[88469] in North American Network Operators' Group
Re: Interesting netflow entry
daemon@ATHENA.MIT.EDU (Wil Schultz)
Mon Feb 6 19:31:11 2006
Date: Mon, 06 Feb 2006 16:30:33 -0800
From: Wil Schultz <wschultz@wilcomm.net>
Reply-To: wschultz@wilcomm.net
To: Bill Nash <billn@odyssey.billn.net>
Cc: nanog@nanog.org
In-Reply-To: <Pine.LNX.4.64.0602061805280.8783@odyssey.billn.net>
Errors-To: owner-nanog@merit.edu
Bill Nash wrote:
> You may find it far simpler to just ask the person who owns the
> sources what those packets are. While this may not be politically
> feasible (insert network and privacy policies here), given the amount
> of VPN traffic that's encapsulated in UDP, that may be anything. The
> problem with netflow is that it does reveal many interesting, hypnotic
> patterns inside your network. Having spent my share of time on the
> receiving end of that lunacy, I can only offer this advice: Drinking
> from the firehose is only funny for a little while.
>
> Depending on your deployment method (transit flow monitoring vs
> locally sourced, data center vs office campus, college campus vs four
> hippies with tin cans), identifying flows may be far easier if you
> have a network inventory to refer to. Even something as simple as
> parsing XML output from NMAP into a db will give you better insight
> into what your flows are.
>
> Incidentally (because I ask everyone this), what's your flow volume
> (flows per second)?
>
> - billn
>
Cannot get ahold of the machine until tomorrow. I did a 'wc' on 4
devices for 5 minutes and it comes out to just under 3600, about 11-12
per second...
-Wil