Add Applications to Monitoring Session

Gigamon supports the following GigaSMART applications:

■   Sampling
■   Slicing
■   Masking
■   NetFlow

You can optionally use these applications to optimize the traffic sent from your instances to the monitoring tools.

Note:  If you have opted to send the traffic to a physical node such as a GigaVUE H Series box, then these GigaSMART operations will not be visible in the monitoring session page.

Sampling

Sampling selects packets at random according to the configured sampling rate and forwards only the sampled packets to the monitoring tools.

To add a sampling application:

1. Drag and drop Sample from APPLICATIONS to the graphical workspace.

Figure 1 Dragging the Sample Application
2. Click Sample and select Details.

Figure 2 Selecting Details
3. In the Alias field, enter a name for the sample.

Figure 3 Viewing Sample Application Quick View
4. For State, select the On check box to indicate that the application is sampling packets randomly, or the Off check box to indicate that it is not currently sampling packets. The state can be changed at any time.
5. From the Sampling Type drop-down list, select the type of sampling:
o   Random Simple — The first packet is selected randomly. The subsequent packets are also selected randomly based on the rate specified in the Sampling Rate field.

For example, if the first packet selected is 5 and the sampling rate is 1:10, then after the 5th packet the subsequent packets are selected at random at a rate of one in every 10.

o   Random Systematic — The first packet is selected randomly. Then every nth packet is selected, where n is the value specified in the Sampling Rate field.

For example, if the first packet selected is 5 and the sampling rate is 1:10, then every 10th packet after it is selected for sampling: 15, 25, 35, and so on.

6. In the Sampling Rate field, enter the ratio of packets to be selected. The default ratio is 1:1.
7. Click Save.
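The two sampling types above, modelled as an added example (this is not Gigamon code and makes no claim about how the GigaSMART engine is implemented). Random Systematic follows the documented rule exactly; for Random Simple the description is looser, so the model takes the interpretation that one packet is chosen at random from each consecutive group of n packets, which keeps the long-run rate at exactly 1:n. The `first` argument is an assumption added so the walk-through from the text (first packet 5, rate 1:10) is reproducible; the device picks that position itself.

```python
"""Reference model of the Sample application's two sampling types.

Added example, not Gigamon code: it reproduces the documented selection rules
over an in-memory packet list so the two modes can be compared side by side.
"""
import random
from typing import Iterable, Iterator, List, Optional, Tuple


def parse_rate(rate: str) -> int:
    """Turn a Sampling Rate value such as '1:10' into the group size n."""
    num, sep, den = rate.partition(":")
    if sep != ":" or num.strip() != "1" or not den.strip().isdigit() or int(den) < 1:
        raise ValueError(f"sampling rate must be of the form 1:n, got {rate!r}")
    return int(den)


def random_systematic(packets: Iterable[bytes], rate: str,
                      first: Optional[int] = None,
                      rng: Optional[random.Random] = None) -> Iterator[Tuple[int, bytes]]:
    """Random Systematic: pick the first packet at random within the first n packets,
    then every n-th packet after it. `first` is a 1-based position supplied only to
    make the example reproducible (assumption); normally it is drawn at random."""
    n = parse_rate(rate)
    rng = rng or random.Random()
    if first is None:
        first = rng.randint(1, n)
    if not 1 <= first <= n:
        raise ValueError("first sampled position must lie within the first n packets")
    for pos, pkt in enumerate(packets, start=1):
        if pos >= first and (pos - first) % n == 0:
            yield pos, pkt


def random_simple(packets: Iterable[bytes], rate: str,
                  rng: Optional[random.Random] = None) -> Iterator[Tuple[int, bytes]]:
    """Random Simple (assumed interpretation): the stream is cut into consecutive
    groups of n packets and one packet from each group is chosen at random, so the
    first sampled packet and every later one are random while the rate stays 1:n."""
    n = parse_rate(rate)
    rng = rng or random.Random()
    group: List[Tuple[int, bytes]] = []
    for pos, pkt in enumerate(packets, start=1):
        group.append((pos, pkt))
        if len(group) == n:
            yield rng.choice(group)
            group = []
    # A trailing partial group (fewer than n packets) is dropped, as a 1:n rate implies.


def sampled_positions(sampler, packets, rate: str, **kw) -> List[int]:
    """Return only the 1-based positions a sampler selected."""
    return [pos for pos, _ in sampler(packets, rate, **kw)]


if __name__ == "__main__":
    # Constructed input: 40 dummy packets, numbered so the selection is easy to read.
    stream = [f"pkt-{i}".encode() for i in range(1, 41)]
    print("systematic 1:10, first=5:", sampled_positions(random_systematic, stream, "1:10", first=5))
    print("simple     1:10        :", sampled_positions(random_simple, stream, "1:10"))
```

Running the block prints the systematic positions 5, 15, 25, 35 from the text; the simple run prints four positions, one from each group of ten, that differ from run to run. The difference matters when the tool behind the sampler does rate-based estimation: both modes deliver the same volume, but systematic sampling can alias with periodic traffic while simple sampling cannot.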

Slicing

Packet slicing lets you truncate packets after a specified header and slice length, preserving the portion of the packet required for monitoring purposes.

To add a slicing application:

1. Drag and drop Slice from APPLICATIONS to the graphical workspace.

Figure 4 Dragging the Slice Application
2. Click the Slice application and select Details.

Figure 5 Selecting Details
3. In the Alias field, enter a name for the slice.

Figure 6 Viewing Slice Application Quick View
4. For State, select the On check box to indicate that the application is slicing packets, or the Off check box to indicate that it is not currently slicing packets. The state can be changed at any time.
5. In the Slice Length field, specify the length of the packet that must be sliced.
6. (Optional) From the Protocol drop-down list, select the protocol to which the slice length applies. The options are as follows:
o   None
o   IPv4
o   IPv6
o   UDP
o   TCP
7. Click Save.

Masking

Masking lets you overwrite specific packet fields with a specified pattern so that sensitive information is protected during network analysis.

To add a masking application:

1. Drag and drop Mask from APPLICATIONS to the graphical workspace.

Figure 7 Dragging the Mask Application
2. Click the Mask application and select Details.

Figure 8 Selecting Details
3. In the Alias field, enter a name for the mask.

Figure 9 Viewing Mask Application Quick View
4. For State, select the On check box to indicate that the application is masking packets, or the Off check box to indicate that it is not currently masking packets. The state can be changed at any time.
5. In the Mask offset field, enter the offset from which the application should start masking data with the pattern specified in the Pattern field.

The value can be specified either as a static offset, that is, from the start of the packet, or as a relative offset, that is, from the start of the protocol layer selected in the Protocol field.

6. In the Mask length field, enter the number of bytes of the packet that must be masked.
7. In the Mask pattern field, enter the pattern for masking the packet. The value of the pattern is from 0 to 255.
8. (Optional) From the Protocol drop-down list, select the protocol whose data is to be masked.
9. Click Save.
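Slicing and masking both operate on a byte offset that is either static (from the start of the packet) or relative to a protocol layer. The following added example, which is not Gigamon code, shows the two operations on one parsed frame: it locates the IPv4/IPv6 and TCP/UDP layers, truncates after the selected layer plus the slice length, and overwrites a byte range with a 0..255 pattern. Assumptions made here because the page does not spell them out: Protocol = None means the start of the frame, the slice length and mask offset are counted from the start of the selected layer, and the frame is Ethernet II carrying IPv4 or IPv6 without extension headers. The sample frame and its payload are constructed for the example.

```python
"""Slicing and masking on a parsed Ethernet frame (added example, not Gigamon code)."""
import struct
from typing import Dict

ETH_HDR = 14  # Ethernet II header length


def layer_offsets(frame: bytes) -> Dict[str, int]:
    """Return the byte offset at which each recognised protocol layer starts."""
    offs = {"None": 0}                               # assumption: None = start of frame
    if len(frame) < ETH_HDR:
        return offs
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= ETH_HDR + 20:
        offs["IPv4"] = ETH_HDR
        ihl = (frame[ETH_HDR] & 0x0F) * 4            # IPv4 header length in bytes
        proto = frame[ETH_HDR + 9]                   # Protocol field
        l4 = ETH_HDR + ihl
    elif ethertype == 0x86DD and len(frame) >= ETH_HDR + 40:
        offs["IPv6"] = ETH_HDR
        proto = frame[ETH_HDR + 6]                   # Next Header (no extension-header walk)
        l4 = ETH_HDR + 40
    else:
        return offs
    if proto == 6 and len(frame) >= l4 + 20:
        offs["TCP"] = l4
    elif proto == 17 and len(frame) >= l4 + 8:
        offs["UDP"] = l4
    return offs


def slice_frame(frame: bytes, slice_length: int, protocol: str = "None") -> bytes:
    """Keep the frame up to the selected layer plus slice_length bytes; drop the rest."""
    offs = layer_offsets(frame)
    if protocol not in offs:
        raise ValueError(f"protocol {protocol} not present in frame")
    return frame[: offs[protocol] + slice_length]


def mask_frame(frame: bytes, offset: int, length: int, pattern: int,
               protocol: str = "None") -> bytes:
    """Overwrite `length` bytes starting at `offset` (static, or relative to `protocol`)
    with the single-byte pattern 0..255. A range running past the frame end is clamped."""
    if not 0 <= pattern <= 255:
        raise ValueError("mask pattern must be between 0 and 255")
    offs = layer_offsets(frame)
    if protocol not in offs:
        raise ValueError(f"protocol {protocol} not present in frame")
    start = offs[protocol] + offset
    end = min(start + length, len(frame))
    if start >= end:
        return frame
    return frame[:start] + bytes([pattern]) * (end - start) + frame[end:]


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with a 32-byte payload (not captured traffic)."""
    payload = b"user=alice&card=4111111111111111"
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frame = build_sample_frame()
    headers_only = slice_frame(frame, 20, "TCP")       # L2 + L3 headers plus 20 bytes of TCP
    redacted = mask_frame(frame, 20, 32, 0x58, "TCP")  # overwrite the payload with 'X'
    print(len(frame), len(headers_only), redacted[54:])
```

On the 86-byte sample frame, a slice of 20 bytes relative to TCP keeps exactly the 54 bytes of headers, and a mask at TCP offset 20 for 32 bytes replaces the whole payload. A static offset of 54 hits the same bytes on this frame, but only because its IPv4 header carries no options; the relative form stays correct when header lengths vary, which is why it is the safer choice when the goal is to keep sensitive payload out of the tool.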

NetFlow

NetFlow collects IP network traffic on all interfaces where NetFlow monitoring is enabled. It gathers information about the traffic flows and exports the NetFlow records, which include data and templates, to at least one NetFlow collector. The application that serves as a NetFlow collector receives the NetFlow data sent from exporters, processes the information, and provides data visualization and security analytics.

The following are the key benefits of the NetFlow application:

■   Compresses network information into a single flow record.
■   Facilitates up to 99% reduction in data transferred.
■   Accelerates the migration of mission-critical workloads.
■   Provides summarized information on traffic source and destination, congestion, and class of service.
■   Identifies and classifies DDoS attacks, viruses, and worms in real time.
■   Secures network against internal and external threats.
■   Identifies top consumers and analyzes their statistics.
■   Reduces the cost of security monitoring.
■   Analyzes the network flows based on algorithms and behavior rather than signature matching.
■   Analyzes east-west traffic between flows within and across VPCs.

The NetFlow application contains key elements that specify what to match in the flow, such as all packets with the same source and destination port, or the packets that come in on a particular interface. For information about Match/Key fields, refer to Match/Key Fields. A NetFlow record is the output generated by NetFlow. A flow record contains non-key elements that specify what information to collect for the flow, such as when the flow started or the number of bytes in the flow. For information about Collect/Non-Key fields, refer to Collect/Non-Key Fields.

Figure 10 shows an example of a NetFlow application created on a GigaVUE V Series node in the monitoring session.

Figure 10 NetFlow on GigaVUE V Series Node

The NetFlow record generation is performed on the GigaVUE V Series node running the NetFlow application. In Figure 10, incoming packets from G-vTAP containers are sent to the GigaVUE V Series node. In the GigaVUE V Series node, one map sends the TCP packets to the version 5 NetFlow application. Another map sends the UDP packets to a sampling application. The map rules and applications such as slice, mask, and sample can only be applied prior to sending the data to NetFlow.

A NetFlow application examines the incoming packets and creates one or more flows from the packet attributes. These flows are cached and exported based on the active and inactive cache timeouts specified in the NetFlow application configuration.

The flow records can be sent to a tunnel or to a NAT device for flow inspection. NAT allows the NetFlow records to be directly transmitted to a collector without a tunnel. For more information about NAT, refer to Network Address Translation (NAT).

The NetFlow application exports the flows using the following export versions:

■   version 5—The fields in the NetFlow record are fixed.
■   version 9—The fields are configurable, thus a template is created. The template contains information on how the fields are organized and in what order. It is sent to the collector before the flow record, so the collector knows how to decode the flow record. The template is sent periodically based on the configuration.
■   IPFIX—The extended version of version 9 supports variable length fields as well as enterprise-defined fields.

Match/Key Fields

NetFlow v9 and IPFIX records allow you to configure Match/Key elements.

The supported Match/Key elements are outlined in the following table:

Table 1: Match/Key Elements

| Element | Description | Supported NetFlow Versions |
|---|---|---|
| Data Link | | |
| Destination MAC | Configures the destination MAC address as a key field. | v9 and IPFIX |
| Egress Dest MAC | Configures the post source MAC address as a key field. | IPFIX |
| Ingress Dest MAC | Configures the IEEE 802 destination MAC address as a key field. | IPFIX |
| Source MAC | Configures the IEEE 802 source MAC address as a key field. | v9 and IPFIX |
| IPv4 | | |
| ICMP Type Code | Configures the type and code of the IPv4 ICMP message as a key field. | v9 and IPFIX |
| IPv4 Dest IP | Configures the IPv4 destination address in the IP packet header as a key field. | v9 and IPFIX |
| IPv4 ICMP Code | Configures the code of the IPv4 ICMP message as a key field. | IPFIX |
| IPv4 ICMP Type | Configures the type of the IPv4 ICMP message as a key field. | IPFIX |
| IPv4 Options | Configures the IPv4 options in the packets of the current flow as a key field. | IPFIX |
| IPv4 Src IP | Configures the IPv4 source address in the IP packet header as a key field. | v9 and IPFIX |
| IPv4 Total Length | Configures the total length of the IPv4 packet as a key field. | IPFIX |
| Network | | |
| IP CoS | Configures the IP Class of Service (CoS) as a key field. | v9 and IPFIX |
| IP DSCP | Configures the value of the Differentiated Services Code Point (DSCP) encoded in the Differentiated Services field as a key field. | IPFIX |
| IP Header Length | Configures the length of the IP header as a key field. | IPFIX |
| IP Precedence | Configures the value of the IP Precedence as a key field. | IPFIX |
| IP Protocol | Configures the value of the protocol number in the IP packet header as a key field. | v9 and IPFIX |
| IP Total Length | Configures the total length of the IP packet as a key field. | IPFIX |
| IP TTL | For IPv4, configures the value of Time to Live (TTL) as a key field. For IPv6, configures the value of the Hop Limit field as a key field. | IPFIX |
| IP Version | Configures the IP version field in the IP packet header as a key field. | v9 and IPFIX |
| IPv6 | | |
| IPv6 Dest IP | Configures the IPv6 destination address in the IP packet header as a key field. | v9 and IPFIX |
| IPv6 Flow Label | Configures the value of the IPv6 flow label field in the IP packet header as a key field. | v9 and IPFIX |
| IPv6 ICMP Code | Configures the code of the IPv6 ICMP message as a key field. | IPFIX |
| IPv6 ICMP Type | Configures the type of the IPv6 ICMP message as a key field. | IPFIX |
| IPv6 ICMP Type Code | Configures the type and code of the IPv6 ICMP message as a key field. | IPFIX |
| IPv6 Payload Length | Configures the value of the payload length field in the IPv6 header as a key field. | IPFIX |
| IPv6 Src IP | Configures the IPv6 source address in the IP packet header as a key field. | v9 and IPFIX |
| Transport | | |
| L4 Dest Port | Configures the destination port identifier in the transport header as a key field. | v9 and IPFIX |
| L4 Src Port | Configures the source port identifier in the transport header as a key field. | v9 and IPFIX |
| TCP ACK Number | Configures the acknowledgment number in the TCP header as a key field. | IPFIX |
| TCP Dest Port | Configures the destination port identifier in the TCP header as a key field. | IPFIX |
| TCP Flags | Configures the TCP control bits observed for the packets of this flow as a key field. | v9 and IPFIX |
| TCP Header Length | Configures the length of the TCP header as a key field. | IPFIX |
| TCP Seq Number | Configures the sequence number in the TCP header as a key field. | IPFIX |
| TCP Src Port | Configures the source port identifier in the TCP header as a key field. | IPFIX |
| TCP Urgent | Configures the urgent pointer in the TCP header as a key field. | IPFIX |
| TCP Window Size | Configures the window field in the TCP header as a key field. | IPFIX |
| UDP Dest Port | Configures the destination port identifier in the UDP header as a key field. | IPFIX |
| UDP Src Port | Configures the source port identifier in the UDP header as a key field. | IPFIX |

Collect/Non-Key Fields

NetFlow v9 and IPFIX records allow you to configure Collect/Non-Key elements.

The supported Collect/Non-Key elements are outlined in the following table:

Table 2: Collect/Non-Key Elements

| Element | Description | Supported NetFlow Versions |
|---|---|---|
| Counter | | |
| Byte Count | Configures the number of octets since the previous report in incoming packets for the current flow as a non-key field. | v9 and IPFIX |
| Packet Count | Configures the number of incoming packets since the previous report for this flow as a non-key field. | v9 and IPFIX |
| Data Link | | |
| Destination MAC | Configures the destination MAC address as a non-key field. | v9 and IPFIX |
| Egress Dest MAC | Configures the post source MAC address as a non-key field. | IPFIX |
| Ingress Dest MAC | Configures the IEEE 802 destination MAC address as a non-key field. | IPFIX |
| Source MAC | Configures the IEEE 802 source MAC address as a non-key field. | v9 and IPFIX |
| Timestamp | | |
| Flow End Millisec | Configures the absolute timestamp of the last packet of the current flow in milliseconds as a non-key field. | IPFIX |
| Flow End Sec | Configures the absolute timestamp of the last packet of the current flow in seconds as a non-key field. | IPFIX |
| Flow End Time | Configures the flow end SysUp time as a non-key field. | v9 and IPFIX |
| Flow Start Millisec | Configures the absolute timestamp of the first packet of the current flow in milliseconds as a non-key field. | IPFIX |
| Flow Start Sec | Configures the absolute timestamp of the first packet of this flow in seconds as a non-key field. | IPFIX |
| Flow Startup Time | Configures the flow start SysUp time as a non-key field. | v9 and IPFIX |
| Flow | | |
| Flow End Reason | Configures the reason for flow termination as a non-key field. | IPFIX |
| IPv4 | | |
| ICMP Type Code | Configures the type and code of the IPv4 ICMP message as a non-key field. | v9 and IPFIX |
| IPv4 Dest IP | Configures the IPv4 destination address in the IP packet header as a non-key field. | v9 and IPFIX |
| IPv4 ICMP Code | Configures the code of the IPv4 ICMP message as a non-key field. | IPFIX |
| IPv4 ICMP Type | Configures the type of the IPv4 ICMP message as a non-key field. | IPFIX |
| IPv4 Options | Configures the IPv4 options in the packets of the current flow as a non-key field. | IPFIX |
| IPv4 Src IP | Configures the IPv4 source address in the IP packet header as a non-key field. | v9 and IPFIX |
| IPv4 Total Length | Configures the total length of the IPv4 packet as a non-key field. | IPFIX |
| Network | | |
| IP CoS | Configures the IP Class of Service (CoS) as a non-key field. | v9 |
| IP Protocol | Configures the value of the protocol number in the IP packet header as a non-key field. | v9 |
| IP Version | Configures the IP version field in the IP packet header as a non-key field. | v9 |
| IPv6 | | |
| IPv6 Dest IP | Configures the IPv6 destination address in the IP packet header as a non-key field. | v9 |
| IPv6 Flow Label | Configures the value of the IPv6 flow label field in the IP packet header as a non-key field. | v9 |
| IPv6 Src IP | Configures the IPv6 source address in the IP packet header as a non-key field. | v9 |
| Transport | | |
| L4 Dest Port | Configures the destination port identifier in the transport header as a non-key field. | v9 and IPFIX |
| L4 Src Port | Configures the source port identifier in the transport header as a non-key field. | v9 and IPFIX |
| TCP ACK Number | Configures the acknowledgment number in the TCP header as a non-key field. | IPFIX |
| TCP Dest Port | Configures the destination port identifier in the TCP header as a non-key field. | IPFIX |
| TCP Flags | Configures the TCP control bits observed for the packets of this flow as a non-key field. | v9 and IPFIX |
| TCP Header Length | Configures the length of the TCP header as a non-key field. | IPFIX |
| TCP Seq Number | Configures the sequence number in the TCP header as a non-key field. | IPFIX |
| TCP Src Port | Configures the source port identifier in the TCP header as a non-key field. | IPFIX |
| TCP Urgent | Configures the urgent pointer in the TCP header as a non-key field. | IPFIX |
| TCP Window Size | Configures the window field in the TCP header as a non-key field. | IPFIX |
| UDP Dest Port | Configures the destination port identifier in the UDP header as a non-key field. | IPFIX |
| UDP Src Port | Configures the source port identifier in the UDP header as a non-key field. | IPFIX |

Add Version 5 NetFlow Application

To add a version 5 NetFlow application:

1. Drag and drop NetFlow from APPLICATIONS to the graphical workspace.

Figure 11 Dragging the NetFlow Application
2. Click the NetFlow application and select Details. A quick view is displayed for configuring the NetFlow application.

Figure 12 Selecting Details
3. In the Alias field, enter a name for the v5 NetFlow application.
Figure 13 Viewing v5 NetFlow Application Quick View
4. For State, select the On check box to indicate that the application is currently running, or the Off check box to indicate that it is not. The state can be changed at any time.
5. From the NetFlow version drop-down list, select v5.
6. In Active cache timeout, enter the number of seconds that an active flow record must remain in the cache before it is exported and removed. The default value is 1800 seconds.
7. In Inactive cache timeout, enter the number of seconds an inactive flow record must remain in the cache before it times out. The default value is 15 seconds.
8. Click Save.

For some examples demonstrating the NetFlow application configuration in the GigaVUE V Series nodes, refer to NetFlow Examples.

Add Version 9 and IPFIX NetFlow Application

To add a v9 and IPFIX NetFlow application:

1. Drag and drop NetFlow from APPLICATIONS to the graphical workspace.

Figure 14 Dragging the NetFlow Application
2. Click the NetFlow application and select Details. A quick view is displayed for configuring the NetFlow application.

Figure 15 Selecting NetFlow Details
3. In the Alias field, enter a name for the NetFlow application.
Figure 16 Viewing NetFlow Application Quick View
4. For State, select the On check box to indicate that the application is generating NetFlow records from the packets coming from the G-vTAP containers, or the Off check box to indicate that it is not currently generating NetFlow records. The state can be changed at any time.
5. From the NetFlow version drop-down list, select the version you want to use to generate the NetFlow records. The default version selected is v5.
6. In the Source ID field, enter the observation domain to isolate the traffic. The NetFlow application uses the source ID to segregate the records into categories. For example, you can assign source ID 1 to traffic coming over TCP, which results in a separate NetFlow record for TCP data. Similarly, you can assign source ID 2 to traffic coming over UDP, which results in a separate NetFlow record for UDP data.
7. From the Match fields drop-down list, select the parameters that identify what you want to collect from the incoming packets. The Match fields displayed in the drop-down list are based on the NetFlow version selected in step 5. Refer to Match/Key Fields.
8. From the Collect fields drop-down list, select the parameters that identify what you want to collect from the NetFlow records. The Collect fields displayed in the drop-down list are based on the NetFlow version selected in step 5. Refer to Collect/Non-Key Fields.
9. In Active cache timeout, enter the number of seconds that an active flow record must remain in the cache before it is exported and removed. The default value is 1800 seconds.
10. In Inactive cache timeout, enter the number of seconds an inactive flow record must remain in the cache before it times out. The default value is 15 seconds.
11. In Template refresh interval, enter the frequency at which the template must be sent to the tool. The default value is 1800 seconds.
12. Click Save.
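The caching behaviour described earlier (packets with the same Match/Key fields merged into one flow, Collect/Non-Key counters accumulated, records exported and removed on the active or inactive cache timeout) and the Source ID, Match, Collect and timeout settings from the procedure above, modelled as an added example. This is not Gigamon code and does not describe the V Series implementation; the dict field names, the 5-tuple chosen as the default key, and the sample traffic are assumptions made for the example. The Flow End Reason codes are the IPFIX flowEndReason values from RFC 5102 (1 = idle timeout, 2 = active timeout).

```python
"""Flow cache model for the NetFlow application (added example, not Gigamon code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default Match/Key fields: the classic 5-tuple (assumed names for the packet dict keys).
DEFAULT_KEY_FIELDS = ("ip_src", "ip_dst", "ip_proto", "l4_src", "l4_dst")

# IPFIX flowEndReason codes (RFC 5102).
END_IDLE_TIMEOUT = 1
END_ACTIVE_TIMEOUT = 2


@dataclass
class FlowRecord:
    source_id: int            # observation domain / Source ID configured on the application
    key: Tuple                # values of the Match/Key fields, in DEFAULT_KEY_FIELDS order
    flow_start: float         # Collect: Flow Start (absolute time of the first packet)
    flow_end: float           # Collect: Flow End (absolute time of the last packet so far)
    packet_count: int = 0     # Collect: Packet Count
    byte_count: int = 0       # Collect: Byte Count
    tcp_flags: int = 0        # Collect: TCP Flags (OR of all control bits seen)
    end_reason: int = 0       # Collect: Flow End Reason, set when the record is exported


class FlowCache:
    def __init__(self, source_id: int, active_timeout: float = 1800.0,
                 inactive_timeout: float = 15.0,
                 key_fields: Tuple[str, ...] = DEFAULT_KEY_FIELDS) -> None:
        self.source_id = source_id
        self.active_timeout = active_timeout          # documented default: 1800 s
        self.inactive_timeout = inactive_timeout      # documented default: 15 s
        self.key_fields = key_fields
        self.flows: Dict[Tuple, FlowRecord] = {}
        self.exported: List[FlowRecord] = []          # stands in for records sent to the collector

    def observe(self, pkt: dict, now: float) -> FlowRecord:
        """Account one packet, expiring timed-out flows first."""
        self.expire(now)
        key = tuple(pkt[f] for f in self.key_fields)
        rec = self.flows.get(key)
        if rec is None:
            rec = FlowRecord(self.source_id, key, flow_start=now, flow_end=now)
            self.flows[key] = rec
        rec.flow_end = now
        rec.packet_count += 1
        rec.byte_count += pkt["length"]
        rec.tcp_flags |= pkt.get("tcp_flags", 0)
        return rec

    def expire(self, now: float) -> List[FlowRecord]:
        """Export and remove flows that hit the active or inactive timeout."""
        out: List[FlowRecord] = []
        for key, rec in list(self.flows.items()):
            if now - rec.flow_start >= self.active_timeout:
                rec.end_reason = END_ACTIVE_TIMEOUT
            elif now - rec.flow_end >= self.inactive_timeout:
                rec.end_reason = END_IDLE_TIMEOUT
            else:
                continue
            del self.flows[key]
            self.exported.append(rec)
            out.append(rec)
        return out


def run_sample() -> FlowCache:
    """Feed constructed sample traffic (not a capture) through a cache using the documented defaults."""
    tcp = {"ip_src": "10.0.1.5", "ip_dst": "10.0.2.9", "ip_proto": 6, "l4_src": 51000, "l4_dst": 443}
    udp = {"ip_src": "10.0.1.5", "ip_dst": "10.0.3.3", "ip_proto": 17, "l4_src": 40000, "l4_dst": 53}
    packets = [
        (0.0, {**tcp, "length": 74, "tcp_flags": 0x02}),     # SYN
        (0.5, {**tcp, "length": 1500, "tcp_flags": 0x18}),   # PSH/ACK
        (1.0, {**udp, "length": 80}),
        (2.0, {**tcp, "length": 60, "tcp_flags": 0x11}),     # FIN/ACK
    ]
    cache = FlowCache(source_id=1)          # active 1800 s, inactive 15 s
    for t, pkt in packets:
        cache.observe(pkt, now=t)
    cache.expire(now=20.0)                  # 18 s after the last packet: both flows idle out
    return cache


if __name__ == "__main__":
    for rec in run_sample().exported:
        print(rec)
```

The sample run produces two records, one TCP flow with 3 packets and 1634 bytes and one UDP flow, both ending with reason 1 (idle timeout). Lowering the active timeout to 10 s and feeding a flow that is still sending at 11 s shows the other path: the record is exported with reason 2 and a fresh record starts, which is why a long-lived session appears at the collector as a chain of records rather than one.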

For some examples demonstrating the NetFlow application configuration in the GigaVUE V Series nodes, refer to NetFlow Examples.

Network Address Translation (NAT)

NAT allows the NetFlow records to be directly transmitted to a collector without a tunnel. It lets you configure the destination IP of one or more collectors and the source IP of the GigaVUE V Series node interface through which the NetFlow records are sent out. The NetFlow records are exported to the collector over UDP protocol with the configurable source IP and destination IP.

Note:  Only one NAT can be added per monitoring session.

Add NAT

To add a NAT device:

1. Drag and drop NAT to the graphical workspace.
Figure 17 Adding NAT
2. Click NAT and select Details. A quick view is displayed for configuring a NAT device.
Figure 18 Selecting Details
3. In the Alias field, enter a name for the NAT device.
Figure 19 Configuring NAT
4. (Optional) In Local Subnet, enter a local subnet IP address that you want to assign to the NetFlow record. By default, the GigaVUE V Series node auto-generates a default local subnet. The subnet that you enter overrides the default subnet.
5. (Optional) In Routes, define the routes for sending the flow records to NetFlow collectors. Enter the following:
a. In Destination IP, enter the IP address of the NetFlow collector. For example, if Splunk is the NetFlow collector, enter the IP address of Splunk.
b. In Node Interface Subnet CIDR, enter the GigaVUE V Series node interface subnet CIDR for routing the NetFlow records out from the GigaVUE V Series node.
c. Click + to add more routes. Repeat steps a and b to enter the destination IP and node interface CIDR.
6. Click Save.

Link NetFlow Application to NAT

To create a link from a NetFlow application to a NAT device:

1. Drag and drop a link from the NetFlow application to a NAT device. A Link quick view is displayed. It is a header transformation operation that lets you configure the IPv4 destination IP of the NetFlow collector.
Figure 20 Creating a Link from NetFlow to NAT
2. In the Alias field, enter a name for the link.
3. From the Transformations drop-down list, select any one of the header transformations:
o   IPv4 Destination
o   ToS
o   Destination Port

Note:  Only the above three header transformations are allowed on the link from the NetFlow application to a NAT device.

4. In IPv4 Destination, enter the IP address of the NetFlow collector.
5. (Optional) By default, the Destination Port is 2055. To change the destination port, enter a port number.
6. Click Save. The transformed link is displayed in orange.
Figure 21 Linking NetFlow to NAT
7. Repeat steps 7 to 10 to send additional NetFlow records to NAT.

NetFlow Examples

This section provides some examples demonstrating the NetFlow application configuration in the GigaVUE V Series nodes.

■   Example 1

Example 1

In this example, a pass all map is created and the entire traffic from a VPC is sent to a tool for full packet inspection. At the same time, a NetFlow application is added to generate flow records for flow inspection.

1. Create a monitoring session. For steps, refer to Create Monitoring Session.
Figure 22 Creating a Monitoring Session
2. In the monitoring session, create a Pass all map. A pass all map sends all the traffic received from the G-vTAP containers to the tunnel endpoint or NAT. For steps, refer to Create a Map.
Figure 23 Creating a Pass All Map
3. Drag and drop a tunnel from Tunnels. A tunnel encapsulates the flow records and then sends them to the tools for full packet inspection.
Figure 24 Adding a Tunnel
4. Create a link from the Pass-all map to the tunnel endpoint. The traffic from the Pass-all map is forwarded to the tunnel endpoint that is connected to a tool.
Figure 25 Creating a Link from Pass-all Map to Tunnel_Endpoint
5. Drag and drop a v5 NetFlow application.
Figure 26 Adding a link from Pass-all Map to Tunnel_Endpoint
6. Click the NetFlow application and select Details. The Application quick view is displayed. For steps to configure the v5 NetFlow application, refer to Add Version 5 NetFlow Application.
Figure 27 Configuring the NetFlow Application
7. Create a link from the Pass all map to the v5 NetFlow application.
Figure 28 Adding a link from Pass-all Map to v5_NetFlow
8. Drag and drop NAT to the graphical workspace. A quick view to configure the NAT device is displayed. For steps to configure the NAT device, refer to Add NAT.
Figure 29 Adding a NAT Device
9. Create a link from the v5 NetFlow application to NAT. The link must be configured with the destination IP address of the NetFlow collector and the GigaVUE V Series node interface. For steps to configure the link, refer to Link NetFlow Application to NAT.
Figure 30 Adding a Link from v5 NetFlow Application to NAT
10. Click on the link created from the v5 NetFlow application to NAT. The information about the NetFlow collector destination IP and port is displayed.
Figure 31 Viewing the Transformation Dialog Box