What type of data is displayed in the following output?
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2010-09-01 00:00:00.459 0.000 UDP 127.0.0.1:24920 -> 192.168.0.1:22126 1 46 1
2010-09-01 00:00:00.363 0.000 UDP 192.168.0.1:22126 -> 127.0.0.1:24920 1 80 1
firewall log
traffic from a tap
mirrored traffic
NetFlow traffic
Explanation:
The traffic displayed is from a NetFlow capture. NetFlow collects IP traffic statistics on every interface where it is enabled and later exports those statistics as NetFlow records to one or more NetFlow collectors. Each flow is a unidirectional sequence of packets that share the following key fields:
– Ingress interface
– Source IP address
– Destination IP address
– IP protocol
– Source port for UDP or TCP, 0 for other protocols
– Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
– IP Type of Service
Traffic from a TAP or traffic mirrored to a SPAN port would not be organized in this way. Packets captured from either source and opened in a tool like Wireshark can be dissected field by field, headers and payload included; a NetFlow record carries only the flow key and its counters.
A network test access point (TAP) is a hardware device inserted at a specific point in the network to monitor data; it mirrors the traffic that passes between two network nodes.
The SPAN feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer.
A firewall log output would indicate whether traffic was allowed or denied according to the firewall rules, which is not indicated in the output provided.
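Added example (not part of the original question or its source): a small Python parser for the nfdump-style output above, which treats each line as one unidirectional flow and pairs the two directions of the UDP exchange by a direction-independent key. The sample text is constructed from the records shown in the question, and the regular expression assumes nfdump's default column layout.

```python
import re
from collections import namedtuple

# Constructed sample in nfdump's default record layout, based on the output in the question.
SAMPLE = """\
Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2010-09-01 00:00:00.459     0.000 UDP        127.0.0.1:24920   ->    192.168.0.1:22126        1       46     1
2010-09-01 00:00:00.363     0.000 UDP      192.168.0.1:22126   ->      127.0.0.1:24920        1       80     1
"""

Flow = namedtuple("Flow", "start duration proto src_ip src_port dst_ip dst_port packets octets flows")

# One record per line: start time, duration, protocol, src -> dst, then counters only.
# There is no payload here to dissect, which is what separates this from a TAP/SPAN capture.
LINE_RE = re.compile(
    r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

def parse_nfdump(text):
    """Return a list of Flow records, skipping the header and any non-record lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        start, dur, proto, sip, sport, dip, dport, pkts, octs, n = m.groups()
        flows.append(Flow(start, float(dur), proto, sip, int(sport), dip, int(dport),
                          int(pkts), int(octs), int(n)))
    return flows

def flow_key(f):
    # Key fields from the explanation that are present in this output
    # (ingress interface and ToS are not shown by this nfdump format).
    return (f.proto, f.src_ip, f.src_port, f.dst_ip, f.dst_port)

def pair_conversations(flows):
    """Group unidirectional flows into conversations by a direction-independent key."""
    convs = {}
    for f in flows:
        proto, sip, sport, dip, dport = flow_key(f)
        canon = min((proto, sip, sport, dip, dport), (proto, dip, dport, sip, sport))
        c = convs.setdefault(canon, {"packets": 0, "octets": 0, "directions": 0})
        c["packets"] += f.packets
        c["octets"] += f.octets
        c["directions"] += 1
    return convs

if __name__ == "__main__":
    for key, stats in pair_conversations(parse_nfdump(SAMPLE)).items():
        print(key, stats)
```

Run against the sample, the two records collapse into a single conversation with two directions, which is the unidirectional-flow behaviour the explanation describes.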
Objective: Network Concepts
Sub-Objective: Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic.