Flow Analysis
A _flow_ is a piece of information that represents a record of data transfer between two IP addresses. It is a crucial entity in both traffic and security monitoring. Trisul stores all _flows_ in a highly efficient, compressed format optimized for fast queries over large datasets. This section describes the tools available for working with flows.
Tools
Working with flows in Trisul
- Flow Tracker: Tracks the top-N flows matching certain criteria over a certain period of time.
- Flow Tagger: Tags interesting flows based on observation of certain types of traffic.
- Real Time Stabber: A stabber that enables you to monitor _currently active_ flows involving a host or application.
- Explore Flows: General purpose flow query.
- Investigate IP activity: Investigate all flow-based and alert activity of an IP.
How to ... with flows
- Find out which flows caused a traffic spike
- View flow activity of a host or port in real time
- Jump from alerts to flows that caused them
- Search flows for IP
- Optimize full content storage (e.g., store only the first 1 MB of each flow)
All tasks
Working with flows
You can do all of the following:
- Record all flows, with no summarization or roll-ups
- Fast retrieval of flows
- Access to flows from alerts, traffic and end points
- Pull up PCAPs for any flow
- Flow Taggers: tag flows automatically for future searches
- Flow Tracker: track the top flows that interest you
- Flow alerts: get an alert when someone uploads 10 MB out of your network
- Payload search: reassemble TCP and HTTP and search inside flows