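Over the past two days I have been studying how to analyze traffic by protocol and by MAC address on a Cisco router. The method is summarized below:
Configuring NetFlow on an interface (protocol-based)
a. Enabling NetFlow Export
interface {interface} {interface_number}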
ip route-cache flow
bandwidth
b. Exporting NetFlow Data
Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running:
ip flow-export destination {hostname|ip_address} 9996
ip flow-export source {interface} {interface_number}
ip flow-export version 5 [peer-as | origin-as]
snmp-server ifindex persist
c. Verifying Device Configuration
show ip flow export
show ip cache flow
show ip cache verbose flow
d. A Sample Device Configuration
router#enable
Password:*****
router#configure terminal
router-2621(config)#interface FastEthernet 0/1
router-2621(config-if)#ip route-cache flow
router-2621(config-if)#exit
router-2621(config)#ip flow-export destination 192.168.9.101 9996
router-2621(config)#ip flow-export source FastEthernet 0/1
router-2621(config)#ip flow-export version 5
router-2621(config)#ip flow-cache timeout active 1
router-2621(config)#ip flow-cache timeout inactive 15
router-2621(config)#snmp-server ifindex persist
router-2621(config)#^Z
router#write
router#show ip flow export
router#show ip cache flow
e. Turning off NetFlow
no ip flow-export destination {hostname|ip_address} {port_number}
no ip route-cache flow
Test example:
CISCO_PPPOE#show ip cache flow
IP packet size distribution (2667212 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .342 .081 .015 .010 .002 .003 .003 .002 .002 .002 .003 .002 .003 .003
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.003 .004 .006 .040 .464 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
33 active, 4063 inactive, 50346 added
1608792 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
6 active, 1018 inactive, 12031 added, 12031 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet           9      0.0        13    59      0.0       7.0      12.2
TCP-FTP              7      0.0
TCP-WWW          14563      0.0        17  1145      0.1       3.4       7.1
TCP-SMTP             8      0.0        11    67      0.0       3.1      10.2
TCP-X              314      0.0         1    40      0.0       0.0      15.4
TCP-other         6851      0.0        17   628      0.0       7.4      10.9
UDP-other        27164      0.0        83   703      1.7      21.9      15.4
ICMP              1398      0.0         4   155      0.0      10.9      15.5
Total:           50314      0.0        52   741      2.0      14.1      12.4
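The following is an added example, not part of the original post: a Python sketch of what a collector does with the datagrams that "ip flow-export version 5" sends to UDP port 9996. Because v5 export is unauthenticated UDP, the parser checks version, record count and length before trusting any field. The addresses, counters and sequence number in build_sample() are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, _up, secs, _ns, seq, _et, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    flows = []
    for off in range(HEADER.size, len(datagram), RECORD.size):
        (src, dst, _hop, in_if, out_if, pkts, octets, _first, _last, sport, dport, flags,
         proto, _tos, _sas, _das, _sm, _dm) = RECORD.unpack_from(datagram, off)
        # in_if/out_if are SNMP ifIndex values of the router's interfaces.
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "in_if": in_if, "out_if": out_if, "packets": pkts,
                      "bytes": octets, "sport": sport, "dport": dport,
                      "tcp_flags": flags, "proto": PROTO_NAMES.get(proto, str(proto))})
    return {"sequence": seq, "count": count, "unix_secs": secs}, flows


def bytes_by_protocol(flows):
    totals = Counter()
    for flow in flows:
        totals[flow["proto"]] += flow["bytes"]
    return dict(totals)


def build_sample():
    """Constructed sample datagram (not captured traffic): one TCP and one UDP flow."""
    def rec(src, dst, pkts, octets, sport, dport, proto):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4), 1, 2,
                           pkts, octets, 0, 0, sport, dport, 0, proto, 0, 0, 0, 24, 0)
    return (HEADER.pack(5, 2, 1000, 1_600_000_000, 0, 42, 0, 0, 0)
            + rec("192.168.9.20", "203.0.113.5", 17, 19465, 40000, 80, 6)
            + rec("192.168.9.21", "198.51.100.7", 83, 58349, 5000, 53, 17))
```

The in_if and out_if fields only stay meaningful across reloads when the router keeps its interface indexes stable, which is what "snmp-server ifindex persist" in the configuration above provides.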