NetFlow Monitoring now within reach of the home office

Posted in NetFlow Analyzer, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on February 16th, 2010 by Jo-G

Thanks to Jimmy D, our renowned International Sales Channel Manager, we have a proven solution for monitoring NetFlow traffic for home users.

A situation arose for Jim where his wife and daughter would be in Florida caring for his parents while he was still here in Maine. The geek that he is, he didn’t want distance to keep them apart.

So he decided to provide voice, video, and network monitoring while they were in Florida. To achieve this, he decided to set up a small embedded server rack in his parents’ Florida home. This would allow for VoIP, Video, network traffic monitoring, and a web server.



Cisco ASA NetFlow supports bidirectional flows

Posted in ASA, NetFlow, NetFlow Analyzer, Network Health Report, Scrutinizer on October 14th, 2009 by jimmyd

If you are running Scrutinizer v7.01, the Cisco ASA interfaces don’t show up in the Status tab yet. It was a philosophical decision. Here’s why:

The ASA running v8.2.1 exports bidirectional NetFlow! This is unlike anything else we’ve seen. In nearly all NetFlow exports (v5, v9, IPFIX, etc.) flows are exported in one direction (i.e. A -> B and then a separate flow for B -> A). This is true for ingress or egress NetFlow. For example, let’s say A -> B creates a flow of 200KB. Then in return, B -> A causes a 2nd flow of 40KB. Well, the developers of the ASA decided to be unique and add the two flows together and export A -> B 240KB!!!! The two added to each other is called a bidirectional flow.

Because of this, when we calculate the percent utilization using NetFlow (i.e. not SNMP) by adding the total flows together we overstate InBound/OutBound utilization in the Status tab. We are talking with Cisco about this unconventional export method. We have no definitive news yet.

NOTE: The ASA also doesn’t support an Active Timeout, which causes huge spikes in the graphs and makes network traffic analysis kind of tricky: traffic that occurred over several minutes shows up in a single minute!

If you are seeing some screwy results with ASA and NSEL, the above is why. Anyway, everyone can blame Mike for not sticking the data in the Status tab!
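As an added example (not Plixer or Scrutinizer code), the following constructed flow records show how the two ASA behaviours above distort a collector’s numbers, and one way a collector can compensate for the missing Active Timeout by spreading a flow’s bytes across the minutes it actually spanned. The record field names (ifindex, direction, bytes, start, end) are assumptions.

```python
"""Added example, not Plixer/Scrutinizer code. Constructed flow records
illustrate the ASA bidirectional export and the missing Active Timeout."""
from collections import defaultdict

def direction_totals(records):
    """Bytes per (interface, direction). A conventional exporter sends A->B
    and B->A as separate records; the ASA sends one record holding both byte
    counts, so a collector that credits it to a single direction overstates
    that direction by the reverse traffic."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["ifindex"], r["direction"])] += r["bytes"]
    return dict(totals)

def utilization_pct(nbytes, link_bps, interval_s):
    """Percent utilization of a link over an interval, computed from flow bytes."""
    return 100.0 * nbytes * 8 / (link_bps * interval_s)

def spread_bytes_per_minute(flow):
    """Distribute a flow's bytes across the minute buckets it spanned, in
    proportion to how much of each minute it covered. Without an active
    timeout the exporter reports a long flow only once, at its end; binning
    all of it into that one minute is what produces the spikes."""
    start, end, nbytes = flow["start"], flow["end"], flow["bytes"]
    duration = max(end - start, 1)
    buckets = defaultdict(float)
    t = start
    while t < end:
        boundary = min((t // 60 + 1) * 60, end)  # end of this minute, or of the flow
        buckets[t // 60 * 60] += nbytes * (boundary - t) / duration
        t = boundary
    if not buckets:                              # zero-length flow: all in its own minute
        buckets[start // 60 * 60] = float(nbytes)
    return dict(buckets)

def naive_bytes_per_minute(flow):
    """What a collector gets if it credits the whole flow to the minute it was exported."""
    return {flow["end"] // 60 * 60: float(flow["bytes"])}

# Constructed: the 200KB / 40KB exchange from the post, first as a
# conventional unidirectional pair, then as the ASA's single summed record.
UNIDIRECTIONAL = [{"ifindex": 1, "direction": "in", "bytes": 200_000},
                  {"ifindex": 1, "direction": "out", "bytes": 40_000}]
ASA_BIDIRECTIONAL = [{"ifindex": 1, "direction": "in", "bytes": 240_000}]

# Constructed: a five-minute transfer reported once, at its end (epoch seconds).
LONG_FLOW = {"start": 0, "end": 300, "bytes": 300_000}
```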

Here is a pic of our ASA:

Our Cisco ASA

Need help configuring NetFlow export from the ASA? You can also set up NetFlow exports using Cisco ASDM. Make sure you have watched the Cisco ASA and NetFlow training video.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

NetFlow – The invaluable network management troubleshooting tool

Posted in NetFlow, NetFlow Analyzer, Network Problem Resolution, Network Traffic Analysis, Network Traffic Monitor on July 31st, 2009 by nathanh

This is Brighton. He is currently 3 1/2 years old and he’s my son. He’s very much like his mother, with a strong will and a fierce determination that will make him successful in about anything he does.

However, that same determination also sometimes makes his parents want to carve their brains out with a spoon.

He’s at that stage where he will repeat the same thing over and over and over and over until everyone immediately stops what they are doing to address his needs.

For example:

Staying out of the rain using network forecasting

Posted in Denika, SNMP on May 29th, 2009 by nathanh

Yet again, it’s raining here in Maine. I think it has been raining for four days straight and now I’m beginning to get a little antsy to see some sunshine.

Usually, I don’t watch the Weather Channel. I just take every day as it comes and adapt to the weather. If I wake up and it’s rainy and cold, I wear something warmer. If it’s bright and sunny, I wear a t-shirt.
I’m simple that way.

But when we have a run in weather like this, I ask myself: “When is this going to end?!?”
That’s when I break out of my normal habit and check the forecast for the next couple days. I must admit, there is a sense of peace knowing that the rain SHOULD end by tomorrow night.

Much like monitoring the weather, you can use SNMP to monitor your daily, weekly or even monthly traffic statistics to help you project what tomorrow may bring.

What does your network forecast look like for the next week?

Notice the Port Utilization graph shown above: Not only does it provide statistics based on current data collected, it also estimates future projections based on your current trend using those strike lines.

With limiting budgets, it’s more difficult to rationalize spending on a new DS3 circuit for the company. However, network performance monitoring applications, such as Denika, make life easy by forecasting network growth, so that you can see a problem before it ever begins.
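The trend line the post describes is a least-squares fit over the collected utilization samples, projected forward. The following is an added example (not Denika’s code) that computes that projection from constructed daily SNMP port-utilization readings and reports how many days remain before a link crosses a capacity threshold.

```python
"""Added example, not Denika's code: linear trend and forecast over daily
port-utilization samples. Sample data is constructed; a real collector would
feed it from ifInOctets/ifOutOctets deltas expressed as percent of link speed."""

def linear_trend(samples):
    """Least-squares line y = a + b*x through (day, percent_utilization) points."""
    n = len(samples)
    sx = sum(x for x, _ in samples)
    sy = sum(y for _, y in samples)
    sxx = sum(x * x for x, _ in samples)
    sxy = sum(x * y for x, y in samples)
    denom = n * sxx - sx * sx
    if denom == 0:                        # every sample on the same day: no trend
        return sy / n, 0.0
    b = (n * sxy - sx * sy) / denom
    return (sy - b * sx) / n, b

def forecast(samples, day):
    """Projected utilization (percent, clamped to 0..100) on a future day."""
    a, b = linear_trend(samples)
    return min(100.0, max(0.0, a + b * day))

def days_until(samples, threshold_pct):
    """Days after the last sample until the trend crosses threshold_pct.
    None if utilization is flat or falling; 0.0 if the threshold is already past."""
    a, b = linear_trend(samples)
    if b <= 0:
        return None
    last_day = max(x for x, _ in samples)
    return max(0.0, (threshold_pct - a) / b - last_day)

# Constructed: one week of daily peak utilization (percent) for a WAN port,
# growing steadily, and a second port that is flat.
GROWING_PORT = [(d, 38.0 + 1.5 * d) for d in range(7)]
FLAT_PORT = [(d, 50.0) for d in range(7)]
```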

Think about this: Would you feel better knowing that tomorrow was always going to be a bright and sunny day?

-Nate


NetFlow Detective – The case of the missing notes

Posted in General, NetFlow, Netflow Detective, Scrutinizer on May 18th, 2009 by jimmyd

It was a cold afternoon here in the city, colder than your normal spring afternoon. Things had been hectic here in the office lately, but I had a feeling that things were going to get much, much busier.

A tall man walked through the door.

“Are you the Cisco NetFlow detective?” he asked.

“Yes, I am. What can I do for you?”

“I’m in trouble, big trouble!” he said.

“What kind of trouble?” I knew that he was in trouble from the second I saw him; it’s the kind of trouble that haunts a man, the kind that brings him to a guy like me.

“Jimmy, I’m getting logs from the IDS and firewalls notifying me of an intrusion attempt. They are trying to communicate to a local IP, but I don’t know who that local IP is or who else they were talking to.”

“What’s even worse is that our school district was awarded a technology grant that makes us a beacon school for technology. These hacks are getting out to the news and my job is on the line. The school board is calling for an investigation into my actions. I don’t know what else I can do!”

“Don’t worry Joe, I’ve seen this before and I can help you out. Let’s look at your network. What do you have behind that firewall?”

“We have multiple Cisco routers and three Catalyst switches.” said Joe.

“Good news Joe, they support Cisco NetFlow. This will be easy.”

Joe looked confused. “What’s Cisco NetFlow?”

“NetFlow is a protocol developed by Cisco to help you manage your network traffic. It gives you a record of each conversation. It can tell you who is talking on your network, who they are talking to and what they are saying. We’ll use Scrutinizer to help us manage and report on it. It will find out where the issue is.”

After a few minutes Jimmy D and Joe had set up Scrutinizer and were successfully sending flows from all the switches and routers.

“Now we need to let it gather some data. Let’s get together in the morning.”

The Next Day:

“First, let’s take a look at the firewall logs.”

As we browsed through the list, something caught my attention. It appeared the attacks were coming from a 66.122.5.200 address. We then created a custom report in Scrutinizer to reveal who was attempting to communicate with this address. We already knew that the internal machine wasn’t getting to the IP in question, but we still wanted to know who was trying to communicate with it. It could be a virus or worse.

We first resolved the outside IP of 66.122.5.200 and it returned the host www.hackedquiznotes.tv. We then created a custom report that generated all conversations to and from that IP. On a hunch, I decided to report on the router that served the student level of the campus.

We ran the report and found the issue.

“Look, from here we can see that this workstation is trying to communicate with that IP. We can also see that they were using port 6609. Let’s go down to that lab and look at that machine.”

Soon Jimmy D and Joe were in the computer lab face-to-face with a student.

“Ben, this is Detective Jimmy D and he is looking at some issues with our network,” said Joe.

“Excuse me for a moment Ben, I need to check something on that computer.” Joe and I sat down at the computer while Ben stood over by the door.

“Haven’t I seen him before?” I asked.

“You might have seen Ben in the paper. He and his father helped break ground on the new CBA Network Management building. CBA Network is one of the companies asking the school district to outsource their network solutions to them. They are trying to cut costs.”

I started typing and the pieces started to come together… The picture wasn’t good.

“Joe, it looks like Ben added an app that monitors certain folders for any activity. Once activity is detected it uploads that file to a remote site. In this case, it is www.hackedquiznotes.tv, via port 6609.”

“That’s not right. Ben wouldn’t have access like that…”

Joe quickly sat down at the computer and checked on the user name that was running that service. The user name was abcnm and it had been created two weeks ago by Jon, the Jr. Admin.

Joe turned to me and had a horrible look on his face.

“What’s wrong, Joe?” I said.

“I can’t believe it,” said Joe. “Two weeks ago Jon, my Jr. Admin, was passed up for the Admin position. He was very upset that I had gotten the job. He wanted it, and wanted it bad.”

“Why do you think he did this?” asked Joe.

Joe quickly turned to Ben and asked, “What do you have to say about this?”

All of a sudden a look of anger came over Ben’s face, the kind of anger you see when the senior quarterback misses the last touchdown in the last second of his last game ever.

“Arggg, I would have gotten away with it, if it wasn’t for him!” yelled Ben. “My dad was going to buy me a new car if he won this contract. So I made sure Jon would take over your job in the new building. The district would have gotten rid of you by then!”

“Ahh, I see,” said Joe. “Well, I think that you need to speak with Vice Principal Flanagan. I’ll bet he will want to contact the District and your father!”

“Thank you Jimmy D. You have saved my position!”

“Not a problem Joe, that is my job.”

Although quite a bit of this story is fictional, it is based on a real life call. Some of the names have been changed to protect the innocent.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Monitoring Remote Employees with Scrutinizer

Posted in General, Scrutinizer on May 4th, 2009 by Raul J Duran

Remote employees are becoming more popular in almost every industry today. And why not? Remote sales people can prospect for customers in a geographical area that is too far from the business. Remote employees can dramatically lower facilities costs too. It’s not for everyone though. Some great employees can be easily distracted and produce less. Others can lose the structure of a work day and start working many more hours, causing burnout. So how would you know if working from home is really a good fit for an employee?

Scrutinizer not only tells you a lot about an employee’s work habits, it can also tell you a lot about how much that employee costs the company in terms of bandwidth.

Remote Employee Bandwidth Consumption

We don’t have many remote employees, but we do have some. I decided to trend myself one day while working from home. I was surprised to see how much more bandwidth was consumed by VoIP in comparison to everything else. I can also see how my traffic impacted the inbound pipe. In this case the extra bandwidth consumption wasn’t too much of a big deal, but 20 more remote employees may put too much of a load on this specific interface.

I can drill in to any of the protocols listed above to see specifics on when I started working and which internal resources I was using.

I think overall the success of a remote employee really depends on the individual and whether they have the discipline to do their job, and let it go once the day is done. 

In my case I wanted to see what was happening when the other person on the line said I was breaking up.  After setting up QoS on my home router and doing everything else that I could, it just comes down to me having a slower than desired upload speed.  So if I want to work from home, I better get some faster internet service.

Raul J Duran


New resource shows how to test for Conficker vulnerabilities

Posted in General on April 21st, 2009 by jimmyd

Over the weekend I spent quite a bit of time watching some of the awesome IT security videos that are offered on The Academy Pro web site. I couldn’t believe all the valuable step-by-step information that this site offers. Believe it or not, I had a goal. I needed to learn more about “Conficker”.

We have already covered how to detect “Conficker” traffic via Scrutinizer’s Flow Analytics application in my buddy Milton’s blog back in March. In the NetworkWorld article titled “Downadup/Conflicker worm: When will the next shoe fall?”, Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks, is quoted as saying, “It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs”. So how can we prevent this from happening?

My goal was to conduct a security audit for such a vulnerability. That is where TheAcademyPro comes in. The TheAcademyPro web site was created by Peter Giannoulis, a well-known information security consultant and author. Check out this awesome interview with Peter on Hak5. They just started a series on how to conduct vulnerability scans for Conficker:

Conficker vulnerabilities with Core Impact – Posted on April 20th, 2009

“Everybody’s had to deal with Conficker over the last little while, but many don’t realize exactly how easy it is to exploit a system using the targeted vulnerability. Let’s begin the week by manually exploiting Conficker vulnerabilities with Core Impact 8 modules.”

Now I have a bit more information and might be able to conduct a security audit soon. I will keep you posted.

____________________________________
Jim Dougherty aka "Jimmy D"
Lead PreSales Support Engineer and
Netflow Evangelist for Plixer International!

Follow me on Twitter
http://twitter.com/jimmydnet
____________________________________

Scrutinizer Class Map Reporting

Posted in General, Network Traffic Analysis, Scrutinizer, Voice Over IP Stress Test on February 16th, 2009 by Raul J Duran

There is no question that our network monitoring tools are our eyes into how our network is being utilized. Moreover, to truly gauge whether changes made to the network have increased efficiency, it’s critical to have performance trends from before and after the changes are made.

Scrutinizer QoS reporting can be the key to troubleshooting or evaluating network performance of traffic going through QoS queues. 

Today we’ll talk about how we can use Scrutinizer’s custom reporting to analyze the traffic associated with QoS and class maps.

We know that to create a class map, we can specify the DSCP value we want to be included in the class map.  In the map below we can see that EF in the name column corresponds to a codepoint of 10111000, for example.
TOS chart

Scrutinizer allows class map reporting by simply adding the Diffserv codepoints assigned to the DSCP values of your class map to your custom report. It’s just as if you were creating a class map, except that instead of the DSCP value you use the codepoint.

Let’s say we have a router with a VoIP class map configured to include the EF DSCP Value.  Let’s also say we want to analyze traffic associated with this class map on this specific router.   

All I need to do now is to create a custom report in Scrutinizer where I have included the 10111000 (EF) Codepoint, select interfaces belonging to this router, and I’m instantly viewing a report of all the traffic flowing through my VoIP class map.
Scrutinizer class map report

We can also use this same technique to create a custom report on a class map that hasn’t been rolled out yet, so that you can verify that the changes made to the router configuration have resulted in the changes intended in traffic flow. 
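The mapping the post relies on (DSCP name to the 8-bit codepoint shown in the chart, e.g. EF to 10111000) and the resulting class-map report can be reproduced over raw flow records. The following is an added example, not Scrutinizer code; it goes slightly beyond the post by masking the two ECN bits so that EF packets marked for congestion still land in the VoIP class. Flow records and the field names (tos, in_if, bytes) are constructed assumptions.

```python
"""Added example, not Scrutinizer code: build a class-map report by selecting
flow records whose ToS byte carries one of the class map's DSCP values."""
from collections import defaultdict

# Standard Diffserv assignments (6-bit DSCP values).
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "CS5": 40, "BE": 0}

def dscp_to_codepoint(name):
    """The 8-bit codepoint string shown in the chart, e.g. EF -> '10111000'.
    The DSCP occupies the top six bits of the ToS byte; the chart leaves the
    low two (ECN) bits at zero."""
    return format(DSCP[name] << 2, "08b")

def class_map_filter(class_map, interfaces):
    """Matcher equivalent to the custom-report filter: the flow's DSCP bits are
    in the class map AND the flow entered on one of the router's interfaces.
    Shifting out the ECN bits means a congestion-marked EF packet still matches."""
    wanted = {DSCP[n] for n in class_map}
    return lambda r: (r["tos"] >> 2) in wanted and r["in_if"] in interfaces

def class_map_report(records, class_map, interfaces):
    """Bytes per inbound interface for traffic that falls into the class map."""
    match = class_map_filter(class_map, interfaces)
    totals = defaultdict(int)
    for r in records:
        if match(r):
            totals[r["in_if"]] += r["bytes"]
    return dict(totals)

# Constructed sample flows from one router with two interfaces.
SAMPLE_FLOWS = [
    {"in_if": "Gi0/0", "tos": 0xB8, "bytes": 12_000},   # EF, voice bearer
    {"in_if": "Gi0/0", "tos": 0xBA, "bytes": 3_000},    # EF with ECN bits set
    {"in_if": "Gi0/0", "tos": 0x00, "bytes": 500_000},  # best effort
    {"in_if": "Gi0/1", "tos": 0xB8, "bytes": 8_000},    # EF on the other interface
    {"in_if": "Gi0/1", "tos": 0x88, "bytes": 7_000},    # AF41, video
]
```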

Ideally, the administrator would pair this with a Cisco IP SLA Jitter monitor that would also give stats on:

• Latencies including source to destination, destination to source, and jitter. 
• MOS Score if the class map affects VoIP Traffic
• Packet Loss metrics including late, or out of sequence packets, and tail drop.

By comparing the before and after statistics, verification can be made of increased efficiency and everybody is happy.

If you would like information on how to set up the Cisco Jitter IP SLA, check out the four-part Cisco IP SLA blog series on Systrax.

Raul J Duran


WebNM, a Tool for Monitoring

Posted in WebNM on December 10th, 2008 by Jon Mills

WebNM is a management platform that allows you to monitor any resource on your network. You can monitor hosts, servers, applications, network devices, interfaces, and databases at the click of a mouse. The WebNM platform is reliable, scalable, and easy to learn. You can even integrate your existing applications with WebNM seamlessly, allowing you to customize the software as needed.

The architecture of WebNM provides close monitoring of all the above-mentioned resources. The program doesn’t install agents on any of your servers, so there’s no drain on your resources. WebNM can monitor all of your network devices and servers and provide feedback in the form of reports and anomaly alerts. You can set up regularly scheduled email reports to let you know the exact status of all of your servers and other devices. Again, there’s little or no resource drain on your hardware devices, so your systems get monitored at very little cost in system resources.

WebNM uses synthetic transaction monitoring to watch your databases and applications. There is no transaction that’s too complex for WebNM. It will monitor any use of any operating system. If you look up something in a database table, log in to an application, or transfer files from one location to another, the action will be noted by WebNM. The software also archives the events, allowing you to see your system’s response time and chart its availability.

WebNM offers a number of other options. It can provide service level management, VoIP management, executive dashboards, server and network monitoring, and netflow analysis. All of these options can help you know exactly what your system is doing and when it does it.
