
Common list of Netflow applications to add

Hello everyone,

Has anyone seen a common list of applications that you can add to Netflow? For example, Netflix, YouTube, Facebook, etc... Big bandwidth hogs like streaming video can usually be seen pretty quickly on Netflow, however I would like to create a customized view that shows the usage of several common applications/destinations and the bandwidth being used for those communications.

Thanks in advance!

  • Hmm... The problem is that most sites like these (and specifically these) aren't unique "applications" as far as Netflow is concerned. For something to be an application, it has to have a unique attribute like a port number. For example TCP port 25 is SMTP, TCP 110 is POP3, TCP 22 is SSH, TCP 80 is HTTP, TCP 443 is HTTPS, etc. etc...

    Facebook definitely used HTTP/HTTPS (i.e. TCP ports 80 and 443), but not all traffic on those ports is Facebook. I believe both YouTube and Netflix will also use these ports (HTTP/HTTPS), possibly in addition to a few other standard video streaming ports and maybe even some custom ports.

    I'm guessing the best way to classify this traffic in Netflow would be to use IP address groups, do some research to find out where the majority of traffic is coming from for those websites, and create IP groups for them. I'm also guessing that the IPs used by these sites might shift from time to time. There is also a good chance that they might offload some of the traffic onto different vendors' caching services, like Akamai...

    Good luck though!!
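The IP-group approach suggested in the reply above, with the port-based fallback it describes, as an added example that is not part of the original thread. The group names, the prefixes (RFC 5737 documentation ranges used as placeholders) and the flow records are all constructed for illustration; the fourth record shows what happens when a site's addresses shift outside the group.

```python
import ipaddress
from collections import defaultdict

# Hypothetical IP groups. Prefixes are RFC 5737 documentation ranges used as
# placeholders, not the real address space of any service.
IP_GROUPS = {
    "video-site-a": ["198.51.100.0/24"],
    "social-site-b": ["203.0.113.0/25", "192.0.2.0/24"],
}
# Port-based "applications", the ones listed in the reply above.
PORT_APPS = {("tcp", 25): "SMTP", ("tcp", 110): "POP3", ("tcp", 22): "SSH",
             ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

# Flatten to (network, label) pairs, most specific prefix first.
_NETS = sorted(((ipaddress.ip_network(cidr), name)
                for name, cidrs in IP_GROUPS.items() for cidr in cidrs),
               key=lambda item: item[0].prefixlen, reverse=True)

def classify(flow):
    """Label a flow by IP group first, then by well-known port."""
    for ip in (flow["dst"], flow["src"]):      # either direction may match
        addr = ipaddress.ip_address(ip)
        for net, name in _NETS:
            if addr in net:
                return name
    for port in (flow["dport"], flow["sport"]):
        app = PORT_APPS.get((flow["proto"], port))
        if app:
            return app
    return "unclassified"

def bytes_by_label(flows):
    """Sum bytes per label, the figure a per-application view would chart."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow)] += flow["bytes"]
    return dict(totals)

def _f(src, dst, proto, sport, dport, nbytes):
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "bytes": nbytes}

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    _f("10.0.0.5", "198.51.100.20", "tcp", 51000, 443, 900_000),
    _f("198.51.100.20", "10.0.0.5", "tcp", 443, 51000, 48_000_000),
    _f("10.0.0.7", "203.0.113.9", "tcp", 51001, 443, 2_500_000),
    _f("10.0.0.7", "203.0.113.200", "tcp", 51002, 443, 700_000),  # outside the /25
    _f("10.0.0.9", "10.0.0.25", "tcp", 51003, 25, 12_000),
    _f("10.0.0.9", "10.0.0.30", "udp", 51004, 4500, 3_000),
]

if __name__ == "__main__":
    for label, total in sorted(bytes_by_label(SAMPLE_FLOWS).items()):
        print(f"{label:15s} {total:>12,d} bytes")
```

The flow to 203.0.113.200 is counted as generic HTTPS because it falls outside the configured group, which is the drift and CDN-offload problem the reply anticipates.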

  • As I suspected, it may be a little more involved than just specifying some IPs. I'll keep looking into it but thanks for the reply!

  • As mentioned already, trying to track this and get the right level of visibility using IP ranges, port numbers is almost impossible. Netflow is really struggling these days to track Internet activity due to the huge growth in CDNs (Content Distribution Networks), increased use of proxies, etc. One really has to look inside the packets to get the names, the readable and accurate detail you require. Seems like organizations are finding it really difficult these days to get the right level of visibility, to really understand bandwidth usage on those few really critical links including the Internet.

    Some sort of DPI based technology which also includes application classification (classify traffic by application by looking inside the actual packets, not using port numbers) should get you the granularity/level of visibility you need, including bandwidth, IP address and sometimes even user name. There are a number of options out there including our LANGuardian which also integrates with NPM, etc.

  • So SolarWinds has their own DPI - http://oriondemo.solarwinds.com/Orion/SummaryView.aspx?ViewKey=DPI Summary. It would be fantastic if they could bring NPM QoE (formerly DPI) together with NTA.

  • We plan to focus more on AppFlows (NBAR2, Palo Alto, Citrix, etc.) that use DPI on your edge routers/switches/firewalls and export that using netflow/IPFIX technology. The main advantage is in ease of deployment (it's already on your network) and very good vendor support in terms of detection algorithms for applications.