Changes between Version 8 and Version 9 of netmon2017netflow


Timestamp:
Nov 21, 2017, 4:35:36 AM (7 years ago)
Author:
admin
Comment:

--

  • netmon2017netflow

    v8 v9  
    253253This will go away if you reload the page, it's not a problem.
    254254
     255== Using NfSen to identify top talkers ==
     256
     257Now let's use NfSen to explore the traffic flows in the network, with the aim of finding out who was been downloading the most data. Look carefully at the output generated at each step - ask an instructor to explain if you don't understand what you see.
     258
     259 - Navigate to Detail page
     260
     261 - Select time window. to do that change from "Single Timeslot" to '''Time Window'''. Once you have done this, the vertical selector arrow and line in the graph window can be split.
     262
     263 - Pull the left half of the arrow to the left and the right half to the right, to select the time period of interest. Then you should see some summary statistics appear in the table below the graph, for the time period you have selected
     264
     265 - List individual flows by Selecting "List Flows", make sure none of the "Aggregate" boxes are checked, and then click process. This will display some flows at the beginning of the time period. Click '''process'''. You will see the top flows below.
     266
     267 - By selecting "bi-directional" you can get NfSen to associate the inbound and outbound flows into a single line
     268
     269 - If we know which host we want to examine, we can apply a filter to show only those flows to and from that host. Do this by entering "host x.x.x.x" in the filter box, and then pressing process again. (Replace x.x.x.x with the address of one of host PC)
     270
     271 - The next thing we can do is to get NfSen to sort the flows by number of bytes. Remove any filter from the Filter box; select "Stat TopN", stat "Flow Records", order by "Bytes". Ensure all the aggregate boxes are all unchecked, then press process
     272 
     273 - NFsen can show you inbound traffic grouped by receiver IP address. which means showing the total amount of traffic delivered to that host. To do this, Stat "DST IP Address", order by "bytes". Then apply a filter which shows only traffic to your group's network: "dst net 192.248.6.0/24". Yo ucan do the same with a single host.
     274
     275 - By clicking on an IP address, you will get some information from reverse DNS and whois.
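
Review bot: The "List Flows" step (new line 265) tells the reader to click process twice, and its two sentences disagree about the result: the first says the listing shows "some flows at the beginning of the time period", the second says "You will see the top flows", which is what the later "Stat TopN" step (271) produces. Suggest keeping a single "click '''process'''" and dropping or rewording the "top flows" sentence so the unsorted listing is not mistaken for a ranking. Wording in the same hunk also needs a pass: "who was been" (257) should read "who has been"; "to do that change" (261) should start with a capital; "one of host PC" (269) is missing words; "Ensure all the aggregate boxes are all unchecked" (271) repeats "all"; in 273 "Yo ucan" should be "You can", "NFsen" should match the "NfSen" spelling used in the rest of the page, "which means" begins a sentence fragment, and the order-by value is written "bytes" where 271 has "Bytes".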