Network Flow analysis by Michael W. Lucas - Book review

Management schools teach you that someone or something is effective if they do the right things and efficient if they do things right. The book "Network Flow Analysis" by Michael W. Lucas (published by No Starch Press and available on Amazon) is effective, because it covers what you need to know about network flows, and efficient, because it has the right lightweight format, although at times I missed a few explanatory drawings for those who learn visually.

The book is divided into an introduction and 9 chapters. In the intro, Michael first explains the reason for the book and the difference between what network management tools give the network expert and what working with network flows can provide.

I then started the book with chapter 1, where I really appreciated that the flow system architecture comes right after the definition of a network flow. This avoids confusion and saves the reader time. Actually, saving the reader time and leading them straight to the point is a constant throughout the entire book. As a small suggestion, I would have added to this chapter a short note stating that some TCP/IP networking concepts should already be known to the reader (well, actually, most readers will surely be network specialists).

Chapter 2 is the how-to 101 for installing and starting to operate network sensors and collectors using the free flow-tools available on Google Code. As a side note, I really liked seeing real command lines in the book. This is the reason why I will keep the book close to my machine; it can really be used as a basic manual for installing softflowd as a software-based network flow sensor and flow-capture as a flow collector. In addition, it was good to be reminded that the -arp switch in ifconfig brings up a network interface without participating in ARP.

Chapter 3 introduces the use of flow-cat and flow-print to view flows. In this chapter the junior network admin starts realising the potential value of net flows. My only "but" for this entire chapter is the reference to hexadecimal output. For future editions, I would propose highlighting and inserting a short explanation when talking about flow-print -f 0, which adds interface numbers but prints port and protocol information in hex.

Once the foundations have been laid out, chapter 4 turns to real-life aspects of net flows such as filtering. For that, Michael proposes the use of flow-nfilter, building filters out of primitives, knowing that each primitive can only include one type of match. The bonus point for this chapter would be a nice little diagram showing how primitives relate to filters.
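To make the primitive/filter relationship concrete, here is a small added example (my own, not taken from the book) of a flow-nfilter configuration: each primitive holds one kind of match, and a filter definition combines several primitives. The path /var/db/flows and the port list are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: write a flow-nfilter configuration.
# Each filter-primitive carries exactly one match type (ip-protocol or
# ip-port here); the filter-definition ties the primitives together.
write_web_filter() {
    cat > "$1" <<'EOF'
filter-primitive tcp-only
  type ip-protocol
  permit tcp

filter-primitive web-ports
  type ip-port
  permit 80
  permit 443

filter-definition web
  match ip-protocol tcp-only
  match ip-destination-port web-ports
EOF
}

# Build the pipeline the book's chapters 3 and 4 describe: concatenate the
# collector's files, keep only flows matching the "web" definition, print.
# Flow directory is an assumed placeholder; adjust to your flow-capture path.
web_flow_pipeline() {
    printf 'flow-cat %s | flow-nfilter -f %s -F web | flow-print -f 5\n' \
        "${2:-/var/db/flows/*}" "$1"
}

# Stand-alone usage: write the config, then show the command to run.
if [ "${1:-}" = "run" ]; then
    write_web_filter /tmp/web-filter.cfg
    web_flow_pipeline /tmp/web-filter.cfg
fi
```

Run the printed command on a collector host where flow-tools is installed; flow-nfilter reads the definition named by -F from the file given with -f.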

Chapter 5 follows the logical thread started by chapter 4: after filtering comes reporting. Actually, this is also a constant feature of this book: the reader never gets lost. It is easy to understand and follow the proposed script through the pages of the book. We learn how to use flow-cat in combination with flow-report and, later on, with flow-nfilter. This is one of the strong points of Michael's book. Smart network admins will surely come back to chapter 5 (and 6) regularly during their working day.

Chapter 6, at first glance, can be seen as hard core: Perl comes into the picture! However, Michael guides readers effectively through the jungle of installing Cflow.pm so that FlowScan can work, while mentioning useful tools such as flowdumper, a tool that shows everything in the flow record. This chapter also explains the difference between FlowScan and CUFlow.

Chapter 7 presents a collection of three tools: FlowViewer, FlowGrapher and FlowTracker. The first one is a web interface for flow-print and flow-nfilter, well suited mainly to network admins. The second one graphs arbitrary flow data and the third one generates RRD graphs based on flow data. This chapter introduces these tools and provides a basic manual, enough to start playing with them. Chapters 7 and 8 could probably trigger an entirely new book on visualising net flows.

Chapter 8 is the step-by-step basic manual for using gnuplot, the generic graphing tool on Linux, on this occasion, certainly, for network flow data; but in itself this chapter is a useful guide for anyone willing to start off on "the gnuplot experience".

Chapter 9 belongs to the "Swiss army knife" subset of this book (together with chapters 5 and 6). Once everything is installed, implemented and running, what do we do with it? Well, this chapter answers this question in a very practical way.

I have published a series of tweets (http://twitter.com/itsecuriteer) with a small number of valuable pearls coming out of reading this effective book. All in all, I agree with Mr. Bejtlich's comments about the book (see http://taosecurity.blogspot.com/2010/08/consider-reading-network-flow-analysis.html): a five-star book on network flows.

Finally, a little piece of advice: please read the afterword on page 189, where the author refers to key non-technical skills that all admins should have (and practise ;-) ).

Happy October reading!