Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
1
Replies

MARS receiving Netflows with 0.0.0.0/0

gmherring
Level 1
Level 1

‎09-21-2007 07:28 AM - edited ‎03-10-2019 03:48 AM

I am sending Netflows from my 6500s to MARS. I seem to get a lot of events that have 0.0.0.0/0 as the source and a lot that show that address and port as the destination.

Are these broadcasts?

Also most of my Netflow events are "Sudden Increase in traffic to a port". I turned on Netflow processing a week ago yet a lot of the raw event still show the mean as 0.

Labels:
0 Helpful
1 Reply 1

pmccubbin
Level 5
Level 5

‎09-23-2007 04:17 AM

I've been told that the "Sudden Increase in traffic to a port" means that MARS has seen a situation where the traffic to a port is more than 2 standard deviations from its normal traffic rate.

In the normal course of its operations, MARS develops a baseline of the network using Netflow. Consequently it's perfectly normal for there to be moments where you have spikes in traffic which would trigger this sort of event. It's then up to the administrator to determine if this is a false positive or not.

Hope this helps.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card