Using the data from one or more NetFlow exporters, the NetFlow collector can then piece together what sessions or conversations have occurred. For example, it can show that:
HostA sent 1 KByte to HostB from port 32123 to port 80
HostB sent 235 KBytes back to HostA on the same ports
HostC sent 2 KBytes to HostB from port 42714 to port 80
HostB sent 23 KBytes back to HostC using the same ports
... etc...
From this simplified example, it seems likely that HostB is a web server, receiving (small) requests on port 80, and sending back longer responses.
Of course, on production networks there can be hundreds, or even thousands, of these sessions (also called "flows", as in "flows of data") per second, and you need a tool for making sense of all this flow information. Dartware's InterMapper Flows is a NetFlow collector that does just this.
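The pairing step described above can be sketched in Python. This is an added example, not InterMapper Flows code: it merges the two one-way flow records of each conversation into a session and totals traffic per likely server. The record layout, the function names, and the "lower port number is the server" heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed unidirectional flow records mirroring the example above:
# (src, src_port, dst, dst_port, kbytes). Real exporters send more fields.
FLOWS = [
    ("HostA", 32123, "HostB", 80, 1),
    ("HostB", 80, "HostA", 32123, 235),
    ("HostC", 42714, "HostB", 80, 2),
    ("HostB", 80, "HostC", 42714, 23),
]

def pair_sessions(flows):
    """Merge both directions of each conversation into one session."""
    sessions = {}
    for src, sport, dst, dport, kb in flows:
        # Direction-independent key: the two endpoints, sorted.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        sent = sessions.setdefault(key, defaultdict(int))
        sent[(src, sport)] += kb  # KBytes sent by this endpoint
    return sessions

def infer_servers(sessions):
    """Summarise sessions per likely server endpoint (host, port).

    Heuristic (an assumption): the endpoint with the lower port number
    is the server. A flow with no reply counts 0 KBytes outbound.
    """
    servers = defaultdict(lambda: {"clients": set(), "kb_in": 0, "kb_out": 0})
    for (a, b), sent in sessions.items():
        server, client = (a, b) if a[1] < b[1] else (b, a)
        entry = servers[server]
        entry["clients"].add(client[0])
        entry["kb_in"] += sent[client]
        entry["kb_out"] += sent[server]
    return dict(servers)

if __name__ == "__main__":
    for (host, port), s in infer_servers(pair_sessions(FLOWS)).items():
        print(f"{host}:{port} clients={sorted(s['clients'])} "
              f"in={s['kb_in']} KBytes out={s['kb_out']} KBytes")
```

A session whose outbound total stays at zero, or a host contacted on many different ports by one source, stands out in this summary and is the kind of pattern a collector lets an operator spot.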