I love that title. It sounds so dramatic.

I’ve been seeing this issue lately and I think it’s worth talking about, since I can imagine it affects the way you see flows within just about any NetFlow traffic analyzer.

Within a NetFlow v5 packet, there are two rows that define the inbound and the outbound interface for every conversation. Those interface numbers are really just the ifindex interface ID assigned by your router.

The inbound/outbound interface fields are crucial to being able to calculate where your traffic stream is going.

Lets look at a couple screenshots:

This screenshot gives you a sample of a sFlow packet capture using Wireshark. Notice the fields for Input Interface index and Output Interface Index.

Looking at this packet capture, this particular sampled conversation first came in on interface 1, and then went out on interface… zero?

Interface 0 or Interface “null” can occur within a couple of the following scenarios.

• Multicast traffic
• Conversation denied by ACL rule
• Packets are destined for the router itself
• Conversation is dropped by QoS
• Router misconfiguration
• IOS bug
  

Those are a few of the common configurations that may cause this kind of traffic pattern. It’s important to know this, since this will affect how Scrutinizer renders this data when you are monitoring bandwidth usage.

For example: Imagine you have multicast traffic coming in on the Serial 0/1 interface (interface ID 1) and going out Serial 0/2 (interface ID 2). Keep in mind that multicast traffic will give you the outbound interface as “0″ in the NetFlow record.

How would your NetFlow collector know to associate that outbound multicast traffic with your Serial 0/2 interface with an ifindex ID of 2, when the NetFlow record says 0? It doesn’t with ingress flows, but if you enable multicast egress flows, you will see the outbound interface fill in as expected.

This scenario can cause a lot of confusion for a regular user that is new to the NetFlow dynamics.

When a NetFlow analyzer looks at these NetFlow records with an outbound interface of “0″, it may not be able to properly associate it with the interface the traffic may truly be passing across.

To help combat this problem, Scrutinizer throws nothing away. Maybe you’ve noticed that you have an Interface 0 listed on some of your devices. This interface is not a real interface. This is a summary of all the traffic that cannot be associated with any of your existing interfaces. Better to show it than discard it, right?

If you feel that you may be running into some of the conditions I listed above, I invite you to give us a call here. We created a fantastic tool within Scrutinizer called Flow View which allows you to see the contents of your NetFlow packets to verify everything you are seeing.

- Nate

Tags: Flow View, inbound interface, interface 0, interface null, NetFlow Collector, NetFlow records, netflow traffic analyzer, NetFlow v5 packet, outbound interface, traffic stream

This entry was posted on Friday, November 6th, 2009 at 11:22 am and is filed under NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.