Skip to main content

Volume of network traffic from one user

  • Updated

You might want to look at the volume of traffic related to a certain user's network connections when doing the following:

Prerequisites 

In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.

Category

Name

Importance

Data

Network traffic data

Required

Add-on

Palo Alto Networks Add-on for Splunk

Recommended

 

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

While monitoring your network traffic for volume outliers, excessive data from one user catches your eye. You want to investigate that user's activity.

  1. Run the following search:
sourcetype="pan:traffic" (src_ip=<IP address of user> OR dest_ip=<IP address of user>)
| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) as bytes_total by src_ip dest_ip
| eval mb_in=round((bytes_in/1024/1024),2)  
| eval mb_out=round((bytes_out/1024/1024),2) 
| eval mb_total=round((bytes_total/1024/1024),2)
| fields - bytes*
| sort - mb_total
| head 10

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype="pan:traffic" 

Search Palo Alto Networks data.

(src_ip=<IP address of user> OR dest_ip=<IP address of user>)

Search for events with the IP address of the user you are investigating as the source or destination.

| stats count AS event_count sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out sum(bytes) as bytes_total by src_ip dest_ip

Group the events by unique source and destination IP address connections, count the number of times each connection occurred, and show the result in an event_count column. Sum the bytes in, bytes out, and bytes total for each set of events.

| eval mb_in=round((bytes_in/1024/1024),2)  

Convert bytes_in to megabytes, rounded to two decimal places, and display in a column called mb_in.

| fields - bytes*

Remove any field with bytes in the name from the results.

| sort - mb_total

Sort the results so the event with the highest total megabyte count appears first.

| head 10

Limit the results to the top 10.

 

Result

The results show the top 10 talkers between the user under investigation and other systems. You can investigate the connections and drill further into each of them as needed.

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.