Overview, Flow record types, Collecting flow records – H3C Technologies H3C Intelligent Management Center User Manual

1. Overview

User Behavior Auditor (UBA) is an IMC service component used to audit flow records that are generated by network devices. By analyzing flow records, UBA obtains information about network behaviors of users, which helps you to optimize network resources and regulate network behaviors.

Flow record types

Network devices use flow records to record network user behaviors. The UBA server can receive these flow records, analyze them, and then generate audit reports. UBA supports the following types of flow records:

• NAT 1.0—Records NAT session information, including IP address and port number translation, user access, and network flows.

• Flow 3.0—Records users' access to networks based on flows. Each flow is identified by a 5-tuple of the source IP address, destination IP address, source port, destination port, and protocol number.

• NetStream V5/V9 (H3C/HP devices)—Records users' access to networks based on flows. Each flow is identified by a 7-tuple of the source IP address, destination IP address, source port, destination port, protocol number, Type of Service (ToS), and inbound or outbound interface.

• NetFlow V5/V9 (Cisco devices)—Records users' access to networks based on flows. The NetFlow-enabled router or switch examines each packet based on seven key fields: source and destination IP addresses, source and destination ports, Layer 3 protocol type, ToS byte, and input logical interface. If packets share identical contents in each of the seven fields, the router or switch treats them as part of the same flow.

• DIG—For a device that does not support NAT 1.0, Flow 3.0, NetStream V5/V9, or NetFlow V5/V9, configure port mirroring on the device to mirror the traffic to be analyzed to the probe server. The probe server collects statistics of the received mirrored traffic and generates DIG logs. For more information about installing and configuring probes, see HP Intelligent Management Center Probe Installation Guide.
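The difference between the 5-tuple and 7-tuple flow keys described above affects how many records one session produces, which matters when audit data from different record types is compared. The following Python sketch is an added example, not part of the manual or of UBA; the field names and sample packets are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Packet(NamedTuple):          # hypothetical field names, for illustration
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int                     # IP protocol number (6 = TCP, 17 = UDP)
    tos: int                       # Type of Service byte
    iface: int                     # interface index the packet was seen on
    length: int                    # packet size in bytes

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")
SEVEN_TUPLE = FIVE_TUPLE + ("tos", "iface")

def aggregate(packets, key_fields):
    """Group packets into flows keyed by key_fields; count packets and bytes."""
    flows = defaultdict(lambda: [0, 0])
    for p in packets:
        entry = flows[tuple(getattr(p, f) for f in key_fields)]
        entry[0] += 1
        entry[1] += p.length
    return {k: tuple(v) for k, v in flows.items()}

def rollup_to_five_tuple(seven_tuple_flows):
    """Collapse 7-tuple flows to 5-tuple so they compare with 5-tuple records."""
    merged = defaultdict(lambda: [0, 0])
    for key, (pkts, octets) in seven_tuple_flows.items():
        merged[key[:5]][0] += pkts
        merged[key[:5]][1] += octets
    return {k: tuple(v) for k, v in merged.items()}

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0x00, 1, 1500),
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0x00, 1, 400),
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0xB8, 1, 200),   # ToS changed
    Packet("192.0.2.10", "198.51.100.5", 51000, 443, 6, 0x00, 2, 1500),  # other interface
    Packet("192.0.2.11", "198.51.100.5", 40000, 53, 17, 0x00, 1, 80),
]

if __name__ == "__main__":
    for name, fields in (("5-tuple", FIVE_TUPLE), ("7-tuple", SEVEN_TUPLE)):
        print(name)
        for key, (pkts, octets) in aggregate(SAMPLE, fields).items():
            print("  ", key, pkts, "packets", octets, "bytes")
```

With a 7-tuple key, the single HTTPS session in the sample splits into three records because the ToS byte and the interface vary; rolling those records up on the first five fields restores per-session totals.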

Collecting flow records

1. Identify the source data devices that will generate flow records according to the areas that you want to capture network flow data for.
For example, if you want to monitor network behaviors of the financial department staff, use the convergence layer switches or routers of the financial department network as the source data devices.

2. Choose flow-based traffic statistics technologies according to your needs.
For example, if you want to monitor user behaviors of accessing external networks, use Flow or NAT. If you want to monitor network behaviors between internal network users, use NetStream, NetFlow, or DIG probe.

NOTE:

Support for flow-based traffic statistics technologies depends on the vendor and the device model.