In Depth
Packets: Go with the Flow
Packet flows can help you monitor your network, trace a hacker's footsteps and see how your VPN is used
By Simson Garfinkel
December 01, 2004 — CSO — Packet flows are quickly becoming one of the most powerful tools to understand network dynamics and a variety of network-based security incidents. Flows are powerful because they are compact and easy to acquire, but nevertheless track the movements of every single packet that travels over your network. As a result, you can use flows not only to diagnose network inefficiencies and bottlenecks, but also to trace the source of virus infections and even gauge the extent of a hacker's snooping.
A packet flow is really nothing more than a record of how many packets, traveling between two specific computers, crossed a particular point on your network. But this record has an incredible amount of detail.
For example, a single flow record might indicate that between 6:15:03 and 6:15:08 a total of 531 packets moved from port 80 on computer HUT1 to port 5535 on computer DESK2. Since port 80 is reserved for Web servers, you might reasonably expect from this flow record that the computer HUT1 was running a Web server from which PANDA2 downloaded a webpage. That's probably good news if HUT1 is one of the servers on your department's intranet. It's bad news if HUT1 is the CEO's laptop and PANDA2 is an unknown computer connected to your wireless network.
The most popular format for flow records is the Cisco NetFlow, a format that is generated automatically by many Cisco routers. Here's how it works: The job of every router on the Internet is to look at each packet it receives, decide which of the router's neighbors would be the appropriate next hop and send the packet along. For a home router with just two interfaces, routing is relatively easy. Packets either go to the home LAN or to an upstream Internet provider. But for a medium-size corporate router that has five or 10 different interfaces, routing decisions can become quite complex. Rather than recomputing the next hop for every packet, the router computes the answer once and saves it in a piece of high-speed memory called the route cache.
Each entry in the route cache corresponds to an individual packet flow. Of course, a router's route cache isn't infinitely large; whenever a new flow starts up, the router needs to take the oldest flow out of the cache to make room. A few years ago, these expired cache entries were thrown away. But Cisco and others realized they could be useful, so now most routers make it possible to send the old cache entries to a logging server.
Monitor the Flow
The first significant use of flow data was for billing by ISPs. With appropriate post-processing, it's not hard to determine total data sent within a particular time and to measure peak throughput.
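The following is an added example, not code from the article or from Cisco, that models the mechanism described above on a small scale: a bounded flow cache keyed on source and destination address and port, which exports the oldest entry when a new flow arrives and the cache is full, plus the kind of post-processing the billing use case needs (total bytes in a window and peak one-second throughput). The packet list, host names (HUT1, PANDA2, DESK3, DNS1), byte sizes and the cache capacity are all constructed for illustration; real NetFlow records also key on protocol, type of service and input interface, and routers also age out idle flows, which this toy omits.

```python
"""Toy NetFlow-style flow cache and post-processing (added example, constructed data)."""
from collections import OrderedDict
from dataclasses import dataclass
from math import floor


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    first: float          # timestamp of the first packet seen (seconds)
    last: float           # timestamp of the most recent packet
    packets: int = 0
    octets: int = 0


class FlowCache:
    """Bounded cache keyed on (src, sport, dst, dport). When a new flow
    arrives and the cache is full, the oldest flow is exported, mirroring
    a router sending an expired route-cache entry to a logging server."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._cache: "OrderedDict[tuple, Flow]" = OrderedDict()
        self.exported: list = []

    def observe(self, ts, src, sport, dst, dport, size):
        key = (src, sport, dst, dport)
        flow = self._cache.get(key)
        if flow is None:
            if len(self._cache) >= self.capacity:
                _, oldest = self._cache.popitem(last=False)  # evict oldest
                self.exported.append(oldest)
            flow = Flow(src, sport, dst, dport, ts, ts)
            self._cache[key] = flow
        flow.last = ts
        flow.packets += 1
        flow.octets += size

    def flush(self):
        """Export everything still cached (e.g. at the end of a capture)."""
        self.exported.extend(self._cache.values())
        self._cache.clear()
        return list(self.exported)


def describe(flow: Flow) -> str:
    """Render a record the way the article phrases one."""
    return (f"{flow.packets} packets, {flow.octets} bytes from {flow.src}:{flow.sport} "
            f"to {flow.dst}:{flow.dport} between t={flow.first} and t={flow.last}")


def server_flows(flows, port=80):
    """Flows whose source port is a well-known server port (port 80 = web)."""
    return [f for f in flows if f.sport == port]


def summarize(flows, start, end):
    """Total bytes in [start, end] and the peak one-second throughput, spreading
    each flow's bytes evenly over the seconds it was active (a common
    approximation when only flow records, not packets, are available)."""
    bins = {}
    total = 0
    for f in flows:
        if f.last < start or f.first > end:
            continue
        total += f.octets
        seconds = range(floor(f.first), floor(f.last) + 1)
        share = f.octets / len(seconds)
        for s in seconds:
            bins[s] = bins.get(s, 0.0) + share
    if not bins:
        return 0, None, 0.0
    peak_second = max(bins, key=bins.get)
    return total, peak_second, bins[peak_second]


# Constructed packets: (timestamp, src, sport, dst, dport, bytes).
PACKETS = [
    (3.0, "PANDA2", 5535, "HUT1", 80, 200),     # client request
    (3.2, "HUT1", 80, "PANDA2", 5535, 1400),    # web server response begins
    (4.0, "HUT1", 80, "PANDA2", 5535, 1400),
    (5.0, "DESK3", 53123, "DNS1", 53, 60),      # third flow: cache (cap 2) evicts oldest
    (6.0, "HUT1", 80, "PANDA2", 5535, 1400),
    (8.0, "HUT1", 80, "PANDA2", 5535, 700),
]


def run_example(capacity=2):
    cache = FlowCache(capacity)
    for pkt in PACKETS:
        cache.observe(*pkt)
    return cache.flush()


if __name__ == "__main__":
    flows = run_example()
    for f in flows:
        print(describe(f))
    print(summarize(flows, 0, 10))
```

With a capacity of two, the DNS packet at t=5.0 forces the request flow PANDA2:5535 to HUT1:80 out of the cache, so it is exported first; the web-server flow (four packets, 4900 bytes) is the one `server_flows` picks out, which is exactly the inference the article draws from a source port of 80.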