netflow_detectiveIt was a warm day here at the office – warmer then most. I was getting up to get a drink of water when she walked in. She was a beautiful dame, but in my world they are all beautiful. This one was different. She had a mission. She needed something.

Nancy: My name is Nancy and I am head of network security at A&G records. I really need your help.

JimmyD: What seems to be the problem?

Nancy: We just signed an exclusive contract with Mix Master Mitch and we have filming his new NetFlow rap video. We have a lot of money invested in its production and we have planned a major release, but…

JimmyD: But what?

Nancy: Someone is uploading the videos to youTube! This leak could cost us thousands of dollars.

I have NetFlow on my network and I can’t seem to track down this user’s IP address. I can see their traffic all the way up to the ASA firewall, but I can’t see past that.

JimmyD: Do you have a NetFlow capable router behind the firewall?

Nancy: No, we don’t. That is where the problem is. I read that the ASA supports NetFlow. I even upgraded the IOS to get it, but I am not seeing anything. I really need to stop this traffic and fast.

JimmyD: I see, lets go down to your office and see what we can do.

Nancy: Thanks JimmyD. I hope you can help.

I got her address and started on my way to their office. It was late in the afternoon of this steamy summer day. It began to rain. It was a hard rain – one that beats you down with every drop. You know what I mean – one that has a strangle hold on you. Just like Nancy’s issue. She needed to find out who was uploading these videos, but kept on hitting a dead end.

JimmyD: Let me see what you have.

She pulled up Scrutinizer. I took a look at her screen and I knew what to do.

JimmyD: I can help you.

Nancy: You can? How?

Jimmy D: I see that you are using Scrutinizer 6.5. As you have found out, it does not support NetFlow from the ASA. The good news is that Scrutinizer 7.0 supports it, and it’s one of the only NetFlow tools that can do this. You are going to be able to find out who is uploading that file.detective

We spent the rest of the afternoon installing and configuring Scrutinizer 7.0, and setting up NetFlow on the ASA. We then created a custom report that would tell us of any YouTube traffic that came across their Network. We also made sure that we would be alerted when it happens.

At 5:05pm her pager buzzed.

Nancy: It’s the youTube alert, Jimmy!!!???Scrutinizer's Search Function

Jimmy D: By using Scrutinizer’s search function, we can quickly track down all of the conversations by the IPs in this report. Hmmm… This one looks suspicious. Let’s click on the small binoculars and search to see what it has been doing on your network.

Nancy: I know where that IP is!

She made a call to security.

Nancy: This is Nancy up in IT. Can you please go to the Janitor’s office and bring who ever is on that computer up to my office?

The security officer came in holding Joe the janitor’s arm.

Nancy: Why Joe? Why?

Joe: ‘Cause, I’ve been looked over time and time again for promotions, and I am tired of it! They offered me five thousand dollars to post the leaks.

Nancy: Well, you are going to have to tell your story to the police. Take him away.

Thank you for all your help, Jimmy D. I couldn’t have solved this mystery with out you.

JimmyD: Don’t worry about it, Nancy. It’s just another day in the life of a NetFlow Detective.

Jim D author pic

James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D


Leave a Reply