I’m trying to use traffic flow to monitor the network traffic using the ELK stack. However, it seems like the switch is only providing broadcast data or data that goes to or originates from the switch itself. So if I have any traffic going from one computer not connected to the switch to one that is, or vice versa, it never shows up, no matter what form of traffic it is. Here’s an example screenshot from what the switch is reporting:

This is in a 1 week time frame.
The inner circle is the protocol used and the outer circle is the IPs that are used for that protocol.
As you can see above, over 3/4 of the traffic I see is either broadcasts or communication from the switch to the servers that it’s sending the traffic flow data to.
The switch I’m using is a Cloud Router CRS125-24G-1S-RM.
The switch is in bridge mode.
Traffic flow is enabled on all interfaces, and the targets are receiving traffic flow version 9.
The active flow timeout is 30 minutes and the inactive flow timeout is 15 seconds.
All the interfaces were by default slaves to ether1. I saw online that making them not slaves might solve the issue, but it didn’t.
I’m particularly interested in getting data pertaining to any RDP sessions made from a computer connected to the switch to one that isn’t, and any traffic that might flow back to a computer connected to the switch.
Does anyone have any idea on how to solve this?