Castlewood

What does Source/Destination In/Out mean in Netflow Analyser?

Kind of confused about the indication of traffic direction and trying to figure out which is for download / upload in Netflow Analyser. Can someone help me understand what the following combinations mean? (Please see the attached)

Source + In
Source + Out
Destination + In
Destination + Out
netflow.png
harbor235

source IP + input interface
source IP + output interface
destination IP + input interface
destination IP + output interface

Remember, flow records need to potentially identify multiple network devices all sending flow data to a netflow collector. So you need the capability to identify the source interface as well.

harbor235 ;}
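
The four groupings in the reply above, worked through on sample data. This is an added example, not part of the original thread. It assumes the NetFlow v5 export format (the thread does not say which version is in use), that the analyser shows the views per interface, and that ifIndex 1 is the LAN side and ifIndex 2 the MPLS side. The packet and byte counts are constructed.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 layout (assumed export version): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def make_packet(flows):
    """Build a constructed v5 packet from (src, dst, in_if, out_if, octets)."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                    i, o, 1, octets, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, octets in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

def parse(packet):
    """Yield (src, dst, input ifIndex, output ifIndex, octets) per record."""
    version, count = HEADER.unpack_from(packet)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 packet")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated packet")
    for n in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + n * RECORD.size)
        yield socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[3], f[4], f[6]

def four_views(packet, ifindex):
    """Bytes seen on one interface, keyed the four ways the question lists."""
    names = ("source+in", "source+out", "destination+in", "destination+out")
    views = {name: defaultdict(int) for name in names}
    for src, dst, in_if, out_if, octets in parse(packet):
        if in_if == ifindex:    # the flow entered the device on this interface
            views["source+in"][src] += octets
            views["destination+in"][dst] += octets
        if out_if == ifindex:   # the flow left the device on this interface
            views["source+out"][src] += octets
            views["destination+out"][dst] += octets
    return {name: dict(totals) for name, totals in views.items()}

# Constructed sample: one LAN-to-MPLS flow and its return traffic.
SAMPLE = make_packet([
    ("10.10.10.118", "10.10.50.207", 1, 2, 47_000_000),
    ("10.10.50.207", "10.10.10.118", 2, 1, 1_200_000),
])

if __name__ == "__main__":
    for name, totals in four_views(SAMPLE, 2).items():
        print(name, totals)
```
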
Castlewood

ASKER

Thank you for the reply. It is clear now that 'IN' refers to the input interface rather than incoming traffic, while 'OUT' refers to the output interface.

In an incident, however, I still cannot explain why this was happening. Please refer to the attached, where 47MB of traffic flowed from 10.10.10.118 (at my office) to 10.10.50.207 (at another facility via MPLS VPN connection) at 8:58am. Verified that the users didn't have any data transfer during that period of time -- the only close one is a Skype video-call at 8:42am.

Can you help me understand the following questions?
1. So far I'm still not sure if that Skype call was for the 47MB of traffic since the time is about 15 minutes away. I understand Netflow always delays compared to the realtime Cisco ASA. But is a 15-minute delay justified?

2. While 10.10.10.118 made the Skype call, that traffic went out through the Internet connection via OUT interface. Then how come the destination IP shows 10.10.50.207 which is our internal IP subnet in that remote facility? Since it is through Internet, I expect to see a public IP address as the destination IP.

Please help.
Thanks.



These two users' Skype call was happening at 8:42am - 8:48am. How come Netflow

The reason
The attachment I see has sources 10.10.10.12,134,177 over a ~9hr time frame via network.png, is that the one you're talking about?


I do not use the flow analyzer software you are using, is there more than one attachment?


harbor235 ;}
My bad. I didn't hit 'Attach'. Here it is.
netflow2.png
ASKER CERTIFIED SOLUTION
harbor235