How to enable egress NetFlow

Posted in NetFlow, Network Traffic Analysis on March 9th, 2010 by Paul

Working in technical support I get asked a lot, “I enabled NetFlow on my router, why don’t I see outbound traffic?” This is because NetFlow version 5 only supports ingress flow monitoring and they don’t have NetFlow enabled on all interfaces. In NetFlow v5, outbound traffic is calculated on the idea that what goes in must go out (or stop at the router), so it’s necessary that all interfaces are monitoring ingress traffic to get an accurate representation of outgoing traffic. So, if ingress monitoring has been working great all along, why enable egress monitoring?


Paul Dube
Technical Support

NetFlow Command: show ip cache flow

Posted in NetFlow on March 8th, 2010 by mike@plixer.com

I was scouring the web looking for information on NetFlow v9 the other day and came across this document on NetFlow. I thought these slides on ‘show ip cache flow’ and ‘show ip cache verbose flow’ were interesting. If you are troubleshooting with a customer, they can be pretty useful.

Michael Patterson
Scrutinizer Product Manager

nprobe: octetDeltaCount Vs. postOctetDeltaCount

Posted in NetFlow, NetFlow Analyzer, Network Traffic Analysis, Third Party Integration on March 4th, 2010 by Jon Mills

We had a customer approach us the other day with an nprobe issue. Apparently, he could see the NetFlow v9 data in Flow View of Scrutinizer, but he couldn’t report on the data. How come?

He sent us a Wireshark packet capture and brought up Flow View. Flow View is a way to see the raw flows (inclusive of all columns) being exported by a device.

Anyway, in Flow View everything looked normal, but then one of our developers spotted the word ‘post’ in front of a couple of important column names. We (and Scrutinizer) expect to see ‘octetDeltaCount’ and instead, the customer had configured nProbe to kick out ‘postOctetDeltaCount’.



Jon Mills
Marketing & Public Relations Manager

BEWARE: Cisco Egress NetFlow with Flexible NetFlow

Posted in NetFlow, NetFlow Analyzer on January 25th, 2010 by Jon Mills

Most people collecting NetFlow use it in a very traditional fashion (i.e. NetFlow v5 with ingress flows). Ingress flow means that only inbound (i.e. received) traffic is collected and exported in NetFlow datagrams. This may sound like you won’t know what is going ‘out’ an interface, but have no fear. There is an easy way to calculate outbound traffic using ingress NetFlow.

[Figure: determining outbound using ingress]

Above, outbound utilization on interface 1 is determined by looking at the flows from interfaces 2, 3 & 4 that are destined for interface 1. Since an ingress flow contains the source and destination interface (i.e. port of the router), outbound traffic is determined by using ingress flows from the other interfaces. For this reason, it is important to enable NetFlow on all interfaces of the switch or router. This trick is common practice in all NetFlow reporting tools. But, what about NetFlow v9 and its support for ‘Egress’ NetFlow (i.e. traffic going out an interface)?



Jon Mills
Marketing & Public Relations Manager

Packet Loss via Netflow: MFSN

Posted in NetFlow, NetFlow Analyzer, Network Health Report, Network Traffic Analysis, Network Traffic Monitor, Scrutinizer on December 1st, 2009 by Jo-G

How do you know if the NetFlow collector is saving or even getting all of the NetFlow datagrams that are being sent to it or that it is receiving? It is important to know if any flows are missing.

Why do we care?

This is a great question. We care because a loss of flow exports is usually caused by one of three things:

    1. The network dropped some packets
    2. The router can’t keep up
    3. The NetFlow receiver / collector can’t keep up

NetFlow sequence numbers are becoming increasingly important. When building a NetFlow collector it is important that the engine scales while staying accountable. If you look at the NetFlow v9 packet format you will notice something called the package_sequence.


Cisco ASA and Flexible NetFlow

Posted in ASA, Scrutinizer on November 9th, 2009 by scottr

Apparently the Cisco ASA is becoming a popular appliance for securing today’s businesses from the uglies that plague the Internet.  More specifically, the ASA running v8.2.1 or newer exports Flexible NetFlow (a variant of NetFlow v9). Why is this so cool?

The Key Advantages of using Flexible NetFlow on Routers:

A) User configurable ability to monitor a wider range of packet information which produces new information about network behavior: In other words, we can specify exactly what we want. This is useful if you are troubleshooting and looking for very specific information that isn’t exported in traditional NetFlow (e.g. MAC addresses, VLAN IDs, NBAR, etc.).

B) Enhanced network anomaly and security detection: Basically, Flexible NetFlow can monitor more deeply inside packets. What could this mean to the market for NBAD solutions?

C) Convergence of multiple accounting technologies into a single mechanism: This is basically reinforcing the above feature of collecting on any specific information but, using it for different purposes.  For example, maybe the NetFlow volume is so high that you have to use sampling.  This could throw a wrench into your accounting and billing plans as they likely won’t be accurate without 100% traditional NetFlow capture. Flexible NetFlow allows you to have a sampling export as well as other exports specific to traffic type (e.g. IP subnet) occurring simultaneously.


Scrutinizer v7.2 Released with Migration from v6

Posted in NetFlow Analyzer on October 29th, 2009 by mike@plixer.com

Scrutinizer v7.2 NetFlow and sFlow Analyzer has been released. A complete log of the updates is on our web site. The migration from v6.X to v7.2 is also done. Please contact Plixer at +1 (207) 324-8805 for assistance on the migration.

We are offering 2 webcasts to cover many of the new features for Network Traffic Analysis.

Michael Patterson
Scrutinizer Product Manager

Cisco Nexus 7000 supporting Flexible NetFlow

Posted in NetFlow on October 19th, 2009 by mike@plixer.com

One of our customers recently invested in a Cisco Nexus 7000. Raul (Plixer Field Engineer) visited the customer last month and had his picture taken in front of the switch just after it was installed.

Michael Patterson
Scrutinizer Product Manager

Identify more than just the ingress and egress packet throughput on your ASA Firewall

Posted in ASA, NetFlow, Scrutinizer on October 15th, 2009 by scottr

NSEL (NetFlow Security Event Logging) is the type of NetFlow exported from an ASA Firewall. The purpose of NSEL is to track firewall events via NetFlow and to have a summary of all conversations associated with that event type.

The three most popular event types that trigger a NetFlow record are:

    * flow-create
    * flow-denied
    * flow-teardown


Best Practices for Cisco WAAS Reporting using NetFlow

Posted in NetFlow on October 11th, 2009 by mike@plixer.com

Reporting on traffic impacted by Cisco WAAS using NetFlow requires the use of egress flow in NetFlow v9. Consider the diagram below where the traffic going in on interface 1 should be compressed by WAAS before it leaves on Interface 3:

[Figure: WAAS diagram]


Michael Patterson
Scrutinizer Product Manager