Overview

The Telesoft IP Flow Probe is a 1U appliance that generates unsampled flow statistics on traffic from 10Gbit/s and 100Gbit/s up to 200Gbit/s. Instrumenting up to 150 million concurrent flows at a churn rate of up to 1.5 million active flows enables the collection of flow statistics from ultra-scale networks. The IP Flow Probe eliminates the inefficiencies and inaccuracies of sampling network data by providing the complete visibility of network behaviour and anomalies required for detection of advanced persistent threats.

Flow records are distributed across multiple collectors such as Elasticsearch and Apache Kafka using the universal standard IETF Internet Protocol Flow Information Export (IPFIX) protocol and JSON. This allows existing collection and recording infrastructure to scale up to 200GbE networks, so you can accurately gather, process, compare and analyse network behaviour in real time.

Intelligent load balancing across flow collectors reduces the load and storage on a single collector instance. Flow-safe load balancing ensures duplex flows are forwarded to the same collector for accurate and rapid analysis.

The Telesoft IP Flow Probe leverages Telesoft’s proven FPGA technology to process packets at rates that would ordinarily be limited by the throughput of existing CPU architectures, allowing network operators to maintain bandwidth and avoid packet arrival congestion. The IP Flow Probe can terminate up to 20x10GbE for monitoring multiple 10Gbit/s trunks or up to 2x100GBASE-LR4 for 100Gbit/s trunks. The traffic monitoring interfaces work in passive mode and do not require any protocol handshake or keep-alive in order to process incoming traffic, ensuring plug-and-play, seamless integration.

The Flow Probe can be configured to include the Host: and URI information from HTTP sessions. This lets the user determine which websites have been visited by which source IP address without any additional processing. The information can be used statistically to check for abnormal behaviour, or to look for URLs identified as Indicators of Compromise (IOCs). The host information is carried in the httpRequestHost ElementID, while the additional URI information uses Telesoft’s Enterprise Number as an extension to IANA-IPFIX as set out in RFC 7011.

The Server Name can also be included from SSL sessions, allowing statistical checking for unexpected behaviour, or looking for specific servers of interest. This again uses Telesoft’s Enterprise Number as an extension to IANA-IPFIX as set out in RFC 7011 to carry the additional information in the IPFIX record.

HTTP return codes can be monitored to check for machine-initiated sessions or attacks. A high level of visits to websites that do not exist (404) would indicate that a machine is the source of the requests. The HTTP return code is included in the HTTPStatusCode ElementID.
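
The 404 check described above could be run on the collector side as follows. This is an added example, not Telesoft code: the JSON key names (sourceIPv4Address, httpRequestHost, httpStatusCode, destinationTransportPort) are assumed from the IANA IPFIX element names and may not match the probe's JSON export, and the sample records and thresholds are constructed.

```python
import json
from collections import Counter

# Constructed sample records, one JSON object per line. Key names are assumed
# (taken from IANA IPFIX element names); the probe's real JSON schema may differ.
SAMPLE_FLOWS = "\n".join(
    [json.dumps({"sourceIPv4Address": "192.0.2.10", "httpRequestHost": "intranet.example",
                 "httpStatusCode": code}) for code in (200, 200, 304, 404, 200, 200)]
    + [json.dumps({"sourceIPv4Address": "192.0.2.66", "httpRequestHost": "shop.example",
                   "httpStatusCode": code}) for code in (404, 404, 404, 200, 404, 404, 404, 403)]
    + [json.dumps({"sourceIPv4Address": "192.0.2.77", "httpRequestHost": "shop.example",
                   "httpStatusCode": 404})]           # a single 404: too few requests to judge
    + ['{"sourceIPv4Address": "192.0.2.88", "destinationTransportPort": 53}',  # non-HTTP flow
       "not json"]                                     # damaged line, skipped
)

def sources_with_high_404_ratio(lines, min_requests=5, ratio_threshold=0.5):
    """Return {source_ip: (count_404, total_http, ratio)} for sources over the threshold."""
    total, not_found = Counter(), Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        src, status = rec.get("sourceIPv4Address"), rec.get("httpStatusCode")
        if src is None or not isinstance(status, int):
            continue  # flow record carries no HTTP return code
        total[src] += 1
        if status == 404:
            not_found[src] += 1
    flagged = {}
    for src, n in total.items():
        ratio = not_found[src] / n
        # Require a minimum sample so one mistyped URL does not flag a host.
        if n >= min_requests and ratio >= ratio_threshold:
            flagged[src] = (not_found[src], n, round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for src, (n404, n, ratio) in sources_with_high_404_ratio(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {n404}/{n} HTTP responses were 404 ({ratio:.0%})")
```

Because the records are unsampled, the ratio is computed over every HTTP flow a source produced, so the minimum-request floor is the only guard needed against small-sample noise.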

Flows to DNS servers can be identified, with the query name, response name and address added into the flow record. This allows for the detection of suspicious and rogue DNS servers in the network. The DNS parameters are included by using the extensions to the IANA-IPFIX spec.

Key Features

200Gbps throughput

Secure, reliable performance regardless of packet arrival rate

Unsampled 1:1 IPFIX record generation

Complete visibility of network behaviour and anomalies

Supports the latest IPFIX/Netflow/JSON export formats

Work with any industry standard IPFIX/Netflow collector

Flow safe load balancing of IPFIX/Netflow/JSON records to multiple collectors

Scale the number of collectors in the load share pool as required

Available in a standard 1U chassis

Reduced OPEX, space and cooling
