Netflow - More Granular Protocol Discovery

b.gamble (Level 1)

I'm troubleshooting a problem with overutilization of our Internet connection. In trying to determine which users and services are being overused, I've set up NetFlow on our core switch and SNMP on all other LAN switches. I'm able to get statistics from these devices, but NetFlow isn't giving me enough information. It'll tell me who's using HTTP, HTTPS, NetBIOS and so on, but there's a large percentage of traffic listed as "other".

I'm using PRTG to capture these statistics.

Is there any other way I can see what the "other" protocols are?

5 Replies

Jon Marshall (Hall of Fame)

NetFlow, and for a lot of apps NBAR as well, can only classify traffic they have been told about. And for a lot of apps they are simply classified by their port number, i.e. port 23 = telnet, port 25 = smtp. Sometimes a little more is done and the packet headers are inspected, e.g. HTTP and NBAR, but the majority are simply port number. In any enterprise environment there is always a lot of "other" traffic because each enterprise runs many apps that do not use well-known ports or are not known by NetFlow.

The only way to classify this traffic is to record the port numbers and then do some investigative work within your company and also on Google. Not the best answer for you unfortunately, but that's often the only way to make any progress.

Jon

Part of the problem is that it's proving difficult to see what the "other" protocols are.

PRTG shows the NetFlow top talkers, top connections and something else (can't remember). It'll show the ports for those. However, I can't see the top talker for only Internet-bound traffic because local traffic outweighs Internet-bound traffic so that it doesn't necessarily make any of the TopLists.

Is there any other software I can use to see the ports in use for ONLY Internet-bound traffic?
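Added example (not code from the thread, from PRTG or from any of the posters): a small script that does what the two replies above describe, in a form you can run offline. It classifies NetFlow-style records by port number the way a collector without DPI does, keeps only flows whose destination is outside RFC 1918 space so local SMB traffic cannot crowd the Internet-bound entries out of the top list, and then breaks the remaining "other" bytes down by destination port so you have the port numbers to go and investigate. The flow records are constructed sample data in a NetFlow v5-like CSV layout, and the well-known port table is an assumed subset. It also builds a Wireshark display filter that drops local-to-local packets, which is the filter you would need if you go the Wireshark/tshark route.

```python
"""Port-based classification of NetFlow-style records, restricted to
Internet-bound flows, with a breakdown of the ports hiding behind "other".

Added example (not from the thread or from PRTG). The flow records below are
constructed sample data in a NetFlow v5-like CSV layout; the well-known port
table is an assumed subset of what a port-based collector knows."""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed well-known (proto, port) -> application table.
WELL_KNOWN = {
    ("tcp", 21): "FTP", ("tcp", 22): "SSH", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS",
    ("tcp", 445): "SMB",
}

# RFC 1918 space is "local"; the other ranges never cross the Internet link either.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 RFC1918 + ["127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4"]]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_internet_bound(src: str, dst: str) -> bool:
    """Outbound flow: internal source talking to a non-internal destination."""
    return is_internal(src) and not is_internal(dst)


def classify(proto: str, sport: int, dport: int) -> str:
    """Port-only classification: try the destination (usually the server) port
    first, then the source port, exactly as a collector without DPI would."""
    for port in (dport, sport):
        app = WELL_KNOWN.get((proto, port))
        if app:
            return app
    return "other"


# Constructed flow export: two big local SMB flows plus some Internet-bound traffic.
SAMPLE_FLOWS = """src,dst,proto,sport,dport,bytes
192.168.1.10,192.168.1.5,tcp,51000,445,90000000
192.168.1.5,192.168.1.10,tcp,445,51000,80000000
192.168.1.10,93.184.216.34,tcp,51002,443,120000
192.168.1.11,203.0.113.7,udp,41000,8801,4500000
192.168.1.12,203.0.113.7,udp,41001,8801,3900000
192.168.1.13,198.51.100.9,tcp,52000,6881,2100000
192.168.1.10,8.8.8.8,udp,50001,53,2000
"""


def parse_flows(text: str):
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "src": row["src"], "dst": row["dst"], "proto": row["proto"].lower(),
            "sport": int(row["sport"]), "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def summarize_internet_bound(flows):
    """Return (bytes per application, "other" bytes per (proto, dport) sorted
    descending), counting only flows that actually leave the site."""
    by_app = defaultdict(int)
    other_by_port = defaultdict(int)
    for f in flows:
        if not is_internet_bound(f["src"], f["dst"]):
            continue  # local chatter would otherwise swamp the top lists
        app = classify(f["proto"], f["sport"], f["dport"])
        by_app[app] += f["bytes"]
        if app == "other":
            other_by_port[(f["proto"], f["dport"])] += f["bytes"]
    ranked = sorted(other_by_port.items(), key=lambda kv: -kv[1])
    return dict(by_app), ranked


def wireshark_internet_only_filter() -> str:
    """Display filter that drops packets where both ends are RFC 1918 addresses,
    usable in the Wireshark filter bar or as tshark -Y '<filter>'."""
    src = " || ".join(f"ip.src == {n}" for n in RFC1918)
    dst = " || ".join(f"ip.dst == {n}" for n in RFC1918)
    return f"!(({src}) && ({dst}))"


if __name__ == "__main__":
    apps, other = summarize_internet_bound(parse_flows(SAMPLE_FLOWS))
    for app, b in sorted(apps.items(), key=lambda kv: -kv[1]):
        print(f"{app:8} {b:>12,d} bytes")
    for (proto, port), b in other:
        print(f"  other -> {proto}/{port}: {b:,d} bytes")
    print(wireshark_internet_only_filter())
```

With the constructed data the two 80-90 MB local SMB flows vanish from the report, and "other" resolves to udp/8801 and tcp/6881, which is the kind of port list you then have to chase down internally or on Google. Point it at a real export by replacing SAMPLE_FLOWS with the CSV your collector can dump.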

I'm going to use Wireshark. I keep finding out new stuff that it does every time I use it. It keeps a more verbose list of the ports that cross its path.

You can use Wireshark, but you'll need to use filters to remove the internal traffic. Traditional NetFlow can only tell you what ports were used in the connection. NetFlow NBAR (i.e. not SNMP) uses Flexible NetFlow and performs deep packet inspection to identify what the actual application is. More details can be found in this blog on Scrutinizer: http://www.plixer.com/blog/netflow/what-is-cisco-nbar/

Jan Nejman (Level 3)

Hello,

I'm developing another NetFlow analyzer, Caligare Flow Inspector (http://www.caligare.com/netflow/cfi.php), and it is very difficult to say which port number is which application. I used some heuristics in CFI for application detection. E.g. for FTP the connection is established on a well-known port and the rest of the communication uses the "high" port range. CFI tracks flows, and if it finds a well-known connection recently, it will use the well-known application for the "other" traffic. So it gives you the ability to see "other" traffic. But it is only a heuristic.

The usual steps to identify the problem are to list top users (from your network), and on the top 1-5 users use the top applications query. It will usually find the problematic users. Some NetFlow analyzers can work with Cisco NBAR. (I think that ManageEngine supports it.) It is a nice feature and I can recommend it to you.

Jan
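Added example (not CFI's code and not from any poster) of the two things described in the reply above: the control-channel heuristic, where a high-port flow between the same two hosts shortly after a recognised control connection is attributed to that application, and the "top users, then top applications per user" query. The flows are constructed sample data; the 300-second window, the 1024 high-port boundary and the tiny port table are assumptions, and the "(heuristic)" tag on the attributed flows is there precisely because, as Jan says, it is only a guess.

```python
"""Control-channel heuristic for attributing "other" high-port flows, plus the
top-users / top-applications-per-user query.

Added example; this is not CFI's code and the flows are constructed sample
data. Assumption: a high-port flow between the same two hosts within WINDOW
seconds of a recognised control connection belongs to that application."""
from collections import defaultdict

CONTROL_PORTS = {("tcp", 21): "FTP"}          # control channels that spawn data flows
WELL_KNOWN = {("tcp", 443): "HTTPS", **CONTROL_PORTS}
HIGH_PORT = 1024                               # ephemeral range starts here (assumed)
WINDOW = 300                                   # seconds a control flow stays "recent"

# Constructed flows: (t_seconds, src, dst, proto, sport, dport, bytes)
FLOWS = [
    (0,   "10.0.0.5", "198.51.100.20", "tcp", 40001, 21,    1_200),       # FTP control
    (5,   "10.0.0.5", "198.51.100.20", "tcp", 40002, 52345, 50_000_000),  # passive-mode data
    (20,  "10.0.0.7", "203.0.113.9",   "udp", 41000, 3478,  800_000),     # no control seen
    (30,  "10.0.0.5", "93.184.216.34", "tcp", 40005, 443,   100_000),
    (400, "10.0.0.5", "198.51.100.20", "tcp", 40004, 52346, 5_000_000),   # control too old
]


def attribute(flows):
    """Return [(flow, app)] with flows processed in time order. Recognised
    control connections are remembered per host pair; later high-port flows
    between that pair inside WINDOW inherit the application, marked as a guess."""
    recent = {}  # frozenset({a, b}) -> (app, time of the control flow)
    out = []
    for f in sorted(flows, key=lambda x: x[0]):
        t, src, dst, proto, sport, dport, _ = f
        pair = frozenset((src, dst))
        app = WELL_KNOWN.get((proto, dport)) or WELL_KNOWN.get((proto, sport))
        if (proto, dport) in CONTROL_PORTS:
            recent[pair] = (CONTROL_PORTS[(proto, dport)], t)
        elif app is None and sport >= HIGH_PORT and dport >= HIGH_PORT:
            ctl = recent.get(pair)
            if ctl and t - ctl[1] <= WINDOW:
                app = f"{ctl[0]}-data (heuristic)"
        out.append((f, app or "other"))
    return out


def top_users(attributed, n=5):
    """Bytes per source address (the user's machine), largest first."""
    by_user = defaultdict(int)
    for f, _ in attributed:
        by_user[f[1]] += f[6]
    return sorted(by_user.items(), key=lambda kv: -kv[1])[:n]


def top_apps_for_user(attributed, user):
    """The "top applications" query for one user, largest first."""
    by_app = defaultdict(int)
    for f, app in attributed:
        if f[1] == user:
            by_app[app] += f[6]
    return sorted(by_app.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    a = attribute(FLOWS)
    for user, b in top_users(a):
        print(f"{user}: {b:,d} bytes")
        for app, ab in top_apps_for_user(a, user):
            print(f"    {app:24} {ab:,d}")
```

With the constructed flows, the 50 MB transfer five seconds after the FTP control connection is labelled FTP data, while the same host pair's high-port flow 400 seconds later falls outside the window and stays "other", which is the failure mode of any timing-based heuristic: it can miss as well as mislabel.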
