
nanog mailing list archives

Re: Interesting netflow entry
From: Wil Schultz <wschultz () wilcomm net>
Date: Mon, 06 Feb 2006 16:30:33 -0800


Bill Nash wrote:

You may find it far simpler to just ask the person who owns the sources that those packets are. While this may not be politically feasible (insert network and privacy policies here), given the amount of VPN traffic that's encapsulated in UDP, that may be anything. The problem with netflow is that it does reveal many interesting, hypnotic patterns inside your network. Having spent my share of time on the receiving end of that lunacy, I can only offer this advice: Drinking from the firehose is only funny for a little while.

Depending on your deployment method (transit flow monitoring vs locally sourced, data center vs office campus, college campus vs four hippies with tin cans), identifying flows may be far easier if you have a network inventory to refer to. Even something as simple as parsing XML output from NMAP into a db will give you better insight into what your flows are.

Incidentally (because I ask everyone this), what's your flow volume (flows per second)?

- billn

Cannot get ahold of the machine until tomorrow. I did a 'wc' on 4 devices for 5 minutes and it comes out to just under 3600, about 11-12 per second...

-Wil

