<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Dear Jimmy<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I feel your pain in identifying and quickly finding abnormal traffic, this is what I live and breathe almost every day !<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Winding back the clock say 4 or years ago I remember trying lots of software and evaluating lots of options with one goal in mind… Find attack traffic and quickly identify the source and destination along with the protocol in near real time, enabling us to lower the time it took to deal with threats, relying on SNMP data for this purpose was useless. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In the end we choose ManageEngine Netflow Analyzer which provided a fantastic starting point for us in providing real time visibility, whilst now a days we NSFOCUS hardware mainly for DDoS detection and mitigation we still to this day use ManageEngine Netflow Analyzer within our NOC !<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A very old case study of mine can be found here - <a href="http://micron21.com/ddos-netflow.php">http://micron21.com/ddos-netflow.php</a> <o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Whilst the software is commercial I believe it’s still very well priced, and the free version from memory supports a single interface for free !<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Back in the days the software developers were very helpful in helping create custom modifications building new features and functions for us so well worth in my eyes checking it out !<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Kindest Regards<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Verdana","sans-serif";color:black'>James Braunegg<br></span></b><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>P:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> 1300 769 972 | <b>M:</b> 0488 997 207 | <b>D:</b> (03) 9751 7616</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>E:</span></b><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><a href="mailto:james.braunegg@micron21.com"><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>james.braunegg@micron21.com</span></a></span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'> | <b>ABN:</b> 12 109 977 666 <br><b>W:</b> <a href="http://www.micron21.com/ddos-protection"><span style='color:black'>www.micron21.com/ddos-protection</span></a> <b>T:</b> @micron21<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><br><img border=0 width=250 height=39 id="Picture_x0020_1" src="cid:image001.jpg@01CF2A7B.4AA84740" alt="Description: Description: Description: Description: M21.jpg"><br></span><span lang=EN-AU style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'>This message is intended for the addressee named above. It may contain privileged or confidential information. If you are not the intended recipient of this message you must not use, copy, distribute or disclose it to anyone other than the addressee. If you have received this message in error please return the message to the sender by replying to it and then delete the message from your computer.</span><span style='font-size:8.0pt;font-family:"Verdana","sans-serif";color:black'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> AusNOG [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>Jimmy<br><b>Sent:</b> Saturday, February 15, 2014 3:28 PM<br><b>To:</b> ausnog@lists.ausnog.net<br><b>Subject:</b> [AusNOG] What tool shows this?<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>I wonder what network monitoring tool is this?<img border=0 width=580 height=56 id="_x0000_i1025" src="cid:image003.png@01CF2A91.97CEF120" alt="Inline images 1"><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Also what is a good network monitoring tool (open source preferred) that collects netflow data and can easily show a current traffic anomaly e.g. a ddos attack quickly and succinctly? The primary goal is to help me identify the traffic anomaly, if there's a certain IP address being targeted, etc.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am currently using ntop but I find it a little cumbersome and slow, although it's helpful, but it isn't giving me a nice output like the above.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Jimmy<o:p></o:p></p></div></div></div></body></html>