search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Network Profiling Using Flow

Technical Report
By
In this report, the authors provide a step-by-step guide for profiling and discovering public-facing assets on a network using netflow data.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2012-TR-006
Subjects

Abstract

This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) data. Netflow data can be used for forensic purposes, for finding malicious activity, and for determining appropriate prioritization settings. The goal of this report is to create a profile to see a potential attacker’s view of an external network. Readers will learn how to choose a data set, find the top assets and services with the most traffic on the network, and profile several services. A case study provides an example of the profiling process. The underlying concepts of using netflow data are presented so that readers can apply the approach to other cases. A reader using this report to profile a network can expect to end with a list of public-facing assets and the ports on which each is communicating and may also learn other pertinent information, such as external IP addresses, to which the asset is connecting. This report also provides ideas for using, maintaining, and reporting on findings. The appendices include an example profile and scripts for running the commands in the report. The scripts are a summary only and cannot replace reading and understanding this report.

Listen to the podcast from CERT's Podcast Series about this report.

SHARE
Download PDF
Cite This Technical Report

Whisnant, A., & Faber, S. (2012, August 1). Network Profiling Using Flow. (Technical Report CMU/SEI-2012-TR-006). Retrieved April 23, 2024, from https://insights.sei.cmu.edu/library/network-profiling-using-flow/.

@techreport{whisnant_2012,
author={Whisnant, Austin and Faber, Sid},
title={Network Profiling Using Flow},
month={Aug},
year={2012},
number={CMU/SEI-2012-TR-006},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://insights.sei.cmu.edu/library/network-profiling-using-flow/},
note={Accessed: 2024-Apr-23}
}

Whisnant, Austin, and Sid Faber. "Network Profiling Using Flow." (CMU/SEI-2012-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, August 1, 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/.

A. Whisnant, and S. Faber, "Network Profiling Using Flow," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Report CMU/SEI-2012-TR-006, 1-Aug-2012 [Online]. Available: https://insights.sei.cmu.edu/library/network-profiling-using-flow/. [Accessed: 23-Apr-2024].

Whisnant, Austin, and Sid Faber. "Network Profiling Using Flow." (Technical Report CMU/SEI-2012-TR-006). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Aug. 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/. Accessed 23 Apr. 2024.

Whisnant, Austin; & Faber, Sid. Network Profiling Using Flow. CMU/SEI-2012-TR-006. Software Engineering Institute. 2012. https://insights.sei.cmu.edu/library/network-profiling-using-flow/

Ask a question about this Technical Report