
Robin


Nfsight is a client/server discovery tool running on top of Netflow. Its goal is to help administrators gain visibility over their network by automatically listing every new server detected passively within a perimeter of interest (typically the organization network where flows are collected). The program has two components: a back-end algorithm written in Perl that analyzes Netflow data, and a front-end web interface written in PHP that lets administrators browse the server activity. The back-end is a plugin for the NfSen framework (http://nfsen.sf.net).

[Installation]

[Functionalities]

About Client/Server Detection

Netflow is made of unidirectional flows. The goal of the backend [Algorithm] is to merge pairs of unidirectional flows into bidirectional flows. The main challenge addressed by the backend algorithm is to give the correct orientation (which side is the client, which side is the server) to the bidirectional flows it generates. For this, the backend algorithm uses a set of heuristics combined with Bayesian inference. As such, the algorithm learns over time and increases the accuracy of server detection.

End Points Classification

Every unidirectional or bidirectional flow has two end points:

  • A source end point, identified by {source IP; Protocol; Destination Port}
  • A destination end point, identified by {destination IP; Protocol; Destination Port}

Note: For the source end point, the Destination Port is recorded, not the Source Port, which is assumed to be randomly selected (ephemeral). End points are labeled according to the following rules:

  • Client end points are the source of unidirectional or bidirectional flows
  • Server end points are the destination of valid bidirectional flows
  • Invalid end points are the destination of unidirectional flows or invalid bidirectional flows
  • Scanner end points are the source of unidirectional or invalid bidirectional flows having contacted more than 5 distinct destination end points

Note: The validity of a bidirectional flow applies only for TCP flows and consists in checking the coherence in TCP flags and number of packets.

Note: End points are also classified according to their location: internal or external (defined by the perimeter of the organization network). To save on storage space, not all end points are reported to the front-end. Currently, only internal servers and internal/external scanners are stored.
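The following is an added example, not code from the Nfsight project, showing how the rules above can be applied to a batch of unidirectional NetFlow records: records are paired into bidirectional flows, each pair is oriented, TCP pairs are checked for validity, and every end point (identified as {IP; protocol; destination port}) is labeled client, server, invalid or scanner. Two points are my own assumptions rather than Nfsight's method: orientation is decided by a simple port heuristic (the direction heading to the lower port is taken as client to server) instead of Bayesian inference, and a TCP bidirectional flow is treated as "valid" when both directions carry ACK, the client direction carries SYN, and each direction has at least two packets. The flow records are constructed for the example.

```python
"""Added example (not Nfsight's own code): pair unidirectional NetFlow records,
orient them, test TCP validity and label end points as client / server /
invalid / scanner following the rules described on this page."""
from collections import defaultdict

SCAN_THRESHOLD = 5          # scanner: more than 5 distinct destination end points
TCP = 6
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10   # cumulative TCP flag bits


def flow(src, sport, dst, dport, proto=TCP, packets=1, flags=0):
    """One unidirectional NetFlow record (layout assumed for this example)."""
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, packets=packets, flags=flags)


# Constructed sample batch (one 5 minute flow file).
SAMPLE_FLOWS = [
    # completed HTTP session: both directions present, coherent flags
    flow("10.0.0.5", 51000, "10.0.0.80", 80, packets=6, flags=SYN | ACK | PSH | FIN),
    flow("10.0.0.80", 80, "10.0.0.5", 51000, packets=5, flags=SYN | ACK | PSH | FIN),
    # SYN to a closed port answered by RST: bidirectional but invalid
    flow("198.51.100.3", 40000, "10.0.0.10", 3306, packets=1, flags=SYN),
    flow("10.0.0.10", 3306, "198.51.100.3", 40000, packets=1, flags=RST | ACK),
    # unanswered SYN: unidirectional
    flow("10.0.0.7", 52000, "10.0.0.22", 22, packets=1, flags=SYN),
    # one source probing port 445 on six hosts with no reply: scanner
] + [flow("192.0.2.9", 60000 + i, f"10.0.0.{100 + i}", 445, flags=SYN) for i in range(6)]


def pair_flows(flows):
    """Group records by the unordered pair {(ip, port), (ip, port)} plus protocol,
    so the two directions of one conversation land in the same group."""
    groups = defaultdict(list)
    for f in flows:
        key = (frozenset([(f["src"], f["sport"]), (f["dst"], f["dport"])]), f["proto"])
        groups[key].append(f)
    return list(groups.values())


def orient(a, b):
    """Return (client_flow, server_flow). Assumption: the direction heading to
    the lower port is client -> server (Nfsight uses heuristics + Bayesian inference)."""
    return (a, b) if a["dport"] <= b["dport"] else (b, a)


def is_valid_tcp(client, server):
    """Coherence of TCP flags and packet counts (assumed definition of 'valid')."""
    return bool(client["flags"] & SYN and client["flags"] & ACK and server["flags"] & ACK
                and client["packets"] >= 2 and server["packets"] >= 2)


def classify_end_points(flows):
    """Return {end_point: set(labels)} where end_point = (ip, proto, dst_port)."""
    labels = defaultdict(set)
    contacted = defaultdict(set)   # source end point -> distinct destination end points it hit
    for group in pair_flows(flows):
        if len(group) == 1:                       # unidirectional: never answered
            f = group[0]
            src = (f["src"], f["proto"], f["dport"])
            dst = (f["dst"], f["proto"], f["dport"])
            labels[src].add("client")
            labels[dst].add("invalid")
            contacted[src].add(dst)
            continue
        client, server = orient(group[0], group[1])
        src = (client["src"], client["proto"], client["dport"])
        dst = (client["dst"], client["proto"], client["dport"])
        labels[src].add("client")
        valid = client["proto"] != TCP or is_valid_tcp(client, server)
        if valid:
            labels[dst].add("server")             # destination of a valid bidirectional flow
        else:
            labels[dst].add("invalid")            # destination of an invalid bidirectional flow
            contacted[src].add(dst)
    for src, dsts in contacted.items():           # scanner rule: > 5 distinct destinations
        if len(dsts) > SCAN_THRESHOLD:
            labels[src].add("scanner")
    return dict(labels)


if __name__ == "__main__":
    for ep, roles in sorted(classify_end_points(SAMPLE_FLOWS).items()):
        print(ep, sorted(roles))
```

Running the script lists `10.0.0.80` on TCP/80 as a server, the probing source `192.0.2.9` as both client and scanner, and the hosts that only ever received unanswered SYNs as invalid end points. Because the validity check looks at cumulative flags, the RST-answered connection to port 3306 stays an invalid bidirectional flow and does not promote `10.0.0.10` to a server.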

Data Aggregation

The backend algorithm works on 5 minute flow files. End points detected after each 5 minute batch are stored in a database and aggregated. There are three levels of data granularity:

  • Minute scale, for data analyzed from 5 minute flow files
  • Hour scale, for data aggregated per hour
  • Day scale, for data aggregated per day

Visualization and Color Code

When running a query on the server discovery data, a visualization table is displayed. Each line represents an end point and the table is divided into three sections:

  • IP, protocol and port identifying the end point are in the left section
  • Detection accuracy and metrics for each end point are in the central section
  • Time series of activity are in the right section

Source (client/scanner) and destination (server) end points are differentiated according to the background color of the port number. Gray indicates server, while red indicates client/scanner.
Time series of end point activity are made of colored table cells. Each cell represents one time slot at the selected scale: 5 minutes, 1 hour or 1 day. The saturation of the color of each cell indicates the number of flows. The cells are colored according to the following rules:

  • RED unanswered / scanner activity
  • BLUE client activity
  • GREEN server activity

The proportion of red/blue or red/green in each square indicates the number of invalid/valid bidirectional flows collected for the represented end point and time slot.
Hovering over a table cell pops up a summary of activity during that time window. Clicking on the cell brings up a detailed dump of the Netflow records that make up the measurement for that period.
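As an added example (not part of the Nfsight code base), the snippet below shows both the data aggregation described in the "Data Aggregation" section and the red/green or red/blue proportion described just above: per-5-minute counters for each end point are rolled up into hour and day cells, with valid (answered) and invalid (unanswered) flow counts kept apart so that the proportion shown in a cell can still be computed at every scale. The row layout and the timestamps are constructed for the example; Nfsight's database schema may differ.

```python
"""Added example (not Nfsight's own code): roll minute-scale end point counters
up to hour and day scale and compute the red (unanswered) share of a cell."""
from collections import defaultdict

SLOT = {"minute": 300, "hour": 3600, "day": 86400}   # seconds covered by one cell

# Constructed minute-scale rows: (slot start epoch, end_point, valid_flows, invalid_flows).
# 1409000400 is 21:00 UTC on 2014-08-25; 1409090400 is 22:00 UTC the next day.
MINUTE_ROWS = [
    (1409000400, ("10.0.0.80", 6, 80), 12, 1),
    (1409000700, ("10.0.0.80", 6, 80), 8, 0),
    (1409004300, ("10.0.0.80", 6, 80), 5, 2),    # 22:05, next hour
    (1409090400, ("10.0.0.80", 6, 80), 3, 9),    # next day
    (1409000400, ("192.0.2.9", 6, 445), 0, 40),  # scanner: nothing ever answered
]


def aggregate(rows, scale):
    """Return {(slot_start, end_point): (valid, invalid)} at the requested scale.
    Each timestamp is floored to the start of its minute/hour/day slot."""
    width = SLOT[scale]
    out = defaultdict(lambda: [0, 0])
    for ts, end_point, valid, invalid in rows:
        key = (ts - ts % width, end_point)
        out[key][0] += valid
        out[key][1] += invalid
    return {k: tuple(v) for k, v in out.items()}


def cell_shade(valid, invalid):
    """Share of the cell drawn red (invalid) and green/blue (valid); the total
    count, not returned here, would drive the colour saturation."""
    total = valid + invalid
    return (invalid / total, valid / total) if total else (0.0, 0.0)


if __name__ == "__main__":
    for scale in ("hour", "day"):
        for (start, ep), (valid, invalid) in sorted(aggregate(MINUTE_ROWS, scale).items()):
            print(scale, start, ep, (valid, invalid), cell_shade(valid, invalid))
```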

Collaboration

Users can annotate the data in three ways:

  • Users can save a given view by clicking on “save this view” in the client/server visualization page
  • Users can comment on IP addresses by clicking on them on the client/server visualization page
  • Users can comment on services by clicking on port number on the client/server visualization page

A knowledge base of network services is currently under development and can be accessed on the page Settings.
Related

Documentation: Algorithm
Documentation: Functionalities
Documentation: Installation
