Netflow
NetFlow is a common tool for collecting information about connections going in and out of a network. It is often used forensically: after the fact, the collected flow records show whether hosts on the network have been in contact with known-bad IP addresses.
Most setups consist of probes running on routers or servers that export flow records to a centralized collector. The design is similar to how logs are handled, except that probes are not installed on every device.
"NetFlow" is Cisco's name for the technology and was used for the older versions. The standardized successor is IPFIX, specified in RFC 7011.
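The forensic use described above, as an added example (not part of the original notes): a decoder for the fixed-format NetFlow v5 export datagram that the older Cisco versions send, followed by a check of each flow's addresses against a blocklist. The datagram, the addresses and the blocklist are all constructed here; the field layout follows the v5 header and record format.

```python
import struct
from ipaddress import IPv4Address, ip_network

# NetFlow v5 wire format (big-endian): 24-byte header, then up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"               # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifaces, pkts, octets, first, last, ports, ...
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)  # 24, 48

def parse_netflow_v5(packet):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count exceeds datagram length")  # truncated or malformed export
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": IPv4Address(f[0]), "dst": IPv4Address(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def flag_bad_contacts(flows, bad_networks):
    """Forensic check: return the flows whose source or destination is on the blocklist."""
    nets = [ip_network(n) for n in bad_networks]
    return [f for f in flows if any(f["src"] in n or f["dst"] in n for n in nets)]

def build_v5_datagram(records):
    """Constructed test data: encode (src, dst, sport, dport, proto, octets) tuples as v5."""
    hdr = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                    0, 0, 1, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, octets in records)
    return hdr + body

# Constructed sample export: two ordinary web flows plus one to a documentation-range
# address (RFC 5737) that stands in for a known-bad IP. Not real traffic.
SAMPLE = build_v5_datagram([
    ("10.0.0.5", "203.0.113.9", 51000, 443, 6, 5120),
    ("10.0.0.7", "198.51.100.20", 51001, 80, 6, 900),
    ("10.0.0.5", "192.0.2.66", 51002, 8080, 6, 120),
])
BLOCKLIST = ["192.0.2.0/24"]  # constructed indicator list, stands in for a threat feed
```

Calling `flag_bad_contacts(parse_netflow_v5(SAMPLE), BLOCKLIST)` returns only the third flow; a real collector would run the same check over the exports it has archived.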
References:
- NetFlow on Wikipedia
- Gigamon on NetFlow (vendor link)
- YouTube video from ZCorum on NetFlow (vendor link)
- Auvik on NetFlow (vendor link, but better)
NetFlow using ntopng
ntopng is an open source implementation of a NetFlow collector: it acts as the concentrator and provides a web interface. In the same family is nProbe, the probe that is installed on e.g. a router and exports flows to ntopng.
- On a Debian VM, install ntopng.
- Open the ntopng web interface in a browser to see the connections (default is localhost, port 3000).
- Generate more traffic by visiting some sites.
Note: We ought to set up a probe on the router, but due to a technical issue, this is postponed.