As mentioned in Scott’s blog,  “Getting the most from your NetFlow and sFlow Analysis Tool“, disk fragmentation can be the primary cause for slow performance in running NetFlow reports.

Due to the large volume of data stored when collecting NetFlow packets, disk I/O may already be pushed to the limits on your server.  Add to that a highly fragmented disk drive and you might as well go hang out at the water cooler while you wait for your report to run.

Here’s an example of an extremely fragmented disk:

As Scott mentioned in his blog, “With hard drives, blue is a good thing, red is bad. Ideally we would want to see mostly blue and white.”

But, on the other hand,  if you don’t have anything better to do with your time, if using Scrutinizer has so streamlined your network monitoring that you need to slow your day down a bit, then please, leave your disk fully fragmented and take a break!

Otherwise, if you prefer your Netflow reporting to complete in your lifetime, then defrag!

And in the spare time that you now have to kill, you can monitor excessive Facebook traffic and other odd traffic patterns on your network, or read our blogs to learn how to enable Flexible NetFlow, or give us a call to find out what else our NetFlow solution can do for you.

- Joanne

If you’re not familiar with this NetFlow Forwarder application and you have the need for exporting NetFlow packets to multiple (unlimited!) collectors, then you must read his blog.

With switches or routers that do not support NetFlow export to more than one NetFlow collector, or if you have the need to export to more than the typical two collectors, the samplicator is an ideal solution.

Configuration is quick and easy and, if using the config file to list source (exporters) and destinations (collectors), extremely scalable.

For example, in the configuration displayed below, we have 18 exporters forwarding to 9 different collectors in varying combinations.  Several of the exporters only forward to one collector, whereas the remainder forward to either 7 or 8 collectors.

The flexibility of configuring NetFlow duplication is limitless using the config file.

But reading the list of source ips and destination ips in this config file can be very confusing, and our manager, like so many, prefers to see a graphical display.

Graphical view

So we created a quick graph (using GraphViz) of the exporter and collector ip addresses with arrows of who forwards to who.

The exporters are all displayed around the outer perimeter of the graphs and the collectors are on the inside with the arrows pointing to them.  Gives you a simple display of the complexity that the configuration file can provide.

Using this NetFlow replicator and the config file, you can expand your NetFlow reporting capabilities to multiple NetFlow collectors, including my favorite, Scrutinizer NetFlow and sFlow Analyzer.  And don’t forget, since the samplicator forwards UDP packets, you can also forward sFlow and IPFIX packets, and also SNMP Traps or Syslogs.

- Joanne

Update:

To run the samplicator with a config file, use the following command syntax:

samplicate -p2002 -f -S -c /home/plixer/sample.cfg

See the sample.cfg file for an example.

Such as support for Flexible NetFlow, IPFIX reporting, portable network maps?  How about automated NetFlow configuration on your routers and switches?  Is customization of the web interface important to you?  Multiple language support critical?

All of that and more is available with our NetFlow Traffic Analyzer, but here’s something else that’s often overlooked.

Technical Support

Here at Plixer International, we pride ourselves on the high level of technical support provided to our customers before and after their purchase.

We have Presales support that will assist with any technical issues related to the installation and utilization of Scrutinizer NetFlow and sFlow Analyzer, including assisting with configuring NetFlow on your switches and routers.

And our Post sales technical support is second to none.

What value do we add?  First of all, we are accessible.  I don’t know how many Technical Support numbers I call, for both business and personal issues, where I am kept on hold for 30 minutes and up.   Voicemails may be returned anywhere from 1 to 3 days.  Or submit a request online or via email with no response for several days.

Quick Response

At Plixer, we take great pride in knowing that most calls get answered immediately, with no wait.  And if we are all on calls and your call goes to voicemail, it is our first priority to return that call, usually within the hour and worst case, the same day.  Online requests are given the same high level of response time.

We really take our customers needs seriously.  We know that if we address their concerns at the onset, then the issues they are having are prevented from escalating to more serious issues.

As I mentioned above, it’s not often that Technical Support is immediately accessible.  Because of this, we often also have customers asking technical questions about third party applications that integrate with Scrutinizer.  Questions beyond the realm of integration with our product, because they know that they can get us on the phone, whereas reaching support for the developers of the application is not typically that easy.

And once on the phone (or LiveChat, or email), we strive to get to the root of the issue quickly and come to a resolution soon to minimize any downtime, or otherwise monopolize a busy Network Administrators time.

We have the answers

Some frequent questions are how to interpret the data they are seeing, or how to create meaningful reports.  We are more than happy to walk you through reading the data, or creating reports, and we also have many short (under 5 minute) Webcasts available online that may also provide that valuable information.

With your original purchase of Scrutinizer, you also receive one year of maintenance, which includes unlimited technical support.  Technical support is available via phone, online chat, email, and online support form.

What is it worth to you?

What is the value to you and your Network Management team to having another team to turn to for answers?  We know how busy you are.  We have the answers, and want to share them with you, saving you the time to address more critical network issues.  Such as who is watching YouTube and hogging bandwidth.  And if we don’t have the answers, we’ll find them.

Thanks!

Typical response from a customer, “Thanks for the quick reply!”  How often have you said that to your vendors technical support?

- Joanne

NetFlow is a traffic profile monitoring technology developed by Darren Kerr and Barry Bruins at Cisco Systems, back in 1996. At that time, network monitoring mostly consisted of seeing how much traffic was traversing your network, but did not include what that traffic was.

With the introduction of NetFlow, and with the use of a NetFlow Analyzer, the following information is made available via the flow packets: source IP address, destination IP address, source port number, destination port number, protocol type, type of services, and the router input interface.

Exporting flows to a NetFlow collector provides a deeper level of detail that was up to this point unavailable in network management. This type of information has proven invaluable in detecting worms, port scans, DDoS attacks, and other security threats and network misuse.

That’s how NetFlow started and that was the typical information available in NetFlow version 5 packets.

NetFlow v9 brings us Flexible NetFlow packets (FNF), which opens the door even wider to dig deep into what is happening on your network increasing the ability for:
- Real-time network monitoring
- Application and user profiling
- Network planning and capacity planning
- Security incident detection ad classification
- Accounting and billing
- Network data warehousing, forensics, and data mining
- Troubleshooting

So what’s next for NetFlow?

Extending NetFlow exports to new and different devices to the NetFlow world, such as switches, firewalls, and non-NetFlow capable devices, is the ongoing challenge for software developers.

NetFlow originally was not available for Layer 2 devices, but more and more vendors are enabling NetFlow or sFlow (sampled packets) on their switches, including Cisco 6500′s, Juniper EX3200/4200, HP Procurve, Enterasys, and many others.

Data from firewalls can be very interesting to network security managers, as that is typically the first point of entry from the internet to your network. Cisco ASA firewalls can export NetFlow packets, and with a NetFlow analyzer that can interpret the data, valuable network intrusion data can be retrieved and analyzed.

Have non-NetFlow capable devices? Installing a NetFlow probe can provide the NetFlow export data you need.

Other devices and/or applications can be monitored using IPFIX software (IP Flow Information eXport), which will generate and export flow packets to an IPFIX collector.

With continuing development, tapping into all the hardware and software that makes up your network, ensuring optimal processing and securing your network from both external and internal threats becomes easier all the time.

Stay tuned as we explore more ways to use NetFlow technology.

- Joanne

The Output Sampled NetFlow feature is now available starting with IOS 12.0(24)S for IPv4 traffic on Cisco 12000 Series IP Service Engine (ISE) line cards.  In IOS 12.0(26)S, this feature was enhanced to report the input interface and support for the Cisco 12000 Series 4-Port Gigabit Ethernet ISE line card was added.

Which means that you can now export both ingress and egress Sampled NetFlow for Cisco 12000′s!

And with a NetFlow collector and analyzer you can collect these NetFlow packets and report on that data, getting more accurate outbound interface utilization information.

Configuring for Output Sampled NetFlow is relatively easy, as the global NetFlow configuration for this feature uses the same commands and settings with input sampled NetFlow.

To configure Output Sampled NetFlow on an interface, there are four basic steps:

1. enable
2. configure [terminal | memory | network}
3. interface type slot/port
4. ip route-cache flow [sampled [{input | output}]]
5. Repeat steps 3 and 4 for each interface.

After configuring the Cisco 12000 to export NetFlow, and then configuring the interfaces to export Output Sampled NetFlow, you can display the current content of the NetFlow cache with the following commands:

1. enable
2. attach slot-number
3. show ip cache verbose flow

See the NetFlow Cache Information Example in Cisco’s Output Sampled NetFlow document.

If you would like assistance with this NetFlow configuration, or are looking for a NetFlow traffic analyzer to collect the NetFlow packets, please contact us at (207) 324-8805, we’d be happy to work with you.

- Joanne

What a great opportunity to meet several of the Plixer Team members, including:

• MMM (Mix Master Mitch), our renowned NetFlow Rapper
• Michael Patterson, Product Manager
• Jon Mills, Marketing Manager
• Nathan Halverson, blogger extraordinaire!

3 NEW features will be highlighted with live demos of our NetFlow Analyzer.  Maybe we’ll show off our IPFIX and NetFlow Probe abilities?

Come see why our sFlow and NetFlow Collector are different from the rest for network traffic monitoring.

- Joanne

This recently published case study demonstrates how successful network traffic analysis can be performed using NetFlow reporting with Scrutinizer NetFlow Analyzer. Monitoring NetFlow exported from devices such as Cisco ASA’s, routers, switches, and numerous other NetFlow compatible devices simplifies the task of managing your network, whether wired or, in LTU’s case, fully wireless.

Using Scrutinizer as their traffic management tool has helped protect the school from legal exposure due to illegal downloads of music, movies and applications. NetFlow analysis also helped LTU identify suspicious activity and block possible malicious users.

“With 60 servers in our virtualized environment and thousands of users constantly accessing our network from all across campus, managing the high volume of network traffic was a real challenge,” commented Chavis. “We had issues with lots of network noise and fluctuating response times. Enforcing security was also a major concern. Troubleshooting problems was difficult and time-consuming. For example, we had a denial of service occur in one of the buildings on campus. It took us hours to identify that the source was a bad printer card.” – Tim Chavis, Executive Director, IT Services for the school’s Edward Donley Computer Center

Read the full Lawrence Technological University Case Study to see how else NetFlow reporting has paid off for them.

- Joanne

So, no, it wasn’t malicious activity, but that sort of network monitoring also was not authorized for that individual on their network.

Using Scrutinizer NetFlow and sFlow Analyzer, he asked how he could detect that sort of network traffic.

Using the Flow Analytics algorithms, we are constantly checking for what we consider malicious behaviors, or network traffic consistent with misconfigured servers or applications. This did not fit in the traffic patterns that we filter on.  But this workstation was sending snmp (and other) packets to many, many other ip addresses on their network, which would be generating a high number of flows per interval for that workstation.

In Scrutinizer v7.7, we have the ability to set report thresholds on a per row or report total basis.  For this situation, a threshold setting per row fits the bill perfectly.   So let’s see how we do that with our NetFlow Traffic Analyzer.

Setting a Report Threshold

1. Using the Report Wizard from the Status page, we can add filters for the devices and interfaces that we want to monitor for this purpose.
2. The report threshold is based on Inbound, and runs every 5 minutes along with the Flow Analytics algorithms.  So both of those settings need to be selected to use the report threshold.  For the report threshold we are setting for this example, we want the Host Flows report.
3. Now we need to save the report.  Give the report a name (overwriting UNSAVED) and then save the report.
4. Once you have the saved report, you can set the report threshold.  From the Add New Filter dropdown list select Inbound Threshold. Here you have two options, Total or Per row.  Total would be setting the threshold on the entire report total, Per row in our case would be per host, which is what each row includes.  For my test data, I set the threshold value of > 10 K in 5 min Per row.  If any single host generated more than 10K flows in 5 minutes, an alarm would be generated by the network traffic analyzer.

Scrutinizer can also be configured to generate syslogs based on the alarms, sent to a syslog server which could in turn send an email alert to the Network management team.

Another frequent use of the report threshold configuration is to monitor the amount of traffic a host is generating, which would alert the Network team of a large download, or streaming audio, video, etc.

If you have any further questions regarding configuring the report thresholds or its application, please don’t hesitate to contact Plixer International at (207) 32-8805.

- Joanne

So we need to be able to seamlessly move from one application to the other.  If your NetFlow traffic analyzer is Scrutinizer version 7, then the following information should be of great interest to you.

Reports can be called outside of the Scrutinizer application by creating a custom url that can be either embedded in another Network Management application, or entered directly in your internet browser.

How do we do it?

Here is the syntax required to create a report:

http://{servername}/index.html?popID={NEW|report_id}&newFilterType={option1|option2|option3|…}&newFilterData={data1|data2|data3|…}&newReportType={report_type}&dateRange={date_range}

{servername} – Scrutinizer server name or IP Address

popID – NEW or report_id

If you have an existing report you want to call, you need the report id. To get the report ID in Scrutinizer, go to Status->Saved Reports, and then click on the Display Report Filter icon to the left of the report name.  The report id is in the banner (ID: 2020)

newFilterType – Enter filter(s) from Table 1, pipe (|) delimited.

newFilterData – Enter data associated with filter type(s) entered for newFilterType

newFilterType and newFilterData are entered in pairs, for example:

newFilterType=sdfDips|sdfIps|sdfPorts&newFilterData=
in_7F0000001_ALL|in_10.1.25.6|in_80-6

Table 1

newReportType – enter valid report_type from Table 2.

dateRange – enter valid date_range from Table 2.

Table 2

To call an existing Saved Report without any changes, you can use the following url format:

http://{servername}/index.html?popID={report_id}

To hide the menus, add ‘&max=1′:  http://{servername}/index.html?popID={report_id}&max=1

If you do not know the exporter, you can use Scrutinizer’s search function:
http://{servername}/search.html?el={ip_address}

If the ip address is a flow exporter, it will display an all interfaces report for that device.  If it is not an exporter, it will display the search utility, with the ip address filled in.

If you have NetFlow configured on your routers and switches, but haven’t decided on a NetFlow Traffic Analyzer yet, this may be another reason to take a look at our NetFlow and sFlow Analyzer.  If you have any questions regarding this process, or need support with the NetFlow configuration on your devices, please give us a call at 207-324-8805.

- Joanne

Michael Patterson addressed this issue in his blog, “Messed Up Interface names in Scrutinizer” in February.

To summarize Michael’s blog, the device in question was including interface instance numbers from enterprise mibs in the NetFlow packets, and most NetFlow Traffic Analyzers get the interface descriptions from the standard MIB-2 ifIndex tables.

Vendors/products that have exhibited this interface instance mismatch are:

• Alcatel-Lucent SR 7750 running TMOS-C-5.0.R21.
• Huawei NetStream
• Cisco ASA
• Enterasys NetFlow v5

Cisco has since corrected this issue with the Cisco ASA with the release of version 8.2(2).

Enterasys resolved the issue with NetFlow v9 exports.

For the Alcatel-Lucent SR 7750 and the Huawei devices,  we have developed scripts to address this issue.  For more information on obtaining these patches, please contact Plixer Sales department at 207-324-8805 x3.

We are working to identify other vendors that have also used enterprise MIBs for the interface instances.  We are addressing this issue both with the vendors directly, and by providing patches that will permit Scrutinizer to report the correct interface information in the NetFlow reports.

If you’re currently using Scrutinizer NetFlow Analyzer and are seeing this issue with a device not listed above, please let us know.  If you’re not using Scrutinizer, Plixer’s NetFlow collector,  the free download comes with a 30 day evaluation key and free technical support on initial setup and configuration.

- Joanne