How Cisco NetFlow can monitor laptop usage in schools

Posted in General, NetFlow, Scrutinizer, Security on March 31st, 2009 by Jo-G

In 2002, Maine began providing laptops to all middle school students (see Maine Students Hit the IBooks). This month, the state extended the program to include all high school students. This raises a question that I have not yet seen being discussed in print – how will the students’ Internet usage during the school day be monitored?

Why is the Flow Analytics Top Flows gadget important?

Posted in Scrutinizer on March 30th, 2009 by Raul J Duran

One of the great features of Scrutinizer is the My View page, which allows a customized interface on a per user basis.  It also allows the use of many different existing gadgets, or with a little HTML know-how, our customers can make their own.

Plixer’s Flow Analytics module comes with several gadgets built in that give the administrator even more visibility into network traffic. One is called the Top Flows gadget, a chart that displays how many flows and conversations are attributed to the top 10 hosts communicating – across all routers set to be monitored.  In order to understand the chart below, it’s important to know what we mean by Flows and Conversations.

A conversation between two people involves a series of exchanges of statements, right?  A conversation between hosts in Scrutinizer and Flow Analytics works the same way.  A conversation in this gadget is the number of unique hosts the source or destination host is communicating with.

Consider a Flow as the number of unique entries for a host in the database for the time frame selected. Clear as mud?

Let’s take a look at the chart:
[Image: Scrutinizer Flow Analytics Top Flows gadget]

We have two main columns, “Top Src Flows and Conv” and “Top Dst Flows and Conv”, with hosts listed in order of the greatest number of Flows.

“Ok great… So as a network administrator why is this important to me?”

I’m glad you asked…

First, this is an informative chart, not an alarming gadget. The reason entries are yellow is because there are outstanding alarms for the host displayed. Mouse over the ‘!’ sign to see how many, and click to drill in and see them.

Second, it’s not all about the ratios of Flows vs. Conversations. For example, let’s say you’re walking down the street and this guy says…
[Image: guy having trouble having a conversation]
“Hey buddy… Come here. I got a great deal for you today. Come here!!!”

If you ignore the person and don’t say anything back, this is considered a scan.  It could involve one or hundreds of packets in one direction.  Because he was trying to get you to respond, he would be using TCP.  However, because you didn’t respond, flows are only created in one direction. One conversation occurred using one or more flows.

Some may reply, “No thank you sir… Please don’t kill me”, and walk away. In this case, a conversation occurred on one or more unique ports with TCP handshakes, and so flows go in both directions. Two conversations occurred with 2 or more flows, depending on the number of applications involved. Routers and switches create unique flows when the source and destination ports, among other things, don’t match up.

The million dollar question…
[Image: want a million]
Do flows in one direction mean that something is wrong? NO! For example, suppose on that same corner someone started singing a song to you and you decided to stand there and listen without even so much as a “thank you”. This would be like UDP, with each lyric causing a unique flow in one direction (e.g. syslogs or SNMP traps, etc.). This is because UDP doesn’t require the handshakes that TCP does. The above results in one conversation and generally hundreds of flows.

And that’s the way it works. A high ratio of flows to conversations is not necessarily good or bad, and neither is a low ratio. However, high counts where the number of flows and the number of conversations are exactly the same do imply something is suspicious! Maybe I’ll digress on this later.
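To make the flows-versus-conversations distinction concrete, here is an added Python example (not Scrutinizer or Flow Analytics code) that counts both per host from constructed sample flow records and labels each source host with the three cases described above: unanswered TCP flows to many peers, TCP with flows in both directions, and one-way UDP to a single peer. The addresses, ports and the `min_peers` threshold are assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample flow records (not real traffic), one per unidirectional
# flow as an exporter would report it: (src, dst, proto, src_port, dst_port).
SAMPLE_FLOWS = [
    # 10.1.1.10: one-way TCP to five different hosts, none answered (scan-like)
    ("10.1.1.10", "10.1.2.1", "tcp", 40001, 445),
    ("10.1.1.10", "10.1.2.2", "tcp", 40002, 445),
    ("10.1.1.10", "10.1.2.3", "tcp", 40003, 445),
    ("10.1.1.10", "10.1.2.4", "tcp", 40004, 445),
    ("10.1.1.10", "10.1.2.5", "tcp", 40005, 445),
    # 10.1.1.20: ordinary TCP sessions, so a flow exists in each direction
    ("10.1.1.20", "10.1.3.1", "tcp", 50001, 80),
    ("10.1.3.1", "10.1.1.20", "tcp", 80, 50001),
    ("10.1.1.20", "10.1.3.1", "tcp", 50002, 443),
    ("10.1.3.1", "10.1.1.20", "tcp", 443, 50002),
    # 10.1.1.30: one-way UDP syslog to a single log server (many flows, one peer)
    ("10.1.1.30", "10.1.4.1", "udp", 51001, 514),
    ("10.1.1.30", "10.1.4.1", "udp", 51002, 514),
    ("10.1.1.30", "10.1.4.1", "udp", 51003, 514),
]

def summarize(flows):
    """Per host and role: flows = number of records, conversations = unique peers."""
    acc = defaultdict(lambda: {"sf": 0, "df": 0, "sp": set(), "dp": set()})
    for src, dst, _proto, _sport, _dport in flows:
        acc[src]["sf"] += 1
        acc[src]["sp"].add(dst)
        acc[dst]["df"] += 1
        acc[dst]["dp"].add(src)
    return {h: {"src_flows": a["sf"], "src_conv": len(a["sp"]),
                "dst_flows": a["df"], "dst_conv": len(a["dp"])}
            for h, a in acc.items()}

def unanswered_peers(flows):
    """{src: {proto: set(dst)}} for flows that have no matching reverse flow."""
    seen = set(flows)
    result = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, sport, dport in flows:
        if (dst, src, proto, dport, sport) not in seen:
            result[src][proto].add(dst)
    return result

def classify(flows, min_peers=3):
    """Label each source host using the cases the post walks through."""
    stats, oneway = summarize(flows), unanswered_peers(flows)
    labels = {}
    for host, s in stats.items():
        if s["src_flows"] == 0:
            continue  # only ever a destination; nothing to judge here
        tcp_oneway, udp_oneway = oneway[host]["tcp"], oneway[host]["udp"]
        if len(tcp_oneway) >= min_peers and s["src_flows"] == s["src_conv"]:
            labels[host] = "scan-like"      # one unanswered flow per peer
        elif tcp_oneway:
            labels[host] = "unanswered-tcp" # a few one-way TCP flows: worth a look
        elif udp_oneway:
            labels[host] = "one-way-udp"    # syslog/trap style, usually benign
        else:
            labels[host] = "bidirectional"  # TCP handshakes completed both ways
    return labels
```

Running `classify(SAMPLE_FLOWS)` labels 10.1.1.10 as scan-like, 10.1.1.20 and 10.1.3.1 as bidirectional, and 10.1.1.30 as one-way-udp; the log server 10.1.4.1 only ever receives, so it gets no label.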

…Anyway, that’s why the Top Flows gadget is important to you.

Thanks,
Raul J Duran


NetFlow Detective – A cold day in this dark city

Posted in Denika, General, Logalot, NetFlow, Netflow Detective, Network Traffic Analysis, Scrutinizer on March 30th, 2009 by jimmyd

It was a cold day in March, colder than usual for this time of year. The phone rang and it was Jon telling me that his router wasn’t performing well and was having issues. They all have an issue in this city. Some are big and some are small, but they all have issues. As for Jon, his issue was big and that’s why he called me… I’m Jimmy D, the Cisco NetFlow Detective.

His story was the same old song; every day around a specific time, his network would slow down and the CPU on his router would peg at 90%. He needed to know why, and fast. His company was getting ready to release a hot new piece of software and they needed the bandwidth to support it.

He had taken the first step; he was already monitoring his bandwidth with Scrutinizer. But Jon needed more. He needed to know what times his CPU utilization was high and what traffic patterns occurred during that time. If this was a perfect world, he would also be alerted when it happened.

“Let’s go get a cup of coffee.” I said.

“Jon, we can trend your CPU utilization via SNMP with Denika. We can also set up alarms and alerts in both Scrutinizer and Denika. We can also capture syslogs from the router with Logalot. All this information can be tied together to give us a better picture and possibly point out a pattern.”

“Awesome, that’s what I was looking for! Can you help me?” he replied.

“Sure Jon, I’m the NetFlow detective, that’s what I do.”

Later that day, we took some time to set up both products. I explained how the process worked and what we were looking for. I let him know that although we can store this data forever, we were specifically interested in the next 24 hours. I was positive that our culprit would strike again.

He let me know that he would call me the next day.

“Jimmy, I just got an alert!” said Jon.

“Let’s look at what it said,” I said.

It was 5:01 p.m. and I wasn’t surprised. Nasty things, like rats and bad packets, show up quickly. After a few minutes of searching, I could see a pattern and it wasn’t pretty.

“I believe that I found your issues Jon.”

I looked at the time of the CPU spikes in Denika’s SNMP reports. We then looked at the Layer 3 traffic reports within Scrutinizer. I compared the timeframes and quickly saw the traffic matched.

“We now know it is a user. So now let’s find out who it is. To do so, we can drill down through the IP addresses in Scrutinizer and find out what IP is causing the traffic. Here you go Jon, are you ready to see who is hogging your bandwidth and causing the high CPU utilization?”

In one click, I quickly resolved the top talkers and saw that it was jenny.abcorp.com.

“Oh no, that’s my girlfriend!” said Jon, “Can we tell who she was talking to?”

We quickly changed to the conversation’s destination and could see that she was uploading 6 gigs of information to cbacorp.com at 5 p.m. every day. Jon knew the rest of the story because it was a common one. Geek programmer meets cute Russian model who thinks he is Superman, but soon finds out that he had been taken by a pretty face. She was uploading the latest builds of their hot new software to the competitors. She was a spy.

“Thank you Jimmy, you saved our company.” said Jon.

“Don’t sweat it kid. My job is to shed some light in a dark world…”

Most of these names and happenings in this story are true. Some have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
International Sales Channel Manager and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Wireshark peek at IPv6 in Cisco NetFlow v9

Posted in General, NetFlow on March 28th, 2009 by mike@plixer.com

I did some investigation on IPv6 the other day. Luckily Wireshark has the decodes necessary to look inside the Cisco NetFlow v9 / IPFIX packets.

The flow shown below is one of the Egress flows and I highlighted the IPv6 Address.  Take a look:

[Image: Wireshark decode of a NetFlow v9 egress flow with the IPv6 address highlighted]
What is your company doing to prepare for IPv6?  You can start by asking “why IPv6”.

Michael Patterson
Scrutinizer Product Manager

Conficker C: The biggest prank of the year

Posted in General, IT News, Security on March 27th, 2009 by nathanh

If there’s one thing to know when working here at Plixer, it’s this: Watch your back when April Fools comes around!

Last year, Tom Pore convinced Raul that there was a customer who needed immediate assistance. Of course, this customer being Mr. Behr and Mr. Lyon at the San Diego Zoo. Raul, being the “go getter”, didn’t bother to second guess Tom’s request and made the call.

The funny part was that the operator that answered the phone caught on long before Raul that he was being duped. Can you imagine that?

Raul – “Good morning, could I please speak to Mr. Lyon?”

Operator – “Sorry, there’s nobody here by that name…”

Raul – “Oh, could I speak to Mr. Behr then?”

Operator – “…”

… and that’s what you get for trusting Tom.

In Raul’s defense though, we did have contacts at the San Diego Zoo, so that made “Mr. Lyon’s” request for assistance way more legitimate.

(I’ll pause to give you guys time to pick yourselves up off the floor)

This coming April, however; we could all find ourselves being the victim of one big prank…

Right now, there’s a lot of buzz being generated on the net regarding the Conficker C worm. The true danger is that 75% of the world’s users are running Windows, which harbors the vulnerabilities this worm exploits. To compound the issue, Conficker C is programmed to have all infected machines accept instructions on April 1st.

What does this mean? I have no idea, and neither does anyone else… and that worries people.

So what will happen when millions of PC’s in this giant botnet awaken?

Maybe some poor sap is going get the DDoS attack of DDoS attacks; maybe we’ll all get spammed with “I Love You!” e-cards; maybe the planet will finally be hacked…

To combat this, Microsoft has issued a patch that supposedly addresses the vulnerability, but it still wants blood from the person(s) responsible.

Earlier this year, Microsoft issued a bounty of $250,000 for information leading to the arrest of the author(s) of Conficker. That person must have some GOOD friends…

So what does Conficker C and Tom Pore have in store for us this coming April Fools? We’ll just have to see…

-Nate


How to use NetFlow to detect March Madness traffic

Posted in NetFlow, Network Problem Resolution, Scrutinizer on March 27th, 2009 by Jon Mills

While Tom Pore has already warned us of the dangers March Madness poses to networks in corporations that are without a good Internet usage policy, I thought I might put this into perspective with a good example. This one just so happens to be based on a true story.

Opening day of March Madness was here and the office was abuzz with talk of ladders, brackets and favorite teams. Then 8 a.m. rolled around, and everyone grabbed their cup of coffee and started their work day.

It wasn’t long before complaints started to surface of slow Internet connections and flaky applications. Something seemed amiss with the corporate T1. Scrutinizer was on the case!

The first order of business was to load our favorite Cisco NetFlow analysis tool and take a look at the Top Conversations across the T1. Luckily, we anticipated some March Madness activity and, with a little research beforehand, added CBS Sports’ IP address (80.12.192.191 – for us) to our known hosts. Sure enough, the Top Source was CBS Sports.

NetFlow shows CBS Sports as the Top Source on the network

Drilling in on that conversation revealed that it was indeed HTTP traffic. A lot of it!

NetFlow shows HTTP traffic from CBS Sports

Lo and behold, the single destination host belonged to our very own rap sensation Mix Master Mitch. So we can now add NCAA Basketball to the list of Mitch’s passions.

NetFlow shows CBS Sports talking to Mix Master Mitch

[Image: Flow Analytics Top Flows gadget]

With Flow Analytics installed, the process would be even simpler. As you can see in the gadget, the Top Flows gadget makes it obvious that CBS Basketball and Mix Master Mitch are the Top Source and Destination, respectively.

Because of the amazing quality of video that CBS is able to stream to the millions of people watching this event, a single host can easily consume the vast majority of a T1’s available bandwidth. That’s why it is so important for companies to prioritize essential traffic, as well as VoIP and other types of latency sensitive traffic. However, for a lot of us, giving the boss his own private pipe to avoid menacing complaints is not only poor practice, but cost inefficient.

Ultimately, the least invasive and most cost effective method of keeping something like the Presidential Inauguration or March Madness from hindering your network’s throughput is to make employees aware of what kinds of traffic are acceptable, with a good Internet usage policy, and to be able to pinpoint a disturbance when one occurs, with a good NetFlow or sFlow tool.


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

How to move Scrutinizer to a new server

Posted in General, NetFlow, Scrutinizer on March 26th, 2009 by miltong

Last month, I wrote a guide on How To Change Your MySQL Password. This week I have had a lot of Plixer customers asking me how to move Scrutinizer to a new server. So what better topic than that for a new guide?

There are a few reasons why you might want to move Scrutinizer to a new server, such as when you were using a non-production server to try NetFlow with an evaluation of Scrutinizer, or you’re running Scrutinizer on a VM and would like to place it on its own server to increase performance. Whatever the reason, here are some quick and easy instructions to help you with the process.

1. Update the existing Scrutinizer installation to the latest released version.

2. Download the full version of  Scrutinizer and install it on the new server.

3. Stop Apache, mysql, collector, filed and cron on both servers (cron is prior to version 5.5 only).

4. Back up the following directories on the new server:
\scrutinizer\html\conf.cgi
\scrutinizer\files\rrds
\scrutinizer\mysql\data\scrutinizer
\scrutinizer\mysql\data\scrutinizer_*

5. Copy the following directories from original server to new server:
\scrutinizer\html\conf.cgi
\scrutinizer\files\rrds
\scrutinizer\mysql\data\scrutinizer
\scrutinizer\mysql\data\scrutinizer_*

6. Restart the Scrutinizer services.

Milton


NetFlow Rap – A Mix Master Mitch Production

Posted in Denika, General, NetFlow, Network Health Report, Scrutinizer, Voice Over IP Stress Test, WebNM on March 25th, 2009 by Jon Mills

Plixer International is proud to present the YouTube debut of Mix Master Mitch’s first single, “NetFlow Rap”.

Enjoy!

Lyrics

Workin’ in IT’s a breeze
Got my chair back, feet up, crossing my knees (cuz I’m feelin’ it)
Got the collector running data, it’s reelin’ it
Writing data to mySQL, there’s no sense concealing it

Because I got it Scrutinized
A Big Mac, super sized
Just spent 9 grand, now all my NetFlow’s analyzed

Finally realized I needed a tool
Called up the Plixer and they took me to school

Engineer’s on site, and if that wasn’t enough
Even set me up to integrate their stuff with WhatsUp

Tables charts and graphs galore
Signed up for the webinar and learned that there was even more

Now I can run a report
And find out which cohorts are busy building heavy forts on my ports
Check my Top Conversations every single minute
Now when there’s a network battle, instantly I win it

There’s not another tool on the market to top this
I got a group and a flash map for every office
Now when I’m off eating crawfish
An alarm is set off, and I will know, so I can instantly stop this

So go to triple dub dot plixer.com
And download it off the web – don’t need a CD-ROM
So get a demo let them show you the tool
Cuz nobody thinks its cool to be the “I don’t know fool”

Go go to Plixer and they won’t steer you wrong
Then you too could sit back and listen to this song
But if you don’t go, I won’t be held responsible
When you get busted by the network constable

So just download and play today
They even have a free version if you don’t want to pay
Case in point, get your network fixed
And I know just the guy to do it, it’s the plkixey plix

You need this, in any given network today
Don’t know how you’ve been livin’ with no NBA
If every day you fall victim to performance paralysis
I don’t know why you think you don’t need behavior analysis

So if you’re waitin’, procrastinatin’, hesitatin’, and tool debatin’
You can escape from the fake statement you’re statin’ and makin’
It’s frustrating, making mistakes, because you’re pacin’ and waitin’
For the boss to stop flaking, wake up and stop the budget breaking

So many vowel sounds that now my head is aching
May fall off because it’s loose, just like the feet of Kevin Bacon
But back to the track and the point that I was makin’
Hold up, there’s a phone call that I’m about to be takin’

(hello)

There’s a radio station, somebody listens to it

But there’s an issue because there’s not enough legit bandwidth
We can resolve this real quick, just ran a report and found out that it’s Chris
Went to his cubicle and said Chris what’s this
The T1 is lit, the boss is pissed and pitching a fit
What’s that? How did we find out about it?
With the Plixer Flow Analytics

I spit this, just like a baby spits spinach
Flow Analytics will finish your decision, due to the features within it
Competition watching – chances of winnin’ business diminish
Like they were presidential running mates of Dennis Kucinich.


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

Support team rallies for NetFlow, sFlow, IP SLA, NBAR and more…

Posted in General on March 25th, 2009 by Jon Mills

The new Systrax community site is growing in popularity. In an effort to encourage a fun, yet functional, support team, Plixer has posted a Meet the Team page. Not all participating members are posted yet. We are busy!!! Anyway, this is a place where customers can learn more about the members who are answering some of the tough questions being posted on the forums.

“Each member of our support team is versatile in nearly all areas of each Plixer product. They are all familiar with topics such as Cisco NetFlow, sFlow, IP SLA, NBAR, etc.,” says Product Manager Michael Patterson.

Do you like the Anime character artwork? If so, you can pick up a good book like Anime Poster Art at Amazon.com.


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

New Systrax Colors

Posted in General on March 24th, 2009 by mike@plixer.com

We decided to change the systrax colors. Can you take a moment and let us know what you think?

Thanks,

Michael Patterson
Scrutinizer Product Manager