Handbook of Computer Crime Investigation: Forensic Tools and Technology

Steve Romig
The Network Security Group at Ohio State University has developed several tools for investigating incidents on its network. The first set of tools, collectively called flow-tools, uses NetFlow records from Cisco routers. The second toolset, called review, facilitates the examination of network traffic that has been captured with tcpdump. This chapter describes these tools along with the underlying technology: NetFlow and tcpdump.
Ohio State University collects Cisco NetFlow logs from most of the routers that make up our backbone network. Cisco added NetFlow to its router and switch product lines several years ago, initially to support faster route look-ups. The accounting records that NetFlow processing can produce have proved extremely useful in their own right, and the feature is now used solely for its value in accounting and general network activity logging. These records can be extremely useful for incident response and other investigations, intrusion detection, firewall and network security assessment, and more traditional tasks like network planning and billing. [1]
The flow-tools package is a suite of programs for collecting, filtering, printing and analyzing Cisco flows. The tools are written to work as UNIX pipelined commands, making it easy to perform data reduction without creating unnecessary intermediate files. In the following discussion the tools are grouped roughly as 'capture tools,' 'general analysis tools,' and 'security tools.' Mark Fullmer, a former network engineer at OSU, wrote...
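As an added example that is not part of the chapter or of the flow-tools package, the following Python parses the Cisco NetFlow v5 export datagram format that such collectors receive and applies one data reduction of the kind the text describes: finding sources whose SYN-only TCP flows touched several ports on a single host. The field layout follows the public NetFlow v5 record format; the sample datagram is constructed inline and is not real traffic.

```python
"""Parse Cisco NetFlow v5 export datagrams and reduce them to a security summary."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte flow records.
HDR = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine, id, sampling
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out if, pkts, octets, first,
                                               # last, sport, dport, pad, tcp_flags, proto, tos, ...

def build_v5_datagram(records):
    """Assemble a datagram from (src, dst, sport, dport, proto, pkts, octets, tcp_flags) tuples.
    Used here only to construct sample input; a router exports the same bytes over UDP."""
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    body = b"".join(REC.pack(ip(s), ip(d), 0, 1, 2, p, o, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, p, o, fl in records)
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

def parse_v5(datagram):
    """Return one dict per flow record; reject anything that is not well-formed v5."""
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5 or len(datagram) < HDR.size + count * REC.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(struct.pack("!I", f[0])),
                      "dst": socket.inet_ntoa(struct.pack("!I", f[1])),
                      "pkts": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
                      "flags": f[12], "proto": f[13]})
    return flows

def probable_scanners(flows, min_ports=3):
    """Sources whose SYN-only TCP flows touched many distinct ports on one host: a scan signature."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["flags"] == 0x02:  # TCP with only SYN set: no handshake completed
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})

# Constructed sample (not real traffic): one normal web session plus a host probing four ports.
SAMPLE = build_v5_datagram([
    ("192.0.2.5", "198.51.100.7", 50213, 80, 6, 12, 6400, 0x1b),
    ("198.51.100.7", "192.0.2.5", 80, 50213, 6, 10, 91000, 0x1b),
    ("203.0.113.9", "192.0.2.10", 41000, 22, 6, 1, 60, 0x02),
    ("203.0.113.9", "192.0.2.10", 41001, 23, 6, 1, 60, 0x02),
    ("203.0.113.9", "192.0.2.10", 41002, 80, 6, 1, 60, 0x02),
    ("203.0.113.9", "192.0.2.10", 41003, 443, 6, 1, 60, 0x02),
])
```

Run `probable_scanners(parse_v5(SAMPLE))` to see the single probing host reported while the completed web session is ignored.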