The following is a transcript of the audio podcast you can listen to in the player above.
Welcome to Briefings In Brief, an audio digest of IT news and information from the Packet Pushers, including vendor briefings, industry research, and commentary.
I’m Ethan Banks, it’s February 7, 2019, and here’s what’s happening. I had a briefing with Plixer today.
Plixer Scrutinizer, Flow Records, And Context
Plixer is in the world of flow record analysis, solving issues for both network and security operations folks. “Oh, so they’re a netflow collector?” Yes, that’s how Plixer started back in 1999, but there’s much more to the story than just collection of flow records now that they’ve got nearly 20 years of software development under their belt.
Plixer’s Scrutinizer platform doesn’t simply collect netflow records. Rather, Plixer grabs all sorts of flow records, including netflow, sflow, IPFIX, and more. How much more? Thousands. Plixer has made a point to integrate with several different industry vendors to be able to parse not just the standard flow records, but also many of the proprietary record types that are out there, for example, from Gigamon and Ixia.
The big idea is to, as a first step, collect a bunch of records from a bunch of sources–all the sources you have on your network. Collection is good and needful, but the real issue (and one we’ve been harping on in the Packet Pushers world) is how that data is interpreted. Records aren’t interesting by themselves. Context is. Software that collects flow records and parses through them so that you have transactional context up and down the stack is what operations folks need. You don’t have the bandwidth to be providing context yourself.
And that’s the next step Scrutinizer takes–providing context to help you make sense of all the flow records being collected from the network. Ahhhh…”Scrutinizer” – I see why they called it that now. While a standard netflow record might give you 12 data points (IP address, ports, and so on), Plixer, with all of the integrations they’ve done with other platforms, can tap into as many as 5,000 data points around a transaction.
Plixer describes it as a “massively contextual database” containing L2-L7 information. The context stitches together all of the data you might care about when troubleshooting a problem or performing a forensic investigation. Metadata like application, user name, jitter, latency, SSL cert details, geo IP location, etc. are all examples of elements Plixer understands to help clarify what’s really going on and why.
The FlowPro Network Probe For Those Hard-To-Reach Network Segments
Flow records from sources all over your network including the funky proprietary ones are good, but what if you’ve got some dark spots on your network? Areas where the network equipment in play doesn’t have good flow information to send to Plixer Scrutinizer?
Plixer has announced the FlowPro network probe to shine some light on these dark areas. Available both as hardware and virtual appliances, FlowPro observes network packets via SPAN or ERSPAN and can, based on its observations, create and export flow records to Scrutinizer. But that’s not all that FlowPro can do. There’s a bunch of analytical capability baked into the tool.
For example, Plixer described rich DNS security functionality to me. FlowPro can inspect DNS via domain reputation checking, look for DNS tunneling, monitor queries for A and AAAA records, note hits on “whatismyip.com”, and then detect behavior indicating that malware folks are trying to get paid based on lookups against the public IP address of a compromised host. All of that work is done locally on the FlowPro, with anomalous events kicked up to Scrutinizer.
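To make the kind of local DNS checks just described concrete, here is a small detector run over constructed DNS query log lines. It is example code written for this transcript, not Plixer’s or FlowPro’s own logic; the log line format, the reputation list and the tunneling thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed sample DNS query log, one query per line, in a hypothetical
# "<timestamp> <client-ip> <qtype> <qname>" format (not a FlowPro export).
SAMPLE_LOG = """\
2019-02-07T10:00:01 10.1.1.5 A www.example.com
2019-02-07T10:00:02 10.1.1.5 AAAA mail.example.com
2019-02-07T10:00:03 10.1.1.9 A whatismyip.com
2019-02-07T10:00:04 10.1.1.9 A 3a9f1c2b7e6d4f80a1b2c3d4e5f60718.exfil.example
2019-02-07T10:00:05 10.1.1.9 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.exfil.example
2019-02-07T10:00:06 10.1.1.5 A static.example.org
"""
PUBLIC_IP_LOOKUP_DOMAINS = {"whatismyip.com"}   # named in the briefing; extend as needed
BAD_REPUTATION = {"exfil.example"}              # constructed stand-in for a reputation feed
MAX_SUBDOMAIN_LEN = 30       # tunneling heuristics: encoded data shows up as long,
MAX_SUBDOMAIN_ENTROPY = 3.5  # random-looking subdomain labels (assumed thresholds)

def shannon_entropy(text):
    # Bits per character; hex/base32-encoded labels score well above plain words.
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def registered_domain(qname):
    # Last two labels only; a real deployment would consult a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def analyze_query(line):
    # One log line -> record with a (possibly empty) list of findings.
    timestamp, client, qtype, qname = line.split()
    qname = qname.rstrip(".").lower()
    findings = []
    if qname in PUBLIC_IP_LOOKUP_DOMAINS:
        findings.append("public-ip-lookup")
    if registered_domain(qname) in BAD_REPUTATION:
        findings.append("bad-reputation")
    subdomain = ".".join(qname.split(".")[:-2])
    if subdomain and (len(subdomain) >= MAX_SUBDOMAIN_LEN
                      or shannon_entropy(subdomain) > MAX_SUBDOMAIN_ENTROPY):
        findings.append("possible-tunneling")
    return {"time": timestamp, "client": client, "qtype": qtype,
            "qname": qname, "findings": findings}

def analyze_log(text):
    # Keep only the flagged queries; these are the events a probe would forward.
    records = (analyze_query(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r["findings"]]

for event in analyze_log(SAMPLE_LOG):
    print(event["time"], event["client"], event["qtype"], event["qname"], ",".join(event["findings"]))
```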
The virtual FlowPro runs on VMware, KVM, or Hyper-V. The hardwa…