Detecting social media traffic on your network can be a painless process when using certain NetFlow and IPFIX exports. In this blog I will be going over both the benefits and the technologies that are associated with this level of network visibility. Here’s a common scenario while troubleshooting a network issue: a certain interface on your network devices is saturated and you are tasked with finding out what is causing it. This blog will help uncover some easy steps you can take to do this.

Cisco AVC NetFlow

Technologies like Cisco AVC give you access to NBAR(2) exports through NetFlow, which in turn provide you with layer 7 application recognition. This means that instead of seeing plain port 80 HTTP traffic going to a large CDN, you will instead get the service or application that is in use (e.g. Netflix, Facebook, Skype). You can even tag this traffic in certain categories to lump traffic as business critical or non-business critical; this will help justify putting certain policies in place to make sure your day-to-day operations are not affected. With this knowledge, you can set up QoS policies to prioritize your critical apps and ensure users never experience slowness with them.

Malware Detection through NetFlow

If you keep up to date with our blog, I’m sure you have noticed a lot of posts covering the topic of network security. I will touch on that here because I believe it is important to note. Just like personal applications, social media introduces new security risks on the network. Not unlike spearphishing emails to your corporate email, hackers can use social media to trick you into clicking malware-infested links. Besides consuming work-related time, it gives your security team a whole new attack vector to protect against.

Something I have seen happen frequently is random spam bots being added on instant messaging clients such as Skype. These users will usually stay harmless, but every once in a while they will try to gather PII (personally identifiable information) or will try to get you to click a link that may not be very safe for you. See the image below for an example of one that I have seen.


Skype Spam

Application monitoring with NetFlow

Now that we have gone over some of the benefits of monitoring these applications, you may consider setting up alerts to notify you when these are in use during business hours or when they have exceeded a certain amount of bandwidth. Taking a proactive approach to monitoring this will free up more time to focus on the things that are currently piling up on your desk! If you’re not a Cisco shop or you have a mixed bag of equipment, however, don’t worry! There are lots of other vendors out there who do deep packet inspection to identify applications.  Just to name a few:

  • SonicWALL
  • Palo Alto
  • nProbe Layer 7 DPI
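The alerting described above (applications in use during business hours, or over a set amount of bandwidth), together with the saturated-interface question from the introduction, as an added example that is not Plixer's or any vendor's code. The record layout, interface names, application names, category set, hours and byte limit are all assumptions, and the flows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flows: (timestamp, interface, source host, layer 7 app name, bytes).
FLOWS = [
    ("2024-03-04T10:15:00", "Gi0/1", "10.0.0.21", "netflix", 420_000_000),
    ("2024-03-04T10:20:00", "Gi0/1", "10.0.0.21", "netflix", 310_000_000),
    ("2024-03-04T11:05:00", "Gi0/1", "10.0.0.34", "facebook", 45_000_000),
    ("2024-03-04T11:10:00", "Gi0/1", "10.0.0.8", "office365", 120_000_000),
    ("2024-03-04T21:30:00", "Gi0/1", "10.0.0.40", "skype", 30_000_000),
    ("2024-03-04T10:30:00", "Gi0/2", "10.0.0.50", "netflix", 900_000_000),
]

NON_BUSINESS = {"netflix", "facebook", "skype"}  # assumed category tagging
BUSINESS_HOURS = range(8, 18)                    # assumed 08:00-17:59, Mon-Fri
BYTE_LIMIT = 500_000_000                         # assumed per-app limit per window

def top_applications(flows, interface):
    """Total bytes per application on one interface, largest first."""
    totals = defaultdict(int)
    for _ts, ifname, _src, app, nbytes in flows:
        if ifname == interface:
            totals[app] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def alerts(flows, interface):
    """Map each non-business app to the alert reasons it triggered and its hosts."""
    total, in_hours, hosts = defaultdict(int), set(), defaultdict(set)
    for ts, ifname, src, app, nbytes in flows:
        if ifname != interface or app not in NON_BUSINESS:
            continue
        when = datetime.fromisoformat(ts)
        total[app] += nbytes
        hosts[app].add(src)
        if when.weekday() < 5 and when.hour in BUSINESS_HOURS:
            in_hours.add(app)
    found = {}
    for app, nbytes in total.items():
        reasons = []
        if app in in_hours:
            reasons.append("used during business hours")
        if nbytes > BYTE_LIMIT:
            reasons.append("bandwidth limit exceeded")
        if reasons:
            found[app] = {"reasons": reasons, "hosts": sorted(hosts[app])}
    return found

if __name__ == "__main__":
    print(top_applications(FLOWS, "Gi0/1"), alerts(FLOWS, "Gi0/1"), sep="\n")
```

The per-host list in each alert is what turns "the interface is saturated" into a specific host to follow up with.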

For more information on how you can take advantage of these exports, or how to define your own if you have exporters that don’t export this type of visibility, feel free to reach out to us!





Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers. He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is set up to their needs. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and malware detection, he also enjoys fishing and hiking.