Home Blog Finding MAC addresses using Flexible NetFlow

Finding MAC addresses using Flexible NetFlow

    Rate this post

    Flexible Netflow

    So far, we have discussed NetFlow configuration for network devices from various vendors such as Cisco, Juniper, Huawei, VyOS. We have collected layer 3 and 4 traffic information such as source/destination IP addresses, UDP/TCP protocol and source/destination ports. An old NetFlow v5 perfectly suits this purpose and very likely it is supported by legacy network devices. However, very often Layer2 information is required to detect and analyze attacks that are targeting Layer2. In other words, we also need to collect MAC addresses and Virtual LAN (VLAN) IDs. This is the scenario when the Flexible NetFlow comes in handy.

    Flexible NetFlow allows users to configure and customize the information that is exported. It also enables the export of Layer2 fields such as MAC addresses and VLAN IDs from traffic. Let’s have a simple network topology consisting of Cisco multilayer switch that is configured as a Flexible NetFlow exporter (Picture 1). The switch collects information about inter-VLAN traffic between VLAN 10 and 20 (PC1, PC2, and PC3) and traffic sent from the VLAN subnets to the Internet. NetFlow records are exported to the collector, UDP port 2055. The ports Gi0/0 and Gi0/1 are configured as routed ports; all other interfaces are switch ports configured with access to either VLAN 10 or 20.

    Flexible NetFlow Diagram

    Picture 1: Network Topology

    Note: Before you start with the Flexible NetFlow configuration, you need to be sure that a NetFlow collector accepts layer 2 information and it can display it.


    1. Flexible NetFlow Configuration

    In general, Flexible NetFlow consists of 3 components:

    1) Flow Record
    2) Flow Exporter
    3) Flow Monitor

    The following is a set of commands for a Cisco multilayer switch in order to enable Flexible NetFlow on the interfaces VLAN 10 and VLAN 20, with the flows exported to the collector

    1.1 Customized Flow Record

    Create a new customized flow record MAC_RECORD. A customized flow record must have at least one match criterion for use as the key field and typically has at least one collect criterion for use as a nonkey field.

    flow record MAC_RECORD
     match datalink mac source address input
     match datalink mac destination address input
     match ipv4 protocol
     match ipv4 source address
     match ipv4 source mask
     match ipv4 destination address
     match ipv4 destination mask
     match transport source-port
     match transport destination-port
     match interface input
     match interface output
     collect counter bytes
     collect counter packets
     collect timestamp sys-uptime first
     collect timestamp sys-uptime last
    1.2 Flow Exporter

    Create a new flow exporter MAC_EXPORT. Define IP address and the UDP port of the NetFlow collector, the interface used for the flow export and the timeout for template export in seconds.

    flow exporter MAC_EXPORT
     description flexible NetFlow version 9
     source GigabitEthernet0/0
     transport udp 2055
     template data timeout 60
    1.3 Flow Monitor

    Create a new flow monitor MAC_MONITOR. Assign the flow record MAC_RECORD and the flow exporter MAC_EXPORT to the flow monitor.

    flow monitor MAC_MONITOR
     description MAC Addresses Monitor
     exporter MAC_EXPORT
     cache timeout active 30
     record MAC_RECORD
    1.4 Assign Flow Monitor to VLAN Interfaces

    Apply flow monitor MAC_MONITOR to input traffic for VLAN10 and 20 interfaces. In case you want NetFlow to cover unicast intra-VLAN traffic, you have to apply a flow monitor to physical switchports, e.g GigabitEthernet0/1.

    interface Vlan10
     ip flow monitor MAC_MONITOR input
     ip address
    interface Vlan20
     ip flow monitor MAC_MONITOR input
     ip address

    The first flow record in the NetFlow cache of the switch is depicted in Picture 2. It includes traffic statistics about ICMP packets sent from PC3 – in VLAN20 (MAC address 0CAC.5DC0.0500) to PC1 – in VLAN10. The MAC address 0CAC.5D2D.8014 is the MAC address of the VLAN20 interface. This is correct as Layer2 headers are always changed by a Level3 network device (router or a multilayer switch) when packets are forwarded between different Layer3 broadcast domains. The flow contains 29 ICMP packets (IP protocol 1) with 2436 bytes along with additional information such as timestamps and source/destination prefixes /24.Flow Record in Exporter’s Cache with ICMP Traffic

    Picture 2: Flow Record in Exporter’s Cache with ICMP Traffic

    TCP traffic (IP protocol 6) sent from the host PC3 (, VLAN20 to the Internet ( is depicted on Picture 3. More particularly, it is HTTPS traffic (destination TCP port 443) sent from PC3 via the interface GigabitEthernet1/0 to the network assigned to Akamai International B.V., BGP AS number 20940.

    Since broadcast traffic from hosts in a particular VLAN hits a VLAN interface of the switch, we can obtain information about broadcast traffic, as well. The flow record shown in Picture 4 depicts DHCP DISCOVER message sent from the host PC1 (0CAC.5DA1.1400), source UDP port 68, to all hosts in VLAN10, (MAC address FFFF.FFFF.FFFF), destination UDP port 67. This is the first message in a series of DORA (Discover, Offer, Request, Assign) messages that PC1 is using to obtain an IP address from DHCP server in VLAN10 subnet.


    Flow Record with HTTPS Traffic

    Picture 3: Flow Record with HTTPS Traffic

    Flow Record with DHCP Request Message

    Picture 4: Flow Record with DHCP Request Message

    If we need to show the volume of traffic leaving VLAN networks per host along with broadcast traffic, we can aggregate flow records based on the source MAC and IP address fields (Picture 5). The host (PC3) is a top talker with the most packet and byte counts but with the lowest number of flows equal 2.  The higher number of flows with a small number of bytes and packets for hosts in VLAN 10 ( indicates that the hosts perform a certain scan type (ICMP or TCP).

    Netflow-exporter# show flow monitor MAC_MONITOR cache aggregate datalink mac source address input ipv4 source address

    Aggregated Flow Records based on Source MAC and IP Addresses

    Picture 5: Aggregated Flow Records based on Source MAC and IP Addresses

    Notice the higher number of consecutive 1-packet flows with source IP address (MAC 0CAC.5D15.2100) and destination IP address from the subnet, destination TCP ports 80, 443 in the report Nmap_Scan_Internet.pdf. It confirms that PC2 is conducting a TCP scan in order to detect web servers in the IP address space assigned to Universidade Federal Rural do Rio de Janeiro. The number of bytes per flow is flat – always counting 60 Bytes.

    The second report MAC_flooding_attack.pdf shows a huge number of flows that count one packet with a constant number of 20 bytes. The source MAC address and source/destination IP addresses differ for each flow. Furthermore, flows are generated by a host in the VLAN 20. In fact, the report contains flow records collected during a MAC address flooding attack. The attack is conducted against the switch with the aim to consume a limited switch memory where learned MAC addresses are temporally stored. Once the CAM memory is full, the switch acts as a primitive hub, sending frames out of each port. As a result, an attacker can be successful in eavesdropping conversations or crashing the switch.


    Unlike IP addresses, that are very often dynamically allocated, MAC addresses are unique identifiers that can be used to reliably identify hosts in your network. Flexible NetFlow allows users to collect VLAN IDs or MAC addresses. Therefore, if your current NetFlow collector supports this feature, configure Flexible NetFlow to collect Layer 2 information. It gives you an ability to correlate IP and MAC addresses in the process of hosts identification.


    Leave a Reply