A while ago I had a customer ask me about getting MAC addresses using Flexible NetFlow.  Yes, it is possible but, two issues come into play when getting it to work properly.
• The router must support Flexible NetFlow export
• The collector must accept and display it

Configure The Router
The router must be configured to export MAC addresses.  Here is how we did it:

Step 1: Create a flow record and define fields that you want to export. Give it a name. Called MAC-ATTACK here. I  have also included various other fields. You can ALSO export output MACs. This can show you if the router changed the MAC.

• flow record MAC_ATTACK
• description MAC address flow monitor
• match application name
• collect ipv4 id
• collect ipv4 source address
• collect ipv4 source prefix
• collect ipv4 source mask
• collect ipv4 destination address
• collect ipv4 destination mask
• collect transport source-port
• collect transport destination-port
• collect transport tcp source-port
• collect transport tcp destination-port
• collect transport udp source-port
• collect transport udp destination-port
• collect interface input
• collect interface output
• collect counter bytes
• collect counter packets
• collect timestamp sys-uptime first
• collect timestamp sys-uptime last
• collect datalink mac source address input
• collect datalink mac destination address input

Step 2: Create an exporter

• flow exporter my-happy-funtime-exporter
• description flexible NF v9
• destination 66.186.184.205
• source FastEthernet0/1
• transport udp 2055
• template data timeout 60

Step 3: Create a flow monitor

This tells the router what flow record and exporter to use:

• flow monitor My-flow-monitor
• description app traffic analysis
• record app-traffic-analysis
• exporter export-to-scrut7

Step 4:  Add Monitor to the desired interfaces

• interface FastEthernet0/0
  ip flow monitor My-flow-monitor input
• interface FastEthernet0/1
  ip flow monitor My-flow-monitor  input

Step 5: Enjoy the MAC goodness

The NetFlow Collector Must Accept It
The NetFlow collector must accept these new NetFlow packets containing MAC addresses. What’s more, the NetFlow reporting interface must allow you to view and search for the source and destination MAC addresses.  Here is our initial interface to this data:

Notice to the far right in the image above ‘vlandId’ cool stuff!  You can sort and search on any column, below I’m searching for a MAC address:

I can also see the respective IP address for the MAC and trend the traffic for the IP.  All of this with the free version of Scrutinizer!

“The ability to correlate end-users’ identities, as well as IP and MAC addresses, with anomalous network traffic patterns is important for enterprise IT security professionals,” said Phil Hochmuth, senior analyst with Yankee Group.

Scrutinizer v7 supports Flexible NetFlow and is able to receive and store Cisco NSEL (i.e. NetFlow Security Event Logs) and PSAMP, etc.  Because of this, our collector is able to receive and display anything kicked out that is in a NetFlow v9 format.  However, sometimes we don’t know how to display the data if the information isn’t in the template or if the records aren’t included as one of our defaults.  If you are having trouble displaying your unique NetFlow v9 data, please send a WireShark packet trace to me and make sure the capture includes a template!

Scrutinizer Has It Covered

Michael Patterson
Scrutinizer Product Manager
Click to download Scrutinizer now!
Join NetFlow Developments on Linkedin.com

Tags: Cisco, Flexible NetFlow, MAC Address, MAC_ATTACK, NetFlow Collector, NetFlow Security Event Logs, NetFlow v9, NSEL, PSAMP

This entry was posted on Monday, September 21st, 2009 at 1:42 pm and is filed under NetFlow. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.