Like many product managers I’m constantly playing with our tool. I use it weekly to track down why a connection is overly utilized. I track down the host and then ask the proprietor of the computer if the traffic is really necessary. Most of the time the traffic is work related, but doesn’t necessarily have to be caused during peak working hours.

Find the host
One frequently used tool is the search utility, which is launched by clicking on the binoculars icon. I also use it to search for an IP address on the network. Here is how it works.

[Screenshot: hackerTracker3]

Just enter the following information in the search form shown above:
• Flow exporters to query – ‘All’ of them if necessary
• The time frame to search (e.g. “Last Hour”)
• The IP address to search for (e.g. 208.80.152.2)
• Click ‘Search’

Drill in for details
Notice above that the host is only found on a single router. It found the host as both the source and the destination. To decide which one to click on, ask yourself this question: are you looking for the machines this IP address is sending to or receiving from?

If the machine is causing lots of traffic (i.e. sending), I want to know who it is sending data to, so I click on the Src report for applications:

[Screenshot: hackerTracker1]

Above, I drill in for the conversations of this host using HTTP:

[Screenshot: hackerTracker2]

Notice above that it tells me who is receiving the data on our DMZ, but it also tells me the interface the host resides on. If you mouse over the interface number (e.g. 3), it will give you the ifAlias and/or ifName of the interface.

Take it a step further
Let’s say you notice in the alarms tab that someone on the network is communicating with a host that is known to be on the Russian Business Network (RBN), which could be very bad. Click on “Launch Lookup” to find the machine communicating with this RBN host:

[Screenshot: hackerTracker4]

This time it finds the host 221.192.8.90 on two different routers. I want to know who is sending data to this host so I will click on the report for Dst:

[Screenshot: hackerTracker5]

I drill in for the conversations as outlined at the beginning of this blog post and find all the hosts that are communicating with this possible threat.
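To make the logic behind those clicks concrete, here is an added Python example (not Scrutinizer's or Plixer's code) that runs both walkthroughs above over a handful of constructed flow records: finding a host across exporters within a time window, reporting its applications as source or destination, drilling into conversations together with the ingress interface, and listing every host sending to a suspect destination. Exporter names, ifIndex values, byte counts, timestamps and the internal addresses are made up; only 208.80.152.2 and 221.192.8.90 come from the post.

```python
# Added example, not Plixer's or Scrutinizer's code: the search-and-drill-down
# workflow the post performs in the GUI, run over constructed NetFlow-style records.
# Exporter names, ifIndex values, byte counts, timestamps and all 10.x/8.8.8.8
# addresses are made up; 208.80.152.2 and 221.192.8.90 are the addresses in the post.
from collections import defaultdict
from dataclasses import dataclass

NOW = 1_700_000_000  # constructed "current time" (epoch seconds) for the Last Hour window


@dataclass(frozen=True)
class Flow:
    exporter: str  # router or switch that exported the record
    src: str       # source IP address
    dst: str       # destination IP address
    dst_port: int  # destination port; used here to name the application
    in_if: int     # ifIndex the flow entered on, i.e. where the source host resides
    bytes: int
    start: int     # flow start time, epoch seconds


# Constructed sample records (not real traffic)
FLOWS = [
    Flow("core-rtr-1", "208.80.152.2", "10.1.20.15", 80, 3, 5_000_000, NOW - 600),
    Flow("core-rtr-1", "208.80.152.2", "10.1.20.16", 80, 3, 2_500_000, NOW - 900),
    Flow("core-rtr-1", "10.1.20.15", "208.80.152.2", 443, 7, 120_000, NOW - 300),
    Flow("core-rtr-1", "208.80.152.2", "10.1.30.8", 53, 3, 4_000, NOW - 120),
    Flow("core-rtr-1", "208.80.152.2", "10.1.20.99", 80, 3, 9_000_000, NOW - 7_200),  # two hours old
    Flow("edge-rtr-1", "10.2.5.40", "221.192.8.90", 443, 12, 900_000, NOW - 1_800),
    Flow("edge-rtr-2", "10.3.9.77", "221.192.8.90", 443, 4, 300_000, NOW - 2_400),
    Flow("edge-rtr-2", "10.3.9.78", "8.8.8.8", 53, 4, 2_000, NOW - 60),
]

PORT_NAMES = {80: "HTTP", 443: "HTTPS", 53: "DNS"}


def in_window(flows, now=NOW, seconds=3600):
    """The 'Last Hour' time frame: keep only records that started inside the window."""
    return [f for f in flows if now - seconds <= f.start <= now]


def find_host(flows, ip):
    """The binoculars search: which exporters saw `ip`, and how many bytes as
    source versus destination.  Returns {exporter: {"src": bytes, "dst": bytes}}."""
    hits = defaultdict(lambda: {"src": 0, "dst": 0})
    for f in flows:
        if f.src == ip:
            hits[f.exporter]["src"] += f.bytes
        if f.dst == ip:
            hits[f.exporter]["dst"] += f.bytes
    return dict(hits)


def applications(flows, ip, direction):
    """The Src or Dst application report: bytes per application for `ip` as
    sender (direction="src") or receiver (direction="dst")."""
    totals = defaultdict(int)
    for f in flows:
        if getattr(f, direction) == ip:
            totals[PORT_NAMES.get(f.dst_port, f"port {f.dst_port}")] += f.bytes
    return dict(totals)


def conversations(flows, ip, direction, app):
    """Drill into conversations: the peers `ip` exchanges `app` traffic with,
    largest first, with the exporter and ingress ifIndex of each flow."""
    out = []
    for f in flows:
        if getattr(f, direction) == ip and PORT_NAMES.get(f.dst_port) == app:
            peer = f.dst if direction == "src" else f.src
            out.append({"peer": peer, "bytes": f.bytes,
                        "exporter": f.exporter, "in_if": f.in_if})
    return sorted(out, key=lambda c: c["bytes"], reverse=True)


def hosts_talking_to(flows, ip):
    """The 'Take it a step further' case: every host sending to a suspect
    destination, whatever the application, so each one can be tracked down."""
    return sorted({f.src for f in flows if f.dst == ip})


if __name__ == "__main__":
    recent = in_window(FLOWS)
    print("208.80.152.2 found on:", find_host(recent, "208.80.152.2"))
    print("as source, by application:", applications(recent, "208.80.152.2", "src"))
    for c in conversations(recent, "208.80.152.2", "src", "HTTP"):
        print(f"  -> {c['peer']:<12} {c['bytes']:>10} bytes  via {c['exporter']} ifIndex {c['in_if']}")
    print("221.192.8.90 found on:", find_host(recent, "221.192.8.90"))
    print("hosts sending to it:", hosts_talking_to(recent, "221.192.8.90"))
```

The time window is applied first, exactly as the “Last Hour” selection does in the search form, so the two-hour-old record never reaches the reports; the ingress ifIndex carried on each conversation is the value you would hover over in the GUI to get the ifAlias or ifName.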

Summary
The NetFlow Hacker Tracker is part of our free NetFlow analyzer. It also works with sFlow, for any vendor supporting these flow technologies. Expect improvements to this feature in the next version of our Cisco NetFlow and sFlow collector.

Michael Patterson

Michael is one of the co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Master's in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix, which later became Plixer.
