Netflow data is a type of network traffic data that was developed by Cisco but has now become a more generic term for referring to a method of collecting and monitoring traffic generated by network devices, such as routers and switches. A netflow solution consists of a flow generator or exporter, a flow collector, and an analysis application (in this case, Splunk!).
Data visibility
Netflow data is a rich data source with cross functional value to the enterprise. Use cases for basic flow data include monitoring availability, efficiency, and security of networks, hosts, and applications.
High-value fields
In the Common Information Model, netflow data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
dest
The destination of the network traffic (the remote host).
dest_ip
The IP address of the destination.
dev_ip
The IP address of the device.
dev_mac
The device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14.
protocol
The OSI layer 3 (network) protocol of the traffic observed, written in all lower case.
src
The source of the network traffic (the client requesting the connection).
src_ip
The IP address of the source.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
|
Data Source |
Sourcetype |
Recommend Add-Ons |
|
Cisco |
There are many available sourcetypes, depending on what data you need. |
|
|
NetFlow Logic |
There are many available sourcetypes, depending on what data you need. |
Related Use Cases
Comments
0 comments
Article is closed for comments.