NetFlow Analyzer, despite its name, works with a number of flow formats besides NetFlow, such as sFlow, jFlow, NetStream and IPFIX. This blog gives you a brief idea of sFlow technology and also guides you through using NetFlow Analyzer with sFlow exported from HP ProCurve devices.

What is sFlow?

sFlow is a monitoring technology which allows you to capture the traffic data from a switched or routed network to give complete visibility into the use of network bandwidth. This data helps in performance optimization, accounting/billing for usage, defense against security threats, capacity planning and much more.

sFlow datagrams are exported based on packet sampling, so the impact on the device's CPU, memory and available bandwidth is minimal. Based on a configured sampling rate, the device captures 1 out of every N packets (where N is the sampling rate) and sends it to NetFlow Analyzer for traffic analysis. Although this kind of sampling does not give 100% accurate statistics, it does give results with a quantifiable accuracy.

sFlow analysis with NetFlow Analyzer:

NetFlow Analyzer can work with any device capable of exporting NetFlow, sFlow or another compatible flow format; which format a device supports is entirely vendor dependent. You can check the list of flow formats and devices with which NetFlow Analyzer works here.

HP Procurve and sFlow:

Just as Cisco has NetFlow and other vendors have their own flow formats, some vendors use a technology called sFlow. HP ProCurve devices can export sFlow datagrams, which can be used for bandwidth monitoring and traffic analysis. NetFlow Analyzer can analyze the sFlow datagrams exported by an HP ProCurve switch to give you traffic statistics for each active port.

sFlow export on HP ProCurve devices can be configured in two different ways. The first is to log in to the device and configure it for sFlow export from its CLI, but this option is available only on older device models or firmware.

On newer HP devices, sFlow can be enabled only through SNMP. To make the sFlow configuration on an HP device a simple task, NetFlow Analyzer provides scripts to enable and disable sFlow export. So, let's see how to use the script to enable sFlow.

sFlow Enable utility:

The script to enable sFlow, named sFlowEnable.bat (for Windows; sFlowEnable.sh for Linux), is located in the <\AdventNet\ME\NetFlow\troubleshooting> directory.

The usage for the script is as follows:

SFlowEnable.bat switchIp snmpPort snmpWriteCommunity collectorIP collectorPort samplingRate

Example:-

C:\AdventNet\ME\NetFlow\troubleshooting>sFlowEnable.bat 192.168.188.30 161 private 192.168.133.1 9996 4096    



Once sFlow is enabled on the HP devices, the NetFlow Analyzer server will receive the datagrams, and the product will capture them and generate the reports automatically. You also need to ensure that no access control lists (ACLs) or firewalls block the sFlow datagrams (UDP port 9996), and that the software firewall on the server itself allows the datagrams to reach the NetFlow Analyzer installation.
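A quick way to confirm that what arrives on UDP 9996 really is sFlow, and that the switch is sampling at the rate you configured, is to decode the datagram header. The following is an added example (not NetFlow Analyzer's code) that parses the sFlow v5 datagram header and the fixed part of each flow sample; the datagram it decodes is constructed inline, and the agent address 192.168.188.30 is just the address used in the post.

```python
import struct

SFLOW_VERSION = 5
IPV4 = 1
FLOW_SAMPLE = 1   # sample type: enterprise 0, format 1 (flow sample)

def parse_sflow_v5(datagram: bytes) -> dict:
    """Decode the sFlow v5 datagram header and the fixed part of each flow sample.
    The flow records inside the samples are skipped; we only need the sampler settings."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != SFLOW_VERSION or addr_type != IPV4:
        raise ValueError("not an sFlow v5 datagram from an IPv4 agent")
    agent = ".".join(str(b) for b in datagram[8:12])
    _sub_agent, seq, _uptime, nsamples = struct.unpack_from("!IIII", datagram, 12)
    off, samples = 28, []
    for _ in range(nsamples):
        stype, slen = struct.unpack_from("!II", datagram, off)
        off += 8
        if stype == FLOW_SAMPLE:
            _sseq, source_id, rate, pool, drops = struct.unpack_from("!IIIII", datagram, off)
            samples.append({"ifindex": source_id & 0xFFFFFF, "rate": rate,
                            "pool": pool, "drops": drops})
        off += slen                     # skip the rest of this sample, whatever its format
    return {"agent": agent, "seq": seq, "samples": samples}

def wrong_rate_ports(parsed: dict, expected: int = 4096) -> list:
    """ifIndexes whose sampler is not running at the rate we configured (4096 in the post)."""
    return [s["ifindex"] for s in parsed["samples"] if s["rate"] != expected]

# --- constructed test datagram (not a real capture) ---
def build_flow_sample(ifindex: int, rate: int, pool: int) -> bytes:
    # seq, source_id (type 0 = ifIndex), rate, pool, drops, input if, output if, 0 flow records
    body = struct.pack("!8I", 1, ifindex, rate, pool, 0, ifindex, 0, 0)
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body

def build_datagram(agent_ip: str, seq: int, samples: list) -> bytes:
    agent = bytes(int(o) for o in agent_ip.split("."))
    header = (struct.pack("!II", SFLOW_VERSION, IPV4) + agent
              + struct.pack("!4I", 0, seq, 100000, len(samples)))
    return header + b"".join(samples)

# port 1 samples at 4096 as configured; port 5 was left at 256
SAMPLE_DATAGRAM = build_datagram("192.168.188.30", 17,
                                 [build_flow_sample(1, 4096, 819200),
                                  build_flow_sample(5, 256, 51200)])

if __name__ == "__main__":
    parsed = parse_sflow_v5(SAMPLE_DATAGRAM)
    print(parsed["agent"], parsed["seq"], "ports off-rate:", wrong_rate_ports(parsed))
```

Feed the bytes received on the collector socket to parse_sflow_v5 instead of SAMPLE_DATAGRAM to check a live export.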

After enabling sFlow on the HP devices, we need to ensure a few points in order to get accurate traffic statistics about the device in NetFlow Analyzer.

The first and foremost is the sampling rate. We suggest setting the sampling rate to 4096. We have observed from various setups and from our existing customers' feedback that a sampling rate of 4096 gives the most accurate traffic statistics in NetFlow Analyzer. Most other sFlow collectors on the market suggest a sampling rate of 256, which means a larger number of exported sFlow datagrams. With a sampling rate of 4096, you get the additional benefit that the device is not overloaded by sampling a large number of packets and exporting them to NetFlow Analyzer.
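The trade-off between 1-in-256 and 1-in-4096 can be put in numbers. The following is an added example (not from the post or the product) that scales sampled counts back to wire volume and applies the 95%-confidence error bound published in sFlow.org's packet sampling basics, 196 * sqrt(1/c) percent for a traffic class seen in c samples; the 10 million packet figure is a constructed illustration.

```python
import math

def estimated_packets(sampled: int, sampling_rate: int) -> int:
    """Scale a sampled count back to the wire: each sample stands for `sampling_rate` packets on average."""
    return sampled * sampling_rate

def error_bound_pct(sample_count: int) -> float:
    """Worst-case relative error, at 95% confidence, of a count built from `sample_count` samples
    (the bound given in sFlow.org's packet sampling basics: 196 * sqrt(1 / c))."""
    if sample_count <= 0:
        return float("inf")
    return 196.0 * math.sqrt(1.0 / sample_count)

def samples_for_volume(total_packets: int, sampling_rate: int) -> int:
    """Expected number of sFlow samples the switch exports for `total_packets` on the wire."""
    return total_packets // sampling_rate

def compare_rates(total_packets: int, rates=(256, 4096)) -> dict:
    """For each candidate rate: samples sent to the collector and the error bound if all of them
    belonged to one traffic class (e.g. one application or host)."""
    out = {}
    for rate in rates:
        n = samples_for_volume(total_packets, rate)
        out[rate] = {"samples": n, "error_pct": round(error_bound_pct(n), 2)}
    return out

if __name__ == "__main__":
    # Constructed figure: 10 million packets through the switch in one reporting window
    for rate, r in compare_rates(10_000_000).items():
        print(f"1-in-{rate}: {r['samples']} samples exported, error bound {r['error_pct']}%")
```

The same volume produces 16 times fewer datagrams at 4096 than at 256, at the cost of a wider error bound on the smaller traffic classes; for the top talkers, which contribute most of the samples, the bound stays narrow.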

The next point to verify is the "sFlow receiver timeout". This determines how long sFlow remains active on the exporting device. When the timeout expires, sFlow is disabled on the device, forcing you to re-enable sFlow export. For this reason, we recommend setting the sFlow receiver timeout to the maximum possible value, 2147483647 seconds, which is about 68 years. The command to set the sFlow receiver timeout on the HP device is:

setmib sFlowRcvrOwner.1 -D <NetFlow Analyzer IP> sFlowRcvrTimeout.1 -i 2147483647

sFlow Disable Utility:

Of course, we have thought about that too. In case you want to export sFlow to a different server, stop the flows for some time, or for whatever other reason, NetFlow Analyzer provides a script to disable sFlow export on the HP device.

sFlow can be disabled using the script sFlowDisable.bat (for Windows; sFlowDisable.sh for Linux), which is located in the <\AdventNet\ME\NetFlow\troubleshooting> directory. The usage of the script is as follows:

SFlowDisable.bat switchIp snmpPort snmpWriteCommunity

Example :-

C:\AdventNet\ME\NetFlow\troubleshooting>sFlowDisable.bat 192.168.188.30 161 private



Go ahead and try our 30-day trial to see for yourself how well NetFlow Analyzer works with sFlow and HP devices.

Thanks

Praveen Kumar




Alert! - Traffic to a blacklisted IP

Sep 23 2009 08:02:13 AM Posted By : Don Thomas Jacob
While wondering what to write about for our blog, this question came in from a user. He needed to get alerts whenever hosts in his network communicated with a set of blacklisted IP addresses. We felt this could be useful to a number of users, which is why we now have this blog here.

For this requirement, the user could have opted for an expensive flow-based anomaly detection solution and achieved it the costly way. The cost-effective method was to work with features already available in NetFlow Analyzer, ManageEngine's easy-to-use, all-software bandwidth monitoring solution.

Now, in detail, what was wanted and how it can be done.

There is a set of IP addresses with which the hosts in the company's network are not expected to communicate. If there is traffic either to or from these blacklisted IPs, the network administrator needs to be alerted, find the violating host and then take precautionary steps.

NetFlow (or any similar flow technology), with its capability for in-depth reports, is the only technology that can tell you the application used, the source and destination of the traffic, the priority of the traffic and much more. NetFlow Analyzer, which supports all the major flow formats, has an IP Group feature with which you can group together IP addresses, networks or ranges and monitor the traffic to and from them. Making use of this, one can create an IP Group and associate all the blacklisted IP addresses with it. When creating the IP Group, the speed used for the utilization calculation is set to the lowest possible value, 1 bps. This way, even a single conversation accounts for more than 1 percent utilization.


Creating IP Group

After creating the IP Group, we can use the alert profiles to receive alerts when the traffic utilization exceeds 1% in the IP Group. The alerts can be emailed to the email address specified and you can even give multiple threshold actions in the same alert.


Setting up the alert

With this, you can be sure that no traffic to or from the blacklisted IP addresses goes unnoticed: if there is any, you are alerted. Drilling down on the IP Group to the Conversation tab shows the hosts involved, helping you take your precautionary measures.
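The logic the post builds out of an IP Group and an alert profile, written out as an added example (not NetFlow Analyzer's code): blacklist entries given as hosts, CIDR networks or start-end ranges, utilization computed against the 1 bps group speed, an alert above 1%, and the per-host drill-down. The blacklist and the flow records are constructed sample data using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed blacklist entries: a host, a network and a range, as an IP Group would hold them
BLACKLIST = ["198.51.100.7", "203.0.113.0/24", "192.0.2.10-192.0.2.20"]
GROUP_SPEED_BPS = 1          # the 1 bps "speed" the post assigns to the IP Group
ALERT_THRESHOLD_PCT = 1.0    # the alert profile fires above 1% utilization

def parse_entry(entry: str) -> list:
    """Turn a host, a CIDR block or a 'start-end' range into ip_network objects."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(x.strip()) for x in entry.split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]

BLACKLIST_NETS = [net for entry in BLACKLIST for net in parse_entry(entry)]

def is_blacklisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLACKLIST_NETS)

def group_utilization_pct(flows: list, interval_sec: int) -> float:
    """Utilization of the IP Group: bits to or from the group, over speed * interval."""
    group_bytes = sum(f["bytes"] for f in flows
                      if is_blacklisted(f["src"]) or is_blacklisted(f["dst"]))
    return group_bytes * 8 / (GROUP_SPEED_BPS * interval_sec) * 100

def violating_hosts(flows: list) -> dict:
    """Internal hosts that talked to a blacklisted address, with byte totals (the conversation drill-down)."""
    totals = defaultdict(int)
    for f in flows:
        if is_blacklisted(f["dst"]):
            totals[f["src"]] += f["bytes"]
        elif is_blacklisted(f["src"]):
            totals[f["dst"]] += f["bytes"]
    return dict(totals)

def evaluate(flows: list, interval_sec: int = 60) -> tuple:
    """(alert?, utilization %, violating hosts) for one reporting interval."""
    util = group_utilization_pct(flows, interval_sec)
    return util > ALERT_THRESHOLD_PCT, util, violating_hosts(flows)

# Constructed flow records, as a collector holds them after decoding NetFlow/sFlow
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "203.0.113.42", "bytes": 600},   # to a blacklisted network
    {"src": "10.1.1.9", "dst": "10.2.2.2", "bytes": 50000},      # ordinary internal traffic
    {"src": "192.0.2.15", "dst": "10.1.1.7", "bytes": 40},      # from a blacklisted range
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_FLOWS))
```

Because the group speed is 1 bps, even the 40-byte conversation alone evaluates to thousands of percent utilization, which is exactly why the 1% threshold catches every single packet.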

A combination of simple features for proactive troubleshooting!


Regards,
Don Thomas Jacob


NetFlow technology and ManageEngine NetFlow Analyzer make bandwidth monitoring and traffic analysis easy by giving you detailed reports about the traffic: applications used, source and destination of traffic, traffic conversations, DSCP-based QoS values and so on. All these reports, available for time periods ranging from the last minute to the time at which the product was installed, can show the hosts participating in the traffic, making further analysis easier and aiding proactive network troubleshooting.

But there is a dark side to this coin. The number of hosts involved in the traffic can be quite large, and in the case of huge networks a daily or weekly report can involve a few thousand IP addresses. Identifying the top 10 or so hosts from their IP addresses may be easy, but what if there are more than a hundred conversations on each of your main interfaces? Here, you can make use of the 'Resolve DNS' option to resolve the IP addresses to DNS names, making identification easier.


Resolved from DNS server

DNS name resolution uses the mappings available in your primary or secondary DNS server to resolve DNS names for IP addresses. The names displayed by this resolution follow your organization's standard naming policy and may not be the easiest names to remember! This is why NetFlow Analyzer has an option for custom DNS names. Custom, user-defined DNS names can be set in the product for any number of IP addresses, and the next time you opt to show DNS names, it is these names that are shown, overriding the system-resolved DNS names.


User Defined DNS names

To set your own DNS names, navigate to Product Settings - Server Settings and, under the DNS Settings option, click 'Add/Modify' next to the 'User defined DNS names' option. You can also set a user-defined DNS name for an IP address from the Source or Destination tab using the edit icon next to the IP address shown in the reports. A small feature that is a big help to large enterprises!



Regards,
Don Thomas Jacob