Netflow - IP information gathering

jc84_ · ‎07-08-2011

Hi All,

This might be a little off-topic to Cisco, but what the heck.

I'm just curious as to how 'you' go about tracking down a user that *may* possibly be downloading large amounts of data causing congestion on a link. For instance, I had a case this morning with a internal IP address of 10.x.x.x that showed a 900MB conversation over TCP 80 (HTTP) to an ip address of 174.120.5.220.

Great - so its not that hard to track down the internal user. Yell at him to stop, talking to him about what he's doing to the network. No biggie.

I'm more curious about options/tools available to find out what he was doing. I know that he was downloading something, I know that it was over HTTP and I know the outside IP address he was accessing. So I start off by looking at 174.120.5.220. I can check the A record which tells me nothing....

Name: dc.5.78ae.static.theplanet.com.... I can't browse to that IP address. I can see who owns that IP address (XO Communications), but in this case its all useless.

The question, more or less, is do I have any options to keep moving forward in finding out what this user was actually doing?

Giuseppe Larosa · ‎07-08-2011

Hello Jeff,

it should be a form of tunneling over TCP 80 in order to appear as legitimate traffic to firewalls.

to know what was doing you should have captured the conversation recorded it somewhere and then to try to decode it.

You may be interested in a tool called ntop

http://portal.acm.org/citation.cfm?id=1688988

Edit:

wiki.nectec.or.th/ngiwiki/pub/Project/NtopPublic/ntop-guide.pdf

Hope to help

Giuseppe

kevinm2264 · ‎07-08-2011

Hi

I use solarwinds for that and it's great. Make sure your switches support Netflow!

Sent from Cisco Technical Support iPhone App