In this post, we are going to look at sFlow with IPv4 on a FortiGate firewall.
First, build the sFlow collector details. I'm running sflowd on a Unix host inside the network; my sFlow daemon is configured for UDP port 7001.
    config system sflow
        set collector-ip 10.10.100.9
        set collector-port 7001
    end
Next we need to enable sFlow on the interface(s) whose traffic should be exported. The sFlow-specific settings in the interface cfg are sample-rate, polling-interval and sflow-sampler (they were highlighted in orange in the original).
    config system interface
        edit "NET01"
            set vdom "root"
            set ip x.x.x.2 255.255.255.0
            set allowaccess ping https ssh
            set sample-rate 100
            set polling-interval 10
            set alias "EXT_NTWORK1 LAX"
            config ipv6
                set ip6-address 2001:xx:xx:1::20/64
                set ip6-allowaccess ping https ssh
            end
            set sflow-sampler enable
            set interface "port1"
            set vlanid 123
        next
    end
Now the FortiGate will export sFlow datagrams to the collector so that we can run analysis. Here is the packet list as seen at the collector:
    781 100.308855 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 780, 2 samples
    782 100.431476 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 781, 1 samples
    783 100.569314 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 782, 1 samples
    784 100.661278 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 783, 1 samples
    785 100.802293 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 784, 1 samples
    786 100.924704 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 785, 1 samples
    787 101.029858 10.10.100.1 -> 10.10.100.9 sFlow V5, agent 10.10.100.1, sub-agent ID 0, seq 786, 1 samples
    788 101.192785 10.10.100.1 -> 10.10.
    InMon sFlow
        datagram version: 5
        address type: IP_V4 (1)
        agent address: 10.10.100.1 (10.10.100.1)
        Sub-agent ID: 0
        Sequence number: 1893
        SysUptime: 225000
        NumSamples: 1
        Flow sample, seq 1893, Raw header
            0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
            .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
            Sample length: 132
            Sample sequence number: 1893
            Source ID type: ifIndex (0)
            Source ID index: 23
            Sampling rate: 100
            Sample pool: 188800
            Dropped packets: 0
            Input interface index: 0
            0... .... .... .... .... .... .... .... = Multiple outputs: No
            Output interface index: 23
            Number of records: 1
            Sample type: Raw header (1)
                Record length: 92
                Header protocol: Ethernet (1)
                Frame length: 74
                Stripped bytes: 4
                Header length: 76
                Header of sampled packet: 00169C6F680000090F093C0208004500003C000040003F06...
                Ethernet II, Src: Fortinet_09:3c:02 (00:09:0f:09:3c:02), Dst: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    Destination: Cisco_6f:68:00 (00:16:9c:6f:68:00)
And here's an L3 decode. If you know the sequence number, you can pick the datagram out in Wireshark with the display filter 'sflow.sequence_number==XXXX', where XXXX is the sFlow sequence number.
    InMon sFlow
        datagram version: 5
        address type: IP_V4 (1)
        agent address: 10.10.100.1 (10.10.100.1)
        Sub-agent ID: 0
        Sequence number: 1891
        SysUptime: 225000
        NumSamples: 1
        Flow sample, seq 1891, Raw header
            0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
            .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
            Sample length: 124
            Sample sequence number: 1891
            Source ID type: ifIndex (0)
            Source ID index: 23
            Sampling rate: 100
            Sample pool: 188600
            Dropped packets: 0
            Input interface index: 23
            0... .... .... .... .... .... .... .... = Multiple outputs: No
            Output interface index: 0
            Number of records: 1
            Sample type: Raw header (1)
                Record length: 84
                Header protocol: Ethernet (1)
                Frame length: 66
                Stripped bytes: 4
                Header length: 68
                Header of sampled packet: 00090F093C0200169C6F680008004500003402ED40007606...
                Ethernet II, Src: Cisco_6f:68:00 (00:16:9c:6f:68:00), Dst: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                    Destination: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                        Address: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Source: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                        Address: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Type: IP (0x0800)
                Internet Protocol, Src: 71.34.5.116 (71.34.5.116), Dst: 192.0.2.107 (192.0.2.107)
                    Version: 4
                    Header length: 20 bytes
                    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                        0000 00.. = Differentiated Services Codepoint: Default (0x00)
                        .... ..0. = ECN-Capable Transport (ECT): 0
                        .... ...0 = ECN-CE: 0
                    Total Length: 52
                    Identification: 0x02ed (749)
                    Flags: 0x02 (Don't Fragment)
                        0.. = Reserved bit: Not Set
                        .1. = Don't fragment: Set
                        ..0 = More fragments: Not Set
                    Fragment offset: 0
                    Time to live: 118
                    Protocol: TCP (0x06)
                    Header checksum: 0x3e6b [correct]
                        [Good: True]
                        [Bad : False]
                    Source: 71.34.5.116 (71.34.5.116)
                    Destination: 192.0.2.107 (192.0.2.107)
                Transmission Control Protocol, Src Port: 52722 (52722), Dst Port: http (80), Seq: 4114215056
                    Source port: 52722 (52722)
                    Destination port: http (80)
                    [Stream index: 1774]
                    Sequence number: 4114215056    (relative sequence number)
                    Header length: 32 bytes
                    Flags: 0x02 (SYN)
                        0... .... = Congestion Window Reduced (CWR): Not set
                        .0.. .... = ECN-Echo: Not set
                        ..0. .... = Urgent: Not set
                        ...0 .... = Acknowledgement: Not set
                        .... 0... = Push: Not set
                        .... .0.. = Reset: Not set
                        .... ..1. = Syn: Set
                            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port http]
                                [Message: Connection establish request (SYN): server port http]
                                [Severity level: Chat]
                                [Group: Sequence]
                        .... ...0 = Fin: Not set
                    Window size: 8192
                    Checksum: 0xd7a4 [validation disabled]
                        [Good Checksum: False]
                        [Bad Checksum: False]
                    Options: (12 bytes)
                        Maximum segment size: 1452 bytes
                        NOP
                        Window scale: 2 (multiply by 4)
                        NOP
                        NOP
                        SACK permitted
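The dumps above are Wireshark's view of the datagrams. To show what a collector actually has to do with the bytes, here is an added example (my code, not the post's and not Fortinet's or sflowd's) that decodes an sFlow v5 datagram down to the fields in those dumps and then walks the sampled Ethernet/IPv4/TCP header to its 5-tuple, recomputing the IP header checksum the way Wireshark's "[correct]" verdict does. The input it parses is constructed by build_sample_datagram() from the values of the L3 decode above (seq 1891, ifIndex 23, rate 100, pool 188600, the MACs, addresses, TTL, TCP ports, sequence number and options); the checksums are computed here rather than copied from the post. Counter samples, extended flow records and non-Ethernet header protocols are recognized and carried through as "unsupported" rather than mis-parsed.

```python
"""Minimal sFlow v5 decoder for the fields shown in the Wireshark dumps above.
Added example (not the post's or Fortinet's code). build_sample_datagram() CONSTRUCTS
its input from the values of the L3 decode; the checksums are computed, not copied."""
import ipaddress
import struct

FLOW_SAMPLE = 1           # sample type: enterprise 0, format 1
RAW_PACKET_HEADER = 1     # flow record format 1
HEADER_PROTO_ETHERNET = 1


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over a header whose checksum field is zeroed."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_sampled_header(data):
    """Ethernet II -> IPv4 -> TCP/UDP: enough for a 5-tuple plus an IP checksum verdict."""
    info = {"eth_dst": data[0:6].hex(":"), "eth_src": data[6:12].hex(":"),
            "ethertype": struct.unpack_from(">H", data, 12)[0]}
    if info["ethertype"] != 0x0800:
        return info                                   # IPv6/ARP etc. left undecoded here
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag, ttl, proto, csum = struct.unpack_from(">HHHBBH", ip, 2)
    zeroed = ip[:10] + b"\x00\x00" + ip[12:ihl]        # recompute like Wireshark's "[correct]"
    info.update(ip_src=str(ipaddress.IPv4Address(ip[12:16])),
                ip_dst=str(ipaddress.IPv4Address(ip[16:20])), ip_total_length=total_len,
                ip_id=ident, ip_df=bool(flags_frag & 0x4000), ttl=ttl, proto=proto,
                ip_checksum_ok=ipv4_checksum(zeroed) == csum)
    l4 = ip[ihl:]
    if proto == 6:                                    # TCP
        sport, dport, seq, ack, off_flags, window = struct.unpack_from(">HHIIHH", l4, 0)
        info.update(sport=sport, dport=dport, tcp_seq=seq, tcp_ack=ack, window=window,
                    tcp_flags=off_flags & 0x1FF, tcp_hdr_len=(off_flags >> 12) * 4)
    elif proto == 17:                                 # UDP
        info.update(zip(("sport", "dport"), struct.unpack_from(">HH", l4, 0)))
    return info


def parse_flow_sample(body):
    seq, source_id, rate, pool, drops, inp, outp, nrec = struct.unpack_from(">8I", body, 0)
    sample = {"type": "flow", "seq": seq, "source_id_type": source_id >> 24,
              "source_id_index": source_id & 0xFFFFFF, "sampling_rate": rate, "sample_pool": pool,
              "drops": drops, "input_if": inp, "output_if": outp, "records": []}
    off = 32
    for _ in range(nrec):
        fmt, length = struct.unpack_from(">II", body, off)
        data, off = body[off + 8:off + 8 + length], off + 8 + length
        if fmt != RAW_PACKET_HEADER:                  # extended records: skipped, not mis-parsed
            sample["records"].append({"record": "unsupported", "format": fmt})
            continue
        proto, frame_len, stripped, hdr_len = struct.unpack_from(">4I", data, 0)
        rec = {"record": "raw_header", "header_protocol": proto, "frame_length": frame_len,
               "stripped": stripped, "header_length": hdr_len}
        if proto == HEADER_PROTO_ETHERNET:
            rec["packet"] = decode_sampled_header(data[16:16 + hdr_len])
        sample["records"].append(rec)
    return sample


def parse_datagram(buf):
    version, addr_type = struct.unpack_from(">II", buf, 0)
    if version != 5:
        raise ValueError("not an sFlow v5 datagram (version %d)" % version)
    alen = {1: 4, 2: 16}[addr_type]                   # IPv4 or IPv6 agent address, else KeyError
    agent, off = str(ipaddress.ip_address(buf[8:8 + alen])), 8 + alen
    sub_agent, seq, uptime, nsamples = struct.unpack_from(">4I", buf, off)
    off += 16
    dgram = {"agent": agent, "sub_agent": sub_agent, "seq": seq, "uptime_ms": uptime, "samples": []}
    for _ in range(nsamples):
        fmt, length = struct.unpack_from(">II", buf, off)
        body, off = buf[off + 8:off + 8 + length], off + 8 + length
        if (fmt >> 12, fmt & 0xFFF) == (0, FLOW_SAMPLE):
            dgram["samples"].append(parse_flow_sample(body))
        else:                                         # counter samples etc.: kept, not decoded
            dgram["samples"].append({"type": "unsupported", "format": fmt})
    return dgram


def build_sample_datagram():
    """CONSTRUCTED datagram mirroring the post's L3 decode (seq 1891, ifIndex 23, 1:100)."""
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 52, 0x02ED, 0x4000, 118, 6, 0,
                         ipaddress.IPv4Address("71.34.5.116").packed,
                         ipaddress.IPv4Address("192.0.2.107").packed)
    ip_hdr = ip_hdr[:10] + struct.pack(">H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_opts = bytes.fromhex("0204 05ac 01 030302 01 01 0402")   # MSS 1452, NOP, WS 2, NOP, NOP, SACK ok
    tcp_hdr = struct.pack(">HHIIHHHH", 52722, 80, 4114215056, 0, (8 << 12) | 0x02, 8192, 0, 0)
    frame = bytes.fromhex("00090f093c02 00169c6f6800 0800") + ip_hdr + tcp_hdr + tcp_opts  # 66 bytes
    padded = frame + b"\x00" * (-len(frame) % 4)                  # XDR pads opaque data to 4
    raw_rec = struct.pack(">4I", HEADER_PROTO_ETHERNET, len(frame), 4, len(frame)) + padded
    flow = struct.pack(">8I", 1891, (0 << 24) | 23, 100, 188600, 0, 23, 0, 1)
    flow += struct.pack(">II", RAW_PACKET_HEADER, len(raw_rec)) + raw_rec
    head = struct.pack(">II4s4I", 5, 1, ipaddress.IPv4Address("10.10.100.1").packed, 0, 1891, 225000, 1)
    return head + struct.pack(">II", FLOW_SAMPLE, len(flow)) + flow
```

Calling parse_datagram(build_sample_datagram()) returns the nested dict with agent 10.10.100.1, flow sample 1891 from ifIndex 23 and a packet entry giving 71.34.5.116:52722 -> 192.0.2.107:80 with tcp_flags 0x02 (SYN). The lengths decompose the same way the three dumps do: a flow sample is 32 bytes of fixed fields plus 8 bytes of record header plus the record, and a raw-header record is 16 bytes plus the exported header bytes (132 = 32 + 8 + 92 with 92 = 16 + 76; 124 = 32 + 8 + 84 with 84 = 16 + 68; 184 = 32 + 8 + 144 with 144 = 16 + 128). That last pair is also why the HTTP flow further down shows its TCP checksum as "unchecked, not all data available": only the first 128 bytes of a 967-byte frame are exported, so a collector can verify the IP header but never the transport checksum or the full payload.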
And lastly, here's a flow sample with payload data attached (the Data section at the bottom, highlighted in orange in the original):
    InMon sFlow
        datagram version: 5
        address type: IP_V4 (1)
        agent address: 10.10.100.1 (10.10.100.1)
        Sub-agent ID: 0
        Sequence number: 2
        SysUptime: 0
        NumSamples: 1
        Flow sample, seq 2, Raw header
            0000 0000 0000 0000 0000 .... .... .... = sFlow sample type enterprise: 0
            .... .... .... .... .... 0000 0000 0001 = sFlow sample type: Flow sample (1)
            Sample length: 184
            Sample sequence number: 2
            Source ID type: ifIndex (0)
            Source ID index: 23
            Sampling rate: 100
            Sample pool: 300
            Dropped packets: 0
            Input interface index: 0
            0... .... .... .... .... .... .... .... = Multiple outputs: No
            Output interface index: 23
            Number of records: 1
            Sample type: Raw header (1)
                Record length: 144
                Header protocol: Ethernet (1)
                Frame length: 967
                Stripped bytes: 4
                Header length: 128
                Header of sampled packet: 00169C6F680000090F093C020800450003B967A940003F06...
                Ethernet II, Src: Fortinet_09:3c:02 (00:09:0f:09:3c:02), Dst: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                    Destination: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                        Address: Cisco_6f:68:00 (00:16:9c:6f:68:00)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Source: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                        Address: Fortinet_09:3c:02 (00:09:0f:09:3c:02)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Type: IP (0x0800)
                Internet Protocol, Src: 192.0.2.115 (192.0.2.115), Dst: 108.245.201.14 (108.245.201.14)
                    Version: 4
                    Header length: 20 bytes
                    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                        0000 00.. = Differentiated Services Codepoint: Default (0x00)
                        .... ..0. = ECN-Capable Transport (ECT): 0
                        .... ...0 = ECN-CE: 0
                    Total Length: 953
                    Identification: 0x67a9 (26537)
                    Flags: 0x02 (Don't Fragment)
                        0.. = Reserved bit: Not Set
                        .1. = Don't fragment: Set
                        ..0 = More fragments: Not Set
                    Fragment offset: 0
                    Time to live: 63
                    Protocol: TCP (0x06)
                    Header checksum: 0x23b4 [correct]
                        [Good: True]
                        [Bad : False]
                    Source: 192.0.2.115 (192.0.2.115)
                    Destination: 108.245.201.14 (108.245.201.14)
                Transmission Control Protocol, Src Port: http (80), Dst Port: 63526 (63526), Seq: 2855808909, Ack: 3593181448
                    Source port: http (80)
                    Destination port: 63526 (63526)
                    [Stream index: 2]
                    Sequence number: 2855808909    (relative sequence number)
                    Acknowledgement number: 3593181448    (relative ack number)
                    Header length: 20 bytes
                    Flags: 0x19 (FIN, PSH, ACK)
                        0... .... = Congestion Window Reduced (CWR): Not set
                        .0.. .... = ECN-Echo: Not set
                        ..0. .... = Urgent: Not set
                        ...1 .... = Acknowledgement: Set
                        .... 1... = Push: Set
                        .... .0.. = Reset: Not set
                        .... ..0. = Syn: Not set
                        .... ...1 = Fin: Set
                            [Expert Info (Chat/Sequence): Connection finish (FIN)]
                                [Message: Connection finish (FIN)]
                                [Severity level: Chat]
                                [Group: Sequence]
                    Window size: 66
                    Checksum: 0x646c [unchecked, not all data available]
                        [Good Checksum: False]
                        [Bad Checksum: False]
                Hypertext Transfer Protocol
                    Data (74 bytes)
                        0000  f8 4e 0f 22 52 91 8b 98 ad 48 55 5c ca d9 ae 44   .N."R....HU\...D
                        0010  df 64 16 ed 39 80 77 31 97 10 27 ef d6 97 e1 b0   .d..9.w1..'.....
                        0020  9c 47 48 18 99 be ae 32 2a 10 0d 42 2f 29 12 c5   .GH....2*..B/)..
                        0030  cd dc a7 86 1d 42 dc 9c cf ae ac 11 dd e5 5f f4   .....B........_.
                        0040  91 a4 44 f8 16 88 54 8b 15 68                     ..D...T..h
                        Data: F84E0F2252918B98AD48555CCAD9AE44DF6416ED39807731...
                        [Length: 74]
As you can see, sFlow is great and can provide more detail than NetFlow. It can be intensive, so it's always best to sample at a level that gives you just enough detail for your network flow analysis.
Key takeaways
- sFlow provides L2 and L3 flow information (headers)
- more details regarding the flow than NetFlow, but......
- supports both IPv4 and IPv6 systems, and Ethernet or non-IP datagrams
- provides multicast information, which is always a challenge in both NetFlow and sFlow exports
- supported on fewer devices and systems (not as popular as NetFlow)
- most newer devices such as firewalls, proxies, SLBs, switches and routers support sFlow
- requires polling and sampler rates to be set
- the S in sFlow means "sampled" and is a direct requirement
- sFlow and NetFlow work very differently, and you can't compare them one to one
- as your data rate goes up, your sFlow export will increase; it is directly proportional to the traffic rate, unlike NetFlow, which works from flow-cache information
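The last three takeaways (sampling is mandatory, the rates must be set, and export volume tracks traffic) have a practical consequence at the collector: every number it reports is an estimate scaled by the sampling rate, and because sFlow rides on UDP, a lost datagram silently biases that estimate. The following is an added example, not from the post, of the consistency checks I would run on a stream of already-parsed flow samples: per-source-ID sequence-gap detection, the effective sampling rate derived from the sample pool counter, a comparison against the configured 1:N, the agent's own drops counter, and scaling sampled bytes up to a traffic estimate. SAMPLES is constructed to resemble the post's samples (ifIndex 23, rate 1:100, pool advancing by 100 per sample, as seq 1891/pool 188600 and seq 1893/pool 188800 in the dumps above do), with flow-sample seq 1894 deliberately missing.

```python
"""Collector-side sanity checks on a stream of parsed sFlow flow samples.
Added example, not from the post. SAMPLES is CONSTRUCTED to resemble the
post's samples (ifIndex 23, 1:100, pool advancing 100 per sample); flow-sample
seq 1894 is deliberately missing to show how a lost UDP datagram surfaces."""

SAMPLES = [  # constructed; frame lengths 66/74/967 are the ones the dumps show
    {"source_id_index": 23, "seq": 1891, "sample_pool": 188600, "drops": 0, "sampling_rate": 100, "frame_length": 66},
    {"source_id_index": 23, "seq": 1892, "sample_pool": 188700, "drops": 0, "sampling_rate": 100, "frame_length": 74},
    {"source_id_index": 23, "seq": 1893, "sample_pool": 188800, "drops": 0, "sampling_rate": 100, "frame_length": 74},
    {"source_id_index": 23, "seq": 1895, "sample_pool": 189000, "drops": 0, "sampling_rate": 100, "frame_length": 967},
]


def sequence_gaps(samples):
    """(source_id, first_missing_seq, next_seen_seq) for every jump in per-source sequence numbers.
    sFlow is UDP with no retransmission, so a gap means samples were lost in transit."""
    gaps, last = [], {}
    for s in samples:
        sid = s["source_id_index"]
        if sid in last and s["seq"] != last[sid] + 1:
            gaps.append((sid, last[sid] + 1, s["seq"]))
        last[sid] = s["seq"]
    return gaps


def effective_sampling_rate(samples, source_id):
    """Packets the sampler saw per sample it emitted, from the sample_pool counter.
    Both pool and seq are agent-side counters, so this stays correct across lost datagrams."""
    seen = [s for s in samples if s["source_id_index"] == source_id]
    if len(seen) < 2:
        return None
    d_pool = seen[-1]["sample_pool"] - seen[0]["sample_pool"]
    d_seq = seen[-1]["seq"] - seen[0]["seq"]
    return d_pool / d_seq


def rate_matches_config(samples, source_id, configured_rate, tolerance=0.1):
    """True when the observed rate is within tolerance of the configured 1:N (sample-rate)."""
    rate = effective_sampling_rate(samples, source_id)
    return rate is not None and abs(rate - configured_rate) <= tolerance * configured_rate


def total_drops(samples):
    """Agent-side drops: samples the device could not export (distinct from UDP loss in transit)."""
    return sum(s["drops"] for s in samples)


def estimated_bytes(samples):
    """Scale each sampled frame by its sampling rate: each one stands for about N frames like it.
    Only meaningful for a window with no sequence gaps and zero drops; check those first."""
    return sum(s["frame_length"] * s["sampling_rate"] for s in samples)


def window_report(samples, source_id, configured_rate):
    """One dict a collector could log or alert on per interface and time window."""
    return {"gaps": sequence_gaps(samples), "drops": total_drops(samples),
            "effective_rate": effective_sampling_rate(samples, source_id),
            "rate_ok": rate_matches_config(samples, source_id, configured_rate),
            "estimated_bytes": estimated_bytes(samples)}
```

On the constructed stream, window_report(SAMPLES, 23, 100) reports one gap (seq 1894 never arrived), zero agent drops, an effective rate of exactly 100 packets per sample, and an estimate of 118100 bytes for the window. The gap is the important signal: the estimate is built from the four samples that did arrive, so with a gap present it undercounts by the missing sample's share and should be flagged rather than trusted, while a rate_ok of False with no gaps points at the agent (a sample-rate that was changed, or a platform that cannot sustain the configured rate) rather than at the network between agent and collector.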
Ken Felix
Freelance Network/Security Engineer
Kfelix –a-t- hyperfeed
---d-o-t--- com
^ ^
= ( @ @ ) =
*
~