Using Scrutinizer NetFlow Analyzer, he was able to respond to the RIAA’s (Recording Industry Association of America) allegations of students illegally downloading or sharing of music.

“With upwards of 3,100 students calling the residence halls ‘home,’ it’s our job to make sure the data flow is running efficiently. Scrutinizer NetFlow Analyzer allows us to accomplish this with powerful reporting, dynamic traffic analysis, automated features and convenient archiving. We’ve also found the archiving capability extremely useful for forensic analysis.” – Rick Coloccia

Read more on how Scrutinizer resolved this and other network traffic issues in the EducationNews.org article, “SUNY Geneseo Leverages Scrutinizer NetFlow Analyzer to Monitor Network Behavior during RIAA Crackdown and Beyond“.

- Joanne

A situation arose for Jim where his wife and daughter would be in Florida caring for his parents while he was still here in Maine. The geek that he is, he didn’t want distance to keep them apart.

So he decided to provide voice, video, and network monitoring while they were in Florida. To achieve this, he decided to set up a small embedded server rack in his parents’ Florida home. This would allow for VoIP, Video, network traffic monitoring, and a web server.

This was his goal (Hi Kim!):

And here are the components that make up the remote monitoring solution to achieve that goal:

• The router is a Linksys WRT-54GTM with 32k running DD-WRT, which supports rFlow.

• The server is an HP t5700 Thin client running XP Embedded. The entire unit runs in flash memory and recovers from a reboot nicely. It is also a great client for magicJack (VoIP).

• magicJack – plug the adapter into one of the many USB ports, connect your phone and you have unlimited calls nationwide. Cost: $40, and you do not violate the ToS.

• The Dude – The Dude network monitor is a new application by MikroTik, which can dramatically improve the way you manage your network environment. It will automatically scan all devices within specified subnets, draw and layout a map of your networks, monitor services of your devices and alert you in case some service has problems. Also, The Dude is free of charge!

• Abyss embedded web server – Abyss Web Server enables you to host your Web sites on your computer. It supports secure SSL/TLS connections (HTTPS) as well as a wide range of Web technologies. This server application is super thin and runs very well. And is also free!

• The camera is a Panasonic BL-C111A MPEG-4 Pan/Tilt PetCam Network Camera – You can log into it via the web and move it around remotely.

Jim had everything shipped to him in Maine, set it all up and tested it. He wanted to make sure it was a simple and seamless install for his wife. He also added a small surge protector.  After configuring and testing, he shipped the entire unit, still assembled, to her. All she had to do was to take the unit out of the box, plug the surge protector into the wall, the network cable into the wan port on the router, and her laptop into one of the LAN ports.

Jim also provided simple instructions on how to get the outside IP address of the router. She then IM’d the IP address to Jim. He logged into the cable modem, opened the RDP port, and Voila! He can now monitor his wife and daughter over a thousand miles away!

And to see the network traffic utilization, simply configure the router to export the rFlow packets to Scrutinizer NetFlow Analyzer, and here you go:

Although this seems like overkill for a home implementation, it is a great example of how to simplify the monitoring of remote offices.  As we see more and more employees telecommuting, optimal bandwidth utilization is now business critical. With the above configuration, your favorite NetFlow monitoring application see bottlenecks when they happen and gives you the information that you need to fix them.

Thank you, Jimmy D. for taking us another step into the technology of the 21st century!

- Joanne

David points out that with the low initial cost for Scrutinizer NetFlow & sFlow Analyzer, it is a very affordable Flow Analytics solution for small and medium-sized businesses.

This flow analysis tool can also be deployed centrally and accessed globally via the web interface.  What this means is that one install of Scrutinizer can provide network management information for your entire network and accessible by everyone on the network management team, regardless of geographical location.

David also mentions that Scrutinizer is an SaaS application, which, I suppose if you consider it is hosted by your own company and accessed over the Internet, could be loosely interpreted as SaaS.  But I wouldn’t truly call Flow Analytics SaaS.

In David’s words, “Scrutinizer 7.5 also monitors network behavior activity and helps to detect various types of attacks. The addition of a new reporting tool, the matrix, lets admins visually assess threats. Spam bots are easily recognizable.”

Very nice article regarding another option for network analysis.  Thank you David.

- Joanne

While the network maps in Scrutinizer can make the traffic flow on your network easier to visualize and congested links quicker to spot, adding more visual definition to your maps will make them more user friendly and understandable by more members of your organization.

So how do you spice up your NetFlow data and breathe some life into your network utilization maps? Try combining a tool created for home design with a network monitoring tool to create incredible network maps.

For example, using Floorplanner, you can create 2D and 3D floor plans of your office space,  including furniture. Then add to that a network management tool such as Scrutinizer NetFlow and sFlow Analyzer.  With the network mapping tool in Scrutinizer, you can add links to each desktop, printer, webcam, etc., from your switches and routers in the wiring closet.

Performance review coming up soon? Imagine a 3D office network map, such as the example below, displayed on a large screen monitor in your NOC. Could anything be more impressive?

With this map displayed on a screen in your NOC, network utilization is visible to all.

Network slow? With this network map and the floor plan of your office, you can see who’s the bandwidth hog, where they sit, and with a NetFlow Analyzer tool, you can drill into their link, and Cisco NetFlow technology provides the detail on what they are doing.

- Joanne

And what needs to be included in that price? Staff to support the network? Network Monitoring hardware and software? Office space to house the staff and equipment?

Network Monitoring is not inexpensive. But with more and more demand on network resources every day, it also cannot be overlooked or skimped on.

Depending on your geographical location, the cost for staffing your network management team will vary and may or may not be something you have much flexibility with. Keeping your staff small and hiring entry level are options.

Hardware and software requirements for network monitoring depend on your network configuration.

If your routers and switches support NetFlow, exporting NetFlow to a flow analyzer application can provide more detailed information into your network operations and traffic than ever before. And NetFlow analyzer applications can be affordable. Prices range from free to $10,000 and up.

But what are you getting for your dollars? I’m not so sure about the others, but I know the free NetFlow Analyzer that we offer comes with initial free technical support to assist you with installing and configuring Scrutinizer. Flow data is retained for 24 hours and most features are available with the free product. An evaluation key can be provided by request to unlock the full features of Scrutinizer to be able to try before you buy.

Speaking of buying…. without mentioning specific pricing, I have been told repeatedly by customers that we are way underpriced. Hmmmmmmmmm……. Maybe it’s worth checking out. A full featured NetFlow and sFlow Analyzer that is way underpriced. Aren’t we all looking to cut corners in this down economy?

And did you know that the first year of purchase comes with free technical support? There’s that word again, free.

And technical support. Another way to reduce costs for your organization. With free technical support, your staff can spend less time troubleshooting issues with the network management software and more time on network traffic analysis.

And then maybe they’ll find what’s been eating up all the bandwidth and you won’t have to add more bandwidth after all. Another cost savings for your company.

In this economy, we’re all looking to cut corners in our spending. And if we can do that by working more efficiently then it’s a win-win for everyone.

If you have any questions about Scrutinizer, please contact us, we’d be delighted to discuss how it can benefit your organization.

- Joanne

To minimize data loss and support time required to repair the corrupted database tables, in version 7 of our NetFlow and sFlow analyzer, we have introduced the ’self-healing’ database.

A MySQL database check and repair is run on a regularly scheduled basis, once an hour.  If the database check finds any corrupted database tables, it will attempt the repair.  If it is unable to repair, an alarm will be generated to Scrutinizer to alert you of the corrupted table.

Also, the Server Health LED (right-most of the four system LEDs in top right of the screen) will turn red if database corruption is detected.  Another note on the Server Health LED – If the servers disk space drops below 2 GB or available memory is less than 128 MB, this LED will turn yellow.

If the Server Health LED is red, clicking on that LED will display what database corruption exists.  For example, in the image below, the plixer.fa_threats and plixer.task_results database repairs failed, but the repair for the plixer.fa_topdomainresolve database table was successful.

An alarm is also generated when Scrutinizer is unable to successfully repair a corrupted database table and can be viewed by going to the Alarms tab and selecting the Database Health selection from the dropdown list then clicking the Search button.  If you have a syslog server configured in Admin->Settings->Syslog Server, then you can also configure your syslog server to alert you when a database repair is unsuccessful.  Thus minimizing data loss.

In the example documented in this blog, the auto-repair failed the first time, but by the time I was able to run a manual check and repair, the auto-repair had successfully repaired the database table.  In other words, there are few cases of database corruption that will require manual intervention.  But if the corruption is persistent, please contact technical support for assistance.

Or if you have not yet upgraded to Scrutinizer v7 NetFlow and sFlow Analyzer, please contact us for instructions and/or assistance with the upgrade so you, too, can benefit from the many new features we have introduced in version 7 of our network analysis application.

- Joanne

So it was with great relief and gratitude to Michael Patterson, President and CEO, and Marc Bilodeau, CIO, that we enjoyed our Christmas company celebration this past Saturday.

It began with each of us picked up at our doorstep by Portland Limousine, four couples per limo, complete with champagne. Travel time ranged from 1 – 2 hours, and gave us the opportunity for some socializing prior to arriving at our first destination.

Which was dinner at the Ristorante Massimo in Portsmouth, NH. We had a nice, cozy private function room that easily led to further socializing and some great photo ops.

The food was amazing!

Then after enjoying the wonderful dinner, drinks, and good company of our co-workers and spouses, we exited the restaurant to limos waiting at the door (quite welcomed with 20 degree weather…) and off to the theater!

Dropped off at the door of the Seacoast Repertory Theatre to enjoy their rendition of “A Christmas Carol”.

Then, so convenient to have the limos again waiting just outside the door of the theater to whisk us away back home. Sit back and relax and enjoy the ride.

What a night. All thoughts of NetFlow, network management, software upgrades, and all other work-related issues gone for at least 8 hours…..

Happy Holidays everyone!

- Joanne

case TOOL_SCRUTINIZER:
return "http://xxx.xxx.xxx.xxx/index.cgi?el=" + sNetworkAddress + "&user=USER&pass=PASSWORD";

would be replaced with:

case TOOL_SCRUTINIZER:
return "http://xxx.xxx.xxx.xxx/search.html?el=" + sNetworkAddress + "&user=USER&pass=PASSWORD";

for Scrutinizer v7.

ie. Replacing index.cgi with search.html. Makes it pretty simple to upgrade any current 3rd party integration back to Scrutinizer v7.

The url that is passed to Scrutinizer:

http://xxx.xxx.xxx.xxx/search.html?el=IPADDRESS&user=USER&pass=PASSWORD

requires the Scrutinizer server’s ip address or hostname be entered in place of xxx.xxx.xxx.xxx, the IPADDRESS field be replaced by the variable name for the application you are integrating with, and the user credentials (replace USER and PASSWORD) for the level of access this integration is allowed.

On that note, in version 7 of Scrutinizer, users’ permissions are based on group membership. Permissions are set at the group level, then users are added as members to the groups appropriate to their access level.

So if you did not want to give open access to Scrutinizer for anyone using WhatsUp Gold, the user credentials that you would enter in the url would probably not be from the Admin group, but rather the Guest group, or another group without admin level permissions.

Using the 3rd Party Integration link:

By clicking on the Scrutinizer icon in the Device Toolbar in WhatsUp Gold:

the following Search page is opened:

In this case, we have one instance of the host ip 125.55.44.33 found, as source address. Clicking on source in this screen will then bring up the Conversations WKP (Well Known Port) report for this host ip.

Why would you want to integrate Scrutinizer with your other applications (e.g. Nimsoft, Solarwinds Orion, etc.)?

Say you get an alert from Zenoss that a specific interface on a router has exceeded the utilization threshold. By clicking on the Scrutinizer integration icon for that device, you can drill right down to the actual flow data and see who is causing the high utilization, what applications they’re using and who they are talking to.

No longer do you just see that there is a problem on your network, but now you can see who and what is causing that problem and resolve it, by integrating NetFlow management with your existing network management application.

- Joanne

Why do we care?

This is a great question. We care because a loss of flow exports is usually caused by one of three things:

1. The network dropped some packets
2. The router can’t keep up
3. The NetFlow receiver / collector can’t keep up

NetFlow sequence numbers are becoming increasingly important. When building a NetFlow collector it is important that the engine scales while staying accountable. If you look at the NetFlow v9 packet format you will notice something called the package_sequence.

Scrutinizer monitors the NetFlow sequence numbers per router / exporter to make sure that no NetFlow exports are missing. If they are, we can approach the issue like this:

1. Can Scrutinizer keep up? Check the vitals:

Above we can see that the NetFlow collector is seeing increments in the MFSN (Missed Flow Sequence Numbers) trend. Scrutinizer provides these details:

a) For the entire collector
b) Per listening port (e.g. 2055, 9996, 6343, etc)
c) Per router

It is just a matter of drilling in until we find the culprit. If all ports and all exporters are showing MFSNs, then we know that the collector can’t keep up with the volume of flows.
To find the above reports in Scrutinizer, navigate to Admin tab –> Reports –> Vitals. From here you can get to the vitals on individual NetFlow exporters by clicking on the listener ports (e.g. 2055, 9996, 6343, etc.). It is easier to navigate to these reports if you’re on the Status Tab and you click on the NetFlow version ‘v5’ next to the interface name.

2. If the network is dropping packets or if we suspect that the individual router is having trouble keeping up with NetFlow exports, we check the MFSN for the individual exporter.

3. If we suspect that it is the router and not the network, then we go into the router and type in:

a) myRouter# show ip flow export
b) myRouter# show ip cache verbose flow
c) myRouter# show ip cache flow

The above commands allow us to check the current NetFlow configuration and health of the router.

SCTP

Most collectors only listen for NetFlow, sFlow, NetStream, IPFIX, jFlow, etc. on UDP ports such as 2055, 9996, 6343, etc. As SCTP becomes more popular, collectors will confirm the reception of NetFlow datagrams and allow the retransmission of missed frames.

Summary

NetFlow Sequence Numbers are used to determine missed NetFlow packets and not so much for general packet loss on the network. I have seen cases where an increase in the NetFlow volume due to a DoS attack or network scan can cause a burst and ultimately some missed flows.
A NetFlow Analyzer worth its salt should be delivering reports in some capacity related to flow sequence numbers.

- Joanne

Way to go Vyatta! Soon we will have listed their hardware on our Configure NetFlow page.

- Joanne