Network Flow Analysis

When full packet capture isn't feasible, flow analysis provides valuable insights:

Flow Analysis Tools:

SiLK: System for Internet-Level Knowledge
Argus: Audit Record Generation and Utilization
nfdump/nfsen: NetFlow processing tools

Flow Analysis Queries:

# Find top talkers by bytes
rwstats --fields=sip --bytes --count=10

# Identify long-duration connections
rwfilter --duration=3600- --pass=stdout | rwcut

# Detect potential beaconing
rwfilter --packets=1-3 --duration=0-5 --pass=stdout | rwsort --fields=sip,dip