Gartner: When is NetFlow good enough?

The most commonly used format is NetFlow v5. Network traffic monitoring with NetFlow generates statistics on the underlying data transfers, abstracted from individual packets, and on the parties to the communication; the content of the communication itself is not stored.

These statistics represent the flow data in the network, which can be thought of as similar to an itemised list of telephone calls. Network and security operations gain an understanding of who communicates with whom, when, for how long and how often. In the language of a data network, they monitor IP addresses, data volumes, timestamps, ports and protocols, and this can be further enriched with latency measurements and application-layer data for a variety of protocols.

When a client sends a request to a server, the active device with NetFlow export capability looks into the packet header and creates a flow record. When the server responds, the IP addresses and ports in the packet header are reversed, so another flow record is created: NetFlow is a one-way (unidirectional) technology, and a single conversation produces two records.

Subsequent packets with the same attributes (the 5-tuple of source and destination address, source and destination port, and protocol) update the previously created flow record, typically its packet and byte counters, last-seen timestamp and cumulative TCP flags. When the communication is over, or an active or inactive timeout expires, flow records are exported to a software or physical device called a NetFlow collector. There the data is ready to be stored and analysed for different purposes. NetFlow statistics are provided by network elements (routers, switches) or by specialised standalone hardware probes.
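The record life cycle described above, as an added example that is not part of the original page or of any vendor's code: a minimal flow cache keyed on the unidirectional 5-tuple (so the request and the reply become two separate records), which expires flows on FIN/RST or on active/inactive timeouts, then serialises the result into a NetFlow v5 datagram and parses it back the way a collector would. The packet sequence, addresses and timeout values are constructed for illustration; the byte layout follows the published NetFlow v5 header and record format.

```python
import ipaddress
import struct
import time
from dataclasses import dataclass

# Flow key: the unidirectional 5-tuple.  A reply has source and destination
# swapped, so it lands in a second, separate record.
Key = tuple  # (src_ip, dst_ip, src_port, dst_port, proto)


@dataclass
class Flow:
    key: Key
    first: int           # ms since exporter boot (SysUptime units)
    last: int
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0   # cumulative OR of TCP flags seen


class FlowCache:
    """Toy model of a router flow cache with active/inactive timeouts (assumed values)."""

    def __init__(self, active_ms=60_000, inactive_ms=15_000):
        self.active_ms, self.inactive_ms = active_ms, inactive_ms
        self.cache = {}       # key -> Flow still being updated
        self.exported = []    # flows handed to the exporter

    def packet(self, ts_ms, src, dst, sport, dport, proto, length, flags=0):
        """Account one packet header: create or update its flow record."""
        self._expire(ts_ms)
        key = (src, dst, sport, dport, proto)
        f = self.cache.get(key)
        if f is None:
            f = self.cache[key] = Flow(key, first=ts_ms, last=ts_ms)
        f.packets += 1
        f.octets += length
        f.last = ts_ms
        f.tcp_flags |= flags
        if proto == 6 and flags & 0x05:          # FIN or RST ends a TCP flow
            self.exported.append(self.cache.pop(key))

    def _expire(self, now_ms):
        # Export flows idle past the inactive timeout or older than the active one.
        for key, f in list(self.cache.items()):
            if now_ms - f.last > self.inactive_ms or now_ms - f.first > self.active_ms:
                self.exported.append(self.cache.pop(key))

    def flush(self):
        self.exported.extend(self.cache.values())
        self.cache.clear()
        return self.exported


V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def encode_v5(flows, uptime_ms=0, seq=0):
    """Exporter side: serialise up to 30 flows into one v5 datagram."""
    assert len(flows) <= 30, "v5 carries at most 30 records per datagram"
    now = time.time()
    out = V5_HEADER.pack(5, len(flows), uptime_ms, int(now),
                         int((now % 1) * 1e9), seq, 0, 0, 0)
    for f in flows:
        src, dst, sport, dport, proto = f.key
        out += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0, 0, 0,                      # nexthop, input ifIndex, output ifIndex
            f.packets, f.octets, f.first, f.last, sport, dport,
            0, f.tcp_flags, proto, 0,     # pad, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                # src_as, dst_as, src_mask, dst_mask, pad
    return out


def decode_v5(datagram):
    """Collector side: parse a v5 datagram back into plain dicts."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    recs = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        recs.append({"src": str(ipaddress.IPv4Address(r[0])),
                     "dst": str(ipaddress.IPv4Address(r[1])),
                     "packets": r[5], "octets": r[6], "first": r[7], "last": r[8],
                     "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13]})
    return recs


def demo():
    """Constructed TLS exchange: client 10.0.0.5 <-> server 203.0.113.10:443."""
    c, s = "10.0.0.5", "203.0.113.10"
    fc = FlowCache()
    fc.packet(1000, c, s, 51000, 443, 6, 60, flags=0x02)     # SYN
    fc.packet(1010, s, c, 443, 51000, 6, 60, flags=0x12)     # SYN/ACK
    fc.packet(1020, c, s, 51000, 443, 6, 500, flags=0x18)    # request
    fc.packet(1100, s, c, 443, 51000, 6, 1400, flags=0x18)   # response
    fc.packet(1110, s, c, 443, 51000, 6, 1400, flags=0x18)
    fc.packet(1200, c, s, 51000, 443, 6, 60, flags=0x11)     # FIN/ACK
    fc.packet(1210, s, c, 443, 51000, 6, 60, flags=0x11)     # FIN/ACK
    return decode_v5(encode_v5(fc.flush(), uptime_ms=2000, seq=1))


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Running `demo()` yields exactly two records for the one TCP session, one per direction, with 3 packets/620 octets client-to-server and 4 packets/2920 octets server-to-client; nothing of the 500-byte request body survives, which is the whole point of the abstraction.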

Probes are transparently connected to the monitored network as passive appliances, creating precise and detailed flow statistics from a copy of the network traffic (a mirror/SPAN port or a TAP). This approach is used to overcome the performance and feature limitations of router-based NetFlow monitoring. Whether a given router or switch exports usable flow data is something to test rather than assume: older devices can suffer performance degradation when exporting, may report imprecise statistics, or may have a limited scope of monitored traffic characteristics.

NetFlow data extracted from routers or switches is an abstraction of the network traffic itself. Because the content of the communication is not stored, the achievable aggregation rate compared to storing full packet traces is very high, and the bandwidth consumed by NetFlow exports is only a small fraction of the monitored traffic. Leveraging the flexible IPFIX format, specialised exporters are able to enrich flow records with application-layer information taken from packet payload (such as HTTP hostnames or DNS query names) to provide a deeper understanding of network traffic while still maintaining a high aggregation rate.

This brings appropriate detail while retaining scalability: insight into data communication, flexible reporting, effective troubleshooting of operational issues and the detection of security incidents. Such data makes it possible to analyse traffic structure, identify end stations transferring large amounts of data, or troubleshoot network issues and misconfigurations.
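To make "identify end stations transferring large amounts of data" and "detection of security incidents" concrete, here is an added example (not from the original page, nor from any product it names) of three checks that need nothing beyond flow fields: internal-to-external top talkers, port-scan-like fan-out of tiny flows from one source, and beaconing to the same destination at near-constant intervals. The flow records, the 10.0.0.0/8 "internal" range and the thresholds are constructed assumptions, and the CSV layout is a simplification, not nfdump's native output format.

```python
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space

# Constructed sample flows in a simplified CSV layout (not nfdump's own).
# Columns: start time (epoch seconds), src, dst, sport, dport, proto, packets, bytes
FLOWS_CSV = """\
ts,src,dst,sport,dport,proto,packets,bytes
1700000000,10.0.0.5,203.0.113.10,51000,443,6,120,9000
1700000000,203.0.113.10,10.0.0.5,443,51000,6,200,250000
1700000100,10.0.0.7,198.51.100.9,52000,443,6,40000,61000000
1700000300,10.0.0.9,192.0.2.77,40001,8443,6,2,120
1700000600,10.0.0.9,192.0.2.77,40002,8443,6,2,120
1700000900,10.0.0.9,192.0.2.77,40003,8443,6,2,120
1700001200,10.0.0.9,192.0.2.77,40004,8443,6,2,120
1700001500,10.0.0.9,192.0.2.77,40005,8443,6,2,120
1700000050,10.0.0.3,10.0.1.1,33001,22,6,1,60
1700000050,10.0.0.3,10.0.1.1,33002,23,6,1,60
1700000050,10.0.0.3,10.0.1.1,33003,80,6,1,60
1700000051,10.0.0.3,10.0.1.1,33004,443,6,1,60
1700000051,10.0.0.3,10.0.1.1,33005,445,6,1,60
1700000051,10.0.0.3,10.0.1.1,33006,3389,6,1,60
"""


def parse_flows(text):
    """Read the CSV into dicts with the numeric columns converted."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for k in ("ts", "sport", "dport", "proto", "packets", "bytes"):
            r[k] = int(r[k])
        rows.append(r)
    return rows


def top_talkers(flows, n=3):
    """Bytes sent from internal hosts to external ones, largest first."""
    out = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            out[f["src"]] += f["bytes"]
    return sorted(out.items(), key=lambda kv: kv[1], reverse=True)[:n]


def port_scanners(flows, min_ports=5, max_packets=2):
    """One source touching many destination ports with tiny TCP flows looks like a scan."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return [(s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports]


def beacons(flows, min_flows=4, max_cv=0.1):
    """Same src -> dst:port at near-constant intervals: a C2 beaconing candidate.

    The coefficient of variation (stdev / mean) of the inter-flow gaps is the
    regularity measure; human-driven traffic has a much higher one.
    """
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append((*key, mean, round(cv, 3)))
    return found


def run():
    flows = parse_flows(FLOWS_CSV)
    return {"top_talkers": top_talkers(flows),
            "scanners": port_scanners(flows),
            "beacons": beacons(flows)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

On the constructed data this flags 10.0.0.7 as the largest exporter of bytes, 10.0.0.3 for touching six ports on 10.0.1.1 with single-packet flows, and 10.0.0.9 for contacting 192.0.2.77:8443 every 300 seconds. Note what the flows do not say: whether the 61 MB was a backup or an exfiltration, or what the beacon carried, is exactly the payload question that only packet capture or application-layer enrichment can answer.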

However, the level of detail contained in NetFlow data might not suffice for deeper troubleshooting, forensics or performance monitoring, where full packet capture is the usual complement. SNMP, by contrast, collects data from the network devices themselves, giving information on their availability and status (CPU and RAM utilisation, how much bandwidth an interface is carrying, etc.). An agent running on a managed device reports the requested information via SNMP to the manager.

Flow data technology, mostly represented by NetFlow and IPFIX, is a passive, agentless technology dedicated to network monitoring with several operational and security applications. Network traffic monitoring with NetFlow generates statistics on the underlying data transfers and on the parties to the communication; the content of the communication is not stored. But what else can it tell us? Where does an observed anomaly originate?

Aside from a bit of fairly low-end hardware, it is free to set up and can be utilized by both SecOps and NetOps for an unsampled understanding of the network. People seem to only consider vendors when thinking about flows, despite tools like SiLK, Argus and nfdump having existed for quite a long time.

These tools sometimes have a moderately steep learning curve for the average analyst, but other tools like FlowBAT (free, for SiLK) and NfSen (also free, for nfdump) exist as front ends that both greatly reduce the learning curve and provide many additional features for accessibility and analysis. To get an idea of how far it is from being really effective, we only need to think about how it can be used to differentiate malware traffic from normal traffic.

Given that hackers are increasingly sophisticated, we will need to gather more information, not less, as in a NetFlow record. Several tools do this.

Some make use of this data better than others. One of the huge NetOps gains flow provides is the ability to see the path of a flow as it traverses the network. An advantage commercial tools have over freeware is the ability to de-duplicate the flow data while retaining the hop-by-hop information.

Beyond that, the differences are around the out-of-the-box algorithms and the ability to create and apply your own. Full disclosure: the company I work for sells a product in this space. It is not a panacea, but far better than it was just four years ago. Thanks a lot for the great comments and the discussion; sorry I was not able to answer every comment as I am under a deadline.

However, I really, really appreciate the discussion!

It can perform actions based on monitoring status changes using conditions and correlation rules.

The platform comes with a built-in reporting system and pre-made reports, and can be extended to monitor any parameter in the supported protocols. The platform can work as a stand-alone product or connect to existing management platforms (HP OpenView, Tivoli, Micromuse, Unicenter, etc.). MotaData is a unified analytics platform for IT monitoring and log management that derives business insights by real-time processing, correlation and visualization of IT network and security data.

NerveCenter is a Perl- and SNMP-based correlation application using finite-state technology to walk through network events looking for cause-and-effect relationships. The Netcool suite offers five product families that support domain-specific IT management, end-to-end consolidated operations and business service management.

NetCrunch is an all-in-one, agentless network monitoring and management system capable of monitoring every device in your network: bandwidth, availability, performance and NetFlow, with automatic views and maps, and all leading operating systems supported. NetInfo is a collection of 15 network tools in a single interface. NetInfo allows businesses to combat network downtime by allowing network administrators, webmasters and Internet service providers to isolate faults, process diagnostic data and increase internal network security.

N-able provides availability, performance, security and service management to multiple customers from one central web console. NetCrunch from AdRem provides visualization of physical network topology; flexible performance monitoring, trending and reporting; event filtering and escalation; SNMP management; and web access.

Netview Network Mom Availability is a Macintosh tool for monitoring, alerting and reporting on availability and latency. NeuralStar provides enterprise-class capabilities including NOC-level visibility, management of multiple and geographically distributed networks, and automatic failover and redundancy for continuous operations.

Observium seeks to provide a powerful yet simple and intuitive interface to the health and status of your network. This includes connected components such as servers, routers and printers, and services such as mail servers, web servers and virus scanners.

OpenNMS is an enterprise-grade network management platform developed under the open source model. It is designed to scale to tens or hundreds of thousands of managed nodes from a single instance. The software is free under the GPLv2 license, and commercial support, training, and consulting are available.

It offers network-centric views that are designed to deliver the critical information you need. Reconnoiter is a monitoring and trend analysis system designed to cope with large architectures (thousands of machines and hundreds of thousands of metrics).

Sentinet3 provides network, application, system, environment and security monitoring. ServersCheck is a web-based tool for monitoring networks and servers. StableNet is a carrier-grade performance management tool built upon open standards. SysOrb comes with an embedded database for statistics, an alert notification module, a report generator, etc.

It provides users with out-of-the-box capabilities to efficiently and proactively manage networks of any size. The Dude is a free network monitor that will automatically scan all devices within specified subnets, draw and lay out a map of your networks, monitor the services of your devices and alert you in case some service has problems.

It has a built-in end-user portal and multi-threaded polling engine for fast, reliable monitoring. With Uptrends Infra you can monitor network protocols and network devices.

Vallum Halo Manager is a web-based network monitoring tool based on GMI agent technology, suitable for small networks or distributed management of many subnets, featuring continuous polling of ping and GMI devices, auto-discovery, alerting and performance metrics. Verax NMS is a service availability and performance monitoring system supporting a range of network elements, including VMware vSphere and data center devices. WhatsUp Gold is available for single networks and as a distributed solution for managing large, geographically dispersed networks. Zoho Corp's ManageEngine OpManager is network management software.
