NetFlow – Monitor iPhone Activity
Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on November 12th, 2010 by scottr

One of the cool new features added to the reporting engine in the latest release of our NetFlow and sFlow Analysis tool is the Advanced Filter option. This filter lets you filter the data in any report on any field that is present in the exported template, so filtering reports on fields like MAC addresses and VLAN IDs is possible.
Let’s take a look at a cool use of the MAC address filter.
We have our Cisco wireless access point plugged into our Enterasys N series NetFlow capable switch. This allows us to look at the volume of traffic coming from the wireless devices.
The above is useful, but I wanted to narrow in on the handheld devices. Specifically, I wanted to find out how much traffic is placed on the network when a person streams a NetFlix movie to their handheld.
So I decided to set up nProbe.
In my configuration, the uplink from the Enterasys switch is spanned (i.e. mirrored) to an nProbe. The nProbe exports IPFIX (i.e. the proposed standard for NetFlow) and can include the MAC address, among other things, in its flow exports. Using the new Advanced Filter option in Scrutinizer, I filtered for the first 3 octets of the MAC address of the iPhone 3GS and iPhone 4 phones (60:33:4b & 64:b9:e8):
Immediately after adding the filters, I saw the traffic I wanted to narrow in on:
Wow, 700K per second or 161 Megabits (over 20 Megabytes) in 3 minutes just from streaming a single NetFlix movie!
I decided to add the High Tech Computer (HTC) vendor IDs so that I could see the Android traffic as well:
I knew this was going to be one of my favorite reports to show people so I saved the report and then added it to the dashboard in MyView:
You can also export MAC addresses using Cisco’s Flexible NetFlow technology. However, if you don’t have a Cisco router where you need one, nProbe will give you the visibility into your network traffic that you are looking for.
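The same first-three-octet filter can be reproduced offline against exported flow records. The following is an added example, not Scrutinizer or nProbe code; the record keys `mac` and `bytes` and the sample flows are constructed assumptions. It also sets aside addresses with the locally administered bit set, since their first three octets do not identify a vendor.

```python
from collections import defaultdict

# First three octets (OUI) quoted in the post for the iPhone 3GS and iPhone 4.
PHONE_OUIS = {"60:33:4b", "64:b9:e8"}

# Constructed sample records; "mac" and "bytes" are assumed key names.
SAMPLE_FLOWS = [
    {"mac": "60:33:4B:12:34:56", "bytes": 9_000_000},
    {"mac": "6033.4b12.3456", "bytes": 6_000_000},     # same device, dotted notation
    {"mac": "64-B9-E8-AA-BB-CC", "bytes": 1_500_000},
    {"mac": "00:1b:21:00:00:01", "bytes": 4_000_000},  # prefix not in the filter
    {"mac": "da:a1:19:00:00:02", "bytes": 2_000_000},  # locally administered
    {"mac": "not-a-mac", "bytes": 10},                 # malformed
]

def normalize_mac(mac):
    """Return lowercase colon-separated octets, or None if malformed."""
    raw = mac.lower().translate(str.maketrans("", "", ":-."))
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        return None
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a locally assigned address, whose
    # first three octets are not a registered vendor prefix.
    return bool(int(mac[:2], 16) & 0x02)

def bytes_by_device(flows, ouis):
    """Sum bytes per normalized MAC whose OUI is in `ouis`.
    Returns (totals, skipped); skipped holds unattributable MACs."""
    totals, skipped = defaultdict(int), []
    for flow in flows:
        mac = normalize_mac(flow["mac"])
        if mac is None or is_locally_administered(mac):
            skipped.append(flow["mac"])
        elif mac[:8] in ouis:
            totals[mac] += flow["bytes"]
    return dict(totals), skipped

def avg_bits_per_second(total_bytes, seconds):
    """Average rate over the reporting window."""
    return total_bytes * 8 / seconds
```

Reviewing the `skipped` list alongside the totals shows how much traffic a vendor-prefix report cannot attribute to any device family.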
Finding BYOD Devices
Many NetFlow and IPFIX capable devices export authentication details which allow administrators to click on your user name and display the IP addresses you have authenticated onto the network with. Believe it or not, this can help us find misplaced BYOD devices.
Using the find IP address utility found in just about any IPFIX and NetFlow analyzer, we can narrow the search down to a specific switch and port. If the phone is actively connected to a wireless access point, we can narrow the search down to a floor or wing of a building.
If you need any help getting these additional fields exported in your flow templates, give me a call. (207)324-8805
-Scott