# NetFlow Traffic Analysis
NetFlow is an industry-standard network telemetry protocol (originally developed by Cisco) that enables network devices to export metadata about IP traffic flows as they pass through an interface. Each flow record captures key attributes of a traffic session — source and destination IP, source and destination port, protocol, byte and packet counts, timestamps, and interface — without capturing the actual packet payload. This makes NetFlow highly efficient for large-scale traffic visibility while preserving user privacy.
mfusion and HSG collect NetFlow exports from RansNet devices and supported third-party network equipment using NetFlow v5 and NetFlow v9 (which also supports IPFIX-compatible templates). Collected records are stored, processed, and presented through intuitive analytics interfaces for network-wide traffic visibility and security monitoring.
## Key Use Cases
NetFlow analysis is particularly valuable for:
- Bandwidth accounting — Understand which users, devices, applications, or destinations consume the most bandwidth
- Security investigation — Identify anomalous traffic patterns, unauthorized connections, or data exfiltration attempts
- Capacity planning — Trend traffic volumes over time to inform WAN link or hardware sizing decisions
- Dispute resolution — Provide verifiable, timestamped per-connection evidence to resolve user complaints or billing disputes
- Compliance and forensics — Maintain an auditable record of network activity for regulatory or incident response requirements
## Top Reports Dashboard
The Top Reports view provides an at-a-glance summary of the highest-volume traffic across three dimensions — source, destination, and application — over a selected time window. Each dimension is presented as a ranked table with visual charts.
### Top Sources
Ranks internal hosts or users by total data volume generated. This immediately surfaces the heaviest bandwidth consumers on the network — whether a specific workstation, IoT device, or user — enabling administrators to investigate whether consumption is expected or anomalous.
### Top Destinations
Ranks external IP addresses or services by inbound and outbound traffic volume. Common legitimate destinations (CDNs, cloud services, update servers) will dominate in normal operation. Unexpected high-volume destinations — unfamiliar IPs, unusual geographies, or known malicious hosts — can indicate data exfiltration, command-and-control activity, or misconfigured applications.
### Top Applications
Ranks traffic by application or service type based on destination port and protocol classification (e.g., HTTP, HTTPS, DNS, video streaming, P2P). This helps administrators understand the composition of network traffic — for example, identifying excessive video streaming, peer-to-peer file sharing, or unexpected protocols that may warrant policy action.
> **Tip:** Use the Top Reports view during routine monitoring to quickly detect capacity issues or abnormal traffic patterns without needing to inspect individual flow records. Any entry that stands out — an unfamiliar IP, a spike in a specific application, or an unknown device — can be drilled down to the Detail Flow Records view for full investigation.
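The ranking the Top Reports view performs is a byte sum per source, destination and application over a time window. The following is an added example (not mfusion/HSG code) that does the same over constructed sample flows; the `APP_BY_PORT` map and the BitTorrent port range are assumptions standing in for the product's own application classifier, and the third value in each ranked row is the entry's share of total bytes, which the paragraph does not mention but which makes "heaviest consumer" concrete.

```python
"""Rank flows by source, destination and application, as the Top Reports view does.

Added example, not mfusion/HSG code. Flows are constructed sample data and the
port-to-application map is an assumption standing in for the product's classifier.
"""
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # flow start, Unix seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str     # "TCP" / "UDP" / "ICMP"
    bytes: int
    packets: int


# Assumed classification by (protocol, destination port).
APP_BY_PORT = {
    ("TCP", 80): "HTTP", ("TCP", 443): "HTTPS", ("UDP", 443): "QUIC",
    ("UDP", 53): "DNS", ("TCP", 53): "DNS", ("TCP", 22): "SSH",
}


def classify_app(proto: str, dport: int) -> str:
    """Map protocol + destination port to an application label."""
    if (proto, dport) in APP_BY_PORT:
        return APP_BY_PORT[(proto, dport)]
    if proto == "TCP" and 6881 <= dport <= 6889:   # common BitTorrent range (assumed)
        return "P2P"
    return f"{proto}/{dport}"   # unknown service: keep the raw tuple visible


def top_by(flows, key_fn, n=3):
    """Sum bytes per key; return the n largest as (key, bytes, percent of total)."""
    totals = Counter()
    for f in flows:
        totals[key_fn(f)] += f.bytes
    grand = sum(totals.values()) or 1
    return [(k, v, round(100 * v / grand, 1)) for k, v in totals.most_common(n)]


def top_reports(flows, n=3):
    """The three Top Reports dimensions over one set of flows."""
    return {
        "sources": top_by(flows, lambda f: f.src, n),
        "destinations": top_by(flows, lambda f: f.dst, n),
        "applications": top_by(flows, lambda f: classify_app(f.proto, f.dport), n),
    }


# Constructed sample flows (documentation address ranges, not a real capture).
SAMPLE_FLOWS = [
    Flow(1_700_000_000, "192.0.2.10", "203.0.113.5", 51514, 443, "TCP", 61_230, 42),
    Flow(1_700_000_030, "192.0.2.10", "203.0.113.5", 51520, 443, "TCP", 5_120_000, 3900),
    Flow(1_700_000_060, "192.0.2.11", "198.51.100.53", 40001, 53, "UDP", 78, 1),
    Flow(1_700_000_090, "192.0.2.12", "203.0.113.77", 33000, 6881, "TCP", 2_400_000, 1800),
    Flow(1_700_000_120, "192.0.2.11", "203.0.113.9", 41000, 80, "TCP", 310_000, 240),
    Flow(1_700_000_150, "192.0.2.12", "203.0.113.77", 33001, 6882, "TCP", 900_000, 700),
]

if __name__ == "__main__":
    for dimension, rows in top_reports(SAMPLE_FLOWS).items():
        print(dimension)
        for key, total, pct in rows:
            print(f"  {key:<20} {total:>10} bytes  {pct:>5}%")
```

On the sample data the P2P host `192.0.2.12` lands second in both the sources and applications tables, which is exactly the kind of entry the Tip above says to drill down on.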
## Detail Flow Records
The Detail Flow Records table provides a complete, granular log of every captured traffic flow across the network. Each record represents a single IP conversation and includes:
### Record Fields
| Field | Description |
|---|---|
| Timestamp | Start time when the flow was initiated |
| Source IP | Internal host or device that initiated the connection |
| Source Port | Ephemeral port used by the source |
| Destination IP | Remote server or peer IP address |
| Destination Port | Service port on the destination (e.g., 443 for HTTPS, 53 for DNS) |
| Protocol | IP protocol — TCP, UDP, ICMP, etc. |
| Bytes / Packets | Total data volume (bytes) and packet count for the flow |
| Duration | Length of the flow session in seconds |
| Interface | Network interface where the flow was observed |
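The fields in the table above are what a NetFlow v5 export carries on the wire. As an added example (not mfusion/HSG code) the decoder below unpacks the fixed 24-byte v5 header and 48-byte records and maps them onto those fields; the datagram it parses is constructed in `build_sample_datagram()` rather than taken from a real device, and `PROTO_NAMES` covers only the three protocols the table lists.

```python
"""Decode a NetFlow v5 export datagram into flow records.

Added example, not mfusion/HSG code: the datagram is constructed here with
struct.pack so the decoder can be exercised offline.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
#            flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#            First, Last, srcport, dstport, pad1, tcp_flags, prot, tos,
#            src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48 bytes
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    """The Record Fields of the Detail Flow Records table, decoded from one v5 record."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    packets: int
    bytes: int
    duration_s: float
    interface: int


def parse_netflow_v5(datagram: bytes) -> list:
    """Return the FlowRecords in one v5 datagram; reject short or non-v5 input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Trust the datagram length, not the count field, when they disagree.
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: count exceeds records present")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, in_if, _out_if, pkts, octets, first, last,
         sport, dport, _pad1, _flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(
            src_ip=str(IPv4Address(src)),
            dst_ip=str(IPv4Address(dst)),
            src_port=sport,
            dst_port=dport,
            protocol=PROTO_NAMES.get(proto, str(proto)),
            packets=pkts,
            bytes=octets,
            # First/Last are exporter uptime in milliseconds at the first and last packet.
            duration_s=(last - first) / 1000.0,
            interface=in_if,
        ))
    return records


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram with two flows (sample data, not a real export)."""
    header = struct.pack(HEADER_FMT, 5, 2, 120_000, 1_700_000_000, 0, 1, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, pkts, octets, first, last, iface):
        return struct.pack(RECORD_FMT, int(IPv4Address(src)), int(IPv4Address(dst)), 0,
                           iface, 2, pkts, octets, first, last, sport, dport,
                           0, 0x18, proto, 0, 0, 0, 24, 0, 0)

    return (header
            + rec("192.0.2.10", "203.0.113.5", 51514, 443, 6, 42, 61_230, 100_000, 104_500, 1)
            + rec("192.0.2.11", "198.51.100.53", 40001, 53, 17, 1, 78, 101_000, 101_000, 1))


if __name__ == "__main__":
    for record in parse_netflow_v5(build_sample_datagram()):
        print(record)
```

Note that the record's Timestamp is not in the record itself: it is derived from the header's `unix_secs` and `sys_uptime` together with the record's `First` value, so a collector must keep the header alongside each record to place flows on a wall-clock timeline.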
### Filtering and Search
The detail view supports free-text and field-specific filtering to narrow down records by source IP, destination IP, port, protocol, or time range. This allows administrators to rapidly isolate:
- All connections from a specific device
- All traffic to a specific destination
- All flows within a particular service port
- Connections during a specific time window
### IP Resolution
Click Resolve IP to perform reverse DNS lookups on source and destination IP addresses, replacing raw IPs with human-readable FQDNs (e.g., 203.0.113.5 → cdn.example.com). This significantly improves readability during investigations — it is far easier to recognize a known cloud service by domain name than by IP address, and it immediately highlights unfamiliar or suspicious hostnames that warrant closer scrutiny.
> **Note:** Reverse DNS resolution is performed on demand and depends on the availability of PTR records for the queried IPs. Not all IP addresses will resolve to a meaningful hostname — in particular, many cloud and CDN providers use dynamic or non-descriptive PTR records.
**Common Investigation Scenarios:**
| Scenario | Action | Expected Outcome |
|---|---|---|
| User disputes data charge | Filter by user's device IP across billing period | Complete timestamped record of every connection and data consumed |
| Security alert on suspicious connection | Filter by source host IP | Full sequence of connections before/after alert to identify if broader compromise occurred |
| Verify firewall policy is blocking | Search for blocked destination IPs | Blocked IPs should not appear in flow records (or show very few packets) |
| WAN link saturated | Filter by time window, sort by bytes transferred | Identify responsible host and destination within seconds |
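The filtering, the Resolve IP step and the scenarios table above combine into one investigation routine. Below is an added example (not mfusion/HSG code) that filters constructed sample flows by device, port, protocol and time window, resolves IPs through a pluggable lookup (the real one wraps `socket.gethostbyaddr`; a constructed `STUB_PTR` table stands in for it offline, and an IP with no PTR record stays as the raw address, matching the Note), and runs the "User disputes data charge" scenario end to end. The "Verify firewall policy is blocking" check assumes the exporting interface sits behind the filtering device; a flow exported from an interface before the filter would still show the blocked destination.

```python
"""Filter Detail Flow Records and resolve IPs to hostnames for an investigation.

Added example, not mfusion/HSG code. Flows are constructed sample data; the
reverse-DNS step wraps socket.gethostbyaddr but accepts any lookup callable so
the routine can run offline with a stub table.
"""
import socket
from typing import Callable, NamedTuple, Optional


class Flow(NamedTuple):
    ts: int        # flow start, Unix seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    bytes: int
    packets: int


def filter_flows(flows, src=None, dst=None, port=None, proto=None, start=None, end=None):
    """Field-specific filtering: every criterion that is given must match."""
    out = []
    for f in flows:
        if src is not None and f.src != src:
            continue
        if dst is not None and f.dst != dst:
            continue
        if port is not None and port not in (f.sport, f.dport):
            continue
        if proto is not None and f.proto != proto:
            continue
        if start is not None and f.ts < start:
            continue
        if end is not None and f.ts > end:
            continue
        out.append(f)
    return out


def ptr_lookup(ip: str) -> Optional[str]:
    """Real reverse lookup; None when the address has no usable PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def resolve_ips(flows, lookup: Callable[[str], Optional[str]] = ptr_lookup):
    """Replace IPs with FQDNs where a PTR exists; keep the raw IP otherwise.
    Lookups are cached so each address is queried once per investigation."""
    cache = {}

    def name(ip):
        if ip not in cache:
            cache[ip] = lookup(ip) or ip
        return cache[ip]

    return [(name(f.src), name(f.dst), f) for f in flows]


def dispute_summary(flows, device_ip, start, end, lookup=ptr_lookup):
    """Scenario 'User disputes data charge': every connection from the device in
    the billing window, with hostnames, plus the total bytes they moved."""
    rows = resolve_ips(filter_flows(flows, src=device_ip, start=start, end=end), lookup)
    return rows, sum(f.bytes for _, _, f in rows)


# Constructed sample flows (documentation address ranges, not a real capture).
SAMPLE_FLOWS = [
    Flow(1_700_000_000, "192.0.2.10", "203.0.113.5", 51514, 443, "TCP", 61_230, 42),
    Flow(1_700_000_600, "192.0.2.10", "198.51.100.53", 40001, 53, "UDP", 78, 1),
    Flow(1_700_090_000, "192.0.2.10", "203.0.113.5", 51600, 443, "TCP", 5_120_000, 3900),
    Flow(1_700_000_300, "192.0.2.11", "203.0.113.9", 41000, 80, "TCP", 310_000, 240),
]

# Constructed PTR table for offline runs; only one address has a record on purpose.
STUB_PTR = {"203.0.113.5": "cdn.example.com"}

if __name__ == "__main__":
    rows, total = dispute_summary(SAMPLE_FLOWS, "192.0.2.10",
                                  1_700_000_000, 1_700_086_400, STUB_PTR.get)
    for src_name, dst_name, f in rows:
        print(f"{f.ts} {src_name} -> {dst_name}:{f.dport}/{f.proto} {f.bytes} bytes")
    print("total bytes in billing window:", total)
```

Use `ptr_lookup` (the default) against a live resolver; pass `STUB_PTR.get` or any other `str -> Optional[str]` callable to replay an investigation without DNS access.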
## SOC Dashboard
The SOC Dashboard provides security-focused visibility into network traffic using the same NetFlow data. It is purpose-built for security operations centers (SOCs) and security teams to detect, investigate, and respond to potential security threats and anomalous activity.
### Dashboard Components
| Component | Purpose | Key Insights |
|---|---|---|
| Threat Detection | Identify suspicious traffic patterns and anomalies | Connections to known malicious IPs, suspicious protocols, brute-force attempts |
| Data Exfiltration Detection | Monitor for unauthorized data transfers | Unusual outbound connections from internal hosts to unknown external destinations |
| Command & Control (C2) Detection | Identify compromised hosts communicating with C2 infrastructure | Periodic or encrypted connections to suspicious IPs or domains |
| Protocol Anomalies | Flag unexpected or suspicious protocol usage | Uncommon ports, tunneling attempts, or protocol misuse |
| Geographic Analysis | Detect connections from unusual locations | Connections from IP addresses in high-risk countries or unexpected regions |
| Connection Frequency Analysis | Identify scanning or reconnaissance activity | High number of failed connections, port scans, or brute-force patterns |
> **Warning:** The SOC Dashboard surfaces potential threats based on traffic patterns and known threat intelligence. Manual review is recommended to validate alerts and confirm whether flagged activity is benign (e.g., legitimate geographic roaming, authorized data transfers) or a genuine security incident.
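Four of the component rows above (Threat Detection, Data Exfiltration Detection, C2 Detection and Connection Frequency Analysis) can be expressed as simple rules over flow metadata alone, which is what makes NetFlow useful for a SOC without payload. The block below is an added example (not mfusion/HSG code): it runs those rules over constructed sample flows. The blocklist entry, per-host baselines and all thresholds (`min_ports`, `max_packets`, `min_flows`, `max_jitter`, `factor`) are assumptions chosen for the sample data, and every hit is a candidate for the manual review the Warning calls for, not a confirmed incident.

```python
"""Flow-metadata detections of the kind the SOC Dashboard components describe.

Added example, not mfusion/HSG code. Flows, blocklist, baselines and thresholds
are constructed for illustration.
"""
import statistics
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int        # flow start, Unix seconds
    src: str
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


# Constructed threat-intel entry (placeholder address, not a real indicator).
BLOCKLIST = {"203.0.113.66"}

# Constructed per-host outbound baseline in bytes per day.
BASELINE_BYTES = {"192.0.2.10": 2_000_000, "192.0.2.21": 50_000,
                  "192.0.2.30": 50_000_000, "192.0.2.50": 100_000}


def known_bad_destinations(flows, blocklist=BLOCKLIST):
    """Threat Detection: internal hosts talking to a blocklisted address."""
    return sorted({(f.src, f.dst) for f in flows if f.dst in blocklist})


def port_scans(flows, min_ports=10, max_packets=3):
    """Connection Frequency Analysis: one source touching many distinct ports on
    one destination with only a packet or two per flow (probe-sized flows)."""
    ports = defaultdict(set)
    for f in flows:
        if f.proto == "TCP" and f.packets <= max_packets:
            ports[(f.src, f.dst)].add(f.dport)
    return sorted(k for k, v in ports.items() if len(v) >= min_ports)


def beacons(flows, min_flows=6, max_jitter=0.1):
    """C2 Detection: repeated flows to the same destination/port whose
    inter-arrival times are nearly constant (low coefficient of variation)."""
    times = defaultdict(list)
    for f in flows:
        times[(f.src, f.dst, f.dport)].append(f.ts)
    found = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((key, round(mean)))   # (who/where, period in seconds)
    return found


def exfil_candidates(flows, baseline=BASELINE_BYTES, factor=5.0):
    """Data Exfiltration Detection: outbound bytes per host far above its baseline.
    A host with no baseline counts as baseline 0, so any traffic from it is flagged."""
    out = defaultdict(int)
    for f in flows:
        out[f.src] += f.bytes
    return sorted((h, b) for h, b in out.items() if b > factor * baseline.get(h, 0))


def soc_summary(flows):
    """All four checks over one window; each list is empty when nothing fires."""
    return {"known_bad": known_bad_destinations(flows),
            "port_scans": port_scans(flows),
            "beacons": beacons(flows),
            "exfil": exfil_candidates(flows)}


def sample_flows():
    """Constructed one-hour window: a scanner, a beaconing host, a normal host
    and one host moving far more data than its baseline."""
    t0 = 1_700_000_000
    flows = [Flow(t0 + i, "192.0.2.50", "198.51.100.20", 20 + i, "TCP", 60, 1)
             for i in range(15)]
    flows += [Flow(t0 + 300 * i, "192.0.2.21", "203.0.113.66", 443, "TCP", 1_200, 9)
              for i in range(8)]
    flows += [Flow(t0 + 100, "192.0.2.10", "203.0.113.5", 443, "TCP", 61_230, 42),
              Flow(t0 + 3_600, "192.0.2.10", "203.0.113.5", 443, "TCP", 310_000, 240),
              Flow(t0 + 1_000, "192.0.2.30", "203.0.113.90", 443, "TCP", 800_000_000, 600_000)]
    return flows


if __name__ == "__main__":
    for check, hits in soc_summary(sample_flows()).items():
        print(f"{check}: {hits}")
```

The beacon rule deliberately ignores bytes and protocol: a host checking in every five minutes over HTTPS looks identical to a legitimate update client in volume terms, and only the regularity of the interval, together with the destination's reputation, separates the two.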
## Best Practices
### Monitoring and Alerting
- Set baseline thresholds — Establish normal traffic patterns by source, destination, application, and time-of-day so anomalies stand out
- Monitor top talkers regularly — Review the Top Reports view weekly or daily during business hours to spot emerging trends
- Alert on geographic anomalies — Flag connections from unexpected geographic locations using the SOC Dashboard
- Track protocol anomalies — Investigate unusual protocols, non-standard ports, or encrypted traffic from unexpected sources
### Data Retention and Compliance
- Retention policy — Configure NetFlow retention based on compliance requirements (typically 90 days to 2 years for dispute resolution and forensic investigations)
- Data privacy — NetFlow captures only headers (no packet payload), preserving user privacy while enabling investigation
- Audit trails — Export NetFlow data for archival if required by regulatory frameworks (PCI-DSS, HIPAA, SOC 2, etc.)
### Investigation Workflow
- Start broad — Use Top Reports to identify suspicious sources, destinations, or applications
- Drill down — Switch to Detail Flow Records and filter to isolate relevant connections
- Resolve IPs — Click Resolve IP to map raw IP addresses to recognizable hostnames
- Document timeline — Export or screenshot the filtered results as evidence for the incident record
- Correlate with other logs — Cross-reference NetFlow findings with firewall logs, DNS queries, and access logs for a complete picture
## Related Features
- Device Monitoring — Real-time device status, uptime, and resource utilization
- Hotspot User Activity — Guest authentication logs and session tracking
- Security and Firewall Logs — Complementary firewall and access control logs for security correlation