Leandro,

To get a general idea of what's going on I would:

> 1. Target the peak on the graph (single timeslot).
> 2. In the Netflow Processing area, select the source-in-question ("cordoba" 
> in your case).
> 3. Leave the filter blank.
> 4. Select "Stat TopN".
> 5. Under Top, raise to 500. Under Stat, select "DST Port", and order by 
> "bytes".
> 6. Click "process" and check the nfdump output.

This will give you a breakdown of all flows in that timeslot grouped by 
destination port with flow/packet/byte count and percentages.

Judging by your attached graphs, you are looking for byte and/or packet counts 
with unusually high percentages.
You may want to try targeting the area on the graph just around the spikes so 
you can get an idea of "normal" percentages.

Also try adjusting Stat to "SRC Port", "SRC IP Address", and "DST IP Address", 
as well as order by "packets" for more info.

Once you start to narrow down a common denominator, you can use that in 
conjunction with a filter to target more precisely.

Regards,
- James
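
The comparison described above (a Stat TopN breakdown for the spike timeslot set against a neighbouring "normal" one), as an added Python example that is not part of the original thread. The flow tuples, function names and the 20-point threshold are constructed assumptions; the grouping mirrors nfdump's `-s dstport/bytes` statistic.

```python
from collections import defaultdict

# Constructed sample flows (not from the thread):
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
BASELINE = [
    ("198.51.100.10", 51000, "192.0.2.5", 443, 100, 120000),
    ("198.51.100.11", 51001, "192.0.2.6", 443, 80, 90000),
    ("198.51.100.12", 51002, "192.0.2.7", 53, 10, 1000),
    ("198.51.100.13", 51003, "192.0.2.8", 123, 5, 400),
]
SPIKE = BASELINE + [
    ("203.0.113.20", 40001, "192.0.2.9", 40000, 2000, 2800000),
    ("203.0.113.21", 40002, "192.0.2.9", 40000, 1800, 2500000),
    ("203.0.113.22", 40003, "192.0.2.9", 40000, 1900, 2700000),
]

FIELDS = {"srcip": 0, "srcport": 1, "dstip": 2, "dstport": 3}
ORDER = {"flows": 1, "packets": 2, "bytes": 3}


def top_n(flows, stat="dstport", order="bytes", n=500):
    """Group flows by one field; rows are (key, flows, packets, bytes, share %)."""
    agg = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        row = agg[f[FIELDS[stat]]]
        row[0] += 1          # flow count
        row[1] += f[4]       # packets
        row[2] += f[5]       # bytes
    col = ORDER[order] - 1
    total = sum(r[col] for r in agg.values()) or 1
    rows = [(k, r[0], r[1], r[2], 100.0 * r[col] / total) for k, r in agg.items()]
    rows.sort(key=lambda r: r[ORDER[order]], reverse=True)
    return rows[:n]


def unusual(spike, baseline, stat="dstport", order="bytes", jump=20.0):
    """Keys whose share in the spike slot is >= `jump` points above baseline."""
    normal = {r[0]: r[4] for r in top_n(baseline, stat, order)}
    return [(r[0], round(r[4], 1), round(normal.get(r[0], 0.0), 1))
            for r in top_n(spike, stat, order)
            if r[4] - normal.get(r[0], 0.0) >= jump]


if __name__ == "__main__":
    for stat, order in (("dstport", "bytes"), ("dstip", "packets")):
        print(stat, order, unusual(SPIKE, BASELINE, stat, order))
```

Each key that stands out becomes a candidate for the filter in the next, narrower query.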

On 2015-12-24 00:22, Leandro wrote:
> Hello guys, yesterday we registered a very unusual event on our network.
> UDP traffic went 240Mbps up from the average value in our main
> internet link as shown in the picture below:
> 
> I'm trying to get some info about this event using filters but still
> cannot get the idea.
> How can I know who is generating this traffic? I think that the
> solution should involve some ordered steps to get the source IP,
> destination port, etc.
> I can think also that it could be due to an attack, but I'm not sure.
> Any ideas about how to begin could be great,
> Regards,
> Leandro.
> 
> 
> 

> ------------------------------------------------------------------------------

> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

