Traffic Analysis on a small enterprise network

Gustav92
Level 1

Hi everyone. I need to do some traffic analysis on a small network. We have a 3560X switch, several 2960S switches, one FortiGate 200E, and of course a couple hundred computers. If I want to do this, is SPAN my only choice? From what I've read, SPAN seems to be a traffic monitoring tool, not a traffic analysis tool like sFlow or NetFlow are. What can I do?


6 Replies

balaji.bandi
Hall of Fame

sFlow or NetFlow is the right tool for traffic analysis based on the port.

 

Here is a good document on doing it with Elasticsearch:

 

https://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics

 

You can also do it with the Fortinet FW, depending on the version you have; on 5.X you have this feature:

 

https://docs.fortinet.com/document/fortigate/5.4.0/cookbook/476970

 

 

 

BB


Captain HoOmi
Level 1

SPAN is not a solution for this requirement. You have to configure NetFlow and sFlow, and also a NetFlow analyzer.

 

For 3560x:

https://community.cisco.com/t5/switching/netflow-configuration-on-3560x-switch/td-p/3092188

 

For 2960S: NetFlow is not supported. Is the 3560X your distribution switch? Then enabling NetFlow on the interfaces connected to the 2960S switches will capture the traffic flows for analysis.

 

For Fortigate: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/Troubleshootin/sFlow%20support.htm

 

Free flow analysers:

Cacti and Plixer Scrutinizer are good free ones, and ManageEngine NetFlow Analyzer is a good paid option.

 

 


Seb Rupik (Accepted Solution)
VIP Alumni

Hi there,

While I agree with both @balaji.bandi and @Captain HoOmi about the use of NetFlow, use of a SPAN port is a valid method for traffic analysis. It depends on the fidelity of analysis you want to achieve. Keep in mind that NetFlow collectors sample traffic (x packets in x), extract metadata from the captured streams and export it to a NetFlow analyser.

 

A SPAN port will capture every packet and its payload. This can be used for IDS or SIEM systems, which are normally directly attached and can ingest the data arriving at a high rate.

 

Examples of open-source SIEM systems would be AlienVault (https://www.alienvault.com) or Security Onion (https://securityonion.net/).

An example of a traffic analyser that uses a SPAN port would be ntop (https://www.ntop.org/).

As for open-source NetFlow analysers, take a look at nfsen (http://nfsen.sourceforge.net/) or nfsen-ng (https://github.com/mbolli/nfsen-ng).

 

cheers,

Seb.

Yep, I agree with you 100%, but the big difference between NetFlow and SPAN is that with SPAN you'll end up with a copy of every packet which is sent to the destination port (including the payload of the packets). I've seen SPAN mostly implemented for IPS solutions to inspect packets or for call recording, and not necessarily just for analysing traffic flows. With NetFlow you only see traffic stats based on IP, application and port. You won't have the payload of the packets.

 

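The distinction Seb and Captain HoOmi draw above (a flow record carries the 5-tuple, interface indexes, counters and TCP flags, but no payload) is easiest to see by decoding an actual NetFlow export. The block below is an added example written for this page; it is not code from the thread, from nfsen, ntop or any Cisco or Fortinet tool. It decodes a NetFlow v5 datagram with the standard library and then summarises it the way a flow analyser would (top talkers, which hosts reached a given service). The addresses, flow volumes and sampling interval are constructed sample data, and `build_v5_datagram` exists only to fabricate the datagram that the exporting switch would otherwise send; a real collector would read this from a UDP socket.

```python
"""Decode a NetFlow v5 export datagram and summarise it like a flow analyser.
Added example for this thread; not from nfsen, ntop, Cisco or Fortinet."""
import struct
import ipaddress
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by `count` fixed 48-byte
# records, all fields big-endian.
HEADER_FMT = ">HHIIIIBBH"
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample flows (hypothetical addresses and volumes), standing in
# for what the exporter would emit for a few client sessions.
SAMPLE_FLOWS = [
    dict(src="10.1.1.10", dst="10.1.2.20", proto=6, sport=52314, dport=443,
         pkts=120, bytes=96000, first=1000, last=6000),
    dict(src="10.1.1.11", dst="10.1.2.20", proto=6, sport=40000, dport=443,
         pkts=10, bytes=4000, first=2000, last=2500),
    dict(src="10.1.1.10", dst="8.8.8.8", proto=17, sport=5353, dport=53,
         pkts=2, bytes=160, first=3000, last=3010),
    dict(src="10.1.1.12", dst="10.1.2.30", proto=6, sport=55000, dport=445,
         pkts=30, bytes=15000, first=4000, last=4900),
]


def build_v5_datagram(flows, sampling_interval=0, sequence=0):
    """Pack flows into a v5 datagram. Used here only to fabricate test input;
    on a real network the switch or firewall is the exporter."""
    records = b"".join(
        struct.pack(RECORD_FMT,
                    ipaddress.IPv4Address(f["src"]).packed,
                    ipaddress.IPv4Address(f["dst"]).packed,
                    b"\x00" * 4,                         # next hop
                    1, 2,                                # input / output ifIndex
                    f["pkts"], f["bytes"], f["first"], f["last"],
                    f["sport"], f["dport"],
                    0, f.get("flags", 0x18), f["proto"], 0,   # pad, TCP flags, proto, ToS
                    0, 0, 24, 24, 0)                     # src/dst AS, masks, pad
        for f in flows)
    header = struct.pack(HEADER_FMT, 5, len(flows), 123456, 1700000000, 0,
                         sequence, 0, 0, sampling_interval)
    return header + records


def parse_v5(datagram):
    """Return header fields plus one dict per flow. Note what is absent:
    no payload, no hostnames, no URLs; only addresses, ports and counters."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("truncated NetFlow header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram shorter than the record count in the header claims")
    # Low 14 bits of the sampling field are the interval; 0 means every packet.
    sample_rate = sampling & 0x3FFF or 1
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nh, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, flags, proto, _tos,
         _sas, _das, _smask, _dmask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append(dict(
            src=str(ipaddress.IPv4Address(src)),
            dst=str(ipaddress.IPv4Address(dst)),
            proto=PROTO_NAMES.get(proto, str(proto)),
            sport=sport, dport=dport, pkts=pkts, bytes=octets,
            duration_ms=last - first, tcp_flags=flags,
            in_if=in_if, out_if=out_if))
    return {"sequence": sequence, "sample_rate": sample_rate, "flows": flows}


def top_talkers(parsed, n=3):
    """Bytes sent per source address, scaled back up by the sampling rate."""
    totals = defaultdict(int)
    for f in parsed["flows"]:
        totals[f["src"]] += f["bytes"] * parsed["sample_rate"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flows_to_port(parsed, dport):
    """Which sources talked to a given service, e.g. SMB on tcp/445."""
    return sorted({f["src"] for f in parsed["flows"] if f["dport"] == dport})


if __name__ == "__main__":
    parsed = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    for src, total in top_talkers(parsed):
        print(f"{src:<12} {total:>8} bytes")
    print("hosts reaching tcp/445:", flows_to_port(parsed, 445))
```

Two things worth noticing when running it: the only way to tell what the 96 KB session on tcp/443 contained is to have had a SPAN copy of those packets, and if the exporter samples (the sampling field in the header set to 1-in-100, say) every counter an analyser shows is an estimate scaled from that sample. Flexible NetFlow on Catalyst platforms and sFlow from the FortiGate use different wire formats (template-based NetFlow v9, sFlow datagrams), so a real collector needs those decoders as well; v5 is used here because its fixed layout makes the contents of a flow record obvious.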

Thanks to both of you, I really appreciate your comments.

Yes, many open-source tools are growing big, and some are very good... I see greylogger has a good GUI, all pre-installed. Worth trying.

 

If this solution works for your needs, mark it as resolved.

 

BB
