How to configure NetFlow on Cisco Nexus 7000 series switches using Nx-OS
The NetFlow traffic collection program for Windows runs directly in a Microsoft Windows environment. Its Chinese interface is simple and practical, and it requires no installation, so it is a genuinely portable application.

The software collects NetFlow traffic information (a protocol supported by routers and switches from vendors such as Cisco and Kaichuang) and displays it on screen in real time; it can also run log queries and traffic statistics. NetFlow collects traffic information on routers or layer-3 switches and sends it to a collection host, which is far more efficient than packet-capture methods such as a sniffer. Unlike RMON, which only provides traffic statistics, NetFlow provides detailed access logs.

The program can be used in network management for communication logging and real-time monitoring, log queries, traffic statistics and security analysis, with queries and statistics filtered by network protocol, source and destination port number, source and destination IP address, IP service (TOS) bits and TCP flag bits. It can also serve as an auxiliary test and verification tool for network system integration and for developing and debugging network applications.

Second, System requirements

1. Operating system: Windows 2000 or above, i.e. Windows 2000 or Windows XP.

2. CPU: Pentium III 1.0 GHz or above (or equivalent); Pentium 4 2.0 GHz or above is recommended when traffic is heavy.

3. Memory: 512 MB or more; 1 GB or more is recommended when traffic is heavy.

4. Recommended screen resolution: 1024x768.

Third, Program configuration and use

1. The program runs directly without installation. The operating environment is Microsoft Windows 2000 or above, and the recommended screen resolution is 1024x768. Once the program is running and has received traffic messages, it creates a flowlog subdirectory in which the log files are stored.

2. To register the software, contact the author and provide the machine code, company name, user name, contact phone number and email address. In an unregistered copy, the IP addresses and byte counts in traffic records are displayed and stored randomly and marked "unregistered".

3. When traffic is busy, you can use the "Close Monitoring" and "Open Monitoring" buttons. With monitoring closed, the screen no longer scrolls to display traffic records, which improves collection speed; the records are still written to disk, so queries and traffic statistics are not affected.

Fourth, Cisco series router and switch NetFlow configuration

1. In global configuration mode, configure the NetFlow export version:

(config)# ip flow-export version 5

This command sets the NetFlow export version to 5.

The program currently supports only NetFlow versions 1 and 5.

2. In global configuration mode, configure the NetFlow collector address and port number:

(config)# ip flow-export destination xxx.xxx.xxx.xxx 55888

Here xxx.xxx.xxx.xxx is the NetFlow collector address, that is, the IP address of the host running the program, and 55888 is the service port number.

3. On each interface of the Cisco router or switch (for example interface FastEthernet0/0, interface FastEthernet0/1, and so on), configure:

(config-if)# ip route-cache flow

4. In global configuration mode, set the time zone:

(config)# clock timezone Beijing 8

This command configures Beijing time, the UTC+8 time zone.

5. In privileged EXEC (enable) mode, set the date and time:

# clock set 17:05:00 6 August 2003

This command sets the clock to 17:05:00 on August 6, 2003.

Note: set the time zone first, then the date and time. The computer receiving the NetFlow messages must also be configured for the corresponding time zone. Some Cisco models need the date and time reset after a power failure.

For the NetFlow configuration of other models, refer to the documentation of the corresponding product.

Fifth, Description of the collected fields

1. Date

The date on which the flow occurred. The date of traffic collected by this program is output by the router, so set the router's date and time correctly.

2. Flow start time

The start time of the flow as output by the router. The normal version is accurate to the second; the standard version is accurate to the millisecond.

3. Flow end time

The end time of the flow as recorded by the router. The normal version is accurate to the second; the standard version and above are accurate to the millisecond.

4. Source IP address

The IP address of the sender of this flow.

5. Destination IP address

The IP address of the receiver of this flow.

6. Source mask length

The mask length of the sender's IP address.

7. Destination mask length

The mask length of the receiver's IP address.

8. Source port number

The sender's protocol port number.

9. Destination port number

The receiver's protocol port number.

10. Protocol

The network protocol used by this flow, already converted to udp, tcp, icmp and similar names for convenient monitoring and viewing.

11. TOS service bits

The TOS (Type of Service) field from the IP packet header of this flow. For convenient monitoring and viewing it is displayed in binary bit form.

The Type of Service (TOS) field is 8 bits. The first three bits are the precedence subfield (now ignored). Bits 4 to 7 mean minimum delay, maximum throughput, maximum reliability and minimum cost respectively, and the 8th bit is fixed at 0. If all bits are 0, the packet receives normal handling with no special processing.

12. TCP flag bits

The TCP flags field of this flow. For convenient monitoring and viewing it is displayed in binary bit form.

The TCP-FLAGS field is 6 bits, from left to right: URG, ACK, PSH, RST, SYN, FIN.

URG: the urgent pointer is valid.

ACK: the acknowledgement number is valid. For non-TCP protocols this bit is also set to 1.

PSH: the receiver should hand this segment to the application layer as soon as possible.

RST: reset the connection.

SYN: synchronize sequence numbers, used to start a connection.

FIN: the sender has finished sending data.

13. Packet count

The number of packets transmitted in this flow.

14. Byte count

The number of bytes transmitted in this flow.

15. Source autonomous system number

The routing-protocol autonomous system number of the sender.

16. Destination autonomous system number

The routing-protocol autonomous system number of the receiver.

17. Physical input interface

The number of the physical port on which this flow entered the NetFlow exporting device (router).

On a Cisco 2600, FastEthernet0/0 is port number 1 and FastEthernet0/1 is port number 2.

18. Physical output interface

The number of the physical port on which this flow left the NetFlow exporting device (router).

On a Cisco 2600, FastEthernet0/0 is port number 1 and FastEthernet0/1 is port number 2.

19. Next-hop address

The address of the next destination or intermediate router to which this flow was forwarded from the NetFlow exporting device (router).

20. NetFlow exporter address

The address of the NetFlow exporting device (router) that sent this record. When records arrive from several exporting devices, this field distinguishes between them. When traffic is very heavy, however, it is best for one collection host to receive records from only one exporting device.

21. NetFlow version number

The NetFlow version number of this record.
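As an added example, not part of the page or of the collector program it describes, here is a small Python decoder for the NetFlow v5 datagrams the program receives. It unpacks the header and the record fields listed in section Fifth, anchors the flow start and end times to the router clock (which is why section Fourth sets the date, time and time zone), and renders the TOS and TCP-FLAGS bytes as the named bits described under fields 11 and 12. The sample datagram is constructed inline and is not a real capture.

```python
import struct
from datetime import datetime, timezone

# NetFlow v5 datagram (network byte order): a 24-byte header, then up to 30
# records of 48 bytes, in the field order of Cisco's v5 export format.
HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime_ms, secs, nsecs, seq, engine, engine, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in, out, pkts, bytes, first, last, ...
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
# Flag names left to right as the page lists them, with the bit each occupies.
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))
# TOS bits 4 to 7; precedence bits 1 to 3 are ignored and bit 8 is always 0.
TOS_BITS = (("min-delay", 0x10), ("max-throughput", 0x08), ("max-reliability", 0x04), ("min-cost", 0x02))

def set_bits(value, table):
    """Names of the bits set in value, e.g. set_bits(0x13, TCP_FLAGS) -> ['ACK', 'SYN', 'FIN']."""
    return [name for name, mask in table if value & mask]

def parse_v5(datagram):
    """Decode one NetFlow v5 datagram into (flow_sequence, list of flow dicts)."""
    version, count, uptime_ms, secs, nsecs, seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    # Record timestamps are ms since router boot; anchor them to the router clock.
    boot = secs + nsecs / 1e9 - uptime_ms / 1000.0
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": ".".join(map(str, f[0])), "dst": ".".join(map(str, f[1])),
            "nexthop": ".".join(map(str, f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6],
            "start": datetime.fromtimestamp(boot + f[7] / 1000.0, timezone.utc),
            "end": datetime.fromtimestamp(boot + f[8] / 1000.0, timezone.utc),
            "sport": f[9], "dport": f[10], "tcp_flags": set_bits(f[12], TCP_FLAGS),
            "proto": PROTOCOLS.get(f[13], str(f[13])), "tos": set_bits(f[14], TOS_BITS),
            "src_as": f[15], "dst_as": f[16], "src_mask": f[17], "dst_mask": f[18],
        })
    return seq, flows

def build_sample():
    """Constructed datagram, not a real capture: one TCP flow exported when the router clock
    read 2003-08-06 17:05:00 Beijing time (Unix 1060160700), 90 s after boot."""
    header = HEADER.pack(5, 1, 90_000, 1_060_160_700, 0, 42, 0, 0, 0)
    record = RECORD.pack(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([10, 0, 0, 1]),
                         1, 2, 12, 3400, 60_000, 75_000, 51234, 443, 0, 0x13, 6, 0x10,
                         0, 65000, 24, 24, 0)
    return header + record
```

Calling parse_v5(build_sample()) yields sequence number 42 and one flow from 10.0.0.5:51234 to 192.0.2.10:443 with flags ACK SYN FIN and TOS min-delay, starting at 17:04:30 Beijing time and lasting 15 seconds.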

Sixth, Important notes

1. When traffic is very heavy, the collection host should be as powerful as possible: a Pentium 4 CPU of 2.8 GHz or above, 1 GB or more of memory and a high-speed hard disk of 120 GB or more.

2. When traffic is very heavy, the collection host should run as few other applications as possible, especially other network applications.

3. When there are more than 100,000 traffic records per minute (one network conversation normally produces one record from connection establishment to close; a download of hundreds of megabytes, for example, may produce only a single record), the screen display becomes the output bottleneck, so real-time monitoring should be turned off to preserve collection efficiency. With real-time monitoring off, collection capacity increases by a factor of several dozen (depending on the host and network speed). Turning off the display in power management also improves collection capacity.

4. When traffic is very heavy, do not send the traffic of multiple routers (switches) to a single collector.

5. When traffic is very heavy, do not run queries and statistics on the collector itself. Copy the folder containing the collector program together with the flowlog folder it generated to another host and run queries and statistics there. Log queries and traffic statistics do not require a registration code.

6. To protect collection, the collection thread has the highest priority and queries and statistics have lower priority. While collection is busy, queries and statistics on the collection host are very slow. You can press the "Pause Collection" button to stop collection, but flow records are lost while collection is paused.

7. Log files are very large. Compress them before copying or archiving; the compression ratio can reach about 20:1. The program writes one traffic record file per hour. When copying, do not copy the file for the current hour, which is still being written. The program records, queries and counts by start time, and the start and end times of a single record can differ considerably, so a record that started in the previous hour causes the previous hour's log file to be reopened when that record ends in the next hour. It is therefore best not to copy or manually open the log files of the last two hours.

8. Whether the processing capacity is sufficient under extremely heavy traffic must be tested by yourself.