Flow monitoring explained
From packet capture to data analysis - the use of IPFIX Exporter
DE-CIX 2021
Annika Wickert
● Second Chair of Board Freie Netze München e.V.
● Senior Network Engineer / OpenSource since 2010
● Twitter @awlnx / Github @awlx
2
Who am I?
3
FFMUC?
• Freie Netze München e.V. since 2014
• Community Freifunk München since 2004
• Wifi
• #FFMEET
• DoH/DoT/DNSCrypt/DNS
• Streaming
4
Preface
• FFMUC moved from donated uplinks to its own ASN (AS212567)
• 2 datacenters, each announcing a /48 IPv6 and a /24 IPv4
• Due to RIB/FIB limitations only with default routes from transit
• DE-CIX offered (remote-)peering in FRA and MUC
5
Motivation
• Peering with the DE-CIX Route Server (RS) is great, and yields many routes
• Some prefixes however are only announced on direct sessions
• Route Servers remove some resilience from the internet, since they become a
SPOF (though DE-CIX RS has been stable)
• We’re nerds and want to play & learn
So, where is our traffic going? Who should we peer with?
6
Setup
[Diagram labels: Munich; DE-CIX FRA; Remote Peering. Icons: icons8.com]
7
IPFIX Ingest
[Diagram labels: Munich; DE-CIX FRA; Remote Peering; IPFIX Export; UDP DTLS wrapper; DTLS encrypted IPFIX Data; unified flow collector. Icons: icons8.com]
8
What is IPFIX?
• IP Flow Information Export (RFC7011)
• (sampled) information about traffic flows
• Transported via UDP
• contains information like
■ Source / Destination IP
■ Source / Destination Port
■ Packet Size
9
IPFIX Export at DE-CIX
• IPFIX data is generated by the DE-CIX platform and sent to a destination IP
• Sampling Rate 10.000:1
• Since IPFIX data contains plain flows it’s encrypted using DTLS
• The receiver decrypts the DTLS encrypted UDP datagrams and forwards the
plain IPFIX data to a flow pipeline (such as ElastiFlow)
• Can be configured in the DE-CIX Portal
10
ElastiFlow
● ElastiFlow is an open source network performance analytics platform
● Ingests IPFIX/NETFLOW/sFLOW into Elasticsearch
● Enriches flow-data with GeoIP and threat information
● Provides beautiful pre-built dashboards & sankey diagrams
● Soon offers obfuscation of flow data (only show /24 or /48, not exact prefix)
○ Important for us since we value our users' privacy
● Offers commercial support
● Very good community support too :)
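
Added example (not from the original slides, and not DE-CIX or ElastiFlow code): a minimal Python decoder for the plain IPFIX (RFC 7011) messages that leave the DTLS wrapper, followed by the /24 truncation and the scaling by the 10.000:1 sampling rate described above. The sample message, the template layout and the function names are constructed for illustration; only IPv4 and fixed-length IANA fields are handled, with one template record per template set.

```python
import ipaddress
import struct
from collections import Counter

IE = {1: "octets", 8: "src_ip", 12: "dst_ip"}  # IANA IPFIX information element IDs
SAMPLING_RATE = 10000  # the 10.000:1 rate stated on the slide
# Constructed sample message: one template (ID 256) and two flow records.
SAMPLE = bytes.fromhex(
    "000a0048 00000000 00000000 00000001"            # header: version 10, 72 bytes
    " 00020014 01000003 00080004 000c0004 00010008"  # template set: src, dst, octets
    " 01000024 c6336407 cb007109 00000000000005dc"   # data set 256, flow 1
    " c63364c8 cb00714d 00000000000001f4")           # flow 2

def parse_ipfix(msg, templates):
    """Decode one IPFIX message; templates maps template ID -> field list."""
    if len(msg) < 16 or struct.unpack_from("!HH", msg) != (10, len(msg)):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off + 4 <= len(msg):
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > len(msg):
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:  # template set (assumption: one template record per set)
            tid, count = struct.unpack_from("!HH", body)
            spec = [struct.unpack_from("!HH", body, 4 + 4 * i) for i in range(count)]
            if any(ie & 0x8000 or flen in (0, 0xFFFF) for ie, flen in spec):
                raise ValueError("enterprise or variable-length fields not handled")
            templates[tid] = spec
        elif set_id >= 256 and templates.get(set_id):  # data set with known template
            size = sum(flen for _, flen in templates[set_id])
            for pos in range(0, len(body) - size + 1, size):  # ignores set padding
                rec = {}
                for ie, flen in templates[set_id]:
                    if ie in IE:
                        rec[IE[ie]] = body[pos:pos + flen]
                    pos += flen
                records.append(rec)
        off += set_len
    return records

def estimated_bytes(records, prefix=24):
    """Estimate real volume per (source, destination) pair, both masked to /prefix."""
    def mask(raw):
        return str(ipaddress.ip_network(f"{ipaddress.IPv4Address(raw)}/{prefix}", strict=False))
    totals = Counter()
    for r in records:
        totals[mask(r["src_ip"]), mask(r["dst_ip"])] += int.from_bytes(r["octets"], "big") * SAMPLING_RATE
    return dict(totals)
```

Data sets that arrive before their template are skipped, so a collector built this way only starts counting once the exporter has sent the template.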
11
ElastiFlow @ FFMUC
12
ElastiFlow @ FFMUC
13
ElastiFlow @ FFMUC
14
Better peering decisions
● Based on flow information we were able to confirm our Top ASNs
● To no surprise they were mainly
○ Eyeball Networks
○ Cloud Providers
○ Content Providers / CDNs
● We’ve set up direct sessions with most of them
15
Resources
● DTLS IPFIX Wrapper
https://github.com/DE-CIX/udp-dtls-wrapper
● ElastiFlow
https://elastiflow.com/
16
Questions? Feedback? Support?
● @freifunkMUC
● ffmuc.net/kontakt/
● ffmuc.net/spenden/
● peering@fnmuc.net
