You’re in the market for a NetFlow Traffic Analyzer.  What are the key features that you’re looking for?  What makes one NetFlow analyzer stand out from the rest?  Do you have a list of “must haves”?

Such as support for Flexible NetFlow, IPFIX reporting, portable network maps?  How about automated NetFlow configuration on your routers and switches?  Is customization of the web interface important to you?  Multiple language support critical?
Read more »

I was talking with our newly appointed Pre-Sales Support Specialist, Scott, the other day when we realized that we don’t have a NetFlow Glossary blog, so I wanted to take this opportunity to consolidate some resources and highlight some of the key NetFlow terminology that we find ourselves talking about on a daily basis.

NetFlow Terminology:

Bidirectional Flows
Flexible NetFlow
Ingress vs. Egress
Interface 0
ip-flow timeout active 1
IPFIX
ip route-cache flow vs. ip flow ingress
NBAR
NetFlow Collector and Analyzer
NetFlow Exporters
NetFlow Options Templates
NetFlow Probe
NetFlow Replicator
NetFlow v5 vs. v9
NSEL
sFlow

Read more »

Paul Dube
Technical Support
Follow me on Twitter

Okay, back to the basics. We’ve been working with Cisco NetFlow technology for many years now, but what is NetFlow?

NetFlow is a traffic profile monitoring technology developed by Darren Kerr and Barry Bruins at Cisco Systems, back in 1996. At that time, network monitoring mostly consisted of seeing how much traffic was traversing your network, but did not include what that traffic was.
Read more »

A customer called the other day regarding NetFlow collection and interface descriptions not matching the correct interface instance numbers.  I’d seen this issue before and knew it was not related to the NetFlow configuration, but rather that the device in question was exporting the wrong interface information in the NetFlow packets.

Michael Patterson addressed this issue in his blog, “Messed Up Interface names in Scrutinizer” in February.

To summarize Michael’s blog, the device in question was including interface instance numbers from enterprise mibs in the NetFlow packets, and most NetFlow Traffic Analyzers get the interface descriptions from the standard MIB-2 ifIndex tables.
Read more »

Expanding upon my last blog, “Cisco’s Flexible NetFlow and LEGO Blocks“, this week I’d like to show the application of FNF’s Template FlowSet configuration in your netflow collection.

Referencing Cisco Systems “NetFlow Version 9 Flow-Record Format” whitepaper, skipping to Table 6 – NetFlow Version 9 Field Type Definitions, there is a list of the fields available to build your NetFlow v9 Template FlowSet.

In the packet capture displayed below, FlowSet 1, Template Id 257, lists the fields included in the Template FlowSet. One of the fields included in this Template FlowSet is LAST_SWITCHED (21), with 21 being the value for that field. The value is an important field, as it is unique to that Field Type.
Read more »

What does Cisco’s Flexible NetFlow (FNF) have to do with LEGO blocks?

Well, if you’ve been struggling with configuring Flexible NetFlow on your Cisco routers, using LEGO blocks as an analogy for creating the data export record can simplify the process of the FNF configuration, bringing you closer to the end goal of managing your network traffic flow.

In Brad Reese’s article “How to setup Cisco’s Flexible NetFlow (FNF) with LEGO Blocks“, LEGO blocks are used to visually display the assembly of an FNF record.

Read more »

Working in technical support I get asked a lot, “I enabled NetFlow on my router, why don’t I see outbound traffic?” This is because NetFlow version 5 only supports ingress flow monitoring and they don’t have NetFlow enabled on all interfaces. In NetFlow v5 outbound traffic is calculated by the idea what goes in must go out (or stop at the router) so, it’s necessary that all interfaces are monitoring ingress traffic to get an accurate representation of outgoing traffic. So, if ingress monitoring has been working great all along why enable egress monitoring?

Read more »

Paul Dube
Technical Support
Follow me on Twitter

I was scouring the web looking for information on NetFlow v9 the other day and came across this document on NetFlow.   I thought these slides on ‘show ip cache flow’ and ‘show ip cache verbose flow’ were interesting.  If you are trouble shooting with a customer, they can be pretty useful.  Read more »

Michael Patterson
Scrutinizer Product Manager

We had a customer approach us the other day with an nprobe issue. Apparently, he could see the NetFlow v9 data in Flow View of Scrutinizer, but he couldn’t report on the data. How come?

He sent us a Wireshark packet capture and brought up Flow View. Flow View is a way to see the raw flows (inclusive of all columns) being exported by a device.

Anyway, in Flow View everything looked normal, but then one of our developers spotted the word ‘post’ in front of a couple of import column names. We (and Scrutinizer) expect to see ‘octetDeltaCount’ and instead, the customer had configured nProbe to kick out ‘postOctetDeltaCount’.

Read more »

Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter

Most people collecting NetFlow use it in a very traditional fashion (i.e. NetFlow v5 with ingress flows). Ingress flow means that only inbound (i.e. received) traffic is collected and exported in NetFlow datagrams. This may sound like you won’t know what is going ‘out’ an interface, but have no fear. There is any easy way to calculate outbound traffic using ingress NetFlow.

Above, out bound utilization on interface 1 is determined by looking at the flows from interfaces 2,3 & 4 that are destined for interface 1. Since an ingress flow contains the source and destination interface (i.e. port of the router). Out bound traffic is determined by using ingress flows from the other interfaces. For this reason, it is important to enable NetFlow on all interfaces of the switch or router. This trick is common practice in all NetFlow reporting tools. But, what about NetFlow v9 and its support for ‘Egress’ NetFlow (i.e. traffic going out an interface)?

Read more »

Jon Mills
Marketing & Public Relations Manager
Follow Me On Twitter