NFSEN Exercise - 2

1 Your router should be sending flows to

one PC in your group, and one PC in
your neighbor group. Confirm this!
2 Ensure NfSen is running by browsing on
the page and ensuring you an see the
graphs with no errors indiated
! "e will now see what type of traffi is
passing through the two routers
What we will do

#n the PC reei$ing flows, open the N%SEN

page and li& on 'li$e( on the top right of the
page and selet )New Profile *+ , You may
need to select several times as NfSen is picky.

Enter the name '-..P/.01%%2C( for the profile

name and additionally reate a new group alled
)group3+ where 3 is your group number

Selet indi$idual hannels and shadow profile.

-
2ndi$idual hannel , an reate hannels with own filters
-
Shadow profile , sa$e hard dis& spae by not reating
new data but instead analyses already olleted data
See next page for an example image
Create a Stat to graph specifc trafc
Cli& )Create Profile+
at the bottom of the
menu.
Cli& on the plus 456 sign ne7t to
'Channel 8ist( at the bottom of the page
then fill the ne7t page as below and li&
on '1dd Channel( at the bottom.
.he filter )any+ means 188 traffi. Selet
your soures in )1$ailable Soures+ and
press the )99+ to add them to )Seleted
Soures+
1dd another hannel by li&ing
the plus sign as before ne7t to
'Channel 8ist(. %ill the details as
shown on the left. 0eplae p2 with
a p number that is NOT receiving
flows in your group! 1lso, replae
the 2P address in the %ilter to
math the 2P of the PC in :uestion.
Ensure you hange the olor. You
an use the olor pi&er or enter
the $alue shown in this e7ample
Selet the two routers as the
soure then li& add hannel
"ith this, we will tra& how muh
-..P traffi is going to that PC.
.hat is how muh is atually being
downloaded. 2n a -..P download,
soure traffi is from port ;< always

Cli& the green ti& to

ati$ate your new profile.

Cli& on 8i$e then selet

the group you reated
and )-..P/.01%%2C+
you will see your profile.
.hen li& on the
)-ome+ menu item on
the upper left of the
NfSen sreen.
Actvate the profle
Download HTTP data to pcY
8og in on pY and use the wget ommand to
simulate an -..P download to pY.
ssh sysadm@pcY.ws.nsrc.org
$ cd /tmp
$ wget http://noc.ws.nsrc.org/downloads/BigFile
#ne the download ompletes you an delete the file=
$ rm /tmp/BigFile
$ exit 4to log off from pY6
Your graph will ta&e up to 1> min to update. ?o to ?raphs then
.raffi. .hen go to details and selet '8ine ?raph( at bottom
.his is a graph of the total traffi passing through the router
rtr3 vs the TT! "ownloa"s that pc# is ma$ing
See the trafc
NOC BOX
NOC BOX
rtrX
rtrX
NFSEN
Server
NFSEN
Server
pcY
pcY
Router is exportng fows to
the NFSEN Server and
NFSEN graphs
PCY is downoading a !e
over "##P via rtrX and is
the destnaton host a$a
%dst host&
#he NOC 'ox is running a
"##P server( )n a rea
networ$ this coud 'e an*
server on the )nternet
+e have tod NFSEN to graph tra,c where the source port is -.
and the destnaton host is /.(/.(X(Y( You can do the sa0e thing
'ac$ in *our networ$s and additona* graph a speci!c we' server
with %src host a('(c(d& eg FaceBoo$&s )P
Stop! Whats happening here
@
Per1or0 the exact sa0e steps 1ro0 side nu0'er
2 'ut this t0e3 change %"##P4#R5FF)C& to
%F#P4#R5FF)C&
@
#he F#P coud rando0i6e the ports so it 0a* not
'e source port 7.( +e do $now that it wi 'e a
port greater than /.78 so the !ter shoud read9
src port > 102 and dst host 10.10.!.Y
@
:a$e sure to seect the correct source 1ro0
5vaia'e Sources(
@
Now downoad the arge !e 1ro0 the noc 'ox via
;p to pcY(ws(nsrc(org(
@
See ne!t slide "or instr#ctons$
See an %TP download "ro& the '(C
Download %TP data to pcY
8og in on pY and use the "tp ommand to
generate %.P traffi from the no to pY.
ssh sysadm@pcY.ws.nsrc.org
$ "tp noc.ws.nsrc.org
#ame $noc.ws.nsrc.org:sysadm%: anonymo&s
'assword: (Yo&r)mail*ddress>
"tp> lcd /tmp
"tp> get BigFile 4long time to download6
"tp> +&it
$ rm /tmp/BigFile
Your graph will ta&e up to 1>min to update. ?o to ?raphs
then .raffi. .hen go to details and selet '8ine ?raph( at
bottom to see the results.
!art 2
@
<se the snmpwalk co00and on *our PC to deter0ine the
i1)ndex nu0'er o1 an inter1ace that *ou want to graph9
$ snmpwal, -.2c -c #et/anage rtr!.ws.nsrc.org i"0escr
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
1F2/1B::i"0escr.2 3 4561#7: Fast)thernet0/1
1F2/1B::i"0escr.8 3 4561#7: 9o1'2#&ll0
1F2/1B::i"0escr. 3 4561#7: #&ll0
1F2/1B::i"0escr.: 3 4561#7: ;oop<ac,0
@
#his 0eans that inter1ace F.=. has 'een assigned index nu0'er /(
+e can now use NFSEN to graph tra,c 1or this speci!c inter1ace
, #his inter1ace 0ust have %ip fow egress& or ingress ena'ed
, +ith %sn0p i!ndex persist& the index nu0'er is 0aintained
)raph a specifc inter"ace on the ro#ter
?i$e the Profile a suitable
name and add it to the same
?roup you reated earlier
Choose indi$idual hannels
and Shadow profile as before
and li& on )Create Profile+.
Add the inter"ace on '"Sen
Cli& on 8i$e and selet )New
Profile*+
.hen on the following sreen
li& on the plus sign ne7t to
Channel list
.his means graph all traffi passing 2N.#
interfae 1. Cli& )1dd Channel+ and li&
plus to add a seond hannel.
N#.E= 2nterfae )1+ refers to the inde7
number that was referring to interfae
)%astEthernet <A<+ on rtr3.
.his means graph all traffi
8E1B2N?A?#2N? #C. #% interfae 1.
Cli& )1dd Channel+ then ati$ate the
filter on the ne7t sreen by li&ingon
the green he&.
?i$e the graph time to generate.
Compare the graph with Cati(s graph
Your graph will ta&e up to 1> min to update. ?o to ?raphs then
.raffi. .hen go to details and selet '8ine ?raph( at bottom
.his is a graph of the total traffi passing through the router
rtr3 on interfae %astEthernet <A<.
See the trafc
rtrX
rtrX
N1Sen
N1Sen
Cact
Cact
NfSen is generating
graphs $ia Netflow for
the interfae
Cati is generating the
graph $ia SNDP for the
same interfae
"ith NfSen, we an use the Netflow features
to e7trat more data li&e whih 2P 1ddresses
are ati$e, what are the highest ports in use by
bytes, what are the 1S Numbers
omingAlea$ing our networ& and so muh
more!
Stop! Whats happening here
rtrX
rtrX
NFSEN
NFSEN
Cact
Cact
NfSen is generating
graphs $ia Netflow for
the interfae
Cati is generating the
graph $ia SNDP for the
same interfae
2f you are measuring the same interfae with
both Cati and NfSen, then you should obtain
similar graphs when omparing the bitsAs
Stop! Whats happening here
!art %
?o to Profile, selet the group you reated then selet
'-..P/.01%%2C(. .hen go to the 'Eetails( tab and selet '.ime
"indow( instead of '.ime Slot( beneath the graph. Choose a
part of the graph with ati$ity as abo$e.
*!tended 'e+low processing
Selet the options as on the left.
.his means, selet the .op 1<
%lows, #rder them by bytes from
the highest to the lowest and
display information of the soure
and destination ports and 2Ps.
.hen selet 'Proess(. 1nalyFe the
output you get whih will loo& li&e
the below sreen.
.ry the same with the GiH
Eiretional traffi option. "hat
do you seeI .ry playing with
the different options and see
what output you get. You an
also add the same filters on
the filter window ne7t to the
#ptions.
Try the following flters:
src host ,-.,-./.Y > 0eaning oo$ 1or fows 1or this host
src port 00 > 0eaning fows where the source port is 77
src port 00 or src port 1- > 0eaning fows o1 either port 77 or -.
src port 1- and in i" , > 0eaning fows o1 src port -. that passed via inter1ace /
dst net ,-.,-.-.-2,3 > 0eaning a fows where the destnaton networ$ is /.(/.(.(.=/?
src port 4 5--- > 0eaning a fows where the source port is greater than 2...
:an* 0ore !ters *ou coud use
@
2f you want to see 1S Number traffi for
?oogle(s 1S 1>1JK
2 src as 1:1=>
@
You an do the same for anyone(s 1S but
your router should ha$e the routing table
installed and ha$e ip flow-export version 9
origin-as onfigured
@
You an then graph eah of them using a
Stat as in the earlier e7erise
@
Dore filters here=
http=AAnfsen.soureforge.netALmoF.o2dJ>2<JM
&''(T(ON&)*O!T(ON&)
Donitor a speifi host

#n the )Profile+ menu

in NfSen selet )New
Profile*+

"hen done li& on

)Create Profile+ at the
bottom

You will see a

message )new profile
reated+

.hen li& on the plus

sign at the bottom to
begin adding hannels
6onitor a Specifc 7P
0eplae
1<.1<.1.2 with
the 2P of your
$irtual mahine.
Add a second channel and start to accept
Cli& on )1dd Channel+ and then li&
the green he& mar& to ati$ate the
new profile, ).roublesome/Cser+.

Selet a different olor for the seond hannel so

that the graphs an be distinguished

Note that the two filters are different

-
.he first filter will apture any flows pertaining to host
one p
-
.he seond filter will only apture flows where the host
the seond p is the EES.2N1.2#N host.
-
.o generate traffi to see on graph details for this
profile try transferring files from the first host to the
seond host.

Dore attributes an be added here li&e sr 1S, dst

1S, sr ports et based on the NfSen filter synta7
%ilters
See trends over t&e
+O,E TO E-E./(SE %
Port.ra&er Plugin