How is it beneficial?
  • Enables network administrators to:
    • Manage network performance
    • Find and solve network problems
    • Plan for network growth
SNMP Versions
• SNMPv1 – RFC 1028 (1998)
• SNMPv2 – RFC 3412 (2002)
• SNMPv3 – RFC 3414 (2002)

Version | Authentication   | Data Protection                                  | Unique Features
SNMPv1  | Community string | None                                             | 32-bit counters
SNMPv2c | Community string | None                                             | 64-bit counters; adds bulk request and inform message types
SNMPv3  | Username         | SHA or MD5; DES, 3DES, AES-128, AES-192, AES-256 | Adds user authentication, data integrity, encryption and restricted views
Components in an SNMP System
• SNMP agent: This software runs on the hardware or service being monitored, collecting data about disk space, bandwidth use and other important network performance metrics.
• SNMP-managed network nodes: These are the network devices and services upon which the agents run.
• Management information base (MIB): This database is a text file (.mib) that itemizes and describes all objects on a particular device that can be queried or controlled using SNMP. OIDs (Object Identifiers) uniquely identify managed objects in the MIB.
  (figure: MIB Browser)
• SNMP manager: The network management system (NMS) is a software platform that functions as a centralized console to which agents feed information.
SNMP Manager - OpenSource
SNMP Messages

A trap, also known as a fault or an exception, is a type of synchronous interrupt caused by an extraordinary condition in computing systems.
SNMP Ports
• The manager sends requests to the agent's UDP port 161.
• Each request carries one SNMP command (GET, GETNEXT, GETBULK, SET, etc.) with the specified OID (Object ID).
• A TRAP is initiated by the SNMP agent, which sends events in the form of an SNMP command (TRAP or INFORM) to the SNMP manager's UDP port 162.
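The version table and the port slide together make the key security point of this section: in SNMPv1 and SNMPv2c the "authentication" is a community string that travels in cleartext in every datagram sent to UDP/161, so anyone who captures that traffic reads it. The following is an added example (not part of the slides) that encodes a GetRequest in the BER format those versions use, then parses datagrams back the way a collector or IDS sensor would, to flag v1/v2c traffic and well-known default community strings. The manager addresses and the community strings in the sample are constructed; only the Python standard library is used.

```python
# Added example: minimal BER encoder/decoder for SNMPv1/v2c messages.
# Shows that the community string is readable in the raw bytes of every
# request sent to agent port 161, and how a sensor can audit for it.

# --- BER helpers ----------------------------------------------------------
def _ber_len(n):
    """Encode a BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(value):
    """INTEGER (tag 0x02), minimal two's-complement encoding (non-negative)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return _tlv(0x02, body)

def _oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06) with base-128 sub-identifiers."""
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]          # first two arcs share one byte
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))

def _read_tlv(buf, pos):
    """Decode one TLV at pos; returns (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

# --- what a manager sends to agent port 161 --------------------------------
GET_REQUEST = 0xA0   # context-specific tag of GetRequest-PDU

def build_get_request(community, oid, request_id=1, version=1):
    """version 0 = SNMPv1, 1 = SNMPv2c. Returns the complete UDP payload."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # { oid, NULL }
    pdu = _tlv(GET_REQUEST,
               _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

# --- sensor side: read version and community straight out of the bytes -----
VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}

def parse_message(packet):
    """Return (version_name, community_or_None, pdu_tag_or_None)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(body, 0)
    version = VERSION_NAMES.get(int.from_bytes(ver, "big", signed=True), "unknown")
    tag, second, pos = _read_tlv(body, pos)
    if tag != 0x04:          # SNMPv3 carries msgGlobalData here, not a community string
        return version, None, None
    pdu_tag, _, _ = _read_tlv(body, pos)
    return version, second.decode("latin-1"), pdu_tag

def audit(datagrams, weak=("public", "private")):
    """Flag v1/v2c traffic (cleartext community) and well-known default strings."""
    findings = []
    for src, pkt in datagrams:
        version, community, _ = parse_message(pkt)
        if community is not None:
            findings.append((src, version, community, community in weak))
    return findings

# constructed sample traffic: two managers polling sysDescr.0 (1.3.6.1.2.1.1.1.0)
SAMPLE = [
    ("10.0.0.5", build_get_request("public", "1.3.6.1.2.1.1.1.0", 42, version=1)),
    ("10.0.0.9", build_get_request("n0c-r3ad0nly", "1.3.6.1.2.1.1.1.0", 43, version=0)),
]

if __name__ == "__main__":
    for src, version, community, is_default in audit(SAMPLE):
        print(f"{src}: {version} community={community!r} default={is_default}")
```

The useful observation is in `parse_message`: no key, no secret and no decryption is needed to recover the community string, because v1/v2c never protect it. That is the reason the table lists SNMPv3 (username plus SHA/MD5 authentication and DES/AES privacy) as the version to deploy, and why a sensor watching UDP/161 and UDP/162 can inventory every device still answering to v1/v2c.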
SNMP Traps
• Traps are unsolicited messages alerting the SNMP manager to a condition or event on the network. Trap-directed notifications reduce network and agent resource use by eliminating the need for some SNMP polling requests.
• The figure illustrates the use of an SNMP trap to alert the network administrator that interface G0/0/0 has failed. The NMS software can send the network administrator a text message, pop up a window on the NMS software, or turn the router icon red in the NMS GUI.
What is a Flow?
Flow technologies, such as NetFlow, sFlow, jFlow, IPFIX and others, are used to describe traffic on the network. These technologies export data that describes the conversations occurring across a specific network device. Flow incorporates a sampling configuration, which allows a specific percentage of conversations to be exported from the device.
Introduction to NetFlow
• Developed by Cisco in 1996 as a packet forwarding mechanism
  • Outdated by CEF
  • Statistical reporting became relevant to customers
• Reporting is based on flows and not necessarily per packet (unsampled flow vs. sampled)
• Various versions exist, version 1 through 9, with 5 being the most popular and 9 being the most functional
  • Traditional NetFlow (TNF) – fixed information identifies a flow
  • Flexible NetFlow (FNF) – the user defines how to identify a flow
• NetStream (Huawei)
• JFlow (Juniper)
• cFlowd (Alcatel – Nokia)
• Traffic Flow (MikroTik)
IP Flow
An IP flow is made up of a set of 5 attributes and can have up to 7 in total. The attributes of each IP packet are as follows:
• IP source address
• IP destination address
• Source port
• Destination port
• Layer 3 protocol type
• Class of service
• Router or switch interface
NetFlow = VISIBILITY
Versions of NetFlow
(figure: RFC 3954, RFC 5101)
How to Collect NetFlow Data
Monitoring NetFlow requires three components:
• Flow exporter: a network device (a router or firewall) in charge of obtaining flow data and exporting it to a flow collector
• Flow collector: a device that collects the exported flow data
• Flow analyzer: an application that examines and analyses the flow data collected by the flow collector
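The flow attributes listed above and the exporter/collector split are easiest to understand from the wire format. What follows is an added example, not code from the slides or from any of the products named on this page: it packs a few constructed flows into a NetFlow v5 export datagram of the kind a router sends to UDP/2055, then decodes it the way a collector does and aggregates bytes by any subset of the flow key. The layouts are the 24-byte v5 header and 48-byte v5 record; the addresses, ports and counters in `SAMPLE_FLOWS` are constructed.

```python
# Added example: build and parse a NetFlow v5 export datagram (collector side).
import struct
from collections import defaultdict, namedtuple
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record

# The 7 attributes the slide lists as the flow key, plus the counters a
# collector actually charts. src/dst are dotted strings for readability.
Flow = namedtuple("Flow", "src dst sport dport proto tos in_if out_if packets octets")

def build_v5_datagram(flows, uptime_ms=60_000, unix_secs=1_700_000_000, seq=0):
    """Constructed exporter output: header followed by one record per flow."""
    records = b"".join(
        V5_RECORD.pack(
            IPv4Address(f.src).packed, IPv4Address(f.dst).packed, b"\0" * 4,  # src, dst, nexthop
            f.in_if, f.out_if, f.packets, f.octets,
            max(uptime_ms - 5_000, 0), uptime_ms,                              # first/last seen
            f.sport, f.dport, 0, 0, f.proto, f.tos,                            # pad, tcp_flags
            0, 0, 0, 0, 0)                                                     # AS numbers, masks, pad
        for f in flows)
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + records

def parse_v5_datagram(data):
    """Decode one datagram into Flow tuples; refuses malformed input."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # The count field comes from the network: check it against the real length
    # before indexing, so a truncated or padded datagram cannot mis-slice records.
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, _first, _last,
         sport, dport, _pad, _flags, proto, tos, *_rest) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(str(IPv4Address(src)), str(IPv4Address(dst)),
                          sport, dport, proto, tos, in_if, out_if, pkts, octets))
    return flows

def octets_by(flows, *fields):
    """Aggregate bytes by any subset of the key, e.g. ("dst", "dport")."""
    totals = defaultdict(int)
    for f in flows:
        totals[tuple(getattr(f, x) for x in fields)] += f.octets
    return dict(totals)

# constructed flows: an HTTPS session, its return direction, and a DNS query
SAMPLE_FLOWS = [
    Flow("192.168.10.20", "203.0.113.8", 51514, 443, 6, 0, 1, 2, 12, 4800),
    Flow("203.0.113.8", "192.168.10.20", 443, 51514, 6, 0, 2, 1, 10, 19000),
    Flow("192.168.10.20", "192.168.10.1", 40001, 53, 17, 0, 1, 2, 1, 70),
]

if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_FLOWS)
    for flow in parse_v5_datagram(datagram):
        print(flow)
    print("bytes per destination port:", octets_by(parse_v5_datagram(datagram), "dport"))
```

Note that the two directions of the HTTPS session arrive as two separate records: NetFlow is unidirectional, and the analyzer is what pairs them. The length check in `parse_v5_datagram` matters in practice because the collector port accepts unauthenticated UDP from anyone who can reach it, so nothing in the header can be trusted until it has been validated against the bytes actually received.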
NetFlow Analyzer Platforms
(figures: ManageEngine NetFlow Analyzer, Cisco Stealthwatch Enterprise, ntopng/nProbe)
Configure Netflow 9 – Cisco Router
Flexible NetFlow is comprised of 3 components:
• Flow Record
• Flow Exporter
• Flow Monitor

The following is a set of commands that are issued on a Cisco router to enable Flexible NetFlow on the Fast0/1 interface and export to the machine 192.168.10.100 (IP address of the NetFlow Analyzer server) on port 2055 (UDP port to export NetFlow packets).
Configure Netflow 9 – Cisco Router
• Create Flow Record

Router(config)#flow record LAN1record
Router(config-flow-record)#match ipv4 source address
Router(config-flow-record)#match ipv4 destination address
Router(config-flow-record)#match ipv4 protocol
Router(config-flow-record)#match transport source-port
Router(config-flow-record)#match transport destination-port
Router(config-flow-record)#match ipv4 tos
Router(config-flow-record)#match interface input
Router(config-flow-record)#collect interface output
Router(config-flow-record)#collect counter bytes

• Create Flow Exporter

Router(config)#flow exporter LAN1export
Router(config-flow-exporter)#destination 192.168.10.100
Router(config-flow-exporter)#source gigabit 0/1
Router(config-flow-exporter)#transport udp 2055
Router(config-flow-exporter)#template data timeout 60

• Create Flow Monitor

Router(config)#flow monitor LAN1monitor
Router(config-flow-monitor)#record LAN1record
Router(config-flow-monitor)#exporter LAN1export
Router(config-flow-monitor)#cache timeout active 60
Router(config-flow-monitor)#cache timeout inactive 15

• Associate the Monitor with the interface

Router(config)#interface fast 0/1
Router(config-if)#ip flow monitor LAN1monitor input

Router#copy running-config startup-config   (or: write)

Router#show flow exporter LAN1export
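The three-part configuration above is clearer once you see what the router's flow cache does with it: every `match` line becomes part of the flow key, every `collect` line is data carried along with the entry, and `cache timeout active 60` / `cache timeout inactive 15` decide when an entry is exported to `LAN1export`. The following simulation is an added example, not Cisco code and not part of the slides; it models that cache in Python with the same key fields as `LAN1record` and the same timeouts as `LAN1monitor`. The packet stream is constructed: a long-lived HTTPS session in both directions and a single DNS query.

```python
# Added example: simulation of the Flexible NetFlow cache defined by
# LAN1record / LAN1monitor above (match = key, collect = carried data,
# active/inactive timeouts = export triggers). Packets are constructed.
from dataclasses import dataclass

# one entry per "match" line in LAN1record
KEY_FIELDS = ("src", "dst", "proto", "sport", "dport", "tos", "in_if")

@dataclass
class Entry:
    key: tuple
    out_if: int          # "collect interface output"
    octets: int          # "collect counter bytes"
    first_seen: float
    last_seen: float

class FlowCache:
    def __init__(self, active_timeout=60, inactive_timeout=15):
        self.active, self.inactive = active_timeout, inactive_timeout
        self.entries = {}

    def observe(self, pkt, now):
        """Account one packet; a new key (including the reverse direction) opens a new flow."""
        key = tuple(pkt[f] for f in KEY_FIELDS)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(key, pkt["out_if"], pkt["bytes"], now, now)
        else:
            entry.octets += pkt["bytes"]
            entry.last_seen = now
        return key

    def expire(self, now):
        """Export (remove and return) entries whose timeout has elapsed."""
        exported = []
        for key, entry in list(self.entries.items()):
            if now - entry.last_seen >= self.inactive:      # flow went quiet
                exported.append(("inactive", self.entries.pop(key)))
            elif now - entry.first_seen >= self.active:     # long-lived flow: periodic export
                exported.append(("active", self.entries.pop(key)))
        return exported

def simulate(packets, active=60, inactive=15, step=1, until=120):
    """Feed (time, pkt) tuples through the cache; return [(export_time, reason, entry)]."""
    cache = FlowCache(active, inactive)
    pending = sorted(packets, key=lambda tp: tp[0])
    exports = []
    for now in range(0, until + 1, step):
        while pending and pending[0][0] <= now:
            t, pkt = pending.pop(0)
            cache.observe(pkt, t)
        for reason, entry in cache.expire(now):
            exports.append((now, reason, entry))
    return exports

def _pkt(src, dst, proto, sport, dport, nbytes, in_if=1, out_if=2, tos=0):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "tos": tos, "in_if": in_if, "out_if": out_if, "bytes": nbytes}

# constructed traffic: one packet every 5 s in each direction of an HTTPS
# session for 100 s, plus a single DNS query at t=2
SAMPLE_PACKETS = (
    [(t, _pkt("192.168.10.20", "203.0.113.8", 6, 51514, 443, 1400)) for t in range(0, 101, 5)]
    + [(t, _pkt("203.0.113.8", "192.168.10.20", 6, 443, 51514, 60, in_if=2, out_if=1))
       for t in range(0, 101, 5)]
    + [(2, _pkt("192.168.10.20", "192.168.10.1", 17, 40001, 53, 70))]
)

if __name__ == "__main__":
    for when, reason, entry in simulate(SAMPLE_PACKETS):
        print(f"t={when:3d} {reason:8s} {entry.key} bytes={entry.octets}")
```

Two things the run makes visible: the DNS flow is exported 15 s after its only packet (inactive timeout), while the HTTPS session is exported at t=60 with its counters so far (active timeout) and then restarts as a fresh entry, which is why a long download appears in the analyzer as several records for the same key. If `ip flow monitor ... input` is applied on only one interface, only packets entering that interface are keyed at all, so the `match interface input` field and the interface choice decide which direction of traffic the collector ever sees.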


Netflow lab - CISCO
Install NTOPNG

apt update -y
apt upgrade -y
wget http://apt.ntop.org/buster/all/apt-ntop.deb
dpkg -i apt-ntop.deb
apt update -y
apt install pfring-dkms nprobe ntopng n2disk cento -y
systemctl start ntopng
systemctl enable ntopng
systemctl status ntopng

Check ntopng is running
Edit the ntopng config file
nano /etc/ntopng/ntopng.conf
Create the ntop.start file
# systemctl restart ntopng
Check ntopng status
NTOPng Dashboard
Configure NAT Overload -- CISCO
Check Internet Connectivity
Check NTOPng Dashboard
Configure NETFLOW

NTOPng Server
Display Flows Export
Display Flow Cache
Configure NPROBE -- NTOPng
Enable nprobe
# nprobe -i none -n none -3 2055 --zmq tcp://172.20.20.50:1234
START NTOPng
# ntopng -i tcp://172.20.20.50:1234
Check NTOPng Dashboard
Check NTOPng Dashboard
SolarWinds Real-Time NetFlow Analyzer
Netflow lab - Mikrotik
ENABLE TRAFFIC FLOW MIKROTIK
ADD TARGET – COLLECTOR TRAFFIC
DashBoard NtopNG