Using the Service Provider Module for Scrutinizer NetFlow & sFlow Analyzer and a customized Billing Module, you can monitor the bandwidth usage of your customers and also provide  a data export to your current billing application.

The Service Provider Module allows you to restrict your customers to view specific devices and/or interfaces in Scrutinizer. The “Scrutinizer v7 NetFlow and sFlow Analyzer: Using the Service Provider Module” blog has more information on this module’s features.

The Billing Module is a customized solution using the enhanced features of the Service Provider Module ad importing that data into your billing application.

A custom data file (i.e. saved report filter) is created and exported every hour, giving the most granular data (1 minute intervals) available. The data file can include but is not limited to:

• Time Stamp
• Rate: bytes / second
• Peak: same as above when reporting at 1 minute intervals
• Totals: total bytes per minute

Any NetFlow or sFlow exported field can be included (bits, packets, percent, IP/MAC addresses, VLAN ID, applications, ToS, Autonomous System, etc.) if required.  The billing application or script can then read in the files exported by Scrutinizer at a definable interval.

You should also know that Flexible NetFlow using a Permanent Cache can also be used for importing data into your billing application.

If your billing application is based on 95th percentile measurements, this information is also available in the Traffic Volume report displayed below.

95th percentile billing allows for the top 5% of spikes in a given period to be dropped from the utilization reported.  In the example above, 95th percentile for Inbound is 99.78% and Outbound is 24.81%.  This report is based on a one hour timeframe, providing both Inbound and Outbound traffic for the T1 interface.

Interested in using Scrutinizer to get the data for your bandwidth billing?  Contact Plixer Sales at 207-324-8805 x3 for more information on this custom solution.

- Joanne

1. NetFlow provides amazing network insight on network connections without deploying new hardware.  It leverages existing routers and switches. All you have to do is turn it on and point the flows to the NetFlow or sFlow collector.  Once the interfaces start showing up, you can click away and display high level information such as Top Hosts and Applications or dig in and filter for specific data with packet analyzer like details.

2. High level reports keep big problems obvious, but don’t limit yourself to the top X.  Make sure the NetFlow reporting tool can list all the flows including the raw flows as exported by the hardware.  What’s more, make sure the NetFlow and sFlow Analysis interface provides enough reports so that you can dig into problems and display the data the way you need to. 

3. Flow technology provides some of the fastest trouble shooting available in the industry today. Because the architecture generally focuses on centralized collection, access to the data is fast.  It doesn’t involve RDP connections to remote probes.  All the connections in the network are on one page ordered by your preference.

  
4. Custom filters allow you to narrow in on selected data fast.  Either click to keep narrowing on the data you want or specify filters like you would with a packet analyzer like wireshark. You can also use it for NetFlow billing applications or focusing on traffic from a certain business department or subnet.

5. You can setup threshold alarming based on nearly any configurable traffic pattern.  Once you have the custom filters in place, save it as a report and set a threshold for either too much or too little traffic that matches the filter.  

6. Scheduled reports via email keep you in the know.  Does the boss need a particular report every day, week or month?  Setup the report, add any necessary filters and schedule it to get emailed to you and the boss.  

7. SFlow and NetFlow Analysis allows IT professionals to clean up and optimize the network infrastructure.  Before you clean up the network there was excessive HTTP traffic, odd traffic patterns and abuse. 

8. Do you have VoIP on your network?  Confirm DiffServ domain configurations and QoS policies by displaying DSCP values.  Compare the reports with CBQoS and IP SLA reports. Drill in on a ToS value to see the hosts involved.

9. NetFlow Data storage that allows you to go as far back in time as needed.  If company policies or industry regulations require that you keep the data for a certain amount of time, don’t limit yourself to saving the raw flows for 30 days.  Rather, save them for years if necessary so that you can go back in time and retrieve all of the juicy details.

10. Distributed network monitoring of threats:    While we are collecting all of these flows from thousands of interfaces, it make sense to constantly look for network scans, DDoS attacks, internet threats, etc.  Alarms can trigger events that make access list changes or firewall policy modifications. 

So there you have it.  On ten reasons that can help you decide or convince your boss to take sFlow and NetFlow traffic analysis into serious consideration. We hope you choose our NetFlow Analyzer.

Scrutinizer v7.6 has been released with several best at NetFlow improvements for network traffic analysis. You will find the upgrade available for download now.

New Features include:

+ Flow View now has a Date Selector
+ Users can name their templates exported from flow devices
+ Time frames for 3, 7, and 30 days have been added to the date selector
+ Volume reports have an option to toggle rate vs. totals
+ A new LDAP wizard has been added to simplify LDAP and LDAPS configuration
+ More definition labels have been added for ICMP Traffic
+ NBAR descriptions will no longer be blank if no template has been received
+ Fixed issue when performing an SNMP update for a PC with nprobe installed
+ Users can now configure thresholds based on a per row or report total basis
+ A new report type of IP Next Hop has been added to the status tab
+ Users who are part of an administrator group can copy myview tabs
+ A new report filter has been added for SUBNET TO SUBNET
+ The interface instance column is wider for high interface numbers
+ A Plixer Tools icon will now be visible when Plixer Tools is installed
+ Users can now add very long community strings
+ Added the ability in mapping to filter Denika reports for Denika connections
+ For new installs, users will automatically be licensed for 30 days
+ Updated the Japanese Translation
+ Improved IPFIX support in the NetFlow and sFlow collector
- Dozens of bug fixes

We are very excited about this new release of our network traffic analyzer. Contact us if you have any questions.

It’s a big deal because NetFlow can be used to export more than just traditional ‘flow’ information.  It can also kick out interface names as well as NetFlow counters, MAC Addresses, VLAN IDs and much more.  Often times this means multiple templates are kicked out by the same router or switch.   It is also important for the NetFlow Reporting tool to list the templates because templates can often contain the same data and cause over stated utilization in the reports.  In Scrutinizer v7.5 you could list the templates but, other than the ID, it was a guess to remember which template contained the data you needed to look at. 

In Scrutinizer v7.6, we introduced the ability to rename the NetFlow templates so that they are easier to reference in future reports.  This is just one more reason why we are the leader in NetFlow Analysis.   

NOTE:  The colors above are caused by the change the skin feature.

Thankfully the NetFlow reporting interface allows the user to choose which templates are being used to generate the data necessary for the report. 

What’s more:   You can run the above reports based on a selected template.

Isn’t that sweet…..

Anyway, this is a great new feature in Scrutinizer v7.6 and is another demonstration of plixer’s commitment to best at NetFlow utilities and Flexible NetFlow aka FnF .

Egress Flow Monitoring

Our Product Manger, Michael Patterson, has put together a great blog on Ingress or Egress NetFlow Analysis that helps answers this question. It’s also important to note that in order to monitor egress traffic you must use NetFlow version 9 or IPFIX. Not yet convinced NetFlow v9 is for you? Check out the McMonster analogy to see the benefits of NetFlow v9; mmm delicious NetFlow.

Enabling Ingress and Egress

Anyhow, back go our original topic.

Here are the commands to configure a Cisco router for both ingress and egress flows:

Router > enable
Router#: configure terminal
! send NetFlow off to the collector – Scrutinizer
Router(config)# ip flow-export destination 10.1.1.1
! lets send NetFlow off to a 2nd collector
Router(config)# ip flow-export destination 10.1.1.2
! You have to setup Flexible NetFlow to export to more than two destinations
! Lets export NetFlow v9 as NetFlow v5 doesn’t support egress NetFlows
Router(config)# ip flow-export version 9
! summarize and export long lived flows every minute
Router(config)# ip flow-cache timeout active 1
! export flows that are idle 15 seconds or more
Router(config)# ip flow-cache timeout inactive 15
! export the NetFlow data from the configured loopback interface.
Router(config)# ip flow-export source loopback 0
! lets go enable NetFlow on each interface we want NetFlow from
! lets configure the first interface
Router(config)# interface Ethernet 0/0
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! change to a different interface
Router(config)# interface Ethernet 0/1
Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress
Router(config-if)# exit
! commit the above to memory if you want to keep the configuration

Need a NetFlow analysis tool? Scrutinizer 7.0 and greater have the ability to gather and report on NetFlow v9 and IPFIX flows.

Slide 10 on ‘show ip cache flow’:

Slide 11 on ‘show ip cache verbose flow’:

 
Sometimes I run the above when I’m running the Scrutinizer NetFlow collector in debug. I hope  the above helps when you are trying to do some NetFlow reporting.

The available disk space issue is pretty easy to address. For the most part, you either have enough or you don’t.  We have a Disk Space Calculation tool that can help you get a general idea of how much disk space you will need based on the Data History settings configured in the Scrutinizer application and the number of active exporters, interfaces, and flows per second being received.

When it comes to disk I/O, one performance tuning trick that is often overlooked is a simple defrag of the disk drive.

The collector appliance is constantly processing NetFlow or sFlow packets and reading and writing relatively small amounts of data to disk at a time. Over time the disk drive can become fragmented, and we see an increase in the amount of disk I/O.

Let’s take a look at a fragmented drive.

In network traffic monitoring, green is good and red is bad. With hard drives, blue is a good thing, red is bad. Ideally we would want to see mostly blue and white.

The Technical Support staff at Plixer International is always ready to help get the most out of using our NetFlow and sFlow Analysis Tool.  

But remember to periodically:

Hit your START button, go to Programs/Accessories/System Tools, and run Disk Defragmenter to defragment your disk drive.

-Scott

He sent us a Wireshark packet capture and brought up Flow View. Flow View is a way to see the raw flows (inclusive of all columns) being exported by a device.

Anyway, in Flow View everything looked normal, but then one of our developers spotted the word ‘post’ in front of a couple of import column names. We (and Scrutinizer) expect to see ‘octetDeltaCount’ and instead, the customer had configured nProbe to kick out ‘postOctetDeltaCount’.

Why did the nProbe kick out the wrong field?
The nProbe was exporting postOctetDeltaCount because the user asked for it. It was probably just a user error. Once we made the change it worked fine.

We decided to do a little research on this. The nProbe documentation states:

[ 23] %OUT_BYTES                 Outgoing flow bytes

rfc3954 states
                                           Outgoing counter with
                                           length N x 8 bits for the
   OUT_BYTES                    23   N     number of bytes associated
                                           with an IP Flow. By
                                           default N is 4

The above sort of makes it sound like OUT_BYTES is the element id to use for egress flows, but it isn’t. To the best of my knowledge, most commercial NetFlow exporters that implement egress flows do so with IN_BYTES.

We are a standards based company, so we looked to RFC 5102 to see what IPFIX had to say about this issue. It seems that IPFIX changes the names, but not the element ids, for IN_BYTES and OUT_BYTES to octetDeltaCount and postOctetDeltaCount respectively. NOTE: the implied directionality of IN and OUT was dropped.

The IPFIX descriptions further clarify how these elements are intended to be used.

Excerpt from rfc5102.

5.10.1. octetDeltaCount
Description:
The number of octets since the previous report (if any) in
incoming packets for this Flow at the Observation Point. The
number of octets includes IP header(s) and IP payload.
Abstract Data Type: unsigned64
Data Type Semantics: deltaCounter
ElementId: 1
Status: current
Units: octets

5.10.2. postOctetDeltaCount

Description:
The definition of this Information Element is identical to the
definition of Information Element ‘octetDeltaCount’, except that
it reports a potentially modified value caused by a middlebox
function after the packet passed the Observation Point.
Abstract Data Type: unsigned64
Data Type Semantics: deltaCounter
ElementId: 23
Status: current
Units: octets

If there is no middlebox (or middlebox function) involved, we shouldn’t get postOctetDeltaCount.

nprobe Commands
When in doubt, here is a basic configuration of nProbe that works great with Scrutinizer:

nprobe.exe /c --interface 0 --in-iface-idx 3 --out-iface-idx 5 –-local-networks 192.168.1.0/24 –-local-traffic-direction --collector 192.168.1.51:2055 --flow-version 5 –-lifetime-timeout 60

Summary
We got the customer up and running by using a different “nprobe configuration“  and he is now performing network traffic analysis with arguably the best NetFlow analyzer on the planet!

Using Scrutinizer NetFlow Analyzer, he was able to respond to the RIAA’s (Recording Industry Association of America) allegations of students illegally downloading or sharing of music.

“With upwards of 3,100 students calling the residence halls ‘home,’ it’s our job to make sure the data flow is running efficiently. Scrutinizer NetFlow Analyzer allows us to accomplish this with powerful reporting, dynamic traffic analysis, automated features and convenient archiving. We’ve also found the archiving capability extremely useful for forensic analysis.” – Rick Coloccia

Read more on how Scrutinizer resolved this and other network traffic issues in the EducationNews.org article, “SUNY Geneseo Leverages Scrutinizer NetFlow Analyzer to Monitor Network Behavior during RIAA Crackdown and Beyond“.

- Joanne

I don’t know how accurate that is, but I can definitely confirm that if you go to Google.com and search the key word NetFlow, you’re going to get a LONGGGGGGGG list.

So with a plethora of options and little time to evaluate, what does Scrutinizer offer that might make it worth…scrutinizing? (Sorry, couldn’t help it)

Here’s five compelling reasons to take a look at my product:

Your investment is with a company with NetFlow experience
Plixer International released Scrutinizer in the Fall of 2005. That’s given us five years to examine, learn and understand the way NetFlow works. We ARE NetFlow. So when you purchase Scrutinizer, you are working with people who KNOW the technology.

Existing features were requests by customers, for customers
We are a privately owned company. As a result, that gives us the flexbility to keep an open mind to what our customer base needs from our tools. We always welcome feedback and constructive criticism that make our product better.

Our focus is NetFlow
With all our attention on one technology, there are no excuses to be had in not giving you the latest and greatest features. So with that in mind, we support cutting edge technologies like ASA NetFlow Event trending, NBAR definitions and NetFlow v9. Most vendors do not yet support these functions.

Affordable
Our Scrutinizer price base is affordable. Our pricing structure is based on the number of devices that export NetFlow as opposed to charging you by the individual interface. This makes us VERY affordable to companies with strong core switching enviroments.

Personable and friendly New Englanders…
I’ve always loved the philosophy of Plixer. See, when I first started with the Support Desk, I wasn’t handed a script. I wasn’t forced into any technical support mold. Instead, we’re encouraged to work with our customers using our own styles.
As a result, our help desk treats you like we’ve known you forever. I’ve always gotten good feedback from customers about our support.

“I really really appreciate the time and support. I wish I could easily find vendors that have such a dedicated customer support team like Plixer’s. The support is top of the line and their dedication to customers is as good as it can get. Thanks for the help and patience!!”

Now that I’ve reread this blog, it sounds like a travel brochure. Really sorry about that.
But I think you get the point…

I hope that with some of these highlights, you’ll find good enough reason to give our product a test spin.

Feel free to contact us if you have any questions.

Nathan Halverson
Pre Sales Support Lead
(207) 324-8805 ext 3