MARS receiving Netflows with 0.0.0.0/0

Unanswered Question
Sep 21st, 2007

I am sending Netflows from my 6500s to MARS. I seem to get a lot of events that have 0.0.0.0/0 as the source and a lot that show that address and port as the destination.

Are these broadcasts?

Also, most of my Netflow events are "Sudden Increase in traffic to a port". I turned on Netflow processing a week ago, yet a lot of the raw events still show the mean as 0.

pmccubbin Sun, 09/23/2007 - 04:17

I've been told that the "Sudden Increase in traffic to a port" means that MARS has seen a situation where the traffic to a port is more than 2 standard deviations from its normal traffic rate.

In the normal course of its operations, MARS develops a baseline of the network using Netflow. Consequently it's perfectly normal for there to be moments where you have spikes in traffic which would trigger this sort of event. It's then up to the administrator to determine if this is a false positive or not.

Hope this helps.
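The 2-standard-deviation rule described in the answer, worked through as an added illustration that is neither MARS code nor anything posted in this thread: it baselines per-port byte counts from constructed NetFlow-style records and flags a port whose current-interval count exceeds mean + 2σ. How MARS itself builds its baseline, and the minimum number of samples it requires, are assumptions here; ports with too little history are reported as unbaselined rather than compared against a mean of 0.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (interval, dst_port, bytes). Not real data.
FLOWS = [
    (0, 80, 1000), (0, 80, 1200), (0, 443, 500),
    (1, 80, 1100), (1, 443, 450),
    (2, 80, 900),  (2, 443, 550),
    (3, 80, 1000), (3, 443, 500),
    (4, 80, 1050), (4, 443, 480),
    # Interval 5 is the one under test: port 80 spikes, port 22 appears for the first time.
    (5, 80, 9000), (5, 443, 520), (5, 22, 300),
]

MIN_BASELINE_INTERVALS = 3  # assumption: fewer samples than this means no usable baseline
SIGMA = 2.0                 # "more than 2 standard deviations", as stated in the answer


def bytes_per_port_interval(flows):
    """Sum bytes per (interval, dst_port); a missing key means zero traffic."""
    totals = defaultdict(int)
    for interval, port, nbytes in flows:
        totals[(interval, port)] += nbytes
    return totals


def evaluate_interval(flows, current):
    """Compare each port's bytes in `current` against a baseline from earlier intervals.

    Returns {port: (verdict, observed_bytes, baseline_mean, threshold)}.
    """
    totals = bytes_per_port_interval(flows)
    baseline_intervals = sorted({i for i, _ in totals if i < current})
    results = {}
    for port in {p for _, p in totals}:
        history = [totals.get((i, port), 0) for i in baseline_intervals]
        observed = totals.get((current, port), 0)
        # A port seen for the first time has an all-zero history, so its mean is 0 and
        # any traffic at all would look like a spike; report it as unbaselined instead.
        if len(history) < MIN_BASELINE_INTERVALS or not any(history):
            results[port] = ("no baseline", observed, 0.0, 0.0)
            continue
        mu, sd = mean(history), pstdev(history)
        threshold = mu + SIGMA * sd
        verdict = "sudden increase" if observed > threshold else "normal"
        results[port] = (verdict, observed, mu, threshold)
    return results


if __name__ == "__main__":
    for port, (verdict, observed, mu, thr) in sorted(evaluate_interval(FLOWS, 5).items()):
        print(f"port {port}: {verdict} (observed={observed}, mean={mu:.0f}, threshold={thr:.0f})")
```

A port whose history is perfectly constant has a standard deviation of 0, so any increase at all trips the rule; that is the same false-positive class the answer says the administrator has to judge.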
