HTTP Traffic Analysis Using nProbe and Scrutinizer


Are you interested in getting URL information from NetFlow? The nProbe NetFlow probe or the nBox can do it. Paul at Plixer International recently wrote a blog on Recommended nProbe Templates; for a foundation on this topic, check out his blog. As an extension of it, I'll explain how to get URLs from the nProbe once the exported template carries the HTTP fields.

Scrutinizer from Plixer is the ideal tool for advanced IPFIX reporting and network traffic analysis.

Below is a top domain report. For our company, the first page of this report is usually legitimate sites, so I went to page 3 in the pagination.  There I noticed craigslist.org.

I wanted to see a list of the URLs people are hitting on this domain, so I clicked on craigslist.org:

Below is a list of the URLs people are viewing on craigslist.org for the timeframe selected.

I copied the URL and pasted it into my browser. After viewing several URLs, I was able to determine that visits to this website were not work related. For a domain you suspect of serving malicious content rather than merely off-topic browsing, open the URLs from an isolated system, not from your own workstation.

Look at the pagination below the table (25 pages). At 10 URLs per page, this shows that approximately 250 distinct URLs have been viewed on craigslist.org for the timeframe selected.

I selected a URL which brought up a menu of reports I can run for it.

Below we see the filter on the left for the domain craigslist.org and the URL filter. Host 10.1.7.21 is our culprit.

What other URLs is this host visiting?  Just click it to find out!  nProbe and Scrutinizer make network traffic analysis that simple!
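The pivot above (top domains, the URLs under one domain, the host behind one URL, and then everything else that host requested) is exactly what Scrutinizer does against nProbe's exported HTTP fields. As an added example that is not part of the original post or of either product, the script below performs the same pivot over a handful of constructed flow records. The records are invented for this example; only the field names (IPV4_SRC_ADDR, HTTP_HOST, HTTP_URL) are assumed to match what the nProbe HTTP plugin exports when the template includes %HTTP_HOST and %HTTP_URL, and the pagination size of 10 is an assumption taken from the "25 pages, about 250 URLs" arithmetic in the walkthrough.

```python
"""Pivot through HTTP flow records: top domains -> URLs on one domain ->
source hosts for one URL -> everything a given host requested.

The flow records are CONSTRUCTED for this example (not real traffic and not
data from the original post). The field names assume nProbe's HTTP plugin
export (%IPV4_SRC_ADDR, %HTTP_HOST, %HTTP_URL); a real collector would fill
this list from received IPFIX/NetFlow v9 records instead.
"""
from collections import Counter
from typing import Dict, List, Tuple

PER_PAGE = 10  # assumed report page size (25 pages ~ 250 URLs in the post)

# Constructed sample flows: one record per observed HTTP request.
SAMPLE_FLOWS: List[Dict[str, str]] = [
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "craigslist.org", "HTTP_URL": "/apa/1001.html"},
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "craigslist.org", "HTTP_URL": "/apa/1002.html"},
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "craigslist.org", "HTTP_URL": "/apa/1001.html"},
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "craigslist.org", "HTTP_URL": "/cta/2001.html"},
    {"IPV4_SRC_ADDR": "10.1.7.40", "HTTP_HOST": "craigslist.org", "HTTP_URL": "/about/help"},
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "example.com", "HTTP_URL": "/index.html"},
    {"IPV4_SRC_ADDR": "10.1.7.33", "HTTP_HOST": "example.com", "HTTP_URL": "/index.html"},
    {"IPV4_SRC_ADDR": "10.1.7.33", "HTTP_HOST": "example.com", "HTTP_URL": "/docs"},
    {"IPV4_SRC_ADDR": "10.1.7.50", "HTTP_HOST": "update.example.net", "HTTP_URL": "/patches"},
    {"IPV4_SRC_ADDR": "10.1.7.21", "HTTP_HOST": "update.example.net", "HTTP_URL": "/patches"},
]


def page_count(n_items: int, per_page: int = PER_PAGE) -> int:
    """Number of report pages needed for n_items rows (ceiling division)."""
    return -(-n_items // per_page)


def top_domains(flows: List[Dict[str, str]], page: int = 1,
                per_page: int = PER_PAGE) -> List[Tuple[str, int]]:
    """Domains ranked by request count; returns the requested report page."""
    ranked = Counter(f["HTTP_HOST"] for f in flows).most_common()
    start = (page - 1) * per_page
    return ranked[start:start + per_page]


def urls_for_domain(flows: List[Dict[str, str]], domain: str) -> List[Tuple[str, int]]:
    """Distinct URLs requested under one domain, most requested first."""
    return Counter(f["HTTP_URL"] for f in flows if f["HTTP_HOST"] == domain).most_common()


def hosts_for_url(flows: List[Dict[str, str]], domain: str, url: str) -> List[Tuple[str, int]]:
    """Source addresses that requested a specific URL on a domain (the 'culprit' view)."""
    return Counter(
        f["IPV4_SRC_ADDR"] for f in flows
        if f["HTTP_HOST"] == domain and f["HTTP_URL"] == url
    ).most_common()


def urls_for_host(flows: List[Dict[str, str]], src: str) -> List[Tuple[Tuple[str, str], int]]:
    """Everything one source host requested, as (domain, url) pairs with counts."""
    return Counter(
        (f["HTTP_HOST"], f["HTTP_URL"]) for f in flows if f["IPV4_SRC_ADDR"] == src
    ).most_common()


if __name__ == "__main__":
    domains = Counter(f["HTTP_HOST"] for f in SAMPLE_FLOWS)
    print(f"Top domains ({page_count(len(domains))} page(s)):")
    for host, n in top_domains(SAMPLE_FLOWS):
        print(f"  {host:22} {n}")
    domain = "craigslist.org"
    urls = urls_for_domain(SAMPLE_FLOWS, domain)
    print(f"\nURLs on {domain} ({page_count(len(urls))} page(s)):")
    for url, n in urls:
        print(f"  {url:20} {n}")
    url = urls[0][0]
    print(f"\nHosts requesting {domain}{url}:")
    for src, n in hosts_for_url(SAMPLE_FLOWS, domain, url):
        print(f"  {src:12} {n}")
        print(f"  ... and all requests from {src}:")
        for (h, u), m in urls_for_host(SAMPLE_FLOWS, src):
            print(f"      {h}{u:22} {m}")
```

Two caveats worth keeping in mind when reading this kind of report. The HTTP host and URL fields come from deep packet inspection of cleartext HTTP, so HTTPS sessions will not populate them, and HTTP_HOST is whatever the client put in the Host header, so pivot on the source address (as the walkthrough does) before drawing conclusions about a user.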