There’s Plenty of Room at the Bottom: An Invitation to Explore with Network Flows

Benjamin Black
b@fastip.com
What are Flows & Why Should You Care?
You Should Care Because Visibility Makes Your Life Easier.
Network Flow Data Means Great Visibility.
DDoS Detection
Capacity Planning
Traffic Management
Troubleshooting
Correlation
...
The Nature of Flows
[traffic]
[streams]
[packets]

Header | Payload
[headers]
Protocol
Source IP Address
Destination IP Address
Source Port
Destination Port
[latency]
[jitter]
[packet loss]
The Structure of Flows
[flow keys]
Protocol                    Protocol
Source IP Address           Source IP Address
Destination IP Address   =  Destination IP Address
Source Port                 Source Port
Destination Port            Destination Port
[templates]
template_id 253
protocol
src IPv4 address
dest IPv4 address
src port
dst port
total octets
total packets
start time
end time
[flow records]
template_id 253
TCP
172.16.101.3
192.169.7.200
9801
80
27342 octets
24 packets
start 28349829023
end 28356729023
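To make the flow key and the record fields concrete, here is an added example (it is not from the deck and not fast_ip code): a toy metering process in Python that aggregates packet headers into records carrying the fields of the deck's template_id 253, keyed on the five header fields the slides call the flow key. The packet sample is constructed so that the TCP flow reproduces the record on the slide above; the 15-minute idle timeout, the Packet/FlowRecord/Meter names and the by_destination summary (the "flow view": per destination, how much arrived and from whom) are my assumptions, not anything the deck specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Flow key: the five header fields the deck lists under [flow keys].
FlowKey = Tuple[str, str, str, int, int]  # (protocol, src ip, dst ip, src port, dst port)

@dataclass
class Packet:                # constructed packet header, not a real capture
    ts_ms: int               # observation time in milliseconds
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    length: int              # octets on the wire

@dataclass
class FlowRecord:
    """One record with the fields of the deck's template_id 253."""
    template_id: int
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    total_octets: int = 0
    total_packets: int = 0
    start_time: int = 0
    end_time: int = 0

def flow_key(p: Packet) -> FlowKey:
    return (p.protocol, p.src_ip, p.dst_ip, p.src_port, p.dst_port)

class Meter:
    """Minimal metering process: one active record per flow key. A flow whose
    last packet is older than idle_timeout_ms is exported, and a later packet
    with the same key opens a fresh record (the timeout value is an assumption)."""
    def __init__(self, idle_timeout_ms: int = 15 * 60_000):
        self.idle_timeout_ms = idle_timeout_ms
        self.active: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, p: Packet) -> None:
        self._expire(p.ts_ms)
        key = flow_key(p)
        rec = self.active.get(key)
        if rec is None:
            rec = FlowRecord(253, *key, start_time=p.ts_ms, end_time=p.ts_ms)
            self.active[key] = rec
        rec.total_octets += p.length
        rec.total_packets += 1
        rec.end_time = max(rec.end_time, p.ts_ms)

    def _expire(self, now_ms: int) -> None:
        stale = [k for k, r in self.active.items() if now_ms - r.end_time > self.idle_timeout_ms]
        for k in stale:
            self.exported.append(self.active.pop(k))

    def flush(self) -> List[FlowRecord]:
        """End of the measurement interval: export everything still active."""
        self.exported.extend(self.active.values())
        self.active.clear()
        return list(self.exported)

def by_destination(records: List[FlowRecord]) -> Dict[str, Tuple[int, List[str]]]:
    """The flow view: per destination, total octets and the sources that sent them."""
    out: Dict[str, Tuple[int, set]] = {}
    for r in records:
        octets, srcs = out.get(r.dst_ip, (0, set()))
        out[r.dst_ip] = (octets + r.total_octets, srcs | {r.src_ip})
    return {d: (o, sorted(s)) for d, (o, s) in out.items()}

# Constructed sample: 24 TCP segments that reproduce the slide's record
# (27342 octets, start 28349829023, end 28356729023), plus a UDP exchange with
# a 20-minute gap that the idle timeout splits into two records.
START, END = 28349829023, 28356729023
STEP = (END - START) // 23                        # 300000 ms between segments
SAMPLE_PACKETS = [
    Packet(START + i * STEP, "TCP", "172.16.101.3", "192.169.7.200", 9801, 80,
           1145 if i == 23 else 1139)                # 23 * 1139 + 1145 = 27342
    for i in range(24)
] + [
    Packet(START, "UDP", "172.16.101.3", "192.169.7.200", 40000, 53, 80),
    Packet(START + 20 * 60_000, "UDP", "172.16.101.3", "192.169.7.200", 40000, 53, 80),
]

def meter_sample() -> List[FlowRecord]:
    m = Meter()
    for p in sorted(SAMPLE_PACKETS, key=lambda p: p.ts_ms):
        m.observe(p)
    return m.flush()

if __name__ == "__main__":
    records = meter_sample()
    for r in records:
        print(r)
    print(by_destination(records))
```

Running it yields three records: the slide's TCP record exactly, and two single-packet UDP records, because the second UDP datagram arrived after the idle timeout. That split is the practical reason a collector must treat records as partial views of a conversation and sum them by key, rather than assuming one record per connection.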
The Ecosystem of Flows
[metering process]
template_id 253 | TCP | 172.16.101.3 | 192.169.7.200 | 9801 | 80 | 27342 octets | 24 packets | start 28349829023 | end 28356729023
(the slide shows four copies of this record leaving the meter)
[observation domain]
eth0
eth1
eth2
[collecting process]
template_id 253 | TCP | 172.16.101.3 | 192.169.7.200 | 9801 | 80 | 27342 octets | 24 packets | start 28349829023 | end 28356729023
(the slide shows three rows of four copies of this record arriving at the collector)
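The exporter-to-collector exchange, as an added example that is not part of the deck or of any product listed in it: the deck's template is encoded in the IPFIX (RFC 7011) message/set/template layout, with the field names mapped to the IANA Information Element IDs (protocolIdentifier 4, sourceIPv4Address 8, destinationIPv4Address 12, sourceTransportPort 7, destinationTransportPort 11, octetDeltaCount 1, packetDeltaCount 2, flowStartMilliseconds 152, flowEndMilliseconds 153), and the collector decodes records only with a template it has already learned. RFC 7011 reserves template IDs below 256 for set types, so the example uses 256 where the slide's diagram uses 253. The function names, the observation domain ID and the export time are assumptions.

```python
import socket
import struct
from typing import Dict, List, Tuple

TEMPLATE_ID = 256  # RFC 7011 reserves IDs below 256; the deck's 253 is illustrative
# (information element id, length in octets, field name from the deck's template slide)
TEMPLATE_FIELDS = [
    (4, 1, "protocol"),        # protocolIdentifier
    (8, 4, "src_ip"),          # sourceIPv4Address
    (12, 4, "dst_ip"),         # destinationIPv4Address
    (7, 2, "src_port"),        # sourceTransportPort
    (11, 2, "dst_port"),       # destinationTransportPort
    (1, 8, "total_octets"),    # octetDeltaCount
    (2, 8, "total_packets"),   # packetDeltaCount
    (152, 8, "start_time"),    # flowStartMilliseconds
    (153, 8, "end_time"),      # flowEndMilliseconds
]
IE_NAME = {ie: name for ie, _, name in TEMPLATE_FIELDS}
PROTO = {"TCP": 6, "UDP": 17}
PROTO_NAME = {v: k for k, v in PROTO.items()}

def _encode(name: str, length: int, value) -> bytes:
    if name in ("src_ip", "dst_ip"):
        return socket.inet_aton(value)
    if name == "protocol":
        value = PROTO[value]
    return int(value).to_bytes(length, "big")

def _decode(name: str, raw: bytes):
    if name in ("src_ip", "dst_ip"):
        return socket.inet_ntoa(raw)
    v = int.from_bytes(raw, "big")
    return PROTO_NAME.get(v, v) if name == "protocol" else v

def template_set() -> bytes:
    """Set ID 2 carries templates: template id, field count, then (ie id, length) pairs."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", ie, ln) for ie, ln, _ in TEMPLATE_FIELDS)
    return struct.pack("!HH", 2, 4 + len(body)) + body

def data_set(records: List[Dict]) -> bytes:
    """A data set's set ID is the template ID that describes its records."""
    body = b"".join(_encode(n, ln, r[n]) for r in records for _, ln, n in TEMPLATE_FIELDS)
    return struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body

def export_message(records: List[Dict], export_time: int, seq: int, obs_domain: int) -> bytes:
    """Exporting side: 16-octet header (version 10) followed by the sets."""
    sets = template_set() + data_set(records)
    return struct.pack("!HHIII", 10, 16 + len(sets), export_time, seq, obs_domain) + sets

def collect(msg: bytes) -> Tuple[int, List[Dict]]:
    """Collecting side: learn templates from set 2, decode data sets only with a known template."""
    if len(msg) < 16:
        raise ValueError("message shorter than an IPFIX header")
    version, length, _, _, obs_domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[Dict] = []
    pos = 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body = msg[pos + 4:pos + set_len]
        if set_id == 2:
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256:
            spec = templates.get(set_id)
            if spec is None:  # data before its template: reject rather than guess the layout
                raise ValueError(f"data set for unknown template {set_id}")
            rec_len, off = sum(ln for _, ln in spec), 0
            while off + rec_len <= len(body):  # trailing bytes shorter than a record are padding
                rec = {}
                for ie, ln in spec:
                    name = IE_NAME.get(ie, f"ie{ie}")
                    rec[name] = _decode(name, body[off:off + ln])
                    off += ln
                records.append(rec)
        pos += set_len
    return obs_domain, records

# The record from the deck's [flow records] slide.
SLIDE_RECORD = {"protocol": "TCP", "src_ip": "172.16.101.3", "dst_ip": "192.169.7.200",
                "src_port": 9801, "dst_port": 80, "total_octets": 27342, "total_packets": 24,
                "start_time": 28349829023, "end_time": 28356729023}

def export_sample() -> bytes:
    return export_message([SLIDE_RECORD], export_time=1700000000, seq=0, obs_domain=1)

def round_trip() -> Tuple[int, List[Dict]]:
    return collect(export_sample())

if __name__ == "__main__":
    print(round_trip())
```

The template set precedes the data set in the same message here, so the collector can decode immediately; real exporters typically resend templates only periodically, which is why a collector started mid-stream sees data sets it cannot yet interpret and must drop them (as collect does) until a template arrives.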
Storage and Analysis are Left as an Exercise for the Reader
Where Do Meters Run?
On Network Switches/Routers [often sampled]
Dedicated Appliances [expensive/limited storage]
On Hosts [where does the data go?]
The Classical View
Where is this going?
Where is this going? Where is this coming from?
The Flow View
TANSTAAFL
Flow Data Takes Up LOTS of Space
[often >1% total traffic]
LOTS of Space Means Storage Expense or Loss of Resolution or Truncation
LOTS of (Multi-dimensional) Data is Hard to Analyze
Inflexible and Limited or Expensive and Complicated
[apologies]
[resources]
IPFIX WG: http://datatracker.ietf.org/wg/ipfix/charter/
nProbe: http://www.ntop.org/nProbe.html
Cisco NetFlow Collection Engine: http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/index.html
Arbor Networks: http://www.arbornetworks.com/
Dartware: http://www.intermapper.com/products/intermapper-flows
[finally...]
fast_ip is a platform for flow analytics
Sign up for our beta: http://fastip.com