06-10-2012 02:11 AM - edited 03-11-2019 04:17 PM
Hi all,
If I notice a lot of (incoming and outgoing) traffic on the outside interface of an ASA, is there any way to know where this traffic is coming from or going to (IP address)?
And if that traffic happened earlier (for example 1 day ago), can I still know the origin or destination IP address?
Please help!!
Thanks in Advance,
Omer
06-10-2012 06:27 AM
There's no easy way to tell if you didn't already have instrumentation turned on.
The ASA is capable of exporting NetFlow data to an external collector. It is there that you would be able to retrospectively analyze top flows by source and destination address and port. Additionally, in near real time, you can monitor the top 10 hosts in the ASDM dashboard (or CLI equivalent).
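Added example, not part of the original reply and not code from Cisco or ntop: the kind of retrospective "top flows" query a collector makes possible once flow records have been stored. The record layout, the `INSIDE_NET` range and all sample values are constructed assumptions; addresses are from documentation ranges.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: flow records as a collector might store them after
# decoding the ASA's export (field layout is an assumption, not a real schema).
FLOWS = [
    # (end time, source IP, destination IP, dest port, bytes)
    ("2012-06-09 02:01:10", "198.51.100.7", "192.0.2.20", 443, 1_200_000),
    ("2012-06-09 02:03:45", "198.51.100.7", "192.0.2.20", 443, 48_000_000),
    ("2012-06-09 02:04:02", "203.0.113.50", "192.0.2.21", 25, 300_000),
    ("2012-06-09 02:05:30", "192.0.2.20", "198.51.100.7", 443, 2_500_000),
    ("2012-06-09 14:00:00", "203.0.113.50", "192.0.2.20", 80, 90_000_000),
]
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected range
FMT = "%Y-%m-%d %H:%M:%S"

def top_talkers(flows, start, end, n=3):
    """Rank (direction, remote IP, local IP, port) by bytes within [start, end)."""
    totals = Counter()
    for ts, src, dst, dport, nbytes in flows:
        when = datetime.strptime(ts, FMT)
        if not (start <= when < end):
            continue  # outside the spike window being investigated
        src_local = ipaddress.ip_address(src) in INSIDE_NET
        dst_local = ipaddress.ip_address(dst) in INSIDE_NET
        if src_local == dst_local:
            continue  # does not cross the outside interface
        if dst_local:
            key = ("inbound", src, dst, dport)
        else:
            key = ("outbound", dst, src, dport)
        totals[key] += nbytes
    return totals.most_common(n)

if __name__ == "__main__":
    # Investigate a spike seen on the interface graph at 02:00, a day earlier.
    spike = datetime(2012, 6, 9, 2, 0, 0)
    for (direction, remote, local, port), total in top_talkers(
            FLOWS, spike, spike + timedelta(minutes=10)):
        print(f"{direction:8} remote={remote:15} local={local:12} "
              f"port={port:<5} {total:>12,} bytes")
```

The query only works for periods in which export to the collector was already enabled; flows that were never recorded cannot be recovered afterwards.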
06-10-2012 10:16 PM
Thanks Marvin for your reply.
Actually, I asked this question because I've seen a spiky load on my outside interface, which looked suspicious. I was curious to know where it came from.
I used the show conn command, but it was only showing the connections in use.
I'm using OpenNMS as a monitoring tool, but I'm not sure if it will help in this case.
Any recommendations?
Thanks,
Omer
06-11-2012 07:23 AM
The open source tool for capturing and analyzing NetFlow exports is ntop. Please see more information at http://www.ntop.org/products/ntop/
06-11-2012 10:04 PM
Thanks for the valuable information