Wednesday, 13 June 2012

The Cisco Netflow 7-Tuple

A flow is identified as a unidirectional stream of packets which all have the same combination of seven fields (or 7 tuple)
 

Source IP address

Destination IP address

Source port number

Destination port number

Layer 3 protocol type

ToS byte

Input logical interface (ifIndex) 

Even if there is only one different field in the tuple then it is considered as a new flow. A flow record can contains other accounting/data fields (such as the AS number). The which that depend on the version record format that you configure for export. 

One easy way to see this in action is to use SSH. SSH sets the type of services bits based on the type of traffic being sent. IE

For the IP Type of Service field [RFC0791], it is recommended that interactive sessions (those having a user terminal or forwarding X11 connections) use the IPTOS_LOWDELAY, and non-interactive connections use IPTOS_THROUGHPUT. [See here]

From ip.h we can see that

IPTOS_LOWDELAY             0x10 is used for interactive sessions
IPTOS_THROUGHPUT        0x08 is used for file transfers

If you do a tcpdump of a ssh interactive session or a file transfer you quickly notice that the SSH sets TOS values as follows:

SSH Authentication / Negotiation packets  = TOS 0x0
SSH Interactive packets = TOS 0x10
SSH File transfer packets = TOS 0x08


Consider the network diagram below where a single router connects two hosts. This network (and the setup details) can be found in my post about understanding netflow and nfsen.



If you start up a SCP session (it file transfer) between ZZZ and ABC you can see that four flows are recorded on the router:

rtr01#show ip cache flow | i 10.48.254.73
Fa0/1         10.48.254.73    Fa0/0         10.48.0.220     06 0016 94FC    19K
Fa0/1         10.48.254.73    Fa0/0         10.48.0.220     06 0016 94FC    17
Fa0/0         10.48.0.220     Fa0/1         10.48.254.73    06 94FC 0016    13K
Fa0/0         10.48.0.220     Fa0/1         10.48.254.73    06 94FC 0016    12


The two flows with low packet counts (17 & 12) are the authentication flows and the other two are data transfer.



No comments:

Post a Comment