Scrutinizer v7.3 – Flow Analytics – Top Flows
Posted in Scrutinizer on December 14th, 2009 by scottr
A couple of weeks ago I began a series of blogs that introduced you to the new Flow Analytic tools that are available with Plixer International’s latest NetFlow and sFlow analysis tool, Scrutinizer v7.3.
Today I will be introducing you to the fourth of the new analytic tools now available with Scrutinizer v7.3. The Top Flows algorithm, found under Flow Analytics – Top Flows, checks whether hosts involved in large numbers of flows have a large percentage of flows that are incomplete. This is determined by looking at the TCP flags field in each flow record.
If it is a TCP flow record and it does not have the FIN flag set, it could indicate a host that is not able to make a full connection to the host it is trying to reach. This is typical for things like port scans and even P2P applications. Another possibility is that a host just has a misconfigured application that needs to be addressed.
The alert is reported as an Unfinished Flows Violation in the Threats Overview window.
The setup for the Top Flows algorithm involves using the Flow Analytics Overview gadget to enable Top Flows, and then adding the devices that you want to monitor Top Flows from. It is suggested that core switches as well as Internet routers be included in this algorithm.
Uncheck the Disable box, and click on the router icon to add/remove devices.
From the Admin Tab, in the Flow Analytics link under Settings, there are two items that can be used to configure the alerting threshold for this algorithm.
- Minimum connections – This allows you to configure how many connections a host must have in a 5 minute period before an alert is considered.
- Minimum Flows – This number represents the minimum percentage of all flows that are unfinished. It is perfectly normal to occasionally have a flow that doesn’t finish, but when the percentage gets higher it is more likely that the host is doing something that you don’t want on your network.
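To make the two thresholds concrete, here is an added example (not Scrutinizer's own code) that applies the same rule to a constructed five minute window of flow records: per source host, count the TCP flows, treat each one without the FIN bit as unfinished, and report only the hosts that pass both the minimum-connections and the minimum-percentage checks. The record layout, the helper names and the sample addresses are assumptions of the example.

```python
from collections import defaultdict

# Bit values of the NetFlow tcp_flags field (cumulative OR of the TCP flags seen in the flow)
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10

def unfinished_flow_violations(flows, min_connections, min_unfinished_pct):
    """Apply the Top Flows rule to one 5 minute window of flow records.

    Returns {src_host: (tcp_flows, unfinished, percent)} for hosts that have at
    least min_connections TCP flows and whose share of flows lacking the FIN
    flag reaches min_unfinished_pct (the "Minimum Flows" setting, as a percentage).
    Assumed record shape: dicts with src, dst, dport, proto, tcp_flags."""
    totals = defaultdict(int)
    unfinished = defaultdict(int)
    for rec in flows:
        if rec["proto"] != 6:          # only TCP records carry meaningful flags
            continue
        totals[rec["src"]] += 1
        if not (rec["tcp_flags"] & TCP_FIN):
            unfinished[rec["src"]] += 1
    violations = {}
    for host, total in totals.items():
        if total < min_connections:
            continue
        pct = 100.0 * unfinished[host] / total
        if pct >= min_unfinished_pct:
            violations[host] = (total, unfinished[host], round(pct, 1))
    return violations

def sample_flows():
    """Constructed window (not captured traffic): 10.0.0.5 sends SYN-only flows to
    many ports and completes one session; 10.0.0.7 completes most sessions; 10.0.0.9
    is too quiet to reach the minimum-connections threshold; one UDP flow is ignored."""
    def rec(src, dst, dport, proto=6, flags=0):
        return {"src": src, "dst": dst, "dport": dport, "proto": proto, "tcp_flags": flags}
    flows = [rec("10.0.0.5", "10.0.0.100", p, flags=TCP_SYN) for p in range(1, 21)]
    flows.append(rec("10.0.0.5", "10.0.0.100", 80, flags=TCP_SYN | TCP_ACK | TCP_FIN))
    flows += [rec("10.0.0.7", "10.0.0.200", 443, flags=TCP_SYN | TCP_ACK | TCP_FIN) for _ in range(18)]
    flows += [rec("10.0.0.7", "10.0.0.200", 443, flags=TCP_SYN | TCP_ACK | TCP_RST) for _ in range(2)]
    flows += [rec("10.0.0.9", "10.0.0.100", 22, flags=TCP_SYN) for _ in range(3)]
    flows.append(rec("10.0.0.9", "10.0.0.100", 53, proto=17))
    return flows

if __name__ == "__main__":
    for host, (total, bad, pct) in unfinished_flow_violations(sample_flows(), 10, 50).items():
        print(f"Unfinished Flows Violation: {host} {bad}/{total} TCP flows unfinished ({pct}%)")
```

Lowering the minimum-connections value makes the quiet host appear as well, which is why the connection floor matters as much as the percentage.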
I hope you enjoyed your introduction to the new analytic tools that are available in Scrutinizer v7.3. All of these Flow Analytic algorithms are intended to help our customers with improved network traffic analysis and network traffic monitoring.
-Scott
Tags: Flow analytic tools, NetFlow and sFlow analysis tool, Network Traffic Analysis, network traffic monitoring, Plixer International, port scans, Scrutinizer v7