I’m a geek, there is no doubt about it. I have been a geek since I was 8 years old, and my dad bought my first computer, a Timex Sinclair 1500. If you are a true geek, then you know how long I have been a geek.
Well, knowing that Scrutinizer can do more than just post alerts when a threshold has been violated is a big step in gaining control of your network management woes.
Did you know that Scrutinizer has the ability to send a syslog message when an alarm has been posted? This means you can be alerted when an interface is exceeding a threshold, a device has stopped sending NetFlow or when one of the many Flow Analytics algorithms has been violated.
What? You don’t have a syslog manager? Not a problem. We offer a free version of Logalot that will support up to three devices. Now you can send emails, pages, post to a file or even execute a file when you receive a syslog alert.
Using syslogs to be your personal attendant – a real life example.
I was working on a unique project that required me to run a file remotely on multiple machines when a syslog alert was received. To complicate the issue, I needed to qualify the syslog message before issuing the command.
I quickly grabbed a few scripts and started to develop an app that would accomplish the task. Soon I found that this solution was less than perfect. The code that I had taped together would be difficult to manage and I just didn’t have the time or resources to give it the attention that it needed. So I started to look for another solution.
We already had Denika and Logalot installed. I figured that it would be a smart move to use an already existing application to employ my solution. With Logalot, you can create policies that help qualify the syslog message. Once the policy is violated, it can perform an action. In most cases you send an email or page, but in this case I was going to run a file. The next hurdle that I needed to jump was running the file remotely.
After a little more research, I found the perfect solution. PsExec is a tool that I remembered using a while ago; back then it wasn’t owned by Microsoft.
“PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec’s most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.” – Microsoft
Bingo! This is what I needed. Now I can execute the application remotely, unattended and generally hassle free. I configured the Logalot policy to run when a certain syslog message came in. In that policy, I asked it to run a batch file that called the PsExec file with various parameters. Within a few minutes, I had this solution tested and implemented across multiple machines.
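The "qualify the message, then run a file" step, sketched as an added example (not code from this post and not how Logalot implements policies). The sender address, message text, host and script path are constructed placeholders; the point is that only an allowlisted sender, a parsed severity and a pattern match select a fixed command, and nothing from the message is copied into it.

```python
import ipaddress
import re

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss HOST MESSAGE"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed values: allowed sender, and a policy mapping a pattern to one fixed argv.
ALLOWED_SENDERS = {ipaddress.ip_address("192.0.2.10")}
POLICIES = [{
    "name": "netflow-stopped",
    "pattern": re.compile(r"stopped sending NetFlow", re.I),
    "max_severity": 4,   # syslog severity: 0 = emergency ... 7 = debug
    "argv": ["psexec", r"\\HOST-PLACEHOLDER", r"C:\placeholder\task.cmd"],
    "cooldown": 300,     # minimum seconds between two runs
}]
_last_run = {}  # policy name -> time of the last accepted trigger

def qualify(sender, raw, now):
    """Return the fixed argv to run for this message, or None to ignore it."""
    if ipaddress.ip_address(sender) not in ALLOWED_SENDERS:
        return None                       # UDP syslog carries no authentication
    m = SYSLOG_RE.match(raw.strip())
    if not m or int(m["pri"]) > 191:
        return None                       # malformed line or out-of-range PRI
    severity = int(m["pri"]) % 8          # PRI = facility * 8 + severity
    for p in POLICIES:
        if severity > p["max_severity"] or not p["pattern"].search(m["msg"]):
            continue
        if now - _last_run.get(p["name"], float("-inf")) < p["cooldown"]:
            return None                   # repeated alert: do not run again
        _last_run[p["name"]] = now
        return list(p["argv"])            # message text never reaches argv
    return None

# Constructed sample input: (sender, raw line, arrival time in seconds).
MSG = "Dec 17 09:15:02 scrutinizer Device 10.1.1.1 stopped sending NetFlow"
SAMPLES = [
    ("192.0.2.10", "<132>" + MSG, 1000),    # accepted
    ("192.0.2.10", "<132>" + MSG, 1038),    # inside the cooldown window
    ("198.51.100.7", "<132>" + MSG, 1060),  # sender not on the allowlist
    ("192.0.2.10", "<134>" + MSG, 2000),    # severity 6, below the policy bar
]

if __name__ == "__main__":
    for sender, line, t in SAMPLES:
        print(sender, "->", qualify(sender, line, t))
```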
The moral of the story: there are many solutions out there and finding the right one isn’t as hard as you might think. In this example, I was able to cut down my work load quite a bit by using two free applications and a little work. So knowing is half the battle!
One of the many things that we pride ourselves on is the outstanding support that we give for all of our products. In recent months we decided to provide “One on One” chat support for both our evaluators and our tried and true customers.
“According to a Northstar Research Partners study commissioned by live chat vendor LivePerson, high-value customers who spend more than the average consumer are more likely to use live chat. The study says more people feel highly satisfied after receiving customer service via live chat (46 percent rate it 9 to 10 on a 10-point scale) than other forms of customer service such as a toll-free number (41 percent), e-mail support (31 percent), or online FAQs (24 percent).” – PC World
This type of thinking holds true in the Netflow world. The more we work with the person, the more comfortable they feel about Scrutinizer. It gives us the ability to understand what the person needs and how we can provide the solutions. This type of relationship is priceless.
Getting “One on One” support is easy. If you don’t own the product and have some questions, go to www.plixer.com and click on the “Start Chat Now” option. If you are having a hard time finding the link, just look for the handsome guy in the green hat. PreSales chat is online from 8:00 am to 10:00 pm Eastern.
If you own Scrutinizer you already have the “One on One” support link embedded in the interface. Just click on the small doctor icon located in the upper right-hand side of the screen. It’s like having your own NetFlow support department at your fingertips.
So the next time you have a question make sure to check out our live “One on One” support.
I was installing the new Flow Analytics beta on a customer’s machine the other day and we started to see odd results.
For those of you who do not know about the Flow Analytics module for Scrutinizer, it’s a behavioral analysis engine that listens to the network traffic that you are already collecting with Scrutinizer. It’s searching for patterns or “chatter” that resembles negative network behavior.
Initially everything was working fine, but within a short period of time, we started to see SYN violations. We opened up the SYN Violations alarms message from Flow Analytics and clicked on the “Possible Worm Attack” link. Clicking on this link provided us with all the raw data that showed signs of SYN Violations.
To our surprise, we were seeing the IP address 169.254.18.31, which is the dummy address that Microsoft assigns to you if it can’t grab one from DHCP. I had never seen this reported before, and in reality we shouldn’t even see that IP address, because the machine should not have access to the network.
A bit concerned, I decided to search for the 169.254.18.31 address across all of the routers. I figured that this might give me a clue as to what was happening or at least tell me who this IP address was talking to. The result only showed one router. Now I was starting to get excited! I clicked the destination router and could see all of the conversations. BANG! We found the smoking gun.
This unique behavior was due to the IP HELPER function of his router. He explained to me how this function helps orphaned IPs find their way to the internet, in the end making sure that everyone has some sort of network connection.
“Ahhh, that makes sense. People are unplugging their laptops, but WI-FI is still active. The WI-FI is not getting an IP, so IP HELPER steps in,” he said.
We were both impressed. With one central application and a little detective work, we were able to resolve this issue quickly. Mystery solved!
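The search described above, written as an added example that is not part of the original post or of Scrutinizer: it scans flow records for sources in the self-assigned 169.254.0.0/16 range and reports, per exporting router, how many of their flows were SYN-only and who they talked to. The record layout and all addresses other than 169.254.18.31 are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 self-assigned range
SYN, ACK = 0x02, 0x10                                 # TCP flag bits

# Constructed flow records: (exporter, src, dst, dst_port, cumulative tcp_flags).
# The field layout is an assumption, not Scrutinizer's export format.
FLOWS = [
    ("10.0.0.1", "169.254.18.31", "203.0.113.5", 80, SYN),
    ("10.0.0.1", "169.254.18.31", "203.0.113.6", 80, SYN),
    ("10.0.0.1", "169.254.18.31", "203.0.113.7", 443, SYN | ACK),
    ("10.0.0.1", "10.0.5.20", "203.0.113.5", 443, SYN | ACK),
    ("10.0.0.2", "10.0.6.9", "198.51.100.4", 80, SYN),
]


def link_local_sources(flows):
    """Summarise flows whose source is in 169.254.0.0/16, keyed by (exporter, src)."""
    report = defaultdict(lambda: {"flows": 0, "syn_only": 0, "peers": set()})
    for exporter, src, dst, _port, flags in flows:
        if ipaddress.ip_address(src) not in LINK_LOCAL:
            continue                      # normally addressed host: not of interest
        entry = report[(exporter, src)]
        entry["flows"] += 1
        entry["peers"].add(dst)
        if flags & (SYN | ACK) == SYN:    # SYN seen, never an ACK: handshake not completed
            entry["syn_only"] += 1
    return dict(report)


if __name__ == "__main__":
    for (exporter, src), e in link_local_sources(FLOWS).items():
        print(exporter, src, e["flows"], e["syn_only"], sorted(e["peers"]))
```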
The following is a clip from an article published by CISCO regarding the IP HELPER function:
“Here is brief information about ip-helper address. If your DHCP server is located remotely, your local DHCP client might not get IP address due to broadcasting traffic is blocked by router.
By default, routers drop all broadcast packets sent through them. Because DHCP clients use BOOTP packets, which are broadcasted to all hosts (255.255.255.255), they will be dropped by router. The “ip helper-address” command enables the router to forward these BOOTP broadcast packets to a specific host, as specified by the address following the “ip helper-address” command. Note that this command must be placed on the router’s interface that is receiving the broadcast packets from the hosts, which is Ethernet(FastEthernet or GigabitEthernet Interface) of the router.”
One complaint that I hear from customers is that their MyView page is slow to load. After a little detective work, we always find quick and easy ways to speed up their interface.
For those of you who haven’t used MyView before, here is a quick introduction. MyView is a customizable dashboard that provides users of Scrutinizer a unique view of their network traffic and management interface. On top of that, each user can have their own customized view. You can quickly see how your MyView dashboard will be an invaluable tool for gaining complete network awareness.
I have seen MyView used in many ways. One of the better practices is having a login for Flow Analytics, one for your custom reports and one for day to day operations. For example, in our NOC, we have a special MyView for our demos, one for our manager and one with multiple custom reports. Mike, our manager, has his own special MyView that contains a few flash maps and “PlumTrack”, our in-house PBX phone monitoring application.
There are a few limitations with MyView that you need to be aware of though. You have to remember that each and every window in MyView is a micro web page that must adhere to all the caveats that you would experience with normal browsing. In short, don’t open up too many resource consuming web pages! What are resource consuming pages? Well, there are three types.
The first is a static or simple page. The NOAA weather map is a great example of this. It is a simple image that is loaded every few minutes when the gadget refreshes. It is common to have a few of these, as they have limited load times and are mostly harmless.
The next page type is one that generates its data “server side”, meaning that it makes a call to the local database. Once it completes the task, it then reports the requested information. Many of our prepackaged gadgets use this method, including all of your custom reports, since each one becomes an available MyView gadget. You also need to remember that each time one of these reports is called on, it requires time to process and return the data.
The third and most resource-intensive are those outside of our environment. Many of today’s AJAX, DHTML, Web 2.0 applications consume quite a bit of your browser’s resources. Adding multiple instances of these types of applications can severely slow down your browser’s performance. Nine out of ten times this is the culprit for slowness.
What’s coming in 7.0?
We have some exciting changes coming in the next version. With the Scrutinizer 7.0 MyView feature, you are going to have multiple sub tabs that allow you to have multiple views to one page. You will have a smoother experience with moving your gadgets and the ability to set permissions based on specific MyView tab content.
More importantly, we have improved the overall speed of the MyView engine. This will allow Scrutinizer and MyView to be your preferred network management tools, since it provides seamless integration between most of your 3rd party tools.
Stay tuned for more network management goodness and other pointless bits of geek lore!
Have a happy New Year!
Today I was working with a customer on an install when we started going down memory lane. He asked how I liked Gotomeeting and I mentioned that nowadays it’s common for us to use it to demonstrate or install Scrutinizer. Trying to be funny I showed my age and said “back when I was a ‘young pup’ we had to do installs like these blindfolded, over dial-up, uphill both ways.”
We both chuckled for a few minutes, swapped a few stories and continued with the install. We both agreed that it was nice to be able to work on a machine remotely.
The install that we were working on was for our new Flow Analytics module. I don’t know why, but our walk down memory lane made me think. The “Top” gadgets that are included in Scrutinizer’s Flow Analytics package are a great tool. Don’t get me wrong; I thought that they were valuable before, but being able to associate their value with past hardships (uphill both ways) made it clear.
I mean, you can see “Top Conversations”, “Top Application”, “Top Protocols” and more, from all of your routers on your network. Think about it, you could see who your “Top Talkers” are from around the world in one easy to see and manage place. How awesome is that? How much time can that save you?
Just like GotoMeeting in the early 90’s, this type of information was not easily available a year ago. Flow Analytics is definitely the future of NetFlow.
Breaking news . . . . .
Scrutinizer Flow Analytics 1.1.0 beta was released today.
“I wonder if I can buy an old 8086 with a 2400 baud modem on ebay? Now that was a processor. Back when I was a kid . . .”
UPDATE – 127/17/2008
As of this morning Mike still does not have power ;(
Boy did I get a lot of emails and IM’s over the weekend! Everybody wanted to know why they couldn’t get in touch with us on Friday. Believe it or not we had a good excuse! New England got hit with the worst ice storm since 1998. From the reports that I have seen, almost everyone in Southern Maine and New Hampshire lost their electricity. We lost power here in the office until Sunday. Mike still does not have power (but he has a generator).
I recorded a few YouTube videos to give you an idea of what it was like!
I have had quite a few people ask ‘who that guy is on the IM link of plixer.com and systax.com?’ I thought that I would pass the info along to our readers.
My name is Jim D (jimmyd) and I am one of the Pre-Sales support reps here at Plixer. The green hat is a Cisco hat that we picked up from one of the trade shows. How we got the pose is a cute story.
One day I was getting coffee and Mike wanted to talk to me about a customer that I had been working with. Trying to be funny, I quickly donned the cap and replied “Let’s rap.” I also added a few “Yo Yo Yo”s to the mix to make it feel authentic. Mike first looked puzzled but soon thought that it was a great idea for a picture and asked me to do it again. The rest was history.
So that is my 15 minutes of fame. I got my pic on the website and have had quite a few chuckles with customers. I guess it’s a cool way to bring a bit of reality to the web.