Traffic analysis involves monitoring the network to find out who and what used the bandwidth and at what time. The analysis also involves having a detailed understanding on the network protocol distribution. One may ask why is there the need to identify the protocols in the network when you see the applications being used and their related conversations.

The protocol distribution helps network administrators find the bandwidth used by each protocol in the network. This helps find if any unwanted (read as: not mean to be used) protocols are being used in the network and based on this, the network administrator can reallocate this bandwidth to more critical applications using other protocols.

It also helps you determine if any inactive application protocol is being used in the network taking away valuable bandwidth. To give a real example, an administrator was expecting to see only negligible bandwidth usage by L2TP traffic in his network. He looked at the protocol distribution graph and what he found was L2TP occupying about 10% of the total traffic. Now, that is called sacrilege in network terminology !

Again, having a track on the network protocol distribution can even help quickly solve network problems. When the network is slow, instead of analyzing each application one by one, you can take a look at the protocol distribution to find if there is any unexpected change in the pattern and then analyze the protocol to find what application is involved in bandwidth.

And is it not much more easier to identify non compliance traffic based on protocol first and then drilling down to find the application and conversations involved rather than checking out for each applications in the list of thousands of applications?

Since Cisco and many of the major vendors in the market have already come up with NetFlow or a  similar flow format technology, one does not have to wonder how to obtain such an information from the routing or switching devices. All you need is configure your device to export NetFlow packets to ManageEngine NetFlow Analyzer which supports almost all the major flow formats, and the product will capture the flow packets to generate the reports. Now that is called Up and Running in a matter of minutes.

It really does not do a big deal if you can just see the protocol distribution in the network. What you need is the ability to see the source and destination associated with each conversation corresponding to a protocol and this is exactly what NetFlow Analyzer can also do. Check out the screen shots to see protocol distribution reports available in NetFlow Analyzer.


Protocol Distribution

Protocol Conversations

With NetFlow Analyzer, it is not just limited to showing the conversations involved, but we even have a graph option for each of the conversations. NetFlow Analyzer offers this and much more. Do take a look at the application monitoring capabilities also. Download and try the evaluation to see what more the product can do for your network.

Download | Interactive Demo | Product overview video | Twitter | Customers

Regards,
Don Thomas Jacob

Couple of days back, we had an interesting conversation going on in our forums. One of our privileged ManageEngine customer wanted to have speed based alerting mechanism and gave us a real good reason to have this feature. Please find the conversation on the below link. 

http://forums.manageengine.com/#Topic/49000003700030

I just wanted to check how the UI should look like and input configuration. Please share us your views and inputs to add the speed based alert feature. 

Please write your technical questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any moment.

Thanks
Raj

Download | Interactive Demo | Product overview video | Twitter | Customers




Bandwidth monitoring and traffic analysis is turning out to be more important than ever with growing advances in networking technologies and advent of Web 2.0. It is no more possible to simply let the organization's traffic network pass through the WAN links, pushing each other for bandwidth. Prioritizing traffic, so that mission-critical applications receive the bandwidth they need, is the key word today.

There is a little feature called NBAR available in many Cisco devices, which lets you do a lot more than it spells and can play a great role in defining the network's traffic policies.

NBAR or Network-Based Application Recognition is a feature available in Cisco IOS that does a deep packet inspection of traffic passing through an interface and can recognize a wide variety of applications, including applications that dynamically assigns TCP or UDP port numbers or even undesired applications that uses well known port numbers to mask itself.

NBAR will show the details of the applications used on an interface basis. The feature can identify even peer to peer applications like Bit Torrent or applications like Skype which uses random port numbers for connectivity and hogs the organizational bandwidth. The results available from NBAR can also be used to define your QoS policies in a much better manner blocking out the unwanted applications.

NetFlow Analyzer, which uses NetFlow data and other similar flow data to give reports on bandwidth usage by host, port, protocol, applications, DiffServ and conversations, can also report on NBAR statistics from the your devices, making reporting an easy task.

NBAR Report

NBAR with its deep packet inspection capability is a great feature for security analysis also. An example is how NBAR helped to identify CODE-RED worm and the related Cisco information can be seen from here. You can even make use of the AutoQoS for the Enterprise feature available in some Cisco devices which can use NBAR data for prioritizing traffic. Do check out how to do this from here.

Since NBAR data help define CBQoS policies, NetFlow Analyzer can also report on the Class Based QoS policies and its pre and post policy traffic usage and drops. Get a first hand experience of the features in NetFlow Analyzer using the 30 day trail.

Download | Interactive Demo | Product overview video | Twitter | Customers

Regards,
Don Thomas Jacob

        This blog may need prior reading of my first blog about Flexible NetFlow. We have already discussed about the advantages of Flexible NetFlow and migration from traditional NetFlow versions to FNF. To make this transition smooth Cisco provides the option of pre-defined flow records which can be used to configure Flexible NetFlow without investing a lot of time. And as I mentioned earlier it also helps your existing NetFlow V9 collector to parse exported data. However to use Flexible NetFlow to its fullest potential or to monitor a specific network behavior, you should create your own customized records. 

        Let’s see how to configure Flexible NetFlow to export flow statistics. Flexible NetFlow export can be configured in three easy steps.

1. Configure the exporter

2. Configure the Flow Monitor with the pre-defined Flow Record and Flow Exporter attached to the monitor.

3. Add the Flow Monitor to the interface to monitor either ingress (input) or egress (output traffic).


1. Configuring Exporter

                    Flow exporter can be configured with a unique name. Multiple Flow exporter profiles can be configured. Below is the configuration to configure Flow Exporter.

flow exporter <exporter name>

destination <ip address of ME NFA>

transport udp <port number>

Example configuration:

flow exporter me_nfa_analyzer

destination 192.168.1.1

transport udp 9996   


2. Flow Monitor and Flow record configuration

Flow record configuration defines the fields exported via NetFlow protocol. Flexible pre-defined flow records are based on the original NetFlow ingress or egress caches. Cisco provides a unique keyword to identify the pre-defined records and these records can associated with a Flexible NetFlow Flow record configuration. The Flexible NetFlow "netflow-original" and netflow ipv4 original-input are predefined records and these two records can be used interchangeably to export the basic key fields and time stamp fields. Flow monitors can also include packet sampling information if sampling is required.

flow monitor <monitor name>

record netflow-original

exporter <exporter name>

cache timeout active <seconds>

cache timeout inactive <seconds>

Example Configuration:

flow monitor me_nfa_monitor

record netflow-original

exporter me_nfa_analyzer

cache timeout active 60


3. Adding Flow Monitor to the interface

Flow Monitor has to be attached to a specific physical or logical interface to export flow statistics for that particular interface. Below is the configuration to attach flow monitor to a specific interface.

interface <interface name>

ip flow monitor <monitor_name> input

Example Configuration:

interface serial0/0

ip flow monitor me_nfa_monitor input


   And the above configuration can be verified by "show flow monitor" command. As I mentioned earlier Flexible NetFlow has numerous advantages and has the power of supporting new performance monitoring statistics as soon as they are available.  Flexible NetFlow is an evolving technology available in Cisco devices to help with visibility into how network assets are being used and the network behavior. 

Please find more information on FNF here.

   ManageEngine constantly studies the market and user demands to support new technologies. In fact ManageEngine NetFlow Analyzer is the first tool to support multiple bandwidth and performance monitoring technologies like NetFlow, NBAR and CBQoS in the market. And currently ManageEngine NetFlow Analyzer supports Flexible NetFlow without any issues. Please write your questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any moment.

Thanks

Raj 

Download | Interactive Demo | Product overview video | Twitter | Customers

Hello,

  Some of our community folks using ME NetFlow Analyzer to monitor their Juniper firewalls SSG 500 series. It supports policy based netflow/JFlow export. 

  Can you share us the netflow/JFlow configuration to enable NetFlow/JFlow on these firewalls?

Thanks

Raj

Download | Interactive Demo | Product overview video

 Flexible NetFlow is the next generation flow export technique promoted by Cisco Systems. As the word depicts it is highly flexible based on user requirements and to monitor specific network behaviour. Traditional NetFlow used a fixed seven tupple of IP information to identify a flow most of the time. Advantages of Flexible NetFlow 

1. Flexibility to choose the desired export fields. 

2. Reduce the number of flows and allows CPU to perform efficient routing and switching

3. Convergence of multiple accounting technologies into one accounting mechanism

Flexible NetFlow and NetFlow V9

  The export protocol of choice for Flexible NetFlow is the NetFlow Version 9 export protocol, but unfortunately and to date, NetFlow Version 5 has been a much more widely used protocol because of the legacy Cisco IOS® Software images that are still around that supported the NetFlow v5 export protocol only and worked very well. However Cisco claims the future is going to be Flexible NetFlow. And believe it this migration is going to very smooth since Flexible NetFlow can also be configured to export some predefined flow records using the NetFlow Version 5 protocol format for backward compatibility. This helps your existing collectors can work with Flexible NetFlow until you find a real requirement to use additional fields offered by Flexible NetFlow.

Flexible NetFlow Configuration

    Traditional NetFlow configuration is pretty much straight forward. Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export, and the new command-line interface (CLI) configuration follows the same traditional logic.In this user-defined flow records and the component structure of Flexible NetFlow make it easy to create various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands. 

    Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export, and the new command-line interface configuration follows the same traditional logic.

 Let's see this components in detail

Flow Monitor:

    A Flexible NetFlow Flow Monitor describes the NetFlow cache or information stored in the cache. The Flow Monitor contains the Flow Records or key and non-key fields within the cache. Also, part of the Flow Monitor is the Flow Exporter which contains information about the export of NetFlow information including the destination address of the NetFlow collector. The Flow Monitor includes various cache characteristics including the timers for exporting, the size of the cache and if required, the packet sampling rate.

Flow Record:

    A Flow Record is a set of key and non-key NetFlow field values used to characterize flows in the NetFlow cache. Flow Records may be pre-defined for ease of use or customized and user defined. A typical pre-defined record will aggregate flow data and allow users to target common applications for NetFlow. User defined records will allow selection of specific key or non-key fields in the Flow Record. The user defined field is the key to Flexible NetFlow allowing a wide range of information to be characterized and exported by NetFlow. It is expected that different network management applications will support specific user defined and pre-defined Flow Records based on what they are monitoring (ie: security detection, traffic analysis, capacity planning).

Flow Exporter:

    The Flexible NetFlow Exporter allows the user to define where the export can be sent, the type of transport for the export and properties for the export. Multiple exporters can be configured per Flow Monitor or the same exporter can be used by multiple monitors.

The following figure shows the flow monitor and it components.

Flexible NetFlow Flow Monitor

 In our next blog we are going to use a pre-defined (defined in IOS itself) flow record to export netflow records using Flexible Netflow. In the meanwhile if you have any queries. please write to netflowanalyzer-eesupport@manageengine.com

Thanks

Raj

Download | Interactive Demo | Product overview video


 Being a niche player in the SAAS market, Zoho brings an amazing level of engineering expertise to ManageEngine in building highly secure and scalable distributed applications. And hopefully you know, Adventnet has recently changed its name to Zoho Corp and formed three divisions namely ManageEngine, Zoho, and WebNMS.

 ManageEngine NetFlow Analyzer Enterprise Edition is a truly distributed NetFlow collection and reporting application, purpose-built for large organizations managing hundreds and thousands of networking devices and links across their geographically distributed business locations. When we started building NetFlow Analyzer Enterprise Edition, one of the biggest challenges we faced was improving the flow handling capacity and building a unified view of geographically separated networks. After experiments, the engineering team concluded that offloading flow collection from the reporting center drastically improved the flow handling capacity.

 Below is the architecture of our distributed edition. You can see the collectors are deployed at every major business locations and data centers for flow collection. These collectors compresses the exported flow data and sends it via HTTPS connection to the central server for reporting purposes. Here, most of the flow processing functionalities were offloaded to collectors which helps the central server to generate reports within seconds for any particular device.

NetFlow Analyzer EE Architecture
Many of the NetFlow Analyzers available in the market are not truely distributed in nature. They parse and store the flow records in the same collector and cannot give you the unified view of all the collection points. And there is no automatic crash recovery of data is possible. Unlike in ManageEngine, it involves individual backup and upgrade procedures which requires lot of maintenance activities. All these procedures are automated in ManageEngine NetFlow Analyzer Enterprise Engine via failover and smart upgrade manager technologies. And this is why we call ManageEngine NetFlow Analyzer is a Enterprise class distributed NetFlow collection and reporting engine suitable for any large organisations. And when we say distributed we mean it.

Before you start evaluating a distributed and scalable netflow monitoring solution, please ensure that you have the following Enterprise class features are available.

1. Distributed flow collection capability and optimized bandwidth usage between collectors and central reporting server.
2. Scales upto 20000 interface with 15000 flows per second. Any number of collectors can be added without any additional license.
3. Support for NetFlow V5,V7,V9 /sFlow, JFlow, NetStream, IPFIX.
4. Support for Cisco NBAR and correlate NBAR data with NetFlow data.
5. Support for CB-QoS (Class Based - Quality of Service) monitoring. Identify Pre and Post policy metrics and fine tune your QoS configurations.
6. Failover support - automatic crash recovery and data replication. Please visit this link for more information.
7. Ability to use your existing SAN (Storage Area Network).
8. Compatible with VM ware.
9. No data loss even after a link failure between Collectors and Central Server.
10. Ensure separate 64 bit binaries are available for increased flow handling and reporting performance.
11. Secure data transfer - https mode between collector and central server
12. Smart upgrade manager. Upgrade patchs are pushed automatically from the central console to collectors. 
12. User defined dashboards and views.
13. Group devices based on their location and build tree view for easy access and troubleshooting.
14. Ability to work in multiple time zones
15. Network Forensics using raw data


NetFlow Analyzer EE View


 And remember thousands of users like Cisco,Adobe, Ferrari and many fortune companies cannot be wrong.

 Please download and try our 30 day full featured trial edition in the following link


Full Feature List is available in the following link


  Kindly write your questions to netflowanalyzer-eesupport@manageengine.com. We are happy to assist you at any moment. 

Thanks
Raj

With Internet bandwidth being costly and transmission of business critical data being a priority, tracking of bandwidth taken by fun and entertainment sites is an essential in bandwidth management. Such tracking helps ensures that bandwidth taken for traffic to fun sites does not affect business critical applications traversing over the Internet links.

NetFlow Analyzer and NetFlow technology can be used for detailed traffic and bandwidth analysis to identify the applications used, find the hosts involved with the traffic and trace their QoS markings among many other reporting capabilities. But, how exactly would you distinguish between normal HTTP traffic and the traffic to sites such as facebook, myspace, youtube, sports sites and so on?

NetFlow Analyzer provides multiple options to track the traffic to specific sites or departments, separating them from the normal traffic for easier view and analysis. One is through the capability to combine application mapping  with  IP Address, network or range, helping categorize applications which use the same port but have different hosts involved as separate applications.

Application Mapping for Facebook

Such a mapping will show the traffic to this certain site in the list of total applications for an interface, thus giving you an idea on how much of the total traffic was taken by users connecting to the social site.


Facebook for each interface

If this sounds good, check the next option we have. The IP Group option in NetFlow Analyzer lets you group together IP Address, network or range, applications or a combination of all these as a separate category and see their specific reports. Such a grouping helps categorize the complete network traffic to fun sites, lets call them social sites, see the hosts involved and how much each are using every hour/day and even custom time periods. Sounds better ?

Social Sites total

Both these features can be used to quickly categorize applications based on their source and destination or to categorize traffic separately with a combination of criteria.

The feature is not limited to just classifying social site traffic, but can be used for traffic to a specific branch or office, traffic related to any business critical applications, and so on. Do let us know your suggestions on the product and its features and what more you would like to see in the future.

Download | Interactive Demo | Product overview video

Regards,
Don Thomas Jacob



Hello,

First we want to thank all our customers and prospects for their help in supporting NSEL. Last week our ManageEngine NetFlow Analyzer support team was terribly busy in handling ASA customers and prospects. Most of customers who enabled ASA - NSEL, started complaining about the interface names and indices. Actually they did not match with the statistic they have reported. We have verified the code twice about handling interface indices and SNMP get. There was no change made recently for ASA.

Fortunately one of our community folk updated our forums about the Cisco bug in NSEL with a bug ID. 

http://forums.manageengine.com/#Topic/49000003577055


 "There is currently an ASA bug (ID:CSCtb63825) that will give you inaccurate information. The doesn't use IfTable to store interface names, so NFA may report data for an interface that is actually sourced from a different interface. Cisco has informed me that this bug has been fixed in 8.2(12), but that the release is not available yet."

Lets wait for the new release to solve this issue.

Thanks

Raj


Great News for all who were looking for monitoring NetFlow data from Cisco ASA devices. ManageEngine NetFlow Analyzer now provides preliminary support for NetFlow data from ASA devices.

For those who have not caught up on this news, a couple of months back, Cisco released a new IOS which brings support for NetFlow capabilities to ASA devices. The NetFlow feature from ASA devices, termed as NetFlow Secure Event Logging (NSEL), is based on NetFlow version 9 flow format and can give real time bandwidth reports.

Ever since this release, we have had a huge demand to start supporting the new flow format. Working with some customers who provided packet captures from their ASA devices, our engineering team has successfully developed a patch which would provide support for these flows. The patch has to be applied on top of the latest version of NetFlow Analyzer.

This patch enables NetFlow Analyzer to report on traffic and bandwidth information using the NetFlow packets from ASA devices when exported in the same format as NetFlow version 5. We will be extending our support to the new fields in our next release.

You can find the recommended configuration for ASA NetFlow from this post in our forum. Please contact our technical support at netflowanalyzer-support@manageengine.com / +1 925 965 9435 to get more information.

Regards,
Don Thomas Jacob