Today I’m going to discuss how to run some of the common reports in our NetFlow and IPFIX analyzer. Our NetFlow and IPFIX analyzer has the ability to report on all versions of NetFlow, sFlow, IPFIX and everything in between. If you’re new to the product, you might want to check out Cisco’s Introduction to NetFlow or our NetFlow configuration guides to help you get started.

What is a NetFlow report?

We define a NetFlow report as a combination of a report type and any custom filters that have been added to the report. The first thing you’ll be required to do is select a report type, so let’s take a look at our report list. An important thing to note about this list is that it’s dynamic, so it will show you only the reports that are available for the device that you’ve clicked on. In the list below, I’ve clicked on a Cisco router that has been configured to export both Cisco’s NBAR and Performance Reporting using Flexible NetFlow.

The list is broken down into different categories to help you choose which report type you would like to run, with Pair Reports -> Conversations WKP (Well Known Port) being our default report.

Dashboards show you multiple reports in one view to allow you to get a high level overview by just running one report. Try running a Node Details dashboard as an example.

Source and Destination reports allow you to look at top talkers by who is sending or receiving the most data. Catch your top hosts by running Source or Destination Report -> Hosts.

Pair reports are used to look at the top conversations between hosts. Locate the top conversations on your network by running a Pair Report -> Conversations WKP.

Top reports provide you with a breakdown of the top type of service, applications, protocols, etc. Find the top applications on your network by running a Top Report -> Well Known Ports.

Volume Reports have been designed to give you long term trends which remove the details of who is causing the traffic and instead show you trends of average and peak values.  Is your internet circuit big enough?  Use our Volume Report -> Traffic Volume report for bandwidth planning.

 

How do I run NetFlow reports?

Let’s take a look at the Status page to demonstrate how to select a report type and then we’ll look at adding filters.

NetFlow and IPFIX Analysis

In the screenshot above we’re looking at the Status Tab which is showing us the top interfaces on the network for the last 5 minutes. On this page, there are a number of different ways to begin running reports, so we’re going to go over the three most common methods.

Reporting in real time: If you’re looking to find out what’s happening right now on an interface, begin by clicking on either the inbound or outbound column of the desired interface. After clicking on the interface, you will be presented with a list of the available reports for that device. If you’re unsure which report to run, try running our default report (Pair Reports -> Conversations WKP).

24-hour reports: When you need to report further back than the last 5 minutes on an interface, start on the Status tab and click on the desired interface’s name (also labeled the “Interface” column). This time you will be presented with the same list as before, but each report will be for 24 hours. This gives you the ability to find the time frame you’re interested in and then use the drag and drill method to zoom in.

Searching for hosts: The search method is used when you’re looking for a specific host and you don’t know which network interface they’re located on. You can search by clicking on the binoculars in the upper right hand corner next to the system menu and the logout button. If you search across all devices then you will see all the interfaces that the host has been talking on and then you can decide where to begin reporting.

 

How do I add NetFlow report filters?

Now that you’re viewing a report, it’s likely that you want to narrow down the results you see, which can be done by applying filters. When you’re viewing a NetFlow report, on the left hand side of the page there’s a drop down box labeled “Add New Filter” which will display all the available filters. Advanced NetFlow analysis requires advanced filters, so it’s important you’re aware of the logic when adding NetFlow filters.

Here are some descriptions of the most commonly used filters:

Hosts: used to show all the traffic to or from a specified host.

Subnet: used to display all traffic on the specified subnet.

Well Known Port: used to display all the traffic involved on a specific port.

Type of Service: this will help you verify if your routers are correctly, or incorrectly, marking quality of service.

Inbound Threshold: this filter is used to define NetFlow report thresholds; you will be alerted if they are crossed.

Device/Interface: use this filter if you need to report on multiple devices or interfaces in the same report.

Advanced Filter: if you’re exporting Flexible NetFlow and you’ve defined some custom exports, you can filter on any field that’s being exported in the NetFlow template by using this filter.
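To make the "report type plus filters" definition concrete, here is an added example (not code from the analyzer itself) that runs Source, Destination, Pair and Top style reports over a handful of constructed flow records. The tuple layout, the rule that the well known port is the lower of the two ports, and the choice to AND multiple filters together are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records: (src, dst, src_port, dst_port, bytes)
FLOWS = [
    ("10.1.1.10", "192.0.2.50", 51514, 443, 120_000),
    ("10.1.1.10", "192.0.2.50", 51515, 443, 80_000),
    ("192.0.2.50", "10.1.1.10", 443, 51514, 900_000),
    ("10.1.1.22", "10.1.2.5", 49200, 445, 300_000),
    ("10.1.2.5", "10.1.1.22", 445, 49200, 50_000),
    ("10.1.1.22", "198.51.100.7", 40000, 53, 4_000),
]

def wkp(flow):
    # Assumption: the "well known port" is the lower of the two ports.
    return min(flow[2], flow[3])

# A report type is the key that flows are grouped by.
REPORT_TYPES = {
    "source_hosts": lambda f: f[0],
    "destination_hosts": lambda f: f[1],
    "conversations_wkp": lambda f: (f[0], f[1], wkp(f)),  # directional pair
    "well_known_ports": wkp,
}

# Each filter is a predicate over one flow record.
def host_filter(ip):
    return lambda f: ip in (f[0], f[1])  # traffic to or from the host

def subnet_filter(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda f: any(ipaddress.ip_address(a) in net for a in f[:2])

def wkp_filter(port):
    return lambda f: wkp(f) == port

def run_report(report_type, filters=(), top=10, flows=FLOWS):
    """Sum bytes per group key over flows that pass every filter (AND)."""
    key = REPORT_TYPES[report_type]
    totals = Counter()
    for f in flows:
        if all(flt(f) for flt in filters):
            totals[key(f)] += f[4]
    return totals.most_common(top)

if __name__ == "__main__":
    print(run_report("conversations_wkp", top=3))
    print(run_report("source_hosts", [host_filter("10.1.1.22")]))
    print(run_report("well_known_ports", [subnet_filter("10.1.1.0/24")]))
```

Swapping the report type changes only the grouping key, while adding a filter only shrinks the set of flows being counted, which is why the same filter can be carried from one report type to another.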

 Contact Us

If you have any questions about our NetFlow and IPFIX analyzer, don’t hesitate to call us at 1-207-324-8805 and we would be glad to help.

Paul Dube

Paul Dube is the Director of Technical Services at Plixer. He has a passion for enabling individuals and organizations to use highly complex systems to solve business and personal objectives. This passion for problem solving has Paul working with some of the largest enterprises to solve their security and networking challenges and also educating his young daughters on how to enrich their lives with technology. When he's not working, you will find him enjoying time with his family, cooking something delicious on the Big Green Egg, and enjoying the best brews that the locals have to offer.
