I got a call today. A machine on my network is performing a port scan on my ISP's customer's server. They provided me with a NAT'd address for our machine, source port 500, destination port 500, and the customer's destination address. How can I setup netflow on my cisco 3550, to show my culprit internal address? I'm guessing I just want to aggregate info for source port 500, dest port 500, and dest IP?
I'm looking for specifics. I'm a cisco newbie, and the online docs are a little over my head for netflow.