[88468] in North American Network Operators' Group


Re: Interesting netflow entry

daemon@ATHENA.MIT.EDU (Bill Nash)
Mon Feb 6 18:27:52 2006

Date: Mon, 6 Feb 2006 18:19:59 -0500 (EST)
From: Bill Nash <billn@odyssey.billn.net>
To: Wil Schultz <wschultz@wilcomm.net>
Cc: nanog@nanog.org
In-Reply-To: <43E7CB37.8070305@wilcomm.net>
Errors-To: owner-nanog@merit.edu



On Mon, 6 Feb 2006, Wil Schultz wrote:

>
> Here is another pattern, sourced off of one of the destinations:
>

[snip]

You may find it far simpler to just ask the person who owns the sources
what those packets are. While this may not be politically feasible (insert
network and privacy policies here), given the amount of VPN traffic that's 
encapsulated in UDP, that may be anything. The problem with netflow is 
that it does reveal many interesting, hypnotic patterns inside your 
network. Having spent my share of time on the receiving end of that 
lunacy, I can only offer this advice: Drinking from the firehose is only 
funny for a little while.

Depending on your deployment method (transit flow monitoring vs locally 
sourced, data center vs office campus, college campus vs four hippies with 
tin cans), identifying flows may be far easier if you have a network 
inventory to refer to. Even something as simple as parsing XML output from 
NMAP into a db will give you better insight into what your flows are.

Incidentally (because I ask everyone this), what's your flow volume 
(flows per second)?

- billn
