Can we query traffic reports for a URL/Domain from Trisul Netflow Analyzer ?

We get a lot of questions from customers who try to query traffic or flows for a domain name and are unable to get it.

For example : this customer tries to query for all flows to gmail.com

This article explains why it may not always be possible to get what you want.

The main issue is that Netflow is a L3 technology primarily hence it works with IP Addresses rather than domain names. A quick overview of the differences between URL, Domain names, and IP Addresses is in order.

A URL (Uniform Resource Locator) is the address used to access resources on the internet. It specifies the location of a resource and the protocol used to access it. It looks like this https://www.example.com/about-us?id=23

A URL typically consists of several components:

• Protocol: Indicates the method used to access the resource (https).
• Domain Name: The human-readable address (the domain name) of a website (example.com).
• Path: Specifies the exact resource or page within the website (/about-us)
• Parameters: Optional query strings used to pass additional information (?id=23).

A domain name is a human readable name given to one or more IP Addresses. A Domain Name System is used to resolve these human readable names to IP Addresses.

Domains are registered through domain registrars, and they are unique to ensure that each website has a distinct address. However one can use multiple IP addresses for a single domain. This is called DNS Load Balancing where the DNS server hands out one of the many IP Addresses in random manner to split the load.

Ultimately the endpoint is an IP address

AN IP Address is the actual network endpoint of any communication in IP networks. They can be IPv4 or IPv6 addresses.

Hence Trisul Netflow Analyzer or any other such netflow analysis product only understands and works with IP Addresses. Hence a query for gmail.com has to be translated into a query for an IP Address.

vivek@VIVEKLINUX03:~/Downloads$ ping gmail.com
PING gmail.com (142.250.195.101) 56(84) bytes of data.
64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=1 ttl=118 time=7.79 ms
64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=2 ttl=118 time=6.79 ms
64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=3 ttl=118 time=8.38 ms
^C
--- gmail.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 6.786/7.651/8.377/0.656 ms

So we find the IP of gmail is 142.250.195.101 , so this works.

However, there are hundreds of IP Addresses for Gmail.com. Just a few minutes later the same ping command can give another IP.

If you go to Trisul Netflow Analyzer, you might see domain names instead of IP Addresses. How does this happen if this information is not sent via Netflow ?

It is because we use Reverse DNS in combination with Netflow.

1. For all Hosts (IP Addresses) Trisul uses an intelligence algorithm to select the most important IP addresses for resolution. These can be on topper lists, or with alerts etc.
2. A background DNS Resolution process runs that keeps resolving these hostnames.
3. However only the most recent name is assigned to the IP Address

Hence if you queried for gmail.com , only the most recently seen IP is used to perform the actual query.

There are few options to query based on domain name.

Trisul NSM - the packet mode version of Trisul is able to listen to actual packets and extract full information about domain names from the HTTP-Header and SNI in SSL/TLS.

Put the domain name instead of the IP Address in the queries. This will use the latest IP → Domain mapping for the query.

Login as Admin > Web Admin > Manage > Apps.

Then install the “Super Search Hosts” app. This allows you to enter a domain name, then it presents all IP dddreses associate with the domain.

Hope this helps clarify the questions about the ability to query by names and URL.