Hey Steve..  (pardon the top-post..  corporate e-mail system)

Our issue is that we also need to monitor the network behavior of Windows PCs 
(and Macs and the occasional Linux box) that we don't have administrative 
control over.

One of my big problems is that employees use their personal $OS machines to VPN 
their way on to our network, which then directs their P2P noise through our 
network.  Other than parsing the firewall logs and tallying up a given IP's 
outbound connection rate, Netflow is the only way I can think of to catch these 
bogeys.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steven Kurylo
Sent: Monday, February 07, 2011 6:45 PM
To: Jeremy Charles
Cc: [email protected]
Subject: Re: [lopsa-tech] getting specific netflow analysis

> 1)  A host on my network is receiving traffic from hundreds of remote hosts
> out on the Internet.  I'd like to have some way of noticing that this is
> happening so that I can take a closer look at what that host is doing.  For
> example, it would be fine if I could see a table of hosts that's sorted
> according to how many remote hosts it's receiving traffic from...  or even a
> threshold alert.

I don't do this with netflows, but perhaps how I monitor this problem will help.

We use OpenNMS to monitor the network.  I've created a threshold on
the SNMP value tcpActiveOpens.  I don't really care if it's coming from
one host or 500, but after watching the graphs for a while I set it at a
value that's outside of normal operations.

When it gets triggered, I look at the server logs or use ntop to see
where the traffic is coming from.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
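The thread asks for two things: a table of local hosts sorted by how many distinct remote hosts are talking to them (point 1 in the quoted message), and a way to spot VPN-connected personal machines whose P2P traffic produces a high outbound peer count. Both reduce to the same tally over flow records, so the following Python is an added example (not code from either poster) of that tally run over a constructed flow export. The CSV field layout, the local/VPN address ranges and the alert threshold are assumptions; the flow lines use documentation address space and are constructed for the example.

```python
"""Rank local hosts by the number of distinct remote peers seen in flow records.

Added example: the flow lines below are constructed to imitate a simple CSV
export of unidirectional flow records (one line per flow). The field layout,
the address ranges and the threshold are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address space: the office LAN plus the VPN client pool, so a
# VPN-connected laptop is ranked exactly like a wired desktop.
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]

# Constructed flow export: ts,src_ip,dst_ip,src_port,dst_port,proto,bytes,pkts
SAMPLE_FLOWS = """\
1297120000,198.51.100.10,10.1.1.20,6881,51413,tcp,1200,4
1297120001,198.51.100.11,10.1.1.20,6881,51413,tcp,900,3
1297120002,203.0.113.5,10.1.1.20,41000,51413,udp,300,2
1297120003,203.0.113.6,10.1.1.20,41001,51413,udp,300,2
1297120004,10.1.1.20,198.51.100.12,51413,6881,tcp,1500,5
1297120005,10.1.1.20,198.51.100.13,51413,6881,tcp,1500,5
1297120006,10.1.1.30,192.0.2.10,50001,443,tcp,4000,12
1297120007,192.0.2.10,10.1.1.30,443,50001,tcp,80000,60
1297120008,10.1.1.30,10.1.1.40,50002,445,tcp,2000,6
1297120009,192.168.100.7,203.0.113.7,40000,6881,tcp,700,3
1297120010,203.0.113.8,192.168.100.7,6881,40000,tcp,700,3
"""


def is_local(ip):
    """True when the address falls inside one of the assumed local ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_flows(text):
    """Yield (src, dst, proto) from the CSV export, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 8:
            continue  # tolerate truncated or header lines in a real export
        _ts, src, dst, _sp, _dp, proto, _bytes, _pkts = fields
        yield src, dst, proto


def peer_counts(flows):
    """Map each local host to the sets of remote senders ("in") and remote
    destinations ("out") it exchanged flows with."""
    peers = defaultdict(lambda: {"in": set(), "out": set()})
    for src, dst, _proto in flows:
        src_local, dst_local = is_local(src), is_local(dst)
        if src_local and not dst_local:
            peers[src]["out"].add(dst)
        elif dst_local and not src_local:
            peers[dst]["in"].add(src)
        # local-to-local and remote-to-remote flows do not count as peers
    return peers


def rank_by_inbound_peers(peers):
    """Rows of (host, inbound_peer_count, outbound_peer_count), busiest first."""
    rows = [(host, len(p["in"]), len(p["out"])) for host, p in peers.items()]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


def threshold_alerts(peers, max_inbound_peers):
    """Hosts whose distinct inbound remote peer count exceeds the threshold."""
    return sorted(h for h, p in peers.items() if len(p["in"]) > max_inbound_peers)


if __name__ == "__main__":
    table = peer_counts(parse_flows(SAMPLE_FLOWS))
    for host, n_in, n_out in rank_by_inbound_peers(table):
        print(f"{host:16} in={n_in:4} out={n_out:4}")
    print("over threshold:", threshold_alerts(table, 3))
```

Distinct peers rather than flow or byte counts is the metric that separates a P2P client (many short flows to many addresses) from a busy server talking to one upstream; in practice the tally would be computed per collection interval from the exporter's records and the threshold set, as the reply suggests for tcpActiveOpens, after watching the numbers for a while.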
