4 Replies Latest reply on Feb 25, 2010 3:39 PM by jswan

    Trace Source Port using Netflow

      I have my Catalyst 6509 configured for Netflow and I'm testing out NetFlow Traffic Analyzer as a product we might be interested in buying but I can't get the info I'm needing to show this is a viable purchase.

      Here is my question. I have been given a Source Port and the NAT hide behind address (Using fake NAT for security) and I'm needing to gather information on this connection. Here is a screen shot of the exact info as it comes to me. I need to be able to provide either a MAC address or the real address of the PC.

      IP Address       Timestamp
      ----------------------------------------
      192.168.1.1     2010-02-18.19:38:05-0000  SrcPort:TCP/13717  MalwareType:Torpig

        • Re: Trace Source Port using Netflow
          Andy McBride

          If your NetFlow exporter is on the NATed side, you will not be able to see the original IP, as it has already been translated.

            • Re: Trace Source Port using Netflow

              My exporter sits behind the firewall, as do all of our clients. It flows through my 6509 before it gets NAT'd. We send all our outbound Internet traffic to the Main Campus IT dept for routing (we are a university), and they sit outside our firewall. If we give them this same information, they can tell us what original IP this came from and its MAC address.

              I haven't seen where Orion displays any MAC address info, which would be useful.

                • Re: Trace Source Port using Netflow
                  pyro13g

                  The MAC for the end station is only known by the last hop router before the end station. That device is the one that makes the ARP request and caches the answer in its ARP table. You are going to have to rely on that other party to give you the info you need.

                    • Re: Trace Source Port using Netflow
                      jswan

                      Cisco's dynamic NAT implementation tries to use the same source port on the outside as the client does on the inside. If the source port is already in use, it tries the next available port, incrementally.

                      In theory, you can narrow down stuff like this by searching for inside hosts using a source port in the same range during the same time window. In this case, you would search your NetFlow record for inside hosts using a source port "around" tcp/13717 during that timeframe.

                      In practice, this can be difficult-to-impossible if you have a high traffic volume with a large NAT translation table. It's also difficult to get source port information out of NTA. I'm hoping that Solarwinds will continue to improve search capabilities for this and similar forensic tracking use cases.

                      Probably the best solution would be to use the same bot detection tool that your upstream is using, but install it behind the NAT.
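The search jswan describes, as an added example that is not part of the original thread or of NTA: parse the upstream's notice line, then shortlist inside (pre-NAT) flows in the same protocol and time window whose source port sits near tcp/13717. The flow records and inside addresses are constructed, collector timestamps are assumed to be UTC like the notice, and the port and time windows are arbitrary defaults.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:
    """One NetFlow record from the inside (pre-NAT) exporter; timestamps assumed UTC."""
    start: datetime
    src_ip: str
    proto: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample records with hypothetical inside addresses, not real flow data.
SAMPLE_FLOWS = [
    Flow(datetime(2010, 2, 18, 19, 38, 4), "10.20.1.37", "TCP", 13717, "203.0.113.9", 443),
    Flow(datetime(2010, 2, 18, 19, 37, 50), "10.20.1.88", "TCP", 13720, "203.0.113.9", 80),
    Flow(datetime(2010, 2, 18, 17, 38, 5), "10.20.1.5", "TCP", 13717, "198.51.100.4", 80),    # right port, wrong hour
    Flow(datetime(2010, 2, 18, 19, 38, 5), "10.20.1.61", "UDP", 13717, "198.51.100.53", 53),  # right port, wrong protocol
    Flow(datetime(2010, 2, 18, 19, 38, 6), "10.20.1.12", "TCP", 52044, "203.0.113.9", 443),   # port far outside the window
]

REPORT_LINE = "192.168.1.1     2010-02-18.19:38:05-0000  SrcPort:TCP/13717"
_REPORT_RE = re.compile(r"(\d{4}-\d{2}-\d{2}\.\d{2}:\d{2}:\d{2})-0000\s+SrcPort:(\w+)/(\d+)")

def parse_upstream_report(line):
    """Pull (timestamp, protocol, outside source port) out of the upstream's notice."""
    m = _REPORT_RE.search(line)
    if not m:
        raise ValueError("unrecognised report line: %r" % line)
    return datetime.strptime(m.group(1), "%Y-%m-%d.%H:%M:%S"), m.group(2).upper(), int(m.group(3))

def candidate_inside_hosts(flows, observed_at, observed_port, proto="TCP",
                           port_slack=32, time_slack=timedelta(minutes=5)):
    """Inside flows in the same protocol and time window with a source port within
    port_slack of the one the upstream saw.  Exact match ranks first, then ports
    below the observed one (the translation only steps upward), then nearest in time."""
    hits = [f for f in flows
            if f.proto == proto
            and abs(f.src_port - observed_port) <= port_slack
            and abs(f.start - observed_at) <= time_slack]
    hits.sort(key=lambda f: (f.src_port > observed_port,
                             abs(f.src_port - observed_port), abs(f.start - observed_at)))
    return hits

if __name__ == "__main__":
    when, proto, port = parse_upstream_report(REPORT_LINE)
    print([(f.src_ip, f.src_port) for f in candidate_inside_hosts(SAMPLE_FLOWS, when, port, proto)])
```

The output is a shortlist to check against DHCP and ARP records on the last-hop device, not proof of which host made the connection.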