13.1. Trisul with Netflow

This section explains how to set up Trisul in Netflow mode. In this mode, Trisul drives its analytics engine from Netflow and other flow telemetry instead of raw packets. It covers how to configure Netflow mode, how to analyze traffic from a Device perspective, and how to use advanced features such as “Interface Tracking”.

13.1.1 Key Features of Trisul Netflow

Trisul supports Netflow v1, v5 and v9, Flexible Netflow, IPFIX, and all versions of sFlow. Routers and interfaces are discovered automatically from the exported flows.

Bandwidth and Traffic Monitoring

  Monitor bandwidth usage
  Device and interface drilldown
  Over 200 Metrics, TopN, BottomN
  NO ROLL UPS
  Full resolution metrics
  LIVE Real Time views
  Powerful alerting
  Long term interface drilldowns

Flow Analytics for incident response

  Store ALL flows
  No rollups or loss of info
  Drilldown flows from interfaces
  Powerful Flow Query
  Graph Analytics for Flows
  Enrich with Flow Taggers
  Long timeframe Top-K flows
  Detect Exfil and Long Sessions

Security and Anomaly Detection

  Threat monitoring
  Threshold Band
  Detect anomalies in metrics
  Identify compromised hosts
  Query IP spaces
  Over 20 Retro Analysis tools
  Complement Packet based Trisul
  TRAI ISP Compliance

13.1.2 Introduction to Netflow for Trisul

Netflow is a convenient way to acquire network data from a very large number of network elements at low cost. For maximum visibility, we recommend that you enable Netflow on every router and switch in your network and send the flow exports to a single Trisul context.

The following diagram shows an example deployment.

13.1.3 Advantages of Netflow vs Packet Capture

Trisul’s default input mode is raw packet capture, but it also has comprehensive support for Netflow v5, Netflow v9, JFlow, IPFIX and sFlow metering.

Advantages of Netflow input          Disadvantages of Netflow input
Easier distributed deployment        No packet-based traffic metering such as DNS, HTTP or SSL analysis
Less expensive hardware              Limited security visibility
Scales far better than packets       Cannot access packets for forensics or malware analysis

TIP You can use packet-based Trisul for full NSM (Network Security Monitoring) at the perimeter and Netflow to gain visibility into lateral (east-west) traffic inside your network.

13.1.4 Global vs Device View

This may be confusing for users coming to Trisul from traditional Netflow solutions. Most Trisul dashboards are Global views, which represent the sum total of all the interfaces in your network. If you see metrics for 8.8.8.8, that is the TOTAL traffic to 8.8.8.8 as reported by all the routers in your network; because it is a sum over exporters, a flow that passes through more than one exporting router contributes to that total once per router.

There is also comprehensive support for a Device View, which you access through the Routers and Interfaces tool. The Device View lets you select a router, then an interface on that router, and then see the breakup of traffic within that interface.
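The difference between the two views comes down to how the same flow records are keyed when they are summed. The following script, an added example that is not Trisul code, builds a constructed Netflow v5 datagram from two made-up exporters (10.0.0.1 and 10.0.0.2, with invented ifIndex values and flows), parses it with the standard 24-byte header / 48-byte record layout, and then produces a Global view (bytes per destination summed across every exporter) beside a Device view keyed by exporter and input interface. The DNS flow to 8.8.8.8 transits both routers, so it appears twice in the Global total and once under each router in the Device view:

```python
"""Constructed Netflow v5 traffic walked through a Global view and a Device view.

Added example for this page, not Trisul code. Exporter addresses, ifIndex
values and flows are made up for the demonstration.
"""
import socket
import struct
from collections import defaultdict

# Netflow v5 wire format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def build_v5_datagram(records, sys_uptime=60000, unix_secs=1700000000, seq=0):
    """Pack a list of flow dicts into one v5 datagram (test fixture, not router output)."""
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\x00" * 4,
            r["in_if"], r["out_if"], r["pkts"], r["bytes"],
            sys_uptime - 1000, sys_uptime,          # first/last seen, ms of uptime
            r["sport"], r["dport"], 0, r.get("flags", 0),
            r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0, seq, 0, 0, 0)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram; rejects other versions and truncated payloads."""
    version, count, _up, _secs, _ns, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected Netflow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "pkts": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    # Low 14 bits of the last header field carry the sampling interval (0 = unsampled).
    return {"seq": seq, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def aggregate(exports):
    """exports: list of (exporter_ip, datagram).

    Global view: bytes per destination summed across every exporter, so a flow
    that crosses two exporting routers is added once per router.
    Device view: bytes keyed by (exporter, input ifIndex, destination), which is
    the drilldown the Routers and Interfaces tool gives you.
    """
    global_view = defaultdict(int)
    device_view = defaultdict(int)
    for exporter, datagram in exports:
        for f in parse_v5(datagram)["flows"]:
            global_view[f["dst"]] += f["bytes"]
            device_view[(exporter, f["in_if"], f["dst"])] += f["bytes"]
    return dict(global_view), dict(device_view)


def top_n(view, n):
    """TopN by bytes for either view."""
    return sorted(view.items(), key=lambda kv: kv[1], reverse=True)[:n]


def demo():
    """Two constructed exporters: the DNS flow transits both, the SMB flow only one."""
    dns = {"src": "192.168.1.10", "dst": "8.8.8.8", "sport": 51000, "dport": 53,
           "proto": 17, "pkts": 4, "bytes": 1200}
    smb = {"src": "192.168.1.10", "dst": "192.168.2.20", "sport": 52000, "dport": 445,
           "proto": 6, "pkts": 40, "bytes": 5000, "flags": 0x18}
    router_a = build_v5_datagram([dict(dns, in_if=1, out_if=2), dict(smb, in_if=1, out_if=3)])
    router_b = build_v5_datagram([dict(dns, in_if=7, out_if=8)], seq=1)
    return aggregate([("10.0.0.1", router_a), ("10.0.0.2", router_b)])


if __name__ == "__main__":
    g, d = demo()
    print("Global view (bytes per destination):", top_n(g, 5))
    for key, nbytes in sorted(d.items()):
        print("Device view", key, nbytes)
```

Running the script shows 8.8.8.8 at 2400 bytes in the Global view although each router only saw 1200 bytes of it; the Device view keeps the two 1200-byte contributions apart under their own exporter and ifIndex. This is the reason the Device View is the right place to answer "how much of this traffic crossed this interface", while the Global view answers "how much of this traffic exists in the network as a whole".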

When you log on to a Netflow instance for the first time you may see a dashboard like the one below. The image below shows where to find Routers and Interfaces, the entry point to the Device-specific view.