Cisco NetFlow | Part 1 – What is Flow Analytics™?

Posted in Flow Analytics, NetFlow, NetFlow Analyzer, Network Health Report, Network Monitoring, Network Traffic Analysis, Network Traffic Monitor on September 27th, 2011 by Jimmy W

NetFlow and sFlow Analytics

What is Flow Analytics™?

Flow Analytics™ is a built-in module that a NetFlow analyzing tool uses to perform network behavior analysis. Flow Analytics™ can trigger alarms for behaviors such as worms, network scanning, and known compromised internet hosts. It can alert you if any DoS attacks are happening. Once that happens, it can identify repeat offenders and create a Unique Identifier (UI) to manage traffic counts. Flow Analytics™ can also identify your top applications, conversations, protocols, etc., across dozens of routers and switches.

Flow Analytics™ allows you to store data for more than 24 hours. You can choose to save an infinite amount of NetFlow data history at every interval, so you can go back and identify a problem that occurred 2 weeks ago on your network. Flow Analytics™ also allows for automated DNS resolution to help you quickly identify culprits on your network.

What makes Flow Analytics™ incredibly amazing is the ability to look at the NetFlow from multiple routers and switches simultaneously every 5 minutes. Potentially, you can configure hundreds of devices for each algorithm in Flow Analytics™. In this blog I will show you how to set up Flow Analytics™ and how to start configuring it. Read more »

Jimmy Wendler

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!


Free NetFlow Software

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security, sFlow on January 26th, 2011 by Danny
There are many network management software applications with NetFlow reporting capability; however, only a few provide features that truly take advantage of the available NetFlow information. When choosing a NetFlow reporting tool, it is important to consider certain factors:
- What will be the main use for NetFlow?
- Is real-time reporting or historical reporting more important?
- Is it for traffic analysis, including application and user monitoring?
- How much are you willing to pay for the product?
- Do your switches/routers support NetFlow?
- Is scalability a concern?

Read more »


Network traffic monitoring with Maps

Posted in General, NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on December 3rd, 2010 by Danny

What if network maps were not just a graphical representation of physical connectivity on a network? A map in our NetFlow and sFlow Analyzer is more than just a map:

  • You can view the utilization of every NetFlow exporting interface on your map.
  • Links on the map are clickable. Clicking one brings up a report on traffic information for that particular connection, including utilization, protocols, applications, etc.; the entire Scrutinizer report arsenal is available.
  • Connections change color based on definable utilization thresholds.
  • Google Maps can be used as a background, allowing for large-scale network maps based on longitude and latitude.
  • Device icons change color based on the device status.
  • You can create links to other map applications (e.g. Flash maps with Visio backgrounds, WhatsUp Gold, etc.). Read more »


NetFlow Tips: Part 2

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on November 19th, 2010 by Danny

Today I’ll continue with what we started in Part 1.

Tip 5: Avoid overwhelming your NetFlow collector and take advantage of Flexible NetFlow sampling. Ex: For billing, you could export only counters per subnet via Flexible NetFlow.

Tip 6: Use NetFlow analysis tools that have exceptional NetFlow information filtering capability.

Tip 7: Look at the Flexible NetFlow features list from Cisco to find out what IOS version you need for the specific feature you want to enable. Your network device might have Flexible NetFlow enabled, but the IOS version might not have the feature you need. Read more »


NetFlow Tips: Part 1

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on November 5th, 2010 by Danny

You probably have NetFlow enabled on your network devices, but the question is, are you truly taking advantage of what it offers? From working in technical support, I noticed that, although NetFlow technology is evolving rapidly, many users are staying behind when it comes to understanding how the technology works and how much can be accomplished with it. Today I want to give you a few tips. Read more »


NetFlow Advantages in a Nutshell

Posted in NetFlow, Network Health Report, Network Problem Resolution, Network Traffic Analysis on October 22nd, 2010 by Danny

Today I want to talk, in a nutshell, about the advantages of NetFlow. One thing in particular that distinguishes NetFlow-based traffic monitoring from the traditional SNMP-dependent systems is the ability to characterize traffic applications and patterns. Knowing what the traffic is, who it is from, and how and where it flows is critical for network performance and troubleshooting. For instance, it helps network managers “determine where to apply QoS, optimize resource usage and it plays a vital role in network security to detect Denial-of-Service (DoS) attacks, network-propagated worms, and other undesirable network events.”

In planning, as I previously stated, NetFlow information ensures that resources are used adequately in support of organizational goals. Moreover, it facilitates solutions to many common network issues including: Read more »


Juniper SRX series Gateway supports J-Flow

Posted in NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security, sFlow on August 13th, 2010 by Danny

There is no doubt that flow technology is revolutionizing network monitoring. In this NetFlow/J-Flow/IPFIX/sFlow era, there is no need to settle for only knowing utilizations on the network. Besides, little analysis can be done by monitoring bandwidth only anyway.

Scott wrote a blog earlier that made a valid point: “A Network Administrator’s abilities are only as good as his awareness of what happens on his network.” In harmony with that statement, it’s beneficial to have useful tools to be able to collect that traffic information.

Recently, I learned that J-Flow is supported for the Juniper SRX series Gateways. I thought this might be good information for people who want to start monitoring flows on this type of device, especially our NetFlow and sFlow Analyzer users, since it can also process J-Flow packets. Below are some sample commands taken from Juniper’s Knowledge Base which walk you through your J-Flow configuration. Read more »


Cisco 4500 series and “ip flow ingress infer-fields”

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on July 30th, 2010 by Danny

Today I will discuss the command “ip flow ingress infer-fields”, mostly used in the NetFlow configuration of NetFlow switches. Being the newest member of the Plixer International Tech Support team, I am discovering how amazingly large certain networks can get. This is when an outstanding network monitoring and diagnosis capability comes in handy. Read more »


Packet Loss via Netflow: MFSN

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on December 1st, 2009 by Joanne

How do you know whether the NetFlow collector is receiving, let alone saving, all of the NetFlow datagrams that are being sent to it? It is important to know if any flows are missing.

Why do we care?

This is a great question. We care because a loss of flow exports is usually caused by one of three things:

    1. The network dropped some packets
    2. The router can’t keep up
    3. The NetFlow receiver / collector can’t keep up

NetFlow sequence numbers are becoming increasingly important. When building a NetFlow collector it is important that the engine scales while staying accountable. If you look at the NetFlow v9 packet format you will notice something called the package_sequence.
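As an added illustration (not code from the original post or from Scrutinizer), the sketch below shows how a collector can use that v9 header sequence field to account for missing export packets per exporter and source ID, including 32-bit wraparound and late arrivals. It assumes the v9 semantics of one increment per export packet; `SequenceTracker`, `demo` and the sample address are hypothetical names and constructed data.

```python
import struct

# NetFlow v9 header: version, count, sysUptime, unix_secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")
MOD = 2 ** 32  # the sequence field is an unsigned 32-bit counter and wraps


def parse_v9_header(datagram):
    """Return (sequence, source_id) from a NetFlow v9 export datagram."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than the 20-byte v9 header")
    version, _count, _uptime, _secs, sequence, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    return sequence, source_id


class SequenceTracker:
    """Hypothetical helper: counts missing export packets per exporter stream."""

    def __init__(self):
        self.last = {}    # (exporter_ip, source_id) -> last sequence accepted
        self.missed = {}  # (exporter_ip, source_id) -> export packets skipped

    def observe(self, exporter_ip, datagram):
        """Record one datagram; return how many packets were skipped before it."""
        sequence, source_id = parse_v9_header(datagram)
        key = (exporter_ip, source_id)
        if key not in self.last:          # first packet: nothing to compare with
            self.last[key], self.missed[key] = sequence, 0
            return 0
        delta = (sequence - self.last[key]) % MOD
        if delta == 0 or delta > MOD // 2:
            return 0                      # duplicate or late packet: do not rewind
        self.last[key] = sequence
        self.missed[key] += delta - 1
        return delta - 1


def demo():
    """Constructed input: header-only datagrams with a wrap, a gap and a late one."""
    tracker = SequenceTracker()
    sequences = [MOD - 2, MOD - 1, 0, 1, 4, 3, 5]  # 2 never arrives, 3 arrives late
    gaps = [tracker.observe("192.0.2.1", V9_HEADER.pack(9, 0, 0, 0, s, 7))
            for s in sequences]
    return gaps, tracker.missed[("192.0.2.1", 7)]
```

Late packets are not credited back, so the per-stream counter is an upper bound on loss; a sustained non-zero rate is the signal that the network, the router or the collector is not keeping up.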

Read more »


Cisco ASA NetFlow supports bidirectional flows

Posted in ASA, NetFlow, NetFlow Analyzer, Network Health Report, Scrutinizer on October 14th, 2009 by Jimmyd

If you are running Scrutinizer v7.01, the Cisco ASA interfaces don’t show up in the Status tab yet. It was a philosophical decision. Here’s why:

The ASA running v8.2.1 exports bidirectional NetFlow! This is unlike anything else we’ve seen. In nearly all NetFlow exports (v5, v9, IPFIX, etc.), flows are exported in one direction (i.e. A -> B and then a separate flow for B -> A). This is true for ingress or egress NetFlow. For example: let’s say A -> B creates a flow of 200KB. Then in return, B -> A causes a 2nd flow of 40KB. Well, the developers of the ASA decided to be unique and add the two flows together and export A -> B 240KB!!!! The two added to each other is called a bidirectional flow.

Because of this, when we calculate the percent utilization using NetFlow (i.e. not SNMP) by adding the total flows together we overstate InBound/OutBound utilization in the Status tab. We are talking with Cisco about this unconventional export method. We have no definitive news yet.

NOTE: The ASA also doesn’t support an Active Timeout, which causes huge spikes in the graphs and makes network traffic analysis kind of tricky when traffic that occurred over several minutes shows up in a single minute!

If you are seeing some screwy results with ASA and NSEL, the above is why. Anyway, everyone can blame Mike for not sticking the data in the Status tab!

Here is a pic of our ASA:

Our Cisco ASA

Need help configuring NetFlow export from the ASA? You can also set up NetFlow exports using Cisco ASDM. Make sure you have watched the Cisco ASA and NetFlow training video.

May 29th, 2012 Cisco ASA UPDATE: New Cisco NSEL Reports in Scrutinizer v9. Check them out.


Jimmy D the Netflow Detective


Join the NetFlow Developments group on LinkedIn.
