Not another blog post on Conficker...

Today several folks here at the SolarWinds offices in Austin TX suggested that I write a blog post on the Conficker virus. This morning that seemed like a pretty good idea, but as the day went on and I started reading all of the great blog posts and articles (check out the ones by Network World and ZDNet) out there that have been written about this already - there really didn't seem to be anything else to say and it's pretty late to do anything to affect April 1st, so I've decided to write about something else entirely.

Last week we did a great webcast on network troubleshooting technologies. I say it was great not because I had any particular stroke of genius or because I had such a fantastic co-host in Sparky, but because we've had such phenomenal feedback from the attendees and even people that couldn't attend but wanted the content. As a matter of fact, the demand has been so strong that we've decided to do a part 2 in April.

The most common questions had to do with detecting and monitoring specific types of traffic on the network. Some people were wanting to monitor RDP traffic, some people were concerned about YouTube, others focused on ustream, some were worried about virus and worm traffic, and a few people were concerned with monitoring the traffic created by monitoring. It seems that we've definitely reached a point where not having visibility into the traffic on your network is simply unacceptable.

The good news is that whether you're working within a large enterprise with a substantial budget for network monitoring or a small business or public school with a limited (or maybe even non-existent) budget for doing network management - there are great solutions available to you to help you answer the age-old question of "who is using our bandwidth and for what?"

There are loads of people out there that will tell you which tools you should be using and promote their own favorite free or paid-for tools, and I've certainly talked about my favorites in past posts. So tonight, rather than point you towards tools, I'm going to give you my Top 5 List of things you need to consider when monitoring network traffic.

Head Geek's Top 5 List of Things to Consider when Monitoring Network Traffic

#5 - Consider the source. Where you monitor network traffic is a key part of understanding what your monitoring tools are telling you. Which device was the NetFlow export sourced from? Which interface? Was it an ingress flow or an egress flow? Understanding these details is the first step in analyzing your network traffic.

#4 - Document your known traffic. It's very important to understand which TCP ports your business applications run on, what DSCP or TOS settings you should see on that traffic, and which routes that traffic should be taking. Knowing these things will help you to analyze the performance of your applications and will help you to gain an "intuition" when it comes to understanding the performance of these apps on the network.

#3 - Understand how Content Delivery Networks (CDNs) work. It's not as straight-forward as you might imagine.

#2 - Know your network topology. No excuses here, folks. Don't just document it - but learn it.

#1 - Do something. If you haven't started - start now. If you've gotten started but still aren't able to understand your traffic as well as you want to - get help. Last but not least, if you have implemented traffic analysis tools and you feel that you've got a good handle on your own network traffic - share the knowledge. Become an active contributor within the forums here. There are a lot of people out there that are just getting started and could really use a "network traffic mentor". Step up.
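As an added example (not code from the original post or from SolarWinds), here is a small Python check that applies items #5 and #4 together: it takes constructed NetFlow-style records, keeps track of the exporter, interface and direction each flow came from, and compares each flow's destination port and DSCP against a documented inventory of known applications. The application names, ports, DSCP values and flow records are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed "known traffic" inventory (item #4): the TCP port each business
# application runs on and the DSCP its traffic should carry (assumed values).
KNOWN_APPS = {
    "crm-web": {"port": 443, "dscp": 0},
    "voip-signaling": {"port": 5060, "dscp": 24},  # CS3
    "rdp": {"port": 3389, "dscp": 0},
}

# One NetFlow-style record. exporter, ifindex and direction answer item #5's
# questions (which device, which interface, ingress or egress); tos is the raw
# 8-bit ToS byte as exported, of which DSCP is the top 6 bits.
Flow = namedtuple("Flow", "exporter ifindex direction dst_port tos bytes")

def dscp_of(tos: int) -> int:
    """Extract the 6-bit DSCP value from the 8-bit ToS field."""
    return (tos >> 2) & 0x3F

def classify(flow: Flow) -> dict:
    """Match one flow against the inventory and list deviations from it."""
    issues = []
    app = next((n for n, s in KNOWN_APPS.items() if s["port"] == flow.dst_port), None)
    if app is None:
        issues.append(f"unknown traffic on port {flow.dst_port}")
    elif dscp_of(flow.tos) != KNOWN_APPS[app]["dscp"]:
        issues.append(f"dscp {dscp_of(flow.tos)} != expected {KNOWN_APPS[app]['dscp']}")
    return {"exporter": flow.exporter, "ifindex": flow.ifindex,
            "direction": flow.direction, "app": app, "issues": issues}

def report(flows) -> list:
    """Return only the flows that deviate from the documented baseline."""
    return [f for f in map(classify, flows) if f["issues"]]

def bytes_by_source(flows) -> dict:
    """Total bytes per (exporter, interface, direction), the context item #5 asks for."""
    totals = {}
    for f in flows:
        key = (f.exporter, f.ifindex, f.direction)
        totals[key] = totals.get(key, 0) + f.bytes
    return totals

# Constructed sample flows, not real captures: normal web traffic, VoIP
# signaling that lost its CS3 marking, and an undocumented port on the edge.
SAMPLE_FLOWS = [
    Flow("core-rtr1", 3, "ingress", 443, 0x00, 120000),
    Flow("core-rtr1", 3, "ingress", 5060, 0x00, 8000),
    Flow("edge-rtr2", 1, "egress", 6881, 0x00, 90000),
]
```

Running `report(SAMPLE_FLOWS)` flags the unmarked VoIP flow and the unknown port while the documented web traffic stays quiet; `bytes_by_source` shows which exporter and interface the volume came through.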

If you've got some other tips for understanding network traffic ping me back or leave a comment.

Flame on...
Follow me on Twitter

1 Comment
A good topic, considering this malware, and more sophisticated packages, are still out there.

But a question for SolarWinds or Thwack: How are old / obsolete blogs and queries archived or removed? I've seen plenty of entries that are no longer valid or useful due to their issues having been resolved or eliminated through attrition. Might there be a solution for cleaning up the Thwack blogs that can be done with anything other than by manually reviewing them?