MARS receiving Netflows with 0.0.0.0/0

gmherring
Level 1

I am sending Netflows from my 6500s to MARS. I seem to get a lot of events that have 0.0.0.0/0 as the source and a lot that show that address and port as the destination.

Are these broadcasts?

Also, most of my Netflow events are "Sudden Increase in traffic to a port". I turned on Netflow processing a week ago, yet a lot of the raw events still show the mean as 0.

1 Reply

pmccubbin
Level 5

I've been told that the "Sudden Increase in traffic to a port" means that MARS has seen a situation where the traffic to a port is more than 2 standard deviations from its normal traffic rate.

In the normal course of its operations, MARS develops a baseline of the network using Netflow. Consequently it's perfectly normal for there to be moments where you have spikes in traffic which would trigger this sort of event. It's then up to the administrator to determine if this is a false positive or not.

Hope this helps.
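The threshold described in the reply above, as an added example that is not part of the original thread and is not Cisco's MARS code: a per-port running baseline that flags any interval whose rate exceeds the mean by more than 2 standard deviations. The names `PortBaseline` and `find_spikes`, the sample data, and the `min_samples` warm-up guard are assumptions made for illustration; the run with no warm-up shows how a baseline whose mean is still 0 flags ordinary traffic.

```python
import math
from collections import defaultdict


class PortBaseline:
    """Running mean / standard deviation of one port's rate (Welford's method)."""

    def __init__(self):
        self.n = 0        # samples seen so far
        self.mean = 0.0   # stays 0 until the first sample is learned
        self.m2 = 0.0     # sum of squared deviations from the mean

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self):
        return math.sqrt(self.m2 / self.n) if self.n else 0.0


def find_spikes(samples, k=2.0, min_samples=0):
    """samples: iterable of (interval, dst_port, flows_in_interval).

    Returns (interval, port, rate, mean, stddev) for each rate above
    mean + k * stddev, judged against the baseline learned *before* it.
    min_samples (hypothetical guard) suppresses alerts during warm-up.
    """
    baselines = defaultdict(PortBaseline)
    alerts = []
    for interval, port, rate in samples:
        b = baselines[port]
        if b.n >= min_samples and rate > b.mean + k * b.stddev:
            alerts.append((interval, port, rate,
                           round(b.mean, 2), round(b.stddev, 2)))
        b.update(rate)  # the sample then becomes part of the baseline
    return alerts


# Constructed sample data: flows per interval to TCP/443, with one burst.
RATES = [100, 104, 98, 101, 97, 103, 99, 102, 180, 100]
SAMPLES = [(i, 443, r) for i, r in enumerate(RATES)]

if __name__ == "__main__":
    print("no warm-up :", find_spikes(SAMPLES))
    print("warm-up = 5:", find_spikes(SAMPLES, min_samples=5))
```

With no warm-up, intervals 0 and 1 are flagged against a mean of 0 or a standard deviation of 0; with a five-sample warm-up, only the burst at interval 8 remains.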
