[netsa-tools-discuss] Using rwfilter --flags-initial to filter servers and clients addresses

asad a.alii85 at gmail.com
Tue Oct 27 09:58:56 EDT 2015


This is great, actually I'm trying to grab a baseline view of the network
by supplying as many commands as possible using SiLK. The analyst handbook is
great in terms of step-by-step explanation. It introduced me to a tool,
"gnuplot", which makes the job so much easier (visually); before, I was using
Excel, which is slow.

I will look into "Network Profiling Using Flow" and see how it could help
me.

Thanks Mark.

regards,


On Tue, Oct 27, 2015 at 6:51 PM, Mark Thomas <mthomas at cert.org> wrote:

> The absence of the initial TCP flag fields makes it more difficult
> to find servers in your network.
>
> For TCP data, you can ignore sessions that have fewer than four
> packets (--packets=4-).  (Unless your flow generator is a Cisco ASA
> router, which does not provide counts of packets.)
>
> Assuming your flow generator provides a summary of TCP flags across
> all packets in the flow (e.g., not a Cisco Meraki MX), filter for
> flows that contain both SYN and ACK flags (--flags-all=SA/SA).
>
> Busy, well-known servers have a large volume of traffic either
> arriving (an SMTP server) or leaving (a web server) on a well-known
> port.  Use rwstats with sip,sport as the key and bytes as the value.
> Repeat for dip,dport.
>
> Servers typically communicate with a lot of distinct hosts.  Use
> rwstats to find hosts that communicate with a lot of distinct IPs.
>
> Look for other suggestions in the "Network Profiling Using Flow"
> paper.  http://www.sei.cmu.edu/reports/12tr006.pdf
>
> There are resources and papers on the Internet that discuss finding
> servers with network flow data.
>
> -Mark
>
>
> On Mon, 26 Oct 2015 20:03:46 +0500, asad wrote:
>
> > Mark-
> >
> > This begs the question of how I change the command to suit its purpose.
> > I'm not using YAF, but I have seen in the analyst handbook that there are
> > examples using all-flags without ever mentioning YAF involvement.
> >
> > So, for this case to work what should I be changing in my command?
> >
> > On Mon, Oct 26, 2015 at 7:05 PM, Mark Thomas <mthomas at cert.org> wrote:
> >
> >> asad-
> >>
> >> The "initialFlags" field of the SiLK flow record (which is the field
> >> checked by the --flags-initial switch on rwfilter) is only populated
> >> when the flow record was converted from an IPFIX record generated by
> >> YAF.
> >>
> >> Unless you are using YAF as your flow generator, the initialFlags
> >> field is always empty.
> >>
> >> -Mark
> >>
> >>
> >> -----Original Message-----
> >> From: asad <a.alii85 at gmail.com>
> >> Date: Mon, 26 Oct 2015 13:43:15 +0500
> >> To: <netsa-tools-discuss at cert.org>
> >> Subject: [netsa-tools-discuss] Using rwfilter --flags-inital to fitler
> >>         servers and clients addresses
> >>
> >> Hello,
> >>
> >> I'm processing Nexus 7k logs, and on 1 VLAN I have tried to filter
> >> all those IP addresses that are responsible for the initial query
> >> (handshake). My cmd and results look like
> >>
> >> "rwfilter  --sensor=S1 --type=int2int  --start-date=2015/10/15
> >> --end-date=2015/10/23 --flags-initial=S/SA --print-statistics
> >> --pass=query.rw
> >> Files   216.  Read      35403.  Pass          0. Fail       35403."
> >>
> >> If the filter is correct, does it mean I don't have a client in my VLAN
> >> and all are servers? Can this query be converted to identify a list of
> >> source IP addresses which requested connections to the servers in a
> >> specific VLAN?
> >>
> >> Thanks.
> >>
>
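Mark's server-finding heuristics, worked through as an added example that is not part of the thread or of the SiLK tool suite: a small Python reimplementation of the packet-count, SYN+ACK, byte-volume and distinct-peer checks over a constructed rwcut-style sample, so the logic can be followed without a SiLK install. The SAMPLE rows and the Flow/parse_flows/candidate_flows/top_by_bytes/distinct_peers names are all my own; the comments give the rwfilter/rwstats switches each step corresponds to.

```python
from collections import defaultdict, namedtuple

# Constructed sample in the style of
#   rwcut --fields=sIP,dIP,sPort,dPort,packets,bytes,flags --delimited='|'
# (made-up rows, not data from the poster's Nexus 7k sensor).
SAMPLE = """\
10.0.1.5|10.0.0.25|51012|25|12|40000|FSPA
10.0.1.6|10.0.0.25|51013|25|10|38000|FSPA
10.0.1.7|10.0.0.25|51014|25|9|42000|FSPA
10.0.0.80|10.0.1.5|80|51020|14|90000|FSPA
10.0.0.80|10.0.1.9|80|51021|11|70000|FSPA
10.0.1.9|10.0.0.80|51022|80|2|120|S
10.0.1.5|10.0.0.53|40000|53|1|60|
"""
Flow = namedtuple("Flow", "sip dip sport dport packets bytes flags")

def parse_flows(text):
    """Parse pipe-delimited rows; flag letters are kept, rwcut's column padding is dropped."""
    rows = []
    for line in text.splitlines():
        f = [c.strip() for c in line.split("|")]
        if len(f) < 7 or not f[0]:
            continue
        rows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]), f[6].replace(" ", "")))
    return rows

def candidate_flows(flows):
    """Same test as: rwfilter --packets=4- --flags-all=SA/SA
    i.e. at least four packets and both SYN and ACK present in the cumulative flags."""
    return [fl for fl in flows if fl.packets >= 4 and "S" in fl.flags and "A" in fl.flags]

def top_by_bytes(flows, side):
    """Same aggregation as: rwstats --fields=sip,sport (side="src") or dip,dport (side="dst") --values=bytes."""
    totals = defaultdict(int)
    for fl in flows:
        key = (fl.sip, fl.sport) if side == "src" else (fl.dip, fl.dport)
        totals[key] += fl.bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def distinct_peers(flows, side):
    """Distinct counterpart IPs per host, cf. rwstats --fields=sip --values=distinct:dip (side="sip") or the reverse."""
    peers = defaultdict(set)
    for fl in flows:
        if side == "sip": peers[fl.sip].add(fl.dip)
        else: peers[fl.dip].add(fl.sip)
    return {host: len(s) for host, s in peers.items()}

if __name__ == "__main__":
    cand = candidate_flows(parse_flows(SAMPLE))
    print(top_by_bytes(cand, "src")[:2], top_by_bytes(cand, "dst")[:2], distinct_peers(cand, "dip"))
```

In the sample the web server shows up as the top source key (bytes leaving on port 80), the SMTP server as the top destination key (bytes arriving on port 25) and as the host with the most distinct peers; the two short flows are dropped by the packet-count and flag checks exactly as --packets=4- and --flags-all=SA/SA would drop them.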