Aggregating data
Most Cisco NetFlow reporting tools will report data in one minute intervals. However, in order to report on longer lengths of time (e.g. 24 hours), larger intervals are often used. Larger intervals such as five-minute, 30 minute, etc. intervals must be created from the raw flows collected. Usually vendors will only roll the top 100 or possibly 1000 flows based on byte volume into the larger intervals.

Scrutinizer ROCKS at aggregation
Did you know that part of the secret sauce of a good flow aggregation back end is the software’s ability to aggregate data into larger intervals. Before Scrutinizer aggregates raw flows into five-minute intervals, it aggregates all flows together separately on each router and switch. By default the back end will save the top 10,000 aggregated flows per five-minute interval per router and switch to the database. This is done by byte volume. Note: the top 10,000 can be increased to 100,000! Again, this is per flow sending device and is done for all intervals: 5 minute, 30 minute, 2 hour, 12 hour, 1 day and 1 week. I know of no other tool on the market that can save as much historical data as Scrutinizer. It can also save the raw flows forever!

Fast reporting despite data volume
Saving the data isn’t the only thing that has to be engineered well. Once you have the data, the front end needs to be able to retrieve and report on the data in a timely manner. Scrutinizer does this as well.

When rendering trends, larger intervals are necessary to look at extended periods of time. For example if you’re looking at 24 hours of data, most tools will display this amount of time in 30 or 5 minute intervals. If you zoom in on a timeframe for example, let’s say less than one hour, the trend will be displayed in one minute intervals.

No Restoring Data
Some tools require data to be restored from backup to look at it.  With Scrutinizer, just put in the time frame and it renders the trend. Simple.

All the Flows, All the Records, All the Time
If you want to go back in time and find a specific host or flow, Scrutinizer will have the data as long as the back end has been set up to save the data. Click on the image below:
scrutarchiving

NetFlow Calculator
Once you have Scrutinizer up and running you can use the NetFlow calculator to determine how much hard drive space you will need.

Flow Analytics at the same time
While Scrutinizer is saving all flows all the records all the time, Flow Analytics is watching all of flows across all the routers and switches for the following:

  1. Correlation – deduplicates flows from all the routers and switches and provides gadgets displaying the Top X information, (e.g. Top conversation, Flows, Conversations, Hosts, Protocols, etc.)
  2. Internal Security Analysis – Scrutinizer is a leader in Network Behavior Analysis which watches for internal threats and abnormalities that have gotten inside the network.  It informs you of problems that may not be causing enough traffic to consistently show up in your Top X reports, but are following a pattern that could cause network problems.

Summary
Scrutinizer is definitely more than “just a top 10 reporting tool”. Also, if a particular feature is very important to you, get it from the vendor in writing with a money back guarantee. If one vendor is making claims about another, I urge you to call the vendor and get the other side of the story.

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Leave a Reply