In Support it’s common to hear, “I’ve configured my device to export NetFlow, but it’s not showing up in Scrutinizer.” There are a number of reasons that can prevent a NetFlow exporter from showing up in Scrutinizer and I would like to demonstrate, using a packet analysis tool, how to isolate the problem. It’s very likely that if you’re involved with network traffic analysis or administration that you’ve used Wireshark at one point or another and I want to go over some common ways to use Wireshark to analyze your NetFlow traffic.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

You’re in the market for a NetFlow Traffic Analyzer.  What are the key features that you’re looking for?  What makes one NetFlow analyzer stand out from the rest?  Do you have a list of “must haves”?

Such as support for Flexible NetFlow, IPFIX reporting, portable network maps?  How about automated NetFlow configuration on your routers and switches?  Is customization of the web interface important to you?  Multiple language support critical?
Read more »

We had a customer approach us the other day with an nprobe issue. Apparently, he could see the NetFlow v9 data in Flow View of Scrutinizer, but he couldn’t report on the data. How come?

He sent us a Wireshark packet capture and brought up Flow View. Flow View is a way to see the raw flows (inclusive of all columns) being exported by a device.

Anyway, in Flow View everything looked normal, but then one of our developers spotted the word ‘post’ in front of a couple of import column names. We (and Scrutinizer) expect to see ‘octetDeltaCount’ and instead, the customer had configured nProbe to kick out ‘postOctetDeltaCount’.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

This is part 5 of a 4-part series on the ToS field (i.e. Differentiated Services Field) of IP frames. :) Yes, yes, it is the running joke in the office on how this 4-part blog actually has 5 parts. Heck, it’s a blog… who cares.
Make sure you have already read Part 1, Part 2, Part 3 and Part 4 of this blog.

Once again, I’ll pull in the WireShark capture from my first blog: Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

I received a WireShark capture from someone else the other day. He said that the default timeout was set for 30 minutes and believes that this is why the earlier capture he gave me had no templates.

He applied the following command on the Cisco ASA5505 running image asa821-k8:

“flow template timeout-rate 1″

His ASA5505 sent out about 20 different Cisco NetFlow v9 flow types and we still only captured about 15 of the ~20 templates.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

I use Wireshark all the time. In general, I just scratch the surface by using  it to test whether or not NetFlow is coming into Scrutinizer.

Golden Rule: Using an external third-party application, like Wireshark,  to test connectivity helps establish credibility in any situation.

Most people whom I speak with have a general understanding of what a packet capture is. The problem is, they don’t know how to gather or use the data once they have obtained it. So I thought I would do a little homework and find some resources that provide some basic Wireshark training for the busy IT professional.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Join the NetFlow Developments group on LinkedIn.

I was looking at a WireShark packet capture of some IPFIX traffic coming from a Nortel switch and quickly saw a few things that puzzled me.  At first, I started splitting hairs because I was thinking that if Nortel is going to market IPFIX support, it should adhere to the standard (RFC 5101).

Then again, it might have better luck working with the various NetFlow traffic analyzer solutions on the market if it makes the exported data look like Cisco NetFlow v9.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Join the NetFlow Developments group on LinkedIn.

I got back from SharkFest 2009 last night.  The people and training were awesome.  I learned about TCP windows, Nagel, Stevens graphs, and more … wow.  I definitely learned more about how WireShark can Go Deeper.

Check this out, I got to have lunch and discuss some stuff with Gerald Combs, the founder of WireShark.  I can prove it; here I am having my picture taken with him!

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Q: What is the difference between Cisco NetFlow v9 and Cisco NetFlow v5?
A: Four versions.

Heh heh, I slay me! Alright, sort of stupid I know. I’ll get serious about this.

NetFlow v5 is by far the most popular version of Cisco NetFlow. I would say over 90% of our customer base uses NetFlow v5.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!

Since I posted my last blog “Wanted: Cisco ASA NetFlow packet capture” I have received a few files. Thank you.

It was quite a process as those who were kind enough to send me a WireShark capture with lots of v9 packets quickly learned that the file was useless without the Cisco NetFlow v9 templates.  Templates are sent out as often as 1-30 minutes.  Guess what the default rate is. 

One customer sent us a 5-minute capture from his Cisco ASA 5505. It sent out about 20 different flows types and we still only captured about 15 of the ~20 templates. As you may know, WireShark needs the templates to go back and decipher the flows captured prior. Without the templates, the NetFlow v9 packet capture is pretty much useless.

Read more »

For a free 30 day trial of Scrutinizer, Download Now!

Sign up for Advanced NetFlow Training™ coming to a city near you!