Life is a Roller Coaster

September 20, 2008

Configuring Cflowd v5

Filed under: Technical section — Tags: — adisubrata @ 1:53 AM

In this post I will try to simulate Cflowd v5. This feature is usually used on Internet gateway routers, where an ISP needs to see which transit packets flow through its routers. They can be good or bad packets :) .

In JUNOS we can capture live packets with tcpdump, as described in the previous post. So what is the difference between tcpdump and Cflowd if both can capture live packets?

tcpdump can capture packets destined to the router itself, but it cannot capture transit packets; Cflowd can. So tcpdump is used for local packets and Cflowd for transit packets. Furthermore, Cflowd can be integrated with a flow analyzer, which is useful for identifying an attacker's IP address, while tcpdump is usually only useful for debugging.

There are two output methods you can configure in JUNOS: method 1 is RE-based Cflowd and method 2 is PIC-based Cflowd. To support PIC-based Cflowd you must have a services PIC such as an MS-PIC, AS-PIC or MO PIC. The MS-PIC is the next generation of the AS-PIC. The MS-PIC and AS-PIC use sp- interfaces, while the MO PIC uses mo- interfaces. In practice there is no difference between the two interface types as far as cflowd support goes.

So what is the difference between RE-based and PIC-based Cflowd? The difference is sampling performance. RE-based Cflowd uses the Routing Engine to collect the sampled packets coming from the PFE; remember that the PFE and RE are connected through the fxp1 interface, so every sampled packet has to cross that link. The performance difference is how many packets the RE versus the PIC can collect. When you need to collect a large volume of packets with cflowd, you will definitely need PIC-based Cflowd. In other words, the RE is used for low-rate sampling and the PIC for high-rate sampling.

Personally, I used RE-based Cflowd only for debugging purposes, and I used a rate of 10k.

Below is a summary of the Cflowd v5 flow information.

v5 flow entry
Src addr: 10.53.127.1
Dst addr: 10.6.255.15
Nhop addr: 192.168.255.240
Input interface: 5
Output interface: 3
Pkts in flow: 15
Bytes in flow: 600
Start time of flow: 7230
End time of flow: 7271
Src port: 26629
Dst port: 179
TCP flags: 0x10
IP proto num: 6
TOS: 0xc0
Src AS: 7018
Dst AS: 11111
Src netmask len: 16
Dst netmask len: 0

Basic configuration:

Cflowd configuration

enugadi@M7i# show forwarding-options
sampling {
    traceoptions {
        file debug-flow;
    }
    input {
        family inet {
            rate 1;
            run-length 0;
            max-packets-per-second 65535;
        }
    }
    output {
        cflowd 192.168.150.100 {
            port 2055;
            version 5;
            autonomous-system-type origin;
        }
        interface sp-0/1/0 {
            source-address 172.16.40.1;
        }
    }
}

Service Interface configuration

enugadi@M7i# show interfaces sp-0/1/0
unit 0 {
    family inet;
}

[edit]
enugadi@M7i# show interfaces ge-0/0/0.1
vlan-id 1;
family inet {
    sampling {
        input;
        output;
    }
    address 10.0.4.14/30;
}
family iso;
family mpls;

Verification:

enugadi@M7i# run show services accounting flow
Service Accounting interface: sp-0/1/0, Local interface index: 133
Service name: (default sampling)
Interface state: Accounting
  Flow information
    Flow packets: 1664, Flow bytes: 107389
    Flow packets 10-second rate: 0, Flow bytes 10-second rate: 64
    Active flows: 0, Total flows: 33
    Flows exported: 39, Flows packets exported: 24
    Flows inactive timed out: 33, Flows active timed out: 6

If you find the interface state is “NOT ACCOUNTING”, check the services PIC configuration and add family inet to the service PIC interface.

Example:

enugadi@M7i# show interfaces sp-0/1/0
unit 0 {
    family inet;
}
enugadi@M7i# run show services accounting status
Service Accounting interface: sp-0/1/0, Local interface index: 133
Service name: (default sampling)
Interface state: Accounting
  Service ID: 0
  Export interval (in seconds): 60, Export format: cflowd v5
  Protocol: IPv4, Engine type: 188, Engine ID: 17
  Route record count: 11, IFL to SNMP index count: 51, AS count: 3
  Time set: Yes, Configuration set: Yes
  Route record set: Yes, IFL SNMP map set: Yes

I will try to simulate 10000 packets and let's see what is recorded on the flow server:

enugadi@M7i# run ping 50.50.50.50 logical-router ce1 rapid count 10000 source 11.11.11.11
PING 50.50.50.50 (50.50.50.50): 56 data bytes
--- snipped ----
--- 50.50.50.50 ping statistics ---
10000 packets transmitted, 10000 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.942/1.141/44.862/1.629 ms

Since the sampling rate is 1, every single packet of the flow is counted in the flow record.

Let's check the captured packets from the CLI:

enugadi@M7i# run show services accounting flow-detail detail
Service Accounting interface: sp-0/1/0, Local interface index: 133
Service name: (default sampling)
Interface state: Accounting
Protocol   Input          Source          Source   Output          Destination    Destination   Packet     Byte
           interface      address           port   interface       address               port   count      count
icmp(1)    ge-0/0/1.24    11.11.11.11          0   ge-0/0/0.1      50.50.50.50 dls-monitor(2048) 10000     840

Exactly 10000 packets are shown from the CLI.

Let's check from the cflowd server:

No.     Time            Source       Destination        Protocol Source Port Destination Port Info
5221 01:43:42.764561 172.16.40.1 192.168.150.100       CFLOW    44037       2055             total: 1 (v5) flow
Frame 5221 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: TeknorMi_5c:3e:9c (00:a0:a5:5c:3e:9c), Dst: Intel_04:fb:7b (00:16:6f:04:fb:7b)
Internet Protocol, Src: 172.16.40.1 (172.16.40.1), Dst: 192.168.150.100 (192.168.150.100)
User Datagram Protocol, Src Port: 44037 (44037), Dst Port: iop (2055)
Source port: 44037 (44037)
Destination port: iop (2055)
Length: 80
Checksum: 0xb6a3 [correct]
Cisco NetFlow/IPFIX
Version: 5
Count: 1
SysUptime: 3200060
Timestamp: Sep 20, 2008 08:52:44.427167000
FlowSequence: 26
EngineType: 188
EngineId: 17
00.. .... .... .... = SamplingMode: No sampling mode configured (0)
..00 0000 0000 0001 = SampleRate: 1
 pdu 1/1
 SrcAddr: 11.11.11.11 (11.11.11.11)
 DstAddr: 50.50.50.50 (50.50.50.50)
NextHop: 10.0.4.13 (10.0.4.13)
InputInt: 117
OutputInt: 60
 Packets: 10000
Octets: 840000
[Duration: 14.110000000 seconds]
SrcPort: 0
DstPort: 2048
padding
TCP Flags: 0x00
Protocol: 1
IP ToS: 0x00
SrcAS: 65412
DstAS: 65412
SrcMask: 32 (prefix: 11.11.11.11/32)
DstMask: 32 (prefix: 50.50.50.50/32)
padding
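As an added example (my own Python, not code from the post or from JUNOS), here is a parser for the NetFlow v5 export format decoded above: the 24-byte header followed by 48-byte flow records, exercised on a datagram constructed from the field values in the Wireshark decode and in the flow-entry summary earlier in the post. The unix_secs value assumes the 08:52:44 timestamp was UTC, and the first/last uptimes are chosen only to reproduce the 14.11 s duration.

```python
import socket
import struct

# NetFlow v5 on the wire: a 24-byte header followed by `count` 48-byte records, big-endian.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(payload: bytes) -> dict:
    """Decode one v5 export datagram (the UDP payload) into a header dict and a flow list."""
    if len(payload) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, payload, 0)
    if version != 5:
        raise ValueError(f"not a v5 export (version={version})")
    if len(payload) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {
        "version": version, "count": count, "sys_uptime_ms": uptime,
        "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # top 2 bits carry the sampling mode, the low 14 bits the sample rate
        "sampling_mode": sampling >> 14, "sample_rate": sampling & 0x3FFF,
    }
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, payload, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6], "duration_s": (f[8] - f[7]) / 1000,
            "src_port": f[9], "dst_port": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"header": header, "flows": flows}


def sample_export() -> bytes:
    """Constructed datagram reproducing the ICMP flow decoded in the post (not a real capture)."""
    # unix_secs assumes the 08:52:44 timestamp was UTC; first/last give the 14.11 s duration.
    header = struct.pack(HEADER_FMT, 5, 1, 3200060, 1221900764, 427167000, 26, 188, 17, 1)
    record = struct.pack(RECORD_FMT,
                         socket.inet_aton("11.11.11.11"), socket.inet_aton("50.50.50.50"),
                         socket.inet_aton("10.0.4.13"), 117, 60, 10000, 840000,
                         3185950, 3200060, 0, 2048, 0, 0x00, 1, 0x00, 65412, 65412, 32, 32, 0)
    return header + record  # 72 bytes: the 80-byte UDP length in the post minus its 8-byte header
```

parse_netflow_v5(sample_export()) returns the same fields Wireshark shows above; the length check rejects a truncated or over-counted datagram instead of reading past its end.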
