
Netflow and PRTG

paulcastellano
Level 1

I have just started monitoring NetFlow from a Cisco 1900 in PRTG.

Here is a sample of the Source/Destination IPs for Top Talkers:

1.  [208.250.54.122]                                              50-77-110-129
2.  157.154.4.10                                                  50-77-110-129
3.  static-207-68-115-146.alt.east.verizon.net (207.68.115.146)   50-77-110-129
4.  21-eberlyw10.lezzer1.local (10.21.9.148)                      ddj17842.lezzer1.local (10.12.0.7)
5.  [69.147.94.144]                                               50-77-110-129
6.  xx-fbcdn-shv-01-ort2.fbcdn.net (157.240.2.25)                 50-77-110-129
7.  [192.229.211.40]                                              50-77-110-129
8.  [173.194.63.20]                                               50-77-110-129
9.  [31.13.69.228]                                                50-77-110-129
10. 52.71.213.205                                                 50-77-110-129


The 208.250.54.122 is the headquarters static IP and the 50-77-110-129 is the static IP for a remote site.

So line 1 is traffic between those sites. Line 2 is between HighmarkBCBS and the remote site. Line 4 shows traffic between an actual PC (10.21.9.148) at the remote site and a server at headquarters.

I'm trying to see if it is possible to determine which internal IP (actual PC) is generating each line. What IP at the remote site is generating the traffic to/from 157.154.4.10 or 192.229.211.40 or 173.194.63.20?

Is it a netflow or PRTG setting/configuration?

Paul

1 Reply

It's not really the netflow or the PRTG configuration -- it's a question of where you're collecting the flows.

The results you're seeing are from flow records generated on the router between HQ and the remote site. However, the traffic has already been NATTED by the time this router sees the flows.

So, you need to find/analyse this traffic *before* it gets to that router, by collecting flows from some other internal switch -- one that sees the traffic before it gets NATTED.
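
Added illustration, not part of the original thread: the same set of flows aggregated as a pre-NAT exporter and as a post-NAT exporter would report them, showing why the inside hosts disappear from the Top Talkers list at the second observation point. The flow records are constructed; the inside network `10.21.0.0/16`, the hosts other than 10.21.9.148, and the public address `203.0.113.10` (a documentation-range placeholder) are assumptions.

```python
import ipaddress
from collections import defaultdict

INSIDE_NET = "10.21.0.0/16"     # assumed remote-site LAN (10.21.9.148 appears in the post)
NAT_PUBLIC_IP = "203.0.113.10"  # documentation-range placeholder for the site's public IP

# Constructed flow records (src, dst, bytes) as an exporter on the inside of the
# NAT boundary would report them. Hosts other than 10.21.9.148 are invented.
PRE_NAT_FLOWS = [
    ("10.21.9.148", "157.154.4.10", 120_000),
    ("10.21.9.150", "157.154.4.10", 30_000),
    ("157.154.4.10", "10.21.9.148", 900_000),
    ("10.21.9.151", "192.229.211.40", 75_000),
    ("192.229.211.40", "10.21.9.151", 2_400_000),
    ("10.21.9.148", "173.194.63.20", 10_000),
]

def _inside(ip, net=INSIDE_NET):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def apply_nat(flows, public_ip=NAT_PUBLIC_IP):
    """Rewrite inside addresses to the public IP, as a post-NAT exporter sees them."""
    return [(public_ip if _inside(s) else s, public_ip if _inside(d) else d, b)
            for s, d, b in flows]

def top_talkers(flows):
    """Total bytes per conversation (direction ignored), largest first."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[tuple(sorted((src, dst)))] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def internal_hosts_for(flows, peer):
    """Bytes exchanged with `peer`, keyed by inside host (both directions)."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if peer in (src, dst):
            other = dst if src == peer else src
            if _inside(other):
                totals[other] += nbytes
    return dict(totals)

if __name__ == "__main__":
    post_nat = apply_nat(PRE_NAT_FLOWS)
    print("post-NAT view:", top_talkers(post_nat))
    print("pre-NAT view: ", top_talkers(PRE_NAT_FLOWS))
    for peer in ("157.154.4.10", "192.229.211.40", "173.194.63.20"):
        print(peer, "->", internal_hosts_for(PRE_NAT_FLOWS, peer))
```

In the post-NAT view every conversation has the public address as one endpoint, so the per-host breakdown cannot be recovered from those records alone.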