Traffic analysis involves monitoring the network to find out who and what used the bandwidth and at what time. The analysis also involves having a detailed understanding on the network protocol distribution. One may ask why is there the need to identify the protocols in the network when you see the applications being used and their related conversations.

The protocol distribution helps network administrators find the bandwidth used by each protocol in the network. This helps find if any unwanted (read as: not mean to be used) protocols are being used in the network and based on this, the network administrator can reallocate this bandwidth to more critical applications using other protocols.

It also helps you determine if any inactive application protocol is being used in the network taking away valuable bandwidth. To give a real example, an administrator was expecting to see only negligible bandwidth usage by L2TP traffic in his network. He looked at the protocol distribution graph and what he found was L2TP occupying about 10% of the total traffic. Now, that is called sacrilege in network terminology !

Again, having a track on the network protocol distribution can even help quickly solve network problems. When the network is slow, instead of analyzing each application one by one, you can take a look at the protocol distribution to find if there is any unexpected change in the pattern and then analyze the protocol to find what application is involved in bandwidth.

And is it not much more easier to identify non compliance traffic based on protocol first and then drilling down to find the application and conversations involved rather than checking out for each applications in the list of thousands of applications?

Since Cisco and many of the major vendors in the market have already come up with NetFlow or a  similar flow format technology, one does not have to wonder how to obtain such an information from the routing or switching devices. All you need is configure your device to export NetFlow packets to ManageEngine NetFlow Analyzer which supports almost all the major flow formats, and the product will capture the flow packets to generate the reports. Now that is called Up and Running in a matter of minutes.

It really does not do a big deal if you can just see the protocol distribution in the network. What you need is the ability to see the source and destination associated with each conversation corresponding to a protocol and this is exactly what NetFlow Analyzer can also do. Check out the screen shots to see protocol distribution reports available in NetFlow Analyzer.

Download | Interactive Demo | Product overview video | Twitter | Customers

Once sFlow is enabled on the HP devices, NetFlow Analyzer server will receive the packets and the product will capture the packets to automatically generate the reports. You also need to ensure that no access control lists (ACLs) or firewalls block the NetFlow packets (on UDP 9996) and that even the software firewalls on the server are allowing the packets to reach the NetFlow Analyzer installation.

After enabling the sFlow on the HP devices, we need ensure a few points to get the accurate traffic statistics about the device in NetFlow Analyzer.

The first and foremost is the sampling rate. We suggest setting the sampling rate to 4096. We have observed from various setups and from our existing customers feedback that the sampling rate of 4096 gives the most accurate traffic statistics in NetFlow Analyzer.Most of the other sFlow collectors in the market suggest the sampling rate to 256 which means more number of exported sFlow datagrams. With a sampling rate of 4096, you get the additional benefit that the device is not being overloaded by sampling large number of datagrams and exporting to the NetFlow Analyzer.

Next point we need verify is the "sFlow receiver timeout". This determines how long sFlow remains active on the exporting device. When the value has expired, sFlow also gets disabled on the device forcing you to re-enable sFlow export. Due to this, we recommend setting the sFlow Receiver Timeout to the maximum possible value, which is 2147483647 seconds which is 68 years ! The command to be used on the HP device for setting the sFlow receiver timeout is:

setmib sFlowRcvrOwner.1 -D NetFlow Analyzer IP sFlowRcvrTimeout.1 -i 2147483647

sFlow Disable Utility:

Of course. We have thought about that too. Just in case you want to export sFlow to different server or stop the flows for some time or whatever be the reason, NetFlow Analyzer provides you the script to disable sFlow export on the HP device.

The disable can be done using the script sFlowDisable.bat (for Windows and .sh for Linux) and the file is present under <\AdventNet\ME\NetFlow\troubleshooting > directory. The usage of the script is as below:

SFlowDisable.bat switchIp snmpPort snmpWriteCommunity

Example :-

C:\AdventNet\ME\NetFlow\troubleshooting>sFlowDisable.bat 192.168.188.30 161 private

Go ahead and try our 30 day trial to see for yourself on how well NetFlow Analyzer works with sFlow and HP devices.

Thanks

Praveen Kumar

Download | Interactive Demo | Product overview video | Twitter | Customers

http://forums.manageengine.com/#Topic/49000003700030

I just wanted to check how the UI should look like and input configuration. Please share us your views and inputs to add the speed based alert feature. 

Please write your technical questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any moment.

Thanks
Raj

Download | Interactive Demo | Product overview video | Twitter | Customers

Free tool with no data storage is as needless!

At the end of the day, "relative results" matter. To be able to show that one has made certain changes and how it has affected the network for good, hopefully! All this is possible only if a large amount of data is available for analysis. There are free tools which offer to store data for up to one wHOLE day. All a user will find the next day is a hole in the previous day data. A clean data base and a blank look on one's face. For analysis, data size is very critical. And it doesn't take a genius to say that one day data does not contribute to any analyzable data. Time and data are somethings that cannot be got back once lost (data can be, if you have fail-over, but, hey! how many free tools have that!).

Even when you are going for a free tool, you have a choice to make. To make the choice between something that is going to cost your time and data or the one that is useful-AND-free, which can store the data forever, carry out the necessary analysis.

NetFlow Analyzer free edition lets you monitor two most critical interfaces in your network and the data can be stored forever - that is absolutely free AND useful. An useful solution which gives better analysis with the data that can be stored forever. You can see the history of security threats, the trend of bandwidth requirement growth over a period of time, answers questions such as "who are the top talkers?, is the bandwidth used for the business critical applications ?" and much more.

So you want a "free" tool or a free AND useful tool?

Cheers

Joe

Follow NetFlow Analyzer on twitter!

Download | Interactive Demo | Product overview video | Twitter | Customers

Regards,
Don Thomas Jacob

        Let’s see how to configure Flexible NetFlow to export flow statistics. Flexible NetFlow export can be configured in three easy steps.

1. Configure the exporter

2. Configure the Flow Monitor with the pre-defined Flow Record and Flow Exporter attached to the monitor.

3. Add the Flow Monitor to the interface to monitor either ingress (input) or egress (output traffic).

1. Configuring Exporter

                    Flow exporter can be configured with a unique name. Multiple Flow exporter profiles can be configured. Below is the configuration to configure Flow Exporter.

flow exporter <exporter name>

destination <ip address of ME NFA>

transport udp <port number>

Example configuration:

flow exporter me_nfa_analyzer

destination 192.168.1.1

transport udp 9996   

2. Flow Monitor and Flow record configuration

Flow record configuration defines the fields exported via NetFlow protocol. Flexible pre-defined flow records are based on the original NetFlow ingress or egress caches. Cisco provides a unique keyword to identify the pre-defined records and these records can associated with a Flexible NetFlow Flow record configuration. The Flexible NetFlow "netflow-original" and netflow ipv4 original-input are predefined records and these two records can be used interchangeably to export the basic key fields and time stamp fields. Flow monitors can also include packet sampling information if sampling is required.

flow monitor <monitor name>

record netflow-original

exporter <exporter name>

cache timeout active <seconds>

cache timeout inactive <seconds>

Example Configuration:

flow monitor me_nfa_monitor

record netflow-original

exporter me_nfa_analyzer

cache timeout active 60

3. Adding Flow Monitor to the interface

Flow Monitor has to be attached to a specific physical or logical interface to export flow statistics for that particular interface. Below is the configuration to attach flow monitor to a specific interface.

interface <interface name>

ip flow monitor <monitor_name> input

Example Configuration:

interface serial0/0

ip flow monitor me_nfa_monitor input

   And the above configuration can be verified by "show flow monitor" command. As I mentioned earlier Flexible NetFlow has numerous advantages and has the power of supporting new performance monitoring statistics as soon as they are available.  Flexible NetFlow is an evolving technology available in Cisco devices to help with visibility into how network assets are being used and the network behavior. 

Please find more information on FNF here.

   ManageEngine constantly studies the market and user demands to support new technologies. In fact ManageEngine NetFlow Analyzer is the first tool to support multiple bandwidth and performance monitoring technologies like NetFlow, NBAR and CBQoS in the market. And currently ManageEngine NetFlow Analyzer supports Flexible NetFlow without any issues. Please write your questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any moment.

Thanks

Raj 

Download | Interactive Demo | Product overview video | Twitter | Customers

• Validating QoS policies with Cisco CBQoS - Enterprise edition now supports Cisco CBQoS and provides report on the per-class pre policy, post policy drops and queues. This new feature complements the already existing support for Cisco's Network based application recognition (NBAR), helping in application mapping and providing better quality of service. Read more...
  


• User based dashboard page for guests / Operators - Each user can have their own dashboard, only viewing devices that need to be monitored by them, which can be sorted based on utilization, speed etc.


• Business hour alerts - makes sure that the users do not have to worry about the alerts that might be generated during non-business hours. With the new version of NetFlow Analyzer, business hours can be preset as per the enterprise's need and the alerts can be activated only during that period.


• Exclude IP address(es) option in IP groups - During creations of IP groups, the exclude option makes it much easier to exclude only particular addresses from a network as the requirement may be.


• Radius authentication - Radius Server is useful in centralised management of user credential details. Once the user roles are defined in the User Management feature of NetFlow Analyzer, subsequent authentication of the user profiles can be done from the Radius Server.


• Exclude encrypted applications - Enabling NetFlow on cryptomap tunnel interfaces double counts the ESP / GRE traffic. That can be prevented by applying this filter on cryptomap tunnel interfaces.


• Output interface suppression - WAN optimizers compress the packets and therefore the flow size varies. The size of the packet going in and coming out is not the same, and the readings can be misleading and confusing, to say the least. To avoid this, "Output Interface Suppression" can be used. The interface in which the compression takes place (destination/output interface) can be suppressed.


• ACL related drops - Access control filter drops the flow information which contains data pertaining to dropped traffic due to Access Control List.

Hello,

  Some of our community folks using ME NetFlow Analyzer to monitor their Juniper firewalls SSG 500 series. It supports policy based netflow/JFlow export. 

  Can you share us the netflow/JFlow configuration to enable NetFlow/JFlow on these firewalls?

Thanks

Raj

Download | Interactive Demo | Product overview video

1. Flexibility to choose the desired export fields. 

2. Reduce the number of flows and allows CPU to perform efficient routing and switching

3. Convergence of multiple accounting technologies into one accounting mechanism

Flexible NetFlow and NetFlow V9

  The export protocol of choice for Flexible NetFlow is the NetFlow Version 9 export protocol, but unfortunately and to date, NetFlow Version 5 has been a much more widely used protocol because of the legacy Cisco IOS® Software images that are still around that supported the NetFlow v5 export protocol only and worked very well. However Cisco claims the future is going to be Flexible NetFlow. And believe it this migration is going to very smooth since Flexible NetFlow can also be configured to export some predefined flow records using the NetFlow Version 5 protocol format for backward compatibility. This helps your existing collectors can work with Flexible NetFlow until you find a real requirement to use additional fields offered by Flexible NetFlow.

Flexible NetFlow Configuration

    Traditional NetFlow configuration is pretty much straight forward. Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export, and the new command-line interface (CLI) configuration follows the same traditional logic.In this user-defined flow records and the component structure of Flexible NetFlow make it easy to create various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands. 

    Flexible NetFlow consists of components that can be used together in several variations to perform traffic analysis and data export, and the new command-line interface configuration follows the same traditional logic.

 Let's see this components in detail

Flow Monitor:

    A Flexible NetFlow Flow Monitor describes the NetFlow cache or information stored in the cache. The Flow Monitor contains the Flow Records or key and non-key fields within the cache. Also, part of the Flow Monitor is the Flow Exporter which contains information about the export of NetFlow information including the destination address of the NetFlow collector. The Flow Monitor includes various cache characteristics including the timers for exporting, the size of the cache and if required, the packet sampling rate.

Flow Record:

    A Flow Record is a set of key and non-key NetFlow field values used to characterize flows in the NetFlow cache. Flow Records may be pre-defined for ease of use or customized and user defined. A typical pre-defined record will aggregate flow data and allow users to target common applications for NetFlow. User defined records will allow selection of specific key or non-key fields in the Flow Record. The user defined field is the key to Flexible NetFlow allowing a wide range of information to be characterized and exported by NetFlow. It is expected that different network management applications will support specific user defined and pre-defined Flow Records based on what they are monitoring (ie: security detection, traffic analysis, capacity planning).

Flow Exporter:

    The Flexible NetFlow Exporter allows the user to define where the export can be sent, the type of transport for the export and properties for the export. Multiple exporters can be configured per Flow Monitor or the same exporter can be used by multiple monitors.

The following figure shows the flow monitor and it components.

 In our next blog we are going to use a pre-defined (defined in IOS itself) flow record to export netflow records using Flexible Netflow. In the meanwhile if you have any queries. please write to netflowanalyzer-eesupport@manageengine.com

Thanks

Raj

Download | Interactive Demo | Product overview video