nanog mailing list archives
Re: Why do you use Netflow
From: Jack Bates <jbates () brightok net>
Date: Tue, 19 Aug 2003 15:12:57 -0500
lance_tatman () agilent com wrote:
> Are operators frequently using netflow nowadays? I assume that if you are, you turn it on only for some limited duration to collect your data and then go back and do your analysis. Is this assumption correct?

Netflow overhead is relatively low considering what it does. I keep mine on at peering points.

> What are you looking at when you analyze this data? I've seen uses such as top 10 destination AS's for peering evaluations. What else? Billing?

Number one use for netflow, scan detections. I detect most users infected with a virus before remote networks can auto-gen a report. I also detect mail being sent from various customer machines. High volume traffic flags me so I can investigate if it's spam or not.
I can tell you (well, I won't without a court order, but I could) the username, or customer name (if static), of every worm infected user on my network at any given point in time. 50+ inactive flows for an IP address is definite worm sign. If you want to be more specific, do sequential scan checks on the flow data. Has been very useful in dealing with Blaster.
Netflow is particularly useful when utilizing NAT, as it's much easier to collect netflow data than translation tables.
On a cold, boring day, you can set up aggregates and generate cute little statistics for all sorts of things, and I hear it's useful in some scenarios.
-Jack
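The check described in the message above (50+ inactive flows per source address, then a sequential scan check), as an added example that is not part of the original post or the poster's own tooling. It assumes flow records already decoded into dicts, and it models an "inactive" flow as a TCP flow that carried only SYNs in at most 3 packets; the field names and sample records are constructed.

```python
import ipaddress
from collections import defaultdict

INACTIVE_THRESHOLD = 50  # "50+ inactive flows" from the post
SYN = 0x02               # SYN bit in NetFlow's cumulative tcp_flags field

def is_inactive(flow):
    # Assumption: "inactive" = TCP flow whose cumulative flags are SYN only
    # and that never grew past a few retransmitted packets.
    return flow["proto"] == 6 and flow["tcp_flags"] == SYN and flow["packets"] <= 3

def longest_sequential_run(dsts):
    # Longest run of numerically consecutive destination addresses.
    nums = sorted({int(ipaddress.ip_address(d)) for d in dsts})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_scanners(flows, threshold=INACTIVE_THRESHOLD):
    # Group unanswered flows by source, keep sources at or over the threshold.
    per_src = defaultdict(list)
    for f in flows:
        if is_inactive(f):
            per_src[f["src"]].append(f["dst"])
    return {src: {"inactive_flows": len(dsts),
                  "sequential_run": longest_sequential_run(dsts)}
            for src, dsts in per_src.items() if len(dsts) >= threshold}

def rec(src, dst, dport, flags, packets):
    return {"src": src, "dst": dst, "dport": dport, "proto": 6,
            "tcp_flags": flags, "packets": packets}

def sample_flows():
    # Constructed records using documentation address ranges, not real traffic.
    flows = []
    for i in range(1, 61):
        # One host sweeping consecutive addresses; every SYN goes unanswered.
        flows.append(rec("192.0.2.10", f"198.51.100.{i}", 135, SYN, 1))
        # Another host with completed sessions (FIN|SYN|PSH|ACK = 0x1b).
        flows.append(rec("192.0.2.20", f"203.0.113.{i}", 80, 0x1B, 12))
    for i in (5, 90, 200):
        # A few failed connects from the normal host: well under the threshold.
        flows.append(rec("192.0.2.20", f"198.51.100.{i}", 25, SYN, 2))
    return flows

if __name__ == "__main__":
    for src, info in find_scanners(sample_flows()).items():
        print(src, info)
```

The sequential run separates a linear address sweep from a host that merely has many failed connections to scattered destinations.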