Frequently Asked Questions
Please select the product below that your questions relate to:
Q1. What is NetFlow?
Cisco® NetFlow technology is an embedded feature within Cisco IOS routers and high end switches (e.g 6500 series). NetFlow data records consist of information about source and destination addresses, along with the protocols and ports used in the end-to-end conversation. Scrutinizer uses this information to generate graphs and reports on traffic patterns and bandwidth utilization. More information can be found here.
Q2. What is sFlow?
Unlike NetFlow which aggregates multiple conversation streams into a single packet, sFlow is a packet sample of traffic. Although it offers 100% of the packet, when used strictly for IP accounting, it is unreliable. More information can be found here.
Q3. What is IPFIX?
Internet Protocol Flow Information Export (IPFIX) is an IETF protocol. It was created based on the need for a common, universal standard of export for Internet Protocol flow information from routers, probes, and other devices that are used by mediation systems, accounting/billing systems and network management systems to facilitate services such as measurement, accounting and billing. The IPFIX standard defines how IP flow information is to be formatted and transferred from an exporter to a collector. Previously many data network operators were relying on Cisco Systems' proprietary NetFlow technology for traffic flow information export. You can learn more about IPFIX in RFC 7011.
Q5. What are the different versions of NetFlow available?
Version 1 is the original format supported in the initial NetFlow releases, while version 5 is the standard and most common NetFlow version deployed. Version 5 is an enhancement that adds Border Gateway Protocol (BGP) autonomous system information and flow sequence numbers. Version 6 is similar to version 7. This version is not used in the new IOS releases. Version 7 is an enhancement that exclusively supports NetFlow with Cisco Catalyst 5000, 6500 and 7600 series switches. Version 8 is an enhancement that adds router-based aggregation schemes. It was introduced to reduce resource usage, and includes a choice of eleven aggregation schemes. Version 9 is an enhancement to support different technologies such as Multicast, Internet Protocol Security (IPSec), and Multi Protocol Label Switching (MPLS). Versions 2, 3 and 4 either were not released.
Scrutinizer currently supports NetFlow versions 1,5,6,7 and 9. It also supports sFlow version 2, 4 and 5. IPFIX, JFlow and NetStream are also supported.
Click here for more details.
Q6. How is NetFlow different from traffic analyzers like MRTG?
MRTG and other such equivalent tools provide information that is largely limited to SNMP statistics. NetFlow is more geared toward application-level details such as hosts, protocols, and conversations, which are an inherent part of IP traffic.
Q7. Is Cisco the only vendor supporting NetFlow?
NetFlow technology was invented by Cisco, and Cisco IOS devices offer NetFlow compatibility. There may be other vendors offering NetFlow support on their devices. Scrutinizer has been tested on over a dozen different vendors.
Q9. What are the differences between the free and commercial version?
The commercial version of Scrutinizer NetFlow & sFlow Analyzer includes the Flow Analytics add-on module, which adds historical data retention and network behavior analysis.
Q10. What are the system requirements?
Scrutinizer's system requirements are detailed here.
Q11. How do I enable NetFlow or sFlow on my router/switch?
Here are detailed instructions on how to enable NetFlow on Cisco routers and switches.
Q12. How do I find out if my Cisco equipment supports NetFlow?
Review the NetFlow Services Solutions Guide to find out if you have a NetFlow compatible Cisco router or switch.
Q13. What if I need features that Scrutinizer doesn't support?
At plixer, we understand that our software needs to be flexible. If you want a feature added, we may be able to work with you. Click Here to learn about our professional services.
Q14. Does it support other Languages?
Scrutinizer currently supports the following languages; Traditional Chinese, Simplified Chinese, English, French, German, Japanese, Korean, Portuguese, Russian, and Spanish.
Q15. How will enabling NetFlow affect the performance of the router/switch?
For detailed information on exactly how enabling NetFlow will affect the performance of your Cisco router or switch, review the NetFlow Performance Analysis whitepaper [PDF].
Q16. How long do I have to wait before the graphs are populated?
Less than 5 minutes. Make sure you have the NetFlow configured correctly on the router or switch.
Q17. Why are some interfaces labeled as IfIndex2, IfIndex3 or just 1, 2, 3, etc.?
This happens if the interfaces did not respond to the SNMP requests sent by Scrutinizer. Bring up the SNMP view that lists all the interfaces and click the Update button. Please review SNMP Device View in the Scrutinizer manual.
Q18. How do I enter IP to name resolutions so that Scrutinizer doesn't have to use the DNS to resolve IPs?
Edit this file: C:\WINDOWS\system32\drivers\etc\hosts and enter the IP to name translations.
Q19. Overall utilization on the interface appears to be understated. Why would this be?
- Make sure NetFlow is enabled on all physical interfaces of the device. Don't be concerned with the virtual interfaces, as they will auto-appear once NetFlow is enabled on the physical interface.
- If the hardware can't keep up with sending the NetFlow packets, it will drop NetFlows before they even leave the device. To check to see if this is the problem, login to the Cisco device.
Command to type: Router_name>sh ip flow export
At the bottom of the export, look for something like "294503 export packets were dropped due to IPC rate limiting". If this counter is incrementing, the hardware cannot keep up with the export demands.
- The command below breaks up long-lived flows into 1-minute segments. You can choose any number of minutes between 1 and 60; if you leave the default of 30 minutes you will get spikes in your utilization reports.
Command to type: ip flow-cache timeout active 1
- The command below ensures that flows that have finished are exported in a timely manner. The default is 15 seconds; you can choose any value between 10 and 600. Note however that if you choose a value that is longer than 250 seconds Scrutinizer may report traffic levels that appear low.
Command to type: ip flow-cache timeout inactive 15
- NetFlow version 5 only exports IP traffic (i.e. no IPX, etc.) and no layer 2 broadcasts are exported by this version of NetFlow.
Q20. How do I setup my router to forward netflows to two destinations?
Type the "ip flow-export destination" command twice:
router-name# ip flow-export destination 10.1.1.8 2055
router-name# ip flow-export destination 10.1.1.9 2055
Q21. How do I replace the Telnet option in Scrutinizer with an SSH client?
Note: This issue is relevant to Scrutinizer version 6 only.
Follow the steps outlined in the "How to replace the Telnet option in Scrutinizer with an SSH client" document.
Q22. Why are my graphs reporting over 100% utilization?
- The interface speed is not correct. Scrutinizer uses the speed specified in the SNMP OID. Login to the router or switch and fix the problem or in Scrutinizer go to Device Details and manually type in the correct speed.
- The active timeout has not been set to 1 minute on the router. Login to the router or switch and fix the problem.
- Non-dedicated burstable bandwidth, where the ISP allows you to use over the allocated bandwidth.
- Both ingress and egress NetFlow collection have been enabled on the interface. This can work properly if the direction bit is set in the egress flows. Scrutinizer works ideal when only ingress NetFlow collection is configured on all interfaces. Only egress on all interfaces is also possible.
- Do you have any encrypted tunnels on the interface?
- 47 - GRE, General Routing Encapsulation.
- 50 - ESP, Encapsulating Security Payload.
- 94 - IP-within-IP Encapsulation Protocol.
- 97 - EtherIP.
- 98 - Encapsulation Header.
- 99 - Any private encryption scheme.
- Full Flow Cache: All flows are stored in the flow cache on the router before export. Once the cache is full, it stops adding entries into the cache until it expires them. When events such as a DDOS or a "social event" occur, the router's cache becomes full. The cache can be increased; however, it will use more memory and could have a negative impact on the router. A loss of flows will cause Scrutinizer to understate utilization.
Q23. How do I find out if any updates are available for Scrutinizer?
In your local Scrutinizer install, click the Status tab. If updates are available, you will see a spinning blue icon in the upper right hand corner. If you have a proxy server, this spinning icon will always appear. Click on it to find out the latest version.
Users can also use the -v parameter for any \scrutinizer\cgi-bin\*.cgi or \scrutinizer\bin\*.exe file to get the current version and build for that executable.
Example: scrut_util -v
Compare this to the Scrutinizer Update History.
Q24. I have forgotten my Scrutinizer password. How do I find out what it is?
Version 7.x and later
In your local Scrutinizer install, type the following commands in a command prompt, from the [homedir]\bin\ directory:
scrut_util.exe -reset_admin_password [USERNAME]
The USERNAME is the name of the Scrutinizer user account to modify. When the command is executed, it will prompt for the new password, and then to re-enter it.
Note: These commands must be run from the Scrutinizer server.
Q25. How do I setup SSL with Scrutinizer?
An installer with SSL support is available for eligible parties. Please contact us for the SSL installer.
Q26. Why do I receive a "Somix product already installed" error when trying to install Scrutinizer?
If the following registry is found, you will receive this error:
The solution is to rename the registry key. This renaming will do no harm to your system and will quickly allow you to work with Scrutinizer.
Q27. How do I use a different drive for storing data?
Please note: The following procedures will not work for remote drives based on Windows shares.
Version 7.x and later
- Stop the plixer_mysql service.
- Copy the [homedir]\Scrutinizer\mysql\data directory to the new drive.
- Edit the [homedir]\Scrutinizer\mysql\my.ini file, changing the drive letter for the datadir=x:[homedir]/SCRUTINIZER/mysql/data/ entry.
- Start the plixer_mysql service.
For more information on using a different drive for stored data or storing data to a remote database with Scrutinizer version 7 or higher, please review this guide.
Q28. Why don't all of the colors print correctly when I try to print an emailed report?
This can be caused by an option found in some browsers and email clients.
In Internet Explorer:
- Open the "Tools" menu.
- Click "Internet Options.
- Click the "Advanced" tab.
- Scroll down to the "Printing" section.
- Check "Print background colors and images.
- Click "OK."
This change will carry over to Outlook and Outlook Express.
Q29. Can Scrutinizer run in VMWare?
Yes, but as with any virtualized environment, you may experience sharp declines in performance when your server's resources are divided between many sessions.
Q30. How do I update Scrutinizer?
Visit https://forums.plixer.com/viewtopic.php?f=15&t=2544#p9095 to update Scrutinizer on Windows.
Visit https://forums.plixer.com/viewtopic.php?f=15&p=9127#p9127 to update Scrutinizer Virtual Appliance.
For hardware appliances, please reach out to tech support for upgrades.
If you experience trouble, please post at http://forums.plixer.com.
Q31. How do I exclude Scrutinizer in Symantec AntiVirus?
- From within Symantec, expand the "Configure" option from the tree menu and select "File System."
- Click the "Exclusions" button.
- Click the "Files/Folders" button.
- Find the Scrutinizer directory and check the box next to it.
- Click "OK" to finish.
Q32. How do I setup integration between Scrutinizer and WhatsUp Gold?
Visit the WhatsUp Gold Integration page for instructions on setting up WhatsUp Gold v12/v14 and Scrutinizer to work together.
Q33. Why are my IPs not resolving, even though I have configured my DNS properly in Windows?
In certain situations, Scrutinizer may not be able to properly resolve IP addresses. This usually happens when there are multiple DNS servers with disparate records. To deal with this, Scrutinizer allows you to specify your DNS servers in a file rather than get the settings from the Windows Registry. The steps are outlined below:
- Create a file in the \scrutinizer\html directory called dns.conf.
- Open this file with a text editor like Notepad.
- Create a list of DNS servers in the file in the format below. nameserver 192.168.1.1
Now that you have created this file, you should now be able to go into the Scrutinizer web interface and do lookups properly.
Q34. What can be done to speed up the interface of Scrutinizer?
- Disable antivirus software, or at least exclude the Scrutinizer directory from antivirus scanning.
- Run software to defragment the hard drive frequently (e.g. Diskeeper).
- Does the machine Scrutinizer is installed on meet our minimum hardware requirements?
- Are there other applications running on the server (e.g. WhatsUp Gold, MRTG, etc.)? If so, they should be turned off.
- Is the Microsoft IIS Service running? If so, it should be turned off.
- Are you running Scrutinizer in a VMware session? This will cause unnecessary slowness.
- Does your company have a proxy server? Scrutinizer tries to connect to plixer.com on many of the pages and proxy servers which block Scrutinizer's access to the internet can cause interface slowness.
- Are you receiving flows from over 200 unique devices? You must meet our minimum hardware requirements.
- Click on the Vitals Tab within Scrutinizer. Are you receiving over 200 UDP Datagrams/Sec? You must meet our minimum hardware requirements.
- Call us at (207)324-8805 x3 and we can help you to optimize your Scrutinizer installation.
Q35. I'd like to change the mySQL "scrutinizer" user password from the default to something more secure. Is there anything else I need to do other than set the password in mySQL?
Update MySQL Root password via CLI using scrut_util.exe located in the [HOMEDIR]\Scrutinizer\bin\ directory.
There is a 2 step process, resetting the password then updating the plixer.ini file.
Changes the MySQL root account password.
Use this command to update the plixer.ini database root user password. Scrutinizer and the database root password must be in sync.
C:\Program Files (x86)\Scrutinizer\bin>scrut_util.exe -reset_mysql_password
Changing Password for MySQL Root Password. Press to abort.
NOTE: On Windows Vista/2008/7, you must run this command from the Administrator Dos Prompt
Attempting to login with new password ... PASS!
Password Updated for MySQL Root ... DONE!
Q36. Where can I find the Scrutinizer manual?
Here is an online copy of the Scrutinizer manual for review.
Q37. How do I know how much hard drive space I will need?
Use the NetFlow Bandwidth and Hard Drive Consumption Calculator to determine how much hard drive space your NetFlow data will consume.
Q38. Why are DSCP values wrong in my Juniper flow data?
In Juniper JunOS 11.2R4, DSCP reporting via JFlow has issues. You might sometimes see unexpected DSCP values in Scrutinizer. Please use Wireshark to compare what you are seeing in Scrutinizer to what your Juniper devices are exporting in the flow packets.
Q39. How do I add a second NIC to the Scrutinizer Virtual Appliance?
- Install the second NIC into the ESX(i) host
- Using vSphere, assign the second NIC to the Scrutinizer VM
- Log into the Scrutinizer CLI and create a /etc/sysconfig/network-scritps/ifcfg-eth1 file with the proper network configurations. You can use the ifcfg-eth0 configuration as an example since the ifcfg-eth1 file is not created automatically.
- Restart networking with the command: service network restart
Q40. Where can I find the change log?
Each insatllation contains changelog.txt in scrutinizer/files that details all bug fixes. You can also view the change log online at https://www.plixer.com/Support/available-updates.html