What is IPFIX vs. NetFlow v9?

Posted in NetFlow, SNMP, sFlow on May 30th, 2009 by mike@plixer.com

I was trying to find some real meat and potatoes on the differences between IPFIX and Cisco NetFlow v9. In my searches I kept coming back with an empty plate.


This is one of those times where I had to roll up my sleeves, dig into the RFCs and actually find out for myself.

A word about the RFCs
You probably already know that the IPFIX RFCs, RFC 5101 (the protocol) and RFC 5102 (the information model), are derived from the NetFlow version 9 RFC (RFC 3954), which was written by Benoit Claise, a business friend of mine. You’ll notice that Benoit worked on the IPFIX RFCs as well. Anyway, and more to the point, what makes them different? I wanted some specifics!

The chicken or the egg?
NetFlow v9 came first; IPFIX made provisions for it and kept compatibility with it. This is not a tough one to figure out if you look at the RFC numbers.  :? heh heh  Anyway, IPFIX (RFC 5102, Section 5) lists the “Information Element identifiers”, which are kept compatible with the “field types” used by NetFlow v9. These are basically the juicy details of the information that can be exported in a flow record. Some things you will notice right away:

  • The very first ID, ‘1’, is called ‘IN_BYTES’ in NetFlow v9 and ‘octetDeltaCount’ in IPFIX. This is a big deal, because if we are talking about flows, is IN_BYTES really inbound data? (The IPFIX name is the more precise one: it is the number of octets in the flow’s packets since the previous report of that flow.)
  • Another thing I noticed is that NetFlow v9 defines 79 ‘field types’ and IPFIX defines the same 79, but goes on up to 238! Wow.
  • Many of the Reserved Information Element identifiers are actually defined in NetFlow v9 (e.g. field type 3 is ‘FLOWS’ in NetFlow v9 and ‘Reserved’ in IPFIX). This is common when comparing the RFCs: NetFlow v9 defines field types 33, 34, 38, 39, etc. with values, and the same identifiers are all ‘Reserved’ in the IPFIX RFC. It was likely done to keep IPFIX compatible with NetFlow v9 (i.e. the chicken).
  • IPFIX allows an enterprise number to be specified: a field whose identifier has the high bit set is followed by a 32-bit IANA Private Enterprise Number, and under that number the vendor can export whatever proprietary information it wants. This isn’t limited to just SNMP-style information. I MEAN ANYTHING!
  • NetFlow v9, on the other hand, has Flexible NetFlow, which is arguably as flexible as IPFIX. More on this later.
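
To make the header, set and template differences above concrete, here is an added example in Python (mine, not code from this post or from Plixer): a minimal parser that accepts either a NetFlow v9 or an IPFIX datagram, learns the template it carries, decodes a data record naming field 1 as IN_BYTES or octetDeltaCount depending on the version, and handles the IPFIX enterprise bit. Both sample datagrams are constructed inside the block; the enterprise number 4660 and the private element 100 are invented for illustration, and variable-length elements and options sets are deliberately not handled.

```python
import struct
from ipaddress import IPv4Address

# A few identifiers in both namespaces (RFC 3954 field types vs RFC 5102 Information Elements).
# ID 3 is FLOWS in NetFlow v9 but reserved in RFC 5102, as noted above.
V9_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 3: "FLOWS", 4: "PROTOCOL",
            7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPFIX_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 3: "reserved", 4: "protocolIdentifier",
               7: "sourceTransportPort", 8: "sourceIPv4Address",
               11: "destinationTransportPort", 12: "destinationIPv4Address"}
ENTERPRISE_BIT = 0x8000

def parse_header(data):
    """Return (header dict, offset of the first set). IPFIX: 16-byte header whose Length field is
    the message length in octets. NetFlow v9: 20-byte header whose Count field counts records, so
    the datagram boundary has to come from the transport layer."""
    version = struct.unpack_from("!H", data, 0)[0]
    if version == 10:
        _, length, export_time, seq, domain = struct.unpack_from("!HHIII", data, 0)
        return {"version": 10, "end": length, "export_time": export_time,
                "sequence": seq, "domain": domain}, 16
    if version == 9:
        _, count, uptime, secs, seq, source_id = struct.unpack_from("!HHIIII", data, 0)
        return {"version": 9, "end": len(data), "count": count, "sysuptime": uptime,
                "export_time": secs, "sequence": seq, "domain": source_id}, 20
    raise ValueError(f"unsupported export version {version}")

def parse_templates(body, version):
    """Template records: ID, field count, then (identifier, length) pairs. Only IPFIX may set the
    enterprise bit, in which case a 32-bit IANA Private Enterprise Number follows the pair."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid == 0:                      # template IDs start at 256; zero bytes are set padding
            break
        off += 4
        fields = []
        for _ in range(nfields):
            ie, length = struct.unpack_from("!HH", body, off)
            off += 4
            pen = None
            if version == 10 and ie & ENTERPRISE_BIT:
                ie &= 0x7FFF
                pen = struct.unpack_from("!I", body, off)[0]
                off += 4
            if length == 0xFFFF:
                raise NotImplementedError("variable-length elements are not handled in this example")
            fields.append((ie, length, pen))
        templates[tid] = fields
    return templates

def decode_field(ie, length, pen, raw, version):
    if pen is not None:                   # vendor-private element: keep the raw bytes
        return f"enterprise{pen}.{ie}", raw.hex()
    name = (IPFIX_NAMES if version == 10 else V9_NAMES).get(ie, f"ie{ie}")
    if ie in (8, 12) and length == 4:
        return name, str(IPv4Address(raw))
    return name, int.from_bytes(raw, "big")

def parse_message(data, templates=None):
    """Parse one export datagram; templates persist across datagrams via the dict passed in."""
    templates = {} if templates is None else templates
    hdr, off = parse_header(data)
    template_set_id = 2 if hdr["version"] == 10 else 0   # IPFIX Template Set vs v9 Template FlowSet
    records = []
    while off + 4 <= hdr["end"]:
        set_id, set_len = struct.unpack_from("!HH", data, off)
        if set_len < 4:
            raise ValueError("set length smaller than its own header")
        body = data[off + 4:off + set_len]
        if set_id == template_set_id:
            templates.update(parse_templates(body, hdr["version"]))
        elif set_id >= 256:                                # data set; options sets (3 / 1) skipped
            fields = templates.get(set_id)
            if fields is None:
                raise KeyError(f"data set {set_id} arrived before its template")
            rec_len, pos = sum(f[1] for f in fields), 0
            while pos + rec_len <= len(body):              # trailing bytes shorter than a record are padding
                rec = {}
                for ie, length, pen in fields:
                    name, value = decode_field(ie, length, pen, body[pos:pos + length], hdr["version"])
                    rec[name] = value
                    pos += length
                records.append(rec)
        off += set_len
    return hdr, records

def build_sample(version):
    """Constructed sample datagram (not captured traffic): one template, one data record."""
    fields = struct.pack("!HHHHHH", 1, 4, 8, 4, 12, 4)          # bytes, src IPv4, dst IPv4
    nfields = 3
    if version == 10:   # add an assumed vendor-private element 100 under assumed PEN 4660
        fields += struct.pack("!HHI", ENTERPRISE_BIT | 100, 2, 4660)
        nfields = 4
    tmpl = struct.pack("!HH", 256, nfields) + fields
    tmpl_set = struct.pack("!HH", 2 if version == 10 else 0, 4 + len(tmpl)) + tmpl
    payload = struct.pack("!I", 1500) + IPv4Address("10.0.0.1").packed + IPv4Address("192.0.2.10").packed
    if version == 10:
        payload += b"\xab\xcd" + b"\x00\x00"                   # private value, then set padding
    data_set = struct.pack("!HH", 256, 4 + len(payload)) + payload
    body = tmpl_set + data_set
    if version == 10:
        return struct.pack("!HHIII", 10, 16 + len(body), 1243641600, 1, 7) + body
    return struct.pack("!HHIIII", 9, 2, 123456, 1243641600, 1, 7) + body
```

Two things worth noticing when you run `parse_message(build_sample(10))` against `parse_message(build_sample(9))`: the IPFIX header carries a 16-bit Length so the collector knows where the message ends, whereas the v9 header carries a record Count and a sysUpTime and the boundary has to come from UDP; and the template set is ID 2 in IPFIX but FlowSet ID 0 in v9, with data sets starting at 256 in both. A collector that trusts set lengths blindly will read past the buffer on a malformed datagram, which is why the length sanity check is there.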

So, there you have it (i.e. some meat and potatoes).  I could really dig in and blog about the differences in more detail, but maybe later.  First I have to digest the above.  :)

Oh, here is the NetFlow v9 format.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Staying out of the rain using network forecasting

Posted in Denika, SNMP on May 29th, 2009 by nathanh

Yet again, it’s raining here in Maine. I think it has been raining for four days straight and now I’m beginning to get a little antsy to see some sunshine.

Usually, I don’t watch the Weather Channel. I just take every day as it comes and adapt to the weather. If I wake up and it’s rainy and cold, I wear something warmer. If it’s bright and sunny, I wear a t-shirt.
I’m simple that way.

But when we have a run in weather like this, I ask myself: “When is this going to end?!?”
That’s when I break out of my normal habit and check the forecast for the next couple of days. I must admit, there is a sense of peace knowing that the rain SHOULD end by tomorrow night.

Much like monitoring the weather, you can use SNMP to monitor your daily, weekly or even monthly traffic statistics to help you project what tomorrow may bring.

What does your network forecast look like for the next week?

Notice the Port Utilization graph shown above: not only does it provide statistics based on the data collected so far, it also projects future utilization by extending the current trend with those strike lines.

With limited budgets, it’s more difficult to justify spending on a new DS3 circuit for the company. Network performance monitoring applications such as Denika make life easier by forecasting network growth, so that you can see a problem before it ever begins.
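
The arithmetic behind such a projection is short enough to show. The following is an added example in Python (mine, not Denika’s code): it turns a series of SNMP ifInOctets readings into bits per second, handling the 32-bit counter wrap that a Counter32 on a loaded link hits every few minutes, fits a straight line through the rates, and reports how long until the trend crosses a utilization threshold on a DS3. The poll series is constructed in the block, with throughput growing 0.5 Mbit/s per poll and the counter deliberately started near 2^32 so that it wraps during the series.

```python
POLL_INTERVAL = 300            # seconds between SNMP polls
LINK_BPS = 44_736_000          # DS3 payload rate, 44.736 Mbit/s
COUNTER_BITS = 32              # ifInOctets is a Counter32; ifHCInOctets would be 64

def make_samples(start_counter=4_000_000_000, polls=9):
    """Constructed (time, counter) series, not a real poll log: throughput rises 0.5 Mbit/s per
    poll, and the first interval pushes the counter past 2^32 so that it wraps."""
    samples = [(0, start_counter)]
    for i in range(1, polls + 1):
        rate_bps = 30_000_000 + 500_000 * i
        octets = rate_bps * POLL_INTERVAL // 8
        t, c = samples[-1]
        samples.append((t + POLL_INTERVAL, (c + octets) % (1 << COUNTER_BITS)))
    return samples

def counter_rates(samples, bits=COUNTER_BITS):
    """Convert consecutive (time, counter) pairs into (time, bits/s). Modular subtraction absorbs
    one wrap per interval; if a link can wrap a Counter32 more than once between polls (roughly
    34 Gbit per wrap), poll the 64-bit ifHCInOctets instead or the rate is silently wrong."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = (c1 - c0) % (1 << bits)
        rates.append((t1, delta * 8 / (t1 - t0)))
    return rates

def utilization(samples, link_bps=LINK_BPS):
    """Fraction of link capacity in use for each interval."""
    return [(t, rate / link_bps) for t, rate in counter_rates(samples)]

def linear_fit(points):
    """Ordinary least squares: y = slope * x + intercept."""
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return slope, (sy - slope * sx) / n

def seconds_until_threshold(samples, link_bps=LINK_BPS, fraction=0.8):
    """Seconds from the last poll until the fitted trend reaches fraction * link_bps.
    Returns 0.0 if the latest rate is already over the threshold and None if the trend is flat
    or falling (no crossing to forecast)."""
    rates = counter_rates(samples)
    slope, intercept = linear_fit(rates)
    now, current = rates[-1]
    threshold = fraction * link_bps
    if current >= threshold:
        return 0.0
    if slope <= 0:
        return None
    return (threshold - intercept) / slope - now
```

On this series the trend says the link reaches 80% of the DS3 about 13 minutes after the last poll, which is the kind of number that turns a budget conversation from “maybe” into “when”. Over real daily or weekly data the same fit works unchanged; the only extra care is that a Counter32 on anything faster than a DS3 should be replaced by ifHCInOctets before the deltas mean anything.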

Think about this: Would you feel better knowing that tomorrow was always going to be a bright and sunny day?

-Nate


The Null Scan – You’re being watched

Posted in Denika, IT News, NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security on May 28th, 2009 by tomp@plixer.com

Oftentimes, when I’m running around the country setting up Flow Analytics, I don’t see Null Scans pop up. However, recently I’ve visited high profile customers that are big targets for malicious behavior. As we configure Cisco NetFlow on their routers and ASA firewalls, I’ve noticed FA alerting on these packets with no flags set.

The Null Scan is a type of TCP port scan that hackers, both ethical and malicious, use to identify listening TCP ports. In the right hands, a Null Scan can help identify holes to close during server hardening, but in the wrong hands it is a reconnaissance tool. It is a pre-attack probe.

A Null Scan is a series of TCP packets with none of the control flags set: no SYN, ACK, FIN, RST, PSH or URG. No real TCP implementation ever produces such a segment, so in a production environment a flagless TCP packet is never legitimate traffic. Because nothing is set, a Null Scan can sometimes slip past stateless packet filters and edge-router ACLs that only match on particular flags, for example rules that block inbound SYNs.

The expected result of a Null Scan against an open port is no response: RFC 793 tells a listening socket to discard a segment that carries neither SYN, RST nor ACK, so the target drops the packet and sends nothing back. If the port is closed, the target answers with an RST. Two caveats matter when reading the results. A filtering device that silently drops the probe also produces no response, so “open” really means “open or filtered”. And some stacks, notably Microsoft Windows and many Cisco devices, send an RST from every port regardless of state, so against those hosts a Null Scan reports everything as closed and tells the scanner nothing.

Knowing which ports are open is useful to an attacker because it identifies the live devices and the TCP-based application-layer protocols they run.

Cisco NetFlow records summarize the packets of each flow crossing an interface, and they include a TCP flags field (TCP_FLAGS, field type 6 in NetFlow v9; tcpControlBits in IPFIX) that is the cumulative OR of the flags seen on every packet in the flow. A TCP flow record whose flags field is zero therefore means that not one packet in that flow carried a flag, which is exactly the Null Scan signature. Cisco NetFlow coupled with a behavior analysis tool can thus identify when Null Scans are occurring on your network.
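
The detection itself is simple once the flags semantics are clear. Here is an added example in Python (mine, not Flow Analytics code): it decodes the cumulative flags byte of a flow record, flags TCP flows with no bits set, and raises one alert per source that probed several distinct ports, so that a single malformed packet does not page anyone. The flow records are constructed inline; their addresses, ports and counts are sample data, not a real export.

```python
from collections import defaultdict

TCP = 6
# TCP control bits as exported in TCP_FLAGS (NetFlow v9 field type 6) / tcpControlBits (IPFIX).
FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
             ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))

def flag_names(bits):
    """Decode the cumulative flags byte of a flow record. A legitimate TCP flow never decodes to NONE."""
    return " ".join(name for name, bit in FLAG_BITS if bits & bit) or "NONE"

# Constructed sample flow records (not a real export). tcp_flags is the OR of the flags of every
# packet in the flow, so a zero on a TCP flow means no packet in it carried any flag at all.
SAMPLE_FLOWS = [
    {"src": "198.51.100.7", "dst": "10.1.1.10", "dport": 22,   "proto": 6,  "tcp_flags": 0x00, "pkts": 1},
    {"src": "198.51.100.7", "dst": "10.1.1.10", "dport": 80,   "proto": 6,  "tcp_flags": 0x00, "pkts": 1},
    {"src": "198.51.100.7", "dst": "10.1.1.10", "dport": 443,  "proto": 6,  "tcp_flags": 0x00, "pkts": 1},
    {"src": "198.51.100.7", "dst": "10.1.1.11", "dport": 3389, "proto": 6,  "tcp_flags": 0x00, "pkts": 1},
    {"src": "10.1.1.50",    "dst": "10.1.1.10", "dport": 443,  "proto": 6,  "tcp_flags": 0x1B, "pkts": 12},  # normal session
    {"src": "10.1.1.51",    "dst": "10.1.1.10", "dport": 25,   "proto": 6,  "tcp_flags": 0x00, "pkts": 1},   # one stray probe
    {"src": "10.1.1.52",    "dst": "10.1.1.10", "dport": 53,   "proto": 17, "tcp_flags": 0x00, "pkts": 2},   # UDP: flags are meaningless
]

def is_null_scan_flow(flow):
    """A TCP flow whose cumulative flags are zero is the Null Scan signature; ignore non-TCP."""
    return flow["proto"] == TCP and flow["tcp_flags"] == 0

def null_scan_alerts(flows, min_ports=3):
    """Group flagless TCP flows by source and alert once per source that probed at least
    min_ports distinct destination ports. Returns alerts sorted by source address."""
    probes = defaultdict(set)
    for flow in flows:
        if is_null_scan_flow(flow):
            probes[flow["src"]].add((flow["dst"], flow["dport"]))
    alerts = []
    for src, targets in sorted(probes.items()):
        ports = sorted({port for _, port in targets})
        if len(ports) >= min_ports:
            alerts.append({"src": src,
                           "hosts": sorted({host for host, _ in targets}),
                           "ports": ports})
    return alerts
```

Running `null_scan_alerts(SAMPLE_FLOWS)` produces a single alert for 198.51.100.7 covering two hosts and four ports; the lone flagless flow from 10.1.1.51 stays below the threshold, and the UDP record is ignored because its flags field carries no meaning. The threshold is the knob to tune against your own exporters: sampled NetFlow can miss probes, so lower it on sampled interfaces and raise it where you see occasional corrupt packets.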

-Tom Pore
Follow me on Twitter

Plixer simplifies MRTG configuration for network multivendor bandwidth statistics

Posted in Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor on May 27th, 2009 by Jon Mills

If you are not fortunate enough to have equipment that supports Cisco NetFlow technology, but still need to know bandwidth utilization statistics across network links, then there may be no better solution than the combination of SNMP and MRTG.

MRTG (Multi Router Traffic Grapher) is a free software tool, developed by Tobias Oetiker, that uses SNMP (Simple Network Management Protocol) to poll network devices. MRTG stores the retrieved counter values in a log file and generates graphs from that stored data.

There are several third-party network monitoring tools, like Denika, that use MRTG and SNMP as the means to capture this valuable data. In Denika’s case, the functionality of MRTG is extended with a MySQL database, which provides long-term data storage.

If you have ever used MRTG, then you know that it is not easy to configure. MRTG uses a system of templates that tell it which object identifiers (OIDs) to poll on a device, and the device must implement the MIB (management information base) that defines those OIDs, or the poll returns nothing useful.

Plixer has gone a long way toward simplifying this process by making its database of MRTG templates available on the web. In Plixer’s MRTG repository, one can browse a number of different vendors, hardware models and templates. So whether you want to gather port utilization information on your Adtran devices, frame relay utilization on your Cisco Catalyst 6509, or just CPU utilization on your Foundry BigIron switch, it’s much easier to configure MRTG using Plixer’s MRTG repository.

~ Jon Mills


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

Managing IGMP traffic with Cisco NetFlow

Posted in NetFlow, NetFlow Analyzer, Network Problem Resolution, Network Traffic Monitor, Scrutinizer on May 26th, 2009 by Jo-G

With Cisco NetFlow technology and Plixer’s Scrutinizer NetFlow Analyzer and Flow Analytics module, network administrators can now monitor and alert on unwanted transport protocols, such as IGMP.


How to detect anomalies across multiple Cisco NetFlow, sFlow data sources

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on May 25th, 2009 by mike@plixer.com

Anomaly detection across multiple Cisco NetFlow- and sFlow-exporting devices is a topic I believe we engineered well. It is also an important subject, because the same flow is typically seen by several exporters along its path, so performing Network Behavior Analysis across dozens of flow-sending devices is critical to avoid excessive notifications and to gain:
* A global view of the problem.
* Alarm capture at the ingress interface or edge of the network.
* Ease of configuration enterprise wide.

The Flow Analytics Overview shown below lists each algorithm along with the time it takes to run and the count of violations in the last 5 minutes. Click on each value to display a trend.


To add or remove routers from an algorithm, simply click on the router icon shown above. The window below will appear:


Adding and removing routers and switches from each algorithm is simple. Select the drop-down box to jump to another algorithm. Other Flow Analytics blogs can be found here.
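
To show why correlating across exporters cuts the notification count, here is an added example in Python (mine; it illustrates the idea, not Scrutinizer’s implementation). Several routers each export a record for the same suspicious flow; the code collapses those sightings into one alarm, attributes it to a designated edge exporter if one saw the flow and otherwise to the earliest observer (an assumed heuristic for “closest to the source”), and keeps the full observer list for the global view. The records, exporter addresses and timestamps are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: one flagless TCP probe seen by three exporters on its path, plus one alarm
# seen by a single exporter. "first" is the flow start time already converted to absolute epoch
# seconds; NetFlow v9 FIRST_SWITCHED is relative to the exporter's sysUptime and must be
# normalized using the header's unix_secs and sysUptime before times are compared across devices.
PROBE = {"src": "198.51.100.7", "dst": "10.1.1.10", "sport": 40000, "dport": 22,
         "proto": 6, "alarm": "null_scan"}
RECORDS = [
    {**PROBE, "exporter": "10.255.0.3", "in_if": 2, "first": 1243641607},   # core router
    {**PROBE, "exporter": "10.255.0.1", "in_if": 5, "first": 1243641600},   # Internet edge, saw it first
    {**PROBE, "exporter": "10.255.0.2", "in_if": 9, "first": 1243641604},   # distribution switch
    {"src": "10.1.1.77", "dst": "10.1.1.20", "sport": 51000, "dport": 445, "proto": 6,
     "alarm": "xmas_scan", "exporter": "10.255.0.2", "in_if": 12, "first": 1243641650},
]

def flow_key(rec):
    """Identity of a flow across exporters: the alarm type plus the 5-tuple."""
    return (rec["alarm"], rec["src"], rec["dst"], rec["sport"], rec["dport"], rec["proto"])

def correlate(records, edge_exporters=frozenset()):
    """Collapse per-exporter sightings of one flow into a single alarm. Attribute it to a known
    edge exporter if one saw the flow, otherwise to the earliest observer (assumed nearest the
    source). Every observer is retained so the alarm still gives the global view."""
    sightings = defaultdict(list)
    for rec in records:
        sightings[flow_key(rec)].append(rec)
    alarms = []
    for key, obs in sorted(sightings.items()):
        obs.sort(key=lambda r: r["first"])
        edge = next((r for r in obs if r["exporter"] in edge_exporters), obs[0])
        alarms.append({
            "alarm": key[0], "src": key[1], "dst": key[2], "dport": key[4],
            "reported_by": edge["exporter"], "ingress_if": edge["in_if"],
            "observers": [r["exporter"] for r in obs],
            "suppressed": len(obs) - 1,      # notifications avoided by correlating
        })
    return alarms
```

With the sample records, `correlate(RECORDS)` returns two alarms instead of four: the probe is reported once, by 10.255.0.1 on ifIndex 5, with all three observers listed and two duplicate notifications suppressed. Passing `edge_exporters={"10.255.0.2"}` overrides the time-based guess with an explicit edge, which is the safer choice whenever exporter clocks are not trustworthy.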

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

Network traffic monitoring dashboard: Have it your way

Posted in NetFlow, Network Traffic Monitor, Scrutinizer, sFlow on May 23rd, 2009 by mike@plixer.com

Since nearly the start of my career I’ve been hearing from customers that they want some sort of summary view for the helpdesk or Network Operations Center. Typically I ask, “what should we put in it?” and usually I hear things like “summary information”; other times I get a few more details, like “devices that are having performance problems, failed devices, alarms, etc., you know, stuff like that.”

The truth is many of us aren’t sure about what we want to see, but feel fairly confident that we’ll know it when we see it.  It can be tough to build an interface around limited information. We set out to do this with MyView, which is a form of ‘mashup’ as described by the Gartner Group:

“By 2012, one-third of analytic applications applied to business processes will be delivered through coarse-grained application mashups.”

Our office has two 48-inch LCDs hanging from the ceiling and each displays a unique MyView. One side displays the sales team and the other the support team.  Here is what we see:


You can see in the upper right hand corner that I am definitely slacking today. I’ve been on the phone today for 20 minutes for only four calls and I put only one note into our CRM. You can click on the numbers and bring up details of the actual calls I made.

I can see that Jay isn’t at his desk, as shown via the webcam at our remote office. I hope we don’t get in trouble! In the lower right are the busiest Cisco NetFlow- and sFlow-capable interfaces on our network. Notice that all are currently underutilized.

My point is that we are looking at what we want to see in our call center. This is because the MyView interface in Scrutinizer is completely customizable and can include third-party applications. It is very simple to create your own gadgets. We include dozens of gadgets for things such as alarms, VoIP, network mapping, etc. Call us if you need help getting started.

You can see a brief clip of our LCDs at the end of the D.C. Douglas video.

Have fun.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

NetFlow: Protecting intellectual property rights

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Monitor, Scrutinizer on May 22nd, 2009 by Jon Mills

With the founders of the BitTorrent tracking website The Pirate Bay recently sentenced to a year in jail, as well as being ordered to pay $4.5 million in damages, it has never been more important for corporations to be aware of what their networks are being used for.

We have previously discussed the importance of keeping a good Internet usage policy, but that is really just the first step in keeping a company legally secure against illicit Internet usage. Sure, there’s some great material on YouTube, which can often be very informative and very related to one’s job. However, there is very little that someone can find with BitTorrent and related sources that isn’t violating someone’s intellectual property rights. Why put the corporation at risk? Everyone can make their own choice about whether to participate in the illegal downloading of movies, music, software, etc. from the privacy of their own home. But when it’s on the company’s network, it becomes the company’s responsibility.

Using the Cisco NetFlow technology with Scrutinizer’s Flow Analytics module to monitor Internet traffic patterns can not only bring traffic that is harmful to the network to the forefront (e.g. Conficker worm, Xmas Tree scans, etc.), it can expose traffic that is harmful to a company’s wallet and image.

Have you already used Flow Analytics to catch BitTorrent traffic on your network?


Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

NetFlow IP Groups idea in Scrutinizer v7

Posted in NetFlow, NetFlow Analyzer, Network Traffic Monitor, Scrutinizer, sFlow on May 21st, 2009 by mike@plixer.com

I’m playing with Application Groups in Scrutinizer v7, where you can define ranges of ports and IP addresses to define applications. Seems I can also use it for IP grouping:


Notice that the above is a bidirectional trend, which can be more useful than pie charts, but we do both:


All of the above works, of course, with Cisco NetFlow, sFlow, IPFIX, J-Flow, etc.  It’s all network traffic monitoring using ‘flows’.

Michael Patterson
Scrutinizer Product Manager
Follow Me on Twitter

U.K. researches into 10Gbps Internet access for consumers

Posted in IT News on May 20th, 2009 by NewsTrax

Last month we wrote about Terabit Ethernet and cited industry experts as saying that the first commercial use of Terabit Ethernet could come as soon as 2015 (imagine doing network traffic monitoring at that speed!). This month comes news that a U.K. research agency is investing GBP1 million to help companies research the commercial release of Internet access at speeds of between 1Gbps and 10Gbps. The agency, the Technology Strategy Board, says those speeds are between 100 and 1,000 times faster than the broadband speeds available to British consumers today.

The studies, each funded to the tune of between GBP30,000 and GBP100,000, include research with such heady titles as “high volume photonic packaging for bi-di components” and “feasibility examination of low cost, tunable ONUs (optical network units) for WDM PONs (passive optical networks)”.

The agency says the studies would be used to establish European collaborations that would participate in larger EU-funded research and development initiatives. The result could be a pan-European Ultra Fast Broadband, and “could see European companies gaining a massive competitive advantage on a global scale,” the agency says.

The agency doesn’t provide dates or timeframes for the projects. In the meantime, U.K. ISP Virgin Media earlier this month said it has started customer pilots of 200Mbps Internet access. Virgin is working with Cisco to test what the ISP says is the world’s fastest implementation of DOCSIS 3. Virgin notes that J:Com in Japan supplies broadband at up to 160Mbps, while Cablevision in the U.S. offers 101Mbps. Some 100 ‘lead adopters’ in Ashford, Kent are trialling the Virgin ultrafast network for full high-definition and 3D TV.

Elsewhere in the world, South Korea is reported to be working on giving its citizens 1Gbps Web connections by 2012. The government there is planning to invest up to a third of the $24.6 billion it will cost to introduce the 1Gbps network. The rest will come from private carriers, reports Engadget.
