Using netflow/nfsen to recognize internal vs external traffic

You can easily create a filter which can differentiate between the traffic directed to the internet and traffic directed to your other sites.

All my sites are numbered using the RFC1981 address space. This makes is really easy to define an external and internal filter. The internal filter is defined as “traffic from a RFC1991 source to a RFC 1981 destination”. The external filter is the opposite of this.

The nfdump filter are:

Internal: (src net or src net or src net and (dst net or dst net or dst net

External: not ((src net or src net or src net and (dst net or dst net or dst net and not proto esp

My sites are connected by IPsec and the “not ESP” make sure that you don’t include this traffic in the external filter. This simplistic filter has an issue: for example if you have an inside user (eg guest) that is VPNing back to their office.

These filters can give you some nice graphs as shown below where red = External traffic and blue = internal traffic.


In this graph you can clearly see that an internal backup is running from Thursday 10th to Sat 12th. Otherwise most of the traffic from this site is directed towards the internet.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s