Tag: Workflow

Estimating NetFlow volume

Customers often ask "how much NetFlow traffic should we expect to see in our environment?". Unfortunately it's rather difficult to simply pull out a number because so many factors come into play. Here's a quick list of some of the most important factors, in no particular order...

1. Large number of public IP addresses

If you have a large number of publicly addressable IPs (such as a class B) you will be the victim of bulk scanning more often than an organization with a single class C. Automated scanning from worms and the like is the primary contributor. Each IP scanned will… READ MORE

Building context sensitive links into your SMC user interface.

Here's a quick tip for Lancope customers who would like to add web links to the StealthWatch GUI. StealthWatch 5.8 and later provides a hidden mechanism for adding context sensitive links to host IP addresses shown within the StealthWatch Management Console UI. By default only one web link (DShield.org) is provided... We plan to provide a UI for adding additional web-based linkages in the near future, but for now the more adventurous users can follow the steps below to add additional links to various web-based applications.

1. Grab the WebLinks.xml by navigating to: https://192.168.0.2/admin/cgi-bin/importWebLinks.cgi (where “192.168.0.2” is the IP… READ MORE

Very Cool Workflow Addition in StealthWatch

Here is a very cool workflow addition (and huge time saver!) within StealthWatch System 5.8, available as an option from a flow table query… When you are viewing a flow analysis and are looking at the exporter interface information to see where the flow came from, you can right-click the list of interface(s) and select Interface Status to jump to a view of each interface that observed the flow. READ MORE

Resetting .JNLP associations to “Java Web Start.app” in OSX

Most people just use the Mac and never really have to think about how the underlying applications and services operate. You point, click, and things just happen. The Mac so rarely needs "fixing" that its users never have to learn how. So when something "core" breaks in OS X it's a pain to repair. Apple recently released Java SE 6.0 for OS X. This release offers the usual gamut of bug fixes, performance improvements, and tons of other items that most users will want. Unfortunately, on some systems, when you install SE 6.0 the "Open With..." associations between Java Web Start… READ MORE

A note on double counting SPAN port traffic on the Cat6k

One of the new features in StealthWatch v5.10 allows the FlowSensor to track TCP retransmission rates for a given flow. While doing internal testing here at Lancope we noticed the retransmission rates for a specific VLAN were very high: 25%+ for almost all flows. The Flow Table screenshot below shows the problem in action... At first I thought it was an issue with the retransmission detection algorithm, but on further inspection realized the issue was a misconfiguration in a Cisco SPAN session's directionality. If we log into the FlowSensor that was seeing the retransmissions and run a tcpdump we… READ MORE