Interesting netflow entry

Wil Schultz wschultz at
Tue Feb 7 00:30:33 UTC 2006

Bill Nash wrote:

> You may find it far simpler to just ask the person who owns the 
> sources that those packets are. While this may not be politically 
> feasible (insert network and privacy policies here), given the amount 
> of VPN traffic that's encapsulated in UDP, that may be anything. The 
> problem with netflow is that it does reveal many interesting, hypnotic 
> patterns inside your network. Having spent my share of time on the 
> receiving end of that lunacy, I can only offer this advice: Drinking 
> from the firehose is only funny for a little while.
> Depending on your deployment method (transit flow monitoring vs 
> locally sourced, data center vs office campus, college campus vs four 
> hippies with tin cans), identifying flows may be far easier if you 
> have a network inventory to refer to. Even something as simple as 
> parsing XML output from NMAP into a db will give you better insight 
> into what your flows are.
> Incidentally (because I ask everyone this), what's your flow volume 
> (flows per second)?
> - billn
Cannot get ahold of the machine until tomorrow. I did a 'wc' on 4 
devices for 5 minutes and it comes out to just under 3600, about 11-12 
per second...


More information about the NANOG mailing list