Can I ask you something?  As the manager of the network I’m sure you and your team end up investigating a lot of potential threats. My question is: what is your guess as to the ratio of NetFlow alarms you investigate from your NetFlow tool to the number of calls you receive from a user on the network complaining about a problem?  In other words, are the canned (i.e. non custom) NetFlow detected alarms more helpful or are your own investigations and user complaints more helpful?

NetFlow Alarms Vs. NetFlow Investigations

The reason I ask is because the lions share of the NetFlow case studies we write regarding NetFlow analysis experiences end up being related to problems found where an application was doing something it didn’t need to be or could be done at a different time of the day. Second to this would be viruses and botnets.  I feel that good reporting and filtering in a NetFlow tool like we find in Wireshark packet analyzer is equally or more important to NetFlow Network Behavior Alarming.  I believe most people would agree that waiting for alarms that tell you the majority of problems on the network is wishful thinking.

I’m a big fan of creating custom behavior watches using saved reports. Many NetFlow Analyzers and this includes the expensive ones, don’t have good filtering and custom alarming abilities. I’ll digress further on this in another blog on NetFlow filtering.

Although our NetFlow tool constantly scans the flows for anomalous activity and alarms for it, most IT professionals using our tools are so busy, that they often only have time to respond to something very obvious in the dash board or generally react to telephone calls. Few people watch the alarm log or even respond to every alert because of the potential for an insignificant issue or they use the alarm log after they find a problem.

When interviewing for Scrutinizer NetFlow collection case studies, “I got a call from a user” or “I noticed this huge spike in traffic” are often opening comments when we ask a user to share an experience where they found and resolved an issue.  “Noticing an alarm that came in” is seldom an opening line for a story.

What is your experience related to the above?

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply