Bill Nash wrote:
You may find it far simpler to just ask the person who owns the
sources that those packets are. While this may not be politically
feasible (insert network and privacy policies here), given the amount
of VPN traffic that's encapsulated in UDP, that may be anything. The
problem with netflow is that it does reveal many interesting, hypnotic
patterns inside your network. Having spent my share of time on the
receiving end of that lunacy, I can only offer this advice: Drinking
from the firehose is only funny for a little while.
Depending on your deployment method (transit flow monitoring vs
locally sourced, data center vs office campus, college campus vs four
hippies with tin cans), identifying flows may be far easier if you
have a network inventory to refer to. Even something as simple as
parsing XML output from NMAP into a db will give you better insight
into what your flows are.
Incidentally (because I ask everyone this), what's your flow volume
(flows per second)?
- billn
Cannot get ahold of the machine until tomorrow. I did a 'wc' on 4
devices for 5 minutes and it comes out to just under 3600, about 11-12
per second...
-Wil
