Why do you use Netflow

Jack Bates jbates at brightok.net
Tue Aug 19 20:12:57 UTC 2003


lance_tatman at agilent.com wrote:

> Are operators frequently using netflow nowadays?  I assume that if you are, you turn it on only for
> some limited duration to collect your data and then go back and do your analysis.  Is this assumption correct?
> 
Netflow overhead is relatively low considering what it does. I keep mine 
on at peering points.

> What are you looking at when you analyze this data?  I've seen uses such as
> top 10 destination AS's for peering evaluations.  What else?  Billing?
> 

Number one use for netflow, scan detections. I detect most users 
infected with a virus before remote networks can auto-gen a report. I 
also detect mail being sent from various customer machines. High volume 
traffic flags me so I can investigate if it's spam or not.

I can tell you (well, I won't without a court order, but I could) the 
username, or customer name (if static), of every worm infected user on 
my network at any given point in time. 50+ inactive flows for an IP 
address is a definite worm sign. If you want to be more specific, do 
sequential scan checks on the flow data. Has been very useful in dealing 
with Blaster.

Netflow is particularly useful when utilizing NAT, as it's much easier 
to collect netflow data than translation tables.

On a cold, boring day, you can set up aggregates and generate cute little 
statistics for all sorts of things, and I hear it's useful in some 
scenarios.

-Jack
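
As an added illustration, not code from Jack's post or any NANOG project, here are the two checks he describes run over constructed flow records: a per-source count of flows that carried one or two packets (probes that got no reply and were expired by the inactive timer) against his 50-flow rule, plus a sequential-destination check. The record layout, the sequential-run threshold and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Each constructed record keeps only the NetFlow v5 fields this check needs:
# (src, dst, dst_port, packets). All values below are invented.
FLOW_THRESHOLD = 50      # the "50+ inactive flows" rule from the post
SEQ_RUN_THRESHOLD = 20   # consecutive destination addresses (assumed value)


def make_sample_flows():
    """Constructed sample: one host sweeping 10.9.0.0/24 on tcp/135 with
    single-packet flows, one host doing ordinary web browsing."""
    flows = [("10.1.2.3", f"10.9.0.{i}", 135, 1) for i in range(1, 61)]
    flows += [("10.1.2.4", "198.51.100.10", 80, 14),
              ("10.1.2.4", "198.51.100.11", 443, 37),
              ("10.1.2.4", "198.51.100.10", 80, 9)]
    return flows


def inactive_flow_counts(flows, max_packets=2):
    """Count, per source, flows with at most `max_packets` packets: a probe
    that drew no reply and was aged out by the inactive timer."""
    counts = defaultdict(int)
    for src, _dst, _port, packets in flows:
        if packets <= max_packets:
            counts[src] += 1
    return dict(counts)


def longest_sequential_run(flows, src):
    """Length of the longest run of numerically consecutive destination
    addresses contacted by `src` (the 'sequential scan check')."""
    dsts = sorted({int(ipaddress.ip_address(d)) for s, d, _p, _n in flows if s == src})
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def suspected_scanners(flows):
    """Return {src: (inactive_flows, longest_run)} for sources that trip
    either threshold."""
    hits = {}
    for src, count in inactive_flow_counts(flows).items():
        run = longest_sequential_run(flows, src)
        if count >= FLOW_THRESHOLD or run >= SEQ_RUN_THRESHOLD:
            hits[src] = (count, run)
    return hits


if __name__ == "__main__":
    for src, (count, run) in suspected_scanners(make_sample_flows()).items():
        print(f"{src}: {count} inactive flows, longest sequential run {run}")
```

On real exports, feed the same tuples from a flow collector's output; the web-browsing host never enters the count because its flows carry many packets, so only the sweeping host is reported.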
