Netflow Analysis using Elastic Stack - 조인중
Page 3: What is NetFlow?
• Cisco router feature that provides the ability to collect IP network traffic information on interfaces
• Main components
  – Flow exporter
  – Flow collector (Logstash)
  – Analysis application (Elasticsearch)
  – Visualization (Kibana, or whatever works)
Source: Wikipedia
Page 4: NetFlow Architecture
Source: Wikipedia
Page 5: NetFlow Protocol (v5 header)
Source: https://www.plixer.com/support/netflow_v5.html
Page 6: NetFlow Protocol (v5 record)
Source: https://www.plixer.com/support/netflow_v5.html
Page 7: What we can do with NetFlow
• Application usage analysis
• Troubleshoot network problems
• Track down bandwidth hogs
• Detect abnormal traffic usage
• Detect hosts infected by malware
• …
Page 8: Elastic Stack - NetFlow
• Logstash: NetFlow collector
• Elasticsearch: NetFlow storage & analysis
• Kibana: Visualization
Page 9: System Architecture
It couldn't be simpler than this.
Page 10: Logstash Configuration (input)
Page 11: Logstash Configuration (filter)
Enrichment with geolocation info
Calculate estimated traffic volume (the exporter's sampling rate must be taken into account)
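As an added example (not code from the slides or the presenter's Logstash configuration), the following Python decoder reads the v5 header and record layout referenced on pages 5 and 6 and scales each record's byte count by the sampling interval the header carries, which is the volume estimate the filter slide describes. The datagram it parses is constructed inline; the field names and the `Flow` class are this example's own.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout: 24-byte header, then `count` fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int     # counts as reported by the exporter (already sampled)
    octets: int
    est_octets: int  # octets * sampling interval: the estimate the filter slide computes

def parse_netflow_v5(packet: bytes) -> list:
    """Decode one NetFlow v5 datagram, scaling bytes by the sampling interval."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _, _, _, _, _, _, sampling = struct.unpack_from(HEADER_FMT, packet)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Low 14 bits carry the 1:N interval, top 2 bits the mode; 0 means no sampling (1:1).
    interval = sampling & 0x3FFF or 1
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        r = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(src=socket.inet_ntoa(r[0].to_bytes(4, "big")),
                          dst=socket.inet_ntoa(r[1].to_bytes(4, "big")),
                          src_port=r[9], dst_port=r[10], proto=r[13],
                          packets=r[5], octets=r[6], est_octets=r[6] * interval))
    return flows

def build_sample_packet(sampling_interval: int = 100) -> bytes:
    """Constructed datagram (not captured traffic): one TCP flow
    10.0.0.5:51234 -> 203.0.113.10:443, 12 packets / 9000 bytes."""
    header = struct.pack(HEADER_FMT, 5, 1, 1000, 1_600_000_000, 0, 1, 0, 0, sampling_interval)
    record = struct.pack(RECORD_FMT, int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
                         int.from_bytes(socket.inet_aton("203.0.113.10"), "big"),
                         0, 1, 2, 12, 9000, 500, 900, 51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

A collector that forgets the interval under-reports volume by the sampling factor, so the estimate should be checked against a known link's counters before dashboards are built on it.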
Page 12: Logstash Configuration (output)
Page 13: Template for NetFlow data
Page 14: Collected data sample
Page 15: Demo! Demo!! Demo!!!
Page 16: Thank you.