Network Top Talkers
- Yuki Bradley Kondo
Overview:
A cloud storage company would like to know the top talkers in their corporate office in any given time. They have used existing tools such as the NetFlow and Splunk PCAP Analyzer. However, those tools provide an overview of the network and do not allow the user to “drill down” to specific top talkers in their network. For example, if the user needs to know the specific VLAN or MAC or the top talkers they cannot perform that task using either of those tools.
Many enterprise networks consists of thousands of devices connected concurrently. Being able to correlate and visualize large amounts of network traffic is difficult since top talkers can change dramatically within 10-30 minutes, especially during a security or performance issue.
The Problem:
Current solutions cannot quickly visualize top talkers and their peers.
Current solutions do not allow the user to “drill down” to a specific host to find out its protocols and peers.
Existing PCAP tools do not allow the user to query data based on a date and time range.
The current solution does not allow users to compare top talkers from two different points in time from the GUI.
The Solution:
PureInsight leverages an efficient PCAP engine to process packets quickly using standard server hardware. This speeds up the process of being able to quickly visualize network traffic to find out the top talkers.
PureInsight Interactive Search allows the user to populate their dashboard with network traffic based on a date and time range. For example, if top talkers data is needed between the hours of 5-6pm, the user can easily select the time and date.
PureInsight allows the user to compare the top talkers from 2 different time ranges.
Workflow:
- 1 1. Interactive Search (Date and Time)
- 2 2. Set Filter to 10%
- 3 3. Set Criteria (Byte Count)
- 4 4. Set Zoom Criteria (Top Talkers)
- 5 5. Press arrow buttons (<- and ->)
- 6 6. Layout (List View)
- 7 7. Save the List of Top Talkers in a CSV
- 8 8. Open Search Results in Flow Analysis
- 9 9. Lasso Tool
- 10 10. Download Peaking Flows
1. Interactive Search (Date and Time)
Use the Date and Time Search to extract all PCAP files within a selected time range. By moving the cursor on a particular node, you can view more details such as IP address, MAC address, and the number of packets and bytes sent from or received by that node.
2. Set Filter to 10%
Shows only 10% of the traffic with nodes having a large number of packets or bytes.
3. Set Criteria (Byte Count)
Top Talker can differ in the number of packets or bytes sent from or received by that node.
4. Set Zoom Criteria (Top Talkers)
Zoom in Top Talkers. A combination of 4 and 5 allows you to iterate through the top talkers.
5. Press arrow buttons (<- and ->)
Clicking on the Back Arrow button displays the Nodal graph from the previous search results and the Forward Arrow button displays the Nodal graph from the current search results.
6. Layout (List View)
List View displays the nodes in a table.
7. Save the List of Top Talkers in a CSV
You can save a list as a report.
8. Open Search Results in Flow Analysis
Input the output file of Interactive Search.
Flow Analysis is used to create network streams from the PCAP files. Streams are plotted based on 5-tuple information, which contains source/destination IP, source/destination port, and timestamp extracted from each packet. The streams are plotted as the number of packets (y-axis) vs time (x-axis).
9. Lasso Tool
The lasso tool allows you to select points of interest by highlighting areas around the graph. This tool is used to select a specific area on the screen, which will generate column data below that list the packets and their details.
10. Download Peaking Flows
You can export data as a CSV.
