admin:domainsandip

Differences

This shows you the differences between two versions of the page.

admin:domainsandip [2024/05/22 18:53] veera
admin:domainsandip [2024/05/23 14:58] (current) – [How Trisul Netflow Analyzer show DNS names] veera
Line 1: Line 1:
-====== Can we get traffic reports for a URL? ======+====== Can we query traffic reports for a URL/Domain from Trisul Netflow Analyzer ? ====== 
 + 
 + 
 +We get a lot of questions from customers who try to query traffic or flows for a domain name and are unable to get it.  
 + 
 + 
 +For example : this customer tries to query for all flows to ''gmail.com''  
 + 
 +{{ :admin:url1.png?600 |}} 
 + 
 + 
 +This article explains why it may not always be possible to get what you want.  
 + 
 +The main issue is that Netflow is a L3 technology primarily hence it works with IP Addresses rather than domain names.  A quick overview of the differences between URL, Domain names, and IP Addresses is in order. 
 + 
 + 
  
-Before diving into the answer, let’s understand what a URL and a domain are. 
  
  
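Review bot: the new heading at the top of this hunk has a stray space before the question mark, and the sentence "The main issue is that Netflow is a L3 technology primarily hence it works with IP Addresses rather than domain names." needs "an L3" and a clause break before "hence"; suggest "NetFlow is primarily a Layer 3 technology, so it works with IP addresses rather than domain names." In "try to query traffic or flows for a domain name and are unable to get it", "it" has no clear referent; "are unable to get results" reads better.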
Line 8: Line 23:
 A **URL** (Uniform Resource Locator) is the address used to access resources on the internet.  A **URL** (Uniform Resource Locator) is the address used to access resources on the internet. 
 It specifies the location of a resource and the protocol used to access it.  It specifies the location of a resource and the protocol used to access it. 
 +It looks like this ''https://www.example.com/about-us?id=23''
  
 A URL typically consists of several components: A URL typically consists of several components:
-  * - Protocol: Indicates the method used to access the resource (e.g., `http`, `https`, `ftp`). 
-  * - Domain Name: The human-readable address of a website (e.g., `example.com`). 
-  * - Path: Specifies the exact resource or page within the website (e.g., `/about-us`). 
-  * - Parameters: Optional query strings used to pass additional information (e.g., `?id=123`). 
  
-For example, in the URL `https://www.example.com/about-us?id=123`: +  * **Protocol**: Indicates the method used to access the resource (''https''). 
-- `https` is the protocol. +  * **Domain Name**: The human-readable address (**the domain name**) of a website (''example.com''). 
-`www.example.comis the domain name+  * **Path**: Specifies the exact resource or page within the website (''/about-us''
-`/about-us` is the path+  * **Parameters**: Optional query strings used to pass additional information (?id=23). 
-- `id=123` is a parameter.+ 
 +===== What is a Domain? ===== 
 + 
 +A** domain** name is a human readable name given to one or more IP Addresses. A Domain Name System is used to resolve these human readable names to IP Addresses.  
 + 
 +Domains are registered through domain registrars, and they are unique to ensure that each website has a distinct address. However one can use multiple IP addresses for a single domain.  This is called DNS Load Balancing where the DNS server hands out one of the many IP Addresses in random manner to split the load. 
 + 
 +Ultimately the endpoint is an  **IP address** 
 + 
 +===== What is an IP Address  ===== 
 + 
 +AN IP Address is the actual network endpoint of any communication in IP networks. They can be IPv4 or IPv6 addresses.  
 + 
 +<note> 
 +The Netflow protocol deals only with IP Addresses because that is what the routers and switches work on.  
 +</note> 
 + 
 +Hence Trisul Netflow Analyzer or any other such netflow analysis product only understands and works with IP Addresses.   Hence a query for '' gmail.com'' has to be translated into a query for an IP Address. 
 + 
 +<code> 
 +vivek@VIVEKLINUX03:~/Downloads$ ping gmail.com 
 +PING gmail.com (142.250.195.101) 56(84) bytes of data. 
 +64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=1 ttl=118 time=7.79 ms 
 +64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=2 ttl=118 time=6.79 ms 
 +64 bytes from maa03s39-in-f5.1e100.net (142.250.195.101): icmp_seq=3 ttl=118 time=8.38 ms 
 +^C 
 +--- gmail.com ping statistics --- 
 +3 packets transmitted, 3 received, 0% packet loss, time 2003ms 
 +rtt min/avg/max/mdev = 6.786/7.651/8.377/0.656 ms 
 + 
 + 
 +</code> 
 + 
 +So we find the IP of gmail is 142.250.195.101 , so this works.  
 + 
 +However, there are hundreds of IP Addresses for Gmail.com. Just a few minutes later the same ping command can give another IP.  
 + 
 + 
 + 
 +===== How Trisul Netflow Analyzer show DNS names  ===== 
 +  
 +If you go to Trisul Netflow Analyzer, you might see domain names instead of IP AddressesHow does this happen if this information is not sent via Netflow ? 
 + 
 +{{ :admin:url2.png |}} 
 + 
 +It is because we use Reverse DNS in combination with Netflow.  
 + 
 +  For all Hosts (IP Addresses) Trisul uses an intelligence algorithm to select the most important IP addresses for resolution. These can be on topper lists, or with alerts etc. 
 +  A background DNS Resolution process runs that keeps resolving these hostnames. 
 +  - However only the most recent name is assigned to the IP Address 
 + 
 +Hence if you queried for gmail.com , only the most recently seen IP is used to perform the actual query
 + 
 + 
 +===== Solutions ===== 
 + 
 +There are few options to query based on domain name.  
 + 
 +<note>Querying by domain  only works if Trisul Netflow Analyzer is able to resolve the IP into domain name. 
 +</note> 
 + 
 + 
 + 
 +==== Option 1:  Use the Trisul Network Analytics Packet Mode license ==== 
 +  
 +Trisul NSM - the packet mode version of Trisul is able to listen to actual packets and extract full information about domain names from the HTTP-Header and SNI in SSL/TLS.
  
-What is a Domain? +==== Option 2 Search for the domain name  ====
-A domain is a specific part of the URL that identifies the website. It consists of a: +
-- Top-Level Domain (TLD): The last part of the domain name, such as `.com`, `.org`, `.net` +
-- Second-Level Domain (SLD): The main part of the domain name, located directly to the left of the TLD (e.g., `example` in `example.com`).+
  
-Domains are registered through domain registrars, and they are unique to ensure that each website has a distinct address.+Put the domain name instead of the IP Address in the queries. This will use the latest IP -> Domain mapping for the query.
  
-Ultimately the endpoint is an IP Address. The DNS protocol is used to convert a domain name into an IP Address.  An IP Address looks like this  102.42.38.231. +==== Option 3:  Use the Super Search Hosts app  ====
  
-The example is+Login as Admin > Web Admin > Manage > Apps. 
  
-URL +Then install the "Super Search Hosts" app. This allows you to enter a domain name, then it presents all IP dddreses associate with the domain. 
  
-https://my.example.com/site_login/index.php  
  
-Domain 
-my.example.com 
  
-IP Address +Hope this helps clarify the questions about the ability to query by names and URL.
-102.42.38.231+
  
  
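Review bot: the "How Trisul Netflow Analyzer show DNS names" section says names come from reverse DNS, but the ping output earlier in this hunk already shows that the reverse name for 142.250.195.101 is "maa03s39-in-f5.1e100.net", not "gmail.com", so a reverse lookup will never tag that host as gmail.com and Option 2 ("Put the domain name instead of the IP Address in the queries") can silently return nothing for names served from shared or CDN address space; the article should say explicitly that the name a query matches is the PTR name of the most recently seen IP, and that the "<note>" about resolution applies to Option 3 as well. Since PTR records are published by whoever controls the reverse zone for the address, the names shown next to IPs are display labels rather than ground truth, which is worth one sentence for readers using them in alerts. The three-step list under "It is because we use Reverse DNS" only has its last item prefixed with "  - "; the first two lines are indented without a bullet, which DokuWiki renders as preformatted code blocks, so prefix all three with "  - ". Smaller fixes: "A** domain** name" should be "A **domain** name"; "AN IP Address" should be "An IP Address"; the monospace span around gmail.com in the "Hence Trisul Netflow Analyzer..." line has a leading space inside the quotes; "IP AddressesHow does this happen" is missing a sentence break; the section title should read "shows DNS names"; "Option 2 Search for the domain name" lacks the colon used by Options 1 and 3; "IP dddreses associate with the domain" should be "IP addresses associated with the domain"; and "?id=23" in the Parameters bullet lacks the monospace markup the other three bullets use.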
admin/domainsandip.1716384235.txt.gz · Last modified: 2024/05/22 18:53 by veera