NetFlow Tracker User Guide PN 3365122 August 2008 ©2008 Fluke Corporation. All rights reserved. All product names are trademarks of their respective companies.

NetFlow Tracker User Guide


Third Party Software Components

NetFlow Tracker includes software developed by the Apache Software Foundation (http://www.apache.org/) and by Advantys (http://www.advantys.com).

NetFlow Tracker includes the following third party software components:

• Apache Commons Collections 3.2, available at http://commons.apache.org/collections/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

• Apache Commons Logging 1.0.4, available at http://commons.apache.org/logging/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

• Apache Log4j 1.2.15, available at http://logging.apache.org/log4j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

• Apache Xerces Java 2.9.0, available at http://xerces.apache.org/xerces2-j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

• IE5.5+ PNG Alpha Fix 1.0RC4, available at http://www.twinhelix.com/css/iepngfix/demo/. This is distributed under the CC-GNU Lesser GNU Public License, a copy of which is available at http://creativecommons.org/licenses/LGPL/2.1/deed.en.

• iText 2.0.6, available at http://www.lowagie.com/iText/. This is distributed under the Mozilla Public License, a copy of which is available at http://www.mozilla.org/MPL/MPL-1.1.html.

• Jakarta Tomcat 3.3.2, available at http://tomcat.apache.org/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

• joeSNMP 0.2.6, available at http://opennms.svn.sourceforge.net/viewvc/opennms/opennms/branches/OPENNMS/src/joesnmp/. This is distributed under the Lesser GNU Public License, a copy of which is available at http://www.gnu.org/licenses/lgpl.html.

• jspSmartUpload 2.1, which is no longer available. This is distributed under the Advantys Freeware license contract, a copy of which is available at http://web.archive.org/web/20031209160524/http://www.jspsmart.com/liblocal/docs/legal.htm.

• Quartz 1.6.0, available at http://www.opensymphony.com/quartz/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.

End User License

This is a legal agreement between you ("You"/"the End User"), and Fluke Electronics Corporation, a Delaware corporation, including its division, Fluke Networks ("FNET"), with offices at 6920 Seaway Boulevard, Everett, Washington, 98203, USA.

BY DOWNLOADING OR OTHERWISE ELECTRONICALLY RECEIVING THIS SOFTWARE PRODUCT ("PRODUCT") IN ACCORDANCE WITH OUR SOFTWARE DELIVERY PROCEDURES OR BY OPENING THE SEALED DISK PACKAGE WHICH CONTAINS THE PRODUCT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, PROMPTLY DELETE THE DOWNLOADED OR ELECTRONICALLY RECEIVED SOFTWARE FROM YOUR COMPUTER SYSTEM AND NOTIFY US OF SAME IN ORDER TO CLAIM AND, IF YOU HAVE RECEIVED A SEALED CD-ROM PACKAGE, RETURN THE UNOPENED DISK PACKAGE AND THE ACCOMPANYING ITEMS (INCLUDING MANUALS) TO A FNET REPRESENTATIVE, FOR REFUND OF THE PRICE PAID.

1. GRANT OF LICENSE AND PAYMENT OF FEES

Provided that You have paid the applicable License fee, FNET grants You a non-exclusive and non-transferable, revocable License to use one copy of the Product on the maximum number of servers and the maximum number of devices specified in your purchase order, or if not so specified, on a single server and a single device by a single user, and only for the purpose of carrying out your business in the country specified in your order. This Product is licensed for internal use by You, the end user only. The Product is not licensed for provision of a public service by You or for the provision of any fee generating service by You to a third party.


In the event that at any time You wish to extend the permitted number of servers or devices above the permitted amount, You must contact FNET or the reseller from whom you purchased the Product ("the Reseller") and an additional License fee may be agreed upon and a new License issued for the requested additional number of servers/devices.

FNET or your Reseller may require that You provide written certification showing the geographical locations, type and serial number of all computer hardware on which the Software is being used, together with confirmation that the Product is being used in accordance with the conditions of this Agreement. You shall permit FNET or your Reseller, and/or their respective agents to inspect and have access to any premises, and to the computer equipment located there, at or on which the Software is being kept or used, and any records kept pursuant to this Agreement, for the purposes of ensuring that the Customer is complying with the terms of this License, provided that FNET/your Reseller provides reasonable advance notice to the Customer of such inspections, which shall take place at reasonable times.

2. EVALUATION AND GOLD SUPPORT

EVALUATION. If a provided license key is labelled "Evaluation", FNET grants You the right to use the Product enabled by that key solely for the purpose of evaluation, and the Product will cease to function seven (7) days from enabling (or after such longer period as may be agreed by FNET and confirmed by FNET or your Reseller in writing), at which time the License grant for that Product also ends. After the evaluation period, You may either purchase a full License to use the Product from your Reseller or directly from FNET, or You must promptly return to FNET or cease to use the Evaluation Product and all associated documentation. The warranty set out in Clause 5 shall not apply in respect of Product downloaded for evaluation purposes.

GOLD SUPPORT. Gold Support for the Product is required with the initial purchase. Gold Support offers 24 hour, 7 days a week technical support and includes upgrades. Gold Support is an annual support, renewable by payment of the annual fee.

3. INTELLECTUAL PROPERTY RIGHTS

All intellectual property rights in the Product belong to FNET and its Supplier(s) and Licensors(s) and You acknowledge that the Product contains valuable Trade Secrets of FNET, its Supplier(s) and Licensor(s) and You have no ownership claims or rights whatsoever in the Product. You may (a) make one copy of the Product solely for backup or archival purposes and keep this securely, or (b) transfer the software to a secure single hard disk provided that You keep the original solely and securely for backup or archival purpose. You may not copy the written materials accompanying the Product. You shall not remove or alter FNET's copyright or other intellectual property rights notices included in the Product or in any associated documentation. You must notify FNET forthwith if You become aware of any unauthorized use of the Product by any third party.

FNET's Supplier(s) and Licensor(s) are third party beneficiaries of this Agreement as it pertains to relevant intellectual property rights associated with the Product, and provisions of this Agreement related to intellectual property rights are enforceable by FNET, its Supplier(s) and Licensor(s).

4. OTHER RESTRICTIONS

You shall not sub-License, distribute, market, lease, sell, commercially exploit, loan or give away the Product or any associated documentation. For the avoidance of doubt, this License does not grant any rights in the Product to, and may not be assigned, sub-Licensed or otherwise transferred to, any connected person, where the term connected person includes but is not limited to the End User's subsidiaries, affiliates or any other persons in any way connected with the End User, whether present or future. The Product and accompanying written materials may not be used on more than the permitted number of servers at any one time or for in excess of the permitted number of devices. Subject always to any rights which You may enjoy under applicable law (provided that such rights are exercised strictly in accordance with applicable law) and except as expressly provided in this Agreement, You may not reproduce, modify, adapt, translate, decompile, disassemble or reverse engineer the Product in any manner. You shall not merge or integrate the Product into any other computer program or work, and You shall not create derivative works of the Product. FNET reserves all rights not expressly granted under this Agreement.

5. LIMITED WARRANTY

FNET warrants that during the warranty period (a) the Product will perform substantially in accordance with its accompanying written materials, and (b) the media on which the Product is furnished shall be free from defects in materials and workmanship. The warranty period applicable to the Product shall be ninety (90) days from the date of delivery of the Product or, if longer, the shortest warranty period permitted in respect of the Product under applicable law ("Warranty Period"). The warranty for any hardware accompanying the Product shall be as stated on the warranty card shipped with the hardware.

If, within the Warranty Period, You notify FNET of any defect or fault in the Product in consequence of which the Product fails to perform substantially in accordance with its accompanying written materials, and such defect or fault does not result from You, or anyone acting with your authority, having amended, modified or used the Product for a purpose or in a context other than the purpose or context for which it was designed or licensed according to this Agreement, or as a result of accident, power failure or surge or other hazards, FNET shall, at FNET's sole option and absolute discretion, do one of the following:

(i) repair the Product; or

(ii) replace the Product; or

(iii) repay to You all license fees which You have paid to FNET under this Agreement.

FNET does not warrant that the operation of the Product will be uninterrupted or error or interruption free.

6. CUSTOMER REMEDIES

You must call your FNET representative to discuss remedies during the 90 day warranty period referred to in clause 5 above. You acknowledge that your sole remedy for any defect in the Product will be Your rights under clause 5.

7. NO OTHER WARRANTIES

FNET AND/OR ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PRODUCT, THE ACCOMPANYING WRITTEN MATERIALS AND ANY ACCOMPANYING HARDWARE AND YOU AGREE THAT THIS IS FAIR AND REASONABLE. THE EXPRESS TERMS OF THIS AGREEMENT ARE IN LIEU OF ALL WARRANTIES, CONDITIONS, UNDERTAKINGS, TERMS OF OBLIGATIONS IMPLIED BY STATUTE, COMMON LAW, TRADE USAGE, COURSE OF DEALING OR OTHERWISE, ALL OF WHICH ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.

8. NO LIABILITY FOR CONSEQUENTIAL DAMAGES

IN NO EVENT SHALL FNET AND/OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL OR ECONOMIC LOSS OR DAMAGES WHATSOEVER OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS, SAVINGS, GOODWILL, CAPITAL, ADDITIONAL ADMINISTRATIVE TIME OR DATA ARISING OUT OF A DEFECT IN THE PRODUCT OR THE USE OF OR INABILITY TO USE THE PRODUCT, EVEN IF FNET HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. TERMINATION

Either party shall be entitled forthwith to terminate this Agreement by written notice if the other Party commits any material breach of any of the provisions of this Agreement and fails to remedy the same within sixty (60) days after receipt of a written notice from the non-breaching Party giving full particulars of the breach and requiring it to be remedied.

You shall be obliged to notify FNET in writing of any change in the control or ownership of the End User and FNET shall be entitled forthwith to terminate this Agreement by written notice.

This Agreement shall automatically terminate if replaced at any time with a new License agreement.

The right to terminate this Agreement given by this clause 9 will be without prejudice to any other accrued right or remedy of either Party including accrued rights or remedies in respect of the breach concerned (if any) or any other breach, or which the Parties have accrued prior to termination.

10. INDEMNIFICATION

You shall indemnify FNET in full and hold FNET harmless in respect of any loss, damages, proceedings, suits, third party claims, judgements, awards, expenses and costs (including legal costs) incurred by or taken against FNET as a result of the negligence, fault, error, omission, act or breach of You or of your employees, staff, contractors, agents or representatives or for any breach of this Agreement whatsoever by You.

Notwithstanding any other provision of this Agreement, the aggregate liability of FNET for or in respect of all breaches of its contractual obligations under this Agreement and for all representations, statements and tortious acts or omissions (including negligence but excluding negligence causing loss of life or personal injury) arising under or in connection with this Agreement shall in no event exceed the License fee paid by You pursuant to this Agreement prior to the date of the breach.

11. CONFIDENTIAL INFORMATION AND SECURITY

During and after this Agreement, the Parties will keep in confidence and use only for the purposes of this Agreement all Confidential Information. Confidential Information means information belonging or relating to the Parties, their business or affairs, including without limitation, information relating to research, development, Product, processes, analyses, data, algorithms, diagrams, graphs, methods of manufacture, trade secrets, business plans, customers, finances, personnel data, and other material or information considered confidential and proprietary by the Parties or which either Party is otherwise informed is confidential or might or ought reasonably expect that the other Party would regard as confidential or which is marked "Confidential". For the avoidance of doubt, You shall treat the Product and any accompanying documentation as Confidential Information. Confidential Information does not include any information (i) which one Party lawfully knew before the other Party disclosed it to that Party; (ii) which has become publicly known through no wrongful act of either Party, or either Parties' employees or agents; or (iii) which either Party developed independently, as evidenced by appropriate documentation; or (iv) which is required to be disclosed by law.

The Parties will procure and ensure that each of its employees, agents, servants, sub-contractors and advisers will comply with the provisions contained in this clause. If either Party becomes aware of any breach of confidence by any of its employees, officers, representatives, servants, agents or sub-contractors it shall promptly notify the other Party and give the other Party all reasonable assistance in connection with any proceedings which the other Party may institute against any such person. This clause 11 shall survive the termination of this Agreement.

Notwithstanding the above confidentiality provisions, in accepting this License agreement, You agree that, subject to any applicable data protection laws, FNET may use your business name and logo for the purposes of marketing and promotion of the product and its business and You hereby grant FNET a limited License to use your business name and logo for these purposes.

12. EXPORT CONTROL

You shall be responsible for and agree to comply with all laws and regulations of the United States and other countries ("Export Laws") to ensure that the Product is not exported directly, or indirectly in violation of Export Laws or used for any purpose prohibited by Export laws.

13. GOVERNING LAW AND JURISDICTION

This Agreement and all relationships created hereby will in all respects be governed by and construed in accordance with the laws of the state of Washington, United States of America, in respect of all matters arising out of or in connection with this agreement. The Parties hereby submit to the exclusive jurisdiction of the Washington Courts. NOTHING IN THIS CLAUSE SHALL PREVENT FNET FROM TAKING AN ACTION FOR PROTECTIVE OR PROVISIONAL RELIEF IN THE COURTS OF ANY OTHER STATE.

14. MISCELLANEOUS

14.1 The provisions of clauses 3, 7, 8, 10, 11, 12, 13 and 14 and the obligation on you to pay the License fee shall survive the termination or expiry of this Agreement.

14.2 This Agreement is personal to You and You shall not assign, sub-License or otherwise transfer this Agreement or any part of your rights or obligations hereunder whether in whole or in part save in accordance with this Agreement and with the prior written consent of FNET and You shall not allow the Product to become the subject of any charge, lien or encumbrance of whatever nature. Nothing in this Agreement shall preclude the Licensor from assigning the Product or any related documentation or its rights and obligations under this Agreement to a third party and You hereby consent to any such future assignment.

14.3 This Agreement supersedes all prior representations, arrangements, understandings and agreements between the Parties herein relating to the subject matter hereof, and sets out the entire and complete agreement and understanding between the Parties relating to the subject matter hereof.

14.4 If any provisions of the Agreement are held to be unenforceable, illegal or void in whole or in part the remaining portions of the Agreement shall remain in full force and effect.


14.5 No party shall be liable to the other for any delay or non-performance of its obligations under this Agreement (save for your obligation to pay the fees in accordance with clause 1) arising from any cause or causes beyond its reasonable control including, without limitation, any of the following: act of God, governmental act, tempest, war, fire, flood, explosion, civil commotion, industrial unrest of whatever nature or lack of or inability to obtain power, supplies or resources.

14.6 A waiver by either party to this Agreement of any breach by the other party of any of the terms of this Agreement or the acquiescence of such party in any act which but for such acquiescence would be a breach as aforesaid, will not operate as a waiver of any rights or the exercise thereof.

14.7 No alterations to these terms and conditions shall be effective unless contained in a written document made subsequent to the date of the terms and conditions signed by the parties which are expressly stated to amend the terms and conditions of this Agreement.


Contents

1: NetFlow Tracker Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Deploying NetFlow Trackers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Data Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Product Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Obtaining Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Obtaining Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Obtaining Product Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2: Installing NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Preparing for Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Installing NetFlow Tracker on Microsoft Windows . . . . . . . . . . . . . . . . . . 8

Installing Java Runtime Environment on Windows . . . . . . . . . . . . . . . 9

Installing NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Installing NetFlow Tracker on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3: Setting Up NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Opening NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Selecting a Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Setting up NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Setting up Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Setting up Listener Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Applying SNMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Enabling Devices to Export Flow Data . . . . . . . . . . . . . . . . . . . . . . . . 18

Applying Device Settings in NetFlow Tracker . . . . . . . . . . . . . . . . . . . 18

Device List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

vii

Page 8: NetFlow Tracker User GUide

NetFlow TrackerUser Guide

Applying Traffic Class IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Applying Identified Applications . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Applying Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Deleting a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Making Sure That Data is Received . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Applying Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Viewing Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

4: Viewing Real-Time Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Viewing Network Overview Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Top Applications and Interfaces for a Device . . . . . . . . . . . . . . . . . . . 31

Application Conversations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Top Applications and Usage for an Interface . . . . . . . . . . . . . . . . . . . 32

Interface Conversations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Viewing Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Viewing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Viewing Per-AS Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Filtering Real-time Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Viewing Chart Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Working with Pie Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Working with Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5: Viewing Long-term Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47Viewing Long-term Network Overview Data . . . . . . . . . . . . . . . . . . . . . . 47

Viewing Long-term Device and Interface Data . . . . . . . . . . . . . . . . . . . . 49

Filtering Long-term Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Saving a Long-term Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

6: Setting up Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Applying General and Real-time Report Settings . . . . . . . . . . . . . . . . . . 54

Saving Report Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Creating Long-term Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Creating Executive Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Adding a Sub-report Cell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

viii

Page 9: NetFlow Tracker User GUide

Contents

Adding an HTML Cell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Viewing Executive and Real-Time Reports . . . . . . . . . . . . . . . . . . . . . . . . 69

7: Working with Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71Alarms Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Alarm Severity and Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Thresholds and Baseline Sensitivity . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Alarming for Persistent Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Baseline Learning and Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Tips and Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Configuring Alarms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Creating an Alarm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Configuring Notification Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Viewing Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Viewing the Events Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Viewing the Event List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Viewing the Event Lifecycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

8: Optimizing NetFlow Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Data Display and Filtering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Management Portal Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

How Access Control Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Using Apache as a Portal Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

IP Application Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Defining a Simple Application Name . . . . . . . . . . . . . . . . . . . . . . 84

Defining a Grouped Application Name . . . . . . . . . . . . . . . . . . . . . 85

DiffServ Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Hostname Resolution Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Subnet Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

AS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Data Management and System Performance Monitoring . . . . . . . . . . . . 89

Database Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Memory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

A: Setting up NetFlow on Network Devices . . . . . . . . . . . . . . . . . . . 95Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch . . . . 95

ix

Page 10: NetFlow Tracker User GUide

NetFlow TrackerUser Guide

Enabling Netflow Export on an IOS Device . . . . . . . . . . . . . . . . . . . . . 96

Enabling NDE on a Native IOS Device . . . . . . . . . . . . . . . . . . . . . . . . . 97

Enabling NetFlow Export on a 4000 Series Switch . . . . . . . . . . . . . . . 98

Configuring NDE on a CatOS Device . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Configuring NetFlow Input Filters for Traffic Class Reporting . . . . . . . 100

Enabling Flow Detail Records on a Packeteer Device . . . . . . . . . . . . . . 100

Enabling NetFlow on an Enterasys Device . . . . . . . . . . . . . . . . . . . . . . . 101

Enabling sFlow on a Foundry Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

B: Report Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103Address Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Session Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

QoS Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Network Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Interface Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Traffic Identification Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Full Flow Forensics Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Other Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

C: Report URL Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109General Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Report Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Time Range Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Setting Start and End Times . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Creating a Fixed Length URL with Current Time Range . . . . . . . . . 119

Setting a Simple Calendar-Based Time Range . . . . . . . . . . . . . . . . . 119

Setting an Advanced Calendar-Based Time Range . . . . . . . . . . . . . . 120

Applying a Time-of-Day Mask to the Time Range . . . . . . . . . . . . . . 122

Setting a Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Setting the Chart Sample Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Setting the Source Long-term Data . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Filter Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Security Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Management Portal Access Control Parameters . . . . . . . . . . . . . . . . . . 134

D: File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

CSV File Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137


Chart CSV format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Pie chart CSV format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Tabular report CSV format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

XML Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Chart XML format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Pie chart XML format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Tabular report XML format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141


1: NetFlow Tracker Overview

Topics include:

• Key Features

• Deploying NetFlow Trackers

• Data Management

• Product Services

Key Features

NetFlow Tracker lets you, as a network administrator, view flow traffic from routers and managed switches on the network. From a web-based interface, it provides a set of dynamic charts and reports to help you understand network traffic flow data. You can analyze application and protocol information in depth, including user, server, and application activity.

NetFlow Tracker supports data from a range of devices in formats including NetFlow versions 1, 5, and 9, IPFIX, Nortel IPFIX, sFlow, JFlow, Cflow, and netstream.

Key features include:

• Install and configure NetFlow Tracker on Windows or Linux servers. See Chapter 2, “Installing NetFlow Tracker.”

• Customize setup to determine how data is gathered and managed, and optimize NetFlow Tracker performance based on the data you need. See Chapter 3, “Setting Up NetFlow Tracker” and Chapter 8, “Optimizing NetFlow Tracker.”


• View real-time network traffic in detail at per-minute resolution for one week by default. Traffic views by user, user group, conversation, system and application are available. Drill down and zoom in on data. Filter all real-time reports and charts on any field. See Chapter 4, “Viewing Real-Time Data.”

• Create custom long-term reports and charts. Define and quickly access custom executive reports. Format reports and charts as CSV or XML for further processing or as simplified HTML or PDF for printing or emailing. Full flow forensic reports are available. See Chapter 6, “Setting up Reports.”

• Create threshold and baseline alarms. Receive notifications via email, logging or SNMP traps. See Chapter 7, “Working with Alarms.”

Deploying NetFlow Trackers

You can deploy NetFlow Tracker as stand-alone software on a dedicated server on your network or in the NetFlow Tracker Appliance. Because NetFlow Tracker is a web-based application, you can access the system from anywhere in the network.

NetFlow Tracker servers are typically deployed near large switches or tightly clustered switches or routers where there is a high degree of NetFlow traffic.

You can also deploy the NetFlow Tracker Appliance as part of the Visual Performance Manager network performance management system. This lets you view performance data and create reports from multiple NetFlow Trackers on the network through a single web portal interface. For more information, see the Visual Performance Manager System Administration Guide.


Data Management

NetFlow Tracker has two databases:

• The real-time database stores data at millisecond granularity. Report data is displayed in one-minute granularity. By default, data is stored for up to seven days. You can adjust this setting in Database Settings.

• The long-term database stores aggregated data for multiple years at a granularity that you set in Database Settings. By default, data is stored for 999 weeks at one-hour granularity. When you configure long-term reports using custom granularity, the database stores that data at that granularity for as long as the report is scheduled.

Real-time database maintenance occurs every six hours (you cannot run database maintenance on demand). During this time, data is reorganized and transferred to the long-term database, where it is then aggregated. To monitor the length of time this takes, see “Making Sure That Data is Received” on page 24.

You can also archive and back up real-time data.

See:

• “Database Settings” on page 89

• “Backup” on page 90

• “Archiving” on page 92

Product Services

For NetFlow Tracker product information, see:

www.flukenetworks.com


Obtaining Technical Support

If you require technical support for NetFlow Tracker, contact the Fluke Networks Technical Assistance Center (TAC) at the points listed below:

By phone: 1 800-283-5853 (U.S. only) or 1 425-446-4519 (international)

By email: [email protected]

Supervision Gold support packages are available from the Fluke Networks website.

Obtaining Professional Services

Fluke Networks has certified consultants available to assist you with the planning, installation, implementation, and deployment of the product. Contact Professional Services at the points listed below:

By phone: 1 800-283-5853 (U.S. only) or 425-446-4600

By fax: 421-446-4839

By email: [email protected]

Obtaining Product Training

Training is available. Direct training requests to your product vendor or the training coordinator at the contact points listed below:

By phone: 301-296-2300

By fax: 301-296-2651

By email: [email protected]


2: Installing NetFlow Tracker

Topics include:

• System Requirements

• Preparing for Installation

• Installing NetFlow Tracker on Microsoft Windows

• Installing NetFlow Tracker on Linux

Note

For upgrade information, see the Release Notes included with the NetFlow Tracker release.

System Requirements

The type of system required to run NetFlow Tracker depends on the number of devices sending NetFlow information to it and the amount and nature of traffic handled by those devices.

Hardware Requirements

The following requirements are a guideline. To determine your requirements, test the software’s performance in your network environment.

Table 1 Minimum Hardware Requirements

Component | Minimum Requirement
Processor | Intel Pentium D, Core 2 or Xeon or a compatible processor of similar performance. Multiple processors improve performance, but consider these only after increasing RAM and the performance of the disk subsystem.
RAM | 2 GB. Performance increases with the amount of RAM available for the disk cache and database buffers.
Disk subsystem | High performance disk subsystem with substantial free space. For all but the lightest loads, use a server RAID card running RAID 5 over at least three high-performance disks. NetFlow Tracker stores and queries real-time data for a week at one-minute granularity. A busy enterprise router can generate between 20 GB and 50 GB of data in this time.

Software Requirements

Note

NetFlow Tracker requires high speed disk I/O to run effectively. If you run antivirus software on the NetFlow Tracker server you are likely to have periodic issues with storing and accessing flow data.

Table 2 Software Requirements

Software | Requirement
Operating system | English and Chinese language versions are supported. Windows XP Professional SP2; Windows Server 2003 R2 SP 2; Windows Server 2003 SP 2; Windows Server 2000; Linux: NetFlow Tracker has been tested and is supported on Red Hat Enterprise Linux 5 and Fedora Core 8 running Java 1.6.0_05 or later and MySQL 5.0 (Intel-compatible processor). For more information on installing NetFlow Tracker on other Linux distributions, contact Fluke Networks TAC.
Browser | MS Internet Explorer (IE) 7.0; IE 6.0 with SP1, critical updates; Firefox 3.0. Other web browsers may run but have not been tested.
Java version | Java 2 Runtime Environment SE v1.6.0_05 or later
Other components | MySQL 5.0, installed with NetFlow Tracker; Adobe Acrobat Reader 6.0 or later

Preparing for Installation

Before installing, complete the following tasks:

• NetFlow Tracker puts a heavy load on the system. It is strongly recommended that you install it on a dedicated server.

• Do not install any other MySQL-dependent software on the NetFlow Tracker server. Because of the large database size and optimized structure required by NetFlow Tracker, MySQL is set up in a way that can seriously degrade the performance of other software that uses MySQL.


• NetFlow Tracker uses a version of MySQL that differs significantly from that used by Fluke Networks NetFlow Monitor, NetWatch and ResponseWatch products. If you install NetFlow Tracker on a server running one of these products, it will not function correctly. Likewise, if you install one of these products on a server running NetFlow Tracker, neither product will function correctly.

• NetFlow Tracker contains an embedded web server. Web servers normally run on port 80, but another web server on your system may be using this. You can choose a different port during installation or disable other web servers prior to installation.

• If you have previously configured a router for NetFlow Monitor, note: NetFlow Tracker requires a different active flow timeout or long aging timer.

Installing NetFlow Tracker on Microsoft Windows

You must log in as an administrator to install NetFlow Tracker. Installation takes several minutes.

• If you received NetFlow Tracker on CD, the setup program starts automatically when you insert the CD. If it does not, open the CD drive in My Computer and double-click setup.exe.

• If you downloaded NetFlow Tracker software, double-click the file you downloaded.

• Installation detects unsupported MySQL versions. If MySQL is installed on the server already, a message asks if you want to continue. Uninstall any unsupported MySQL version. NetFlow Tracker requires MySQL 5.0, which is installed with the application. The installation program will fail if the installed version of MySQL uses a root password.


Installing Java Runtime Environment on Windows

To install Java Runtime Environment:

1 Insert the NetFlow Tracker CD in your server.

2 If the server does not have the required version of the Java Runtime Environment installed, click OK to install it. The Java installer launches.

3 Accept Sun’s license agreement and click Next.

4 On the Setup Type screen, choose Typical or Custom. Select Custom if you do not want the web browser to use Sun’s Java Plug-in. Click Next.

5 When Java Runtime Environment installation is completed, click Finish.

Installing NetFlow Tracker

Once Java Runtime Environment installation completes, the NetFlow Tracker software begins installing.


To install NetFlow Tracker:

1 On the Welcome screen, click Next.

2 On the License Agreement screen, accept the agreement and click Next.

3 On the Customer Information screen, enter your name and organization name. Choose whether to install the software for yourself only or for every user that logs in to the system. If you install the software for yourself, only you will see the shortcut to the web front-end and only you can uninstall the software. Click Next.

4 On the Setup Type screen, choose:

• Complete to install NetFlow Tracker to the “nfNetFlow Tracker” folder on your system drive and MySQL to the “MySQL” folder on the same drive. The internal web server will run on port 80 if available. If port 80 is unavailable, you are prompted to choose another. Click Next. Proceed to step 7.

• Custom if you want to change the install folders or choose a different port even if 80 is available. Click Next.


5 If you chose Custom, the Custom Setup screen is shown. You can change the install folder for NetFlow Tracker and MySQL. Select the feature and click Change. Click Next.

6 If you chose Custom setup or if port 80 is in use, the Select HTTP Port screen is shown. Select a port and click Test to check if it is available. Click Next.

7 On the Ready to Install screen, click Install. Installation takes several minutes. If installation stops for longer than that, contact Fluke Networks TAC. When installation completes, click Finish.

After installation, a shortcut is placed in the NetFlow Tracker folder under Programs in the Windows Start menu.

Installing NetFlow Tracker on Linux

Note

The RPM installer works only for the supported distributions of Linux: Red Hat Enterprise Linux 5 and Fedora Core 8. If you are trying to upgrade on a different platform contact Fluke Networks TAC at [email protected].

The NetFlow Tracker web server runs on port 8000.

To install the RPM, run the following as root (replace the RPM file name below with the name of the file you downloaded):

rpm -Uvh nftracker-4.0-0.i386.rpm

For an upgrade installation, use:

rpm -Uvh --nopreun --nopostun nftracker-4.0-0.i386.rpm

The following is an example of the install sequence:


The following graphic shows the successfully completed installation.


3: Setting Up NetFlow Tracker

After installation, you can set up NetFlow Tracker to monitor data. Topics include:

• Opening NetFlow Tracker

• Selecting a Language

• Setting up NetFlow Tracker

• Viewing Version Information

Opening NetFlow Tracker

To open and set up NetFlow Tracker:

1 Open NetFlow Tracker:

• To open NetFlow Tracker from the computer on which it is installed, from the Windows task bar select Start > All Programs > NetFlow Tracker > NetFlow Tracker.

• To open NetFlow Tracker from a URL, open a web browser and type the IP address or DNS name of the NetFlow Tracker on the port set up during installation.

2 Click the splash screen to dismiss it. The Network Overview page is shown.

• If you have not yet configured NetFlow Tracker, the Network Overview page has no data. In the upper left part of the interface, select Main Menu > Settings. Configure the settings required so that NetFlow Tracker can start monitoring data. See “Setting up NetFlow Tracker.”


• If you have already configured NetFlow Tracker, data is shown on the Network Overview page. See “Viewing Network Overview Data” on page 30.

Note:

• If you have password protection enabled you may need to log in as an administrative user to see the Main Menu > Settings link. See “Applying Security Settings” on page 26.

• The Settings link is not shown for NetFlow Trackers that have a portal secret configured in the Visual Performance Manager.

Selecting a Language

You can view the NetFlow Tracker interface in English or in Chinese, depending on the language settings of your browser.

To change language settings:

1 Access the language selection dialog:

• In Firefox, select Tools > Options. From the General tab (in Firefox 2.0) or Content tab (in Firefox 3.0), under Languages, click Choose.

• In Internet Explorer, select Tools > Internet Options. From the General tab, click Languages.

2 Click Add and select a supported language from the list:

• Chinese/China [zh-cn]

• English/United States [en-us]

3 Select the language you want to use and click Move Up to place it at the top of the list.

4 Click OK. Then click OK again in the Options or Internet Options dialog.


Setting up NetFlow Tracker

From the Settings page (Main Menu > Settings) you can set up NetFlow Tracker to gather data from network devices, determine how that data is gathered and managed, and monitor and optimize NetFlow Tracker performance.

If you are using NetFlow Tracker for the first time after installation, set up NetFlow Tracker to start gathering data. Topics include:

• Setting up Licensing

• Setting up Listener Ports

• Applying SNMP Settings

• Enabling Devices to Export Flow Data

• Applying Device Settings in NetFlow Tracker

• Making Sure That Data is Received

• Applying Security Settings

Once NetFlow Tracker begins collecting data you can apply additional data filtering and management settings. For more information, see Chapter 8, “Optimizing NetFlow Tracker.”

When applying settings, note:

• Each settings page controls a single aspect of the software. To apply changes, click OK on that page. To return to the main Settings page without applying changes, click Cancel.

• Use the session path link on settings pages to return to the main Settings page. Using the web browser’s Back button can cause you to lose changes.

Setting up Licensing

Use the Licensing page to apply a new full or trial license or check the status of an existing license.


To install a license:

1 Select Main Menu > Settings > Licensing.

2 Add license information:

• If from a file, click Browse, locate the file, and select it. Then click Load.

• If text, enter or paste the text and click Decode.

3 Click OK.

Setting up Listener Ports

Use the Listener Ports page to set the UDP ports on which NetFlow Tracker will monitor NetFlow traffic from devices.

When you set up NetFlow exporting on a device, you provide a port number to which to send exports. By default, NetFlow Tracker listens on ports 2055 and 6343. For best performance, use a dedicated listener port for each device exporting flow data to NetFlow Tracker.

For more information about configuring devices for NetFlow, see Appendix A, “Setting up NetFlow on Network Devices.”

To add listener ports:

1 Select Main Menu > Settings > Listener Ports.

2 Add ports. Select All local addresses and enter a port number:

Note

When adding local addresses, you must specify a port number on the NetFlow Tracker server to receive NetFlow traffic.

3 Set the Receive buffer size. The default size is 32768. This setting applies to all ports.

Note

If traffic exceeds the buffer size, increase the buffer size to avoid dropping packets. If you increase the buffer size, monitor the system’s memory usage.


4 Assign each device its own listening port.

5 Click OK. If you receive an error message, one or more ports are already in use. An asterisk (*) marks these ports. Remove these ports and add others until no errors remain.

Applying SNMP Settings

Use the SNMP Settings page to add communities for devices you want to monitor that do not use the read-only “public” SNMP community.

When NetFlow Tracker receives exports from a previously unknown device, it scans the device using SNMP to find its name and interface properties. A password, called a community, is required to use SNMP. In many cases a default community of “public” is set for a device. If your devices do not use the “public” community, add the communities they use to the SNMP Settings list.

Note

A device is scanned when it reboots and when NetFlow Tracker software restarts. Because NetFlow Tracker checks each community when it detects a new device, place the most frequently used communities higher in the list for faster scanning.

You can change the community string used to rescan an existing device on the device configuration page. See “Applying Device Settings in NetFlow Tracker” on page 18.

In the Device List, devices that do not match the SNMP community setting show a . See “Device List” on page 20.

To apply SNMP settings:

1 Select Main Menu > Settings > SNMP Settings.

2 Enter at least one community for devices that do not use “public”.

3 Select a community on the list and click Up or Down. To reduce the scanning time, order communities by most frequently to least frequently used.


4 Leave the default settings for timeout (5000 ms) and number of attempts (3) used for SNMP requests.

5 Click OK.

Enabling Devices to Export Flow Data

To view data in NetFlow Tracker, you must enable network devices (routers and switches) to export flow data to the server running NetFlow Tracker. For more information, see Appendix A, “Setting up NetFlow on Network Devices.”

Once devices are enabled, to see whether NetFlow Tracker has started collecting data, see “Making Sure That Data is Received” on page 24.

Applying Device Settings in NetFlow Tracker

Use the Device Settings page to:

• Collect SNMP information from devices so that interfaces are named correctly.

• Apply BGP settings if BGP is used to establish routing between autonomous systems (ASes).

• Apply sampled data settings to collected flows, so that utilization information is scaled accurately in reports.

• Apply traffic class, identified applications, and interface settings.

To configure devices:

1 Select Main Menu > Settings > Device Settings.

2 Select a device from the Device List. See “Device List” on page 20.

3 Apply General settings:

• Override the name detected using SNMP.

• Choose whether to archive real-time data from the device. Note: When you archive data all NetFlow data monitored by the device is archived.


• Show interface descriptions entered on the network device or leave the default setting. Default does not show the interface descriptions.

4 Apply SNMP settings. For SNMP mode, select:

• Use SNMP if the device supports SNMP. Let NetFlow Tracker use SNMP to scan a device: the numbers used to identify the inbound and outbound interfaces in NetFlow exports are not constant, and SNMP is the only way NetFlow Tracker can correctly correlate an identifier with a physical interface or port. Select an SNMP version (SNMPv1 or SNMPv2c) and enter a community name.

• Don’t use SNMP if the device does not support SNMP. This assigns default properties to each interface encountered in NetFlow exports from the device.

• Keep current configuration to freeze a device’s configuration. This ignores any new interface encountered, so use this with caution.

To rescan an SNMP device using the SNMP version and community specified in the page, click Rescan. This scans but does not save the settings. You must click OK on the Device Settings page to apply changes. Because NetFlow Tracker rescans a device when the software restarts, a new interface is encountered, or the device reboots, you do not normally have to manually rescan a device.

5 Apply BGP settings if BGP is used:

• Local AS—The local AS number is required to get correct AS numbers for traffic routed to or from the local AS. If BGP is not used, leave this setting blank.

• Store peer/origin ASes—For a device that can send both the peer and origin AS number for each NetFlow record, choose which AS numbers are stored in the database.

• Store BGP next-hop—For a device that can send the BGP next-hop address in its NetFlow exports, store this value in place of the IP next-hop for the device.

6 Set Sampled Data Scaling.

• Scale sampled data—If a device samples packets to simplify the generation of NetFlow data, select this to scale each NetFlow record by the sampling interval and thus produce traffic and packet rates that more accurately reflect the real levels.


• Scaling factor—In most cases NetFlow Tracker can extract the sampling interval from the NetFlow data. If it cannot, then supply a scaling factor.

7 Apply Traffic Class settings. See “Applying Traffic Class IDs” on page 21.

8 Apply Identified Applications settings. See “Applying Identified Applications” on page 21.

9 Apply settings for interfaces. See “Applying Interface Settings” on page 22.

10 Click OK.

11 Click OK on the Device Settings page.
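
The Receive buffer size note under Listener Ports and the Sampled Data Scaling step above both depend on fields carried in every export header. The following Python example is added here for illustration and is not NetFlow Tracker's own code: it decodes NetFlow version 5 exports, scales each record by the sampling interval from the header, and uses the header's flow sequence number to count flows that never arrived. The function names, the fallback_factor parameter (standing in for the Scaling factor setting) and the sample datagrams are assumptions constructed for the example.

```python
import socket
import struct

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram, fallback_factor=1):
    """Decode one v5 export and scale packet/octet counters.

    fallback_factor (hypothetical name) is used only when the header
    reports no sampling interval, like a manually supplied scaling factor.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs,
     sequence, _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Top 2 bits of the field are the sampling mode, low 14 bits the interval.
    interval = sampling & 0x3FFF
    factor = interval if interval > 0 else fallback_factor
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3],
            "out_if": f[4],
            "packets": f[5] * factor,
            "octets": f[6] * factor,
        })
    return {"sequence": sequence, "count": count,
            "factor": factor, "flows": flows}


class SequenceTracker:
    """Count flows lost between exports from ONE exporter.

    The v5 flow_sequence is a running total of flows exported, so the next
    header should carry previous sequence + previous count.
    """

    def __init__(self):
        self.expected = None
        self.missed = 0

    def update(self, export):
        if self.expected is not None:
            gap = (export["sequence"] - self.expected) % 2**32
            # A huge "gap" means the exporter restarted or a datagram
            # arrived out of order; do not count it as loss.
            if 0 < gap < 2**31:
                self.missed += gap
        self.expected = (export["sequence"] + export["count"]) % 2**32
        return self.missed


def build_v5(sequence, sampling, records):
    """Build a CONSTRUCTED v5 datagram for the demo (not captured traffic)."""
    out = V5_HEADER.pack(5, len(records), 0, 0, 0, sequence, 0, 0, sampling)
    for src, dst, pkts, octets in records:
        out += V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              b"\0" * 4, 1, 2, pkts, octets, 0, 0,
                              40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return out


def demo():
    tracker = SequenceTracker()
    sampled = (0b01 << 14) | 100          # mode bits 01, 1-in-100 sampling
    a = parse_v5(build_v5(1000, sampled,
                          [("192.0.2.10", "198.51.100.5", 3, 1800)]))
    tracker.update(a)
    # Next header should say 1001; 1006 means five flows were never received.
    b = parse_v5(build_v5(1006, sampled,
                          [("192.0.2.11", "198.51.100.5", 1, 60)]))
    tracker.update(b)
    # A second exporter that reports no interval: supply the factor by hand.
    c = parse_v5(build_v5(0, 0, [("192.0.2.12", "198.51.100.5", 2, 120)]),
                 fallback_factor=50)
    return a, b, c, tracker.missed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A steadily growing missed count for one exporter is the symptom the Receive buffer size note describes; keep one tracker per exporting device.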

Device List

Use the device list on the Device Settings page to check the status of known devices and override the interface descriptions and speeds collected by NetFlow Tracker. NetFlow Tracker performs an SNMP scan when it starts to populate this list. When devices reboot, they are rescanned.

The name and address of each known device are listed, along with a status indicator:

• (exclamation point)—Indicates that NetFlow Tracker could not contact the device using SNMP or that the device is ignored due to a license violation.

• (hourglass)—Indicates that the device is being scanned and cannot be edited. To see if scanning has finished click Refresh.

• No icon—The device is working correctly.

Click a device name to edit its settings.

Note

Any changes you make to any device are only applied when you click OK in the main Device Settings page.


Applying Traffic Class IDs

In the Traffic Class IDs section of a device’s settings page, you can map traffic classes or manually add these using the list.

For devices that can export traffic class data that helps route the traffic involved in each flow, leave Automatically map traffic classes checked. If this option is not available for a device, add each traffic class to NetFlow Tracker and configure a map from the device’s class ID to the NetFlow Tracker traffic class. Give each class a unique identifier that is used if you create a URL with a traffic class filter. Note: This identifier does not need to match the identifier exported by any of your devices for the traffic class.

To add traffic class IDs:

1 Select Main Menu > Settings > Device Settings.

2 Select a device from the Device List. See “Device List” on page 20.

3 Expand Traffic Classes:

• For devices that can export traffic class data that helps route the traffic involved in each flow, leave Automatically map traffic classes checked.

• For devices that do not automatically map traffic classes, click add/delete in the Traffic Class column header.

4 On the Traffic Class Names page, enter a unique identifier and name.

5 Click Add. To delete an ID, select its checkbox and click Delete.

6 Click OK.

7 Click OK in the device’s settings page.

Applying Identified Applications

Identified applications are similar to traffic classes and you configure them in the same way. Packeteer devices support this feature.

As with traffic classes, leave mapping enabled for devices that support it. For devices that do not support automatic mapping, you must create a unique, NetFlow Tracker-specific identifier for each identified application that you want to report on. Then define a mapping from the device-specific protocol or service ID to the NetFlow Tracker identified application for each device.

To add application identifiers:

1 Select Main Menu > Settings > Device Settings.

2 Select a device from the Device List. See “Device List” on page 20.

3 Expand Identified Applications and click add/delete in the Identified Applications column header.

4 On the Identified Application Names page, enter an identifier and name.

5 Click Add. To delete an ID, select its checkbox and click Delete. Click OK.

6 Click OK on the device’s settings page.

Applying Interface Settings

If you cannot change the settings of the device or it has an asynchronous interface, you can override the description, inward speed, and outward speed for its interfaces. For non-SNMP compatible devices, you must provide interface descriptions and speeds.

You can associate any interface on any device with a uniquely named Virtual Private Network (VPN) for reporting and filtering. A VPN groups data from the devices and interfaces assigned to it. This data is included in the VPNs report and by the VPN filters. NetFlow Tracker assigns the customer-facing interfaces of an MPLS provider edge router (PER) using MPLS VPN and supports the standard SNMP MIB automatically. If your network device does not support this, you must create a unique identifier for each VPN.

Note

If you reset a speed or description setting and the device reboots or has an SNMP rescan, your settings are overridden.

You can also set an interface as inactive. Inactive interfaces do not show up in the interface status report or in the Filter Editor. This option is useful to remove interfaces that do not report NetFlow data from reports.

To apply interface settings:

1 Select Main Menu > Settings > Device Settings.

2 Select a device from the Device List. See “Device List” on page 20.

3 Expand Interfaces. You have the following options:

a Enter an interface name and description.

b Enter the speed.

c To associate an interface with a VPN, click add/delete in the VPN column header. On the VPNs page, enter a unique ID and name for each VPN. The description is optional. To delete a VPN from the list, select its checkbox and click Delete. Click OK.

d In the VPN column on the device’s settings page, select from the drop-down list. If the interface is not part of a VPN, leave the setting at none. Make sure that the P interface(s) on an MPLS PER also have their VPN set to none, because they carry traffic from multiple VPNs.

Note

VPNs are assigned to interfaces by name, so each VPN must have a unique name.

4 To mark an interface as inactive, check its Inactive box.

5 Click OK.

6 Click OK on the Device Settings page.

Deleting a Device

You can delete a device from the device’s settings page.

Note

When you delete a device, if the device is still sending NetFlow data to NetFlow Tracker it will reappear after you delete it.


To delete a device:

1 From the NetFlow Tracker Main Menu, select Settings > Device Settings.

2 Select a device from the Device List. See “Device List” on page 20.

3 On the Device page, click Delete.

Note

If you cancel the deletion at this point, you will lose any other changes you have made on the settings page.

4 Click Yes to continue.

5 On the Device Settings page, click OK. If you click Cancel, the device will remain, but other changes you applied will be lost.

Making Sure That Data is Received

To check that NetFlow Tracker is receiving data from a device, first check the Device Settings page to make sure that SNMP access was successful. After several minutes, see that the Network Overview shows data. Then review information on the Performance Counters page.

Use the Performance Counters page to diagnose problems in NetFlow Tracker setup and ongoing operation. Counters are stored for each device from which the software has received data (see Table 3). Counts start when the system is started and you can reset them at any time.

Table 3 Performance Counters

Item Definition

Average sample storage duration

Length of time it takes the system to store a one-minute sample of real-time data. If this is more than fifteen seconds, the system is overloaded.

Last long-term database maintenance duration

Length of time it took to perform the last update of the long-term database. If this took longer than two to three hours, consider reducing the number of long-term reports or the number of devices they cover, or setting some long-term sample sizes to zero.


Last real-time database maintenance duration

The length of time it took to perform the last reorganization of the real-time database. If this took longer than 30 minutes, it may indicate a performance problem on the server, too much data in the database, or not enough memory allotted for NetFlow Tracker.

NetFlow data received

Shows the number of exports and amount of NetFlow data received from each device. Note: This is not the amount of traffic described by the exports but the LAN traffic generated by the exports.

Traffic described

Tracks the total amount of network traffic across all interfaces in each direction as described by NetFlow exports received from each device.

Ignored flows

NetFlow Tracker ignores flows that arrive too late to be processed. If you see a large number of ignored flows, make sure that the inactive timeout or short aging time settings on the router are correctly set.

For devices that do not have a configurable active flow timeout or if the active flow timeout is not working with a certain device, configure NetFlow Tracker to hold data in RAM longer to prevent ignored flows. See the “Hold back real-time data for” option in “Database Settings” on page 89.

Unprocessed flowsets

NetFlow version 9 flows are encoded in a flexible manner using templates exported by the router every few seconds. For several minutes after starting NetFlow Tracker or after a router reboots, NetFlow Tracker may receive flows that it cannot decode.

If you do not see data after 10 minutes, check the server, NetFlow Tracker settings, and the router configuration.

Interface scans

NetFlow Tracker scans the interface list of each device exporting to it when the device or NetFlow Tracker software restarts. A large number of rescans, particularly failed ones, indicates a problem.

Missed flows

NetFlow versions 5 and 7 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. It can miss exports due to network congestion or a busy router. If a switch or router is reordering the UDP packets that contain NetFlow exports, missed flows are shown. Each export normally contains data on about 30 flows.

Note: If the NetFlow Tracker server is processing a very high volume of data it may drop packets. In this case, increase the receive buffer size in Listener Ports. See “Setting up Listener Ports” on page 16.

Missed exports

NetFlow version 9 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. Unlike the version 5 or 7 sequence numbers, only the number of missed exports can be counted and not the number of missed flows.

No out interface

The router sends flows with “no out interface” when an access control list lookup fails or multicast traffic is routed. A high number of flows with no out interfaces is normal.

No in interface

The arrival of flows with “no in interface” may indicate a configuration problem on a Catalyst switch. Contact Fluke Networks TAC.

Applying Security Settings

Use the Security Settings page to set the protection level for user access to NetFlow Tracker. You can also set a new default or custom home page for all users and for individual users.

When adding a custom home page, make sure that its URL is relative to the server’s root. For example, the standard home page is specified as “index.jsp” and the Network Overview is specified as “report.jsp?cid=_topdevices”. The Network Overview is the default home page.

Security settings are optional.

To apply password protection:

1 Select Main Menu > Settings > Security Settings.

2 Choose a protection level:

• No password protection—No login or password is required and all pages are accessible.

• Protect configuration only—A login and password are required for access. Settings pages are accessible only to administrators.

• Protect all access—A login and password are required for access. Settings pages are accessible only to administrators and standard users have view-only access.

3 Set a custom home page. The default is “Network Overview.”

To use your own HTML page as a custom home page, place it in the “customweb” folder under the NetFlow Tracker install folder and enter the URL here. For example, if you enter http://server/customweb/file.html the home page is customweb/file.html.

4 If you applied password protection, add user login and password. You may apply user-specific home pages. You must set at least one user as an administrator who can configure settings.

5 Click Add. To delete users, select the user’s checkbox and click Delete.

6 Click OK. If you applied password protection or changed your own user login details you must log in again.

Viewing Version Information

The About page (Main Menu > Settings > About) shows NetFlow Tracker, Java, MySQL, and operating system version information. It also shows the status of all main subsystems. Use this page when consulting with Fluke Networks TAC to help diagnose a problem.
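The Missed flows and Missed exports counters in Table 3 both depend on the sequence number carried in each export header. The following added example (not NetFlow Tracker's own code) shows that accounting for versions 5, 7 and 9, including why reordered UDP packets show up as missed flows; header offsets follow the published NetFlow export formats, and the class names, function names and datagrams are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SEQ_MOD = 1 << 32       # sequence fields are unsigned 32-bit and wrap around
V5_RECORD_LEN = 48      # bytes per flow record in a version 5 export


@dataclass
class Counters:
    expected: Optional[int] = None  # sequence number the next export should carry
    missed_flows: int = 0           # only countable for versions 5 and 7
    missed_exports: int = 0         # only countable for version 9
    late_exports: int = 0           # arrived after a higher sequence number


def parse_header(datagram: bytes):
    """Return (version, count, sequence) from a NetFlow export datagram."""
    if len(datagram) < 20:
        raise ValueError("too short for a NetFlow header")
    version, count = struct.unpack_from("!HH", datagram, 0)
    if version in (5, 7):
        # v5/v7: flow_sequence follows sys_uptime, unix_secs and unix_nsecs.
        (sequence,) = struct.unpack_from("!I", datagram, 16)
    elif version == 9:
        # v9: the sequence number follows sys_uptime and unix_secs.
        (sequence,) = struct.unpack_from("!I", datagram, 12)
    else:
        raise ValueError(f"unsupported NetFlow version {version}")
    return version, count, sequence


class SequenceTracker:
    """Gap accounting per (exporter address, NetFlow version)."""

    def __init__(self):
        self.counters = {}

    def observe(self, exporter: str, datagram: bytes) -> Counters:
        version, count, sequence = parse_header(datagram)
        c = self.counters.setdefault((exporter, version), Counters())
        # v5/v7 number flows, so the sequence advances by the record count;
        # v9 numbers export packets, so it advances by one per datagram.
        step = count if version in (5, 7) else 1
        if c.expected is not None:
            gap = (sequence - c.expected) % SEQ_MOD
            if gap >= SEQ_MOD // 2:
                # Behind what we expected: a reordered (or duplicated) export.
                # If reordered, its flows were already counted as missed when
                # the gap opened, so reordering shows up as missed flows.
                c.late_exports += 1
                return c
            if version == 9:
                c.missed_exports += gap
            else:
                c.missed_flows += gap
        c.expected = (sequence + step) % SEQ_MOD
        return c


def build_v5(sequence: int, count: int = 30) -> bytes:
    """Constructed version 5 export: 24-byte header plus zeroed flow records."""
    header = struct.pack("!HHIIIIBBH", 5, count, 0, 0, 0,
                         sequence % SEQ_MOD, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


def build_v9(sequence: int) -> bytes:
    """Constructed version 9 export: 20-byte header only."""
    return struct.pack("!HHIIII", 9, 1, 0, 0, sequence % SEQ_MOD, 0)


def replay(exporter: str, datagrams) -> Counters:
    """Feed datagrams to a fresh tracker and return the exporter's counters."""
    tracker = SequenceTracker()
    result = Counters()
    for datagram in datagrams:
        result = tracker.observe(exporter, datagram)
    return result


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address used as a constructed exporter.
    print("dropped export  :", replay("192.0.2.1", [build_v5(0), build_v5(30), build_v5(90)]))
    print("reordered export:", replay("192.0.2.1", [build_v5(0), build_v5(60), build_v5(30)]))
    print("v9 gap          :", replay("192.0.2.1", [build_v9(7), build_v9(8), build_v9(11)]))
```

In the reordered case nothing was lost, yet 30 missed flows are recorded, which matches the behavior the Missed flows counter describes.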


4: Viewing Real-Time Data

After you complete initial setup, real-time data is available within a few minutes. You can view this data in chart and table formats.

Topics include:

• Viewing Network Overview Data

• Viewing Devices

• Viewing Interfaces

• Filtering Real-time Data

• Viewing Chart Data

See also:

• “Database Settings ” on page 89.

• “Applying General and Real-time Report Settings” on page 54.


Viewing Network Overview Data

The Network Overview (Main Menu > Network Overview) shows the top devices and interfaces on the network. From here, you can drill down to device and interface-specific application data. It is NetFlow Tracker’s default home page. This page shows:

• A pie chart, stacked bar chart over time, and table show the top five applications plus “Other” by percentage of total traffic rate. Average and peak traffic rates are also shown.

• A table shows the top five interfaces by peak percentage of usage, along with the direction and average percentage of usage.

• A table shows the top five interfaces by traffic rate, along with the direction and average traffic rate.

Viewing options include:

• Click a device in the list to see its top applications and busiest interfaces.

• Click an interface name to see its top applications and recent traffic.

• Right-click a pie segment to create a report for that segment. From the menu, select an item to create another chart for the selected time range.

Figure 1 Network Overview

Figure 1 callouts: Hold mouse over a segment to highlight corresponding table row. Right-click to run an ad hoc report. Click to view top applications and interfaces on device. Click to view top applications and traffic rate for interface.

Top Applications and Interfaces for a Device

You open the Top Applications and Interfaces page for a device by clicking an application on the Network Overview. This page shows:

• A pie chart, stacked bar chart over time, and table showing the top five applications plus “Other” by percentage of total traffic rate. Average and peak traffic rates are also shown.

• A table showing the top five interfaces by peak percentage of usage, along with the direction and average percentage of usage.

• A table showing the top five interfaces by traffic rate, along with the direction and average traffic rate.

Application Conversations

You open the Conversations page for an application by clicking an application on the Top Applications and Interfaces page. This page shows:

• Traffic Rate tab—A stacked bar chart and table show the top 10 conversations by percentage of total traffic. The source and destination address, source and destination application, and peak and average traffic rate are shown.

• Packet Rate tab—A stacked bar chart and table show the top 10 conversations by packet rate. The source and destination address, source and destination application, and peak and average packet rate are shown.

Top Applications and Usage for an Interface

You open the Top Applications and Usage page for an interface by clicking an interface on the device’s Top Applications and Interfaces page. This page shows:

• A pie chart, stacked bar chart over time, and table showing the top five applications plus “Other” by percentage of total traffic rate. Average and peak traffic rates are also shown.

• A stacked bar chart over time and table showing average and peak percentage of usage for the In and Out directions.

Interface Conversations

You open the Conversations page for an interface by clicking an application on the Top Applications and Usage page for an interface. This page shows:

• In/out Interface - %Usage tab—A stacked bar chart and corresponding table show the top 10 conversations by percentage of total usage. The source and destination address, source and destination application, and the peak and average percentage of usage are shown.


• Traffic Rate tab—A stacked bar chart and table show the top 10 conversations by percentage of total traffic. The source and destination address, source and destination application, and peak and average traffic rate are shown.

Viewing Devices

The Devices page (Main Menu > Devices) lists all devices that export flow data. Use this page to identify devices and their interfaces that show high traffic or packet rates (see Figure 2). The page refreshes every minute.

Options include:

• To sort data by device name, address, peak traffic rate, or peak packet rate, click the column header. By default, each peak rate is the highest two-minute rate in the last six hours. This differs if the default time range is altered.

• Click the Relative Traffic and Relative Packet Rate meters for a device to open a chart of the device’s recent activity over time. Each chart is scaled relative to the busiest device. This ensures that a high value on a chart indicates a relatively high traffic or packet rate. By default, the last six hours is shown.

Figure 2 NetFlow Tracker Devices and Drilldown

Figure 2 callouts: Click device to view its interface list. Click meter to view traffic rate and packet rate details.

Viewing Interfaces

You can open the Interfaces page for a device by clicking the device name on the Devices page. The Interfaces page lists all known interfaces on the device. Information for each interface includes the interface description, percentage of usage, relative traffic, relative packets, peak percentage of usage In and Out, peak traffic rate In and Out, and peak packet rate In and Out.

Options include:

• Hold your mouse over an interface’s name to see its speed, type, and extended description if available.

• Click column headers to sort interfaces by name, description, peak percentage of usage in either direction, peak traffic rate in either direction, and recent peak packet rate in either direction.

• Click an interface name or the % Usage, Relative Traffic, or Relative Packet Rate meters to view detailed data on that interface. A chart shows the interface’s recent bi-directional utilization, traffic rate, or packet rate over time (see Figure 3).

Data in meters is scaled in the following ways:

• The % Usage column scales each row of each chart according to the configured speed of the interface in that direction.

• The Relative Traffic and Relative Packets columns are scaled relative to the busiest direction of the busiest interface. This ensures that a high value on a chart indicates either high usage or a relatively high traffic or packet rate.

You can change the speed of an interface in Device Settings. You must do this for an asynchronous interface. You can also use the Device Settings page to hide interfaces that never export any NetFlow data. For more information, see “Applying Interface Settings” on page 22.

Figure 3 Device Interfaces

Figure 3 callout: Click name or meter to open drill-down page to its corresponding tab.

Viewing Per-AS Data

If your router uses BGP to route traffic, it provides source and destination origin or peer autonomous system (AS) numbers in its NetFlow data. NetFlow Tracker creates optimized bi-directional charts for each AS just as it does for each interface. Because routers will likely count some or all traffic multiple times, an AS chart is only available for a single device. Use the Filter Editor to create a report or chart based upon an AS and data from multiple routers. See “Filtering Real-time Data.”

To view the ASes routed by a given router, click ASes in the navigation menu at the top of the interface report.

Filtering Real-time Data

You can create any chart or tabular report using the Filter Editor. Filters let you restrict the source data considered for the report. The report template and start and end time filters are shown by default. You can also select from over 30 additional filters (see Figure 4).


Figure 4 Filter Editor—Real-Time Data

Note:

• If you do not want to use a filter, leave it blank.

• For filters in which you add a range of items, enter the start and end of the range in the boxes provided. To select a single item, leave the right-hand box empty. You can include or exclude the items you select.

• For filters that have selectable items, select the items in the Available box on the left and click > to move them to the Selected box.

If you are an administrative user or your access to NetFlow Tracker does not require a password, you can save filters for use at another time.

Saved filters are available in the Filter drop-down list. You manage saved filters in Report Settings. See “Saving Report Filters” on page 55.

To filter data:

1 Select Main Menu > Filter Editor.

2 Select a report template and set whether to create a tabular report, chart, or pie chart. For more information, see Appendix B, “Report Templates.”

3 Set a sample size. NetFlow Tracker picks an optimal sample size for a real-time chart based upon the amount of time covered. To override this, select a number of units. For example, you can create a report covering a day that has hour-long samples.

4 Click Start time/End time or Length to determine how much data the report will include:

• Pick the date and time of the earliest and latest data to consider. The default start time is six hours before you opened the Filter Editor.

• Set the length in units. The report will cover that number of units and end at the last full unit before the time it is opened.

5 Set a reload interval. If you selected a unit length or a time range that extends into the future, you may want the report to refresh periodically to show new data. If so, enter the number of seconds between refreshes.

6 Select a source device or source data depending on the report:

• Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices, some or all traffic may be counted multiple times.

• Source data—Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection of the source data to create charts showing, for example, a month in day-long blocks.

7 Select a filter from the drop-down list and click Add. The filter is added to the Filter Editor page. See Table 4.

8 Click OK. Click Save to save the filter.

Figure 4 callouts: Set the start and end time or length. Select a filter and click Add to show it.

Table 4 Filter Definitions

Filter To Apply...

Time zone

Change the time zone used to interpret the start and end times and time masks. The default is the time zone the NetFlow Tracker server uses.

Time mask

Select a limited time range during a day. For example, to consider only data between 8:30 and 18:00 on a weekday, select Monday, Friday, 8:30 and 18:00 and click Add. Add as many masks as you want. Only data within one or more masked areas is considered. If you do not select a mask then all data between the start and end time is considered.

In interface

Report on inbound traffic for an interface or set of interfaces. Available interfaces depend on the filtered source devices.

Out interface

Restrict a report to just outbound traffic from a set of interfaces. Use this with an In interface filter to report on traffic that took a particular path through a router.

In/out interface

Restrict the report to bi-directional traffic for the selected interfaces.

In VPN

Restrict a report to just traffic where the inbound interface is part of the selected VPN(s). For this filter to work, you must associate interfaces with VPNs in Device Settings. See “Applying Interface Settings” on page 22.

Out VPN

Select traffic where the outbound interface is part of the selected VPN(s).

VPN

Select traffic where either interface is part of the selected VPN(s).

Source address

Restrict the report to traffic with a given source IP address or a set of source IP addresses. Type the address or domain in the box and click Add.

Dest address

Report on data with one of a set of destination IP addresses.

Src/dest address

Consider traffic either originating from or destined for the given addresses.

Protocol

Restrict the set of IP protocols considered. For example, you may want to consider only UDP or ICMP traffic while investigating a denial-of-service attack.

Source port

Restrict the source application port number. Use this with the Protocol filter.

Dest port

Restrict the destination application port number.

Src/dest port

Consider traffic with the given port number as either the source or destination.


Source application

Restrict the IP protocol and source application port number. Enter a port number and protocol or select from those configured in the IP Application Names settings page. See “Applying Identified Applications” on page 21.

Dest application

Restrict the protocol and destination application port, selectable by name.

Src/dest application

Consider traffic using the application as either the source or destination.

Recognized application

Select traffic with the given source or destination application. Consideration of the source or destination application depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which one has the lower port number. See “Applying Identified Applications” on page 21.

Identified application

Select traffic with the identified application. For NetFlow Tracker to identify applications, the device must support the functionality and you must set its identified application mapping in Device Settings. See “Applying Identified Applications” on page 21.

ToS

Filter traffic bearing any one of a set of type-of-service (ToS) byte values. Select a priority from 0 to 7 and select Include or Exclude.

To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select D (delay), T (throughput), R (reliability), or M (monetary cost) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.

DiffServ

Select only traffic bearing one of the selected differentiated service code points. Because DiffServ and ToS use the same field in the IP header, do not use both filters at the same time. You can assign a name to a code point using the DiffServ Names settings page. See “DiffServ Names” on page 86.

Traffic class

Select traffic within a traffic class. For NetFlow Tracker to identify traffic classes, the device must support the functionality and you must configure its traffic class mapping in Device Settings. See “Applying Traffic Class IDs” on page 21.


See also:

• “Filtering Long-term Data” on page 50

Source AS

Select traffic bearing one of a set of source AS numbers. The router’s settings determine whether this is the origin or peer AS. Enter an AS number or select from the set of private-use ASes configured in the AS Names settings page. Note: You cannot select public ASes by name.

Dest AS

Restrict the source data to traffic bearing the destination origin or peer ASes.

Src/dest AS

Consider traffic to or from the origin or peer ASes.

Source subnet

Select traffic with the source subnet. Enter the network address and mask length or select from the subnets configured in the Subnet Names settings page. Note: The subnet mask used by the router to route the traffic is ignored when applying this filter. See “Subnet Names” on page 87.

Dest subnet

Select traffic with the given destination subnets. Note: A destination subnet filter of 224.0.0.0/4 will select multicast traffic.

Src/dest subnet

Select traffic to or from the subnets.

Source mask

Select traffic routed using the source network mask.

Dest mask

Select traffic with the destination network mask.

Src/dest mask

Select traffic with the source or destination network mask.

Next hop

Filter traffic based on the next hop used by the router in routing the traffic.

TCP Flags

Filter TCP traffic. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select U (urgent), A (acknowledged), P (push), R (reset), S (synchronized), or F (finished) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.

Duration

Include or exclude traffic based on length of time in milliseconds. Terms:

• ge—greater than or equal to

• le—less than or equal to
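The per-bit TCP Flags and ToS filters in Table 4 have three states per bit (must be 0, must be 1, or blank), which amounts to a mask-and-value comparison. The following added example (not NetFlow Tracker's own code) applies those filters, together with the Protocol, Dest subnet and Duration filters, to constructed flow records; the `Flow` type, function names and sample flows are hypothetical, combining filters with AND is an assumption, and Include/Exclude is not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Bit positions in the TCP flags byte and in the low bits of the ToS byte.
TCP_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
TOS_BITS = {"D": 0x10, "T": 0x08, "R": 0x04, "M": 0x02}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: int      # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    tcp_flags: int     # OR of the flags seen on the flow's packets
    tos: int           # ToS byte: priority in the top three bits
    duration_ms: int


def compile_bits(names, spec):
    """Turn {letter: 0 or 1} into (mask, value); letters left out are 'blank'."""
    mask = value = 0
    for letter, want in spec.items():
        if want not in (0, 1):
            raise ValueError(f"bit {letter!r} must be 0 or 1, or omitted")
        bit = names[letter]          # KeyError on an unknown letter
        mask |= bit
        if want:
            value |= bit
    return mask, value


def bits_match(field, names, spec):
    mask, value = compile_bits(names, spec)
    return (field & mask) == value


def matches(flow, protocols=None, dest_subnet=None, tcp_flags=None,
            tos_priority=None, tos_bits=None, duration_ge=None, duration_le=None):
    """True if the flow passes every filter that is set (None means unused)."""
    if protocols is not None and flow.protocol not in protocols:
        return False
    if dest_subnet is not None:
        network = ipaddress.ip_network(dest_subnet)
        if ipaddress.ip_address(flow.dst) not in network:
            return False
    if tcp_flags is not None:
        # Assumption: the TCP Flags filter only ever selects TCP flows.
        if flow.protocol != 6 or not bits_match(flow.tcp_flags, TCP_BITS, tcp_flags):
            return False
    if tos_priority is not None and (flow.tos >> 5) != tos_priority:
        return False
    if tos_bits is not None and not bits_match(flow.tos, TOS_BITS, tos_bits):
        return False
    if duration_ge is not None and flow.duration_ms < duration_ge:
        return False
    if duration_le is not None and flow.duration_ms > duration_le:
        return False
    return True


def select(flows, **criteria):
    return [flow for flow in flows if matches(flow, **criteria)]


def sources(flows):
    return [flow.src for flow in flows]


# Constructed sample flows (documentation and private addresses only).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 6, 0x02, 0x00, 0),       # S only, never acknowledged
    Flow("10.0.0.6", "192.0.2.10", 6, 0x1B, 0x00, 4200),    # S, A, P, F: complete session
    Flow("10.0.0.7", "239.1.1.1", 17, 0x00, 0xB8, 60000),   # UDP multicast, priority 5, D and T
    Flow("10.0.0.8", "192.0.2.10", 1, 0x00, 0x00, 10),      # ICMP
    Flow("10.0.0.9", "192.0.2.20", 6, 0x14, 0x10, 3),       # A and R, ToS D bit set
]

if __name__ == "__main__":
    print("S=1, A=0     :", sources(select(SAMPLE_FLOWS, tcp_flags={"S": 1, "A": 0})))
    print("UDP or ICMP  :", sources(select(SAMPLE_FLOWS, protocols={1, 17})))
    print("224.0.0.0/4  :", sources(select(SAMPLE_FLOWS, dest_subnet="224.0.0.0/4")))
    print("priority 5, D:", sources(select(SAMPLE_FLOWS, tos_priority=5, tos_bits={"D": 1, "R": 0})))
```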


Viewing Chart Data

Using NetFlow Tracker charts and tables you can quickly see areas of interest and examine these in further detail (see Figure 5).

Charts display the elements that contributed most to the overall total traffic or packet rate over the charted time range. By default, at most ten elements are shown but you can configure this on the Report Settings page. See “Setting up Reports” on page 53.

Figure 5 NetFlow Tracker Chart

Chart navigation and viewing options include:

• To view an earlier or later date, click the forward or back icon at the upper left corner of the chart. Note: When you move forward or back, the chart does not refresh.

• In drill-down charts, to change the chart view, select a different tab above the chart.

• To get more details on an item in the chart or table, click its link.

• To zoom in to the center of the chart, click the corresponding icon. To zoom in on a particular selection, first select that time range. Zooming in stops the chart from refreshing.

• To zoom out from the center of the chart, click the corresponding icon. Zooming out also stops the chart from refreshing.

• To select a time range, click and drag the mouse across the chart. You can then zoom in on the selection.

• To select the entire time range, click the corresponding icon.

• To drill into selected data, select a time range and right-click the selection. From the menu, select an item to create another chart for the selected time range.

• To view data as a pie chart, click the corresponding icon. See “Working with Pie Charts” on page 43.

• To view data in a table, click the corresponding icon. See “Working with Tables” on page 44.

• To alter the filter applied to a standard chart, click the corresponding icon.

• To view resolved domain names if a chart shows IP addresses, hold your mouse over the address.

• To refresh the view, click the corresponding icon.

• To reload the chart with all resolvable domain names shown, click the resolve all icon.

• To revert from viewing resolvable domain names and view only IP addresses, click the resolve available icon.

• To convert a chart to a CSV file, click the corresponding icon. You are prompted to open or save the file.

• To print the chart, click the corresponding icon.

• To open the chart in a new window, click the corresponding icon.

Figure 5 callouts: View data from an earlier or later date. Select the entire time range, zoom, and perform other actions. Hold mouse over data for details; right-click to run a report.

Working with Pie Charts

You can view most charts as a pie chart. A pie chart shows each element’s proportion of the total octets or packets during the entire time range.

• To return to the standard chart view, click the corresponding icon.

• Hold your mouse over a pie segment to highlight data in the table.

• Right-click a pie segment to create a report for that device. From the menu, select an item to create another chart for the selected time range.

Figure 6 Chart Report

Figure 6 callouts: Hold mouse over a segment to highlight corresponding table row. Right-click to run an ad hoc report.

Working with Tables

Device and Interface list pages use a tabular view, as do filtered reports you create. You can also view most charts as tables. A tabular view shows the entire time range in one table. It also shows every contributing element rather than just the largest ones.

Figure 7 Table Report

Figure 7 callout: Select and click Go to drill into row’s data.

Options include:

• To return to the standard chart view, click the corresponding icon.

• To navigate through tables of more than 25 rows, use the page navigation at the top of the table.

• To go to a specific position in the view, click in the scrollbar. A blue line or box on the scrollbar indicates the page shown and how much of the view the page represents.

• To sort items by name, address, traffic rate, or packet rate, click the column heading. Click again to sort items in the opposite order.

• In reports, to drill into a row’s data, select the radio button at the left of a row. (You can select only one row at a time.) Select a sub-report type from the drop-down list at the bottom of the page and click Go. For example, if you are viewing a report of source applications, you can select an application and view source addresses using that application. For more information, see Appendix B, “Report Templates.”

5: Viewing Long-term Data

Use long-term reports (Main Menu > Long-term Reports) to view aggregated data for periods up to multiple years at a granularity level you define in Database Settings. NetFlow Tracker provides reports on top devices and interfaces. To view custom long-term data, you must set up a long-term report. Because data is aggregated, long-term reports can take less time to run than real-time reports.

Topics include:

• Viewing Long-term Network Overview Data

• Viewing Long-term Device and Interface Data

• Filtering Long-term Data

See also:

• “Database Settings ” on page 89.

• “Creating Long-term Reports” on page 60.

Viewing Long-term Network Overview Data

The long-term data Network Overview (Main Menu > Long-term Reports > Network Overview) shows the top exporting devices and busiest interfaces on the network based on long-term data. From here, you can drill down to device and interface-specific application data. This page shows:


• A pie chart, stacked bar chart over time, and table showing the top five applications plus “Other” by percentage of total traffic rate. Average and peak traffic rates are also shown.

• Tables showing the top five in and out interfaces by average and peak percentage of usage.

• Tables showing the top five in and out interfaces by average and peak traffic rate.

Viewing options include:

• Click a device in the list to see its busiest interfaces. See “Viewing Interfaces” on page 34.

• Click an interface name to see its recent usage percentage, traffic rate, and packet rate data.

• Right-click a pie segment to create a report for that device. From the menu, select Source Addresses, Destination Addresses, or Recognized Applications to create another chart for the selected time range.

The granularity of long-term report data is based on your database settings. See “Database Settings ” on page 89.

Figure 8 Network Overview—Long-term Data

Figure 8 callouts: Hold mouse over a segment to highlight corresponding table row. Right-click to run an ad hoc report. Click to view top devices and interfaces. Click to view traffic and packet rates for interface.

Viewing Long-term Device and Interface Data

The long-term Devices and Interfaces pages (Main Menu > Long-term Reports > Devices) show NetFlow performance data from all devices and their interfaces. They are similar to the real-time versions, except for the following differences:

• A selector at the bottom of the page lets you change the time range of the current report or chart, and any reports or charts opened by interacting with it. Time options span from hours to years. The default setting is seven days, based on the time zone of the NetFlow Tracker server. To change this setting, see “Creating Long-term Reports” on page 60.

Note

If you zoom into or out of a long-term chart or drill into a selection (other than one selected using Select All), the time range selector is not available on the resulting chart.

• The long-term Devices and Interfaces pages show the peak and average traffic and packet rates. By contrast, real-time pages show the peak and most recent rates.

• When you select a range of time on a long-term device or interface chart and right-click to drill down, you can only access reports created as per-device, per-inbound interface or per-outbound interface in Report Settings.

See also:

• “Viewing Devices” on page 33.

• “Viewing Interfaces” on page 34.

Filtering Long-term Data

You can create a long-term report using the long-term Filter Editor, a simpler version of the real-time Filter Editor. It is the only way you can access custom long-term reports that are created as basic reports. Reports for source addresses, destination addresses, and recognized applications (per source device and inbound and outbound interfaces) are available.

To apply filters to long-term reports:

1 Select Main Menu > Long-term Reports > Filter Editor.


2 Select a long-term report and set whether to create a tabular report, chart, or pie chart.

3 For Source Data, select the data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the selection of the source data to create charts showing, for example, a month in day-long blocks.

4 Click Start time/End time or Length to set how much data the report will include:

• Pick the date and time of the earliest and latest data to consider. The default start time is six hours before you opened the Filter Editor.

• Set the length in units. The report will cover that number of units and end at the last full unit before the time it is opened.

5 Select a source device or interface to report upon. To select more than one device or interface you must save the filter.

6 To add a Time zone or Time mask filter or a saved filter, select from the drop-down list and click Add. The filter is added to the Filter Editor page. For more information, see Table 4 on page 38.

7 Click OK to apply the filter settings. The filter is directly applied. Click Save to save the filter for future use. See “Saving a Long-term Filter.”

Saving a Long-term Filter

When you save the filter, you can select multiple interfaces or devices for the filter, and you can apply the full range of filters to it.

To save a long-term filter:

1 Configure the long-term filter as described in “Filtering Long-term Data.” In the long-term Filter Editor, click Save.

2 Select an ID number and name.

3 (Optional) Add multiple interfaces or devices.

4 Select a filter from the drop-down list and click Add. For more information, see Table 4 on page 38.


6: Setting up Reports

Use the Report Settings page (Main Menu > Settings > Report Settings) to set up all reports and charts. Topics include:

• Reports Overview

• Applying General and Real-time Report Settings

• Saving Report Filters

• Scheduling Reports

• Creating Long-term Reports

• Creating Executive Reports

Reports Overview

You can create three types of reports:

• Real-time reports—View the last seven days of data (by default) in real-time at one-minute granularity.

• Long-term reports—View aggregated data for up to multiple years at a granularity level you define in Database Settings.

• Executive reports—An executive report is a pre-configured template that contains one or more reports or charts and HTML content that you define. Use an executive report to access often-used reports or to group related reports on one page.


Note

Avoid reporting from multiple devices and over long periods of time. Doing so can cause NetFlow Tracker to count some traffic multiple times.

Applying General and Real-time Report Settings

Table 5 General and Real-time Report Settings

| Section | Option | Definition |
| --- | --- | --- |
| General | Show hostnames in reports | Open reports and charts with all resolvable hostnames resolved and shown by default. |
| General | Show chart legends in descending order | Show the rows of a chart legend in the same order as the corresponding table or as the areas shown on the chart. |
| General | Show interface descriptions | Use the description of an interface, when available, in filter descriptions instead of the name. |
| General | Work around “click to activate” | Enable or disable the work-around for the “click to activate and use this control” message that appears over chart applets in Internet Explorer. Some combinations of operating system, browser, and Java plug-in do not work correctly when this is enabled. If applets do not show correctly or drilling down does not work, turn off this setting. |
| General | Default PDF page size | Set the default page size in a PDF version of a report or chart. If a report is too wide to fit on a page, the page is made proportionally bigger. |
| General | Landscape | Set the orientation of the report. Leave blank for portrait. |
| Real-time Reports | Rows per tabular report page | The number of rows shown on each page of a tabular report. Note: Device and interface status reports show all rows on a single page. |
| Real-time Reports | Elements considered per chart block | Determine the accuracy of a real-time chart. When a chart is generated only the largest elements are considered from each block. Because the highest overall elements may not be the highest elements in each block of the chart, set more elements from each block than the number of charted elements. |
| Real-time Reports | Charted elements | Set the maximum number of elements displayed on a chart, excluding the Others element. |
| Real-time Reports | Default time range | Set the time range used for any real-time report or chart where a time range is not specified. This is the time range of the Network Overview, device, interface, and AS status reports and charts and the default time range selected in the Filter Editor. |
| Real-time Reports | Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts. |

Saving Report Filters

In Report Settings, you can save filters and use these in the Filter Editor when creating real-time or long-term reports. For example, you may use a saved filter to attach a name to a time-of-day mask or a filter that selects traffic related to a particular multi-port application or group of servers.

To create a saved filter:

1 Select Main Menu > Settings > Report Settings.

2 Expand the Saved Filters setting.

3 Type a name in the box and click New.

4 In the New Saved Filter page, assign an ID. Select a filter and click Add. Then click OK. The filter is added to the list.

5 In the Saved Filters list on the Report Settings page, you have the following options:

• To edit or delete a filter, click its name.

• To copy a filter, click its icon.

• To change the order in which saved filters appear, click the up or down arrows.

6 Click OK.

Scheduling Reports

You can set up any real-time, long-term, or executive report as a scheduled report that you can email or save to a server location based on that schedule. In addition, you can generate scheduled reports on demand if they are included in the Reports page.


Figure 9 Report Settings—Scheduled Reports

To create a scheduled report:

1 Select Main Menu > Settings > Report Settings.

2 Expand the Scheduled Reports setting (see Figure 9).

3 To receive reports by email:

• For Email server address, enter the IP address or domain name of the SMTP server used to send scheduled report emails.

• For Send emails from, set the email address that is used as the “From:” address of mails sent by NetFlow Tracker.

4 To save reports to a server, for Save reports to enter the folder where scheduled reports are saved to. You can override this default location for any scheduled report.


5 Under Scheduled Report Name, enter a name. Use only alphanumeric characters.

6 Select a report type: Real-time, Long-term, Executive, or Custom. Choose Custom to create a report based on custom parameters. See Appendix C, “Report URL Parameters.”

7 Click New. The New Scheduled Report page is shown (see Figure 9). Here you can set up the report parameters (see Table 6).

8 Click OK. The scheduled report is added to the list on the Report Settings page.

9 In the Scheduled Reports list, you have the following options:

• To edit or delete a report, click its name.

• To copy a report, click its icon.

• To change the order in which reports appear, click the up or down arrows.

10 Click OK on the Report Settings page to apply the changes.

Table 6 New Scheduled Report Options

| Option | Definition |
| --- | --- |
| ID | The report’s identification number. |
| Name | The report name. Use only alphanumeric characters. |
| Description | The report description. |
| Include in reports menu | Show the report in the Reports page. |
| Run on demand | The report does not automatically generate and appears only in the Reports page. |
| Run once | The report runs once at the specified time on the date supplied for “Begin running this schedule on.” |
| Run every day | The report runs every day at the specified time, starting on the specified start date and optionally finishing on the specified end date. |
| Run every week | The report runs on the specified days of every week. |
| Run every month | The report runs on either the specified date of each month or on the specified week day (for example, the first Monday of each month). |
| Begin running this schedule on | Set the beginning date for the schedule. |
| End this schedule on | Set the end date for the schedule. |
| Delete report after schedule ends | If you select an end date, select this to delete the report on that date. Saved output is not deleted. Tip: You can use this with the “Run once” schedule option to run a particularly time-consuming report. |
| Output as | Options are PDF, HTML single file (MHTML), HTML zipped (which contains the HTML, stylesheets, and images), CSV, and XML. When a report is generated on-demand from the Reports page it is formatted in the normal interactive HTML format. |
| Save to | Save the report to a specified folder on the server. |
| Email to | Email the report as an attachment to the specified address. Enter the subject line and body of the email. |
| Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters to alter anything about the report that is not configurable using the Filter Editor. |
| Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Creating Long-term Reports

You can set up any report you created using the Filter Editor as a long-term report. A custom long-term report has a name, report template, and type. It can also have its own time mask, other filters, and storage settings that override those in Database Settings.

The report type determines how the report is accessed. Because a basic report is created across the entire system, put a filter on at least the source device. You can only access a basic report from the long-term report Filter Editor.

You can also create a long-term report for each device in the system or for each inbound or outbound interface. These reports can still have a filter or time mask. You can access a per-device, inbound, or outbound interface report from the long-term Filter Editor or by drilling down from the long-term device or interface charts.

Note

If you create a long-term report that includes only data from the real-time database, then the report’s granularity is one minute.


Figure 10 Report Settings—Long-term Reports

To create a long-term report:

1 Select Main Menu > Settings > Report Settings.

2 Expand the Long-term Reports setting (see Figure 10).

3 For Elements stored per sample, set the number of elements to store per sample. This controls the accuracy of long-term charts and tabular reports. It is similar to the number of elements considered per chart block.

4 For Tabular report rows, set the maximum number of rows to show on a tabular report. Note: The accuracy of a long-term tabular report depends upon the number of elements considered per sample.

5 For Charted elements, set the maximum number of elements shown on a long-term chart, excluding the Others element.


6 Select Standard long-term reports are disabled to turn off the standard set of per-device and per-interface long-term reports.

7 For Default time range, set the time span used for any long-term report where one is not set on a specific report.

8 Enter a report name. Use only alphanumeric characters.

9 Under Report Template, select a template. See Appendix B, “Report Templates.”

10 Select a report type. For more information, see Table 7.

11 Click New. The New Long-term Report page is shown (see Figure 9). Here you can set up the report parameters (see Table 6).

12 Click OK. The long-term report is added to the list on the Report Settings page.

13 In the Long-term Reports list, you have the following options:

• To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report.

• To copy a report, click its icon.

• To change the order in which reports appear, click the up or down arrows.

14 Click OK on the Report Settings page to apply the changes.

Table 7 New Long-term Report Options

| Option | Definition |
| --- | --- |
| ID | The report’s identification number. |
| Name | The report name. |
| Report Template | See Appendix B, “Report Templates.” |
| Type | Basic—Select source devices and interfaces for the report. Per source device—Run this report on all source devices. Per inbound interface—Run this report on all inbound interfaces. Per outbound interface—Run this report on all outbound interfaces. |
| Storage Options | Set the length of time to store data and its granularity. Note: Storage settings can impact system performance. See “Database Settings” on page 89. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Creating Executive Reports

An executive report is a pre-configured template that contains one or more sub-reports or charts and user-defined HTML content. Executive report filters are applied to sub-reports along with their own filters.

Figure 11 Report Settings—Executive Reports

To create an executive report:

1 Select Main Menu > Settings > Report Settings.

2 Expand Executive Reports (see Figure 11).

3 Enter a report name and click New.

4 On the New Executive Report page, apply the following settings:

a Enter a report ID, name, and description. For the name, use only alphanumeric characters.

b Check Include in reports menu to show the report on the Reports page. Note: Use unfiltered sub-reports with care if you select this. You will not be able to filter the executive report from the Reports page.

c Under Sub-report tag, enter the name of a sub-report to embed in the executive report. Select a type: Real-time, Long-term, or Custom. Click New. On the Sub-report page, set the parameters for the sub-report (see Table 8) and click OK. You can add as many sub-reports as you want.

d Click Add Row to add a content row to the executive report. You can then add cells to the row. Each row has one or more cells. You can set up a cell to span a number of columns. There are two types of cells: sub-report cells and HTML cells. See “Adding a Sub-report Cell” on page 66 and “Adding an HTML Cell” on page 68.

5 Click OK. The executive report is added to the list on the Report Settings page.

6 In the Executive Reports list, you have the following options:

• To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report.

• To copy a report, click its icon.

• To change the order in which reports appear, click the up or down arrows.

7 Click OK on the Report Settings page to apply the changes.

Table 8 Sub-report Options

| Option | Definition |
| --- | --- |
| Tag | The sub-report name. |
| Report template | See Appendix B, “Report Templates.” |
| Sample size: Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters. Note: If you select Default/Custom and do not add custom time range parameters, the time range is passed to the executive report, or the default real-time or long-term time range, according to the report. |
| Reload interval | The number of minutes between refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Adding a Sub-report Cell

On the New Executive Report page, you can add sub-report cells to the report. Select a sub-report from the list. See Table 9 for options.

Figure 12 Report Settings—Executive Reports

Table 9 Sub-report Cell Options

| Option | Definition |
| --- | --- |
| Sub-report | Sub-report name. |
| Output as pie chart | If the sub-report is a chart over time, select to output a pie chart. |
| Sections | Select the sections of the sub-report you want the cell to display. |
| Controls | Select the user-interface controls to enable. |
| Columns | Select which columns to show. |
| Chart | If the sub-report is a chart or pie chart, select which chart to show. |
| Output Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
| New Window Drilldown Settings | Select to include all sections, controls, and columns in the drill-down window. If you have set the Drilldown or Open in a new window options for a report cell, you must also set how the URL is modified to create the new window. You can show all sections and columns and allow all controls (which is usually the case for a complex layout). You can also specify custom parameters. Note: To remove a parameter from the new window’s URL, leave its value blank. |
| Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Adding an HTML Cell

From the New Executive Report page, you can add HTML content, such as explanatory text, links, or a company logo, to the report using HTML cells. Store images to include in the report in the “customweb” folder under NetFlow Tracker’s install folder. You can access these as “customweb/<filename>.<ext>”.

CSS style controls an HTML cell’s appearance. Three standard styles are offered:

• Report Title produces a cell that matches a report title.

• Report Description produces a cell with the blue background of a report’s time range and filter description. If you use this, enclose the text in the following HTML tag: <span class="repdesctext">Test</span>

• Content Cell produces a cell with a white background.

When an executive report is formatted as PDF only the three standard styles are used and all HTML tags are removed from the text.

You can control the layout of the report by moving rows up and down and cells left and right within their rows. To create complex layouts, make cells span multiple columns.

• To increase the cell by a column, click .

• To decrease the cell by a column, click .

• To delete a cell or row, click .

Viewing Executive and Real-Time Reports

You can view executive reports you have created from the Reports page (Main Menu > Reports). Select a report to view its contents. To create reports, see “Setting up Reports” on page 53.


7: Working with Alarms

Topics include:

• Alarms Overview

• Configuring Alarms

• Configuring Notification Settings

• Viewing Events

Alarms Overview

Alarms are proactive notifications of user-impacting performance problems on the network. Alarms are triggered by events—problems or other important incidents on the network.

When configuring an alarm, you choose the alarm type, metric, and the threshold type for permitted performance. You can set thresholds from specified values or from a baseline. NetFlow Tracker supports two types of alarms:

• Threshold alarms indicate changes in performance for a selected metric, such as traffic rate or conversation rate over time, based on the filters applied in the alarm. Threshold alarms compare recent performance against configured thresholds. They can use a baseline or specified values.

• Profile alarms indicate changes in the network. For example, the Recognized Applications profile alarm indicates which applications make up the traffic or packets observed in the last minute against the configured baseline. They always use a baseline.


Alarm Severity and Lifecycle

Alarms have two levels of severity: degraded and excessive. These identify less and more severe performance conditions. You can independently set the thresholds for degraded and excessive alarms.

An alarm’s severity can change over its duration. For example, an alarm that is initially generated as degraded can later change to excessive. Similarly, an alarm that was once excessive can later change to degraded.

An alarm ends when the performance improves or after the alarm times out. This occurs after traffic falls within the accepted threshold for one minute. This change in the severity of the alarm throughout its duration is referred to as the event lifecycle.

By default, alarms are removed after 7 days, as real-time data is replaced with more current data. You can set the length of time to keep real-time data in the database. For more information, see “Database Settings” on page 89.

Thresholds and Baseline Sensitivity

When configuring an alarm, you can set values for degraded (orange) and exceeded (red) thresholds or have the thresholds derived from a baseline.

Thresholds with specified values set minimum permitted standards for performance. Because of this, service level agreements (SLAs) are often defined in terms of fixed thresholds. This option can require more maintenance if you need to individually set thresholds for many different devices or addresses, or if performance thresholds are expected to change over time. Specified values are available for Threshold alarms only.

When you set alarm thresholds using baselines, the sensitivity setting is used to derive the alarm performance thresholds from the baselines. A baseline records normal network behavior against which future network problems and important incidents are measured. The alarm sensitivity controls how a threshold is calculated in relation to the baseline average and standard deviation. Because a default sensitivity value must apply consistently across many different baselines and also across individual baselines as they change over time, sensitivity is a relative value.

There are two types of baselines:

• Static—This baseline is calculated at the beginning and not updated. It is useful when performance is usually stable and consistent. In these cases, static baselines are often simpler to configure and maintain than specified value thresholds.

• Weekly—This baseline is most useful for detecting sudden changes from recent performance. Weekly updated baselines change to reflect recent performance. As baselines change over time, the thresholds adapt to these changes.

To configure alarm thresholds that use baselines, adjust the sensitivity slider. The maximum sensitivity for both thresholds is 10.

Alarming for Persistent Changes

The “Alarm only for persistent change” option blocks out alarms that are based on random and transitory changes that are too short-lived to require attention. When this setting is enabled, an alarm is generated only when the most recent performance is consistently above the performance threshold. This lets you focus on user-impacting performance changes.

Alarms marked for persistent changes are based on the most recent 20 minutes of data taken at one-minute samples by NetFlow Tracker. Alarms not marked for persistent changes are based on the most recent minute of data only.

Alarm status is checked every minute. After every check, new alarms can be generated, existing alarms can end, or alarms can continue.
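
The following added example (not NetFlow Tracker code and not part of the original guide) models baseline-derived thresholds and the persistent-change option on a constructed one-minute traffic series. Assumptions: the mapping from sensitivity to a standard-deviation multiplier, the reading of "consistently above" as every sample in the 20-minute window, and all names and sample data are hypothetical.

```python
from statistics import mean, pstdev

WINDOW = 20           # guide: persistent-change alarms use the last 20 one-minute samples
MAX_SENSITIVITY = 10  # guide: maximum slider sensitivity for both thresholds

# Constructed data: a baseline with mean 100 and standard deviation 10, and a
# traffic-rate series with a 3-minute burst followed by 25 minutes of sustained load.
BASELINE = [90, 110] * 30
SAMPLES = [100] * 10 + [200] * 3 + [100] * 10 + [140] * 25 + [100] * 5


def threshold(baseline, sensitivity):
    """Derive a threshold from the baseline average and standard deviation.

    ASSUMPTION: threshold = mean + k * stdev with k = 11 - sensitivity, so a
    higher sensitivity gives a lower threshold. The guide does not publish
    the product's actual mapping.
    """
    if not 1 <= sensitivity <= MAX_SENSITIVITY:
        raise ValueError("sensitivity must be between 1 and 10")
    k = MAX_SENSITIVITY + 1 - sensitivity
    return mean(baseline) + k * pstdev(baseline)


def minute_states(samples, degraded, excessive, persistent=True):
    """Return one state per one-minute sample: Normal, Degraded, Exceeded or No Data.

    ASSUMPTION: "consistently above" means every sample in the 20-minute
    window is above the threshold. Without the persistent option only the
    most recent minute is compared.
    """
    if degraded > excessive:
        raise ValueError("degraded threshold must not exceed the excessive threshold")
    span = WINDOW if persistent else 1
    states = []
    for i, current in enumerate(samples):
        if current is None:              # no flow data arrived for this minute
            states.append("No Data")
            continue
        window = samples[max(0, i - span + 1): i + 1]

        def held(limit):
            # A short window (start of the series) or a gap cannot be "consistent".
            return len(window) == span and all(
                v is not None and v > limit for v in window)

        if held(excessive):
            states.append("Exceeded")
        elif held(degraded):
            states.append("Degraded")
        else:
            states.append("Normal")
    return states


def events(states):
    """Collapse per-minute states into (start_minute, end_minute, max_severity).

    A Normal minute closes the open event (the guide's one-minute rule);
    treating a No Data minute the same way is an ASSUMPTION.
    """
    found, start, worst = [], None, None
    for minute, state in enumerate(states + ["Normal"]):  # sentinel closes a trailing event
        if state in ("Degraded", "Exceeded"):
            if start is None:
                start, worst = minute, state
            elif state == "Exceeded":
                worst = "Exceeded"       # severity can rise during the event lifecycle
        elif start is not None:
            found.append((start, minute - 1, worst))
            start = None
    return found


if __name__ == "__main__":
    degraded = threshold(BASELINE, 8)    # 100 + 3 * 10
    excessive = threshold(BASELINE, 5)   # 100 + 6 * 10
    for persistent in (False, True):
        found = events(minute_states(SAMPLES, degraded, excessive, persistent))
        print("persistent" if persistent else "every minute", found)
```

With the persistent option, the three-minute burst produces no event, and the sustained load raises a Degraded event only once 20 consecutive minutes are above the degraded threshold.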


Baseline Learning and Reset

For the baseline to accurately reflect performance, time is required to gather data. The following states are possible:

• Learning—Baselines are still learning the typical network performance. Alarms are not generated.

• Available—There is enough data to calculate a profile of typical network performance. However, more data is desired for a more accurate profile. Alarms are generated.

• Complete—The profile has a good sample of data to calculate reliable profiles. Alarms are generated.

These states are shown in the Alarm List (Settings > Configure Alarms).

Only available and complete baselines are used to set thresholds and generate alarms. NetFlow Tracker can collect enough data in a day to create an available baseline. A complete baseline usually takes a week.

Note

When you first install NetFlow Tracker or change alarm parameters, baselines are reset. NetFlow Tracker must “learn” the normal network performance and generate new baseline profiles.

Static baselines are static only after the status is Complete. When the status of a static baseline is Available, the baseline is still adjusting.

Tips and Techniques

In general, configuring alarm thresholds too low results in too many alarms that are ignored and makes it difficult to identify the more serious problems as they arise.

Note:

• Always enable the “Alarm only for persistent change” option unless there is a specific reason to disable it.


• To disable Degraded alarms but leave Excessive alarms enabled, set the Degraded threshold to match the Excessive threshold.

• If your network experiences poor performance that an alarm is not identifying, decrease the threshold. If alarms are being generated but the performance is acceptable, increase the threshold.

Configuring Alarms

Use the Alarm List page (Settings > Configure Alarms) to manage and create alarms. For each alarm, the name, type, template, exceeded and degraded thresholds, filter, and persistent changes settings are shown.

Options include:

• To view events triggered by an alarm, click . See “Viewing the Event List” on page 79.

• To add a new alarm, click New. See “Creating an Alarm.”

• To edit an alarm, click its name.

• To delete an alarm, select its checkbox and click Delete.

Creating an Alarm

In NetFlow Tracker, you can create up to 100 alarms.


Figure 13 Creating an Alarm

To create an alarm:

1 Select Main Menu > Settings > Configure Alarms.

2 Click New. The Create Alarm page is shown.

3 Enter a name.

4 Select an alarm type:

• Threshold Alarm—Indicates changes in performance. You can use a baseline or specified values.

• Profile Alarm—Indicates changes in the network. You can use a baseline only. Select a report template for the alarm.

5 Select a metric. Available metrics vary based on the alarm type and, for Profile alarms, the report template:

• For Threshold alarms, select: Traffic Rate, Packet Rate, Address Pair Rate, or Conversation Rate.

• For Profile alarms, select: Traffic Rate, Packet Rate, Destination Address Count, or Conversation Count, and Source Address Count.

6 Set the source device. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices, some or all traffic may be counted multiple times.


7 Select a filter and click Add. For more information, see Table 4 on page 38.

8 Set Alarm only for persistent change to exclude alarms that do not fall into a consistent pattern over a 20-minute period and may represent random jumps in data.

9 Set the threshold type:

• Weekly Baseline—The baseline adjusts weekly, based on current data. Adjust the slider to set the alarm sensitivity.

• Static Baseline—The baseline does not adjust once it is complete. Adjust the slider to set the alarm sensitivity.

• Specified Values—Available only for Threshold alarms. Set the degraded and exceeded thresholds.

For more information, see “Thresholds and Baseline Sensitivity.”

10 Click OK.

Configuring Notification Settings

NetFlow Tracker generates SNMP traps when an alarm first exceeds its threshold, when it returns below its threshold, and when it changes from a degraded to excessive state for the first time. You can set up NetFlow Tracker to send event notifications to any platform that can receive them.

To configure notification settings:

1 Select Main Menu > Settings > Notification Settings.

2 Enter the IP address of the trap receiver.

3 Enter the SNMP port number and community.

4 Select the SNMP version: SNMP V1 or SNMP V2C.


Viewing Events

Events are displayed at one-minute granularity. Events are removed as real-time data is removed, by default after seven days. You can view events in the following ways:

Viewing the Events Timeline

To view degraded and exceeded events in chart format over time, select Main Menu > Events Timeline.

Figure 14 Events Timeline

Options include:

• To view data in chart format based on the report template used, click the alarm name.

• To view event data for a point in time, right-click and select from the menu.

• You can also move the chart back and forward in time, zoom in and out, or view the data in a table. For more information, see “Viewing Chart Data” on page 42.

Viewing the Event List

Use the Event List to view events in table format. To access the page:

• Select Main Menu > All Events.

• From the Events Overview, select a time view and click (table icon) to view events for that time.

• From the Event Details page, click OK.

Viewing options include:

• To view data in chart format based on the report template used, click the alarm name.

• To view the event lifecycle, click .

Figure 15 Event List

Viewing the Event Lifecycle

To view event lifecycle information, click on the Event List.

The Event Lifecycle page shows the alarm name and type, the event start and end time, duration, current status, initial and maximum severity levels, and a bar chart showing status over its life. The four states are:

• Exceeded— (Red) The conditions have surpassed the Excessive threshold or baseline setting.

• Degraded— (Orange) The conditions have surpassed the Degraded setting but have not reached the Excessive setting.

• Normal— (Green) The conditions have not reached the Degraded setting.

• No Data— (Black) No data was available.

Click the chart to view data based on the selected alarm template. The resulting chart shows performance against the Degraded and Excessive thresholds for the alarm.

8: Optimizing NetFlow Tracker

Using Settings, you can determine how data is gathered and managed, and optimize NetFlow Tracker performance. Topics include:

• Data Display and Filtering Settings

• Data Management and System Performance Monitoring

For other settings, see:

• “Setting up NetFlow Tracker” on page 15.

• “Setting up Reports” on page 53.

• “Creating an Alarm” on page 75.

• “Configuring Notification Settings” on page 77.

Data Display and Filtering Settings

Use these settings to apply additional filters and to set up NetFlow Tracker for use through a management portal. Topics include:

• Management Portal Settings

• IP Application Names

• DiffServ Names

• Hostname Resolution Settings

• Subnet Names

• AS Names

Management Portal Settings

Use Management Portal Settings to set up access to NetFlow Tracker through a management portal (such as the Visual Performance Manager Web Portal).

NetFlow Tracker lets users of a management portal have device or interface-level access to interactive reports, as long as the portal’s HTTP proxy server can conceal the initial URL sent to NetFlow Tracker and can direct subsequent HTTP requests from the user interacting with the page to the NetFlow Tracker server. You may use an Apache web server as a proxy if the management portal does not contain one or is not sufficiently programmable. See “Using Apache as a Portal Server” on page 83.

Note

When using management portal settings, you must use password protection to prevent the system from being bypassed. See “Applying Security Settings” on page 26.

To set up portal access control:

1 Select Main Menu > Settings > Management Portal Settings.

2 Under Tag, enter a tag that is used to identify the secret value if you need to change or delete it.

3 Under Secret, enter the secret value and under Confirm, enter the secret value again. To remove a secret value, check its box and click Delete.

4 Click Add.

5 Click OK.

How Access Control Works

A user’s web browser requests a URL from the portal’s proxy server that identifies a particular NetFlow Tracker report. For example:

http://<proxy>/NetFlow Tracker1/report1

The portal’s proxy server sends a request to the NetFlow Tracker server that selects the report and contains one of the configured secret values and some access control parameters describing what the user can access:

http://<NetFlow Tracker1>/report.jsp?portalsecret=<secret>&aclif=...

NetFlow Tracker creates a session for the portal and logs it in. This session is restricted so that only requests containing access list identifiers are accepted.

The report generated by NetFlow Tracker ensures that any interaction (such as clicking a link) results in a request containing a securely-generated access list identifier:

http://<proxy>/NetFlow Tracker1/report.jsp?portalacl=...

The portal’s proxy server sends the unaltered request to the correct NetFlow Tracker server:

http://<NetFlow Tracker1>/report.jsp?portalacl=...

Using Apache as a Portal Server

The Apache web server supports several directives in its configuration file (httpd.conf) for use as a programmable proxy server:

Table 10 Apache Web Server Commands

Command: RewriteEngine On
Definition: Enables the URL rewriting module.

Command: RewriteRule "^/NetFlow Tracker1/report1$" http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L]
Definition: Sets up a rule to proxy requests for http://<proxy>/NetFlow Tracker1/report1 to an access controlled request to the NetFlow Tracker server.

Command: RewriteRule "^/NetFlow Tracker1/(.*)$" http://1.2.3.4/$1 [P,L,QSA]
Definition: Sets up a rule to proxy any requests for URLs starting with http://<proxy>/NetFlow Tracker1/ to an equivalent request to the NetFlow Tracker server.

Command: ProxyPassReverse "/NetFlow Tracker1/" http://1.2.3.4/
Definition: Makes sure that NetFlow Tracker handles the HTTP redirects correctly when it creates a session for the portal and logs it in.
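The first rule in Table 10 carries the secret, and the portal conceals it only because the [P] flag makes Apache fetch the URL itself; without [P], mod_rewrite answers an absolute URL on another host with a redirect. The following Python check is an added example, not part of the guide or the product: it reads httpd.conf text and reports secret-bearing rules that are not proxied or that append the browser's query string. The function names and the second sample configuration (including report2) are constructed for illustration.

```python
import shlex

# Long flag names that mod_rewrite accepts, mapped to their short forms.
FLAG_ALIASES = {"PROXY": "P", "REDIRECT": "R", "QSAPPEND": "QSA", "LAST": "L"}


def rewrite_rules(conf_text):
    """Return (line_no, pattern, substitution, flags) for every RewriteRule."""
    rules = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        try:
            # shlex honours the quotes needed for a path that contains a space.
            parts = shlex.split(text)
        except ValueError:
            continue  # unbalanced quotes: not a directive this check can read
        if len(parts) < 3 or parts[0].lower() != "rewriterule":
            continue
        flags = set()
        flag_text = "".join(parts[3:])  # tolerates "[P, L]" written with spaces
        if flag_text.startswith("[") and flag_text.endswith("]"):
            for flag in flag_text[1:-1].split(","):
                name = flag.split("=", 1)[0].strip().upper()
                flags.add(FLAG_ALIASES.get(name, name))
        rules.append((line_no, parts[1], parts[2], flags))
    return rules


def audit(conf_text):
    """Return (line_no, message) for rules that could disclose the portal secret."""
    findings = []
    for line_no, _pattern, target, flags in rewrite_rules(conf_text):
        if "portalsecret=" not in target:
            continue  # only the access-controlled rule carries the secret
        if "P" not in flags or "R" in flags:
            findings.append((line_no, "secret-bearing rule is not proxied: an "
                             "absolute URL on another host becomes a redirect "
                             "that the browser can read"))
        if "QSA" in flags:
            findings.append((line_no, "QSA appends the browser's query string "
                             "to the request that carries the secret"))
    return findings


# The rules from Table 10, with the path quoted because it contains a space.
PAGE_RULES = '''\
RewriteEngine On
RewriteRule "^/NetFlow Tracker1/report1$" http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L]
RewriteRule "^/NetFlow Tracker1/(.*)$" http://1.2.3.4/$1 [P,L,QSA]
ProxyPassReverse "/NetFlow Tracker1/" http://1.2.3.4/
'''

# Constructed variants: line 2 lost its [P] flag, line 3 gained QSA.
WEAK_RULES = '''\
RewriteEngine On
RewriteRule "^/NetFlow Tracker1/report1$" http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [L]
RewriteRule "^/NetFlow Tracker1/report2$" http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L,QSA]
'''

if __name__ == "__main__":
    for name, conf in (("Table 10 rules", PAGE_RULES), ("weak rules", WEAK_RULES)):
        print(name, audit(conf) or "no findings")
```

The catch-all rule keeps QSA because it must pass the portalacl parameter through unaltered; the check only objects to QSA on the rule that adds the secret.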

IP Application Names

Use IP Application Names to apply custom applications and ports that you want to track. You can define simple and grouped applications.

Figure 16 IP Application Name Settings

Defining a Simple Application Name

A simple IP application is determined by its protocol (for example TCP or UDP) and an application port number. Applications you define here are used to display readable names in reports.

Protocol name and port numbers correspond directly to specific network applications. Many are predefined (well-known ports) while others (registered ports) are defined by the software manufacturer.

NetFlow Tracker comes configured with the well-known ports in addition to many others. For a list of all well-known and registered ports, see http://www.iana.org/assignments/port-numbers.

To define a single application:

1 Select Main Menu > Settings > IP Application Names.

2 Under Protocol, select a protocol from the drop-down list.

3 Under Port, enter a port number. By default, ports below 1024 are not shown on this page. To see them, click (more…).

4 Under Name, enter a unique name.

5 Click Add. To delete an application, select its checkbox and click Delete.

6 On the IP Application Names page, click OK.

Defining a Grouped Application Name

You often need more than a simple application port to correctly identify an application.

In IP Application Names settings, you can create multiple grouped applications, with each grouped application containing multiple rules. A rule consists of at least one IP address and a range of port numbers for a given protocol, traffic class, or identified application. Each item in a rule is optional. Traffic that passes at least one rule is considered part of that application.

To avoid double-counting data between single and grouped applications, grouped applications have a configurable precedence. Each group has a higher precedence than any simple application. If traffic is considered part of more than one grouped application, the one with the highest precedence is chosen.

A grouped application also has a unique identifier that is used when creating long-term report data and in filter URLs. Because long-term data uses identifiers, assign these carefully.
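The matching and precedence rules described above can be traced with a short model. This Python code is an added example, not NetFlow Tracker's own implementation: it covers only the address range, protocol and port items of a rule, and it assumes that an address or port may match either end of a flow and that a larger precedence number wins. All names, identifiers and flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    protocol: str          # "tcp" or "udp"
    src: str
    dst: str
    src_port: int
    dst_port: int
    octets: int


@dataclass(frozen=True)
class Rule:
    """One rule of a grouped application; None means the item was left empty."""
    network: Optional[str] = None             # address range in CIDR form
    protocol: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None   # inclusive port range

    def matches(self, flow):
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        if self.network is not None:
            net = ip_network(self.network)
            # Assumption: the address may be either end of the conversation.
            if ip_address(flow.src) not in net and ip_address(flow.dst) not in net:
                return False
        if self.ports is not None:
            low, high = self.ports
            # Assumption: the range may match the source or destination port.
            if not (low <= flow.src_port <= high or low <= flow.dst_port <= high):
                return False
        return True


@dataclass(frozen=True)
class GroupedApp:
    ident: int             # identifier stored in long-term data
    name: str
    precedence: int        # assumption: larger number = higher precedence
    rules: Tuple[Rule, ...]

    def matches(self, flow):
        # Traffic that passes at least one rule is part of the application.
        return any(rule.matches(flow) for rule in self.rules)


def classify(flow, grouped, simple):
    """Name the one application a flow is counted under, or None."""
    hits = [app for app in grouped if app.matches(flow)]
    if hits:
        # Any grouped application outranks every simple application.
        return max(hits, key=lambda app: app.precedence).name
    for port in (flow.dst_port, flow.src_port):
        name = simple.get((flow.protocol, port))
        if name is not None:
            return name
    return None


def octets_by_application(flows, grouped, simple):
    """Total octets per application; each flow is counted exactly once."""
    totals = {}
    for flow in flows:
        name = classify(flow, grouped, simple) or "unclassified"
        totals[name] = totals.get(name, 0) + flow.octets
    return totals


# Constructed configuration and flows (documentation address ranges).
SIMPLE = {("tcp", 443): "https", ("tcp", 22): "ssh"}
GROUPED = [
    GroupedApp(1001, "Payroll", 20, (Rule("192.0.2.0/28", "tcp", (443, 443)),)),
    GroupedApp(1002, "Data centre", 10, (Rule(network="192.0.2.0/24"),)),
]
FLOWS = [
    Flow("tcp", "10.1.1.5", "192.0.2.10", 51000, 443, 1000),    # both groups match
    Flow("tcp", "10.1.1.5", "198.51.100.7", 51001, 443, 2000),  # simple name only
    Flow("udp", "10.1.1.6", "192.0.2.200", 5353, 9999, 300),    # broad group only
    Flow("tcp", "10.1.1.7", "203.0.113.9", 40000, 40001, 50),   # nothing matches
]

if __name__ == "__main__":
    print(octets_by_application(FLOWS, GROUPED, SIMPLE))
```

If the broad Data centre group were given the higher precedence, it would absorb every Payroll flow, which is why precedence has to be set deliberately when rules overlap.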

To define a grouped application:

1 Select Main Menu > Settings > IP Application Names.

2 On the lower part of the page, enter a unique identification number and name for the application.

3 Set the precedence of the application.

4 Click New. The Grouped Application page is shown.

5 Apply an address range, protocol, port or port range, traffic class, identified application, and click Add. To delete a grouped application, select its checkbox and click Delete.

Note

Do not change the identifier of an existing grouped application because long-term data uses this. Use caution when deleting grouped applications.

6 Click OK.

7 On the IP Application Names page, click OK.

DiffServ Names

Use DiffServ Names settings to assign names to each of the 64 differentiated service code points. Standard code point names are already configured.

To add a DiffServ name:

1 From the NetFlow Tracker Main Menu, select Settings > IP Application Names.

2 Enter the DiffServ codepoint and name.

3 Click Add. To remove a code name from the list, select its checkbox and click Delete.

4 Click OK.

Hostname Resolution Settings

Use Hostname Resolution Settings to configure aspects of the resolution of hostnames for addresses encountered on reports. These names are kept to increase reporting speed and reduce the amount of network traffic NetFlow Tracker generates when generating a report. You can set the length of time to store resolved hostnames and failed lookups in cache. You can also control the size of the cache and the number of threads used to resolve hostnames.

Note:

• If hostname resolution is not working, click Defaults and then OK to return to useful default values.

• To clear the cache of resolved hostnames, clear Enable hostname resolution and click OK. Then return to the Hostname Resolution settings page and check this setting again.

To set hostname resolution:

1 Select Main Menu > Settings > Hostname Resolution.

2 Select Enable hostname resolution.

3 Set the length of time to cache successful lookups. The default is 1800 seconds (30 minutes).

4 Set the length of time to cache failed lookups. The default is 10 seconds.

5 Set the maximum number of cached lookups and concurrent resolutions.

6 Click OK.

Subnet Names

Use Subnet Names to assign names to the IP subnets that appear in reports. You define an IP subnet by its network address and mask length. Subnet names you define here are shown in subnet reports. Because routers may use different mask lengths to route different traffic, you can assign names to overlapping subnets.

To set subnet names:

1 Select Main Menu > Settings > Subnet Names.

2 Enter the subnet IP address and a mask.

3 Enter a unique subnet name.

4 Click Add. To delete a subnet, select its checkbox and click Delete.

5 Click OK.

AS Names

Use AS Names to assign names to autonomous system (AS) numbers appearing in reports.

• AS numbers from 0 to 34816 are assigned by several agencies; NetFlow Tracker comes with many of these ASes already named. You can, however, edit these.

• Numbers between 34816 and 64511 are held by the IANA and are not available for use.

• Numbers from 64512 to 65535 are available for use.

The AS names you define here are shown in reports.

To set AS names:

1 Select Main Menu > Settings > AS Names.

2 Enter an AS number. To assign or edit the name of a public or reserved AS, click (more…).

3 Enter a unique subnet name.

4 Click Add. To delete a subnet, select its checkbox and click Delete.

5 Click OK.

Data Management and System Performance Monitoring

Use these settings to manage the database, back up and archive data, allocate memory, and monitor system performance. Topics include:

• Database Settings

• Backup

• Archiving

• Memory Settings

• Making Sure That Data is Received

Database Settings

Use Database Settings to improve the performance of reports and charts and to change the number of days for which data is stored (see Table 11).

Table 11 Database Settings

Option: Expect large result sets
Definition: Controls how the database server manipulates raw data. Leave the default setting, Auto, to let the database optimize itself. If you have a fast disk subsystem, set this to Always to make sure reports with large amounts of data perform well. If you have a slower disk subsystem, a lot of RAM, and a relatively small amount of data, consider setting this to Never. Note, however, that reports with large amounts of data may take much longer to run.

Option: Maximum in-memory temporary table size
Definition: The maximum amount of memory the database server will use during a query when you do set “Expect large result sets” to Never. Increasing this increases the amount of data that it can report before performance drops significantly.

Option: Sort buffer size
Definition: The size of the buffer used to reduce the amount of disk seeks when sorting rows for grouping or final display. Increasing this improves reporting speed. You are unlikely to see any benefit for sizes above 128MB.

Option: Hold back real-time data for
Definition: Set the number of seconds after its end that each one-minute sample of real-time data is held in RAM before being committed to disk. You may need to increase this to avoid ignored flows.

Option: MySQL can not access temporary files
Definition: Leave clear to improve the database performance. However, on Unix if the user you run as has a umask that creates temporary files that MySQL cannot read, check this setting.

Option: Number of threads to use to generate a report
Definition: Set the number of threads used to generate real-time charts over time and pie charts. Do not set this to more than the number of CPU cores in your system. You are unlikely to see any benefit beyond 4.

Option: Store real-time data for
Definition: Change the number of days full real-time data is stored for. Reduce this to save disk space. Increase this if you have enough free space.

Option: Store long-term report data for...
Definition: Change how long the different types of long-term data are stored. Each type of data allows a long-term chart to display blocks of that size. If the block size is not specified when opening a long-term report, then the closest available size to the ideal for the selected time range is used.

Option: Use compression
Definition: Reduce the amount of disk space used. Note: Reducing the disk space is likely to slow down report generation.

Backup

Use Backup settings to back up the configuration of your NetFlow Tracker server and its real-time and long-term databases.

Note

A full backup can take a long time to complete and uses a large amount of disk space. Test the effect a full backup has upon the system before scheduling it.

You can start a backup on demand or configure a schedule. The folder’s contents are erased before the backup, so make sure that you move scheduled backups to long-term storage if you need to save space. Schedule a backup to different locations on alternate days.

To back up data:

1 Select Main Menu > Settings > Backup.

2 For a scheduled backup:

a Enter the scheduled time and days.

b Select the databases to include.

c Enter the destination folder on the NetFlow Tracker server.

d Click Add. To delete a scheduled backup, select its checkbox and click Delete.

3 For an on-demand backup:

a Enter the destination folder on the server.

b Select the databases to include.

c Click Start.

4 Click OK.

To restore a backup:

1 Install your previous version of NetFlow Tracker. To obtain this, contact Fluke Networks TAC.

2 On Windows, open a command prompt and issue the following commands, replacing paths as appropriate. (<enter> means to press the Enter key.)

c: <enter>

cd \nftracker <enter>

runany c:\nftracker c:\progra~1\java\j2re14~1.2_0 com.crannogsoftware.ulysses.CRestore -sourcefolder c:\nftbackup <enter>

On Linux, type the following commands in a terminal, again replacing paths as appropriate:

cd /usr/local/nftracker <enter>

./runany com.crannogsoftware.ulysses.CRestore -sourcefolder /var/nftbackup <enter>

chown -R nft:nft .systemPrefs

chown -R mysql:mysql /var/lib/mysql/crannog_ulysses

chown -R mysql:mysql /var/lib/mysql/crannog_ulysses_longterm

Archiving

Use Archiving settings to archive real-time data instead of deleting it when it exceeds the length of storage time configured in Database Settings. You can set the archive location and access archived data by mounting the archive containing the data you want to examine and using the Filter Editor.

Note:

• You must enable archiving for each device that you want to archive data from in Device Settings. See “Database Settings” on page 89.

• Archived data is not deleted. You must move archived data to long-term storage in a timely manner.

• You cannot mount an archive from a device that was deleted or was never present on the server.

• Mounting and unmounting archives does not affect the archive file itself.

• You can restore archived data from NetFlow Tracker v4.0.

You can store all archives in the archive folder or in subfolders for each device or day.

To mount an archive:

1 Select Main Menu > Settings > Archiving.

2 Under Mount Archives, enter the directory containing the archive and click List.

3 Select archives and click Mount. When archives are mounted they appear under Currently Mounted Archives. To unmount these, select and click Unmount.

4 Click OK.

Memory Settings

Use Memory Settings to control the amount of initial and maximum memory used by NetFlow Tracker. During normal operation, NetFlow Tracker uses a small amount of memory, so in most cases you do not need to change the default settings.

Note the following:

• By incorrectly allocating memory you can prevent NetFlow Tracker from functioning properly.

• The Memory Settings page is not available on Unix installations. To change the memory settings on Unix you must edit the start script.

A: Setting up NetFlow on Network Devices

Topics include:

• Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch

• Configuring NetFlow Input Filters for Traffic Class Reporting

• Enabling Flow Detail Records on a Packeteer Device

• Enabling NetFlow on an Enterasys Device

• Enabling sFlow on a Foundry Device

For information about other supported flow standards and devices, see the Fluke Networks Knowledge Base.

Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch

Only users experienced in configuring Cisco devices should attempt to apply these commands. If you are in doubt, contact your network administrator or Cisco consultant. Note: If you are running hybrid mode on a layer 3 switch you must set up IOS on the MSFC and CatOS on the Supervisor Engine. Native IOS also requires extra commands which are documented in the following sections. For more information, see http://www.cisco.com/go/netflow.

Enabling NetFlow Export on an IOS Device

In configure mode on the router or MSFC, issue the commands in Table 12 to enable NetFlow export:

Table 12 IOS NetFlow Commands

Command: ip cef
Definition: Enables Cisco Express Forwarding, which is required for NetFlow in most recent IOS releases.

Command: ip flow-export destination <address> 2055
Definition: Use the address of your NetFlow Tracker server and one of the ports configured in the Listener Ports settings page. Port 2055 is monitored by default.

Command: ip flow-export source loopback 0
Definition: The source interface is used to set the source IP address of the NetFlow exports that the router sends. NetFlow Tracker makes SNMP requests of the router on this address. If you experience problems, set the source interface to an Ethernet or WAN interface instead of the loopback.

Command: ip flow-export version 5 [peer-as | origin-as] or ip flow-export version 9 [peer-as | origin-as]
Definition: Sets the export version. NetFlow Tracker supports IOS versions 5 and 9. If you have a Native IOS switch you may need to use version 9 to work around an issue. If your router uses BGP, you can include the origin or peer ASes in exports. You cannot include both.

Note: Enabling or disabling NetFlow versions 5 or 9 on a 12000 series router causes packet forwarding to stop for a few seconds while the route processor and line card CEF tables reload. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-configuration file to be executed during a router reboot.

Command: ip flow-cache timeout active 1
Definition: Breaks up long-lived flows into one-minute segments.

Command: ip flow-cache timeout inactive 15
Definition: Makes sure that flows that have finished are exported in a timely manner.

Command:
interface <interface>
ip route-cache flow or ip flow ingress or ip route-cache cef
bandwidth <kbps>
exit
Definition: Enable NetFlow on each interface through which the traffic you are monitoring flows (normally the Ethernet and WAN interfaces). Note: There are several commands to enable NetFlow on an interface and you must use the same command for every interface.

ip route-cache flow and ip flow ingress enable NetFlow for inbound traffic on the interface, but you apply the latter to individual sub-interfaces and the former to the physical interface. Do not enable NetFlow for a physical interface and one or more of its sub-interfaces.

ip flow egress enables NetFlow for outbound traffic on the interface and is required if you are using input filters. You may enable NetFlow for both inbound and outbound traffic on a single interface. In this case, make sure that no other interface has NetFlow enabled.

Egress NetFlow is also useful if you are monitoring a router that applies QoS to the traffic it routes. By using egress NetFlow, you see QoS settings that the router applied rather than those on the traffic before it was routed.

You may also need to set the speed of the interface in kilobits per second. It is important to do this for frame relay or ATM virtual circuits. Note: A Catalyst 4000 series switch does not support any of the commands to enable NetFlow for an interface. Instead, NetFlow is enabled for all interfaces using the following special command.

Command: show ip flow export
Definition: Shows the current NetFlow configuration. Issue this in normal (not configuration) mode.

Command:
show ip cache flow
show ip cache verbose flow
Definition: These commands issued in normal mode summarize the active flows and indicate how much NetFlow data the router is exporting.

Enabling NDE on a Native IOS Device

In addition to commands listed in Table 12, use the commands in Table 13 to get NetFlow information on route-switched traffic from a Catalyst 6000 or above. These are not required for a Catalyst 4000 series.

Table 13 IOS NDE Commands

Command: mls netflow
Definition: Enables NetFlow on the supervisor.

Command: mls nde sender version 5 or mls nde sender version 7
Definition: Sets the export version. Due to IOS issues, the export version you must use on the supervisor depends on your hardware configuration and IOS version:

• Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5. Note: This configuration causes Performance Counters to report missed flows that are not actually missed as a result of an IOS bug fixed in the SXF strains.

• Distributed Forwarding Cards and older than 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S or 12.2(17a)SX: This configuration causes serious problems. Contact Fluke Networks TAC if your device matches this description.

• No Distributed Forwarding Cards and 12.0(24)S, 12.2(18)S, 12.3(1) or above: Use version 5 and configure the MSFC to export version 9 as described above.

• No Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5.

• All others: Use version 7. Note: Version 7 may not include AS or subnet mask information.

Command: mls aging long 64
Definition: Breaks up long-lived flows into one-minute segments.

Command: mls aging normal 32
Definition: Makes sure that completed flows are exported in a timely manner.

Command:
mls flow ip interface-full
mls nde interface
or mls flow ip full
Definition: If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, you must use the first two commands to put interface and routing information into the NetFlow Exports. This information is unavailable with any earlier IOS version on the Supervisor Engine 2 or 720.

If you have a Supervisor Engine 1, use the third command to put full information into the NetFlow Exports.

Command:
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
Definition: A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.

Enabling NetFlow Export on a 4000 Series Switch

The 4000 and 4500 series switches require a Supervisor IV with a NetFlow Services daughter card (WS-F4531), or a Supervisor V, and IOS version 12.1(19)EW or above to support NetFlow. First configure the device as for an IOS device, omitting the command ip route-cache flow on each interface, and then issue the following command:

ip route-cache flow infer-fields

This makes sure that routing information is included in the flows.

Configuring NDE on a CatOS Device

A layer 3 switch running CatOS appears as two devices. You can set up the MSFC to export NetFlow information on all the packets it routes by following the instructions for configuring an IOS device above.

In privileged mode on the Supervisor Engine, issue these commands to enable NDE:

Table 14 IOS Commands on CatOS Device

Command: set system name <name>
Definition: Set the name of your switch. Note: Even if the prompt has been set to the name of the switch you still need this command.

Command: set mls nde <address> 2055
Definition: Use the address of the NetFlow Tracker server and one of the ports configured in the Listener Ports settings page. Port 2055 is monitored by default.

Command: set mls nde version 7
Definition: Sets the export version. Version 7 is the most recent full export version supported by switches.

Command: set mls agingtime long 64
Definition: Breaks up long-lived flows into one-minute segments.

Command: set mls agingtime 32
Definition: Makes sure that completed flows are exported in a timely manner.

Command: set mls flow full
Definition: Sets the flow mask to full flows. This is required to get useful information from the switch.

Command: set mls bridged-flow-statistics enable <vlanlist>
Definition: CatOS 7.(2) or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.

Command: set mls nde enable
Definition: Enables NDE.

Command:
show mls nde
show mls debug
Definition: These commands help debug your NDE configuration.

Configuring NetFlow Input Filters for Traffic Class Reporting

IOS versions 12.2(25)S, 12.2(27)SBC and 12.3(4)T and greater support the NetFlow Input Filters feature, which NetFlow Tracker can use to report upon the traffic class used to route each flow.

Table 15 NetFlow Input Filters for Traffic Class Reporting

Command:
flow-sampler-map allflows
mode random one-out-of 1
exit
Definition: Create a flow sampler that exports every flow record.

Command:
policy-map netflowpolicymap
class <class>
netflow-sampler allflows
exit
exit
Definition: Create a policy map containing NetFlow sampling actions. You must include each class for which you want information.

Command:
interface <interface>
service-policy input netflowpolicymap
exit
Definition: Associate the policy map with an interface. You must associate the policy map with each NetFlow-enabled interface from which you want traffic class information.

Enabling Flow Detail Records on a Packeteer Device

A Packeteer 1200, 1550, 2500, 4500, 6500, 8500, 9500, or 10000 series running PacketWise v7.0.0 or above and having 256MB or more of memory can send either NetFlow records or a similar proprietary format to NetFlow Tracker. For more information, see http://support.packeteer.com/documentation/packetguide/rc3.1/overviews/flowdetail.htm.

To enable Flow Detail Records:

1 Log in to the PacketShaper in touch mode.

2 Open the flow detail records page on the setup tab.

3 In a collector row, enter the IP address of the NetFlow Tracker server and one of the ports configured in Listener Ports settings (2055 is monitored by default). Packeteer-1 is the recommended record type for use with NetFlow Tracker. Packeteer-2 is not recommended because NetFlow Tracker does not use the extra information and bandwidth is wasted.

You can also export NetFlow v5 records. This prevents the Traffic Classes and Identified Applications reports and filters from functioning for the device.

4 Set the value under Enabled to on and click apply changes.

5 To make sure that NetFlow Tracker receives enough information from the PacketShaper device, verify that the Look Community String configured in the SNMP page is set up in SNMP Settings, and set Packeteer-0 Packets to on in the system variables page.

6 If you have a recent version of PacketWise, you may need to change extra settings on the system variables page. Set Intermediate FDR to on, Intermediate FDR Timeout to 30000 milliseconds, and Reset Packeteer 1/2 counters to on. If these settings are not available, then the PacketShaper describes all traffic for a long-lived flow in one record, and NetFlow Tracker counts it all in the minute during which the flow ended. This leads to large spikes in charts for the device.
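Whether an exporter really breaks long-lived flows into one-minute segments (the IOS active timeout of 1, or Intermediate FDR on a PacketShaper) can be checked on the exports themselves. This Python code is an added example, not part of the guide or the product: it parses a NetFlow v5 export datagram and lists the records that span more than the active timeout. The sample datagram is constructed, and the 5-second slack is an assumption.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: a 24-byte header, then up to 30 records of 48 bytes.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 export datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the record count in the header")
    flows = []
    for i in range(count):
        (src, dst, _hop, in_if, out_if, packets, octets, first, last,
         sport, dport, _pad, _flags, proto, _tos, *_) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "protocol": proto,
            "in_if": in_if, "out_if": out_if,
            "packets": packets, "octets": octets,
            # First/Last are sysUpTime in ms; the mask handles counter wrap.
            "duration_s": ((last - first) & 0xFFFFFFFF) / 1000.0,
        })
    return flows


def overlong_flows(datagram, active_timeout_s=60, slack_s=5):
    """Records that span more than the active timeout plus the assumed slack."""
    limit = active_timeout_s + slack_s
    return [f for f in parse_v5(datagram) if f["duration_s"] > limit]


def build_v5(records, uptime_ms=7_200_000):
    """Build a constructed datagram from
    (src, dst, src_port, dst_port, protocol, octets, first_ms, last_ms) tuples."""
    body = b"".join(
        RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                    1, 2, 10, octets, first, last, sport, dport,
                    0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, octets, first, last in records)
    return HEADER.pack(5, len(records), uptime_ms, 1_200_000_000, 0, 1, 0, 0, 0) + body


# Constructed sample: one 42-second segment and one 600-second flow that the
# exporter reported in a single record.
SAMPLE = build_v5([
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 48_000, 7_100_000, 7_142_000),
    ("10.0.0.9", "198.51.100.7", 40000, 22, 6, 9_500_000, 6_500_000, 7_100_000),
])

if __name__ == "__main__":
    for flow in overlong_flows(SAMPLE):
        print("not segmented:", flow["src"], "->", flow["dst"], flow["duration_s"], "s")
```

A record flagged here is one whose octets would all be counted in the minute in which the flow ended.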

Enabling NetFlow on an Enterasys Device

NetFlow Tracker supports Enterasys devices capable of exporting NetFlow version 9 exports. To enable NetFlow, enter the following commands while logged in to the router with read/write access:

Table 16 NetFlow on an Enterasys Device

Command: set netflow cache enable
Definition: Enables NetFlow.

Command: set netflow export-destination <address> 2055
Definition: Use the address of your NetFlow Tracker server and a configured port in the Listener Ports settings page. Port 2055 is monitored by default.

Command: set netflow export-interval 1
Definition: Breaks up long-lived flows into one-minute segments.

Command: set netflow port <port-string> enable
Definition: You must enable NetFlow on each interface through which traffic you are monitoring flows, normally the Ethernet and WAN interfaces.

Command: set netflow export-version 9
Definition: Sets the export version. Version 9 is required for NetFlow Tracker to associate NetFlow information with the interfaces it relates to.

Enabling sFlow on a Foundry Device

NetFlow Tracker supports Foundry devices capable of exporting sFlow version 2 and 5 exports. To enable NetFlow, enter the following commands while logged in to the router with read/write access:

Table 17 sFlow on a Foundry Device

Command: (config)# sflow enable
Definition: Enable sFlow globally

Command: (config)# sflow destination x.x.x.x
Definition: Configure a destination

Command:
(config)# interface eth 1 or (config)# interface eth 1 to 48
(config-if-1)# sflow forwarding
Definition: Enable sFlow on a port or ports

For more information, see the Foundry Command Reference Guide.


B: Report Templates

When you create a report or chart you can choose from the report templates, depending on the type of data you want to examine.

• Address Reports

• Session Reports

• QoS Reports

• Network Reports

• Interface Reports

• Traffic Identification Reports

• Full Flow Forensics Reports

• Other Reports

Address Reports

| Report | Shows... |
|---|---|
| Source Addresses | The IP addresses that were the source of most traffic or packets. |
| Destination Addresses | The IP addresses that were the destination of most traffic or packets. |
| Addresses | Busiest addresses. Includes total traffic, source traffic, destination traffic, total packets, source packets, and destination packets. For each metric, includes percentage of total traffic. |
| Address Pairs | The pairs of connected IP addresses that exchanged most traffic or packets. |
| Bi-directional Address Pairs | In extra columns, the traffic and packets sent from destination to source for each address pair. |
| Source Address Dissemination | The source addresses that conversed with the most distinct destination addresses and that were involved in the most distinct endpoint-to-endpoint conversations. This can help detect file sharing or virus infected hosts. |
| Destination Address Popularity | The destination addresses that conversed with the most distinct source addresses and that were involved in the most distinct conversations. |

Session Reports

| Report | Shows... |
|---|---|
| Protocols | The IP protocols, such as TCP or UDP, used by most traffic or packets. |
| Source Applications | The IP applications that were the source of the most traffic or packets. An IP application is a combination of an application port and protocol: for example, HTTP or FTP. You can assign names to applications using the IP Application Names settings page. Examining the source applications inwards on an interface can show you what applications are using your Internet bandwidth. |
| Destination Applications | The IP applications that were the destination of most traffic or packets. The destination applications outwards can show the most requested applications on a link. |
| Recognized Applications | The IP applications that were the source or destination of most traffic or packets. Whether the application was the source or destination depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which has the lower port number. |
| Conversations | The pairs of connected endpoints that exchanged most traffic or packets. A single conversation represents, for example, a web browser downloading a single image. |
| Bi-directional Conversations | In extra columns, the traffic and packets sent from destination to source for each conversation. |
| Source Endpoints | The IP addresses and corresponding applications that were the source of most traffic or packets. The top source endpoints inwards on a link are the remote services using your bandwidth. |
| Destination Endpoints | The IP addresses and corresponding applications that were the destination of most traffic or packets. |
| Server-Client Sessions | The pairs of connected source endpoints and destination addresses that exchanged most traffic or packets. A session might represent, for example, a web browser downloading several web pages with images from a web server. |
| Client-Server Sessions | The pairs of connected source addresses and destination endpoints that exchanged the most traffic or packets. A session could represent a client’s requests to a web server for several pages and images. |
| Sessions | Source and destination address, application, traffic, percentage of total traffic, packets, and percentage of total packets. |
| Bi-directional Sessions | Data in Sessions report, plus forward and reverse traffic and packets. |

QoS Reports

| Report | Shows... |
|---|---|
| Types of Service | The ToS levels with most traffic or packets. |
| Differentiated Services | The DiffServ code points with most traffic or packets. |

Network Reports

| Report | Shows... |
|---|---|
| Source ASes | The autonomous systems that were the source of most traffic or packets. Note: A switch does not know anything about ASes. |
| Destination ASes | The autonomous systems that were the destination of most traffic or packets. |
| ASes | Busiest ASes. Includes total traffic, source traffic, destination traffic, total packets, source packets, and destination packets. For each metric, includes percentage of total traffic. |
| AS Pairs | The pairs of connected ASes that exchanged most traffic or packets. |
| Bi-directional AS Pairs | In extra columns, the traffic and packets sent from destination to source for each AS pair. |
| Source Networks | The IP subnets that were the source of most traffic or packets. Note: A router may not know the subnet of a particular address and a switch never knows it. |
| Destination Networks | The IP subnets that were the destination of most traffic or packets. |
| Network Pairs | The pairs of connected IP subnets that exchanged most traffic or packets. |
| Bi-directional Network Pairs | In extra columns, the traffic and packets sent from destination to source for each network pair. |

Interface Reports

| Report | Shows... |
|---|---|
| In Interfaces | The router interfaces or switch ports that were the arrival point of most traffic or packets. Note: This is only meaningful for the outwards direction. |
| Out Interfaces | The router interfaces or switch ports that were the departure point of most traffic or packets. Note: This is only meaningful for the inwards direction. |
| Interface Pairs | In and out interfaces, in and out percentage of usage, traffic, percentage of total traffic, packets, and percentage of packets for devices. |
| VPNs | The VPNs with most traffic or packets. You must associate interfaces with VPNs in Device Settings for this report to function. |
| Next Hops | The next-hop addresses that received most traffic or packets. Note: Only a router can supply a next-hop address. |

Traffic Identification Reports

| Report | Shows... |
|---|---|
| Identified Applications | Identified applications with the most traffic or packets. |
| Traffic Classes | Traffic classes with the most traffic or packets. |

Full Flow Forensics Reports

| Report | Shows... |
|---|---|
| TCP Flags | TCP flag, traffic, percentage of total traffic, packets, and percentage of total packets. |
| Duration | Flows ranked by duration (the full length of a flow). Includes amount of traffic, percentage of total traffic, number of packets, and percentage of total packets. |
| Full Flow Conversations | Start and end times, source and destination addresses and applications, in and out interfaces, TCP flags, and traffic for each flow. |

Other Reports

| Report | Shows... |
|---|---|
| Total Address Pairs | Total number of address pairs. |
| Total Conversations | Total number of conversations. |
| Total | Traffic, percentage of total traffic, packets, and percentage of total packets. |


C: Report URL Parameters

In addition to the filters used when configuring NetFlow Tracker reports, you can apply additional custom parameters to further define data. You can generate your own URLs or modify automatically created ones for use in network management portals favorites lists.

Table 18 Customizable Filter Parameters

| Parameter | Specifies... |
|---|---|
| templid | The report template to use. |
| id | The long-term report to open. |
| cid | The executive report to open. |
| output | The type of report to generate: tabular or chart. |
| nrecords | The number of rows to show per page of a tabular view. |
| others | That a tabular view shows an “others” row instead of a page navigator. |
| visible | A visible column of a table or chart. |
| nelements | The number of elements to chart. |
| chartTitle | The chart to show. |
| chartWidth | The width of the chart. |
| chartHeight | The height of the chart. |
| sections | The report sections to output. |
| features | The available interactive report features. |
| resolve | How domain names will be handled in a report with an IP address column. |
| format | The output format of the report or chart. |
| reload | The number of seconds between automatic refreshes of the report. |
| splash | Show the splash screen. |
| stime | The start of the required time range. |
| etime | The end of the required time range. |
| length | The length of the required time range. |
| unit | The unit to measure the time range in. |
| nunitsago | The number of units before the time of report generation the time range should end. |
| nunits | The number of units required. |
| date_unit | The unit to measure how long before the report is generated the time range starts and ends. |
| sdate_unit | The unit to measure how long before the report is generated the time range starts. |
| sdate_nunitsago | The number of units before the time of report generation of the first day of the time range. |
| edate_unit | The unit to measure how long before the report is generated the time range ends. |
| edate_nunitsago | The number of units before the time of report generation of the last day of the time range. |
| stime | The time of day at which the time range starts (simple calendar). |
| etime | The time of day at which the time range ends (simple calendar). |
| timemask | An inclusive mask to apply to the time range. |
| timezone | The time zone of the view. |
| sample_unit | The unit to measure the sample size in. |
| sample_nunits | The number of units in each sample. |
| range | The source long-term data to use. |
| sample | The source long-term data to use. |
| sf | Saved filter to apply to the report. |
| device | The address of a permitted NetFlow-exporting device. |
| inif | A permitted input interface, thus selecting inbound traffic on the interface. |
| outif | A permitted output interface, thus selecting outbound traffic on the interface. |
| if | A permitted input or output interface of the flow, thus selecting traffic passed in both directions across the interface. |
| invpn | A Virtual Private Network (VPN) that the input interface must be part of. |
| outvpn | A VPN that the output interface must be part of. |
| vpn | A VPN that either interface must be part of. |
| srcaddr | A permitted source address. |
| dstaddr | A permitted destination address. |
| addr | A permitted source or destination address. |
| proto | A permitted IP protocol. |
| srcport | A permitted source application port number. |
| dstport | A permitted destination application port number. |
| srcappl | A permitted source IP application. |
| dstappl | A permitted destination IP application. |
| appl | A permitted source or destination IP application port. |
| recappl | A permitted recognized IP application port. |
| applid | A permitted identified application. |
| tos | A permitted Type-of-Service byte. |
| ds | A permitted differentiated service codepoint. |
| class | A permitted traffic class. |
| srcas | A permitted source autonomous system number. |
| dstas | A permitted destination autonomous system number. |
| as | A permitted source or destination autonomous system number. |
| srcnet | A permitted source subnet. |
| dstnet | A permitted destination subnet. |
| net | A permitted source or destination subnet. |
| srcmask | A permitted source subnet mask, as supplied by the router. |
| dstmask | A permitted destination subnet mask. |
| mask | A permitted source or destination subnet mask. |
| nexthop | A next-hop address. |
| j_username | The username. |
| j_password | The password. |
| portalsecret | The secret value assigned to the management portal. |
| acldevice | The address of a permitted device that exports NetFlow. |
| aclif | A permitted interface. |
| aclvpn | A permitted VPN. |
| acltemplid | A permitted report template. |
| aclid | A permitted long-term report. |
| aclcid | A permitted executive report. |
| aclfiltereditor | A filter that will show in the Filter Editor. |
| aclsf | A visible saved filter. |
| aclfeatures | The permitted interactive report features. |

General Format

http://<server>:<port>/report.jsp?prm=value&prm=value...

server The domain name or IP address of the NetFlow Tracker server

port The HTTP port of the NetFlow Tracker server

prm, value A named parameter and its value. Supply as many parameters as necessary in any order with each prm=value pair separated by an ampersand.

Report Parameters

templid – specifies the report template to use. Do not use this parameter with id or cid.

0000 Source Addresses

0001 Destination Addresses

0002 Address Pairs


0003 Protocols

0006 Source Applications

0007 Destination Applications

0008 Source Endpoints

0009 Destination Endpoints

0010 Server-Client Sessions

0011 Client-Server Sessions

0012 Conversations

0013 Types of Service

0014 Differentiated Services

0015 Source ASes

0016 Destination ASes

0017 AS Pairs

0018 Source Networks

0019 Destination Networks

0020 Network Pairs

0021 In Interfaces

0022 Out Interfaces

0023 Next Hops

0024 Source Address Dissemination

0025 Destination Address Popularity

0026 Recognized Applications

0027 Traffic Classes

0028 Identified Applications

0029 Bi-directional Address Pairs

0030 Bi-directional Conversations

0031 Bi-directional AS Pairs

0032 Bi-directional Network Pairs

0033 Total

0034 VPNs

0035 Addresses

0036 Endpoints

0037 Networks

0038 ASes

0039 Sessions

0040 Bi-directional Sessions

0041 Interface Pairs

_flows Full flows

id – specifies the long-term report to open. You can enable several standard long-term reports in Report Settings. The IDs for these reports are given below. The ID for a custom report is available in Report Settings. Do not use this parameter with templid or cid.

0000 Source Addresses per inbound interface

0001 Source Addresses per outbound interface

0002 Destination Addresses per inbound interface

0003 Destination Addresses per outbound interface

0004 Recognized Applications per inbound interface

0005 Recognized Applications per outbound interface

0100 Source Addresses per source device

0101 Destination Addresses per source device

0102 Recognized Applications per source device

<id> A custom long-term report ID

cid – specifies the executive report to open. The ID for an executive report is available in Report Settings. Do not use this parameter with templid or id.

<id> An executive report ID

output – specifies the type of report to generate: tabular or chart.

table A tabular report is generated (default)

chart A chart over time is generated

pie A pie chart is generated

nrecords – specifies the number of rows to show per page of a tabular view.

<number> The number of rows per page

-1 Show all rows

others – specifies that a tabular view shows an Others row instead of a page navigator. The long-term tabular view always shows an Others row.

true An Others row is shown instead of a page navigator

false No Others row is shown (default)

visible – specifies a visible column of a table or chart. Apply this as often as needed to include all desired columns. By default, all columns are visible.

<heading> The URL-encoded column heading; note that % is URL-encoded as %25

-<heading> A column to make invisible; parameters specifying invisible columns cannot be mixed with those specifying visible columns

nelements – specifies the number of elements to chart.

<number> The number of elements to chart

chartTitle – specifies the chart to show.

<title> The chart title

chartWidth – specifies the width of the chart. Use this as an output parameter in an executive report.

<width> The chart width in pixels

chartHeight – specifies the height of the chart. Use this as an output parameter in an executive report.

<height> The chart height in pixels

sections – specifies the report sections to output.

<sections> The sections, formed by summing the values for each section

1 Title

2 Time range & filter description

4 Main report or chart body

8 Chart title, if applicable

16 Chart legend, if applicable

32 Result information, if applicable

-<sections> The sections that are not displayed

features – specifies the available interactive report features.

<features> The features, formed by adding the values for each feature

1 Navigation Menu

2 Select All button, if applicable

4 Zoom In button, if applicable

8 Zoom Out button, if applicable

48 Open as Tabular Report, Chart or Pie buttons as applicable

64 Filter Editor button, if applicable

128 Refresh and Resolve All buttons, if applicable

256 Print and CSV buttons, if applicable

512 Open in New Window button

1024 Drilldown controls

2048 Direct drilldown links (found in navigation reports)

4096 Page navigator

8192 Sortable column headers

16384 Chart scrollbar

32768 Chart selection headers

65536 Time range editor, if specified

-<features> The features that are not displayed

resolve – specifies how domain names are handled in a report with an IP address column.

all All domain names will be resolved and shown in full

available Only already resolved names will be shown, as tooltips (default)

format – specifies the output format of the report or chart.

html Fully interactive HTML (default)

print Printable/saveable HTML

csv Comma separated values

reload – specifies the number of seconds between automatic refreshes of the report. Use this with one of the dynamic time ranges (see “Time Range Parameters”). Only the interactive HTML format supports this parameter.

-1 The report will not reload automatically (default)

<seconds> Number of seconds between refreshes

splash – controls whether the splash screen is shown.

true The splash screen is shown if it has not already been shown (default).

false The splash screen is not shown.

Time Range Parameters

Setting Start and End Times

You can specify a fixed start and end time in plain text or in UTC, which is the number of milliseconds since 1 Jan 1970.

stime – specifies the start of the required time range.

<time> The time in milliseconds UTC

<dd>/<MM>/<yyyy>%20<HH>:<mm> The time: <dd> is the date, <MM> the month, <yyyy> the year, %20 a URL-encoded space character, <HH> the hour in the 24-hour clock and <mm> the minutes

etime – specifies the end of the required time range.

<time> The time in milliseconds UTC

<dd>/<MM>/<yyyy>%20<HH>:<mm> The time: <dd> is the date, <MM> the month, <yyyy> the year, %20 a URL-encoded space character, <HH> the hour in the 24-hour clock and <mm> the minutes

Creating a Fixed Length URL with Current Time Range

To create a URL that always shows a current time range, specify a number of milliseconds ending at the time the report is generated.

length – specifies the length of the required time range.

<millis> The length in milliseconds

Setting a Simple Calendar-Based Time Range

A simple calendar-based time range is a given number of units ending when the report generates or at the end of the last full unit before the report generates.

unit – specifies the unit to measure the time range in.

hour Hours

day Days

week Weeks

mon Weeks starting on a Monday

tue Weeks starting on a Tuesday

wed Weeks starting on a Wednesday

thu Weeks starting on a Thursday

fri Weeks starting on a Friday

sat Weeks starting on a Saturday

sun Weeks starting on a Sunday

month Months

quarter Quarters

halfyear Half-years

year Years

nunitsago – specifies the number of units before the time of report generation the time range should end.

0 The time range will end at end of the current unit at the time of report generation; this is likely to be later than the time of report generation

1 The time range will extend to the end of the last full unit before the time of report generation (default)

<number> The time range will extend to the end of this number of full units before the time of report generation

nunits – specifies the number of units required. This may include a partial unit.

1 The time range will extend for a single unit (default)

<number> The time range will extend for this number of units

Setting an Advanced Calendar-Based Time Range

An advanced calendar-based time range has an optional start date specified as a given number of units before the time of report generation, defaulting to the day of report generation. Specify the start time in plain text. Specify the optional end date in the same way as the start date, defaulting to the same day as the start date. Specify the end time in plain text.

date_unit – (optional) specifies the unit to measure how long before the report is generated that the time range starts and ends.

day Days

week Weeks

mon Weeks starting on a Monday

tue Weeks starting on a Tuesday

wed Weeks starting on a Wednesday

thu Weeks starting on a Thursday

fri Weeks starting on a Friday

sat Weeks starting on a Saturday

sun Weeks starting on a Sunday

month Months

quarter Quarters

halfyear Half-years

year Years

sdate_unit – (optional) specifies the unit to measure how long before the report is generated that the time range starts. Format as for date_unit above.

sdate_nunitsago – (optional) specifies the number of units before the time of report generation of the first day of the time range.

1 The first day of the time range is the first day of the current unit at the time of report generation (default)

<number> The first day of the time range is at the start of this number of full units before the time of report generation

edate_unit – (optional) specifies the unit to measure how long before the report is generated that the time range ends. Format as for date_unit above.

edate_nunitsago – (optional) specifies the number of units before the time of report generation of the last day of the time range.

0 The last day of the time range is the first day of the unit following the current unit at the time of report generation

1 The last day of the time range is the first day of the current unit at the time of report generation (default)

<number> The time range extends to the end of this number of full units before the time of report generation

stime – specifies the time of day at which the time range starts.

<HH>:<mm> The time, with <HH> being the hour in the 24-hour clock and <mm> being the minutes

etime – specifies the time of day at which the time range ends.

<HH>:<mm> The time, with <HH> being the hour in the 24-hour clock and <mm> being the minutes

Applying a Time-of-Day Mask to the Time Range

If the time range is longer than a day, you may want to restrict it to just certain times on each day. For example, you can select only working hours or only non-working hours.

If a long-term report has a configured time zone or mask, this parameter will have no effect.

timemask – specifies an inclusive mask to apply to the time range. To specify multiple inclusive masks, include a parameter name and value in the URL for each mask.

<day1>-<day2>/<time1>-<time2> The range of weekdays and the times on those weekdays to include in the mask. A weekday is SUN, MON, TUE, WED, THU, FRI or SAT, day2 coming on or after day1 in the list above. Time is in the 24-hour form hh:mm, and time2 is after time1

Setting a Time Zone

By default, the time zone of the NetFlow Tracker is used to interpret calendar-based time ranges and time-of-day masks. You can specify a non-default time zone. Note: If a long-term report has a configured time zone or mask, this parameter has no effect.

timezone – specifies the time zone of the view.

0 (GMT-12:00) International Date Line West

1 (GMT-11:00) Midway Island, Samoa

2 (GMT-10:00) Hawaii

3 (GMT-09:00) Alaska

4 (GMT-08:00) Pacific Time (US & Canada); Tijuana

15 (GMT-07:00) Arizona

10 (GMT-07:00) Mountain Time (US & Canada)

13 (GMT-07:00) Chihuahua, La Paz, Mazatlan

33 (GMT-06:00) Central America

20 (GMT-06:00) Central Time (US & Canada)

30 (GMT-06:00) Guadalajara, Mexico City, Monterrey

25 (GMT-06:00) Saskatchewan

45 (GMT-05:00) Bogota, Lima, Quito

35 (GMT-05:00) Eastern Time (US & Canada)

40 (GMT-05:00) Indiana (East)

50 (GMT-04:00) Atlantic Time (Canada)

55 (GMT-04:00) Caracas, La Paz

56 (GMT-04:00) Santiago


60 (GMT-03:30) Newfoundland

65 (GMT-03:00) Brasilia

70 (GMT-03:00) Buenos Aires, Georgetown

73 (GMT-03:00) Greenland

75 (GMT-02:00) Mid-Atlantic

80 (GMT-01:00) Azores

83 (GMT-01:00) Cape Verde Is.

90 (GMT) Casablanca, Monrovia

85 (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London

110 (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

95 (GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

105 (GMT+01:00) Brussels, Copenhagen, Madrid, Paris

100 (GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb

113 (GMT+01:00) West Central Africa

130 (GMT+02:00) Athens, Beirut, Istanbul, Minsk

115 (GMT+02:00) Bucharest

120 (GMT+02:00) Cairo

140 (GMT+02:00) Harare, Pretoria

125 (GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

135 (GMT+02:00) Jerusalem

158 (GMT+03:00) Baghdad

150 (GMT+03:00) Kuwait, Riyadh

145 (GMT+03:00) Moscow, St. Petersburg, Volgograd

155 (GMT+03:00) Nairobi

160 (GMT+03:30) Tehran

165 (GMT+04:00) Abu Dhabi, Muscat

170 (GMT+04:00) Baku, Tbilisi, Yerevan

175 (GMT+04:30) Kabul

180 (GMT+05:00) Ekaterinburg

185 (GMT+05:00) Islamabad, Karachi, Tashkent

190 (GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi

193 (GMT+05:45) Kathmandu

201 (GMT+06:00) Almaty, Novosibirsk

195 (GMT+06:00) Astana, Dhaka

200 (GMT+06:00) Sri Jayawardenepura

203 (GMT+06:30) Rangoon

205 (GMT+07:00) Bangkok, Hanoi, Jakarta

207 (GMT+07:00) Krasnoyarsk

210 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi

227 (GMT+08:00) Irkutsk, Ulaan Bataar

215 (GMT+08:00) Kuala Lumpur, Singapore

225 (GMT+08:00) Perth

220 (GMT+08:00) Taipei

235 (GMT+09:00) Osaka, Sapporo, Tokyo

230 (GMT+09:00) Seoul

240 (GMT+09:00) Yakutsk

250 (GMT+09:30) Adelaide

245 (GMT+09:30) Darwin

260 (GMT+10:00) Brisbane

255 (GMT+10:00) Canberra, Melbourne, Sydney

275 (GMT+10:00) Guam, Port Moresby

265 (GMT+10:00) Hobart

270 (GMT+10:00) Vladivostok

280 (GMT+11:00) Magadan, Solomon Is., New Caledonia

290 (GMT+12:00) Auckland, Wellington

285 (GMT+12:00) Fiji, Kamchatka, Marshall Is.

300 (GMT+13:00) Nuku'alofa

Setting the Chart Sample Size

When you create a real-time chart, the system chooses a sample size that creates as close to 150 samples over the full width of the chart as possible. You can specify a different sample size to show, for example, a day in hour-long samples or a month in day-long samples.

sample_unit – specifies the unit to measure the sample size in.

minute Minutes

hour Hours

day Days

week Weeks

month Months

quarter Quarters

halfyear Half-years

year Years

sample_nunits – specifies the number of units in each sample.

1 Each sample will be one unit long (default)

<number> Each sample will be this number of units long

Setting the Source Long-term Data

When you create a long-term chart or tabular report, the source data is chosen so the time range will be in as close to 150 samples as possible. You can override this if you wish.

range – specifies the source long-term data to use.

daily Daily data (ten minute samples) are used

weekly Weekly data (one hour samples) are used

monthly Monthly data (six hour samples) are used

quarterly Quarterly data (twelve hour samples) are used

halfyearly Half-yearly data (one-day samples) are used

yearly Yearly data (two-day samples) are used

sample – specifies the source long-term data to use.

10minute Daily data (ten minute samples) are used

1hour Weekly data (one hour samples) are used

6hour Monthly data (six hour samples) are used

12hour Quarterly data (twelve hour samples) are used

1day Half-yearly data (one-day samples) are used

2day Yearly data (two-day samples) are

Filter Parameters

You can apply any number of filters to a report. Each filter is a set of acceptable values for a certain aspect of the source data. If you do not specify a filter, then all values are accepted.

To specify multiple acceptable values for a filter, include the parameter name and value in the URL once for each value.

Note: The filters that you can apply to a long-term report depend upon the report’s type.

sf – specifies a saved filter to apply to the report. The ID for a saved filter is available in Report Settings.

<id> A saved filter ID

device – specifies the address of a permitted NetFlow-exporting device.

<addr> The address in dotted-decimal format (a.b.c.d)
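The URL format, the summed sections and features values, the plain-text stime form and the repeated filter parameters described above can be exercised together in a short script; this is an added example, not code from the guide or from NetFlow Tracker. The dictionary key names, host, port, addresses and column heading are assumptions constructed for illustration. The audit function also flags j_username, j_password and portalsecret, because a URL saved in a portal or favorites list carries those values in clear text.

```python
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Bit values come from the sections and features tables; the key names are
# labels chosen for this example, not identifiers used by NetFlow Tracker.
SECTIONS = {"title": 1, "time_range_and_filter": 2, "body": 4,
            "chart_title": 8, "chart_legend": 16, "result_info": 32}
FEATURES = {"navigation_menu": 1, "select_all": 2, "zoom_in": 4, "zoom_out": 8,
            "open_as_buttons": 48, "filter_editor": 64, "refresh_resolve": 128,
            "print_csv": 256, "new_window": 512, "drilldown": 1024,
            "drilldown_links": 2048, "page_navigator": 4096,
            "sortable_headers": 8192, "chart_scrollbar": 16384,
            "chart_selection": 32768, "time_range_editor": 65536}
REPORT_SELECTORS = ("templid", "id", "cid")  # must not be combined
CREDENTIAL_PARAMS = ("j_username", "j_password", "portalsecret")


def _encode(pairs):
    # quote() instead of quote_plus(): a space becomes %20 and % becomes %25,
    # while "/" and ":" stay literal as in <dd>/<MM>/<yyyy>%20<HH>:<mm>.
    return urlencode(pairs, quote_via=quote, safe="/:")


def _selectors_used(pairs):
    names = {name for name, _ in pairs}
    return [s for s in REPORT_SELECTORS if s in names]


def build_report_url(server, port, pairs, sections=(), features=()):
    """Build a report.jsp URL from (parameter, value) pairs.

    Repeat a filter parameter in `pairs` once per acceptable value.
    """
    pairs = list(pairs)
    used = _selectors_used(pairs)
    if len(used) > 1:
        raise ValueError("use only one of templid, id, cid; got " + ", ".join(used))
    if sections:
        pairs.append(("sections", str(sum(SECTIONS[s] for s in sections))))
    if features:
        pairs.append(("features", str(sum(FEATURES[f] for f in features))))
    return f"http://{server}:{port}/report.jsp?{_encode(pairs)}"


def audit_report_url(url):
    """Review a report URL before it is stored in a portal or favorites list."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    used = _selectors_used(pairs)
    finding = {
        "selector_conflict": used if len(used) > 1 else [],
        "credentials": [name for name, _ in pairs if name in CREDENTIAL_PARAMS],
        "features_shown": [],
        "features_hidden": [],
    }
    for name, value in pairs:
        if name == "features":
            total = int(value)  # a negative sum lists features that are hidden
            decoded = [f for f, bit in FEATURES.items()
                       if (abs(total) & bit) == bit]
            key = "features_hidden" if total < 0 else "features_shown"
            finding[key] = decoded
    redacted = [(n, "REDACTED" if n in CREDENTIAL_PARAMS else v) for n, v in pairs]
    finding["redacted_url"] = url.split("?", 1)[0] + "?" + _encode(redacted)
    return finding


# Constructed sample values: host, port, addresses and the "Traffic %" column
# heading are illustrative only.
EXAMPLE_URL = build_report_url(
    "tracker.example.net", 8080,
    [("templid", "0012"), ("output", "table"), ("nrecords", "25"),
     ("stime", "01/08/2008 09:00"), ("etime", "01/08/2008 17:00"),
     ("srcaddr", "192.0.2.10"), ("srcaddr", "192.0.2.11"),
     ("visible", "Traffic %")],
    sections=["title", "body"],
    features=["page_navigator", "sortable_headers"],
)

if __name__ == "__main__":
    print(EXAMPLE_URL)
    stored = ("http://tracker.example.net:8080/report.jsp?templid=0000&id=0100"
              "&features=-320&j_username=portal&j_password=constructed-pw")
    for key, value in audit_report_url(stored).items():
        print(f"{key}: {value}")
```

Log or display the redacted_url value rather than the stored URL when credentials are reported.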

inif – specifies a permitted input interface, thus selecting inbound traffic on the interface.

<addr>/<id> The interface: addr is the address of the NetFlow-exporting device in dotted-decimal format and id is the NetFlow Tracker-specific interface identifier

<addr>/-<ifindex> The interface: addr is the address of the NetFlow-exporting device in dotted-decimal format and ifindex is the current SNMP interface index assigned to the interface

outif – specifies a permitted output interface, thus selecting outbound traffic on the interface. Format as for inif above.

if – specifies a permitted input or output interface of the flow, thus selecting traffic passed in both directions across the interface. Format as for inif above.

invpn – specifies a Virtual Private Network (VPN) that the input interface must be part of.

<name> The VPN name; see Device Settings for more information

<id> The VPN identifier

outvpn – specifies a VPN that the output interface must be part of. Format as for invpn above.

vpn – specifies a VPN that either interface must be part of. Format as for invpn above.

srcaddr – specifies a permitted source address.

<addr> The address in dotted-decimal format

srcaddr_exclude=true – specifies that the supplied source addresses are excluded rather than included.

128

Page 141: NetFlow Tracker User GUide

Report URL ParametersTime Range Parameters C

dstaddr – specifies a permitted destination address. Format as for srcaddr above.

dstaddr_exclude=true – specifies that the supplied destination addresses are excluded rather than included.

addr – specifies a permitted source or destination address. Format as for srcaddr above.

addr_exclude=true – specifies that the supplied source or destination addresses are excluded rather than included.

proto – specifies a permitted IP protocol.

<name> The protocol name, such as TCP or UDP

<number> The protocol number, in the range 0-255

proto_exclude=true – specifies that the supplied protocols are excluded rather than included.

srcport – specifies an acceptable source application port number.

<port> The application port number in the range 0-65535

<port1>-<port2> A range of port numbers, with port1 being the start of the range and port2 the end

srcport_exclude=true – specifies that the supplied source application port numbers are excluded rather than included.

dstport – specifies an acceptable destination application port number. Format as for srcport above.

dstport_exclude=true – specifies that the supplied destination application port numbers are excluded rather than included.

srcappl – specifies a permitted source IP application.

<port>/<name> The application: port is the application port number in the range 0-65535 and name is the protocol name, such as TCP or UDP

<port>/<number> The application: port is the application port number in the range 0-65535 and number is the protocol number in the range 0-255

<name> The name of a grouped application

srcappl_exclude=true – specifies that the supplied source applications are excluded rather than included.

dstappl – specifies a permitted destination IP application. Format as for srcappl above.

dstappl_exclude=true – specifies that the supplied destination applications are excluded rather than included.

appl – specifies a permitted source or destination IP application port. Format as for srcappl above.

appl_exclude=true – specifies that the supplied source or destination applications are excluded rather than included.

recappl – specifies a permitted recognized IP application port. Format as for srcappl above.

recappl_exclude=true – specifies that the supplied recognized applications are excluded rather than included.

applid – specifies a permitted identified application.

<name> The identified application name; see Device Settings for more information

<id> The identified application identifier


applid_exclude=true – specifies that the supplied identified applications are excluded rather than included.

tos – specifies a permitted Type-of-Service byte.

tos_exclude=true – specifies that the supplied Type-of-Service values are excluded rather than included.

ds – specifies a permitted differentiated service codepoint.

ds_exclude=true – specifies that the supplied differentiated service codepoints are excluded rather than included.

class – specifies a permitted traffic class.

class_exclude=true – specifies that the supplied traffic classes are excluded rather than included.

<prec> The precedence, in the range 0-7

<tos> A string of letters indicating which ToS bits you must set or unset.

D - low delay, d - normal delay

T - high throughput, t - normal throughput

R - high reliability, r - normal reliability

M - minimize monetary cost, m - normal monetary cost

Any bits not specified as set or unset are disregarded.

<prec>%20<tos> The precedence and ToS as above; %20 being a URL-encoded space character

<name> The assigned name of the codepoint

<code> The six-digit binary representation of the codepoint

<byte> The value of the entire Type-of-Service byte, in the range 0-255

<name> The traffic class name. See “Applying Traffic Class IDs” on page 21.

<id> The traffic class identifier


srcas – specifies a permitted source autonomous system number.

<as> The AS number, in the range 0-65535

srcas_exclude=true – specifies that the supplied source autonomous system numbers are excluded rather than included.

dstas – specifies a permitted destination autonomous system number. Format as for srcas above.

dstas_exclude=true – specifies that the supplied destination autonomous system numbers are excluded rather than included.

as – specifies a permitted source or destination autonomous system number. Format as for srcas above.

as_exclude=true – specifies that the supplied source or destination autonomous system numbers are excluded rather than included.

srcnet – specifies a permitted source subnet. Note that the subnet mask supplied by the router is ignored.

<addr>/<mask> The subnet: addr is the network address in dotted-decimal format and mask is the mask length, in the range 0-32

srcnet_exclude=true – specifies that the supplied source subnets are excluded rather than included.

dstnet – specifies a permitted destination subnet. Format as for srcnet above.

dstnet_exclude=true – specifies that the supplied destination subnets are excluded rather than included.

net – specifies a permitted source or destination subnet. Format as for srcnet above.


net_exclude=true – specifies that the supplied source or destination subnets are excluded rather than included.

srcmask – specifies a permitted source subnet mask, as supplied by the router.

<mask> The mask length, in the range 0-32

srcmask_exclude=true – specifies that the supplied source subnet masks are excluded rather than included.

dstmask – specifies a permitted destination subnet mask. Format as for srcmask above.

dstmask_exclude=true – specifies that the supplied destination subnet masks are excluded rather than included.

mask – specifies a permitted source or destination subnet mask. Format as for srcmask above.

mask_exclude=true – specifies that the supplied source or destination subnet masks are excluded rather than included.

nexthop – specifies a next-hop address.

<addr> The address in dotted-decimal format

nexthop_exclude=true – specifies that the supplied next-hop addresses are excluded rather than included.

Security Parameters

If a username and password are required to access a report, you can specify them in the URL.


j_username – specifies the username.

<username> The username

j_password – specifies the password.

<password> The password

Management Portal Access Control Parameters

A management portal that provides users with access to NetFlow Tracker reports uses the following parameters. For more information, see “Management Portal Settings” on page 82.

portalsecret – specifies the secret value assigned to the management portal in Management Portal Settings.

<secret> The secret value

acldevice – specifies the address of a permitted device that exports NetFlow data. Format as for device above.

aclif – specifies a permitted interface. Format as for inif above.

aclvpn – specifies a permitted VPN. Format as for invpn above.

acltemplid – specifies a permitted report template.

null No report templates are permitted

<id> A permitted report template; see templid in Report Format Parameters above for permitted values


aclid – specifies a permitted long-term report.

null No long-term reports are permitted

<id> A permitted long-term report; see id in Report Format Parameters above for permitted values

aclcid – specifies a permitted executive report.

null No executive reports are permitted

<id> A permitted executive report; see cid in Report Format Parameters above for permitted values

aclfiltereditor – specifies a filter that will appear in the Filter Editor. Note that it will be possible for the user to create reports with other filters by drilling down or manually editing a URL.

null No filter editors are permitted

0 Source Device

1 Source Address

2 Dest Address

3 Src/Dest Address

4 Next Hop

5 In Interface

6 Out Interface

7 In/Out Interface

8 Protocol

9 Source Port

10 Dest Port

11 Src/Dest Port

12 Source Application

13 Dest Application

14 Src/Dest Application

15 ToS

16 DiffServ

17 Source AS

18 Dest AS

19 Src/Dest AS

20 Source Subnet

21 Dest Subnet

22 Src/Dest Subnet

23 Source Mask

24 Dest Mask

25 Src/Dest Mask

26 Recognised Application

27 Traffic Class

28 Identified Application

29 VPN

30 In VPN

31 Out VPN

aclsf – specifies a visible saved filter.

null No saved filters are visible

<id> A visible saved filter; see sf in Filter Parameters above for permitted values

aclfeatures – specifies the permitted interactive report features. For parameters, see features.
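Because j_username, j_password and portalsecret travel in the query string, their values end up wherever request URLs are recorded, such as web server and proxy access logs. The following added example (not part of the original guide) finds and redacts those parameters in access-log lines; the log format, the /report path and all values are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters from this appendix whose values are credentials or shared secrets.
SENSITIVE_PARAMS = {"j_username", "j_password", "portalsecret"}

# Constructed access-log lines: addresses, path and values are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2008:10:01:02 +0000] '
    '"GET /report?srcaddr=192.0.2.10&dstport=443 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Aug/2008:10:02:10 +0000] '
    '"GET /report?dstport=443&j_username=alice&j_password=s3cret HTTP/1.1" 200 4096',
    '10.0.0.9 - - [12/Aug/2008:10:03:44 +0000] '
    '"GET /report?portalsecret=abc123&acldevice=192.0.2.1&aclfiltereditor=1 HTTP/1.1" 200 2048',
]

# Request field of a common-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_target(target):
    """Return (redacted_target, sorted names of sensitive parameters found)."""
    parts = urlsplit(target)
    found = set()
    pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            found.add(key.lower())
            value = "REDACTED"
        pairs.append((key, value))
    if not found:
        return target, []  # leave clean URLs byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)


def scan_log(lines):
    """Return (line_number, parameter_names, redacted_line) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, found = redact_target(match.group("target"))
        if found:
            clean = (line[:match.start("target")] + redacted
                     + line[match.end("target"):])
            findings.append((lineno, found, clean))
    return findings


if __name__ == "__main__":
    for lineno, names, clean in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(names)}")
        print(f"  {clean}")
```
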


D: File Formats

CSV File Format

You can convert every standard chart and tabular report to comma-separated-value format for import into a database server or spreadsheet.

Chart CSV format

Each section is separated by a row of “=” signs. The first section is the chart title; the second is the time range and filter.

Each following section represents a single chart, equivalent to the tabs above the chart in interactive mode. The first line of the section is the name of the chart. The next two rows contain the start and end time of each sample in milliseconds UTC. Each has an empty column at the start to accommodate the description of each data row below. Each data row consists of a description followed by a usage, octet count or packet count for each sample.

Pie chart CSV format

Each section is separated by a row of “=” signs. The first section is the chart title; the second is the time range and filter.

Each following section represents a single chart, equivalent to the tabs above the chart in interactive mode. The first line of the section is the name of the chart, followed by a row for each charted element consisting of a description followed by a usage, octet count or packet count.

Tabular report CSV format

Each section is separated by a row of “=” signs. The first section is the report title; the second is the time range and filter.

The third section starts with the title of each column, separated by a comma. Each following line in the section is a row with each value separated by a comma, and text values contained within double quotes. There are several differences between a report viewed in a browser and one converted to CSV. In CSV format all rows are included, information normally available by hovering the mouse over a label is unavailable, and traffic and packets passed are output as simple counts rather than rates.

The fourth section contains column totals, again separated by commas. There are usually empty values in the total row corresponding to non-numeric columns.
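A parser for the tabular report CSV layout described above, as an added example that is not part of the original guide. The sample report, the separator width and the column names are constructed, and the totals check assumes numeric columns are simple counts.

```python
import csv
import io

# Constructed sample in the four-section layout described above; the title,
# filter text, column names and separator width are assumptions.
SAMPLE = """Source Addresses
==========
Last hour, dstport=443
==========
Source Address,Octets,Packets
"192.0.2.10",120000,900
"192.0.2.11",80000,600
==========
,200000,1500
"""


def is_separator(row):
    """True for a row made up only of '=' signs."""
    text = "".join(row).strip()
    return bool(text) and set(text) == {"="}


def split_sections(text):
    """Split CSV text into lists of rows, one list per '='-delimited section."""
    sections, current = [], []
    for row in csv.reader(io.StringIO(text)):
        if is_separator(row):
            sections.append(current)
            current = []
        elif row:  # ignore blank lines
            current.append(row)
    sections.append(current)
    return sections


def to_count(cell):
    """Convert a numeric cell to int; return None for empty or text cells."""
    try:
        return int(cell)
    except ValueError:
        return None


def parse_tabular_report(text):
    """Parse title, time range/filter, table rows and column totals."""
    sections = split_sections(text)
    if len(sections) != 4 or not all(sections):
        raise ValueError("expected four non-empty sections")
    title, time_filter, table, totals = sections
    header, rows = table[0], table[1:]
    if any(len(r) != len(header) for r in rows + totals[:1]):
        raise ValueError("row width does not match the column titles")
    return {
        "title": ",".join(title[0]),
        "filter": [",".join(r) for r in time_filter],
        "rows": [dict(zip(header, r)) for r in rows],
        "totals": {h: to_count(c) for h, c in zip(header, totals[0])},
    }


def total_mismatches(report):
    """Columns whose total row disagrees with the sum of the data rows."""
    return [col for col, total in report["totals"].items()
            if total is not None
            and sum(to_count(r[col]) or 0 for r in report["rows"]) != total]
```

A non-empty result from total_mismatches indicates a truncated or altered export and is worth checking before the data is loaded into a database.
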

XML Format

You can convert every standard chart and tabular report to XML for use in external software. The XML schemas are in the xml subfolder underneath the NetFlow Tracker installation folder.

The root of each XML document contains the report title. The first tag in the root contains data about the NetFlow Tracker version that generated the document.

The next tag contains data about the filter applied to the report. The time range is set as a start and end in both milliseconds UTC and year, month, day, hour, etc. The number of milliseconds spanned by the time range is provided, taking into account the time mask applied, if any.

Chart XML format

Each chart is described in a separate tag with a title attribute equivalent to the title in the tabs above the chart in interactive mode. The next tag describes the types and headings of each column in the description of each charted element; the subsequent tag provides the type, heading and overall total for each summary column.

The final tag describes each charted element, or dataset. Each dataset has a value for each description column (unless it is marked as being an “others” dataset) and a value for each summary column. This is followed by the start and end time and value for each sample that makes up the dataset.

Pie chart XML format

The pie chart format is very similar to the chart format, but there are no datasets.

Tabular report XML format

A tabular report is described using two tags. The first describes the type and heading of each column in the report; any column totals are included here.

The second section describes each row in the table. If the number of rows is restricted, the attributes of the result tag provide the start result, number of results output and the total number of results in the report. Each result contains a value for each column.
