Note: These settings are accessed via the Admin menu, which is displayed to Admin users only (hidden from Member users).
Network classification uses source and destination information related to IPs and ASes to determine the direction of network traffic with respect to your network. The following types of classification are supported:
- Network Directionality: Used to find traffic based on the direction from which it enters the network and the direction in which it leaves.
- Host Directionality: Used to look for host traffic captured by kprobe based on the direction it is flowing.
The two categories of Network Classification directionality listed above are supported by four dimensions (see Dimension Reference) that can be applied to each flow as it is ingested into the main tables of KDE:
- Traffic Origination: This dimension indicates whether the source for a given flow is inside or outside of your network.
- Traffic Termination: This dimension indicates whether the destination for a given flow record is inside or outside of the network.
- Host Direction: When the flow record has been generated on a host, this dimension indicates whether the direction of traffic is into or out of that host.
- Traffic Profile: Derived from Traffic Origination and Traffic Termination, this dimension categorizes traffic into one of the following directionalities, which are illustrated in the graphic below:
  - Through: Traffic coming from outside the network and terminating outside the network.
  - From outside, terminated inside (ingress): Traffic coming from outside the network and terminating inside the network.
  - Internal: Traffic originating and terminating inside the network.
  - Originated inside, to outside (egress): Traffic coming from inside the network and terminating outside the network.
The dimensions described above are available throughout Kentik Detect as:
- Group-by Dimensions
- Filter match criteria
- Alert keys (dimensions of an Alert Policy)
- Alert filter match criteria
Note: The use of Network Classification in Alerting enables you to monitor traffic that comes from outside the network separately from traffic that is internal to the network.
One application of Network Classification is to use the Network Directionality dimensions to investigate spikes in traffic. Suppose, for example, that we used Data Explorer to run a query for top-X customers, and the resulting graph revealed a big spike in flows to a customer called Pear, Inc. (as shown below).
To dig deeper into this anomaly, we’d start in the table (not shown) beneath the graph in the Explorer display area. Clicking the Action menu at the right of the row corresponding to Pear, Inc., we choose Show By to open the Show By Dimensions dialog, then choose one of our new Network Classification dimensions, Traffic Origination (listed under Source). After closing the dialog by clicking the Show By Selected Dimensions button, we re-run the query. In the resulting graph (below) we can now see that the spike is made up of traffic that originated outside of our network (having a Traffic Origination value of “outside”). If we wanted to continue digging further, we would use Show By again, this time looking at source ASN or IP address.
Another use case for Network Classification is specific to host traffic captured by kprobe (Kentik’s software host agent). Since most hosts have only a single interface through which traffic can pass, kprobe captures both inbound and outbound traffic. Host directionality enables you to separate traffic that was coming in from traffic that was leaving. To do so, set the Devices pane of the Data Explorer sidebar to include the hosts that you want to check, then run a query with Host Direction (in the Full category) as the group-by dimension. As shown in the graph below, you can now see separately the flows in and out of your hosts.
Before using Network Classification you must first enable Kentik Detect to determine what is inside and what is outside of your network. Network classification is configured on the Network Classification page, which is accessed from the sidebar of the portal’s Admin section.
The Network Classification page is made up of the following UI elements:
- Internal IPs: An input field for a comma-separated list of the IP CIDR blocks used inside the network.
- Automatically include RFC1918 IP Space: A checkbox used to specify whether the RFC1918 IP Space and other common private ranges are included along with the user-defined Internal IPs list. This option is checked by default.
- Internal ASNs field: An input field for a comma-separated list of the ASNs used inside the network.
- Automatically Include Private ASNs: A checkbox used to specify whether private 16- and 32-bit ASNs are included along with the user-defined Internal ASNs list. This option is checked by default.
- Save button: Click to save any changes that have been made since arriving on the page.
To set up network classification:
- Go to the Network Classification page (Admin » Network Classification).
- In the Internal IPs field, enter a comma-separated list of the IPs that are internal to your network.
- Using the checkbox below the field, choose whether to automatically include the RFC1918 IP space.
- In the Internal ASNs field, enter a comma-separated list of the ASNs that are internal to your network.
- Using the checkbox below the field, choose whether to automatically include private ASNs.
- Click the Save button. You are now ready to start using network classification dimensions for group-by and filtering in queries and alerting.
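As an added example (not Kentik's own code or matching rules), the following Python model ties the settings above to the dimension definitions earlier on the page: it applies the Internal IPs and Internal ASNs fields and the two checkboxes to constructed flow records, derives Traffic Origination, Traffic Termination and Traffic Profile for each, and groups by a dimension the way Show By does in the spike walkthrough. It assumes an endpoint counts as inside when either its IP or its ASN matches the internal lists; the page does not state how Kentik combines the two.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the Network Classification page settings. Assumption (not stated on the
# page): an endpoint is "inside" if its IP falls in an internal block OR its ASN is internal.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVATE_ASN_RANGES = [(64512, 65534), (4200000000, 4294967294)]  # 16-bit and 32-bit private ASNs
PROFILE = {("outside", "outside"): "through", ("inside", "inside"): "internal",  # (orig, term) -> profile
           ("outside", "inside"): "from outside, terminated inside",
           ("inside", "outside"): "originated inside, to outside"}


@dataclass
class NetworkClassification:
    internal_ips: str = ""             # Internal IPs field: comma-separated CIDR blocks
    include_rfc1918: bool = True       # "Automatically include RFC1918 IP Space" checkbox
    internal_asns: str = ""            # Internal ASNs field: comma-separated ASNs
    include_private_asns: bool = True  # "Automatically Include Private ASNs" checkbox

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(c.strip(), strict=False)
                     for c in self.internal_ips.split(",") if c.strip()]
        if self.include_rfc1918:
            self.nets += RFC1918
        self.asns = {int(a) for a in self.internal_asns.split(",") if a.strip()}

    def is_inside(self, ip: str, asn: int) -> bool:
        addr = ipaddress.ip_address(ip)
        private_asn = self.include_private_asns and any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)
        return any(addr in net for net in self.nets) or asn in self.asns or private_asn

    def classify(self, flow: dict) -> dict:  # the Network Directionality dimensions for one flow record
        orig = "inside" if self.is_inside(flow["src_ip"], flow["src_asn"]) else "outside"
        term = "inside" if self.is_inside(flow["dst_ip"], flow["dst_asn"]) else "outside"
        return {"traffic_origination": orig, "traffic_termination": term,
                "traffic_profile": PROFILE[(orig, term)]}


def show_by(flows, dimension: str, cfg: NetworkClassification) -> dict:  # like Show By in Data Explorer
    totals = {}
    for flow in flows:
        key = cfg.classify(flow)[dimension]
        totals[key] = totals.get(key, 0) + flow.get("flows", 1)
    return totals


# Constructed sample flow records (documentation prefixes and ASNs, not real traffic).
SAMPLE_FLOWS = [
    {"src_ip": "198.51.100.7", "src_asn": 64500, "dst_ip": "203.0.113.10", "dst_asn": 64496, "flows": 900},
    {"src_ip": "10.1.2.3", "src_asn": 65000, "dst_ip": "192.168.0.5", "dst_asn": 65001, "flows": 40},
    {"src_ip": "198.51.100.7", "src_asn": 64500, "dst_ip": "192.0.2.1", "dst_asn": 64501, "flows": 5},
]
```

With the constructed records, grouping by Traffic Origination shows the bulk of the flows as "outside", mirroring the Pear, Inc. spike analysis; unchecking both automatic-include boxes turns the RFC1918 record into "through" traffic, which is the mistake to watch for when the defaults are disabled.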