Netflow Traffic Analysis -

| Panel | Purpose | Alert Threshold | |-------|---------|----------------| | Top Talkers (IPs) | Identify bandwidth hogs | >200 Mbps for >10 min | | Top Applications (by port & protocol) | Unusual app usage | Non-standard ports >10% of total | | Conversation Matrix | East-West traffic visibility | Unusual server-to-server chatter | | Protocol Distribution | TCP/UDP/ICMP ratio | >5% ICMP (possible scanning) | | Asymmetric Routing Flag | Flows with mismatched interfaces | >1% of total flows | | DDoS Signature (Flood) | Single IP with >10k flows/min | Threshold per interface | | Feature | Full NetFlow (All flows) | Sampled NetFlow (1 in N packets) | |---------|--------------------------|----------------------------------| | Accuracy | 100% | ~1/N probability of missing flows | | CPU load on router | High (10-20%) | Low (1-3%) | | Storage required | Very high | Low | | Security use (C2 detection) | ✅ Yes | ❌ Risky (can miss beacons) | | Bandwidth top-N reporting | ✅ Yes | ✅ Acceptable |

NetFlow v9 and IPFIX are template-based and can include additional fields (TCP flags, AS numbers, MPLS labels, etc.). 3. Deployment Architecture A standard NetFlow analysis stack consists of three components: netflow traffic analysis

Date: [Current Date] Prepared By: Network Operations & Security Team Version: 1.0 (Operational Guide) 1. Executive Summary NetFlow (originally developed by Cisco) and its variants (IPFIX, sFlow, NetStream) provide the ability to collect and analyze IP traffic metadata. Unlike full packet capture (which is resource-intensive), NetFlow summarizes who , what , where , when , and how of network conversations. | Panel | Purpose | Alert Threshold |

| Field | Description | Example | |-------|-------------|---------| | Source IP | Where traffic originates | 192.168.1.100 | | Destination IP | Target of communication | 8.8.8.8 | | Source Port | Application on source | 54322 (ephemeral) | | Destination Port | Service on destination | 443 (HTTPS) | | Protocol | Layer 4 protocol | TCP (6), UDP (17) | | Packets & Bytes | Volume of transfer | 1,200 packets / 1.4 MB | | Timestamps (Start/End) | Flow duration | 14:32:10.100 – 14:32:10.950 | NetFlow summarizes who