Solved: Traffic Analysis - ASA

omer_babiker · ‎06-10-2012

Hi all,

If I noticed a lot of (incoming&outcoming) traffic in outside interface of ASA. Is there any way to know where is this traffic coming or going to (IP address)?

And if that traffic happened earlier (for example 1 day ago), can I still know the origin or destination IP address?

Please help!!

Thanks in Advance,

Omer

Marvin Rhoads · ‎06-11-2012

The open source tool for capturing and analyzing netflow exports is ntop. Please see more information at http://www.ntop.org/products/ntop/

View solution in original post

Marvin Rhoads · ‎06-10-2012

There's no easy way to tell if you didn't already have instrumentation turned on.

The ASA is capable of exporting netflow data to an external collector. It is there that you would be able to retrospectively analyze top flows by source and destination address and port. Additionally in near real time you can monitor the top 10 hosts in the ASDM dashboard (or CLI equivalent).

omer_babiker · ‎06-10-2012

Thanks Marvin for your reply.

Actually I asked this question because I've seen spiky load in my outside interface which looked suspicious. I was curious to know where it came from.

I used show conn command, but it was only showing the connections in use.

I'm using opennms as monitioring tool, but not sure if it will help in this case.

Any recommendation??

Thanks,

Omer

Marvin Rhoads · ‎06-11-2012

The open source tool for capturing and analyzing netflow exports is ntop. Please see more information at http://www.ntop.org/products/ntop/

omer_babiker · ‎06-11-2012

Thanks for the valuable information