On Mon, Jun 29, 2015 at 9:59 AM, Mike Hammett <na...@ics-il.net> wrote:
> Simple flows wouldn't necessarily tell you if you're pulling a bunch from a
> Netflix caching box on your upstream somewhere. You'd think you had a huge
> amount going to your current upstream because technically you do, but a local
> cache or peer could alter that significantly.

probably dns and flow gets you some more traction, right? meaning:
  "gosh 1.2.3.0/26 is sending us LOTS of traffic... oh: nslookup 1.2.3.4 ==
  hosta.networkb.netflix.com, ah-ha!"

where ptr records are generated I suppose like:

  $ host 63.88.73.108
  108.73.88.63.in-addr.arpa domain name pointer 108.73.88.63.ashburn.google-ggc.verizon.com.

Also, often just port/protocol are helpful enough... you won't know
without looking (at the OP's traffic I mean), which it sounds like
hasn't really been done yet?
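
The flow-plus-PTR idea above, as an added example that is not part of the original post: it sums bytes per source /26 and tags each prefix with the trailing labels of its PTR names. The flow records, the PTR table (apart from the name shape quoted in the post) and the three-label suffix are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed flow summaries (src_ip, bytes); not real traffic.
FLOWS = [
    ("63.88.73.108", 9_000_000),
    ("63.88.73.109", 7_500_000),
    ("198.51.100.7", 1_200_000),
    ("198.51.100.9", 300_000),
    ("203.0.113.5", 50_000),
]

# Constructed PTR data so the example runs offline. The first entry follows
# the name shape quoted in the post; the others are invented.
SAMPLE_PTR = {
    "63.88.73.108": "108.73.88.63.ashburn.google-ggc.verizon.com.",
    "63.88.73.109": "109.73.88.63.ashburn.google-ggc.verizon.com.",
    "198.51.100.7": "cache7.isp.example.net.",
}

def live_ptr(ip):
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def ptr_suffix(name, labels=3):
    """Keep the last `labels` DNS labels, e.g. google-ggc.verizon.com."""
    if not name:
        return "(no PTR)"
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])

def top_sources(flows, resolve, prefix_len=26):
    """Sum bytes per source prefix and tag each prefix with its PTR suffixes."""
    totals, names = defaultdict(int), defaultdict(set)
    for ip, nbytes in flows:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[net] += nbytes
        names[net].add(ptr_suffix(resolve(ip)))
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(str(net), total, sorted(names[net])) for net, total in ranked]

if __name__ == "__main__":
    for row in top_sources(FLOWS, SAMPLE_PTR.get):
        print(row)
```

Pass `live_ptr` instead of `SAMPLE_PTR.get` to resolve against the system resolver; prefixes with no PTR are kept and labelled rather than dropped.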