1 Reply Latest reply on Dec 24, 2014 1:26 PM by choly

    Missing Netflow data

    vidarst

      Hello people,


      One of our use cases of Netflow is to track down security-related incidents where our ISP reports users to us for whatever reason. Most of the "footprints" our ISPs use are *VERY* small (1-400Kbit) TCP/HTTP or UDP C&C transactions between an internal user in our network and an external IP. In many of these cases I can't find the transactions our ISP is reporting, although I can clearly see the source IP is ours and should originate from a specific router/router interface on our network. In fact, most of the time they report such incidents, I'm not able to track down the related Netflow data because I simply can't find it when I search for "Endpoint IP address" (which is normally the unique identifier of the incident).


      Is there any reason why Netflow should disregard tiny transactions like these? I've configured NTA to monitor all ports.


      Thanks in advance,


      Best regards,


      Vidar S

        • Re: Missing Netflow data
          choly

          Hi Vidar,

          Is there any reason why Netflow should disregard tiny transactions like these?

          Yes, it is, a process called Top Talker Optimization. With the default set at 95%, it stores the flows which make up 95% of the total bytes of incoming flows. This works just fine for most of our customers; however, if you are interested in *VERY* small traffic, please increase the value to 100% in NetFlow Settings > Top Talker Optimization. Please note that storing 100% of incoming flows will affect the required DB size and may also negatively impact chart and report loading times.
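To show why a byte-volume cut-off hides exactly the flows an abuse report points at, here is an added illustration (not SolarWinds code, and only an approximation of how a top-talker optimization behaves): the largest flows are kept until they account for a chosen fraction of total bytes, and a search by endpoint IP is run over what survives. The flow records are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    bytes: int


# Constructed sample export: three bulk flows plus two tiny beacons
# to the same external host (the kind of thing an ISP report names).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "tcp", 443, 800_000_000),   # bulk download
    Flow("10.0.0.7", "203.0.113.11", "tcp", 80, 150_000_000),    # web traffic
    Flow("10.0.0.9", "203.0.113.12", "udp", 53, 40_000_000),     # DNS
    Flow("10.0.0.5", "198.51.100.99", "tcp", 8080, 25_000),      # tiny beacon
    Flow("10.0.0.7", "198.51.100.99", "udp", 4444, 12_000),      # tiny beacon
]


def top_talker_filter(flows, keep_fraction=0.95):
    """Approximate a top-talker optimization: keep the largest flows,
    in descending byte order, until they cover keep_fraction of the
    total bytes seen. Everything after that point is discarded."""
    total = sum(f.bytes for f in flows)
    threshold = keep_fraction * total
    kept, cumulative = [], 0
    for flow in sorted(flows, key=lambda f: f.bytes, reverse=True):
        if cumulative >= threshold:
            break
        kept.append(flow)
        cumulative += flow.bytes
    return kept


def flows_to_endpoint(flows, endpoint_ip):
    """The 'search by endpoint IP address' an analyst runs on stored flows."""
    return [f for f in flows if endpoint_ip in (f.src, f.dst)]


def dropped_flows(flows, keep_fraction=0.95):
    """Flows the optimization would silently discard at this setting."""
    kept = set(top_talker_filter(flows, keep_fraction))
    return [f for f in flows if f not in kept]
```

With the sample data, a search for the reported endpoint returns nothing at 95% and both beacons at 100%, even though the beacons are under 0.01% of total bytes.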