Splunk Lantern

Volume of traffic between source-destination pairs

 

Your organization has been experiencing sluggish performance on its network. You want to identify problematic destination IP addresses and establish alerts for when network usage becomes too high so you can clean up bandwidth bottlenecks.

Data required 

Firewall data

Procedure

This sample search uses Fortinet FortiGate data. You can replace this source with any other firewall data used in your organization.

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=fgt_traffic src=<IP address sending the request> NOT (dest=<Internal IP address> OR dest=<DNS>)
| stats sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out BY src dest
| table src dest bytes_in bytes_out
| sort - bytes_out

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=fgt_traffic 

Search only Fortinet FortiGate network traffic data.

src=<IP address sending the request> 

Search data coming from this IP address.

If you want to search all IP addresses in a netblock, use CIDR notation or a wildcard. For example, src=192.168.255.0/24 or src=192.168.255.*

NOT (dest=<Internal IP address> OR dest=<DNS>)

Exclude internal and DNS destination IP addresses.

Logs vary in the information they contain. Not all logs have hostnames or IP addresses, and the dest field may hold a hostname in one event and an IP address in another. Parentheses and OR statements broaden your search so you don't miss either form, and let you cover alternative field names such as dest_ip.

Example:
(dest="192.0.2.0" OR dest_ip="192.0.2.0")

Example:
(dest="192.0.2.0" OR dest="example.com")

| stats sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out BY src dest

Sum the total volume of bytes_in and bytes_out for each source-destination pair. Without the AS clauses the result fields would be named sum(bytes_in) and sum(bytes_out), and the table and sort commands that follow would not find them.

| table src dest bytes_in bytes_out

Display the results in a table with columns in the order shown.

| sort - bytes_out

Sort the results so the source-destination pair with the largest volume of bytes out appears first. The minus sign must be a plain hyphen (-); a typographic dash is not recognized by the sort command.

Next steps

Use the results to establish baselines or examine them for outliers. Change the sort order as needed to look at the top inbound byte volumes or the lowest byte counts, if that is appropriate for your use case. Set an alert for when the byte volume of a source-destination pair, or the number of pairs returned, exceeds a threshold you choose. You can also monitor for potential concerns, such as many hosts from the same subnet all communicating to the same destination IP with identical byte counts, both in and out, a pattern more typical of scheduled or beaconing traffic than of people browsing.
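The search above and the alerting ideas in this section, re-implemented in Python over constructed FortiGate traffic log lines so the logic can be inspected outside Splunk. This is an added example, not code from the page, Splunk or Fortinet. It assumes the FortiGate field mapping srcip/dstip/sentbyte/rcvdbyte to the page's src/dest/bytes_out/bytes_in; the sample events, the exclusion list (an internal range, a DNS resolver address and its hostname) and the thresholds are made up. It performs the same filter, sum and sort as the search, then applies a bytes_out threshold and the identical-byte-count check described above, which the search alone does not do.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events in FortiGate key=value traffic-log format (not real telemetry).
# Assumed field mapping: srcip -> src, dstip -> dest, sentbyte -> bytes_out, rcvdbyte -> bytes_in.
SAMPLE_LOGS = [
    "date=2024-05-01 time=10:00:01 type=traffic subtype=forward srcip=10.1.1.10 dstip=198.51.100.20 dstport=443 proto=6 sentbyte=120000 rcvdbyte=5000000",
    "date=2024-05-01 time=10:00:09 type=traffic subtype=forward srcip=10.1.1.10 dstip=198.51.100.20 dstport=443 proto=6 sentbyte=80000 rcvdbyte=3000000",
    "date=2024-05-01 time=10:00:12 type=traffic subtype=forward srcip=10.1.1.10 dstip=10.1.5.5 dstport=445 proto=6 sentbyte=900000 rcvdbyte=100",
    "date=2024-05-01 time=10:00:15 type=traffic subtype=forward srcip=10.1.1.10 dstip=10.1.0.53 dstport=53 proto=17 sentbyte=64 rcvdbyte=128",
    "date=2024-05-01 time=10:01:00 type=traffic subtype=forward srcip=10.2.2.11 dstip=203.0.113.7 dstport=443 proto=6 sentbyte=512 rcvdbyte=1024",
    "date=2024-05-01 time=10:01:00 type=traffic subtype=forward srcip=10.2.2.12 dstip=203.0.113.7 dstport=443 proto=6 sentbyte=512 rcvdbyte=1024",
    "date=2024-05-01 time=10:01:01 type=traffic subtype=forward srcip=10.2.2.13 dstip=203.0.113.7 dstport=443 proto=6 sentbyte=512 rcvdbyte=1024",
    "date=2024-05-01 time=10:01:02 type=traffic subtype=forward srcip=10.3.3.3 dstip=203.0.113.7 dstport=443 proto=6 sentbyte=777 rcvdbyte=1024",
]

# Stand-in for NOT (dest=<Internal IP address> OR dest=<DNS>): an internal range,
# the DNS resolver's address, and the resolver's hostname (all constructed values).
EXCLUDED_DESTS = ["10.1.5.0/24", "10.1.0.53", "ns1.example.internal"]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value log line into the page's field names."""
    raw = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "src": raw.get("srcip"),
        "dest": raw.get("dstip"),
        "bytes_out": int(raw.get("sentbyte", 0)),
        "bytes_in": int(raw.get("rcvdbyte", 0)),
    }


def dest_excluded(dest, exclusions):
    """Exclusions may be CIDR ranges, single IPs or hostnames, because the
    dest field may carry either an address or a name."""
    try:
        addr = ip_address(dest)
    except ValueError:  # dest is a hostname: compare names case-insensitively
        return dest.lower() in {e.lower() for e in exclusions}
    for entry in exclusions:
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:  # hostname entry; does not apply to an IP dest
            continue
    return False


def volume_by_pair(lines, src_filter, exclusions):
    """Equivalent of: src=<filter> NOT (dest=...) | stats sum(...) BY src dest | sort - bytes_out.
    src_filter is a host or CIDR string, or None to keep every source."""
    src_net = ip_network(src_filter, strict=False) if src_filter else None
    totals = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for line in lines:
        ev = parse_event(line)
        if not ev["src"] or not ev["dest"]:
            continue  # event lacks an address; nothing to aggregate
        if src_net and ip_address(ev["src"]) not in src_net:
            continue
        if dest_excluded(ev["dest"], exclusions):
            continue
        pair = totals[(ev["src"], ev["dest"])]
        pair["bytes_in"] += ev["bytes_in"]
        pair["bytes_out"] += ev["bytes_out"]
    rows = [{"src": s, "dest": d, **v} for (s, d), v in totals.items()]
    return sorted(rows, key=lambda r: r["bytes_out"], reverse=True)


def over_threshold(rows, bytes_out_threshold):
    """Alert condition: pairs whose outbound volume exceeds the threshold."""
    return [r for r in rows if r["bytes_out"] > bytes_out_threshold]


def identical_volume_clusters(rows, min_hosts=3):
    """Flag at least min_hosts sources in one /24 talking to the same dest
    with identical bytes_in and bytes_out (the pattern described above)."""
    groups = defaultdict(set)
    for r in rows:
        groups[(r["dest"], r["bytes_in"], r["bytes_out"])].add(r["src"])
    clusters = []
    for (dest, b_in, b_out), srcs in groups.items():
        subnets = {ip_network(f"{s}/24", strict=False) for s in srcs}
        if len(srcs) >= min_hosts and len(subnets) == 1:
            clusters.append({"dest": dest, "subnet": str(subnets.pop()),
                             "hosts": sorted(srcs), "bytes_in": b_in, "bytes_out": b_out})
    return clusters


if __name__ == "__main__":
    for row in volume_by_pair(SAMPLE_LOGS, "10.1.1.10", EXCLUDED_DESTS):
        print(row)
    all_rows = volume_by_pair(SAMPLE_LOGS, None, EXCLUDED_DESTS)
    print("over threshold:", over_threshold(all_rows, 100_000))
    print("identical-volume clusters:", identical_volume_clusters(all_rows))
```

Against the sample data the single-host search returns one pair (the two internal destinations are excluded and the two external flows are summed), the threshold check fires on that pair, and the cluster check picks out the three 10.2.2.0/24 hosts sending 512 bytes and receiving 1024 bytes from the same destination while ignoring the fourth host whose counts differ. In SPL the same cluster check is a grouping on the aggregated rows, along the lines of `| stats dc(src) AS hosts values(src) AS srcs BY dest bytes_in bytes_out | where hosts>=3`.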

You might also be interested in other processes associated with the Monitoring for network traffic outliers use case.