5 Replies Latest reply on Jul 10, 2015 5:50 AM by michal.hrncirik

    Common list of Netflow applications to add


      Hello everyone,


      Has anyone seen a common list of applications that you can add to Netflow? For example, Netflix, YouTube, Facebook, etc... Big bandwidth hogs like streaming video can usually be seen pretty quickly on Netflow, however I would like to create a customized view that shows the usage of several common applications/destinations and the bandwidth being used for those communications.


      Thanks in advance!

        • Re: Common list of Netflow applications to add
          Craig Norborg

          Hmm... The problem is that most sites like these (and specifically these) aren't unique "applications" as far as Netflow is concerned. For something to be an application, it has to have a unique attribute like a port number. For example TCP port 25 is SMTP, TCP 110 is POP3, TCP 22 is SSH, TCP 80 is HTTP, TCP 443 is HTTPS, etc. etc...


          Facebook definitely used HTTP/HTTPS (i.e. TCP ports 80 and 443), but not all traffic on those ports is Facebook. I believe both YouTube and Netflix will also use these ports (HTTP/HTTPS), possibly in addition to a few other standard video streaming ports and maybe even some custom ports.


          I'm guessing the best way to classify this traffic in Netflow would be to use IP address groups, do some research to find out where the majority of traffic is coming from for those websites, and create IP groups for them. I'm also guessing that the IPs used by these sites might shift from time to time. There is also a good chance that they might offload some of the traffic onto different vendors' caching services, like Akamai...


          Good luck though!!
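
Added example (not part of the original thread or any poster's code): a sketch of the IP address group approach suggested above, summing flow bytes per group and falling back to the well-known ports named earlier. The group names, prefixes (RFC 5737 documentation ranges) and flow records are constructed placeholders, not real service addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder groups (RFC 5737 documentation ranges), NOT real service prefixes.
IP_GROUPS = {
    "streaming-video": ["198.51.100.0/24", "203.0.113.0/25"],
    "social-media": ["203.0.113.128/25"],
}
# Port-based fallback, using the ports listed in the reply above.
PORT_APPS = {25: "SMTP", 110: "POP3", 22: "SSH", 80: "HTTP", 443: "HTTPS"}

def build_index(groups):
    """Flatten groups to (network, name) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(c), name) for name, cidrs in groups.items() for c in cidrs]
    index.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return index

def classify(flow, index):
    """IP group match on either endpoint wins; otherwise fall back to port."""
    for addr in (flow["dst"], flow["src"]):
        ip = ipaddress.ip_address(addr)
        for net, name in index:
            if ip.version == net.version and ip in net:
                return name
    for port in (flow["dport"], flow["sport"]):
        if port in PORT_APPS:
            return PORT_APPS[port]
    return "unclassified"

def bytes_by_app(flows, groups=IP_GROUPS):
    """Sum the byte counters of flow records per classified application."""
    index = build_index(groups)
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow, index)] += flow["bytes"]
    return dict(totals)

# Constructed sample flow records (both directions of one conversation included).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.20", "sport": 51000, "dport": 443, "bytes": 900000},
    {"src": "198.51.100.20", "dst": "10.0.0.5", "sport": 443, "dport": 51000, "bytes": 45000000},
    {"src": "10.0.0.7", "dst": "203.0.113.200", "sport": 51001, "dport": 443, "bytes": 120000},
    {"src": "10.0.0.7", "dst": "192.0.2.10", "sport": 51002, "dport": 443, "bytes": 30000},
    {"src": "10.0.0.9", "dst": "192.0.2.25", "sport": 51003, "dport": 25, "bytes": 8000},
    {"src": "10.0.0.9", "dst": "192.0.2.99", "sport": 51004, "dport": 5555, "bytes": 500},
]

if __name__ == "__main__":
    for app, total in sorted(bytes_by_app(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{app:16} {total:>12} bytes")
```

The flow to 192.0.2.10 on port 443 lands in the generic HTTPS bucket, which is the limitation raised in this thread: any prefix missing from a group, or shared with a CDN, is invisible to this method.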

          • Re: Common list of Netflow applications to add

            As mentioned already, trying to track this and get the right level of visibility using IP ranges and port numbers is almost impossible. Netflow is really struggling these days to track Internet activity due to the huge growth in CDNs (Content Distribution Networks), increased use of proxies, etc. One really has to look inside the packets to get the names, the readable and accurate detail you require. Seems like organizations are finding it really difficult these days to get the right level of visibility, to really understand bandwidth usage on those few really critical links including the Internet.


            Some sort of DPI-based technology which also includes application classification (classify traffic by application by looking inside the actual packets, not using port numbers) should get you the granularity/level of visibility you need, including bandwidth, IP address and sometimes even user name. There are a number of options out there, including our LANGuardian, which also integrates with NPM, etc.