[c-nsp] Re: Netflow traffic study

Gerry Boudreaux gerry at tape.net
Thu Dec 29 01:19:36 EST 2005


In a previous job, we were analyzing netflow data to look for unusual  
patterns, like resi customers making too many smtp connections in a 5  
minute window, or portscans, etc.

Most were custom-written Perl scripts, but we used the results of our  
analysis to push filters to specific customer interfaces, and then  
expired them after two weeks, assuming that either the customer would  
have fixed the problem, or the scanner would re-capture them.

We also pushed the results to a searchable web-page for support to  
use to troubleshoot issues like "Why cannot I send e-mail?"  um well,  
you tried to send 50000 messages in a 5 minute window, and you are a  
resi customer, you might have a virus...

By limiting unwanted traffic, you might save money by not needing  
additional upstream bandwidth.

Just one possibility on how you can manipulate netflow data.  Use  
your imagination.

G


On Dec 28, 2005, at 9:57 PM, Kanagaraj Krishna wrote:

> Hi,
>    I'm working for a medium-sized ISP providing transit services to
> our customers. We are currently in the process of expanding our
> network, which includes additions to our upstream providers. In the
> process of identifying where to put our money, we want to study our
> customers' traffic patterns (destination, type of traffic, region etc)
> before deciding on the most suitable upstream provider that fits the
> bill (coverage and quality). One of the options that we are looking
> into for doing this is the Netflow function on Cisco routers. I have a
> few questions regarding this issue:
>
> - Any good (free/open source) software that can analyze (stats,  
> graph etc) Netflow data?
> - Any comments on the use of Netflow for this purpose?
> - Any other suggestions in reaching our objectives (other than  
> Netflow)?
>
> Hope to get input from you guys out there. Thanks.
>
> Regards,
> Kanagaraj Krishna
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
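
The reply above describes flagging residential customers with too many SMTP connections in a 5-minute window, spotting portscans, and pushing filters that expire after two weeks. The following is an added example of that logic, not code from the thread (the poster's scripts were Perl and are not shown); the flow tuple layout, thresholds, function names and sample records are all assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 300              # 5-minute window, as in the post
SMTP_LIMIT = 100          # assumed threshold: SMTP flows per window
SCAN_PORT_LIMIT = 20      # assumed threshold: distinct ports to one host
FILTER_TTL = 14 * 86400   # filters expire after two weeks, as in the post

def detect(flows, residential):
    """flows: (epoch_s, src_ip, dst_ip, dst_port, ip_proto) tuples."""
    smtp = defaultdict(int)    # (window, src) -> SMTP flow count
    ports = defaultdict(set)   # (window, src, dst) -> destination ports seen
    for ts, src, dst, dport, proto in flows:
        if proto != 6:         # TCP only
            continue
        win = ts - ts % WINDOW
        if dport == 25 and src in residential:
            smtp[(win, src)] += 1
        ports[(win, src, dst)].add(dport)
    hits = [(src, "smtp-flood", win) for (win, src), n in smtp.items() if n > SMTP_LIMIT]
    hits += [(src, "portscan", win) for (win, src, _), p in ports.items()
             if len(p) > SCAN_PORT_LIMIT]
    findings = {}              # (src, reason) -> earliest offending window
    for src, reason, win in hits:
        key = (src, reason)
        findings[key] = min(findings.get(key, win), win)
    return findings

def build_filters(findings):
    """One filter record per finding, expiring FILTER_TTL after the window ends."""
    return [{"src": src, "reason": reason, "expires": win + WINDOW + FILTER_TTL}
            for (src, reason), win in sorted(findings.items())]

def active(filters, now):
    """Drop filters whose two-week lifetime has passed."""
    return [f for f in filters if f["expires"] > now]

def sample_flows():
    """Constructed flow records; addresses are documentation/private ranges."""
    t0 = 1135800000  # aligned to a 5-minute boundary
    flows = [(t0 + i, "10.0.0.5", f"192.0.2.{i % 200 + 1}", 25, 6) for i in range(150)]
    flows += [(t0 + 10, "10.0.0.9", "198.51.100.7", p, 6) for p in range(1, 41)]
    flows += [(t0 + 20, "10.0.0.7", "192.0.2.10", 25, 6)] * 3
    return flows

if __name__ == "__main__":
    found = detect(sample_flows(), residential={"10.0.0.5", "10.0.0.7", "10.0.0.9"})
    for f in build_filters(found):
        print(f)
```

If the scanner flags the same customer again after a filter has expired, a new record is produced, which matches the "re-capture" behaviour the reply relies on.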


