Using netflow/nfsen to recognize internal vs external traffic

You can easily create a filter which can differentiate between the traffic directed to the internet and traffic directed to your other sites.

All my sites are numbered from the RFC 1918 private address space. This makes it really easy to define an external and an internal filter. The internal filter is defined as “traffic from an RFC 1918 source to an RFC 1918 destination”. The external filter is the opposite of this.

The nfdump filters are:

Internal: (src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16) and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)

External: not ((src net 10.0.0.0/8 or src net 172.16.0.0/12 or src net 192.168.0.0/16) and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16)) and not proto esp

My sites are connected by IPsec, and the “not proto esp” clause makes sure that this site-to-site tunnel traffic is not counted in the external filter. This simplistic filter has an issue, though: the ESP exclusion drops all ESP, so if you have an inside user (e.g. a guest) that is VPNing back to their office, that traffic is really external but will not show up in the external filter either.
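As an added example (not part of the original post), the script below generates the two nfdump filter strings above from the RFC 1918 prefix list and then applies the same src/dst/ESP logic to a handful of constructed flow records, so you can see both the normal split and the guest-VPN caveat: an ESP flow from a private host to a public office gateway is dropped by both filters. The flow dictionaries and their addresses and byte counts are constructed sample data, not a real capture, and the `classify`/`summarize` helpers are my own, not nfdump functions.

```python
import ipaddress

# RFC 1918 private ranges, the same three prefixes used in the post's filters
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO_ESP = 50  # IP protocol number nfdump matches with "proto esp"


def nfdump_filters(nets=RFC1918):
    """Build the internal and external nfdump filter strings from a prefix list."""
    src = " or ".join(f"src net {n}" for n in nets)
    dst = " or ".join(f"dst net {n}" for n in nets)
    internal = f"({src}) and ({dst})"
    external = f"not ({internal}) and not proto esp"
    return internal, external


def is_private(addr, nets=RFC1918):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def classify(flow):
    """Mirror the two filters on one flow record.

    Returns 'internal', 'external', or None when neither filter matches
    (ESP traffic that is not between two private addresses).
    """
    if is_private(flow["src"]) and is_private(flow["dst"]):
        return "internal"
    if flow["proto"] == PROTO_ESP:
        return None  # excluded from the external filter by "not proto esp"
    return "external"


# Constructed sample flows (hypothetical addresses and sizes, not real data)
SAMPLE_FLOWS = [
    # internal backup between two sites
    {"src": "10.1.1.5", "dst": "10.2.1.9", "proto": 6, "bytes": 5000},
    # office host browsing the internet
    {"src": "10.1.1.20", "dst": "93.184.216.34", "proto": 6, "bytes": 1200},
    # site-to-site IPsec between the public tunnel endpoints: correctly excluded
    {"src": "203.0.113.5", "dst": "198.51.100.7", "proto": PROTO_ESP, "bytes": 900},
    # the caveat: a guest on the LAN with an IPsec VPN back to their own office;
    # this is really internet traffic but "not proto esp" hides it
    {"src": "192.168.5.7", "dst": "198.51.100.99", "proto": PROTO_ESP, "bytes": 700},
    # same guest doing DNS to the internet: counted as external
    {"src": "192.168.5.7", "dst": "8.8.8.8", "proto": 17, "bytes": 80},
]


def summarize(flows):
    """Total bytes per class; 'dropped' is what neither graph would show."""
    totals = {"internal": 0, "external": 0, "dropped": 0}
    for flow in flows:
        totals[classify(flow) or "dropped"] += flow["bytes"]
    return totals


if __name__ == "__main__":
    internal, external = nfdump_filters()
    print("Internal:", internal)
    print("External:", external)
    print(summarize(SAMPLE_FLOWS))
```

The "dropped" bucket is the practical check to add to the nfsen profile: run a third filter of `proto esp and not (<internal>)` now and then, and if it is not near zero, some ESP traffic from inside hosts is leaving for the internet without appearing in either graph.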

These filters can give you some nice graphs as shown below where red = External traffic and blue = internal traffic.

[Figure: IntvsExt, nfsen graph of internal (blue) versus external (red) traffic]

In this graph you can clearly see that an internal backup is running from Thursday 10th to Sat 12th. Otherwise most of the traffic from this site is directed towards the internet.
