Deployment Architecture
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Network Traffic with Stream

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-06-2017 01:11 AM

Hi!

I would like to monitor to total amount of traffic leaving and entering my home network. I have the following setup:
Internal network: 192.168.1.*
Firewall (internal NIC): 192.168.1.1
Firewall (external NIC): 192.168.178.23
DSL Modem: 192.168.178.1

I have Stream installed on the firewall 192.168.1.1.

I would like to see the following:
Total MB uploaded for a defined time
Total MB downloaded for a defined time

The queries I am using are:
Upload: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_in) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Download: sourcetype="stream:ip" dest_ip!="192.168.1.*" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

When I cross compare the Up and Download statistics on my DSL router for a specific time to what I get with my queries, I get very different numbers.

Any ideas?

Thanks!

Tags (1)
0 Karma
Reply

nickhills
Ultra Champion
‎12-07-2017 11:19 AM

Ah, ok I see the error in my suggested query, however....
If your firewall has a dedicated nic connected to the router, you could just tell stream to monitor all traffic on that nic. Then you won’t need to filter anything.
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/ConfigureStreamForwarder#Use_XM...

If my comment helps, please give it a thumbs up!
0 Karma
Reply

nickhills
Ultra Champion
‎12-06-2017 06:55 AM

Well without digging into your exact setup, i think you might be better in looking at traffic to/from specific IPs (rather than ignoring traffic to a range)

Try changing your queries to:

sourcetype="stream:ip" dest_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

sourcetype="stream:ip" src_ip="192.168.178.1" | stats sum(bytes_out) as bytes | eval MB=round((bytes/(1024*1024)),2) | table MB

Edit: Also - how wild, is 'wild'? and in which direction is it different?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

fludorf_splunk
Splunk Employee
Splunk Employee
‎12-07-2017 06:10 AM

Hi, thanks for getting back to me.

I tried your suggestion but this only provides traffic to/from that specific IP rather than via it.

Examples of differences:

Original queries:
In: 462 MB
Out: 8770 MB

Suggested queries
In: 0 MB
Out: 27 MB

DSL Router Information:
In: 435
Out: 4936

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top