I’m sure many have known this for quite sometime but, I thought that Blue Coat NetFlow Support was worth a post. Apparently their Packet Shaper supports NetFlow v5. In truth, their export isn’t all that interesting but, it isn’t the only option either. The Blue Coat Packet Wise operating system can export three different record types from the Packet Shaper:
- Packeteer-1 (should be avoided)
- Packeteer-2: contains all the NetFlow fields as well as PacketShaper-specific data, for example: the traffic class into which the flow was classified, type of policy, number of retransmitted bytes, Response Time Measurement (RTM) data, packet exchange time, and VoIP statistics for RTCP VoIP streams. It should only be exported to Blue Coat ’s IntelligenceCenter. This is sort of a bummer as it reminds me of Cisco Performance Monitoring for Medianets.
- NetFlow-5: identifies the flow’s Layer 4 protocol (such as TCP, UDP, or ICMP) and IP ToS/Diffserv. Although it only provides traditional v5 details, it is the only export available for 3rd party NetFlow collectors.
To enable the Blue Coat Packet Shaper NetFlow Support:
- Click the Setup tab.
- From the Choose Setup Page list, choose flow detail records. The Flow Detail Record Settings page appears
Keep in mind that the Packeteer flow detail record feature has the following requirements:
- PacketWise v7.0.0 or above
- PacketShaper 900, 1200, 1400, 1550, 1700, 2500, 3500, 6500, 7500, 8500, 9500, or 10000 models
- 256 MB minimum memory
What you may not have expected to learn in this blog is that you can tie the NetFlow v5 exports to the syslogs exported which provides URL details. To do this, export the syslogs to the Flow Replicator which acts as a syslog to IPFIX gateway. The Blue Coat Packet Shaper Syslogs are parsed by the Flow Replicator and exported in a structured format inside IPFIX datagrams. You can then leverage the source IP address in the NetFlow information to link to the source IP address in the IPFIX data to retrieve the username or URL details as shown below.
The Flow Replicator turns the combined NetFlow and IPFIX export into a rich flow reporting solution. The Flow Replicator turns any machine message (E.g. text log, syslog, event log, etc.) into structured IPFIX flows. If you have a log that needs reporting on, check out the Flow Replicator.
For a free 30 day trial of Scrutinizer, Download Now!