Scrutinizer Frequently Asked Questions

Q1. What is NetFlow?
Q2. What is sFlow?
Q3. What are the different versions of NetFlow available?
Q4. How is NetFlow different from traffic analyzers like MRTG?
Q5. Is Cisco the only vendor supporting NetFlow?
Q6. Is a trial version of Scrutinizer available for evaluation?
Q7. What are the differences between the free and commercial version?
Q8. What are the system requirements?
Q9. How do I enable NetFlow or sFlow on my router/switch?
Q10. How do I find out if my Cisco equipment supports NetFlow?
Q11. What if I need features that Scrutinizer doesn't support?
Q12. Does it support other Languages?
Q13. How will enabling NetFlow affect the performance of the router/switch?
Q14. How long do I have to wait before the graphs are populated?
Q15. Why are some interfaces labeled as IfIndex2, IfIndex3 or just 1, 2, 3, etc.?
Q16. How do I enter IP to name resolutions so that Scrutinizer doesn't have to use the DNS to resolve IPs?
Q17. Scrutinizer related services are not starting or not installed properly. What do I do?
Q18. Overall utilization on the interface appears to be understated. Why would this be?
Q19. How do I delete all DNS resolutions in Scrutinizer?
Q20. How do I setup my router to forward netflows to two destinations?
Q21. How do I enable remote access to MySQL?
Q22. How do I replace the Telnet option in Scrutinizer with an SSH client?
Q23. Why are my graphs reporting over 100% utilization?
Q24. How do I find out if any updates are available for Scrutinizer?
Q25. I have forgotten my Scrutinizer password. How do I find out what it is?
Q26. What do I do if the Apache server doesn't get setup as a service during the Scrutinizer install?
Q27. Why do I have a blue box over my graphical trends?
Q28. How do I setup SSL with Scrutinizer?
Q29. What are the known bugs?
Q30. Why do I receive a "Somix product already installed" error when trying to install Scrutinizer?
Q31. How do I use a different drive for storing data?
Q32. How do I interpret the nProbeLive traffic?
Q33. Why don't all of the colors print correctly when I try to print an emailed report?
Q34. Can Scrutinizer run in VMWare?
Q35. How do I install Scrutinizer on Windows Vista?
Q36. How do I exclude Scrutinizer in Symantec AntiVirus?
Q37. How do I setup integration between Scrutinizer and WhatsUp Gold v11?
Q38. Why am I seeing "XX" in my select boxes in Firefox 2.0.0.4?
Q39. My clickable links on the Flash map don't work! I'm using Firefox 2.0.0.4.
Q40. Why are my IPs not resolving, even though I have configured my DNS properly in Windows?
Q41. What can be done to speed up the interface of Scrutinizer?
Q42. I'd like to change the mySQL "scrutinizer" user password from the default to something more secure. Is there anything else I need to do other than set the password in mySQL?

Q1: What is NetFlow?
Cisco® NetFlow technology is an embedded feature within Cisco IOS routers and high end switches (e.g 6500 series). NetFlow data records consist of information about source and destination addresses, along with the protocols and ports used in the end-to-end conversation. Scrutinizer uses this information to generate graphs and reports on traffic patterns and bandwidth utilization. More information can be found here.

Q2: What is sFlow?
Unlike NetFlow which aggregates multiple conversation streams into a single packet, sFlow is a packet sample of traffic. Although it offers 100% of the packet, when used strictly for IP accounting, it is unreliable. More information can be found here.

Q3: What are the different versions of NetFlow available?
Version 1 is the original format supported in the initial NetFlow releases, while version 5 is the standard and most common NetFlow version deployed. Version 5 is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. Version 6 is similar to version 7. This version is not used in the new IOS releases. Version 7 is an enhancement that exclusively supports NetFlow with Cisco Catalyst 5000, 6500 and 7600 series switches. Version 8 is an enhancement that adds router-based aggregation schemes. It was introduced to reduce resource usage, and includes a choice of eleven aggregation schemes. Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), and Multi Protocol Label Switching (MPLS). Versions 2, 3 and 4 either were not released.

Scrutinizer currently supports NetFlow versions 1,5,6,7 and 9. It also supports sFlow version 2, 4 and 5. IPFIX, JFlow and NetStream are also supported.

Click here for more details.

Q4: How is NetFlow different from traffic analyzers like MRTG?
MRTG and other such equivalent tools provide information that is largely limited to SNMP statistics. NetFlow is more geared toward application-level details such as hosts, protocols, and conversations, which are an inherent part of IP traffic.

Q5: Is Cisco the only vendor supporting NetFlow?
NetFlow technology was invented by Cisco, and Cisco IOS devices offer NetFlow compatibility. There may be other vendors offering NetFlow support on their devices. Scrutinizer has been tested on over a dozen different vendors.

Q6: Is a trial version of Scrutinizer available for evaluation?
Yes. A free version of Scrutinizer can be downloaded from here. You can get an evaluation license to try the full version by filling out this form.

Q7: What are the differences between the free and commercial version?
The commercial version of Scrutinizer NetFlow & sFlow Analyzer includes the Flow Analytics add-on module, which adds historical data retention and network behavior analysis.

Q8: What are the system requirements?
Scrutinizer's system requirements are detailed here.

Q9: How do I enable NetFlow on my Cisco Router?
Here are detailed instructions on how to enable NetFlow on Cisco routers and switches.

Q10: How do I find out if my Cisco equipment supports NetFlow?
Review the NetFlow Services Solutions Guide to find out if you have a NetFlow compatible Cisco router or switch.

Q11: What if I need features that Scrutinizer doesn't support?
At plixer, we understand that our software needs to be flexible. If you want a feature added, we may be able to work with you. Click Here to learn about our professional services.

Q12: Does it support other Languages?
Support for other languages is currently in development.

Q13: How will enabling NetFlow affect the performance of the router/switch?
For detailed information on exactly how enabling NetFlow will affect the performance of your Cisco router or switch, review the NetFlow Performance Analysis whitepaper [PDF].

Q14: How long do I have to wait before the graphs are populated?
Less than 5 minutes. Make sure you have the NetFlow configured correctly on the router or switch. You might want to try debug mode.

Q15: Why are some interfaces labeled as IfIndex2, IfIndex3 or just 1, 2, 3, etc.?
This happens if the interfaces did not respond to the SNMP requests sent by Scrutinizer. Bring up the SNMP view that lists all the interfaces and click the Update button. Click here to learn more.

Q16: How do I enter IP to name resolutions so that Scrutinizer doesn't have to use the DNS to resolve IPs?
Edit this file: C:\WINDOWS\system32\drivers\etc\hosts and enter the IP to name translations.

Q17: Scrutinizer related services are not starting or not installed properly. What do I do?
Note: This issue is relevant to Scrutinizer version 6 only.
If services, such as Apache, are not installing or starting properly, changes may need to be made to the Windows DEP settings.

Make sure you have administrative rights for the computer Scrutinizer is being installed on. Do not install Scrutinizer via a terminal session.

Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. On any Windows XP (SP2) or Windows Server 2003 the collectd.exe and index.cgi files should be excluded from DEP or set to Windows Services only.

In order to exclude these files: Right click My Computer, select Properties and click the Advanced Tab. Next, click "Settings" under Performance and select Data Execution Prevention. Here you have the option to "Turn on DEP for essential Windows programs and services only" or "Turn on DEP for all programs and services except those I select:"

If you choose "Turn on DEP for all programs and services except those I select:", then you will need to manually add the collectd.exe, index.cgi and filed.exe files found in the "\SCRUTINIZER\html\" directory.

Click Apply and OK when done; then OK again to exit.

Once the necessary files are excluded from DEP protection, Scrutinizer will need to be re-installed.

Q18: Overall utilization on the interface appears to be understated. Why would this be?

1. Make sure NetFlow is enabled on all physical interfaces of the device. Don't be concerned with the virtual interfaces, as they will auto-appear once NetFlow is enabled on the physical interface.
   
   
2. If the hardware can't keep up with sending the NetFlow packets, it will drop NetFlows before they even leave the device. To check to see if this is the problem, login to the Cisco device.
   
Command to type: Router_name>sh ip flow export

At the bottom of the export, look for something like "294503 export packets were dropped due to IPC rate limiting". If this counter is incrementing, the hardware cannot keep up with the export demands.


3. The command below breaks up long-lived flows into 1-minute segments. You can choose any number of minutes between 1 and 60; if you leave the default of 30 minutes you will get spikes in your utilization reports.
   Command to type: ip flow-cache timeout active 1


4. The command below ensures that flows that have finished are exported in a timely manner. The default is 15 seconds; you can choose any value between 10 and 600. Note however that if you choose a value that is longer than 250 seconds Scrutinizer may report traffic levels that appear low.
   Command to type: ip flow-cache timeout inactive 15


5. NetFlow version 5 only exports IP traffic (i.e. no IPX, etc.) and no layer 2 broadcasts are exported by this version of NetFlow.

Q19: How do I delete all DNS resolutions in Scrutinizer?
Note: This issue is relevant to Scrutinizer version 6 only.
Log into the mysql prompt and "delete * from scrutinizer.hosts".

Q20: How do I setup my router to forward netflows to two destinations?
Type the "ip flow-export destination" command twice:
router-name# ip flow-export destination 10.1.1.8 2055
router-name# ip flow-export destination 10.1.1.9 2055

Q21: How do I enable remote access to MySQL?
Note: This issue is relevant to Scrutinizer version 6 only.
Follow the steps below:

1. Open a DOS command prompt on the Scrutinizer server.
2. Run the following command from the ~\SCRUTINIZER\mysql\bin directory:
   mysql -u root --password=
3. A mysql> prompt should be displayed.
4. To create a remote user account with root privileges, run the following commands:
   GRANT ALL PRIVILEGES ON *.* TO 'USERNAME'@'IP' IDENTIFIED BY 'PASSWORD';
   
   'USERNAME' is the username to be created.
   'IP' is the public IP address of the remote connection.
   'PASSWORD' is the password to be assigned for this username.
   (IP can be replaced with % to allow this user to logon from any host or IP)
   
   mysql> FLUSH PRIVILEGES;
   mysql> exit;

Click here for more information on limiting MySQL user accounts.

Note: To assign the root user with a password, run this command:
mysqladmin -u root password YOUR_NEW_PASSWORD

Q22: How do I replace the Telnet option in Scrutinizer with an SSH client?
Note: This issue is relevant to Scrutinizer version 6 only.
Follow the steps outlined in the "How to replace the Telnet option in Scrutinizer with an SSH client" document.

Q23: Why are my graphs reporting over 100% utilization?
Note: This issue is relevant to Scrutinizer version 6 only.

1. The interface speed is not correct. Scrutinizer uses the speed specified in the SNMP OID. Click on the speed of the interface to manually type in the correct speed.
2. The active timeout has not been set to 1 minute on the router.
3. Non-dedicated burstable bandwidth, where the ISP allows you to use over the allocated bandwidth.
4. Both ingress and egress NetFlow collection have been enabled on the interface. This can work properly, however NetFlow should be turned off on other interfaces. Scrutinizer works ideal when only ingress NetFlow collection is configured on all interfaces.
5. Do you have any encrypted tunnels on the interface?
   • 47 - GRE, General Routing Encapsulation.
   • 50 - ESP, Encapsulating Security Payload.
   • 94 - IP-within-IP Encapsulation Protocol.
   • 97 - EtherIP.
   • 98 - Encapsulation Header.
   • 99 - Any private encryption scheme.
   This can cause traffic to be counted twice on an interface.

Q24: How do I find out if any updates are available for Scrutinizer?
Note: This issue is relevant to Scrutinizer version 6 only.
In your local Scrutinizer install, click the Status tab. If updates are available, you will see a spinning blue icon in the upper right hand corner. If you have a proxy server, this spinning icon will always appear. Click on it to find out the latest version.

Users can also type the following commands in a command prompt, from the ~\SCRUTINIZER\html\ directory, to list the currently installed version of Scrutinizer:
index.cgi -v
collectd.exe -v

Q25: I have forgotten my Scrutinizer password. How do I find out what it is?

Version 7.x and later
In your local Scrutinizer install, type the following commands in a command prompt, from the [homedir]\bin\ directory:

scrut_util.exe -reset_admin_password [USERNAME]

The USERNAME is the name of the Scrutinizer user account to modify. When the command is executed, it will prompt for the new password, and then to re-enter it.

1. mysql -u root
2. use scrutinizer
3. select * from userslist\G;
   
   This will display all users and their passwords. If there are numerous users, you may need to scroll through to find your username and password.
   
   
4. Exit

Note: These commands must be run from the Scrutinizer server.

Q26: What do I do if the Apache server doesn't get setup as a service during the Scrutinizer install?
Note: This issue is relevant to Scrutinizer version 6 only.
This happens generally because another version of apache is installed, but currently isn't running. To fix this problem, edit the file ~\SCRUTINIZER\apache2\conf\httpd.conf using a text editor (e.g. Notepad, Wordpad, etc.). Find the line "Listen". There will be "Listen 80", or something similar, around line 54 in this file. Change this to another port such as "Listen 8181" then Save and Close the file.

Now start Apache by typing the following command from the ~\SCRUTINIZER\apache2\bin directory:
apache

Verify apache is running. It should appear to hang at the command line, press CTRL+C and execute the following so that the services gets setup correctly:
apache -k install -n scrutinizer_apache2 C:\scrutinizer\apache2\bin\

Notice the service is now listed and it is up and running. It should be configured to automatically startup on reboot.

Q27: Why do I have a blue box over my graphical trends?
Note: This issue is relevant to Scrutinizer version 6 only.
Check the version of your browser. Only IE 6+, Firefox 1.5+, and Mozilla 1.7+ are currently supported. Also, make sure you are using the "default" web browser security settings.

Q28: How do I setup SSL with Scrutinizer?
An installer with SSL support is available for eligible parties. Please contact us for the SSL installer.

Q29: What are the known bugs?
Click Here for further details on known Scrutinizer bugs that are currently being worked on.

Q30: Why do I receive a "Somix product already installed" error when trying to install Scrutinizer?
If the following registry is found, you will receive this error:
\\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App\Paths\configure.exe

The solution is to rename the registry key. This renaming will do no harm to your system and will quickly allow you to work with Scrutinizer.

Q31: How do I use a different drive for storing data?

Please note: The following procedures will not work for remote drives based on Windows shares.

Version 7.x and later

1. Stop the plixer_mysql service.
2. Copy the [homedir]\Scrutinizer\mysql\data directory to the new drive.
3. Edit the [homedir]\Scrutinizer\mysql\my.ini file, changing the drive letter for the datadir=x:[homedir]/SCRUTINIZER/mysql/data/ entry.
4. Start the plixer_mysql service.

For more information on using a different drive for stored data or storing data to a remote database with Scrutinizer version 7 or higher, please review this guide.

Version 6.x and earlier

1. Stop the Scrutinizer mysql service.
2. Copy the scrutinizer\mysql\data directory to the new drive.
3. Edit the scrutinizer\mysql\my.conf file, changing the drive letter for the datadir=x:/SCRUTINIZER/mysql/data/ entry.
4. Start the Scrutinizer mysql service.

Q32: How do I interpret the nProbeLive traffic?

Inbound and outbound are moot points (i.e. don't matter) with the nProbeLive because there is ONLY 1 interface. Traffic in and out the switch port are being sent to the nProbeLive which doesn't know if the traffic was received or sent on the mirrored switch port. nProbeLive can only deduce the source and destination of the packet. Look again at this:

Notice: All interfaces matches itself:

inbound src = outbound src
inbound dst = outbound dst

Here is an example:
Bob sends packets to Sally. Bob is both the inbound and outbound source (Src) to Sally as there is ONLY 1 interface. On this same packet, Sally is the inbound and outbound destination (Dst). When Sally replies to Bob with a packet, the opposite holds true.

In Summary: When looking at nProbeLive traffic, just look at:

• "All" interfaces from the drop down box
• inbound traffic as outbound will be exactly the same
• The Top Conv tab provides the easiest to comprehend data
• On the Hosts tab: just toggle Src and Dst

Q33: Why don't all of the colors print correctly when I try to print an emailed report?

This can be caused by an option found in some browsers and email clients.

In Internet Explorer:

1. Open the "Tools" menu.
2. Click "Internet Options.
3. Click the "Advanced" tab.
4. Scroll down to the "Printing" section.
5. Check "Print background colors and images.
6. Click "OK."

This change will carry over to Outlook and Outloook Express.

Q34: Can Scrutinizer run in VMWare?

Yes, but as with any virtualized environment, you may experience sharp declines in performance when your server's resources are divided between many sessions.

Q35: How do install Scrutinizer on Windows Vista?
Note: This issue is relevant to Scrutinizer version 6 only.

1. Double-click the installer to start the process as normal.
2. Click "continue" when prompted by UAC.
3. Unblock apache.exe when prompted by UAC.
4. Unblock collectd.exe when prompted by UAC.
5. Installer will read "File Copy Complete — Executing Install Scripts."
6. Click "OK" to finish when installation is complete.
7. Run 'services.msc' from the command line or the 'Run' dialog.
8. Stop the following services:

• Cron service
• Scrutinizer Filer Service
• Scrutinizer Netflow Collector
• scrutinizer_apache2
• scrutinizer_mysql

If you experience trouble, please post at http://forums.plixer.com.

Q36: How do I exclude Scrutinizer in Symantec AntiVirus?

1. From within Symantec, expand the "Configure" option from the tree menu and select "File System."
2. Click the "Exclusions" button.
3. Click the "Files/Folders" button.
4. Find the Scrutinizer directory and check the box next to it.
5. Click "OK" to finish.

Q37: How do I setup integration between Scrutinizer and WhatsUp Gold v11?
Visit the WhatsUp Gold v11 Integration page for instructions on setting up WhatsUp Gold v11 and Scrutinizer to work together.

Q38: Why am I seeing "XX" in my select boxes in Firefox 2.0.0.4?
Note: This issue is relevant to Scrutinizer version 6 only.
This is a known bug with the 2.0.0.4 build of Firefox. It is expected to be patched in the upcoming 2.0.0.5 release. It occurs when a visible/hidden style is applied to a select box after a page has loaded, which occurs in several places throughout Scrutinizer. It does not affect functionality in any way.

Q39: My clickable links on the Flash map don't work! I'm using Firefox 2.0.0.4.
Note: This issue is relevant to Scrutinizer version 6 only.
Firefox 2.0.0.4 contains a bug that sporadically prevents the links on your icons in the Flash maps from working. This bug does not exist in the Firefox 1.5/1.8 branch, nor in any version of IE or Opera. The bug has been logged with Mozilla and we are awaiting word of a patch.

Q40: Why are my IPs not resolving, even though I have configured my DNS properly in Windows?
In certain situations, Scrutinizer may not be able to properly resolve IP addresses. This usually happens when there are multiple DNS servers with disparate records. To deal with this, Scrutinizer allows you to specify your DNS servers in a file rather than get the settings from the Windows Registry. The steps are outlined below:

1. Create a file in the \scrutinizer\html directory called dns.conf.
2. Open this file with a text editor like Notepad.
3. Create a list of DNS servers in the file in the format below.
   nameserver 192.168.1.1
   nameserver 166.186.184.2
   nameserver 224.39.1.171

Now that you have created this file, you should now be able to go into the Scrutinizer web interface and do lookups properly.

Q41: What can be done to speed up the interface of Scrutinizer?
Note: This issue is relevant to Scrutinizer version 6 only.

1. Disable antivirus software, or at least exclude the Scrutinizer directory from antivirus scanning.
2. Run software to defragment the hard drive frequently (e.g. Diskeeper).
3. Does the machine Scrutinizer is installed on meet our minimum hardware requirements?
4. Are there other applications running on the server (e.g. WhatsUp Gold, MRTG, etc.)? If so, they should be turned off.
5. Is the Microsoft IIS Service running? If so, it should be turned off.
6. Are you running Scrutinizer in a VMware session? This will cause unnecessary slowness.
7. Does your company have a proxy server? Scrutinizer tries to connect to plixer.com on many of the pages and proxy servers which block Scrutinizer's access to the internet can cause interface slowness.
8. Are you receiving flows from over 200 unique devices? You must meet our minimum hardware requirements.
9. Click on the Vitals Tab within Scrutinizer. Are you receiving over 200 UDP Datagrams/Sec? You must meet our minimum hardware requirements.
10. Call us at (207)324-8805 x3 and we can help you to optimize your Scrutinizer installation.

Q42: I'd like to change the MySQL "scrutinizer" user password from the default to something more secure. Is there anything else I need to do other than set the password in MySQL?
Note: This issue is relevant to Scrutinizer version 6 only.
Yes. you need to add the following lines to the conf.cgi file (found in the \scrutinizer\html directory):
$conf{'dbUser'};
$conf{'dbPassword'};
$conf{'dbPort'};

Denika Frequently Asked Questions

Click the question to view the answer.

Q: What is SOE?

Q: Can I monitor any SNMP OID with Denika?

Q: Is there any documentation that can help me with Denika 6.0?

A: If you need help installing or configuring Denika 6.0, review the documents below:

SOE: Install Guide SOE: Backup/Restore Guide Denika 6.0: Quick Start Guide Denika 6.0: Upgrade Guide Denika 6.0: How to Setup Email Reports

Q: I had a problem with the install, what should I do?

Q: Can I automatically create Denika reports?

Q: What about devices that go away?

Q: Where is the Denika Manual?

Q: How do I setup Cisco IP SLA?

Q: How do I setup NBAR on my Cisco router?

A: Make sure you enable NBAR on the router for the interfaces you want to collect statistics on. Call us if you need help setting it up. You must first enable Cisco Express Forwarding (CEF) on the router before enabling NBAR.

Interfacing with NBAR on your Cisco router is done through the Modular QoS Command-Line Interface (Modular QoS CLI). In order to configure a QoS policy you must configure traffic classes, policies that will be applied to those traffic classes, and the attaching of policies to interfaces using the following commands:

	class-map - defines traffic classes by specifying the criteria by which traffic is classified.
	policy-map - defines QoS policies which are applied to traffic defined by a class map.
	server-policy - attaches certain traffic to an interface on the router.

Q: How do I configure a traffic class?

Q: How do I configure a traffic policy?

Q: How do I attach a traffic policy to an interface?

Logalot Frequently Asked Questions

Click the question to view the answer.

Q#1: What types of logs does Logalot collect?

Q#2: What if I lose connectivity to a Windows server?

Q#3: What is an Orphan?

Q#4: How do I create a policy?

Q#5: How do I know what devices are sending logs?

Q#6: What is the Bulletin Board?

Q#7: How do I integrate Logalot with third party applications?