SharkFest 2009: Internet father Robert Lawrence proposes standard for improved Internet traffic flows

Posted in NetFlow on July 25th, 2009 by mike@plixer.com

I know that I already blogged about being back from SharkFest 2009. I wanted to write about my favorite keynote speaker, Dr. Lawrence Roberts. He was one of the founders of the Internet and TCP/IP.

Overview of Internet growth
During his presentation he said that 80% of Internet traffic is caused by 5% of the people and most of the traffic created by this 5% is P2P. He went on to point out that in 2008 22% of the population was online. By 2018 it will be at 99%.


Michael Patterson
Founder and CEO

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


SharkFest 2009 a Great Event

Posted in NetFlow Analyzer on June 20th, 2009 by mike@plixer.com

I got back from SharkFest 2009 last night. The people and training were awesome. I learned about TCP windows, Nagle, Stevens graphs, and more … wow. I definitely learned more about how Wireshark can Go Deeper.

Check this out, I got to have lunch and discuss some stuff with Gerald Combs, the founder of WireShark.  I can prove it; here I am having my picture taken with him!


Michael Patterson
Founder and CEO


Setting up Cisco NetFlow security event logging for Cisco ASA

Posted in NetFlow, NetFlow Analyzer on June 2nd, 2009 by mike@plixer.com

I’m working with a customer’s Cisco ASA device and we are exporting NetFlow v9 to Scrutinizer to do some Cisco NetFlow traffic analysis. Fun stuff, but NetFlow Security Event Logging or NetFlow Event Logs isn’t just about traffic in and out of an interface. Some of the exports are more like syslogs. Up to 18 messages can be placed into a single NetFlow v9 packet.

Interested in trying it?

For those of you interested in ASA NetFlow, I believe it is offered standard on any code revision with the ASA 5580 series; on any lower numbered ASA models you will need ASA 8.2.x code to enable the feature. Someone please tell me if this is incorrect.

Wireshark didn’t decode it
Hopefully someone at Cisco is working on the decodes for Wireshark.

Maybe I’ll bring it up at Wireshark Sharkfest in Palo Alto, Calif. next month! Yeeee HAAAAAA. I hope to see some of you there.

This isn’t your typical NetFlow
Three event types can trigger a NetFlow record.
* flow-create
* flow-denied
* flow-teardown

Of course a NetFlow collector IP address has to be entered into the ASA appliance, along with a few other commands, for it to send flow records. Use the Modular Policy Framework to customize the details of NetFlow functionality.

Enabling NetFlow on the ASA

You will also need to define a Service policy pointing the flow data to the analyzer server. The below assumes your ASA is still using the default global policy.

policy-map global_policy
class class-default
flow-export event-type all destination x.x.x.x

The above is CLI, but NetFlow can be configured in the Cisco ASDM GUI by clicking:

  • Configuration->Firewall->Service Policy Rules.
  • Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.


Cisco ASA NetFlow commands for specific Events
Example: Log Flow Creation events between hosts 10.1.1.1 and 10.2.2.2
The Internal NetFlow Collector server is 192.168.100.1

ASA (config)# flow-export destination inside 192.168.100.1 2055
ASA (config)# flow-export template timeout-rate 1
ASA (config)# access-list flow_export_acl permit ip host 10.1.1.1 host 10.2.2.2
ASA (config)# class-map flow_export_class
ASA (config-cmap)# match access-list flow_export_acl
ASA (config)# policy-map flow_export_policy
ASA (config-pmap)# class flow_export_class
ASA (config-pmap-c)# flow-export event-type flow-create destination 192.168.100.1
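The “Wireshark didn’t decode it” remark and the note that up to 18 event messages ride in a single NetFlow v9 packet both come down to the same mechanics: the collector first receives a template flowset describing the record layout, and only then can it decode the data flowsets that follow against that cached template. The Python script below is an added illustration, not Plixer’s or Cisco’s code. It builds a constructed v9 packet carrying one template and three NSEL-style records (create, denied, teardown between the two hosts from the example above), then decodes it the way a collector does, and shows what happens when the data arrives before the template. The field IDs are the standard NetFlow v9/IPFIX ones, with IANA IPFIX element 233 (firewallEvent) carrying the event type; the record layout, addresses and packet bytes are constructed for this example and are not a real ASA export.

```python
import socket
import struct

# Standard NetFlow v9 / IPFIX field IDs used by the constructed template below.
# Field 233 is IANA IPFIX "firewallEvent", which carries the NSEL event type.
FIELD_NAMES = {8: "src_ipv4", 12: "dst_ipv4", 7: "src_port", 11: "dst_port",
               4: "protocol", 233: "fw_event"}
# Value names follow the IANA firewallEvent definition; 1/2/3 are the three
# event types named in the post (flow-create, flow-teardown, flow-denied).
FW_EVENT = {0: "ignore", 1: "flow-create", 2: "flow-teardown",
            3: "flow-denied", 4: "flow-alert", 5: "flow-update"}

TEMPLATE_ID = 256  # data template IDs start at 256; 0 = template flowset
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (233, 1)]  # (field id, length)


def build_packet(records, include_template=True):
    """Constructed v9 export packet: [20-byte header][template flowset][data flowset]."""
    flowsets, rec_count = b"", len(records)
    if include_template:
        body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
        body += b"".join(struct.pack("!HH", f, l) for f, l in TEMPLATE_FIELDS)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body
        rec_count += 1  # header count covers template records as well as data records
    data = b""
    for src, dst, sport, dport, proto, event in records:
        data += socket.inet_aton(src) + socket.inet_aton(dst)
        data += struct.pack("!HHBB", sport, dport, proto, event)
    pad = (-len(data)) % 4  # data flowsets are padded to a 4-byte boundary
    flowsets += struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    # version, count, sysUptime, unix secs, sequence, source id (constructed values)
    header = struct.pack("!HHIIII", 9, rec_count, 123456, 1243900000, 1, 0)
    return header + flowsets


def _parse_templates(body, templates):
    """Cache every template record in a template flowset (ID 0)."""
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        if nfields == 0:  # trailing padding, not a template
            break
        pos += 4
        templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
        pos += 4 * nfields


def _parse_data(body, fields):
    """Slice fixed-length records out of a data flowset using the cached template."""
    rec_len = sum(l for _, l in fields)  # padding (< 4 bytes) is shorter than any real record here
    out, pos = [], 0
    while pos + rec_len <= len(body):
        rec = {}
        for fid, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            name = FIELD_NAMES.get(fid, "field_%d" % fid)
            rec[name] = socket.inet_ntoa(raw) if name.endswith("_ipv4") and flen == 4 \
                else int.from_bytes(raw, "big")
        if "fw_event" in rec:
            rec["fw_event"] = FW_EVENT.get(rec["fw_event"], "unknown")
        out.append(rec)
    return out


def parse_packet(data, templates):
    """Decode one v9 packet; 'templates' is the per-exporter cache kept across packets."""
    version, _count, _uptime, _secs, _seq, _src = struct.unpack_from("!HHIIII", data, 0)
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, offset = [], 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, offset)
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, offset))
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:
            _parse_templates(body, templates)
        elif fs_id >= 256:
            if fs_id in templates:
                records.extend(_parse_data(body, templates[fs_id]))
            else:  # the state a sniffer is in when it missed the template: bytes, no meaning
                records.append({"template_id": fs_id, "undecoded": True})
        # options templates (flowset ID 1) are not handled in this example
        offset += fs_len
    return records


def demo():
    """Three constructed NSEL events for the 10.1.1.1 <-> 10.2.2.2 pair used in the post."""
    pkt = build_packet([("10.1.1.1", "10.2.2.2", 40000, 443, 6, 1),
                        ("10.1.1.1", "10.2.2.2", 40001, 22, 6, 3),
                        ("10.1.1.1", "10.2.2.2", 40000, 443, 6, 2)])
    return parse_packet(pkt, {})


if __name__ == "__main__":
    for rec in demo():
        print(rec)
    print(parse_packet(build_packet([("10.1.1.1", "10.2.2.2", 1, 2, 6, 1)], False), {}))
```

Running it prints the three decoded events and then a single “undecoded” entry for the data-only packet, which is why a collector (or a capture tool) that starts listening after the template was sent sees nothing useful until the next template refresh; the low template timeout-rate in the configuration above shortens that window.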

Configuring NetFlow

This page was very helpful to determine the above configuration commands for NetFlow on the ASA 5580 using ASDM.

Displaying the NetFlow

Navigate to the graphical trends as shown below in the Status tab of Scrutinizer v7.

[Screenshot: asaTemplates]

[Screenshot: asaTrend]


Limitation in v7

  • Displays data in 1 minute intervals only as roll ups were not completed in time for the release. Up to 5 hours in 1 minute intervals can be displayed by using the ‘Auto’ interval option.
  • Interfaces do not show up in the Status tab. You must navigate to the templates as outlined above.
  • This is fixed in the next release.

May 9th, 2012 UPDATE:  New Cisco NSEL Reports in Scrutinizer v9.  Check them out.

Michael Patterson
Founder and CEO


New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by Jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step by step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application from my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall?”, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks, is quoted as saying, “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.


Jimmy D the Netflow Detective


Join the NetFlow Developments group on LinkedIn.


What training is available for Scrutinizer NetFlow Analyzer?

Posted in General, NetFlow, NetFlow Analyzer, Scrutinizer on April 14th, 2009 by Joanne

Do you already use Scrutinizer NetFlow Analyzer? Do you need training on how to use it or what it has to offer? We have various free training options available, for current users of Scrutinizer, or for those who are evaluating different Cisco NetFlow analyzers and want to see how Scrutinizer holds up to the competition.


Come to SHARKFEST ’09 for Wireshark & Scrutinizer training ($100 off registration)

Posted in NetFlow, Scrutinizer on April 13th, 2009 by mike@plixer.com

Greetings key SHARKFEST ’09 participants:
For those interested in Wireshark training, there is a special promotion for $100 off the registration price of $695 running through April 15, 2009 (U.S. tax day). Plixer is sponsoring the event and will be presenting Scrutinizer v7.

Join us for SHARKFEST ’09 Wireshark Network Analysis Training Summit | Get $100 off through April 15!

Taking place June 15-18, 2009 at Stanford University in Palo Alto, California. Register by April 15, 2009 with the code “SHARKFESTSP” to get a $100 USD discount off the $695 price. In addition, every paid registrant will receive a FREE AirPcap Classic adapter (SRP $198 USD). NOTE: If this code is used, no other discounts apply. For more information and to register, visit http://www.cacetech.com/sharkfest.09/.

Join the SHARKFEST ’09 conversation! Find us on Facebook and LinkedIn.

Maybe I’ll see you there.  :)

Michael Patterson
Founder and CEO


Press Release: Plixer joins Sharkfest as a co-sponsor

Posted in General, IT News, Scrutinizer on April 1st, 2009 by Brian

Plixer International, Inc. today announces that it is sponsoring the 2009 Wireshark event being held in June.

Sanford, Maine (PRWEB) April 1, 2009 — Plixer International, NetFlow analysis software developer, has signed on to sponsor Wireshark’s yearly educational event. Sharkfest 2009 is being held in Stanford, California, at Stanford University.

“Wireshark and Scrutinizer complement each other nicely, and we felt this would be a great opportunity to introduce our latest version. Wireshark is being used by most of our customers for packet analysis. These same customers are using our free version of Scrutinizer, or our commercial edition, to analyze the NetFlow and sFlow data. They are complementary products.” Michael Patterson – Scrutinizer Product Manager.

Plixer International will be presenting on “Successful Ways to Use NetFlow and IP SLA: Jitter” in the Advanced User track on Wednesday, June 17th from 10:45am to 12:15pm. Visit Plixer.com for more information on Plixer’s involvement in Sharkfest.

Plixer is offering a complimentary copy of Scrutinizer NetFlow & sFlow Analyzer to those who attend the conference. Contact your Plixer representative for details.

Scrutinizer System Requirements:
System requirements can vary depending on specific product implementations. Operating platforms include Windows 2000/2003/XP.

Pricing:
Prices start at $995 for 2 routers and range up to $8,995 for unlimited routers.
The Scrutinizer Flow Analytics add-on module is available for $4,995.
For more information on Scrutinizer product pricing visit the Plixer Purchase Options page.

Evaluation:
Contact Plixer pre-sales support for an evaluation of Scrutinizer NetFlow & sFlow Analyzer and Scrutinizer Flow Analytics.

About Plixer International, Inc.
Plixer International, Inc. develops and markets network management and analysis tools to the global market. All of the tools are built from the ground up with valuable feature sets and ease of use in mind. Plixer tools have been used to analyze and troubleshoot irregular traffic patterns by IT professionals with some of the largest networks in the world, such as CNN, The Coca-Cola Company, Abercrombie & Fitch, Lockheed Martin, IBM, Regal Cinemas, Raytheon, Sony, and Eddie Bauer.

Brian
