A couple of weeks ago I began a series of blogs that introduced you to the new Flow Analytic tools that are available with Plixer International’s latest NetFlow and sFlow analysis tool, Scrutinizer v7.3.
Today I will be introducing you to the fourth of the new analytic tools now available with Scrutinizer v7.3. The Top Flows algorithm utilizes Flow Analytics – Top Flows, and checks to see if hosts involved with large numbers of flows have a large percentage of flows that are incomplete. This is determined by looking at the TCP flags field in each flow record.
If it is a TCP flow record and it does not have the FIN flag set, it could indicate a host that is not able to make a full connection to the host it is trying to reach. This is typical for things like port scans and even P2P applications. Another possibility is that a host just has a misconfigured application that needs to be addressed.
Read more »