Forum Discussion

chris69's avatar
chris69
8 years ago

Net flow / Please increase the filter capabilities

The current net flow reporting capabilities are very limited, even if the required net flow data will be delivered by the end devices. I.e. I'm trying to report all traffic for udp port 53 pointing to a specific device; or I'd like to combine search criteria, like a specific source and destination IP addresses using a specific port. All this information will be exported by the end devices to the net flow collector, but it's not possible to report or filter on this. Why not? This option would be very useful for analysing specific traffic between two locations, systems, etc.

Today, we just get the top ten talkers and the top 20 flows... I.e. if roughly 60% of the traffic is outlined as "others" you'd like to get a chance to dive into this part of the overall traffic, correct?

netflow
  • mwilcox's avatar
    mwilcox
    5 years ago

    This is exactly what I am looking for. Anyone have further ideas on this topic?

  • mnagel's avatar
    mnagel
    Icon for Professor rankProfessor
    5 years ago

    Open source gets this done far better and more elegantly.  NFsen, for example, allows you to define a tcpdump-style filter for flow selection.  Very powerful and very useful and this should be added to LM ASAP (advanced feature option off by default if needed).  Things have improved with NetFlow LM the past few years, but it is still very primitive and lacks even basic alerting tied to searches.  The feature seems to be stuck where it is -- would be great if someone at LM could show us a roadmap...

    FWIW, I have been working on a way to extract NetFlow data via the API to workaround this.  It is possible, but not trivial.  This should be within the main UI.

    Also, add IPv6 support -- we get the weirdest results from our SonicWall that sends both IPv4 and IPv6 flows :).