Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Securing Remote Networks Against Cyber Threats: part 2

July 5, 2013

IP Host Reputation

Today, some NetFlow collector vendors are comparing IP addresses found in flows to reputation lists. This host reputation lookup process is a routine that goes out to an Internet-based reputation list provider every hour and downloads an updated list of known hosts that end systems on the network should not be communicating with. Typically this is a list of compromised hosts that have a reputation for sending nefarious traffic (e.g. command and control, C&C).

Read part 1 of this series.
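As an added illustration of the lookup described above (example code, not Scrutinizer's or any feed provider's implementation), the script below loads a constructed reputation feed, matches it against a few constructed flow records, and only re-downloads the list once the hourly interval has elapsed. The feed format, the addresses, the refresh interval and the injected `fetch` callable are all assumptions:

```python
"""Compare flow endpoints to an IP host-reputation list.

Added example, not Plixer/Scrutinizer code. The feed contents, the flow
records and the refresh interval are constructed so the script runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

REFRESH_SECONDS = 3600  # the text describes an hourly download of the list

# Constructed feed using RFC 5737 documentation addresses, standing in for
# what a reputation provider would serve (the format itself is hypothetical).
FEED = """\
# address-or-cidr,category
198.51.100.23,C&C
203.0.113.0/24,scanner
192.0.2.77,malware-distribution
"""

# Constructed flow records as a collector would hold them after decoding.
FLOWS = [
    {"src": "10.1.1.5", "dst": "198.51.100.23", "proto": 6, "dport": 443, "octets": 1200},
    {"src": "10.1.1.9", "dst": "198.51.100.200", "proto": 6, "dport": 80, "octets": 5400},
    {"src": "203.0.113.45", "dst": "10.1.1.22", "proto": 6, "dport": 22, "octets": 90},
]


class ReputationList:
    """Exact addresses in a dict, CIDR entries in a list scanned in order."""

    def __init__(self, feed_text: str, fetched_at: float):
        self.fetched_at = fetched_at
        self.exact: Dict[str, str] = {}
        self.nets: List[Tuple[object, str]] = []
        for line in feed_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            addr, category = (p.strip() for p in line.split(",", 1))
            if "/" in addr:
                self.nets.append((ipaddress.ip_network(addr, strict=False), category))
            else:
                self.exact[str(ipaddress.ip_address(addr))] = category

    def is_stale(self, now: float) -> bool:
        return now - self.fetched_at >= REFRESH_SECONDS

    def lookup(self, ip: str) -> Optional[str]:
        """Return the category for ip, or None when it is not listed."""
        if ip in self.exact:
            return self.exact[ip]
        addr = ipaddress.ip_address(ip)
        for net, category in self.nets:
            if addr in net:
                return category
        return None


def refresh_if_stale(rep: Optional[ReputationList], now: float,
                     fetch: Callable[[], str]) -> ReputationList:
    """Re-download once REFRESH_SECONDS have passed. `fetch` is injected so the
    example runs offline; in production it is the HTTPS request to the provider."""
    if rep is None or rep.is_stale(now):
        return ReputationList(fetch(), now)
    return rep


def match_flows(flows: List[dict], rep: ReputationList) -> List[Tuple[dict, str, str]]:
    """Return (flow, listed_ip, category) for every flow with a listed endpoint."""
    hits = []
    for flow in flows:
        for ip in (flow["src"], flow["dst"]):
            category = rep.lookup(ip)
            if category is not None:
                hits.append((flow, ip, category))
                break  # one listed endpoint is enough to raise the flow
    return hits


if __name__ == "__main__":
    rep = refresh_if_stale(None, now=0.0, fetch=lambda: FEED)
    for flow, ip, category in match_flows(FLOWS, rep):
        print(f"{flow['src']} -> {flow['dst']}: {ip} listed as {category}")
```

A hit is an indicator, not a verdict: a /24 entry sweeps up every neighbour of the listed host, and a stale or poisoned feed silently changes what gets flagged, so the download should be authenticated (TLS at a minimum) and the list's age recorded alongside each alert.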

Securing Remote Networks Against Cyber Threats: part 1

June 9, 2013

Managed Security Service Providers (MSSPs) depend on NetFlow and IPFIX as one of the top three enablers for improving network threat detection at on-site as well as remote sites. The distributed collection nature of this technology allows IT security teams to gain threat insight into remote areas without actually visiting each location.

Router Overhead When Enabling NetFlow

May 1, 2013

Are you concerned about the router overhead when enabling NetFlow? You should be if the router already has a busy CPU. Make sure you trend the CPU utilization on a busy router before you try enabling NetFlow or IPFIX. In most cases enabling these network traffic monitoring exports won't impact performance; on an already overworked appliance, however, they can.

Cisco Wireless Controller NetFlow Configuration

April 15, 2013

Two months ago we started playing with the Cisco Wireless Controller NetFlow configuration and got it to export flows with NBAR support.  Pretty cool stuff. We were given a Cisco 2500 series to play with and once we had flows going to our NetFlow analyzer, it became clear why this hardware is part of the Cisco AVC family of NetFlow capable solutions. 

Building a NetFlow Cache: Exporting IPFIX

March 12, 2013

Most engineers implementing NetFlow or IPFIX know how to get started. Where they sometimes stumble is in the area of a properly structured export with well-thought-out relationships between the templates. Today I want to provide a good example.

This post on building a NetFlow cache and exporting IPFIX is pretty deep. For this reason, my prior post on Exporting NetFlow or IPFIX really should be reviewed first. A flow cache entry in a router or switch is built using the first packet between two hosts, and the cache table is maintained for all active connections (i.e. flows). When a packet comes into the device, its tuple of key fields is compared to existing entries in the cache table. A match on the key fields triggers a flow entry update, where the packet and byte counts are incremented and perhaps other non-key fields (TCP flags, for example) are updated. Packets that don't match a flow entry are compared to policy (e.g. firewall or ACL rules) and are ultimately dropped or used to create new cache entries. Flow entries are exported to a flow collector periodically based on timers (i.e. the active and inactive timeouts) or on flow behavior, such as a TCP connection closing.
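The cache behaviour above, as an added example that is not code from any router or from Plixer: a small Python flow cache that keys on the classic seven fields, updates counters on a key match, consults a stand-in policy check before creating an entry, and exports on FIN/RST, on the inactive timeout and on the active timeout. The timeouts, the policy rule and the packet stream are constructed values.

```python
"""Flow cache simulation: key-field match, counter update, timer/flag export.

Added example illustrating the cache behaviour described above; it is not
code from any router or from Plixer. Timeouts, the policy rule and the
packets are constructed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Classic key fields: src, dst, proto, sport, dport, tos, input interface.
Key = Tuple[str, str, int, int, int, int, int]

ACTIVE_TIMEOUT = 60.0    # long-lived flows are exported every 60 s (constructed)
INACTIVE_TIMEOUT = 15.0  # idle flows are exported after 15 s (constructed)
FIN, RST = 0x01, 0x04    # TCP flag bits that end a flow early


@dataclass
class FlowEntry:
    key: Key
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # non-key field: OR of all flags seen in the flow


def policy_permits(pkt: dict) -> bool:
    """Stand-in for the ACL/firewall check a packet passes before a new entry
    is created. Constructed rule: drop telnet."""
    return not (pkt["proto"] == 6 and pkt["dport"] == 23)


@dataclass
class FlowCache:
    entries: Dict[Key, FlowEntry] = field(default_factory=dict)
    exported: List[FlowEntry] = field(default_factory=list)

    def observe(self, pkt: dict, now: float) -> None:
        key: Key = (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"],
                    pkt["dport"], pkt.get("tos", 0), pkt.get("in_if", 1))
        entry = self.entries.get(key)
        if entry is None:
            if not policy_permits(pkt):
                return  # dropped: no cache entry, nothing to export
            entry = self.entries[key] = FlowEntry(key, now, now)
        # Key match: only the non-key fields change.
        entry.last_seen = now
        entry.packets += 1
        entry.octets += pkt["len"]
        entry.tcp_flags |= pkt.get("flags", 0)
        if pkt.get("flags", 0) & (FIN | RST):
            self._export(key)  # flow-behaviour export

    def expire(self, now: float) -> None:
        """Timer-driven export; the device runs this periodically."""
        for key, entry in list(self.entries.items()):
            if (now - entry.first_seen >= ACTIVE_TIMEOUT
                    or now - entry.last_seen >= INACTIVE_TIMEOUT):
                self._export(key)

    def _export(self, key: Key) -> None:
        # Exporting removes the entry; a later packet with the same key starts
        # a fresh entry, so a long flow appears as a series of records.
        self.exported.append(self.entries.pop(key))


def run_demo() -> FlowCache:
    """Constructed traffic: a short TCP session, one DNS query, a denied
    telnet attempt and a long-lived UDP (VXLAN) flow."""
    cache = FlowCache()
    tcp = dict(src="10.0.0.1", dst="10.0.0.2", proto=6, sport=40000, dport=443, len=100)
    dns = dict(src="10.0.0.3", dst="10.0.0.4", proto=17, sport=5000, dport=53, len=60)
    telnet = dict(src="10.0.0.5", dst="10.0.0.6", proto=6, sport=40001, dport=23, len=40)
    vxlan = dict(src="10.0.0.7", dst="10.0.0.8", proto=17, sport=1234, dport=4789, len=1400)
    cache.observe(telnet, 0.0)  # denied by policy: no entry
    cache.observe(dns, 0.0)     # one packet, then silence
    for t in (0.0, 1.0, 2.0):
        cache.observe(dict(tcp, flags=0x10), t)   # ACK
    cache.observe(dict(tcp, flags=0x11), 3.0)     # FIN|ACK: exported at once
    for t in range(0, 80, 10):                    # a packet every 10 s for 70 s
        cache.observe(vxlan, float(t))
        cache.expire(float(t))
    return cache


if __name__ == "__main__":
    for e in run_demo().exported:
        print(e.key[:2], e.packets, "pkts", e.octets, "octets", hex(e.tcp_flags))
```

Note what the active timeout does to the long-lived flow: it is exported and removed at 60 s, and the next packet starts a fresh entry, so the collector sees one connection as a series of records and has to stitch them back together by key. The DNS flow, by contrast, leaves the cache on the inactive timeout, and the TCP session leaves on its FIN.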

Amazon EC2 Monitoring: Network Performance

January 25, 2013

We recently did a cost analysis in which we considered outsourcing to Amazon's EC2 (Elastic Compute Cloud) service, and the topic of network performance monitoring, among other issues, came up. We considered the amount of bandwidth we would use as well as how we would monitor the quality of service our customers were receiving through our use of EC2, and the final decision was that Amazon EC2 was not for us.

Enterasys Dragon: Intrusion Prevention System Log Analysis

December 13, 2012

Network threat detection solutions generally share some common attributes with routers, switches, firewalls and even servers. The one I want to focus on today is logging, specifically the logs from the Dragon Intrusion Prevention System. If we can get the machine messages, in this case syslogs, from all systems into a somewhat similar format and in one location, we can then correlate the data and look for events across systems even if they perform very different functions on the network. In the end, this will improve network visibility and security event awareness.
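As an added example of the normalization and correlation step (not Plixer's or Enterasys's code; the two message bodies are constructed formats, not the Dragon IPS's real syslog layout), this script parses lines from a firewall and an IPS into one schema and reports source addresses that both systems saw within a few minutes of each other:

```python
"""Normalize syslog from two device types into one schema, then correlate
across systems by source address.

Added example, not Plixer code. The message bodies below are constructed
for illustration; they are not the Dragon IPS's or any vendor's real format.
"""
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample lines: RFC 3164-style header, device-specific body.
SAMPLE_SYSLOG = [
    "<134>Dec 13 09:14:02 fw1 kernel: DENY TCP 198.51.100.23:41022 -> 10.1.4.7:445",
    "<132>Dec 13 09:14:05 ips1 ips: ALERT sig=SMB-PROBE src=198.51.100.23 dst=10.1.4.7 sev=high",
    "<134>Dec 13 09:20:40 fw1 kernel: DENY UDP 203.0.113.9:5353 -> 10.1.4.1:53",
    "<132>Dec 13 10:01:11 ips1 ips: ALERT sig=DNS-TUNNEL src=10.1.4.30 dst=192.0.2.88 sev=medium",
]

HEADER = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
FW_BODY = re.compile(r"^(DENY|ALLOW) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
IPS_BODY = re.compile(r"^ALERT sig=(\S+) src=(\S+) dst=(\S+) sev=(\w+)$")


def normalize(line: str, year: int = 2012) -> Dict:
    """Map one raw line to the common schema (ts, host, system, src_ip, dst_ip, ...).
    The RFC 3164 header carries no year, so the caller supplies it."""
    m = HEADER.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    ts_text, host, tag, body = m.groups()
    event = {"ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
             "host": host, "tag": tag}
    fw, ips = FW_BODY.match(body), IPS_BODY.match(body)
    if fw:
        event.update(system="firewall", action=fw.group(1), proto=fw.group(2),
                     src_ip=fw.group(3), dst_ip=fw.group(5), dst_port=int(fw.group(6)))
    elif ips:
        event.update(system="ips", signature=ips.group(1), src_ip=ips.group(2),
                     dst_ip=ips.group(3), severity=ips.group(4))
    else:
        event.update(system="unknown", raw=body)  # keep it; never drop silently
    return event


def correlate(events: List[Dict], window_s: int = 300) -> List[Dict]:
    """Source addresses reported by more than one system type within window_s."""
    by_ip: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if "src_ip" in e:
            by_ip.setdefault(e["src_ip"], []).append(e)
    hits = []
    for ip, evs in by_ip.items():
        systems = sorted({e["system"] for e in evs})
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if len(systems) > 1 and span <= window_s:
            hits.append({"src_ip": ip, "systems": systems, "events": len(evs),
                         "first": evs[0]["ts"], "last": evs[-1]["ts"]})
    return hits


if __name__ == "__main__":
    for hit in correlate([normalize(line) for line in SAMPLE_SYSLOG]):
        print(hit)
```

The point of the common schema is the join key: once every source writes `src_ip` and `ts` the same way, a firewall deny and an IPS alert about the same host become one story rather than two unrelated lines in two consoles.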

Next Generation Firewalls with Application Performance Monitoring In Mind

December 1, 2012

When choosing a next generation firewall, consumers are fortunate in that these appliances have an array of functions to choose from.  Although the primary goal is a solution that will help the business protect the company’s crown jewels from Internet bots and other types of network threats, other features such as Application Performance Monitoring are a growing concern. 

Palo Alto Networks NetFlow Export includes Firewall Event Field in PAN-OS 5.0

November 25, 2012

Palo Alto Networks is showing further commitment to NetFlow Reporting by including a Firewall Event element in PAN-OS 5.0.  This new field will provide a few new advantages to Firewall Administrators.  These improvements to their NetFlow export can be seen in multiple ways:

IPFIX Vendors should implement RFC 5610

November 7, 2012

This is a call to all the great companies that have implemented IPFIX to date. It is clear that IPFIX is the next generation protocol to be included with most network monitoring solutions, and for this reason I'd like these companies, and those considering IPFIX, to include support for RFC 5610 or some similar technology. Without support for this RFC, deciphering new elements is nearly impossible. The situation IPFIX collector vendors face is similar to trying to decipher traps or browse OIDs without a MIB file.
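To show what RFC 5610 buys a collector, here is an added example (not any vendor's exporter or collector) of an IPFIX message that carries an Information Element Type options record for a constructed enterprise element, and a collector that decodes the same flow record with and without it. Element 1001 under PEN 32473 (the enterprise number IANA reserves for documentation), the template IDs and the flow values are assumptions; the RFC 5610 element IDs and data type codes are the registered ones.

```python
"""IPFIX export with an RFC 5610 Information Element Type record, and a collector
that uses it to decode an enterprise-specific element. Added example, not any
vendor's code; template IDs, element 1001 under PEN 32473 (IANA's documentation
enterprise number) and the flow values are constructed."""
import socket
import struct
VAR = 0xFFFF  # variable-length field marker in templates (RFC 7011)
PEN = 32473   # enterprise number reserved for documentation (RFC 5612)
IANA = {  # (pen, id) -> (name, data type), seeded with the IANA elements used here
    (0, 1): ("octetDeltaCount", "unsigned64"), (0, 8): ("sourceIPv4Address", "ipv4Address"),
    (0, 12): ("destinationIPv4Address", "ipv4Address"), (0, 303): ("informationElementId", "unsigned16"),
    (0, 339): ("informationElementDataType", "unsigned8"), (0, 341): ("informationElementName", "string"),
    (0, 344): ("informationElementSemantics", "unsigned8"), (0, 345): ("informationElementUnits", "unsigned16"),
    (0, 346): ("privateEnterpriseNumber", "unsigned32")}
DATATYPE_CODES = {0: "octetArray", 1: "unsigned8", 2: "unsigned16", 3: "unsigned32",
                  4: "unsigned64", 13: "string", 18: "ipv4Address"}  # RFC 5610 codes (subset)

def field_spec(pen, ie, length):
    """Template field; enterprise elements set the high bit and append the PEN."""
    return struct.pack("!HHI", 0x8000 | ie, length, pen) if pen else struct.pack("!HH", ie, length)

def ipfix_set(set_id, body):
    return struct.pack("!HH", set_id, 4 + len(body)) + body

def ipfix_message(sets, export_time=0, seq=0, odid=1):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, odid) + body

def build_export(with_type_record):
    """Exporter: data template 257 uses element 1001; the RFC 5610 record describing it is optional."""
    opt_template = struct.pack("!HHH", 256, 6, 2) + b"".join([  # 6 fields, 2 of them scope
        field_spec(0, 303, 2), field_spec(0, 346, 4),            # scope: element id, PEN
        field_spec(0, 339, 1), field_spec(0, 344, 1), field_spec(0, 345, 2), field_spec(0, 341, VAR)])
    # id 1001, PEN, dataType 2 = unsigned16, semantics 1 = quantity, units 0 = none, name (length-prefixed)
    opt_record = struct.pack("!HIBBH", 1001, PEN, 2, 1, 0) + b"\x0bthreatScore"
    template = struct.pack("!HH", 257, 4) + b"".join([
        field_spec(0, 8, 4), field_spec(0, 12, 4), field_spec(0, 1, 8), field_spec(PEN, 1001, 2)])
    record = struct.pack("!4s4sQH", socket.inet_aton("10.0.0.1"), socket.inet_aton("192.0.2.7"), 4321, 87)
    sets = [ipfix_set(2, template)]
    if with_type_record: sets += [ipfix_set(3, opt_template), ipfix_set(256, opt_record)]
    return ipfix_message(sets + [ipfix_set(257, record)])

class Collector:
    def __init__(self):
        self.templates = {}         # template id -> [(pen, id, length)]
        self.registry = dict(IANA)  # grows as RFC 5610 records arrive

    def feed(self, msg):
        version, length = struct.unpack_from("!HH", msg, 0)
        assert version == 10 and length == len(msg), "not a well-formed IPFIX message"
        off, records = 16, []
        while off + 4 <= length:
            set_id, set_len = struct.unpack_from("!HH", msg, off)
            body = msg[off + 4:off + set_len]
            if set_id in (2, 3):
                self._parse_templates(body, options=(set_id == 3))
            elif set_id >= 256:
                records.extend(self._parse_data(set_id, body))
            off += set_len
        return records

    def _parse_templates(self, body, options):
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, off); off += 4; fields = []
            if options: off += 2  # scope field count; scope fields decode like any other here
            for _ in range(count):
                ie, ln = struct.unpack_from("!HH", body, off); off, pen = off + 4, 0
                if ie & 0x8000:
                    pen, ie = struct.unpack_from("!I", body, off)[0], ie & 0x7FFF; off += 4
                fields.append((pen, ie, ln))
            self.templates[tid] = fields

    def _decode(self, pen, ie, raw):
        name, dtype = self.registry.get((pen, ie), (f"enterprise{pen}.{ie}", "octetArray"))
        if dtype.startswith("unsigned"): return name, int.from_bytes(raw, "big")
        if dtype == "ipv4Address": return name, socket.inet_ntoa(raw)
        return name, raw.decode() if dtype == "string" else raw  # undescribed: opaque bytes

    def _parse_data(self, tid, body):
        fields = self.templates[tid]
        min_len = sum(1 if ln == VAR else ln for _, _, ln in fields)
        off, records = 0, []
        while len(body) - off >= min_len:
            rec = {}
            for pen, ie, ln in fields:
                if ln == VAR:  # 1-byte length prefix (the 255 escape for long values is not handled)
                    ln = body[off]; off += 1
                rec.update([self._decode(pen, ie, body[off:off + ln])]); off += ln
            if "informationElementId" in rec and "informationElementDataType" in rec:
                key = (rec.get("privateEnterpriseNumber", 0), rec["informationElementId"])
                dtype = DATATYPE_CODES.get(rec["informationElementDataType"], "octetArray")
                self.registry[key] = (rec.get("informationElementName", f"ie{key}"), dtype)
            records.append(rec)
        return records

def decode_flow(with_type_record):
    recs = Collector().feed(build_export(with_type_record))
    return next(r for r in recs if "sourceIPv4Address" in r)
```

Without the type record, the collector can only keep the two bytes as opaque octets under a placeholder name; with it, the same bytes come back as `threatScore = 87` and the field can be reported on, which is exactly the missing-MIB-file situation above.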