Guys like Stephen Covey keep me inspired. Have you read his book “Seven Habits of Highly Effective People“. I thought it was great. It lead me to believe that it was high time someone blogged about what sets NetFlow and sFlow reporting tools apart:
1. All the records, all the flows, all the time
Many if not most NetFlow reporting solutions only save data for top N reporting. Scrutinizer saves all the flows, all the records all the time in the 1 minute interval tables. No flows are dropped. The roll ups into higher intervals (e.g. 5 min, 30 min, 2 hr, 12 hr, 1 day and 1 week) are created using up to the top 100,000 flows from the prior interval after they are aggregated. This is more than any just about any other vendor. Why so much? Because, of the need to search and expect results for traffic that you know was on the network for the time frame specified. We can report on the top N of course but, the bottom N as well and anything in between.
2. Does it scale?
A single NetFlow & sFlow collector should be able to receive from over 1000 routers / switches or servers. The issue generally isn’t the number of routers exporting to a single collector, but rather the total volume of flows. I’ve seen over 3000 interfaces show up in a single Scrutinizer installation. Still not big enough? Scrutinizer has a distributed ability allowing you to view all interfaces from several dozen collectors via a single interface. What else does scaling mean?
- The tool should allow you to define Class A IP Groups and filters
- IP Groups or subnet reporting allows reporting across subnets or departments by grouping ranges of IP addresses
- The software should be able to collect at least 3000 flows per second (i.e. over 200,000 flows per minute) from a single router and still allow the front end to report on the data without timing out the web browser.
- Filtering or searching should be possible across all or a selection of routers and switches.
- Aggregation up to the top 100,000 conversations per interval per router/switch. Most collectors only save a few hundred or a couple thousand when they create the 5 minute, 10 minute, 30 minute roll ups.
3. Mind the flows
- Does the flow analyzer indicate when long lived netflows are arriving? Long lived flows (i.e. greater than 1 minute) can cause inaccurate spikes in the trends.
- Does the sFlow and NetFlow reporter indicate when it is overwhelmed and dropping flows?
- Does the collector monitor the flow sequence numbers to help determine if flows were dropped by an individual routers or switch?
- Can the NetFlow collector deal with a mismatch of Ingress and Egress configurations per router?
- Can the NetFlow Analyzer help with CBQoS to confirm policy configurations by comparing flows in and out of the same router? Basically, it should display ingress and egress DSCP or DiffServ values of the flows it has received.
4. Is the NetFlow software Innovative
- Does the development group display industry firsts with support for IPv6, NSEL and Flexible NetFlow?
- NetFlow sequence numbers are becoming increasingly important.
- Does it demonstrate unique ways to display the flows?
– Matrix and flock
– Google maps with links that can be clicked on
– Flexible NetFlow, NetFlow Event Logs or NetFlow Security Event Logs
– Unique reporting techniques such as Host to Host, Conversations, Connections, etc.
– MyView for creating unique mashups allowing for ultimate customization.
- Important reports such as Host to Host, Connections, Conversations, Raw Flows, Applications, WellKnown Ports, ToS values, etc. These are necessary when performing Wireshark like analysis.
5. Network Behavior Analysis with Flow Analytics
Top applications, hosts, flows, countries, domains, etc. across selected devices in a single report
- Notification for possible attempted internal attacks (e.g. SYN, XMAS, FIN, etc.) and scans to help catch worms such as Conficker.
- Deduplication of flows
- Alarming on anything via saved reports with thresholds
6. Best of Breed with good third party integration:
- 3rd party icons in maps
- Double links in maps (e.g. one for utilization and a second for VoIP MOS, Packet Loss or mitter).
- Provide convenience links to get to other 3rd party applications
- Google maps
- Are most of the interfaces URL based so that they can be launched from 3rd party pages or does the vendor lock you into their framework or suite of solutions.
7. Does the interface allow you to get to the raw flows?
Sometimes you need to dig in like you can with WireShark. Access to the raw flows is critical if you need to look under the hood before busting out the packet analyzer. The Flow View in Scrutinizer lets you review all of the fields of the flow that were sent in by the exporter. It even supports Flexible NetFlow.
Are you looking for a comprehensive, easy to use, feature packed, NetFlow, sFlow, IPFIX or NetStream Analyzer? Make sure you take the NetFlow Challenge.