How do you know whether the NetFlow collector is receiving, and saving, all of the NetFlow datagrams that are being sent to it? It is important to know if any flows are missing.

Why do we care?

This is a great question. We care because a loss of flow exports is usually caused by one of three things:

1. The network dropped some packets
2. The router can’t keep up
3. The NetFlow receiver / collector can’t keep up

NetFlow sequence numbers are becoming increasingly important. When building a NetFlow collector it is important that the engine scales while staying accountable. If you look at the NetFlow v9 packet format you will notice a header field called the package_sequence. The exporter increments it once for every export packet it sends, so a gap between the sequence numbers of two consecutive datagrams received from the same exporter means that export packets were lost somewhere along the way.

Scrutinizer monitors the NetFlow sequence numbers per router / exporter to make sure that no NetFlow exports are missing. If they are, we can approach the issue like this:
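As an added illustration of the per-exporter check described above (this is example code, not Scrutinizer's or Plixer's), the following parses the NetFlow v9 header and keeps a Missed Flow Sequence Number count per (exporter address, source_id) stream, handling the 32-bit wrap of package_sequence and late or duplicated datagrams. The exporter addresses and the sample datagrams are constructed for the example.

```python
import struct
from typing import Dict, Tuple

# NetFlow v9 packet header (RFC 3954), six big-endian fields, 20 bytes:
# version, count, sysUpTime, unix_secs, package_sequence, source_id.
V9_HEADER = struct.Struct("!HHIIII")

def parse_v9_header(datagram: bytes) -> dict:
    """Return the header fields of a NetFlow v9 export datagram."""
    if len(datagram) < V9_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field is {version})")
    return {"count": count, "sys_uptime": uptime, "unix_secs": secs,
            "package_sequence": seq, "source_id": source_id}

class MfsnTracker:
    """Missed Flow Sequence Number counter, kept per exporter stream.
    A stream is (exporter address, source_id): a router that exports from
    several line cards uses a separate sequence space for each."""
    def __init__(self) -> None:
        self.last_seq: Dict[Tuple[str, int], int] = {}
        self.missed: Dict[Tuple[str, int], int] = {}
    def observe(self, exporter: str, datagram: bytes) -> int:
        """Record one datagram; return how many export packets were missed just before it."""
        hdr = parse_v9_header(datagram)
        key = (exporter, hdr["source_id"])
        seq = hdr["package_sequence"]
        prev = self.last_seq.get(key)
        if prev is None:                    # first datagram seen from this stream
            self.last_seq[key], self.missed[key] = seq, 0
            return 0
        # Distance from the expected next number, modulo 2^32, so the wrap
        # from 0xFFFFFFFF back to 0 is not mistaken for a gap.
        gap = (seq - prev - 1) & 0xFFFFFFFF
        if gap >= 0x80000000:               # behind the cursor: late or duplicate packet
            return 0                        # do not move the cursor; the gap was already counted
        self.last_seq[key] = seq
        self.missed[key] += gap
        return gap

    def total_missed(self) -> int:
        """Collector-wide MFSN: the sum over every exporter stream."""
        return sum(self.missed.values())

def make_v9_datagram(seq: int, source_id: int = 0) -> bytes:
    """Constructed sample datagram: a bare v9 header with no FlowSets."""
    return V9_HEADER.pack(9, 0, 123456, 1700000000, seq, source_id)
```

An exporter reboot resets package_sequence to 0, which this simple tracker would treat as one very late packet and then ignore every datagram that follows; a production collector also resets its cursor when sysUpTime goes backwards.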

1. Can Scrutinizer keep up? Check the vitals:

(Screenshot: netflowSequenceNumbers)

Above we can see that the NetFlow collector is seeing increments in the MFSN (Missed Flow Sequence Numbers) trend. Scrutinizer provides these details:

a) For the entire collector
b) Per listening port (e.g. 2055, 9996, 6343, etc.)
c) Per router

It is just a matter of drilling down until we find the culprit. If all ports and all exporters are showing MFSNs, then we know that the collector can’t keep up with the volume of flows.

To find the above reports in Scrutinizer, navigate to Admin tab –> Reports –> Vitals. From here you can get to the vitals on individual NetFlow exporters by clicking on the listener ports (e.g. 2055, 9996, 6343, etc.). It is easier to navigate to these reports if you’re on the Status tab and you click on the NetFlow version (e.g. ‘v5’) next to the interface name.

2. If the network is dropping packets or if we suspect that the individual router is having trouble keeping up with NetFlow exports, we check the MFSN for the individual exporter.

(Screenshot: netflowSequenceNumbers2)

3. If we suspect that it is the router and not the network, then we go into the router and type in:

a) myRouter# show ip flow export
b) myRouter# show ip cache verbose flow
c) myRouter# show ip cache flow

The above commands allow us to check the current NetFlow configuration and health of the router.

SCTP

Most collectors only listen for NetFlow, sFlow, NetStream, IPFIX, jFlow, etc. on UDP ports such as 2055, 9996, 6343, etc. As SCTP becomes more popular, collectors will be able to acknowledge the reception of NetFlow datagrams and request retransmission of any that were missed.

Summary

NetFlow Sequence Numbers are used to determine missed NetFlow packets and not so much for general packet loss on the network. I have seen cases where an increase in the NetFlow volume due to a DoS attack or network scan can cause a burst and ultimately some missed flows.
A NetFlow Analyzer worth its salt should be delivering reports in some capacity related to flow sequence numbers.

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.
