Traffic analysis involves monitoring the network to find out who and what used the bandwidth, and when. It also involves a detailed understanding of the network's protocol distribution. One may ask why the protocols in the network need to be identified when the applications in use and their related conversations are already visible.

The protocol distribution shows network administrators the bandwidth used by each protocol in the network. This reveals whether any unwanted (read as: not meant to be used) protocols are present, and based on this the administrator can reclaim that bandwidth for more critical applications running over other protocols.

It also helps you determine whether a protocol that should be inactive is still in use and taking away valuable bandwidth. To give a real example, an administrator expected to see only negligible L2TP traffic on his network. He looked at the protocol distribution graph and found L2TP occupying about 10% of the total traffic. Now, that is called sacrilege in network terminology! It is also a security question, not just a capacity one: L2TP is a tunnelling protocol, so a tunnel nobody set up deliberately is carrying traffic that the flow data cannot otherwise classify, and the conversations behind it deserve a look.

Keeping track of the protocol distribution can also help solve network problems quickly. When the network is slow, instead of analysing each application one by one, you can look at the protocol distribution for an unexpected change in the pattern and then analyse that protocol to find which application is consuming the bandwidth.

And is it not much easier to identify non-compliant traffic by protocol first, then drill down to the application and conversations involved, rather than checking each application in a list of thousands?

Since Cisco and many of the other major vendors have already come up with NetFlow or a similar flow format, there is no need to wonder how to obtain this information from routing or switching devices. All you need to do is configure your device to export NetFlow packets to ManageEngine NetFlow Analyzer, which supports almost all the major flow formats, and the product will capture the flow packets and generate the reports. Now that is called up and running in a matter of minutes.

Seeing the protocol distribution alone does not achieve much. What you need is the ability to see the source and destination of each conversation under a protocol, and this is exactly what NetFlow Analyzer also does. Check out the screenshots to see the protocol distribution reports available in NetFlow Analyzer.


Protocol Distribution

Protocol Conversations

NetFlow Analyzer is not limited to showing the conversations involved; there is also a graph option for each conversation. NetFlow Analyzer offers this and much more. Do take a look at the application monitoring capabilities as well. Download and try the evaluation to see what more the product can do for your network.

Download | Interactive Demo | Product overview video | Twitter | Customers

Regards,
Don Thomas Jacob

"Free" Vs Free-and-useful

Oct 29 2009 07:53:02 AM Posted By : Joseph

Some tools claim to be free, and some are free AND useful. This is about the many free network traffic analysis tools available online. The main objective of a traffic monitoring and analysis tool is to show the history of threats, threshold violations and bandwidth utilization, and to extrapolate it into the future for better-informed capacity planning decisions. All this analysis is carried out on the data (from NetFlow, sFlow, IPFIX, J-Flow and more) stored by the tool. One should be able to compare traffic through a particular device across various time periods to see the effectiveness of policies that have recently been changed or set.

A free tool with no data storage is as needless as this clock

At the end of the day, "relative results" matter: being able to show that one has made certain changes and how they have affected the network, for good, hopefully. All this is possible only if a large amount of data is available for analysis. There are free tools which offer to store data for up to one wHOLE day. All a user will find the next day is a hole where the previous day's data was: a clean database and a blank look on one's face. For analysis, data size is critical, and it does not take a genius to say that one day of data is not enough to analyse. Time and data are things that cannot be got back once lost (data can be, if you have fail-over, but hey, how many free tools have that!).

Even when you are going for a free tool, you have a choice to make: between something that is going to cost you time and data, and the one that is useful AND free, which can store the data forever and carry out the necessary analysis.

NetFlow Analyzer Free Edition lets you monitor the two most critical interfaces in your network, and the data can be stored forever: that is absolutely free AND useful. A useful solution gives better analysis from data that can be kept forever. You can see the history of security threats and the trend of bandwidth growth over a period of time, and answer questions such as "who are the top talkers?" and "is the bandwidth being used for the business-critical applications?", and much more.

So you want a "free" tool or a free AND useful tool?

Cheers

Joe

Follow NetFlow Analyzer on twitter!

Bandwidth monitoring and traffic analysis are becoming more important than ever with advances in networking technologies and the advent of Web 2.0. It is no longer possible simply to let the organization's traffic pass through the WAN links, with applications jostling each other for bandwidth. Prioritizing traffic so that mission-critical applications receive the bandwidth they need is the keyword today.

There is a little feature called NBAR available in many Cisco devices which does a lot more than its name suggests and can play a great role in defining the network's traffic policies.

NBAR, or Network-Based Application Recognition, is a feature of Cisco IOS that performs deep packet inspection of traffic passing through an interface and can recognize a wide variety of applications, including applications that dynamically assign TCP or UDP port numbers, and even undesired applications that use well-known port numbers to disguise themselves.

NBAR shows the details of the applications used on a per-interface basis. The feature can identify even peer-to-peer applications like BitTorrent, or applications like Skype which use random port numbers for connectivity and hog the organization's bandwidth. The results from NBAR can also be used to define your QoS policies much better, blocking out the unwanted applications.
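To make the difference between port-based accounting and payload-based recognition concrete, here is an added example in Python; it is not NBAR, not Cisco code and not part of NetFlow Analyzer. The port table, the signature list (written from the public BitTorrent, HTTP, SSH and TLS formats; Cisco's own PDLM signatures are not reproduced) and the sample flows are all constructed for this example. It classifies each flow by destination port, as plain NetFlow would, and by the first bytes of client payload, as a DPI engine would, and lists the flows where the two disagree, which is exactly the "well-known port used as a disguise" case the post describes. Obfuscated protocols such as Skype have no fixed first-byte signature and would need statistical heuristics beyond this:

```python
import re

# What port-only classification (plain NetFlow) would call a flow by its server port.
PORT_APPS = {80: "http", 443: "tls", 22: "ssh", 53: "dns", 6881: "bittorrent"}

# Payload signatures over the first bytes a client sends. Written for this example
# from the public protocol formats; NBAR's signature modules (PDLMs) are not reproduced.
SIGNATURES = [
    # BitTorrent handshake: pstrlen byte 0x13 followed by "BitTorrent protocol"
    ("bittorrent", re.compile(rb"\A\x13BitTorrent protocol")),
    # HTTP request line
    ("http", re.compile(rb"\A(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    # SSH identification string
    ("ssh", re.compile(rb"\ASSH-[12]\.\d+-")),
    # TLS record: type handshake (0x16), version 3.x, 2-byte length, then ClientHello (0x01)
    ("tls", re.compile(rb"\A\x16\x03[\x00-\x03].{2}\x01", re.DOTALL)),
]


def classify_by_port(dst_port):
    return PORT_APPS.get(dst_port, "unknown")


def classify_by_payload(payload):
    for app, sig in SIGNATURES:
        if sig.match(payload):
            return app
    return "unknown"


def classify(dst_port, payload):
    """NBAR-style decision: a matching payload signature wins; otherwise fall back to the port.
    Returns (app, evidence) so a report can show which one decided."""
    app = classify_by_payload(payload)
    if app != "unknown":
        return app, "payload"
    return classify_by_port(dst_port), "port"


def masked_flows(flows):
    """Flows whose payload says one application while the port says another:
    the case that port-only accounting cannot see."""
    found = []
    for dst_port, payload in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(payload)
        if by_payload != "unknown" and by_port != "unknown" and by_port != by_payload:
            found.append((dst_port, by_port, by_payload))
    return found


# Constructed sample flows (destination port, first payload bytes); not captured traffic.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + bytes(8) + bytes.fromhex("aa" * 20) + b"-PC0001-000000000001"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)),
    (8443, b"\x16\x03\x03\x00\x50\x01\x00\x00\x4c\x03\x03" + bytes(32)),
    (80, bytes.fromhex("0102030405060708")),   # no signature match: the port label is all we have
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify(port, payload))
    print("masked:", masked_flows(SAMPLE_FLOWS))
```

Running it labels the BitTorrent handshake on port 80 as bittorrent by payload while the port alone would have reported it as http, and the TLS ClientHello on 8443 is recognized even though 8443 is not in the port table. The last flow shows the limit of the approach: with no matching signature the port label is the only evidence, so a report should carry the evidence column rather than present both kinds of label as equally certain.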

NetFlow Analyzer, which uses NetFlow data and other similar flow data to report on bandwidth usage by host, port, protocol, application, DiffServ marking and conversation, can also report on NBAR statistics from your devices, making reporting an easy task.

NBAR Report

NBAR, with its deep packet inspection capability, is a great feature for security analysis as well. An example is how NBAR helped identify the Code Red worm; the related Cisco information can be seen here. You can even make use of the AutoQoS for the Enterprise feature available in some Cisco devices, which can use NBAR data to prioritize traffic. Do check out how to do this here.

Since NBAR data helps define CBQoS policies, NetFlow Analyzer can also report on the class-based QoS policies and their pre- and post-policy traffic usage and drops. Get first-hand experience of the features in NetFlow Analyzer using the 30-day trial.

Download | Interactive Demo | Product overview video | Twitter | Customers

Regards,
Don Thomas Jacob

This post may need prior reading of my first post about Flexible NetFlow. We have already discussed the advantages of Flexible NetFlow and the migration from traditional NetFlow versions to FNF. To make this transition smooth, Cisco provides pre-defined flow records which can be used to configure Flexible NetFlow without investing a lot of time. As I mentioned earlier, this also lets your existing NetFlow v9 collector parse the exported data. However, to use Flexible NetFlow to its fullest potential, or to monitor a specific network behaviour, you should create your own customized records.

        Let’s see how to configure Flexible NetFlow to export flow statistics. Flexible NetFlow export can be configured in three easy steps.

1. Configure the exporter

2. Configure the Flow Monitor with the pre-defined Flow Record and Flow Exporter attached to the monitor.

3. Add the Flow Monitor to the interface to monitor either ingress (input) or egress (output) traffic.


1. Configuring Exporter

A flow exporter is configured with a unique name, and multiple flow exporter profiles can be configured. Below is the configuration for a Flow Exporter.

flow exporter <exporter name>

destination <ip address of ME NFA>

transport udp <port number>

Example configuration:

flow exporter me_nfa_analyzer

destination 192.168.1.1

transport udp 9996   


2. Flow Monitor and Flow record configuration

The flow record configuration defines the fields exported via the NetFlow protocol. The pre-defined Flexible NetFlow records are based on the original NetFlow ingress and egress caches. Cisco identifies each pre-defined record with a keyword, and a flow monitor references it with the record command. The "netflow-original" and "netflow ipv4 original-input" records are pre-defined and can be used interchangeably to export the basic key fields and timestamp fields. The active timeout controls how often a long-running flow is exported while it is still active (the 60 seconds used below keeps the reports close to real time), and the inactive timeout decides how long after its last packet a finished flow is flushed from the cache. Packet sampling, if required, is configured separately as a sampler and attached together with the monitor on the interface.

flow monitor <monitor name>

record netflow-original

exporter <exporter name>

cache timeout active <seconds>

cache timeout inactive <seconds>

Example Configuration:

flow monitor me_nfa_monitor

record netflow-original

exporter me_nfa_analyzer

cache timeout active 60


3. Adding Flow Monitor to the interface

A Flow Monitor has to be attached to a specific physical or logical interface to export flow statistics for that interface. Below is the configuration to attach a flow monitor to an interface.

interface <interface name>

ip flow monitor <monitor_name> input

Example Configuration:

interface serial0/0

ip flow monitor me_nfa_monitor input


The above configuration can be verified with the "show flow monitor" command (add the monitor name and "cache" to see the flows being tracked) and with "show flow exporter" (add "statistics" to confirm that export packets are actually being sent). Check the collector side too: the export is plain UDP with no authentication, so the destination address and port must match what NetFlow Analyzer is listening on, and any filtering between the device and the collector must allow it. As I mentioned earlier, Flexible NetFlow has numerous advantages and can carry new performance monitoring statistics as soon as they become available. Flexible NetFlow is an evolving technology in Cisco devices that gives visibility into how network assets are being used and how the network behaves.
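What arrives at the collector after the three steps above is a stream of NetFlow v9 packets on the configured UDP port. The Python below is an added example, not NetFlow Analyzer's code and not Cisco's: it decodes a v9 packet (header, template flowset, data flowset), then produces the protocol distribution and the per-protocol drill-down to conversations described in the first post on this page. The packet it decodes is constructed inline with a template of the fields a "netflow-original" style record carries, so it runs offline; the addresses, byte counts and the 10% L2TP share are made up to mirror the anecdote, not taken from any capture.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v9 field type numbers (RFC 3954) for the fields decoded here.
FIELD_TYPES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
# IANA IP protocol numbers to names; anything else is reported by number.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 115: "L2TP"}


def parse_v9(packet):
    """Decode one NetFlow v9 export packet into a list of flow-record dicts.

    Templates are taken from the same packet. A real collector caches them per
    exporter and source ID, because a template usually arrives in an earlier
    packet than the data that uses it; data with an unknown template is skipped.
    """
    version, _count, _uptime, _secs, _seq, _source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not a NetFlow v9 packet (version %d)" % version)
    templates, records, pos = {}, [], 20
    while pos + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[pos:pos + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        body = packet[pos + 4:pos + length]
        if flowset_id == 0:                        # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                          for i in range(nfields)]
                off += 4 * nfields
                templates[tid] = fields
        elif flowset_id >= 256:                    # data flowset, id = template id
            fields = templates.get(flowset_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            off = 0
            while rec_len and off + rec_len <= len(body):   # trailing bytes < rec_len are padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[off:off + flen]
                    off += flen
                    name = FIELD_TYPES.get(ftype)
                    if name is not None:
                        rec[name] = str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
        pos += length
    return records


def protocol_distribution(records):
    """Bytes and share of the total per IP protocol, largest first."""
    by_proto = defaultdict(int)
    for rec in records:
        by_proto[PROTO_NAMES.get(rec["protocol"], str(rec["protocol"]))] += rec["in_bytes"]
    total = sum(by_proto.values()) or 1
    return {name: (nbytes, round(100.0 * nbytes / total, 1))
            for name, nbytes in sorted(by_proto.items(), key=lambda kv: -kv[1])}


def conversations(records, proto_name):
    """Drill down from one protocol to the (src, dst, dst_port) conversations carrying it."""
    by_conv = defaultdict(int)
    for rec in records:
        if PROTO_NAMES.get(rec["protocol"], str(rec["protocol"])) == proto_name:
            by_conv[(rec["src_addr"], rec["dst_addr"], rec["dst_port"])] += rec["in_bytes"]
    return sorted(by_conv.items(), key=lambda kv: -kv[1])


def build_sample_packet():
    """Constructed v9 packet (not a capture): one template (id 256) and four data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    flows = [  # src, dst, sport, dport, proto, bytes, packets (made-up values)
        ("10.0.0.5", "192.0.2.10", 51234, 443, 6, 600000, 500),
        ("10.0.0.7", "192.0.2.20", 49152, 80, 6, 250000, 300),
        ("10.0.0.9", "198.51.100.1", 0, 0, 115, 100000, 200),    # L2TP: the unexpected 10%
        ("10.0.0.11", "10.0.0.1", 4500, 53, 17, 50000, 400),
    ]
    data = b"".join(IPv4Address(s).packed + IPv4Address(d).packed + struct.pack("!HHBII", sp, dp, pr, by, pk)
                    for s, d, sp, dp, pr, by, pk in flows)
    pad = (-len(data)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(flows), 123456, 1256800000, 1, 0)
    return header + template_fs + data_fs


if __name__ == "__main__":
    recs = parse_v9(build_sample_packet())
    for name, (nbytes, pct) in protocol_distribution(recs).items():
        print("%-5s %9d bytes %5.1f%%" % (name, nbytes, pct))
    print("L2TP conversations:", conversations(recs, "L2TP"))
```

The decoder deliberately skips data whose template it has not seen, which is the behaviour to expect on a live collector right after the router starts exporting: nothing appears in reports until the first template refresh arrives, and that is a symptom of normal startup rather than of a broken export.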

Please find more information on FNF here.

ManageEngine constantly studies the market and user demands in order to support new technologies. In fact, ManageEngine NetFlow Analyzer was the first tool on the market to support multiple bandwidth and performance monitoring technologies such as NetFlow, NBAR and CBQoS, and it currently supports Flexible NetFlow without any issues. Please write your questions to netflowanalyzer-support@manageengine.com. We are happy to assist you at any moment.

Thanks

Raj 

Download | Interactive Demo | Product overview video | Twitter | Customers

Flexible NetFlow is the next-generation flow export technique promoted by Cisco Systems. As the name suggests, it can be tailored to user requirements and to monitoring specific network behaviour. Traditional NetFlow identified a flow by a fixed seven-tuple of IP information (source and destination address, source and destination port, IP protocol, ToS byte and input interface).

Advantages of Flexible NetFlow

1. Flexibility to choose the desired export fields. 

2. Reduces the number of flows, leaving more CPU for routing and switching

3. Convergence of multiple accounting technologies into one accounting mechanism

Flexible NetFlow and NetFlow V9

The export protocol of choice for Flexible NetFlow is NetFlow version 9, but to date NetFlow version 5 has been the much more widely used protocol, because the legacy Cisco IOS Software images that are still around supported only the v5 export format and worked very well. However, Cisco says the future is Flexible NetFlow, and the migration should be smooth, since Flexible NetFlow can also be configured to export some pre-defined flow records in the NetFlow version 5 format for backward compatibility. This lets your existing collectors work with Flexible NetFlow until you find a real requirement for the additional fields Flexible NetFlow offers.

Flexible NetFlow Configuration

Traditional NetFlow configuration is pretty straightforward. Flexible NetFlow consists of components that can be combined in several ways to perform traffic analysis and data export, and the new command-line interface (CLI) configuration follows the same traditional logic. User-defined flow records and the component structure of Flexible NetFlow make it easy to create various configurations for traffic analysis and data export on a networking device with a minimum number of configuration commands.

Let's see these components in detail.

Flow Monitor:

A Flexible NetFlow Flow Monitor describes the NetFlow cache and the information stored in it. The Flow Monitor references the Flow Record, i.e. the key and non-key fields held in the cache. Also part of the Flow Monitor is the Flow Exporter, which carries the information about the export of NetFlow data, including the destination address of the NetFlow collector. The Flow Monitor also defines cache characteristics such as the timers for export, the size of the cache and, if required, the packet sampling rate.

Flow Record:

A Flow Record is a set of key and non-key NetFlow fields used to characterize flows in the NetFlow cache. Flow Records may be pre-defined for ease of use, or customized and user-defined. A typical pre-defined record aggregates flow data and lets users target the common uses of NetFlow. User-defined records allow the selection of specific key or non-key fields in the Flow Record. User-defined fields are the key to Flexible NetFlow, allowing a wide range of information to be characterized and exported. Different network management applications are expected to support specific user-defined and pre-defined Flow Records depending on what they monitor (e.g. security detection, traffic analysis, capacity planning).

Flow Exporter:

The Flexible NetFlow Exporter lets the user define where the export is sent, the transport used for the export and the properties of the export. Multiple exporters can be configured per Flow Monitor, or the same exporter can be used by multiple monitors.

The following figure shows the flow monitor and its components.

Flexible NetFlow Flow Monitor

In our next post we are going to use a pre-defined (defined in IOS itself) flow record to export NetFlow records using Flexible NetFlow. In the meanwhile, if you have any queries, please write to netflowanalyzer-eesupport@manageengine.com

Thanks

Raj

Download | Interactive Demo | Product overview video


ManageEngine at GITEX technology week

Oct 15 2009 02:53:31 AM Posted By : Joseph
ManageEngine is participating in GITEX TECHNOLOGY WEEK, 18th-22nd October, in Dubai. You can meet the ManageEngine folks at Stall no. 704, Hall 7. It is the largest information and communication technologies exhibition in the Middle East, so if you are a networker, that's the place you want to be next week. And if you are looking for a cost-effective, powerful network management solution, ManageEngine is a stall you wouldn't want to miss. Now that you are online and reading this post, you can see all the solutions online here and discuss them with the people at the stall in person.

This is what one of ManageEngine NetFlow Analyzer users, United Arab Emirates University, had to say:

“NetFlow Analyzer has given us the visibility to see what is going on in our network. We were struggling to get such details.
We are able to identify network problems that have helped to reduce troubleshooting time and have given engineers more time to perform other tasks. Clearly spotting bandwidth abusers and malicious applications running on the network is very easy now.

Thank you, NetFlow Analyzer.”

Manmohan Singh
Director, Infrastructure & Core Technologies
University Information Technology Services (UITS)
United Arab Emirates University

Hope to see you there!

Cheers
Joe

Growing network needs complicate the job of network administrators and bring new challenges. Network administrators need robust, cutting-edge network management tools to troubleshoot network incidents quickly and improve network performance. However, considering the economic situation, it is very important to choose the right application, one which can leverage network performance data from multiple technologies, and of course at an affordable cost.

The ManageEngine NetFlow Analyzer team constantly interacts with its customers, technology companies and VARs to prioritize the roadmap. Whenever a new technology is introduced in the product, all existing customers see immediate value by means of a simple free upgrade instead of paying a hefty price. Here the ROI includes cutting bandwidth upgrade costs thanks to the increased visibility ManageEngine NetFlow Analyzer provides, avoiding unauthorized bandwidth usage and increasing the efficiency of business-critical applications, all with almost zero implementation cost.

Multiple technologies - Single Solution:

Cisco NetFlow:

Cisco's NetFlow technology exports flow records from IOS routers and switches that support it. The exported flow records contain information about protocols, ports, source and destination IP addresses and much more.

       NetFlow Analyzer provides several instant reports to monitor bandwidth including top talkers, top protocols, top conversations, and more. Apart from these pre-defined bandwidth reports, NetFlow Analyzer also includes options to search for specific bandwidth usage details based on IP address, host name, protocol, and more.

NetFlow Based Bandwidth Information

Bandwidth Monitoring without Probes

NetFlow Analyzer does network bandwidth monitoring using NetFlow. NetFlow exports are collected, correlated and analyzed to get granular details on bandwidth usage across each WAN link. There is no need for hardware probes to monitor bandwidth usage: NetFlow Analyzer is an all-software solution that runs on both Windows and Linux.

Real-time Bandwidth Monitoring

Bandwidth monitoring reports for each interface show the current, average and peak bandwidth usage patterns across each NetFlow-enabled interface. With these bandwidth usage statistics you get instant visibility into how much bandwidth was used by hosts, applications and conversations on a specific interface.

Application-wise Bandwidth Distribution

       To monitor bandwidth utilized by different applications, NetFlow Analyzer gives you instant visibility into which applications are using up maximum bandwidth. You can also drill down to see the top sources, destinations and conversations using the bandwidth. With such granular detail, network troubleshooting and problem resolution take far less time than with traditional tools.

Cisco NBAR:

The Cisco NBAR (Network Based Application Recognition) engine runs in IOS and does deep packet inspection to identify applications riding on regular ports. For example, traffic on TCP 80 can be identified as Kazaa, BitTorrent, Napster and so on. The respective utilization, volume and speed can be polled over SNMP over time.

NBAR Reports


NBAR reports are very useful for setting class-based Quality of Service (CB-QoS) policies. NBAR and QoS policies work together to contain bandwidth-stealing applications and increase the efficiency of business-critical applications.

Cisco CB-QoS (Class Based - Quality of Service):

We have discussed deploying CB-QoS policies for improved network performance at length; you can find the CB-QoS blog series at this link. Cisco CB-QoS is the simplest way to prioritize network traffic.

CB-QoS Reports

With insight into pre- and post-policy metrics, network administrators can adjust their CB-QoS policy configuration for improved performance and avoid any impact on business-critical applications due to misconfiguration.

This is why we call ManageEngine NetFlow Analyzer a powerful traffic analysis and forensic solution for a network of any size. Try our 30-day all-feature version and write your queries to netflowanalyzer-support@manageengine.com

Thanks

Raj

Download | Interactive Demo | Product overview video

With Internet bandwidth being costly and the transmission of business-critical data being a priority, tracking the bandwidth taken by fun and entertainment sites is essential in bandwidth management. Such tracking helps ensure that traffic to fun sites does not affect business-critical applications traversing the Internet links.

NetFlow Analyzer and NetFlow technology can be used for detailed traffic and bandwidth analysis to identify the applications used, find the hosts involved in the traffic and trace their QoS markings, among many other reporting capabilities. But how exactly would you distinguish between normal HTTP traffic and traffic to sites such as Facebook, MySpace, YouTube, sports sites and so on?

NetFlow Analyzer provides multiple options to track the traffic to specific sites or departments, separating it from the normal traffic for easier viewing and analysis. One is the ability to combine an application mapping with an IP address, network or range, which lets applications that use the same port but involve different hosts be categorized as separate applications.

Application Mapping for Facebook

Such a mapping will show the traffic to this certain site in the list of total applications for an interface, thus giving you an idea on how much of the total traffic was taken by users connecting to the social site.


Facebook for each interface

If this sounds good, check out the next option. The IP Group option in NetFlow Analyzer lets you group together IP addresses, networks or ranges, applications, or a combination of all of these as a separate category and see their specific reports. Such a grouping helps categorize all the network traffic to fun sites (let's call them social sites), see the hosts involved and how much each is using every hour or day, or over custom time periods. Sounds better?

Social Sites total

Both these features can be used to quickly categorize applications based on their source and destination or to categorize traffic separately with a combination of criteria.

The feature is not limited to just classifying social site traffic, but can be used for traffic to a specific branch or office, traffic related to any business critical applications, and so on. Do let us know your suggestions on the product and its features and what more you would like to see in the future.

Download | Interactive Demo | Product overview video

Regards,
Don Thomas Jacob



A couple of days back one of our customers wanted to know the best practice for monitoring VoIP/IP phone traffic using NetFlow Analyzer. I felt this really deserved a post.


By default NetFlow Analyzer identifies the Skinny (SCCP) and SIP applications (port numbers 2000 and 5060) and shows their usage, with the IP address or phone involved, on each and every interface. But to monitor the voice traffic as a separate entity, or for a specific phone, you have two ways: an application mapping using the voice gateway IP, or an IP group covering individual IP networks or ranges of phones.

Let’s see the options in detail.


1.    Application mapping using voice gateway IP

ManageEngine NetFlow Analyzer detects applications based on the port and protocol values in the flow records, and the port-protocol mappings can be added, modified and deleted from the user interface. As an added advantage, NetFlow Analyzer can also associate IP addresses with an application mapping for more precise classification. So if you create an application mapping "MyApp" with an IP address, port and protocol match, NetFlow Analyzer starts classifying all conversations or calls originating from or destined to the mapped IP address on the defined port and protocol as "MyApp".

Application mapping with IP Address

Using this functionality, create a new application mapping from the "Application Mapping" link with the voice gateway IP and the port and protocol used for IP phone traffic. If you are not sure about the port and protocol, you can use 0-65535 as the port range in the mapping. Since this is your voice gateway, it mostly deals with VoIP traffic; bear in mind, though, that such a wide mapping counts everything that host sends or receives as voice, including any management sessions to it, and that the signaling ports alone (2000 and 5060) would miss the voice media itself, since RTP streams use dynamically negotiated UDP ports.
This new VoIP tracking application will be shown under the application tab with its traffic volume and can be drilled down to conversation/call information.


2. Using IP groups

As a second option, it is also possible to monitor IP phone traffic by creating an IP group. The IP groups feature lets you monitor departmental, intranet or application-specific traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol, and you can even choose to monitor traffic only from specific interfaces across different routers. After creating an IP group, you can view the top applications, top protocols, top hosts and top conversations in that IP group alone.

IP Group with VOIP gateway IP Address

Now create an IP group with the VoIP gateway, the VoIP IP network or the range of VoIP phones. You can create as many IP groups as your requirements call for. The possibility of associating port, protocol and interface information with IP groups makes the classification more precise.
Each IP group gives you the complete traffic, application and conversation information for the IP addresses or port-protocol mapping in the group.

VOIP IP group traffic information

Note: In both options, ensure that the desired IP address (the voice gateway IP or the IP addresses of the phones) is visible to your router or L3 switch, so that it appears in the exported NetFlow packets; if the voice traffic is NATed or stays on a switch segment that is not exporting flows, neither mapping will see it.
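The two options above, the application mapping with a host match and the IP group with an optional interface filter, are modelled here in an added Python example; it is not NetFlow Analyzer's implementation and its rule format, the gateway address 10.1.1.250, the branch network 10.2.5.0/24 and the flow records are all constructed for illustration. It also shows, on the same records, why the 0-65535 mapping is suggested: with signaling-only mappings the RTP media on dynamic ports falls through to a generic port-based name, while the wide gateway mapping catches it but also swallows an unrelated HTTP session to the gateway.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records as a collector holds them after decoding NetFlow
# (not captured traffic): src, dst, protocol, src port, dst port, bytes, interface.
FLOWS = [
    ("10.1.1.20", "10.1.1.250", "tcp", 50100, 2000, 4000, "Se0/0"),     # SCCP (Skinny) signaling to the gateway
    ("10.1.1.21", "10.1.1.250", "udp", 5060, 5060, 3000, "Se0/0"),      # SIP signaling
    ("10.1.1.20", "10.1.1.250", "udp", 16384, 20000, 480000, "Se0/0"),  # RTP media on dynamic ports
    ("10.1.1.22", "203.0.113.9", "tcp", 49000, 443, 90000, "Se0/0"),    # web, nothing to do with voice
    ("10.2.5.7", "10.1.1.250", "udp", 17000, 21000, 300000, "Se0/1"),   # RTP from a branch, other interface
    ("10.1.1.22", "10.1.1.250", "tcp", 49001, 80, 2000, "Se0/0"),       # admin web page on the gateway
]

GATEWAY = "10.1.1.250/32"   # assumed voice gateway address

# Hypothetical application mappings in the spirit of the post: evaluated top-down,
# first match wins. 'hosts' restricts the match to flows with one end in those networks.
APP_MAPPINGS = [
    {"app": "VoIP-gateway", "proto": None, "ports": (0, 65535), "hosts": [GATEWAY]},
    {"app": "sip", "proto": "udp", "ports": (5060, 5060), "hosts": []},
    {"app": "skinny", "proto": "tcp", "ports": (2000, 2000), "hosts": []},
    {"app": "https", "proto": "tcp", "ports": (443, 443), "hosts": []},
    {"app": "http", "proto": "tcp", "ports": (80, 80), "hosts": []},
]


def _touches(flow, networks):
    """True if either end of the flow lies in one of the networks."""
    return any(ip_address(a) in ip_network(n) for a in flow[:2] for n in networks)


def classify(flow, mappings=APP_MAPPINGS):
    """Name the application for one flow: protocol, port range and (if given) host must all match."""
    _src, _dst, proto, sport, dport, _nbytes, _iface = flow
    for m in mappings:
        if m["proto"] is not None and m["proto"] != proto:
            continue
        lo, hi = m["ports"]
        if not (lo <= sport <= hi or lo <= dport <= hi):
            continue
        if m["hosts"] and not _touches(flow, m["hosts"]):
            continue
        return m["app"]
    return "%s_%d" % (proto, min(sport, dport))   # unmapped: generic port-based name


def ip_group_report(flows, networks, interfaces=None, mappings=APP_MAPPINGS):
    """Total, per-application and per-conversation bytes for flows touching an IP group,
    optionally limited to the given interfaces."""
    per_app, per_conv, total = defaultdict(int), defaultdict(int), 0
    for flow in flows:
        src, dst, _p, _sp, _dp, nbytes, iface = flow
        if interfaces is not None and iface not in interfaces:
            continue
        if not _touches(flow, networks):
            continue
        total += nbytes
        per_app[classify(flow, mappings)] += nbytes
        per_conv[(src, dst)] += nbytes
    return {"total": total, "apps": dict(per_app), "conversations": dict(per_conv)}


if __name__ == "__main__":
    for f in FLOWS:
        print(f[:5], "->", classify(f), "| signaling-only:", classify(f, APP_MAPPINGS[1:]))
    print(ip_group_report(FLOWS, [GATEWAY, "10.2.5.0/24"]))
```

Order matters in the mapping list: because the wide gateway rule is evaluated first it wins for every flow touching 10.1.1.250, including the HTTP admin session. Putting the narrow, well-known-port rules ahead of the wide one keeps those sessions correctly labelled while the wide rule still picks up the RTP media that has no fixed port.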

Please write your questions to support@netflowanalyzer.com. You can download our 30-day all-feature trial from the following link.

Download:

http://www.manageengine.com/products/netflow/download.html?ab

Features:

http://www.manageengine.com/products/netflow/netflow-features.html

Live Demo:

http://demo.netflowanalyzer.com

Thanks
Raj



I'm sure you have heard about ManageEngine NetFlow Analyzer and the Riverbed Technology Alliance (RTA). I just wanted to let you know the what, the why and, of course, the end-user benefits of the RTA.


What and why - this RTA?

RTA is a program by Riverbed which allows companies with complementary technology to bring additional value to end users. Riverbed Steelhead appliances are used for WAN optimization and much more, and these Steelhead appliances export NetFlow; this is where ManageEngine NetFlow Analyzer comes in. NetFlow Analyzer collects and analyzes the NetFlow packets exported by the Steelhead appliances and gives in-depth visibility into your network: top talkers, top applications, DSCP values and much more.

Over the past four years, since NetFlow Analyzer came into being, and with 4000 businesses using the solution, we have seen at least 500 of them using Riverbed Steelhead appliances. The value the joint solution brings is immense.

"The joint solution from Riverbed and ManageEngine NetFlow Analyzer provides in-depth visibility into our WAN traffic and accelerates applications crossing the WAN," said George Caraker, Manager of IT Operations at Kennedy/Jenks Consultants. "We can now quickly and easily identify the root cause of many network issues, resolve bandwidth utilization problems, and track long term trends. We can also do application monitoring and IP monitoring to ensure quality of business critical applications like MS Exchange and SAP. ManageEngine NetFlow Analyzer is easy to install and use and represents excellent value."


End user benefits:

Check out the Riverbed ManageEngine joint solution brief here.


Cheers

Joe