A simple port scan was initiated from a Linux host scanning a /24 subnet for ports 14021-14025/tcp.
SMC displayed the correct number of flow records in the flow table for this activity, but the "Total Traffic" and "Total Bytes" columns were empty for all the flows. A packet capture collected on the Flow Collector for that exporter during this activity showed that the flow sets had octet values included in the flow records. My understanding is that the Octets value includes the IP header(s) and IP payload. May I know where this value is displayed on SMC, or why my Total Traffic and Total Bytes fields may be blank?
We are on version 6.10.5, and the exporter was an ASR router in this case, which has NetFlow v9. Thanks.
I'm searching for a similar internal case. One thing in my head: is it a half-open port scan? I think total traffic is calculated when the session is finished. Any chance to test with normal traffic?
It is a full connect scan using nmap (example: nmap -vv -Pn -n -p441-445 x.x.x.x/24) sending TCP. Is there any tuning to be done on SMC to get this octet value visible? As the number of octets includes the IP header(s) and IP payload, why does SMC restrict Total Bytes to showing only the actual IP payload? Why doesn't it show the whole flow record as it is?
Total Bytes is designed to show how much data (such as file uploads/downloads) was transferred in that session. IP header volume makes it hard to find the transferred file size. And Stealthwatch stitches the whole flow into one single session so it is easy to view, like a firewall log, and to reduce disk space. Please let me know why you need the IP header data size. If it is enough reason, I'm happy to submit an enhancement request.
I confirmed with the TAC team: if the session doesn't send/receive actual data, Total Bytes is zero. Just opening/closing a session causes this.
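The distinction the thread lands on, illustrated with an added example that is not part of the original thread or of Stealthwatch: the NetFlow v9 export below is constructed, it decodes the template and data flowsets to recover the raw IN_BYTES/IN_PKTS counters (field IDs 1 and 2 per RFC 3954), and it then estimates application payload by subtracting an assumed 40 bytes of IPv4+TCP headers per packet (TCP options are not modelled, so it is an estimate). A handshake-only flow from a connect scan has non-zero octets but zero payload, which is what the Total Bytes column reflects.

```python
import struct

IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4   # NetFlow v9 field type IDs (RFC 3954)
HEADER_BYTES = 40                       # assumed 20-byte IPv4 + 20-byte TCP, no options


def parse_v9(packet: bytes) -> list:
    """Decode a NetFlow v9 export; returns data records as {field_id: value} dicts."""
    version, _count = struct.unpack("!HH", packet[:4])
    if version != 9:
        raise ValueError("not a NetFlow v9 export")
    offset, templates, records = 20, {}, []          # 20-byte export header
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                               # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                fields = [struct.unpack("!HH", body[pos + 4 + 4 * i:pos + 8 + 4 * i])
                          for i in range(nfields)]
                templates[tid] = fields
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:    # data flowset for a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):        # trailing padding is skipped
                rec = {}
                for ftype, flen in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + flen], "big")
                    pos += flen
                records.append(rec)
        offset += fs_len
    return records


def payload_bytes(rec: dict) -> int:
    """Estimated application payload: octets minus assumed L3/L4 headers per packet."""
    return max(0, rec[IN_BYTES] - rec[IN_PKTS] * HEADER_BYTES)


def build_sample() -> bytes:
    """Constructed export: one template, then a 3-packet connect-scan flow (SYN,
    SYN-ACK, RST at 40 bytes each) and a 12-packet flow carrying 1500 payload bytes."""
    header = struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0)
    tmpl = struct.pack("!HHHH", 0, 20, 256, 3) + struct.pack(
        "!HHHHHH", IN_BYTES, 4, IN_PKTS, 4, PROTOCOL, 1)
    recs = struct.pack("!IIB", 120, 3, 6) + struct.pack("!IIB", 1980, 12, 6)
    data = struct.pack("!HH", 256, 4 + len(recs) + 2) + recs + b"\x00\x00"  # pad to 4
    return header + tmpl + data
```

Running `parse_v9(build_sample())` yields the raw octet counters the capture showed (120 bytes for the scan flow), while `payload_bytes` gives 0 for it and 1500 for the transfer flow.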