No matter which Cisco NetFlow collector you run, you may have noticed that once your firewall NATs an address, the NAT address becomes the source or destination in your flows, which makes NetFlow a lot less useful.

Let me provide you with an example in Scrutinizer.

[Screenshot: NAT conversations]

Note the series of conversations coming in from the web, as shown above, and how the destinations all show the NAT address of 66.186.x.x.

Let’s look at the traffic coming from host vs.mcafeeasap.com. How can we find out who the destination host is within our network that is generating this traffic?

First things first: these conversations come from records generated by the Internet router. Since the traffic has already been NATed by the time it reaches that router, we need to find it before it gets there.

So let’s go to my internal switch.

[Screenshot: conversation2]

Once on my internal switch, I did a filter search for this host, which produced a series of conversations from vs.mcafeeasap.com. Since this was a McAfee update, there were a LOT of internal conversations, to say the least. But as you can see, you have both the source host and the destination, without the NAT address getting in the way.

How did I do that filter search? In the top right corner of the Scrutinizer GUI, there is a binoculars icon that looks like this:

[Screenshot: binoculars icon]

When you click on the binoculars, you get a menu, as shown below. Within this menu, you can do a search for all conversations, where the source or destination is a specific IP address.

[Screenshot: search wizard]

As you can see in this menu, I am doing a search by IP on my internal switch; the IP I specified is that of the McAfee host.

The search results produced all the flow records where McAfee was either the source or the destination. Which of those I need to see is then up to me.
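The procedure above boils down to two steps: search the flows from an exporter that sits inside the NAT boundary for the external host, and then read the internal address off the matching records. The following script is an added example (not Scrutinizer code or anything from Plixer) that does the same thing over constructed, comma-separated flow records and goes one step further than the post: it also correlates each post-NAT router record with the pre-NAT switch records that share the unchanged external endpoint, protocol, byte count and start time, so you can see which internal host is hiding behind a given NAT conversation. The NAT address 198.51.100.7, the McAfee server address 203.0.113.50, the exporter names and all internal addresses are constructed placeholders.

```python
"""Find the internal host behind a NAT'd NetFlow conversation.

Added example, not Scrutinizer code. Assumes two exporters (an Internet router
that sees post-NAT traffic and an internal switch that sees pre-NAT traffic)
whose unidirectional flow records were flattened to comma-separated text.
"""
from __future__ import annotations
from dataclasses import dataclass

NAT_IP = "198.51.100.7"          # constructed stand-in for the 66.186.x.x NAT address
FIELDS = ("exporter", "start", "src", "sport", "dst", "dport", "proto", "bytes")

# Constructed records from the Internet router: the inside host is always the NAT IP.
ROUTER_RECORDS = """
# exporter, start(epoch s), src, sport, dst, dport, proto, bytes
inet-router, 1000, 203.0.113.50, 443, 198.51.100.7, 40001, 6, 812345
inet-router, 1001, 203.0.113.50, 443, 198.51.100.7, 40002, 6, 812345
inet-router, 1003, 203.0.113.50, 443, 198.51.100.7, 40003, 6, 4096
"""

# Constructed records from the internal switch: the real internal hosts are visible.
SWITCH_RECORDS = """
core-switch, 1000, 203.0.113.50, 443, 10.1.20.15, 51234, 6, 812345
core-switch, 1001, 203.0.113.50, 443, 10.1.20.16, 51500, 6, 812345
core-switch, 1003, 203.0.113.50, 443, 10.1.30.9, 49321, 6, 4096
core-switch, 1003, 10.1.30.9, 49321, 203.0.113.50, 443, 6, 1500
"""

PRIVATE_PREFIXES = ("10.", "192.168.") + tuple(f"172.{n}." for n in range(16, 32))


@dataclass(frozen=True)
class Flow:
    exporter: str
    start: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    bytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the flattened records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        p = [x.strip() for x in line.split(",")]
        if len(p) != len(FIELDS):
            raise ValueError(f"bad record: {line!r}")
        flows.append(Flow(p[0], int(p[1]), p[2], int(p[3]), p[4], int(p[5]), int(p[6]), int(p[7])))
    return flows


def flows_for_host(flows: list[Flow], ip: str) -> list[Flow]:
    """Equivalent of the binoculars search: records where ip is source OR destination."""
    return [f for f in flows if ip in (f.src, f.dst)]


def is_internal(ip: str) -> bool:
    return ip.startswith(PRIVATE_PREFIXES)


def split_sides(f: Flow, nat_ip: str):
    """Return (external_ip, external_port, inside_ip, inside_port), or None."""
    if f.dst == nat_ip or is_internal(f.dst):
        return f.src, f.sport, f.dst, f.dport
    if f.src == nat_ip or is_internal(f.src):
        return f.dst, f.dport, f.src, f.sport
    return None


def correlate(router_flows: list[Flow], switch_flows: list[Flow],
              nat_ip: str, window: int = 1) -> list[tuple[Flow, list[str]]]:
    """For each router flow whose inside address is the NAT IP, list the internal
    hosts whose switch flows share the external endpoint, direction, protocol,
    byte count and a start time within `window` seconds. NAT rewrites only the
    inside address/port, so the external side is the stable join key; when
    several internal hosts fetch the same update at once the key is not unique,
    and every candidate is reported rather than guessing."""
    results = []
    for r in router_flows:
        rs = split_sides(r, nat_ip)
        if rs is None or rs[2] != nat_ip:
            continue
        ext_ip, ext_port = rs[0], rs[1]
        candidates = set()
        for s in switch_flows:
            ss = split_sides(s, nat_ip)
            if ss is None or not is_internal(ss[2]):
                continue
            if (ss[0], ss[1]) != (ext_ip, ext_port):
                continue
            if (s.src == ext_ip) != (r.src == ext_ip):      # same direction?
                continue
            if s.proto != r.proto or s.bytes != r.bytes:
                continue
            if abs(s.start - r.start) > window:
                continue
            candidates.add(ss[2])
        results.append((r, sorted(candidates)))
    return results


if __name__ == "__main__":
    router, switch = parse_flows(ROUTER_RECORDS), parse_flows(SWITCH_RECORDS)
    for f in flows_for_host(switch, "203.0.113.50"):
        print(f"switch: {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.bytes}B")
    for r, hosts in correlate(router, switch, NAT_IP):
        tag = "unique" if len(hosts) == 1 else "ambiguous"
        print(f"router {r.src}:{r.sport} -> {r.dst}:{r.dport} @{r.start}: {hosts} ({tag})")
```

The first two router records are deliberately ambiguous: two internal hosts pulled the same-sized update within a second of each other, so byte count and timing cannot separate them and both candidates are listed. In a real deployment that ambiguity is why the post's advice holds: if the internal exporter is available, search it directly rather than trying to reverse the NAT from the router's records.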

I really hope this helps everyone out there, not just our Scrutinizer customers. Just understand that the flows are there; you simply can't rely on your Internet router when you need the details.


Ryan Slosser

My name is Ryan. I work in development here at Plixer. I mostly deal with hardware deployment. I enjoy kayaking and fishing during the summer and skiing in the winter. People can count on me and I always give 100% unless I'm donating blood.
