Cisco ASA NetFlow supports bidirectional flows

Posted in ASA, NetFlow, NetFlow Analyzer, Network Health Report, Scrutinizer on October 14th, 2009 by jimmyd

If you are running Scrutinizer v7.01, the Cisco ASA interfaces don’t show up in the Status tab yet. It was a philosophical decision. Here’s why:

The ASA running v8.2.1 exports bidirectional NetFlow, which is unlike anything else we've seen. In nearly all NetFlow exports (v5, v9, IPFIX, etc.) each flow is exported in one direction: one record for A -> B and a separate record for B -> A. This is true for ingress and egress NetFlow alike. For example, say A -> B creates a flow of 200KB and the return traffic B -> A creates a second flow of 40KB. The ASA's developers decided to be unique and add the two together, exporting a single record: A -> B 240KB. A record that carries both directions of a conversation in one counter is called a bidirectional flow.

Because of this, when we calculate percent utilization from NetFlow (rather than from SNMP) by adding the flows together, we overstate inbound/outbound utilization in the Status tab: the return bytes get charged to the same direction as the initiating bytes. We are talking with Cisco about this unconventional export method but have no definitive news yet.

NOTE: The ASA also doesn't support an active timeout. A long-lived conversation is reported only once, when it tears down, so traffic that actually occurred over several minutes shows up in a single minute. That causes huge spikes in the graphs and makes network traffic analysis tricky.
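Both effects are easy to see in a small model. The Python below is an added example, not code from Plixer, Scrutinizer or Cisco: it charges the post's 200KB/40KB conversation to a direction the way an ordinary collector would, shows what the same conversation looks like when it arrives as one 240KB ASA-style record, and bucketizes a flow that was reported only at teardown with and without spreading its bytes over its lifetime. The FlowRecord layout, the 10.0.0.0/8 inside range and the timestamps are assumptions made for the example.

```python
# Added worked example; this is not Plixer, Scrutinizer or Cisco code.
# It models the two ASA export behaviours described above:
#   1. a bidirectional record carries A->B and B->A bytes in one counter, so a
#      collector that charges it to one direction mis-states in/out utilization;
#   2. with no active timeout a long conversation is exported once, at teardown,
#      so charging all of its bytes to the export minute produces a spike.
# Record fields, addresses, byte counts and the 10.0.0.0/8 "inside" range are
# constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowRecord:
    src: str             # source address (the initiator, for a bidirectional record)
    dst: str
    octets: int          # bytes in this record: one direction, or both directions summed
    start: int           # first-packet time, seconds since epoch
    end: int             # last-packet / export time, seconds since epoch
    bidirectional: bool  # True when octets already includes the return direction


INSIDE = ip_network("10.0.0.0/8")  # assumed address space behind the firewall


def naive_direction_totals(records):
    """Charge every record to one direction based on its source address.

    Correct for ordinary unidirectional exports; for a bidirectional record it
    books the return bytes as outbound too (the overstatement in the Status tab).
    """
    out = inb = 0
    for r in records:
        if ip_address(r.src) in INSIDE:
            out += r.octets
        else:
            inb += r.octets
    return out, inb


def direction_totals(records):
    """Return (outbound, inbound, unattributed) bytes.

    A single combined counter cannot be split back into directions, so a
    bidirectional record is reported as conversation bytes under 'unattributed'
    rather than inflating either direction.
    """
    out = inb = unattributed = 0
    for r in records:
        if r.bidirectional:
            unattributed += r.octets
        elif ip_address(r.src) in INSIDE:
            out += r.octets
        else:
            inb += r.octets
    return out, inb, unattributed


def bucketize(records, bucket_secs=60, spread=True):
    """Return {bucket_start_time: bytes}.

    spread=False charges all bytes to the bucket holding the record's end time,
    which is what a collector gets from an exporter with no active timeout.
    spread=True apportions bytes over every bucket the flow overlapped, in
    proportion to the time spent in each (an approximation: packets need not
    have been evenly paced, but it removes the artificial spike).
    """
    totals = defaultdict(int)
    for r in records:
        if not spread or r.end <= r.start:
            totals[(r.end // bucket_secs) * bucket_secs] += r.octets
            continue
        duration = r.end - r.start
        b = (r.start // bucket_secs) * bucket_secs
        while b < r.end:
            overlap = min(r.end, b + bucket_secs) - max(r.start, b)
            totals[b] += round(r.octets * overlap / duration)
            b += bucket_secs
    return dict(totals)


if __name__ == "__main__":
    # The post's example: A -> B 200KB and B -> A 40KB (constructed addresses).
    A, B = "10.1.1.1", "203.0.113.5"
    unidirectional = [FlowRecord(A, B, 200_000, 1000, 1600, False),
                      FlowRecord(B, A, 40_000, 1000, 1600, False)]
    asa_style = [FlowRecord(A, B, 240_000, 1000, 1600, True)]
    print("router export, out/in :", naive_direction_totals(unidirectional))
    print("ASA export, naive     :", naive_direction_totals(asa_style))
    print("ASA export, aware     :", direction_totals(asa_style))
    print("no active timeout     :", bucketize(asa_style, spread=False))
    print("spread over duration  :", bucketize(asa_style))
```

With the ordinary export the collector sees 200,000 bytes out and 40,000 in; the ASA-style record makes the naive path report 240,000 out and nothing in, while the aware path reports 240,000 conversation bytes and no direction at all, which is the honest answer when the exporter gives you one counter. Spreading bytes across the flow's start and end times is an approximation (the packets may have been bursty), but it keeps a ten-minute conversation from landing in one bar of the graph: the 240,000-byte flow becomes 8,000 bytes in the partial first minute, 24,000 in each full minute and 16,000 in the last.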

If you are seeing some screwy results with ASA and NSEL, the above is why. Anyway, everyone can blame Mike for not sticking the data in the Status tab!

Here is a pic of our ASA: [image: Our Cisco ASA]

Need help configuring NetFlow export from the ASA? You can also set up NetFlow export using Cisco ASDM. Make sure you have watched the Cisco ASA and NetFlow training video.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Create your own NetFlow tools with Scrutinizer

Posted in NetFlow Analyzer on October 8th, 2009 by jimmyd

I was working with a call center that had a problem with high bandwidth usage, and the administrator wanted to know whether Scrutinizer NetFlow & sFlow Analyzer would be able to help him out. They were seeing a lot of Facebook traffic on their network and wanted to be able to see if it was coming from the call center.

I let him know that with Scrutinizer, he could add a filter to show him all of the Facebook traffic on his network and limit it to the traffic from a certain IP range. He could also add a filter that would monitor his NetFlow data and alert if a certain amount of Facebook traffic originated from that IP range.
Read more »


NetFlow Detective – Hidden behind a wall

Posted in NetFlow Analyzer, Netflow Detective on August 31st, 2009 by jimmyd

It was a warm day here at the office, warmer than most. I was getting up to get a drink of water when she walked in. She was a beautiful dame, but in my world they are all beautiful. This one was different. She had a mission. She needed something.


Read more »


The low down on Cisco ASA’s NetFlow

Posted in NetFlow, NetFlow Analyzer on August 26th, 2009 by jimmyd

We just released the new Scrutinizer 7.0 and finished shooting the new NetFlow Rap video. Things have been crazy here at work.

I just saw a tweet asking how NetFlow is handled on the ASA. Since Scrutinizer handles the flows from the ASA, I thought I would post the information I have from Cisco explaining how NetFlow is handled in the ASA.

Read more »


Can I save the world one coffee cup at a time?

Posted in General on July 18th, 2009 by jimmyd

Now for something completely different . . . . .

I don't know why, but I got it in my head to reuse the Kcups in our office coffee machine. Don't get me wrong, the Keurig single-cup coffee maker is awesome. I have one at home, but I could never get over throwing the little cups away. It seemed a waste.

At home, I have the reusable containers, which eliminate the need for the prepackaged Kcups. After a quick Google search I found little plastic lids that cover the Kcup and let you reuse it. I figured I could replicate that here in the office.

Read more »


Free Wireshark training – Packet capture 101

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on July 11th, 2009 by jimmyd

I use Wireshark all the time. In general, I just scratch the surface by using it to test whether or not NetFlow is coming into Scrutinizer.

Golden Rule: Using an external third-party application, like Wireshark,  to test connectivity helps establish credibility in any situation.

Most people I speak with have a general understanding of what a packet capture is. The problem is that they don't know how to gather the data, or how to use it once they have it. So I thought I would do a little homework and find some resources that provide basic Wireshark training for the busy IT professional.

Read more »


Nortel switches and IPFIX – A mixed message?

Posted in NetFlow, NetFlow Analyzer on June 22nd, 2009 by jimmyd

I was looking at a Wireshark packet capture of some IPFIX traffic coming from a Nortel switch and quickly saw a few things that puzzled me. At first I started splitting hairs, because I was thinking that if Nortel is going to market IPFIX support, it should adhere to the standard (RFC 5101).

Then again, it might have better luck working with the various NetFlow traffic analyzer solutions on the market if it makes the exported data look like Cisco NetFlow v9.

Read more »
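For the "is NetFlow actually arriving?" check from the Wireshark post above, and for the question this post raises (does the device send RFC 5101 IPFIX, or something shaped like NetFlow v9?), the export packet header alone answers both. The Python below is an added example, not Plixer, Cisco or Nortel code: it decodes the v5, v9 and IPFIX headers, reports which one the exporter speaks, and flags a header whose count or length field disagrees with the bytes received. The UDP port 2055 default and the sample packets are constructed, not captured from any device.

```python
# Added example; not Plixer, Cisco or Nortel code. Decodes the export packet
# header so you can confirm that flows are arriving and see what the exporter
# actually speaks: NetFlow v5 (version 5), NetFlow v9 (version 9, RFC 3954) or
# IPFIX (version 10, RFC 5101). The sample packets at the bottom are built by
# hand, not captured from any device.
import socket
import struct

# Header layouts, network byte order. Sizes: v5 = 24 bytes, v9 = 20, IPFIX = 16.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, sysuptime, unix_secs,
                                          # unix_nsecs, flow_sequence, engine_type,
                                          # engine_id, sampling_interval
V5_RECORD_LEN = 48                        # every v5 flow record is fixed size
V9_HEADER = struct.Struct("!HHIIII")      # version, count, sysuptime, unix_secs,
                                          # sequence, source_id
IPFIX_HEADER = struct.Struct("!HHIII")    # version, length, export_time,
                                          # sequence, observation_domain_id


def parse_export_header(data):
    """Return a dict describing the export packet, or raise ValueError.

    'consistent' is False when the header's own count/length field does not
    match the bytes received: a quick way to catch an exporter that labels
    packets one way and lays them out another.
    """
    if len(data) < 2:
        raise ValueError("packet too short for a version field")
    version = struct.unpack_from("!H", data)[0]
    if version == 5:
        if len(data) < V5_HEADER.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, _, unix_secs, _, seq, _, engine_id, _ = V5_HEADER.unpack_from(data)
        return {"version": 5, "name": "NetFlow v5", "records": count,
                "export_time": unix_secs, "sequence": seq, "source_id": engine_id,
                "consistent": len(data) == V5_HEADER.size + V5_RECORD_LEN * count}
    if version == 9:
        if len(data) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _, unix_secs, seq, source_id = V9_HEADER.unpack_from(data)
        # v9 counts records (template + data), not bytes, so only a lower bound
        # can be checked: any record needs at least a 4-byte FlowSet header.
        return {"version": 9, "name": "NetFlow v9", "records": count,
                "export_time": unix_secs, "sequence": seq, "source_id": source_id,
                "consistent": count == 0 or len(data) >= V9_HEADER.size + 4}
    if version == 10:
        if len(data) < IPFIX_HEADER.size:
            raise ValueError("truncated IPFIX header")
        _, length, export_time, seq, domain = IPFIX_HEADER.unpack_from(data)
        # IPFIX carries the total message length in bytes (RFC 5101 section 3.1).
        return {"version": 10, "name": "IPFIX", "length": length,
                "export_time": export_time, "sequence": seq, "source_id": domain,
                "consistent": length == len(data)}
    raise ValueError(f"unrecognised export version {version}")


def listen(port=2055, packets=1):
    """Bind the collector port and report the first few export packets seen."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    seen = []
    while len(seen) < packets:
        data, (host, _) = sock.recvfrom(65535)
        try:
            info = parse_export_header(data)
        except ValueError as exc:
            info = {"error": str(exc)}
        info["exporter"] = host
        seen.append(info)
        print(info)
    return seen


# Constructed sample packets (not real captures): header plus dummy payload.
SAMPLE_V5 = V5_HEADER.pack(5, 1, 123456, 1255500000, 0, 42, 0, 0, 0) + bytes(V5_RECORD_LEN)
SAMPLE_V9 = V9_HEADER.pack(9, 2, 123456, 1255500000, 7, 99) + bytes(12)
SAMPLE_IPFIX = IPFIX_HEADER.pack(10, 16 + 12, 1255500000, 7, 99) + bytes(12)
SAMPLE_IPFIX_BAD = IPFIX_HEADER.pack(10, 100, 1255500000, 8, 99) + bytes(12)

if __name__ == "__main__":
    for pkt in (SAMPLE_V5, SAMPLE_V9, SAMPLE_IPFIX, SAMPLE_IPFIX_BAD):
        print(parse_export_header(pkt))
```

Run listen() on the collector host (stop the real collector first, or pick a spare port and point one exporter at it) and the first packet tells you the exporter address, the version it really sends and whether its header is internally consistent. A device that advertises IPFIX but produces version 9 headers, or a version 10 header whose length field does not match the datagram, shows up immediately, which is the same thing the Wireshark dissector would tell you, with no GUI needed.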


Why Scrutinizer is a great free NetFlow collector

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on June 9th, 2009 by jimmyd

We are all trying to get more bang for our buck, but what if you are looking for a free Cisco NetFlow alternative? What is the best option? The good news is that, even if you are just looking for a free Cisco NetFlow monitoring application, Scrutinizer will meet or exceed your needs!

A lot of people ask me, “Can you send me the free version of Scrutinizer?” They don’t understand that when you download Scrutinizer from the Plixer website, you automatically get the FREE version.

The Scrutinizer free version is perfect for dealing with network congestion and troubleshooting other issues. You are able to store 24 hours worth of data, drill down through that data and export the data to be used in your favorite application.

“But I don’t have a NetFlow capable device.” Not a problem. A while ago, I wrote a blog post titled “Cisco NetFlow traffic analysis now within reach of small businesses,” which talks about how to flash your lower end router to enable NetFlow. My Product Manager wrote a post about using nProbe, which gives you the ability to generate Cisco NetFlow traffic from just about any router or switch.


NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings them to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches.” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list, something caught my attention. It appeared the attacks were coming from a 66.122.5.200 address. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who was trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked the user name that was running that service. The user name was abcnm, and it had been created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed over for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” asked Joe.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face. The kind of anger you see when the senior quarterback misses the last touchdown in the last second of his last game ever.

“Arggg, I would have gotten away with it if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh, I see,” said Joe. “Well, I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real life call. Some of the names have been changed to protect the innocent.
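The report that broke the case, a custom report of every conversation to and from one outside address, is a small piece of logic over flow records. The Python below is an added example, not Scrutinizer code, and it serves both this post and the "Create your own NetFlow tools with Scrutinizer" post above: conversation_report groups every flow to or from a peer address by inside host and port (the story's 66.122.5.200 and port 6609 are kept), and range_to_service_alert implements the filter-plus-threshold idea, summing bytes from one source range to a set of destination ranges and raising an alert past a limit. The flow records, the 10.x inside hosts and the 203.0.113.0/24 "watched service" block are constructed; nothing here identifies real Facebook addresses.

```python
# Added example; not Scrutinizer code. Two reports over decoded flow records:
#   conversation_report: all traffic to or from one outside address, merged per
#                        inside host and port (the report from the story above);
#   range_to_service_alert: bytes from an address range to a set of destination
#                        ranges, with a threshold (the Facebook filter idea).
# Records and every address except the story's 66.122.5.200 are constructed;
# 203.0.113.0/24 stands in for whatever ranges you have identified as the
# service you want to watch.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# (src, dst, dst_port, bytes) as a collector might hold them after decoding.
FLOWS = [
    ("10.20.30.15", "66.122.5.200", 6609, 48_212),
    ("10.20.30.15", "66.122.5.200", 6609, 51_900),
    ("66.122.5.200", "10.20.30.15", 6609, 1_480),
    ("10.20.30.7",  "198.51.100.9", 443,  9_010),
    ("10.20.31.40", "203.0.113.21", 443,  820_000),
    ("10.20.31.41", "203.0.113.22", 443,  640_000),
    ("10.20.5.3",   "203.0.113.21", 443,  12_000),
]

INSIDE = ip_network("10.0.0.0/8")  # assumed address space behind the firewall


def conversation_report(flows, peer):
    """Return [(inside_host, port, bytes)] for every flow to or from `peer`,
    both directions merged per (host, port), largest conversation first."""
    peer = ip_address(peer)
    totals = defaultdict(int)
    for src, dst, port, octets in flows:
        s, d = ip_address(src), ip_address(dst)
        if d == peer and s in INSIDE:
            totals[(src, port)] += octets
        elif s == peer and d in INSIDE:
            totals[(dst, port)] += octets
    return sorted(((h, p, b) for (h, p), b in totals.items()), key=lambda t: -t[2])


def range_to_service_alert(flows, src_range, service_ranges, threshold_bytes):
    """Sum bytes from hosts in `src_range` to any address in `service_ranges`.
    Return (total_bytes, alert, top_talkers) where top_talkers is a list of
    (host, bytes) sorted largest first."""
    src_range = ip_network(src_range)
    service_ranges = [ip_network(n) for n in service_ranges]
    per_host = defaultdict(int)
    for src, dst, _, octets in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in src_range and any(d in n for n in service_ranges):
            per_host[src] += octets
    total = sum(per_host.values())
    top = sorted(per_host.items(), key=lambda kv: -kv[1])
    return total, total >= threshold_bytes, top


if __name__ == "__main__":
    for host, port, octets in conversation_report(FLOWS, "66.122.5.200"):
        print(f"{host:14} port {port:5} {octets:>10} bytes")
    total, alert, top = range_to_service_alert(
        FLOWS, "10.20.31.0/24", ["203.0.113.0/24"], 1_000_000)
    print("call-center range -> watched service:", total, "bytes,",
          "ALERT" if alert else "ok", top)
```

On the constructed records the conversation report returns a single row, 10.20.30.15 on port 6609, which is the workstation-and-port answer the story turns on; the threshold report sums the two 10.20.31.0/24 hosts to 1,460,000 bytes and fires, while the same filter applied to 10.20.5.0/24 totals 12,000 bytes and stays quiet.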


New Linux NetFlow collector now with Flow Analytics

Posted in General, Network Problem Resolution on April 27th, 2009 by jimmyd

Back in January, we discussed how to analyze NetFlow data on a Linux server with Scrutinizer for Linux. Now the excitement continues with the release of Flow Analytics 2.0 for Linux! Not only are Linux users able to run one of the industry’s strongest NetFlow collectors and reporting tools, but now they can dig deeper with Flow Analytics.

With Flow Analytics you are able to detect and alert on certain network traffic patterns, using the same NetFlow collection mechanisms found in Scrutinizer. These patterns include things like port scans, DDoS attacks, P2P traffic and more. Along with that, it generates top reports across all of your NetFlow devices at once. Imagine being able to see all of the top talkers, number of unique hosts, top domains, top countries and more, across all of your NetFlow-sending routers.

I have provided the tar ball and install instructions below. The Flow Analytics demo requires a Plixer engineer for the install, and I would be more than happy to assist.

Scrutinizer Install Instructions – http://www.plixer.com/files/scrutinizer_linux_install_instructions.txt

Scrutinizer tar ball – http://files.plixer.com/plixer-scrutinizer-linux.tar.gz
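As an added example of the kind of pattern Flow Analytics is described as detecting (this is not Plixer code), the Python below picks port scans out of flow records: a source that probes many distinct ports on one host, or one port across many hosts, within a time window, counting only probe-sized flows so that a busy but legitimate server is not flagged. The records, addresses, window and thresholds are constructed for the example.

```python
# Added example; not Flow Analytics or Scrutinizer code. Detects two scan
# shapes from flow records:
#   vertical   - one source touches many distinct ports on one destination
#   horizontal - one source touches one port on many destinations
# Only tiny flows (probe-sized, a few packets and bytes) are counted, so a
# host that legitimately talks to many peers with real data is not flagged.
# Records, addresses, the 60-second window and the fan-out thresholds are
# constructed for illustration.
from collections import defaultdict

# (timestamp, src, dst, proto, dst_port, packets, bytes)
FLOWS = [
    # a vertical sweep of 40 ports on one target, one 60-byte packet each
    *[(960 + i, "10.9.8.7", "10.1.1.10", 6, 20 + i, 1, 60) for i in range(40)],
    # normal traffic from a different host: large flows, not probes
    (965, "10.1.1.20", "10.1.1.10", 6, 80, 120, 95_000),
    (970, "10.1.1.20", "10.1.1.30", 6, 445, 300, 410_000),
    # a horizontal sweep: port 22 on 30 hosts
    *[(2000 + i, "10.9.8.8", f"10.1.2.{i}", 6, 22, 1, 60) for i in range(1, 31)],
]


def detect_scans(flows, window=60, port_fanout=20, host_fanout=20,
                 max_bytes_per_flow=200):
    """Return a list of findings, each a dict with the scanning source, the
    kind of sweep, its target (host or port), the distinct count behind it
    and the start of the window in which it happened."""
    vertical = defaultdict(set)    # (window_start, src, dst)  -> {dst ports}
    horizontal = defaultdict(set)  # (window_start, src, port) -> {dst hosts}
    for ts, src, dst, _proto, dport, _pkts, octets in flows:
        if octets > max_bytes_per_flow:
            continue               # real data transfer, not a probe
        w = (ts // window) * window
        vertical[(w, src, dst)].add(dport)
        horizontal[(w, src, dport)].add(dst)

    findings = []
    for (w, src, dst), ports in vertical.items():
        if len(ports) >= port_fanout:
            findings.append({"src": src, "kind": "vertical", "target": dst,
                             "count": len(ports), "window": w})
    for (w, src, port), hosts in horizontal.items():
        if len(hosts) >= host_fanout:
            findings.append({"src": src, "kind": "horizontal", "target": port,
                             "count": len(hosts), "window": w})
    return findings


if __name__ == "__main__":
    for f in detect_scans(FLOWS):
        print(f"{f['src']} {f['kind']} scan of {f['target']}: "
              f"{f['count']} distinct in window starting {f['window']}")
```

The per-window sets are the whole detector: the thresholds say how many distinct ports or hosts a single source may touch with empty flows before it is reported, and the byte cap is what separates a probe from a connection that actually carried traffic. Tune window and fan-out to your network; the values here only demonstrate the shape.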
