- Version number
- Sequence number
- Input and output interface SNMP ifIndex values
- Timestamps for the flow start and finish time
- Number of bytes and packets observed in the flow
- Layer 3 and Layer 4 header fields:
  - Source and destination IP addresses
  - Source and destination port numbers
  - IP protocol
  - Type of Service (ToS) value
- In the case of TCP flows, the union (bitwise OR) of all TCP flags observed over the life of the flow.
For example (keep in mind that NetFlow records are unidirectional, so one TCP connection produces two flow records, one per direction):

1. If myip is accessing yahoo.com on port 80, the reply traffic is exported as
source ip = yahoo.com
source port = 80
destination ip = myip
destination port = the ephemeral port myip chose for the connection
and the request traffic is exported as a second record with the ends swapped (source ip = myip, destination ip = yahoo.com, destination port = 80).

2. If outsiderip is accessing myip on port 80
source ip = outsiderip
source port = an ephemeral port
destination ip = myip
destination port = 80

The important thing to notice here is when the destination ip is the local network ip. Classic Cisco NetFlow (`ip route-cache flow`) caches flows on the ingress side of the interface it is enabled on, so if it is enabled only on the gateway router's Internet-facing interface, only the inbound half of each conversation is exported and the destination ip is always an address on my local network. If flow caching is also enabled on the inside interface, the outbound records are exported as well, and my local ip then appears as the source ip in those.
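To make the record layout above concrete, here is an added example (my own code, not from the original post or from ehnt) that decodes a NetFlow v5 export datagram with Python's struct module. The input is a constructed packet carrying both halves of the "myip accessing yahoo.com on port 80" conversation, with 192.0.2.10 standing in for myip and 198.51.100.5 for yahoo.com (both documentation ranges); the field offsets follow Cisco's published v5 format, and the direction() helper shows that the local address is the destination only in the inbound record.

```python
"""NetFlow v5 decoder for the record fields listed above.

Added example: not code from the original post or from ehnt. The sample
datagram is constructed here so the script runs offline.
"""
import ipaddress
import socket
import struct

# Cisco NetFlow v5 export format: 24-byte header, then up to 30 records of
# 48 bytes each, all fields big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30

TCP_FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


def tcp_flags_to_str(flags):
    """Render the cumulative TCP flag byte, e.g. 0x1b -> 'FIN,SYN,PSH,ACK'."""
    return ",".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "-"


def parse_v5(packet):
    """Decode one v5 export datagram into (header dict, list of flow dicts).

    Raises ValueError for anything that is not a self-consistent v5 packet;
    a collector must check this before trusting data from an unauthenticated
    UDP source.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 24-byte v5 header")
    (version, count, sys_uptime, unix_secs, _unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, packet, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field is %d)" % version)
    if count > MAX_RECORDS or len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d inconsistent with %d-byte packet"
                         % (count, len(packet)))
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "sequence": flow_seq,
              "engine_type": engine_type, "engine_id": engine_id, "sampling": sampling}
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src_addr": socket.inet_ntoa(src), "dst_addr": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop),
            "in_if": in_if, "out_if": out_if,          # SNMP ifIndex values
            "packets": pkts, "bytes": octets,
            "first_ms": first, "last_ms": last,        # sysUptime at first/last packet
            "src_port": sport, "dst_port": dport,
            "tcp_flags": flags, "proto": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, flows


def is_valid_v5(packet):
    """True if parse_v5 accepts the datagram, False otherwise."""
    try:
        parse_v5(packet)
        return True
    except ValueError:
        return False


def direction(flow, local_net):
    """'inbound' if only the destination is local, 'outbound' if only the source is."""
    net = ipaddress.ip_network(local_net)
    src_local = ipaddress.ip_address(flow["src_addr"]) in net
    dst_local = ipaddress.ip_address(flow["dst_addr"]) in net
    if dst_local and not src_local:
        return "inbound"
    if src_local and not dst_local:
        return "outbound"
    return "other"


def build_v5_packet(flows, sequence=1):
    """Pack flow dicts into a v5 datagram; used here only to construct sample input."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 600000, 1700000000, 0,
                         sequence, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src_addr"]), socket.inet_aton(f["dst_addr"]),
                    socket.inet_aton("192.0.2.1"), f["in_if"], f["out_if"],
                    f["packets"], f["bytes"], f["first_ms"], f["last_ms"],
                    f["src_port"], f["dst_port"], 0, f["tcp_flags"], f["proto"],
                    0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


# Constructed sample: 192.0.2.10 plays 'myip', 198.51.100.5 plays 'yahoo.com'.
LOCAL_NET = "192.0.2.0/24"
SAMPLE_FLOWS = [
    {"src_addr": "192.0.2.10", "dst_addr": "198.51.100.5", "in_if": 1, "out_if": 2,
     "packets": 6, "bytes": 520, "first_ms": 590000, "last_ms": 590400,
     "src_port": 51234, "dst_port": 80, "tcp_flags": 0x1b, "proto": 6},
    {"src_addr": "198.51.100.5", "dst_addr": "192.0.2.10", "in_if": 2, "out_if": 1,
     "packets": 9, "bytes": 11850, "first_ms": 590050, "last_ms": 590420,
     "src_port": 80, "dst_port": 51234, "tcp_flags": 0x1b, "proto": 6},
]


def sample_packet():
    return build_v5_packet(SAMPLE_FLOWS, sequence=42)


if __name__ == "__main__":
    hdr, flows = parse_v5(sample_packet())
    print("v%d seq=%d records=%d" % (hdr["version"], hdr["sequence"], hdr["count"]))
    for f in flows:
        print("%-8s %s:%d -> %s:%d proto=%d bytes=%d flags=%s if %d->%d" % (
            direction(f, LOCAL_NET), f["src_addr"], f["src_port"], f["dst_addr"],
            f["dst_port"], f["proto"], f["bytes"], tcp_flags_to_str(f["tcp_flags"]),
            f["in_if"], f["out_if"]))
```

Running it prints one "outbound" and one "inbound" line for the same connection. The length and version checks in parse_v5 matter because a collector such as ehntserv accepts these datagrams over plain UDP, so anyone who can reach that port can send it garbage.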
The best tool available to make use of this fantastic feature is ehnt (Extreme Happy Netflow Tool). It consists of two command line executables, ehntserv and ehnt.
ehntserv is the server application. It listens on a UDP port for the NetFlow export packets sent by the Cisco device (the collector address and port are set on the router with `ip flow-export destination <collector-ip> <port>`) and passes the flows to connected clients over TCP.
ehnt is the client application. It connects to ehntserv over TCP and displays the flows in human-readable form, with filtering and "top" reporting.
Usage: ehntserv [ -u <udpport> ] [ -t <tcpport> ]
-u <udpport> Listen on UDP port <udpport> for netflow packets. Default 4444
-t <tcpport> Listen on TCP port <tcpport> for client connections. Default 4444
-s <bufsize> Set tcp/udp buffer size. Default 196608
-d Debug. Don't become a daemon, displays all messages on stdout, displays lots of extra information
Usage: ehnt [ [option 1] [option 2] ... [option n] ]
Options:
-0 <ASN> Replace AS number 0 occurrences with this AS number
-a <ASN> Only display flows to/from this AS number
-b Display big flows (only shows flows with the most bytes or packets received so far)
-c <count> Exit after <count> flows are received.
-h Display the cruft you are reading.
-i <interval> How long to wait between report generations (in minutes)
-l <lines> The length of your display in lines. Defaults to 24. Use a larger number if you want top mode to display more lines.
-m <mode> The name of the mode of operation to use:
- 'dump' display flow detail
- 'shortdump' flow details in a more compact fashion
- 'colondump' flow details in somewhat machine-readable fashion
- 'top' generates reports of top average utilization
-n <intnum> Specify the interface by SNMP ifIndex number
-p <port> Only display flows to/from this tcp or udp port number
-P <proto> Only display flows using this IP protocol number
-r <router> Only display flows reported by this router IP address
-s <server:port> The hostname or IP address and port number of the ehnt server
-t <topmode> The type of report to generate when in top mode:
- 'as' AS report
- 'proto' Protocol report
- 'tcpport' TCP port report
- 'udpport' UDP port report
-v Display version number
-x <prefix> Only display flows to/from this IP prefix. The format for <prefix> is 'address/length', for example 1.2.3.4/30 or 10.0.0.0/8
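The filter options (-x, -p, -P, -a, -0) and the top-mode reports listed above are easy to reason about offline. The following added example (my own code, not ehnt's) re-implements their selection semantics over a constructed list of flow records whose field names mirror the NetFlow v5 record fields. Two details are assumptions, because the help text does not define them: "average utilization" is computed as bytes x 8 over the report interval, and a flow's service port is taken to be the lower of its two port numbers.

```python
"""Offline re-implementation of ehnt's to/from filters and 'top' reports.

Added example, not ehnt's code. Assumptions (not stated in ehnt's help):
average utilization = bytes * 8 / report interval in seconds; the service
port of a flow is the lower of its two port numbers.
"""
import ipaddress
from collections import defaultdict

TCP, UDP = 6, 17

# Constructed sample flows (not real traffic); 10.0.0.0/8 is the local side.
SAMPLE_FLOWS = [
    {"src_addr": "10.1.1.5", "dst_addr": "203.0.113.7", "src_port": 51000, "dst_port": 80,
     "proto": TCP, "bytes": 1200, "src_as": 0, "dst_as": 64500},
    {"src_addr": "203.0.113.7", "dst_addr": "10.1.1.5", "src_port": 80, "dst_port": 51000,
     "proto": TCP, "bytes": 48000, "src_as": 64500, "dst_as": 0},
    {"src_addr": "10.1.1.9", "dst_addr": "198.51.100.2", "src_port": 40000, "dst_port": 53,
     "proto": UDP, "bytes": 90, "src_as": 0, "dst_as": 64501},
    {"src_addr": "198.51.100.2", "dst_addr": "10.1.1.9", "src_port": 53, "dst_port": 40000,
     "proto": UDP, "bytes": 300, "src_as": 64501, "dst_as": 0},
    {"src_addr": "192.0.2.77", "dst_addr": "10.1.2.3", "src_port": 443, "dst_port": 52222,
     "proto": TCP, "bytes": 9000, "src_as": 64502, "dst_as": 0},
    {"src_addr": "203.0.113.7", "dst_addr": "10.1.1.5", "src_port": 22, "dst_port": 53000,
     "proto": TCP, "bytes": 3000, "src_as": 64500, "dst_as": 0},
]


def replace_as0(flows, asn):
    """-0 <ASN>: routers report AS 0 for their own or unknown side; substitute a real ASN."""
    out = []
    for f in flows:
        g = dict(f)
        g["src_as"] = asn if f["src_as"] == 0 else f["src_as"]
        g["dst_as"] = asn if f["dst_as"] == 0 else f["dst_as"]
        out.append(g)
    return out


def select(flows, prefix=None, port=None, proto=None, asn=None):
    """-x/-p/-P/-a: 'to/from' means a flow matches if either end matches."""
    net = ipaddress.ip_network(prefix) if prefix else None
    kept = []
    for f in flows:
        if net and not (ipaddress.ip_address(f["src_addr"]) in net
                        or ipaddress.ip_address(f["dst_addr"]) in net):
            continue
        if port is not None and port not in (f["src_port"], f["dst_port"]):
            continue
        if proto is not None and f["proto"] != proto:
            continue
        if asn is not None and asn not in (f["src_as"], f["dst_as"]):
            continue
        kept.append(f)
    return kept


def service_port(f):
    """Heuristic (assumption): the well-known end of a conversation is the lower port."""
    return min(f["src_port"], f["dst_port"])


def top_report(flows, topmode="tcpport", interval_min=1, lines=24):
    """-m top -t <topmode> -i <interval> -l <lines>: [(key, avg bits/s)] descending."""
    totals = defaultdict(int)
    for f in flows:
        if topmode == "tcpport" and f["proto"] == TCP:
            totals[service_port(f)] += f["bytes"]
        elif topmode == "udpport" and f["proto"] == UDP:
            totals[service_port(f)] += f["bytes"]
        elif topmode == "proto":
            totals[f["proto"]] += f["bytes"]
        elif topmode == "as":
            # AS 0 marks the router's own side, so attribute bytes to the other AS.
            totals[f["src_as"] or f["dst_as"]] += f["bytes"]
    seconds = interval_min * 60
    ranked = sorted(((k, b * 8 / seconds) for k, b in totals.items()),
                    key=lambda kv: kv[1], reverse=True)
    return ranked[:lines]


if __name__ == "__main__":
    # Offline equivalent of: ehnt -x 203.0.113.0/24 -m top -t tcpport -i 1
    picked = select(SAMPLE_FLOWS, prefix="203.0.113.0/24")
    for port, bps in top_report(picked, "tcpport"):
        print("tcp/%-5d %10.1f bit/s" % (port, bps))
```

With the sample data the tcpport report puts port 80 first (49200 bytes over one minute, 6560 bit/s) and port 22 second. Note that the prefix filter matches either end of the flow, so an internal prefix selects both halves of every conversation, while a single external port number selects only the conversations with that service.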