Today I would like to discuss IP host monitoring with NetFlow. Often, network administrators need to monitor the activity of a particular host on the network during a specific period of time. In this blog I intend to show how this can be accomplished in practice.

A true NetFlow, IPFIX, or Flexible NetFlow analysis tool is able to filter traffic on a specific host or subnet, which lets the admin determine:

  • IP addresses or subnets the host is communicating with
  • The utilized bandwidth
  • Protocols associated with the host’s traffic
  • Applications this host is using

Let’s start with some concrete examples.

Example 1: How do I filter on a host IP address?

[Image: IP Address Filter]

  1. How much bandwidth did this host utilize?
  2. Who did this host talk to?
  3. How long did the conversation last?
  4. What protocols were used?

Solution:

  • Generate a report for the WAN interface.
  • Make sure you are viewing the report in IP mode so that you know exactly what you are looking at.
  • If the host is among the displayed top conversations, click on it to only view traffic associated with this host. If you cannot find the host, the other option is to add an IP host filter.
[Image: IP Address Traffic Filter]

Clicking on 67.225.167.100, as shown in the image above, will filter all the WAN link traffic down to any conversation where 67.225.167.100 is the source or the destination. An alternative to clicking the host in the conversation table is adding an “IP Host” filter to this report; the image to the left of this paragraph illustrates how. Adding the filter prompts you to choose whether to match the host as:

  • source,
  • destination, or
  • source or destination.

Once a filter is applied, depending on the flow format your router/switch is exporting, you can find out more about this host’s traffic. Example 2 shows how to identify applications associated with 67.225.167.100 traffic.


Example 2: What Application was 67.225.167.100 using?

Vendors such as Cisco and SonicWALL are now able to define applications in their IP flow implementations. Using deep packet inspection, they can characterize traffic for application identification.

Let’s consider the scenario in Example 1; suppose I’ve configured NOT NetFlow v5 or v9, but Flexible NetFlow with NBAR export. This flow data should tell me what applications 67.225.167.100 was using.

Solution:

  • Generate a report for the WAN interface.
  • Apply an IP host filter as shown in Example 1.
  • Open a Conversation NBAR report.

[Image: Traffic Applications]

In this last report image, I added an IP host filter for 67.225.167.100 traffic and opened a Conversation NBAR report. As you can see, 96 percent of this host’s traffic was identified as Skype. This report can be saved or added to the dashboard (MyView), where it refreshes every 5 minutes, allowing you to monitor this host in close to real time.
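To make the two examples concrete, here is a small added illustration (not Plixer’s code) of what the “IP Host” filter and the host reports do to stored flow records: the filter keeps flows where the host is source, destination, or either, and the summary answers the four questions from Example 1 plus the application share from Example 2. The flow records, the peer addresses (RFC 5737 documentation ranges) and the application names are constructed sample data; only 67.225.167.100 comes from the post.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    """One flow record as a collector stores it (constructed sample data, not a real export)."""
    src: str
    dst: str
    proto: str
    app: str      # NBAR application name; present only with Flexible NetFlow/NBAR export
    octets: int
    start: float  # flow start, epoch seconds
    end: float    # flow end, epoch seconds

def host_filter(flows, host, mode="either"):
    """The 'IP Host' filter: keep flows where host is the source, the destination, or either."""
    if mode == "source":
        return [f for f in flows if f.src == host]
    if mode == "destination":
        return [f for f in flows if f.dst == host]
    if mode == "either":
        return [f for f in flows if host in (f.src, f.dst)]
    raise ValueError(f"unknown filter mode: {mode}")

def host_summary(flows, host):
    """Answer Example 1 (bandwidth, peers, duration, protocols) and Example 2 (application share)."""
    sel = host_filter(flows, host, "either")
    total = sum(f.octets for f in sel)
    peers, apps = defaultdict(int), defaultdict(int)
    for f in sel:
        peers[f.dst if f.src == host else f.src] += f.octets  # credit the far end of the flow
        apps[f.app] += f.octets
    return {
        "total_octets": total,
        "peers": dict(peers),
        "duration_s": (max(f.end for f in sel) - min(f.start for f in sel)) if sel else 0.0,
        "protocols": dict(Counter(f.proto for f in sel)),
        "app_share_pct": {a: round(100 * b / total, 1) for a, b in apps.items()} if total else {},
    }

HOST = "67.225.167.100"  # the host from the post
SAMPLE_FLOWS = [  # constructed; peer addresses come from RFC 5737 documentation ranges
    Flow(HOST, "198.51.100.7", "UDP", "skype", 6000, 0.0, 120.0),
    Flow("198.51.100.7", HOST, "UDP", "skype", 3600, 5.0, 125.0),
    Flow(HOST, "192.0.2.53", "UDP", "dns", 300, 10.0, 11.0),
    Flow("203.0.113.9", HOST, "TCP", "http", 100, 30.0, 40.0),
    Flow("203.0.113.9", "192.0.2.1", "TCP", "http", 5000, 0.0, 50.0),  # unrelated flow, filtered out
]
```

Calling `host_summary(SAMPLE_FLOWS, HOST)` on this data reports 10000 octets across three peers, two protocols, and an application share of 96 percent Skype, mirroring the report in the image.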

Keep your eye on them!!!


Dale

Dale Locke is the Regional Manager for the southeast US at Plixer. He works with prospects to solve the unique needs of their network and visits existing customers to assist with training. He enjoys developing new partnerships and building long lasting relationships with his clients. Dale's favorite hobbies include fishing, hiking, soccer, and football.
