How to enable egress NetFlow

Posted in NetFlow, Network Traffic Analysis on March 9th, 2010 by Paul

Working in technical support, I get asked a lot, “I enabled NetFlow on my router, why don’t I see outbound traffic?” This is because NetFlow version 5 only supports ingress flow monitoring and they don’t have NetFlow enabled on all interfaces. In NetFlow v5, outbound traffic is calculated on the principle that what goes in must go out (or stop at the router), so all interfaces must be monitoring ingress traffic to get an accurate representation of outgoing traffic. So, if ingress monitoring has been working great all along, why enable egress monitoring?

Paul Dube
Technical Support

How to Configure Windows nProbe to Send NetFlow

Posted in NetFlow, Network Traffic Analysis on February 23rd, 2010 by Paul

You’ve installed Scrutinizer only to find out that your network hardware doesn’t support NetFlow or sFlow; what now? If you’re in this situation then you’ve come to the right place. I’ve put together a guide on how to configure a Windows nProbe to send NetFlow v5 to your favorite NetFlow collector and analyzer.

Scrutinizer Gadget Hax! – The ethical kind that is…

Posted in NetFlow on December 18th, 2009 by nathanh

With today’s blog, I want to do two things for my customers: the first being to remind you that any custom report filters you create can be imported into MyView.

Secondly, once you import that report into MyView, how to hack the bejeezus out of it to get what display you’d like.

Let me explain…

Create your own NetFlow tools with Scrutinizer

Posted in NetFlow Analyzer on October 8th, 2009 by jimmyd

I was working with a call center that had a problem with high bandwidth usage and he wanted to know if Scrutinizer NetFlow & sFlow Analyzer would be able to help him out. They were seeing a lot of Facebook traffic on their network and wanted to be able to see if it was coming from the call center.

I let him know that with Scrutinizer, he could add a filter to show him all of the Facebook traffic on his network and limit it to the traffic from a certain IP range. He could also add a filter that would monitor his NetFlow data and alert if a certain amount of Facebook traffic originated from that IP range.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

The low down on Cisco ASA’s NetFlow

Posted in NetFlow, NetFlow Analyzer on August 26th, 2009 by jimmyd

We just released the new Scrutinizer 7.0 and finished shooting the new NetFlow Rap video. Things have been crazy here at work.

I just saw a tweet asking how NetFlow is handled on the ASA. Since Scrutinizer handles the flow from the ASA, I thought I would post the information I have from Cisco explaining how NetFlow is handled in the ASA.

Using NetFlow to tell if your network is part of a botnet, Part 1

Posted in IT News, NetFlow, NetFlow Analyzer, Network Traffic Monitor, Security on August 12th, 2009 by NewsTrax

Distributed denial of service (DDoS) attacks are unfortunately par for the course on the Internet these days, but when high-profile sites are targeted, the attacks are big news. Take, for example, last week’s DDoS attack on Twitter, which the microblogging site speculated was geopolitical in motivation.

Quick overview of DDoS

DDoS attacks are often caused by botnets flooding Web sites with requests, thus bringing the site’s Web servers to their knees. A botnet is a collection of computers that have been compromised by viruses and worms so that they can be controlled by malicious individual(s). An example could be the collection of computers compromised by Conficker; however, a Conficker botnet has yet to be leveraged to do harm.

In the case of Twitter, the irony is that it could have been the compromised computers of some of Twitter’s own users that caused the DDoS.

IP flow-cache timeout active – Are you using it?

Posted in NetFlow, Network Problem Resolution on July 24th, 2009 by nathanh

With flow monitoring becoming a practical solution for traffic analysis, numerous vendors have created their own version of flow export for their devices. Regardless of whether you are working with NetFlow, sFlow, Netstream, or jFlow, each device’s exportation method is similar.

Consider the command: ip flow-cache timeout active 1

I wanted to cover this command that is native to Cisco devices using NetFlow, simply because everyone forgets to use it. But before I rave about how important it is, just remember that this configuration can be found in various forms, across multiple vendors. Here’s a brief list:

Cisco Systems 7600 Series and NetFlow – Not an ordinary router

Posted in Denika, NetFlow, Network Problem Resolution, Network Traffic Monitor, SNMP, Scrutinizer on July 20th, 2009 by Raul J Duran

“Why don’t I see my VLAN traffic?” was the question one of our customers asked me the other day. Although other Cisco models were exporting flows properly, it seemed that all of his Cisco 7600s were underreporting traffic.

Cisco Systems 7600 router options

Can I save the world one coffee cup at a time?

Posted in General on July 18th, 2009 by jimmyd

Now for something completely different . . . . .

I don’t know why, but I got it in my head to reuse the Kcups in our office coffee machine. Don’t get me wrong, the Keurig single-cup coffee maker is awesome. I have one at home, but I could never get over throwing the little cups away. Seemed a waste.

At home, I have the reusable containers. This eliminates the need to use the prepackaged Kcups. After a quick Google search I found these little plastic lids that cover the Kcup, allowing you to reuse it. I figured that I could replicate that here in the office.

NetFlow and NAT – How can I see the true source/destination address?

Posted in NetFlow, Network Problem Resolution, Network Traffic Analysis, Scrutinizer on July 17th, 2009 by nathanh

No matter what Cisco NetFlow collector software you may be running, you may have noticed that when your firewall NATs an address, it becomes the source or destination within your flows, and thus makes NetFlow a lot less useful.

Let me provide you with an example in Scrutinizer.

NAT

Note the series of conversations coming in from the web, as shown above, and how the destinations all show the NAT address of 66.186.x.x.

Let’s look at the traffic coming from host vs.mcafeeasap.com. How can we find out who the destination host is within our network that is generating this traffic?

First things first; these conversations are from records generated by the Internet router. Since the traffic by this time has already been NATTED, we should find this traffic before it hits the router…

So let’s go to my internal switch.
