Home page logo
/

nanog logo nanog mailing list archives

Re: Interesting netflow entry
From: Bill Nash <billn () odyssey billn net>
Date: Mon, 6 Feb 2006 18:19:59 -0500 (EST)



On Mon, 6 Feb 2006, Wil Schultz wrote:


Here is another pattern, sourced off of one the destinations:


[snip]

You may find it far simpler to just ask the person who owns the sources that those packets are. While this may not be politically feasible (insert network and privacy policies here), given the amount of VPN traffic that's encapsulated in UDP, that may be anything. The problem with netflow is that it does reveal many interesting, hypnotic patterns inside your network. Having spent my share of time on the receiving end of that lunacy, I can only offer this advice: Drinking from the firehose is only funny for a little while.

Depending on your deployment method (transit flow monitoring vs locally sourced, data center vs office campus, college campus vs four hippies with tin cans), identifying flows may be far easier if you have a network inventory to refer to. Even something as simple as parsing XML output from NMAP into a db will give you better insight into what your flows are.

Incidentally (because I ask everyone this), what's your flow volume (flows per second)?

- billn


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]