Netflows Simplified (Part 1)

For any given office computer at any given time, numerous network communications are ongoing. There may be Kerberos authentication and ticketing between the computer and the domain controller. Streaming audio from, say, Pandora generates a steady stream of packets. ARP and DNS packets are interspersed with application-layer packets for files and websites. In sum, there are many thousands of packets to work through.

Like separating spaghetti strands from a bowl of pasta, separating packets into sessions lets us isolate and study one communication from end to end. Session data presents the packets for a single communication: that is, for a source host, a destination host, and a given application-layer protocol. The InfoSec analyst can then follow the packet trail through the session to see what transpired and how.

Now there are two ways to read a session: in detail and in summary. The detail of a session includes all the bytes of the packets; this is available from a switch mirror port. The summary of a session includes only the packet headers (IP, UDP, TCP). There are a few ways to get this information, including the Cisco NetFlow protocol. NetFlow can be built from all packets or from a statistically representative subset of them (sampled NetFlow).

Picture all network traffic for a given office computer as a big bowl of pasta. Pull out individual strands to get your session data. Keep statistics on the strands to get your NetFlow.
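To make the pasta analogy concrete, here is an added example (not code from the original post, and not Cisco's NetFlow implementation) that takes a constructed set of packet headers for one office computer and pulls them apart two ways: into unidirectional 5-tuple flows, which is how a NetFlow exporter keys its records, and into bidirectional sessions, the individual "strands" an analyst would follow. It also shows 1-in-N sampled flows, where the counts are scaled up to estimate the unsampled totals. The IP addresses, ports, timestamps and sizes are all invented for the example; note that the records keep only header-derived statistics (counts, bytes, first/last seen), never payload, which is exactly the "summary" view described above.

```python
"""Aggregate packet headers into NetFlow-style unidirectional flows,
bidirectional sessions, and 1-in-N sampled flows (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int    # capture time in milliseconds (constructed)
    proto: str    # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    size: int     # bytes on the wire


@dataclass
class FlowRecord:
    """Header-only summary: no payload is retained, only statistics."""
    first_ms: int
    last_ms: int
    packets: int = 0
    octets: int = 0

    def add(self, pkt, weight=1):
        self.first_ms = min(self.first_ms, pkt.ts_ms)
        self.last_ms = max(self.last_ms, pkt.ts_ms)
        self.packets += weight
        self.octets += pkt.size * weight


def flow_key(pkt):
    """Unidirectional 5-tuple: each direction of a conversation is its own flow,
    which is how a NetFlow exporter keys its records."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def session_key(pkt):
    """Bidirectional key: order the two endpoints so both directions map to
    the same session (one 'strand' of spaghetti)."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


def aggregate(packets, keyfn, weight=1):
    records = {}
    for p in packets:
        k = keyfn(p)
        rec = records.get(k)
        if rec is None:
            rec = records[k] = FlowRecord(p.ts_ms, p.ts_ms)
        rec.add(p, weight)
    return records


def build_flows(packets):
    return aggregate(packets, flow_key)


def build_sessions(packets):
    return aggregate(packets, session_key)


def build_sampled_flows(packets, n):
    """Deterministic 1-in-N sampling; packet and byte counts are multiplied
    by N to estimate what the unsampled flow would have shown."""
    kept = [p for i, p in enumerate(packets) if i % n == 0]
    return aggregate(kept, flow_key, weight=n)


def _burst(proto, src, sport, dst, dport, sizes, start_ms):
    """Helper to build a run of packets 10 ms apart (constructed data)."""
    return [Packet(start_ms + 10 * i, proto, src, sport, dst, dport, s)
            for i, s in enumerate(sizes)]


# Constructed traffic for one workstation: a DNS lookup, a Kerberos exchange
# with the domain controller, and a streaming-audio session (17 packets).
SAMPLE_PACKETS = sorted(
    _burst("udp", "10.0.0.5", 51000, "10.0.0.1", 53, [70], 0)
    + _burst("udp", "10.0.0.1", 53, "10.0.0.5", 51000, [120], 10)
    + _burst("tcp", "10.0.0.5", 49152, "10.0.0.2", 88, [200, 1500, 100], 50)
    + _burst("tcp", "10.0.0.2", 88, "10.0.0.5", 49152, [800, 60], 60)
    + _burst("tcp", "10.0.0.5", 49200, "203.0.113.7", 443, [80] * 5, 100)
    + _burst("tcp", "203.0.113.7", 443, "10.0.0.5", 49200, [1400] * 5, 110),
    key=lambda p: p.ts_ms,
)


if __name__ == "__main__":
    for name, recs in (("flows", build_flows(SAMPLE_PACKETS)),
                       ("sessions", build_sessions(SAMPLE_PACKETS)),
                       ("sampled 1-in-4", build_sampled_flows(SAMPLE_PACKETS, 4))):
        print(f"--- {name} ({len(recs)} records)")
        for key, rec in recs.items():
            print(f"{key}: {rec.packets} pkts, {rec.octets} bytes, "
                  f"{rec.first_ms}-{rec.last_ms} ms")
```

Running the script prints six unidirectional flows, three sessions, and the sampled estimate. The sampled output is the caveat to keep in mind: with 1-in-4 sampling the DNS reply and one direction of the Kerberos exchange vanish entirely, so sampled NetFlow is fine for volume statistics but can miss short sessions that an analyst would want to see.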
