NetFlow Analyzer, though the name says NetFlow, can work with quite a number of flow formats like sFlow, jFlow, NetStream, IPFIX etc. This blog will give you a brief idea on sFlow technology and also guide you on how to use NetFlow Analyzer with sFlow from HP Procurve devices.
What is sFlow?
sFlow is a monitoring technology which allows you to capture the traffic data from a switched or routed network to give complete visibility into the use of network bandwidth. This data helps in performance optimization, accounting/billing for usage, defense against security threats, capacity planning and much more.
sFlow datagrams are exported based on sampling due to which impact on the device CPU/Memory and available bandwidth is minimal. Based on a defined sampling rate, 1 out of N packets (where N is the sampling rate) is captured and sent to the NetFlow Analyzer for traffic analysis by the device. Though, this type of sampling does not provide 100% accurate statistics, it does provide a result with quantifiable accuracy.
sFlow analysis with NetFlow Analyzer:
NetFlow Analyzer can work with any devices which are capable of exporting NetFlow, sFlow and other compatible flow which are completely vendor dependent. You can check out the list of flow formats and devices with which NetFlow Analyzer can work from here.
HP Procurve and sFlow:
Just like Cisco has NetFlow and other vendors have thier flow formarts, some vendors use a technolgy called sFlow. HP Procurve devices are capable of exporting sFlow datagrams which can be used for bandwidth monitoring and traffic analysis. NetFlow Analyzer is capable of analyzing the sFlow datagram exported from the HP Procurve to give you the traffic statiscs on each active ports.
sFlow export on the HP procuve device can be configured using two different methods, We can enable sFlow on the HP device either by logging in to the router and configuring them for sFlow export. But this is available only in the older device models or OS.
On the new HP devices, sFlow can be enabled only through SNMP. To make the sFlow configuration on HP device a simple task, NetFlow Analyzer provides scripts to enable and disable the sFlow export. So, lets see how we can use the script and enable sFlow.
sFlow Enable utility:
The script to enable sFlow, named as sFlowEnable.bat (for Windows and .sh for Linux), is present under <\AdventNet\ME\NetFlow\troubleshooting> directory.
The usage for the script is as follows:
SFlowEnable.bat switchIp snmpPort snmpWriteCommunity collectorIP collectorPort samplingRate
Example:-
C:\AdventNet\ME\NetFlow\troubleshooting>sFlowEnable.bat 192.168.188.30 161 private 192.168.133.1 9996 4096
Once sFlow is enabled on the HP devices, NetFlow Analyzer server will receive the packets and the product will capture the packets to automatically generate the reports. You also need to ensure that no access control lists (ACLs) or firewalls block the NetFlow packets (on UDP 9996) and that even the software firewalls on the server are allowing the packets to reach the NetFlow Analyzer installation.
After enabling the sFlow on the HP devices, we need ensure a few points to get the accurate traffic statistics about the device in NetFlow Analyzer.
The first and foremost is the sampling rate. We suggest setting the sampling rate to 4096. We have observed from various setups and from our existing customers feedback that the sampling rate of 4096 gives the most accurate traffic statistics in NetFlow Analyzer.Most of the other sFlow collectors in the market suggest the sampling rate to 256 which means more number of exported sFlow datagrams. With a sampling rate of 4096, you get the additional benefit that the device is not being overloaded by sampling large number of datagrams and exporting to the NetFlow Analyzer.
Next point we need verify is the "sFlow receiver timeout". This determines how long sFlow remains active on the exporting device. When the value has expired, sFlow also gets disabled on the device forcing you to re-enable sFlow export. Due to this, we recommend setting the sFlow Receiver Timeout to the maximum possible value, which is 2147483647 seconds which is 68 years ! The command to be used on the HP device for setting the sFlow receiver timeout is:
setmib sFlowRcvrOwner.1 -D NetFlow Analyzer IP sFlowRcvrTimeout.1 -i 2147483647
sFlow Disable Utility:
Of course. We have thought about that too. Just in case you want to export sFlow to different server or stop the flows for some time or whatever be the reason, NetFlow Analyzer provides you the script to disable sFlow export on the HP device.
The disable can be done using the script sFlowDisable.bat (for Windows and .sh for Linux) and the file is present under <\AdventNet\ME\NetFlow\troubleshooting > directory. The usage of the script is as below:
SFlowDisable.bat switchIp snmpPort snmpWriteCommunity
Example :-
C:\AdventNet\ME\NetFlow\troubleshooting>sFlowDisable.bat 192.168.188.30 161 private
Go ahead and try our 30 day trial to see for yourself on how well NetFlow Analyzer works with sFlow and HP devices.
Thanks
Praveen Kumar
Download | Interactive Demo | Product overview video | Twitter | Customers
Some tools claim to be free and some are free AND useful. Talking with relation to the so many free network traffic analysis tools available online. The main objective of a traffic monitoring and analysis tool is to be able to see the history of threats, threshold violations, bandwidth utilization and extrapolate it to the future for taking better informed capacity planning decisions. All this analysis is carried out with the data (from NetFlow, sFlow, IPFIX, jfLow and more) available (stored) with the tool. One should be able to compare traffic through a particular device various time periods to see the effectiveness of the policies that have been recently changed / set.
At the end of the day, "relative results" matter. To be able to show that one has made certain changes and how it has affected the network for good, hopefully! All this is possible only if a large amount of data is available for analysis. There are free tools which offer to store data for up to one wHOLE day. All a user will find the next day is a hole in the previous day data. A clean data base and a blank look on one's face. For analysis, data size is very critical. And it doesn't take a genius to say that one day data does not contribute to any analyzable data. Time and data are somethings that cannot be got back once lost (data can be, if you have fail-over, but, hey! how many free tools have that!).
Even when you are going for a free tool, you have a choice to make. To make the choice between something that is going to cost your time and data or the one that is useful-AND-free, which can store the data forever, carry out the necessary analysis.
NetFlow Analyzer free edition lets you monitor two most critical interfaces in your network and the data can be stored forever - that is absolutely free AND useful. An useful solution which gives better analysis with the data that can be stored forever. You can see the history of security threats, the trend of bandwidth requirement growth over a period of time, answers questions such as "who are the top talkers?, is the bandwidth used for the business critical applications ?" and much more.
So you want a "free" tool or a free AND useful tool?
Cheers
Joe
Released!
NetFlow Analyzer Enterprise Edition 7.0 is packed with a load of amazing features. The official PR is available here.
And happy to announce that NetFlow Analyzer Enterprise Edition supports Cisco NetFlow (and other flows), Cisco NBAR and Cisco CBQoS out–of–the–box. Download the 30-day free trial and try it out in your network setup.
Following are some of the new features added in 7.0.
We have posted a number of blogs to share information on how to use
NetFlow technology and NetFlow Analyzer to manage your network better.
Those blogs will definitely continue to give you more ideas to put the
product to better usage but we will also discuss about some of the
common issues that you may have come across in the product and how they
can be resolved.
NetFlow Analyzer
generates traffic reports based on the NetFlow packets exported from
the router. Based on the information in the NetFlow packets, the
product displays the traffic passing through the interfaces of the
exporting device.
One issue that is frequently reported is that the traffic utilization shown in NetFlow Analyzer is more than the actual traffic on the interface. Reports
showing more than actual utilization or more than 100 % utilization can
be resolved quickly by checking a few points on the exporting device
and the product.
Incorrect active timeout:
The
traffic reports in NetFlow Analyzer is shown with a 1 minute
granularity, ie. NetFlow Analyzer shows details of the traffic for each
minute. By default, the active timeout on the NetFlow exporting devices
is 30 minutes, which means that the information about the traffic that
passed through the interface in the previous 30 minutes is exported at
the 30th minute.
Since NetFlow Analyzer reports traffic
every minute, the export of 30 minutes information all at once leads to
the product's reports showing a spike every 30 minutes. The incorrect
traffic details for that minute leads to showing incorrect speed which
thus leads to worng utilization calculation. To avoid this, simply
check if the active timeout on the router is set to 1 minute using the
command "ip flow-cache timeout active 1""
Multiple NetFlow commands:
NetFlow can be enabled on the router using any one of the three commands:
ip
route-cache flow : - This command can be applied on all main
interfaces and will automatically enable NetFlow on the sub interfaces
too. This command accounts for the IN traffic across an interface.
ip
flow ingress :- Some of the newer IOS supports this command
which also accounts for the IN traffic across an interface. The
difference is that this command needs to be applied on a sub-interface
level
ip flow egress :- The same as 'ip flow ingress' but this command accounts for the OUT traffic across an interface.
NetFlow
can be enabled on the interfaces of the router by applying any one of
the above mentioned command, but most of the netwrok admin enable
either "ip flow ingress" or "ip route-cache flow" on the interfaces for
traffic accounting. When all these commands are applied on the
interfaces, it causes the same traffic to be counted multiple times
again causing the product to show incorrect traffic stats and thus
incorrect utilization reports.
Incorrect link speed in NetFlow Analyzer:
NetFlow Analyzer calculates the utilization based on the link speed. For
example, if the link has capability to handle 1 Mbps and the actual
traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50 %. Here
is the formula which explains the utilization calculation on NetFlow
Analyzer.
Utilization = Actual Speed/Link Speed * 100
So,
if the link speed is not updated properly in NetFlow Analyzer, the
utilization shown in NetFlow Analyzer will be different than the
actual. NetFlow Analyzer can determine the interface speed if you set
the appropriate SNMP Port and Community for the router on NetFlow Analyzer. This can be done from the 'Set SNMP Parameters' icon on the
'Interface View' right next to the router name or you can set the
interface speed manually for each interface on NetFlow Analyzer (from
the Edit Settings icon on the 'Interface View' next to the interface
name). You can refer to this blog for more details.
Non dedicated burstable bandwidth:
Certain ISPs allows
you to use over the allocated bandwidth depending on the other
customers sharing that link. So, even though the max bandwidth is
2Mbps, the ISP may allow you to use even more based on availability.
This also affects the accurate reporting on NetFlow Analyzer causing
incorrect bandwidth utilization values and even more than 100%.
ESP and GRE traffic:
This is another reason for traffic
to get double counted in NetFlow Analyzer. With NetFlow data, the
tunnel traffic will be accounted as the normal traffic before
encryption and again as the encrypted traffic. NetFlow Analyzer have an
option to filter this kind of encrypted tunnel traffic from the
reports. This option is availble under Product Settings - Advance
Settings - ESP or GRE Filter.
To know more about the about ESP and GRE traffic double count, check this link.
If none of the above resolves the issue, please find the technical explanation on what could still be causing this:
Any
analyzer tools calculates the OUT traffic of an interface based on the
IN traffic of the interface that sends traffic to it. When traffic is
passing from higher speed interface to lower speed interface, the
calculation of OUT traffic from a higher speed IN traffic causes
incorrect traffic utilization to be shown on the OUT traffic.
The
above reason for more than 100 % utilization on OUT traffic can be
resolved by enabling only "ip flow egress" on all the interfaces.
If you have any further queries on this, kindly send us a email at netflowanalyzer-support@manageengine.com.
Thanks
Praveen
Download | Interactive Demo | Product overview video
Being a niche player in the SAAS market, Zoho brings an amazing level of engineering expertise to ManageEngine in building highly secure and scalable distributed applications. And hopefully you know, Adventnet has recently changed its name to Zoho Corp and formed three divisions namely ManageEngine, Zoho, and WebNMS.
Growing network needs complicate the job of network administrators and bring in new challenges. Network Administrators need robust,cutting-edge network management tools to quickly troubleshoot network incidents and increase the network performance. However considering the economic situation, it is very important to choose the right application which can leverage on network performance management data from multiple technologies and of course at an affordable cost.
ManageEngine NetFlow Analyzer team constantly interacts with its customers, technology companies and VARS to prioritize the road map. Whenever a new technology is introduced in the product, all existing customers see an immediate value by means of simple free upgrade instead of paying a hefty price. Here the ROI includes cutting bandwidth upgrade costs due to increased visibility using ManageEngine NetFlow Analyzer, avoid unauthorized bandwidth usage and increase the efficiency of business critical applications with almost zero implementation cost.
Multiple technologies - Single Solution:
Cisco NetFlow:
Cisco's NetFlow technology exports flow records from any IOS capable routers and switches. The exported flow records contain information about protocols, ports, source, destination IP addresses and much more.
NetFlow Analyzer provides several instant reports to monitor bandwidth including top talkers, top protocols, top conversations, and more. Apart from these pre-defined bandwidth reports, NetFlow Analyzer also includes options to search for specific bandwidth usage details based on IP address, host name, protocol, and more.
Bandwidth Monitoring without Probes
NetFlow Analyzer does network bandwidth monitoring using NetFlow. NetFlow exports are collected, correlated, and analyzed to get granular details to monitor bandwidth usage across each WAN link. There is no need for hardware probes to monitor bandwidth usage. NetFlow Analyzer is an all software solution which is suitable for both Windows and Linux.
Real-time Bandwidth Monitoring
Bandwidth monitoring reports for each interface shows the current, average, and peak bandwidth usage patterns across each NetFlow-enabled interface. With these bandwidth usage statistics you can get instant visibility into how much bandwidth was used up by hosts, applications, and conversations across a specific interfaces.
Application-wise Bandwidth Distribution
To monitor bandwidth utilized by different applications, NetFlow Analyzer gives you instant visibility into which applications are using up maximum bandwidth. You can also drill down to see the top sources, destinations and conversations using the bandwidth. With such granular detail, network troubleshooting and problem resolution take far less time than with traditional tools.
Cisco NBAR:
Cisco NBAR (Network Based Application Recognition) engine runs on the IOS and does deep packet inspection to identify applications riding on regular ports. For example TCP 80 can be identified as kazza2, BitTorrent, Napster etc. The respective utilization, volume and speed can be polled through SNMP protocol over time.
NBAR reports are very useful to set the Quality of Service (CB-QoS) policies. NBAR and QoS policies can work together to prevent bandwidth stealing applications and increase the efficiency of business critical applications.
Cisco CB-QoS (Class Based - Quality of Service):
We have discussed a lot about deploying CB-QoS policies for improved network performance. You can find CB-QoS blog series in this link. Cisco CB-QoS is the simplest way to prioritize network traffic.
Having insights over pre and post policy metrics, network administrators can modify their CB-QoS policy configuration for improved performance and to avoid any impact to business critical applications due to misconfiguration.
This is why we call ManageEngine NetFlow Analyzer is a powerful traffic analysis and forensic solution for a network of any size. Try our 30 days all feature version and write your queries to netflowanalyzer-support@manageengine.com
Thanks
Raj
Couple of day’s back one of our customer wants to know the best practice to monitor the VOIP/IP Phone traffic using NetFlow Analyzer. I felt this deserves a blog really.
By default NetFlow Analyzer identifies SKINNY & SIP (port numbers 2000 & 5060) applications and show the usage with the IP address or phone involved on each and every interface. But to monitor the voice traffic as a separate entity or for a specific phone, you have two ways. Either by using the application mapping using voice gateway IP or individual IP network/range of phones with IP group.
Let’s see the options in detail.
1. Application mapping using voice gateway IP
ManageEngine NetFlow Analyzer detects applications based on the port and protocol values available in the flow records. And it is possible to add, modify and delete the port - protocol mappings from the user interface. As an added advantage NetFlow Analyzer also provides an ability to associate the IP addresses into this application mapping for precise classification. So if you create an application mapping "MyAPP" with an IP address - port - protocol match, NetFlow Analyzer starts classifying the all conversations/calls originated or designated to the mapped IP address with the defined port & protocol as “MyApp”.
Using this functionality one can create a new application mapping using the "Application Mapping" link with the voice gateway IP and port & protocol used for IP phone traffic. If you are not sure about the port and protocol, you can also use 0-65535 as a port range in the application mapping. Since this is going to be your voice gateway, mostly it deals with VOIP traffic.
This new VOIP tracking application will be shown under the application tab with the respective traffic volume and further drills down to conversation/call information.
2. Using IP groups
As a second option, it is also possible to monitor the IP phone traffic by creating an IP group. The IP groups feature lets you monitor departmental, intranet or application specific traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol. You can even choose to monitor traffic from specific interfaces across different routers. After creating an IP group, you can view the top applications, top protocols, top hosts, and top conversations in this IP group alone.
Now create an IP group with a VOIP gateway or VOIP IP network or VOIP phone range. You can create as many IP groups based on your requirement. The possibility of associating the port, protocol and interface information with IP groups helps to make the classification to be more precise.
Each IP group gives you the complete traffic, application and conversation information pertained to the IP addresses or port-protocol mapping involved in the group.
Note: In both the options, ensure that the desired IP address (voice gateway IP or IP address of IP phone(s)) is visible to your router or L3 switch. So that it can be exported through the NetFlow packet.
Please write your questions to support@netflowanalyzer.com. You can download our 30 days all feature trial software from the following link.
Download:
http://www.manageengine.com/products/netflow/download.html?ab
Features:
http://www.manageengine.com/products/netflow/netflow-features.html
Live Demo:
http://demo.netflowanalyzer.com
Thanks
Raj
I'm sure you would have heard about the ManageEngine NetFlow Analyzer and the Riverbed Technology Alliance(RTA). I just wanted to let you know the what, why and of course, the end user benefits of the RTA.
What and why - this RTA?
RTA is a program by riverbed which allows companies with complementary technology to bring additional value to the end users. Riverbed Steelhead appliances are used for WAN optimization and much more. And these Steelhead appliances export NetFlow, this is where ManageEngine NetFlow Analyzer comes useful. NetFlow Analyzer collects and analyzes these NetFlow packets exported from the Steelhead appliances and gives in-depth visibility of your network such as top talkers, top applications, DSCP values and much more.
Over the past four years, the time since NetFlow Analyzer came into being, and with 4000 businesses using this solution, we have seen at least 500 of them using Riverbed Steelhead appliances. And the value the joint solution brings is immense.
"The joint solution from Riverbed and ManageEngine NetFlow Analyzer provides in–depth visibility into our WAN traffic and accelerates applications crossing the WAN," said George Caraker, Manager of IT Operations at Kennedy⁄Jenks Consultants. "We can now quickly and easily identify the root cause of many network issues, resolve bandwidth utilization problems, and track long term trends. We can also do application monitoring and IP monitoring to ensure quality of business critical applications like MS Exchange and SAP. ManageEngine NetFlow Analyzer is easy to install and use and represents excellent value."
End user benefits:
Check out the Riverbed ManageEngine joint solution brief here.
Cheers
Joe
Corp