Working in Technical Support we often are asked to help troubleshoot network issues on customer networks. If a customer has the proper visibility and has NetFlow/IPFIX enabled on any or all devices on their network, this task isn’t usually too difficult. Whether it be a DDoS attack, a malicious virus communicating on their network, or just a simple slowness issue caused by a large transfer, NetFlow can help us find the culprit.Where we usually run into trouble is when they do not have a flow exporting device where the “bad” traffic is traversing and therefore, we can’t see exactly what it’s doing across their network, or perhaps they simply do not have devices exporting IPFIX/NetFlow. If you find yourself in this position you may think you’re out of options. In comes a NetFlow Probe Appliance, which can be deployed in those hard to see areas; this will give you full IPFIX visibility.

What is a NetFlow Probe?

NetFlow probe appliance, sometimes called a NetFlow probe, is a network appliance that allows you to mirror/span a port from a non-NetFlow sending device. It then converts the raw data to IPFIX/NetFlow and then sends that data to your NetFlow monitoring tool. Now you may be asking yourself, “What kind of data can I receive?” Some NetFlow probes allow us to view details on URL information, VoIPIPFiX Support
statistics, and even application information. Depending on what types of devices you currently have on your network, NetFlow probes can often give you better visibility than you are currently getting with NetFlow v5.

Viewing my NetFlow Probe data:

Once you have your NetFlow probe configured and sending to you NetFlow monitoring tool, it will show up just like any other device you have configured. You may need to rename interface names so that you can remember what ports are mirrored,  but after you have those things taken care of, you should see all the nice juicy IPFIX exports in your NetFlow collector and can begin running IPFIX Supportreports. You will probably be amazed by the level of detail and granularity you can view just by deploying one of these simple appliances. Now that you are collecting data, and already have better visibility on your network, we can take this one step further and look into configuring some NetFlow security algorithms on the traffic; NetFlow probes send us all of the required information that we need to analyze and report on malicious traffic.

Future of the NetFlow Probe:

The future of NetFlow probe appliances is looking very good. Since IPFIX is an IETF standard, it opens up many doors for developers. They can now have their probes export more fields, which, in turn, will provide additional information elements for NetFlow tools.  I’m very excited to see what happens in the future and so should you! If you have any questions on NetFlow probe appliances, or need help configuring one, feel free to let us know!

Jake Bergeron author pic

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

Leave a Reply