
The default page after opening opFlow displays the top 10 sources of network traffic. If you suspect you are under a DDoS attack, change the page to display the top 10 applications. To do this, navigate to menu -> Advanced, which opens the menu below.

Figure 1 - Advanced Window

From the Advanced menu, change the summary type to "App Sources" and set the "Specific Time" section to match the time period in which you believe the attack occurred. Click "Apply Selection" to confirm the changes.

Figure 2 - Top 10 Applications

In the example in Figure 2 above, UDP:32760 appears in the second row; this is normal traffic for this particular network. The domain traffic in the first row seems unusual. From this information we have an idea that the attack traffic is related to UDP destination port 53. To get a tighter vector on this traffic, navigate to menu -> Views -> Conversation Map. The time interval will remain the same as the "Specific Time" filter entered earlier.
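
The same two-step triage (rank applications for a time window, then break the unusual one down by conversation) can be reproduced over exported flow records. This is an added example, not opFlow code; the record layout, the addresses and the byte counts are constructed, and the PROTO:port label format is assumed from the "UDP:32760" entry in Figure 2.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow records, not real traffic:
# (start time, source, destination, protocol, destination port, bytes)
FLOWS = [
    ("2024-01-01 10:01", "198.51.100.7", "192.0.2.10", "udp", 53, 900_000),
    ("2024-01-01 10:02", "198.51.100.8", "192.0.2.10", "udp", 53, 850_000),
    ("2024-01-01 10:03", "203.0.113.5", "192.0.2.20", "udp", 32760, 400_000),
    ("2024-01-01 10:04", "203.0.113.9", "192.0.2.30", "tcp", 443, 120_000),
    ("2024-01-01 10:05", "198.51.100.7", "192.0.2.10", "udp", 53, 700_000),
    # Outside the selected window; must not affect the ranking.
    ("2024-01-01 09:10", "203.0.113.5", "192.0.2.20", "udp", 32760, 5_000_000),
]
FMT = "%Y-%m-%d %H:%M"

def app_label(proto, dport):
    """Application label in the PROTO:port style shown in Figure 2 (assumed)."""
    return f"{proto.upper()}:{dport}"

def in_window(flows, start, end):
    """Keep flows whose start time falls inside the selected period."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return [f for f in flows if lo <= datetime.strptime(f[0], FMT) <= hi]

def top_applications(flows, n=10):
    """Rank applications by total bytes, with each one's share of the window."""
    totals = Counter()
    for _, _, _, proto, dport, nbytes in flows:
        totals[app_label(proto, dport)] += nbytes
    grand = sum(totals.values()) or 1
    return [(app, b, round(100 * b / grand, 1)) for app, b in totals.most_common(n)]

def top_conversations(flows, app, n=10):
    """Rank source/destination pairs by bytes for one application."""
    totals = Counter()
    for _, src, dst, proto, dport, nbytes in flows:
        if app_label(proto, dport) == app:
            totals[(src, dst)] += nbytes
    return totals.most_common(n)

if __name__ == "__main__":
    window = in_window(FLOWS, "2024-01-01 10:00", "2024-01-01 10:30")
    for app, nbytes, share in top_applications(window):
        print(f"{app:<10} {nbytes:>9} bytes  {share:>5}%")
    suspect = top_applications(window)[0][0]
    for (src, dst), nbytes in top_conversations(window, suspect):
        print(f"{suspect}  {src} -> {dst}  {nbytes} bytes")
```

The large UDP:32760 flow at 09:10 is excluded by the time filter, which is why the "Specific Time" selection matters before judging which application is unusual.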

In the example below you can see how the opFlow server collects and analyzes NetFlow information received by the router.

...