
Forensic Investigation with Flow Data

The Scrutinizer System

Scrutinizer™ is the foundation of the Plixer incident response and behavior analysis architecture. It is available as a physical or virtual appliance, or as a Windows download. Scrutinizer performs the collection, threat detection, and reporting of all flow technologies on a single platform. It delivers real-time situational awareness into the applications and their historical behaviors on the network.

Enterprise Visibility

  • Massive scalability, supporting dozens of distributed collectors
  • Capable of archiving and analyzing several million flows per second
  • Topology mapping with active links
  • Deduplication and stitching across collectors

Individual Appliance

  • A single flow collection system supporting over 2000 flow sources
  • Collect up to 200,000 flows per second
  • All flow technologies supported on a single system (e.g. NetFlow, sFlow, IPFIX, J-Flow, NetStream, etc.)

Flow Analytics

  • Forensic audit trail reporting
  • Threat detection of odd traffic patterns
  • Threat reputation support
  • Threat Index™ indicates weighted threat severity over time
  • Archiving of raw data for decades

Advanced Reporting

  • Additional reports for Cisco, Palo Alto, Citrix and dozens of other vendors
  • Behavior baselines and alerting based on abnormalities, compared to historical trends
  • Custom threat detection algorithms
  • Integration with Cisco ISE or Microsoft for end user name identification
  • Design and build custom reports for exports from any vendor (e.g. Cisco NBAR, AVC, etc.)

Multi Tenancy

  • Support for hundreds of unique login accounts with access limited to specified data
  • Billing and invoicing support

FlowPro Defender™

  • Extends flow support in areas where NetFlow, sFlow, or IPFIX are not available
  • Detailed metrics on applications, response times, and usernames
  • Exports NetFlow and IPFIX

Flow Replicator

  • Eases the forwarding of flows from routers, switches, or servers to multiple collection systems
  • High speed architecture capable of 10GbE wire speeds
  • Leaves the originator address intact
  • Available in hardware or as a virtual appliance

Additional Functions

Third Party Support and Cross Check is part of Advanced Reporting. It consolidates application alerts or errors and helps alleviate device naming inconsistencies between applications. The status of 3rd party applications is reflected in the Scrutinizer network maps.

Flowalyzer™: Real-time tool kit for testing and configuring hardware or software for sending and receiving flow data.
Failover: For mission-critical 100% availability.



    "We have used Scrutinizer on multiple troubleshooting opportunities to isolate what type of traffic was causing the heavy utilization and also what offending devices were doing it. Scrutinizer has more than lived up to its expectations."

    Danny, Pension Benefit Guaranty Corp