Suffering from slow performance when rendering reports?

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on September 1st, 2010 by Jo-G

Defrag your hard drive!

As mentioned in Scott’s blog,  “Getting the most from your NetFlow and sFlow Analysis Tool“, disk fragmentation can be the primary cause for slow performance in running NetFlow reports.

Due to the large volume of data stored when collecting NetFlow packets, disk I/O may already be pushed to the limits on your server.  Add to that a highly fragmented disk drive and you might as well go hang out at the water cooler while you wait for your report to run.

Here’s an example of an extremely fragmented disk:

As Scott mentioned in his blog, “With hard drives, blue is a good thing, red is bad. Ideally we would want to see mostly blue and white.”

But, on the other hand,  if you don’t have anything better to do with your time, if using Scrutinizer has so streamlined your network monitoring that you need to slow your day down a bit, then please, leave your disk fully fragmented and take a break!

Otherwise, if you prefer your NetFlow reporting to complete in your lifetime, then defrag!

And in the spare time that you now have to kill, you can monitor excessive Facebook traffic and other odd traffic patterns on your network, or read our blogs to learn how to enable Flexible NetFlow, or give us a call to find out what else our NetFlow solution can do for you.

- Joanne


NetFlow Reference Tool Available in “Commercial NetFlow Applications”

Posted in IT News, NetFlow, Network Traffic Analysis, Scrutinizer, sFlow on August 30th, 2010 by Angela

If you are seeking a good understanding of NetFlow, or a better understanding of how it can be enabled, configured, and analyzed, the “Commercial NetFlow Applications” chapter from the book Digital Forensics for Network, Internet, and Cloud Computing can be a great resource.  Written by Mike Patterson of Plixer International, Inc., the chapter details NetFlow and explains how you can capitalize on its utilization.


How is NetFlow Data Stored in Scrutinizer? Part 1

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on August 28th, 2010 by danny

Our NetFlow and sFlow Analyzer receives data collected over a 1 minute time interval per flow, and can store up to 100 000 conversations (flows) per device. One limitation in NetFlow monitoring today is the amount of disk space needed to store the collected network traffic information, especially if one’s intent is to hold on to that information for a certain period of time. In this blog I will try to help you understand how Scrutinizer archives data. In addition, I will talk about the NetFlow Calculator, which can be a helpful tool for estimating the disk space needed on your NetFlow analyzer server.

Daniel Senga
Tech Support

Configure NetFlow Forwarding

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on August 18th, 2010 by Jo-G

If you’re a faithful follower of our blogs, then you are familiar with the “samplicator” described in Michael Patterson’s “Free NetFlow Forwarder or NetFlow Duplicator” blog from May 29th, 2010.

If you’re not familiar with this NetFlow Forwarder application and you have the need for exporting NetFlow packets to multiple (unlimited!) collectors, then you must read his blog.

With switches or routers that do not support NetFlow export to more than one NetFlow collector, or if you have the need to export to more than the typical two collectors, the samplicator is an ideal solution.

Configuration is quick and easy and, if using the config file to list source (exporters) and destinations (collectors), extremely scalable.


Juniper SRX series Gateway supports J-Flow

Posted in NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security, sFlow on August 13th, 2010 by danny

There is no doubt that flow technology is revolutionizing network monitoring. In this NetFlow/J-Flow/IPFIX/sFlow era, there is no need to settle for only knowing utilizations on the network. Besides, little analysis can be done in monitoring bandwidth only anyway.

Scott wrote a blog earlier that made a valid point: “A Network Administrator’s abilities are only as good as his awareness of what happens on his network.” In harmony with that statement, it’s beneficial to have useful tools to be able to collect that traffic information.

Recently, I learned that J-Flow is supported for the Juniper SRX series Gateways. I thought this might be good information for people who want to start monitoring flows on this type of device, especially our NetFlow and sFlow Analyzer users, since it can also process J-Flow packets. Below are some sample commands taken from Juniper’s Knowledge Base which walk you through your J-Flow configuration.

Daniel Senga
Tech Support

Cisco 4500 series and “ip flow ingress infer-fields”

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on July 30th, 2010 by danny

Today I will discuss the command “ip flow ingress infer-fields”, mostly used in the NetFlow configuration of NetFlow switches. Being the newest member of the Plixer International Tech Support team, I am discovering how amazingly large certain networks can get. This is when an outstanding network monitoring and diagnosis capability comes in handy.

Daniel Senga
Tech Support

NetFlow Analysis on the Move

Posted in ASA, NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, sFlow on July 23rd, 2010 by scottr

For most of the last year I have been working as a member of the  Technical Support Team here at Plixer International. But as of July 1st, I have moved from Technical Support to a Pre-Sales Support role on the Sales Team. In my new role I will be responsible for providing technical support for all pre-sales/evaluating customers.

I just want to say that it has been a pleasure working with the many customers that I’ve talked to over the last year. I wish you all much success in your Network Admin/IT endeavors.

If you are new to the NetFlow technology, I would welcome the opportunity to demonstrate the benefits of using NetFlow and our network analysis tool to open windows into what is going on over your network. The following information is made available via the flow packets: source IP address, destination IP address, source port number, destination port number, protocol type, type of services, and the router input interface.

Exporting flows to a NetFlow collector provides a deeper level of detail that was up to this point unavailable in network management. This type of information has proven invaluable in detecting worms, port scans, DDoS attacks, and other security threats and network misuse.


What is NetFlow?

Posted in ASA, NetFlow, NetFlow Analyzer, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer, Security, sFlow on July 21st, 2010 by Jo-G

Okay, back to the basics. We’ve been working with Cisco NetFlow technology for many years now, but what is NetFlow?

NetFlow is a traffic profile monitoring technology developed by Darren Kerr and Barry Bruins at Cisco Systems, back in 1996. At that time, network monitoring mostly consisted of seeing how much traffic was traversing your network, but did not include what that traffic was.


Vyatta : Netflow Template Packets with no Data

Posted in NetFlow, NetFlow Analyzer, Scrutinizer, sFlow on July 16th, 2010 by danny

A couple weeks ago a customer reported an issue where, apparently, our NetFlow and sFlow Analyzer was not seeing traffic from Vyatta Core 6. This being the second time the issue is reported to us, I was encouraged to talk about it.

In general, whether it is a collector issue or an exporter issue, from a tech support viewpoint, I would say that the Scrutinizer web interface does a great job signaling what might be preventing proper network traffic analysis. This customer’s Scrutinizer web interface seemed to be saying: “There are flows coming from Vyatta, but there is nothing to report on”. Whenever he restarted the NetFlow collector, everything would work well for a short period of time, then in the Scrutinizer web interface, while the Vyatta widget would still be green, indicating that it is eventually sending NetFlow, its interfaces would turn yellow (no data to report for this interface) for a few hours before the collector completely stops.

What we found

His Vyatta was sending NetFlow packets that were not properly constructed. Looking at their content, we found that they did not contain flow information, but packet headers only, which gives Scrutinizer nothing to report on.

Recommendations

Unfortunately, I am not a Vyatta expert. If you are experiencing a similar issue, I recommend consulting the Vyatta community, or trying other software-based routing/firewall systems such as nProbe, pfsense, Quagga, etc. I can’t tell you much about pfsense or Quagga; however, once in a while we get calls from nProbe users; it supports NetFlow and seems to work well for them.

Daniel Senga
Tech Support

Cisco Introduces Output Sampled NetFlow

Posted in NetFlow, sFlow on July 7th, 2010 by Jo-G

Sampled NetFlow provides NetFlow statistics for a subset of incoming (ingress) IPv4 traffic on an interface.  Output Sampled NetFlow allows you to collect NetFlow statistics for a subset of outgoing (egress) IPv4 traffic on that interface.

The Output Sampled NetFlow feature is now available starting with IOS 12.0(24)S for IPv4 traffic on Cisco 12000 Series IP Service Engine (ISE) line cards.  In IOS 12.0(26)S, this feature was enhanced to report the input interface and support for the Cisco 12000 Series 4-Port Gigabit Ethernet ISE line card was added.

Which means that you can now export both ingress and egress Sampled NetFlow for Cisco 12000s!