How do you know whether the NetFlow collector is receiving, and saving, all of the NetFlow datagrams being sent to it? It is important to know if any flows are missing.
Why do we care?
This is a great question. We care because a loss of flow exports is usually caused by one of three things:
1. The network dropped some packets
2. The router can't keep up
3. The NetFlow receiver / collector can't keep up
NetFlow sequence numbers are becoming increasingly important. When building a NetFlow collector, it is important that the engine scales while staying accountable. If you look at the NetFlow v9 packet format, you will notice a header field called package_sequence.
Scrutinizer monitors the NetFlow sequence numbers per router / exporter to make sure that no NetFlow exports are missing. If they are, we can approach the issue like this:
1. Can Scrutinizer keep up? Check the vitals:
In the vitals report above, we can see that the NetFlow collector is showing increments in the MFSN (Missed Flow Sequence Numbers) trend. Scrutinizer provides these details:
a) For the entire collector
b) Per listening port (e.g. 2055, 9996, 6343, etc.)
c) Per router
It is just a matter of drilling in until we find the culprit. If all ports and all exporters are showing MFSNs, then we know that the collector can’t keep up with the volume of flows.
To find the above reports in Scrutinizer, navigate to the Admin tab -> Reports -> Vitals. From there you can reach the vitals for individual NetFlow exporters by clicking on the listener ports (e.g. 2055, 9996, 6343, etc.). It is quicker to reach these reports from the Status tab by clicking on the NetFlow version (e.g. 'v5') shown next to the interface name.
2. If the network is dropping packets, or if we suspect that an individual router is having trouble keeping up with its NetFlow exports, we check the MFSN for that individual exporter.
3. If we suspect that it is the router and not the network, then we go into the router and type in:
a) myRouter# show ip flow export
b) myRouter# show ip cache verbose flow
c) myRouter# show ip cache flow
The above commands allow us to check the current NetFlow configuration and health of the router.
Most collectors only listen for NetFlow, sFlow, NetStream, IPFIX, jFlow, etc. on UDP ports such as 2055, 9996 and 6343, so a lost datagram is simply gone. As SCTP becomes more popular, collectors will be able to acknowledge reception of NetFlow datagrams and have missed ones retransmitted.
NetFlow sequence numbers are used to detect missed NetFlow packets, not general packet loss on the network. I have seen cases where an increase in the NetFlow volume due to a DoS attack or network scan can cause a burst and ultimately some missed flows.
A NetFlow Analyzer worth its salt should be delivering reports in some capacity related to flow sequence numbers.