Differences

This shows you the differences between two versions of the page.

--- admin:domainsandip [2024/05/23 13:29] – [Can we get traffic reports for a URL?] veera
+++ admin:domainsandip [2024/05/23 14:58] (current) – [How Trisul Netflow Analyzer show DNS names] veera
@@ Line 5: / Line 5: @@
+For example : this customer tries to query for all flows to ''gmail.com''
+{{ :admin:url1.png?600 |}}
 This article explains why it may not always be possible to get what you want.
+The main issue is that Netflow is a L3 technology primarily hence it works with IP Addresses rather than domain names.  A quick overview of the differences between URL, Domain names, and IP Addresses is in order.
@@ Line 16: / Line 23: @@
 A **URL** (Uniform Resource Locator) is the address used to access resources on the internet.
 It specifies the location of a resource and the protocol used to access it.
+It looks like this ''https://www.example.com/about-us?id=23''
 A URL typically consists of several components:
-  * - **Protocol**: Indicates the method used to access the resource (e.g., `http`, `https`, `ftp`).
+  * **Protocol**: Indicates the method used to access the resource (''https'').
-  * - **Domain Name**: The human-readable address of a website (e.g., `example.com`).
+  * **Domain Name**: The human-readable address (**the domain name**) of a website (''example.com'').
-  * - **Path**: Specifies the exact resource or page within the website (e.g., `/about-us`).
+  * **Path**: Specifies the exact resource or page within the website (''/about-us'')
-  * - **Parameters**: Optional query strings used to pass additional information (e.g., `?id=123`).
+  * **Parameters**: Optional query strings used to pass additional information (?id=23).
 ===== What is a Domain? =====
-A** domain** is a specific part of the URL that identifies the website.
+A** domain** name is a human readable name given to one or more IP Addresses. A Domain Name System is used to resolve these human readable names to IP Addresses.
-Domains are registered through domain registrars, and they are unique to ensure that each website has a distinct address.
+Domains are registered through domain registrars, and they are unique to ensure that each website has a distinct address. However one can use multiple IP addresses for a single domain.  This is called DNS Load Balancing where the DNS server hands out one of the many IP Addresses in random manner to split the load.
 Ultimately the endpoint is an  **IP address**
+===== What is an IP Address  =====
+AN IP Address is the actual network endpoint of any communication in IP networks. They can be IPv4 or IPv6 addresses.
-. The DNS protocol is used to convert a domain name into an IP Address.  An IP Address looks like this  102.42.38.231.
+<note>
+The Netflow protocol deals only with IP Addresses because that is what the routers and switches work on.
+</note>
-For example,
+Hence Trisul Netflow Analyzer or any other such netflow analysis product only understands and works with IP Addresses.   Hence a query for '' gmail.com'' has to be translated into a query for an IP Address.
-In URL: ''https://www.example.com/site_login''
+<code>
+vivek@VIVEKLINUX03:~/Downloads$ ping gmail.com
+PING gmail.com (142.250.195.101) 56(84) bytes of data.
+bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=1 ttl=118 time=7.79 ms
+bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=2 ttl=118 time=6.79 ms
+bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=3 ttl=118 time=8.38 ms
+^C
+--- gmail.com ping statistics ---
+packets transmitted, 3 received, 0% packet loss, time 2003ms
+rtt min/avg/max/mdev = 6.786/7.651/8.377/0.656 ms
-  * ''https'' is the protocol.
-  * ''www.example.com'' is the domain name
+</code>
-  * ''www'' denotes web addresses and subdomain of example.com
-  * ''.com`, `.org`, `.net'' is the Top-Level Domain (TLD)
+So we find the IP of gmail is 142.250.195.101 , so this works.
-  * ''example'' is the Second-Level Domain (SLD)
-  * ''site_login'' is the path
+However, there are hundreds of IP Addresses for Gmail.com. Just a few minutes later the same ping command can give another IP.
-  * DNS converts www.example.com into IP addresses like 102.42.38.231
-  *
+===== How Trisul Netflow Analyzer show DNS names  =====
-In NetFlow Analyzer, We can monitor the traffic through IP addresses of that URL such as
+If you go to Trisul Netflow Analyzer, you might see domain names instead of IP Addresses. How does this happen if this information is not sent via Netflow ?
+{{ :admin:url2.png |}}
+It is because we use Reverse DNS in combination with Netflow.
+  - For all Hosts (IP Addresses) Trisul uses an intelligence algorithm to select the most important IP addresses for resolution. These can be on topper lists, or with alerts etc.
+  - A background DNS Resolution process runs that keeps resolving these hostnames.
+  - However only the most recent name is assigned to the IP Address
+Hence if you queried for gmail.com , only the most recently seen IP is used to perform the actual query.
+===== Solutions =====
+There are few options to query based on domain name.
+<note>Querying by domain  only works if Trisul Netflow Analyzer is able to resolve the IP into a domain name.
+</note>
+==== Option 1:  Use the Trisul Network Analytics Packet Mode license ====
+Trisul NSM - the packet mode version of Trisul is able to listen to actual packets and extract full information about domain names from the HTTP-Header and SNI in SSL/TLS.
+==== Option 2:  Search for the domain name  ====
+Put the domain name instead of the IP Address in the queries. This will use the latest IP -> Domain mapping for the query.
+==== Option 3:  Use the Super Search Hosts app  ====
+Login as Admin > Web Admin > Manage > Apps.
+Then install the "Super Search Hosts" app. This allows you to enter a domain name, then it presents all IP dddreses associate with the domain.
+Hope this helps clarify the questions about the ability to query by names and URL.