roseasfen.blogg.se

Nmap show mac address

So far, we have discussed NetFlow configuration for network devices from various vendors such as Cisco, Juniper, Huawei, VyOS. We have collected layer 3 and 4 traffic information such as source/destination IP addresses, UDP/TCP protocol and source/destination ports. The older NetFlow v5 suits this purpose well and is very likely supported by legacy network devices. However, Layer2 information is very often required to detect and analyze attacks that target Layer2. In other words, we also need to collect MAC addresses and Virtual LAN (VLAN) IDs.

This is the scenario where Flexible NetFlow comes in handy. Flexible NetFlow allows users to configure and customize the information that is exported. It also enables the export of Layer2 fields such as MAC addresses and VLAN IDs from traffic.

Let's take a simple network topology consisting of a Cisco multilayer switch that is configured as a Flexible NetFlow exporter (Picture 1). The switch collects information about inter-VLAN traffic between VLAN 10 and 20 (PC1, PC2, and PC3) and traffic sent from the VLAN subnets to the Internet. NetFlow records are exported to the collector 192.168.30.10/24, UDP port 2055. The ports Gi0/0 and Gi0/1 are configured as routed ports; all other interfaces are switch ports configured with access to either VLAN 10 or 20.

Picture 1: Network Topology

Note: Before you start with the Flexible NetFlow configuration, you need to be sure that the NetFlow collector accepts layer 2 information and can display it.

In general, Flexible NetFlow consists of 3 components:

1) Flow Record
2) Flow Exporter
3) Flow Monitor

The following is a set of commands for a Cisco multilayer switch in order to enable Flexible NetFlow on the interfaces VLAN 10 and VLAN 20, with the flows exported to the collector 192.168.30.10.

1.1 Customized Flow Record

Create a new customized flow record MAC_RECORD. A customized flow record must have at least one match criterion for use as the key field and typically has at least one collect criterion for use as a nonkey field.

The first flow record in the NetFlow cache of the switch is depicted in Picture 2. It includes traffic statistics about ICMP packets sent from PC3 – 192.168.20.1 in VLAN20 (MAC address 0CAC.5DC0.0500) to PC1 – 192.168.10.1 in VLAN10. The MAC address 0CAC.5D2D.8014 is the MAC address of the VLAN20 interface. This is correct, as Layer2 headers are always changed by a Layer3 network device (router or a multilayer switch) when packets are forwarded between different Layer3 broadcast domains. The flow contains 29 ICMP packets (IP protocol 1) with 2436 bytes along with additional information such as timestamps and source/destination prefixes /24.

Picture 2: Flow Record in Exporter's Cache with ICMP Traffic

TCP traffic (IP protocol 6) sent from the host PC3 (192.168.20.1/24), VLAN20 to the Internet (2.21.77.152) is depicted in Picture 3. More particularly, it is HTTPS traffic (destination TCP port 443) sent from PC3 via the interface GigabitEthernet1/0 to the network assigned to Akamai International B.V., BGP AS number 20940.

Picture 3: Flow Record with HTTPS Traffic

Since broadcast traffic from hosts in a particular VLAN hits a VLAN interface of the switch, we can obtain information about broadcast traffic as well. The flow record shown in Picture 4 depicts a DHCP DISCOVER message sent from the host PC1 (0CAC.5DA1.1400), source UDP port 68, to all hosts in VLAN10, (MAC address ), destination UDP port 67. This is the first message in a series of DORA (Discover, Offer, Request, Assign) messages that PC1 is using to obtain an IP address from the DHCP server in the VLAN10 subnet.

Picture 4: Flow Record with DHCP Request Message

If we need to show the volume of traffic leaving VLAN networks per host along with broadcast traffic, we can aggregate flow records based on the source MAC and IP address fields (Picture 5).

Netflow-exporter# show flow monitor MAC_MONITOR cache aggregate datalink mac source address input ipv4 source address

Picture 5: Aggregated Flow Records based on Source MAC and IP Addresses

The host 192.168.20.1 (PC3) is a top talker with the most packet and byte counts but with the lowest number of flows, equal to 2. The higher number of flows with a small number of bytes and packets for hosts in VLAN 10 (192.168.10.0/24) indicates that the hosts perform a certain scan type (ICMP or TCP).
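The aggregation by source MAC and IP address, and the scan indicator read from it (many flows carrying few bytes and packets), can be reproduced on the collector side. The following is an added example, not code from the original article: the flow records are constructed sample data, the MAC address for PC2 is a placeholder, and the two thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Constructed sample flow records (not from the page's captures):
# (src_mac, src_ip, dst_ip, dst_port, packets, bytes)
FLOWS = [
    # PC3: two flows, one large HTTPS transfer and the 29-packet ICMP flow
    ("0CAC.5DC0.0500", "192.168.20.1", "2.21.77.152", 443, 5200, 6_100_000),
    ("0CAC.5DC0.0500", "192.168.20.1", "192.168.10.1", 0, 29, 2436),
]
# PC1: one tiny TCP flow per destination port (port-scan pattern)
FLOWS += [("0CAC.5DA1.1400", "192.168.10.1", "192.168.20.1", port, 1, 44)
          for port in range(20, 60)]
# PC2: one tiny ICMP flow per destination host; this MAC is a placeholder
FLOWS += [("0000.0000.0002", "192.168.10.2", f"192.168.20.{host}", 0, 1, 84)
          for host in range(1, 31)]


def aggregate(flows):
    """Group flows by (source MAC, source IP), the key fields of the aggregated view."""
    table = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for mac, ip, _dst, _port, packets, octets in flows:
        row = table[(mac, ip)]
        row["flows"] += 1
        row["packets"] += packets
        row["bytes"] += octets
    return dict(table)


def top_talker(table):
    """Host key with the highest byte count."""
    return max(table, key=lambda key: table[key]["bytes"])


def scan_suspects(table, min_flows=20, max_bytes_per_flow=200):
    """Hosts with many flows that each carry very little data.
    Both thresholds are assumptions to tune per network."""
    return sorted(key for key, row in table.items()
                  if row["flows"] >= min_flows
                  and row["bytes"] / row["flows"] <= max_bytes_per_flow)


if __name__ == "__main__":
    table = aggregate(FLOWS)
    for (mac, ip), row in sorted(table.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{mac}  {ip:<14} flows={row['flows']:<3} "
              f"packets={row['packets']:<5} bytes={row['bytes']}")
    print("top talker:", top_talker(table))
    print("scan suspects:", scan_suspects(table))
```

A host that is a top talker by bytes but has only a couple of flows is ordinary bulk traffic; the suspects list is what deserves a closer look in the per-flow records.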








