While doing a demonstration of the reporting capabilities of Scrutinizer last week, I had a customer ask, “How can I monitor Netflix traffic?”
There are a couple of ways that this can be done.
If you have Cisco routers, and are running IOS 15.1 or higher, there is an option to enable NBAR. Using Flexible NetFlow, we create a user defined flow template by adding the collect NBAR application option parameters to the flow record. Then it is just a matter of selecting the NBAR report filters available in Scrutinizer.
But I would like to show you a way to use a template option to capture and pass URL’s. We will be using nProbe to capture traffic from an interface on a device and export IPFIX templates to Scrutinizer.
The set up of nProbe is a simple process of using command line options to configure the template and create and start a nProbe service.
Once we see the device and interfaces in Scrutinizer, it is just a matter of adding filters to the report to isolate the Netflix traffic.
From the Status Page, I have selected my nProbe device and selected a Host report from the Source Reports options. Then I changed to report on traffic from all interfaces on this device. From the filtering options, I selected Advanced Filters, which allow me to filter the report on any field present in the template, and specified a LIKE compare of Netflix on the HTTP_URL field.
What if I wanted to know when the Netflix traffic exceeded a certain threshold?
You’ll notice in the report filter above that I added an Inbound Threshold filter. Adding an Inbound Threshold to the report adds this report to the Flow Analytics cycle. Where every 5 minutes the threshold is checked on a total or row basis for the last 5 minutes of data.
When the threshold is exceeded, I will get an alarm.
There are a number of new report filters available in Scrutinizer v8. If you would like me to show you how to use them to assist with your network analysis needs, give me a call – (207)324-8805
