First, IPFIX and NetFlow
First, IPFIX
Its full name is IP Flow Information Export, and it is the international standard for network traffic monitoring. IPFIX is also the name of the IETF working group whose main task is to develop a standard protocol for measuring and exporting flow information from IP networks, the IPFIX protocol. Because of the IETF's authority in the Internet industry, IPFIX has produced a series of RFC standards that serve as the reference documents for professional network traffic monitoring products and the companies that build them. Official website: http://datatracker.ietf.org/wg/ipfix/
Second, Flows
General definition: a flow is a series of packets that pass through a given observation point in the network and share the same properties. The properties include endpoints, direction, time granularity and protocol layer: the endpoints are the start and end points of the flow; the direction may be unidirectional or bidirectional; the time granularity refers to the start time and end time of the packets; and the protocol layer includes the network-layer protocol. Flow record: a record containing useful information about a flow.
IPFIX definition of a flow: a set of IP packets that pass through the observation point within a certain time interval. All IP packets belonging to the same flow share some of the following common properties:
1. one or more IP-layer header fields (for example the destination IP address), transport-layer header fields (such as the destination port) or application-layer header fields (such as RTP header fields);
2. one or more characteristics of the packet itself (for example the MPLS label number);
3. one or more fields derived from how the router treats the packet (for example the next-hop IP address or the output interface).
NetFlow definition of a flow: a unidirectional sequence of packets between two endpoints. NetFlow defines a flow by the following 7 fields: source IP address, destination IP address, source port, destination port, transport protocol type, IP type of service (i.e. ToS / DSCP) and input interface (ifIndex). DSCP (Differentiated Services Code Point) defines different levels of service and is a combination of the "precedence" and "type of service" fields.
Whenever a router or switch receives a packet, it examines these key fields to determine whether the packet belongs to an existing flow. If the flow already exists, its byte and packet counters are accumulated; if it does not, a new flow is created in the cache and its byte and packet counters are initialised. When a flow is determined to be complete, its flow record is exported in the appropriate format.
The start time of a flow is easy to determine: it is the time of the first packet of the new flow. Determining the end time of a flow is harder. NetFlow ends a flow in the following ways: (1) the transport protocol carries a connection-end flag (TCP FIN or RST); (2) there has been no traffic for more than 15 seconds (for UDP, or for TCP when both sides have dropped off); (3) the flow cache entry expires every 30 minutes, so long-lived active flows emit a flow record periodically and flow information is exported in a timely manner (15 seconds / 30 minutes are the router defaults); (4) the cache is full.
Once the flow records have been obtained they are classified and aggregated, which compresses the volume of data.
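To make the flow-cache behaviour above concrete, here is an added example (not code from the original post, and not how any particular router or YAF implements it): a toy cache that keys packets by NetFlow's seven fields, accumulates bytes and packets, and exports a record on each of the four end conditions. The packets, addresses and timestamps are constructed; the 15-second and 30-minute timeouts are the defaults the text quotes.

```python
# Toy NetFlow-style flow cache. Timeouts are the router defaults quoted above; packets are constructed.
INACTIVE_TIMEOUT = 15.0        # seconds with no traffic (UDP, or TCP without FIN/RST)
ACTIVE_TIMEOUT = 30 * 60.0     # long-lived flows are exported every 30 minutes
TCP, FIN, RST = 6, 0x01, 0x04  # IP protocol number and the TCP flag bits that end a flow
KEY_FIELDS = ("src", "dst", "sport", "dport", "proto", "tos", "ifindex")  # NetFlow's 7-tuple

class FlowCache:
    def __init__(self, max_flows=1000):
        self.flows = {}          # 7-tuple -> {"first", "last", "packets", "bytes"}
        self.max_flows = max_flows
        self.exported = []       # (reason, flow record) in export order

    def _export(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    def _expire(self, now):
        for key, f in list(self.flows.items()):
            if now - f["last"] > INACTIVE_TIMEOUT:      # condition 2: idle too long
                self._export(key, "inactive")
            elif now - f["first"] >= ACTIVE_TIMEOUT:    # condition 3: periodic export of long flows
                self._export(key, "active")

    def add(self, pkt):
        now = pkt["ts"]
        self._expire(now)
        key = tuple(pkt[k] for k in KEY_FIELDS)         # match on the seven key fields
        f = self.flows.get(key)
        if f is None:                                   # new flow: initialise its counters
            if len(self.flows) >= self.max_flows:       # condition 4: cache full, evict the oldest
                self._export(min(self.flows, key=lambda k: self.flows[k]["last"]), "cache_full")
            f = self.flows[key] = {"first": now, "last": now, "packets": 0, "bytes": 0}
        f["last"], f["packets"], f["bytes"] = now, f["packets"] + 1, f["bytes"] + pkt["len"]
        if pkt["proto"] == TCP and pkt.get("flags", 0) & (FIN | RST):  # condition 1: FIN/RST
            self._export(key, "tcp_end")

def run_sample():
    """Feed constructed packets through the cache; return (reason, packets, bytes) per export."""
    tcp = dict(src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80, proto=TCP, tos=0, ifindex=1)
    udp = dict(tcp, dst="10.0.0.3", sport=5000, dport=53, proto=17)
    packets = [
        dict(tcp, ts=0.0, len=60, flags=0x02),   # SYN opens the TCP flow
        dict(tcp, ts=0.5, len=1500),
        dict(tcp, ts=1.0, len=40, flags=FIN),    # FIN ends it: exported immediately
        dict(udp, ts=2.0, len=80),
        dict(udp, ts=20.0, len=90),              # 18 s gap > 15 s: the earlier UDP flow expires
    ]
    cache = FlowCache()
    for p in packets:
        cache.add(p)
    return [(reason, f["packets"], f["bytes"]) for reason, f in cache.exported]
```

The returned list shows the TCP flow closed by FIN and the first UDP flow expired by the inactive timeout; the second UDP packet has started a fresh flow that is still in the cache.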
Third, NetFlow
NetFlow was invented by Cisco in 1996 and registered as a U.S. patent in May. NetFlow was first used by network equipment to accelerate data switching, while at the same time measuring and gathering statistics on IP data flows forwarded at high speed. After years of technological evolution, the switching-acceleration function that NetFlow was originally used for has gradually been taken over by dedicated ASICs in network equipment, while the IP flow measurement and statistics function has matured into a flow-switching technology in its own right. NetFlow has been integrated into most vendors' routers and switches and has become the de facto standard for traffic monitoring, widely used in network management. It is easy to configure, easy to deploy and requires no additional equipment.
But NetFlow still has disadvantages. NetFlow consumes the router's CPU and storage resources and affects the forwarding performance of the device. The volume of data recorded by flows is still very large, and since the router is not a dedicated monitoring device its processing power is insufficient, so sampling ratios of 100:1 to 1000:1 are generally used, which makes monitoring coarse-grained and loses detailed flow information. The data content provided by the device itself is limited, and policy and customisation capabilities are relatively poor. Because the NetFlow functionality is integrated into the device, software implementations perform poorly, hardware implementations are less flexible, and the cost of upgrading line cards across a large installed base of routers is high. NetFlow's business and application identification relies heavily on TCP/UDP port numbers, which struggle to identify ever-changing applications.
Second, installing YAF on CentOS 6.9 to send IPFIX
1. Install the required dependencies
> yum install -y glib2-devel libpcap-devel zlib-devel
2. Install libfixbuf-1.7.1.tar.gz from source
Download: http://tools.netsa.cert.org/fixbuf/download.html
> tar -zxvf libfixbuf-1.7.1.tar.gz
> cd libfixbuf-1.7.1
> ./configure && make && make install
3. Install YAF from source
YAF: http://tools.netsa.cert.org/yaf/download.html
Version 2.8.4 is used here.
> tar -zxvf yaf-2.8.4.tar.gz
> cd yaf-2.8.4
> ./configure && make && make install
4. Verify that YAF was installed successfully
# yaf    (running yaf with no arguments prints the following usage error, which indicates a successful installation)
Command-line argument error:
Refusing to read from terminal on stdin
Use the --help for usage.
Third, sending IPv4 and IPv6 IPFIX with YAF
Checking the local IP addresses shows that this machine has both an IPv4 and an IPv6 address, so IPFIX streams can be sent to collectors on either the IPv4 or the IPv6 network segment.
# yaf --live=pcap --in=eth0 --out=10.30.30.217 --ipfix-port 2055 --ipfix=udp
Command explanation: captures on the local eth0 interface and sends a UDP-based IPFIX stream to port 2055 of 10.30.30.217.
# yaf --live=pcap --in=eth0 --out=2002:ac14:1414:0:250:56ff:fea2:12a7 --ipfix-port 2055 --ipfix=udp --force-ip6-export
Command explanation: captures on the local eth0 interface and sends an IPv6 IPFIX stream to port 2055 of 2002:ac14:1414:0:250:56ff:fea2:12a7.
The exported IPFIX flows can then be viewed and decoded on the remote machine (the --out=IP address).
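For checking what actually arrives at the collector side on port 2055, here is an added example (not part of the original post and not YAF's or libfixbuf's own code): a minimal decoder for the IPFIX message header, template sets and data sets as specified in RFC 7011, with a constructed message. The template layout and the source address 10.30.30.5 are assumptions for the demo; YAF's real export uses its own, richer templates, which this decoder would learn the same way.

```python
import struct
from ipaddress import IPv4Address

IPFIX_VERSION = 10
# IANA information element IDs used by the constructed template below (subset).
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}

def parse_ipfix(msg, templates=None):
    """Decode one IPFIX message into (header, records); learned templates are kept in `templates`."""
    templates = {} if templates is None else templates
    version, length, export_time, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("not an IPFIX message or truncated")
    records, pos = [], 16
    while pos + 4 <= length:                              # walk the sets in the message body
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:                                   # template set: learn the field layout
            tid, count = struct.unpack("!HH", body[:4])
            fields, off = [], 4
            for _ in range(count):
                ie_id, ie_len = struct.unpack("!HH", body[off:off + 4])
                off += 8 if ie_id & 0x8000 else 4         # enterprise IEs carry a 4-byte PEN
                fields.append((ie_id & 0x7FFF, ie_len))
            templates[tid] = fields
        elif set_id >= 256 and set_id in templates:       # data set described by a known template
            fields, off = templates[set_id], 0
            while off + sum(n for _, n in fields) <= len(body):
                rec = {}
                for ie_id, ie_len in fields:
                    raw, off = body[off:off + ie_len], off + ie_len
                    rec[IE_NAMES.get(ie_id, ie_id)] = str(IPv4Address(raw)) if ie_id in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
    return {"export_time": export_time, "sequence": seq, "domain": domain}, records

def sample_message():
    """Constructed datagram as the collector on port 2055 might receive it: template 256 plus one record."""
    layout = ((8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8))
    tmpl = struct.pack("!HH", 256, len(layout)) + b"".join(struct.pack("!HH", i, n) for i, n in layout)
    rec = IPv4Address("10.30.30.5").packed + IPv4Address("10.30.30.217").packed + struct.pack("!HHBQ", 40000, 2055, 17, 1600)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1700000000, 1, 1) + body
```

Data sets whose template has not been seen yet are skipped, which is why a collector that starts after the exporter shows nothing until the next template refresh.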
[Linux] CentOS 6.9 under Yaf send IPV4 and IPV6 ipfix