Sometimes when you’re trying to really dig into an issue, you want to expose all of the individual raw flows in their native format.  This is why years ago, we introduced FlowView.  Think of it as being similar to the packet list view in Wireshark which lists absolutely every packet related to the filter that was typed into the interface. In the flow industry, we have something similar, it’s called FlowView.

Packet Analyzer Vs. Flow Analyzer


To understand why you need something like Flowview for analyzing NetFlow, IPFIX or even sFlow, it’s best to start with a problem. Below you see a typical example from our NetFlow reporting solution. Notice on the left, that there is a filter:

  • Exclude all applications related to ‘cifs’
  • Include all traffic between 10.12.2.4 and 10.1.4.252
  • Exclude all traffic when 10.1.4.252 is the source
Flow View

Above, I was narrowing in on a specific issue here in the office.  Notice that the average transaction duration time between these hosts for all applications outside of cifs is 2.4 ks or 2400 seconds which equates to about 40 seconds. I then changed the report type to try and figure out how many flows were involved with this number (2.4 ks).  To do this, in the upper left corner outlined in red twice is the report type selector.  I’ll selected ‘Connections’.

FlowView

Above you can see that the filter on the left didn’t change and that we are looking at  10 of 15 results. A typical user of our NetFlow Reporting solution knows that this data is likely still aggregated by the GUI.  To avoid aggregation, above outline twice in red it says “View Raw Flows (Inbound)”.  If you click on this, you will see the raw flows or FlowView shown below:

FlowView NetFlow

Above, notice at the bottom left: 26 results.  Clearly some aggregation was occurring in the ‘Connections’ report.  Aggregation is necessary in most reports however, when performing forensic traffic analysis, it is sometimes nice to get down to the raw unadulterated flows and Flowview offers this.  Notice also the massive drop down box displaying all of the elements possible to report on across all of the flow templates used to create the report.

NOTE: since I launched Flowview from a 30 minute interval report, it is possible that some aggregation occurred.  To avoid this, I could force the Connections report to 1 minute intervals and then launch Flowview to see the raw flows untouched (I.e. before the collector did any aggregation).

FlowView is our proprietary solution for delivering the absolute most forensic insight into what the router sent related to the traffic you need to investigate.  Flow View is just the beginning, learn more about what it takes to be a leader in NetFlow by downloading our white paper “Flow-based Approaches to Network Management”.

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Leave a Reply