Netflow Tracker: User Guide
User Guide
PN 3365122 Rev 1, 11/08. August 2008. © 2008 Fluke Corporation. All rights reserved. All product names are trademarks of their respective companies.
Apache Commons Collections 3.2, available at http://commons.apache.org/collections/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
Apache Commons Logging 1.0.4, available at http://commons.apache.org/logging/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
Apache Log4j 1.2.15, available at http://logging.apache.org/log4j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
Apache Xerces Java 2.9.0, available at http://xerces.apache.org/xerces2-j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
IE5.5+ PNG Alpha Fix 1.0RC4, available at http://www.twinhelix.com/css/iepngfix/demo/. This is distributed under the CC-GNU Lesser GNU Public License, a copy of which is available at http://creativecommons.org/licenses/LGPL/2.1/deed.en.
iText 2.0.6, available at http://www.lowagie.com/iText/. This is distributed under the Mozilla Public License, a copy of which is available at http://www.mozilla.org/MPL/MPL-1.1.html.
Jakarta Tomcat 3.3.2, available at http://tomcat.apache.org/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
joeSNMP 0.2.6, available at http://opennms.svn.sourceforge.net/viewvc/opennms/opennms/branches/OPENNMS/src/joesnmp/. This is distributed under the Lesser GNU Public License, a copy of which is available at http://www.gnu.org/licenses/lgpl.html.
jspSmartUpload 2.1, which is no longer available. This is distributed under the Advantys Freeware license contract, a copy of which is available at http://web.archive.org/web/20031209160524/http://www.jspsmart.com/liblocal/docs/legal.htm.
Quartz 1.6.0, available at http://www.opensymphony.com/quartz/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
In the event that at any time You wish to extend the permitted number of servers or devices above the permitted amount, You must contact FNET or the reseller from whom you purchased the Product ("the Reseller") and an additional License fee may be agreed upon and a new License issued for the requested additional number of servers/devices. FNET or your Reseller may require that You provide written certification showing the geographical locations, type and serial number of all computer hardware on which the Software is being used, together with confirmation that the Product is being used in accordance with the conditions of this Agreement. You shall permit FNET or your Reseller, and/or their respective agents to inspect and have access to any premises, and to the computer equipment located there, at or on which the Software is being kept or used, and any records kept pursuant to this Agreement, for the purposes of ensuring that the Customer is complying with the terms of this License, provided that FNET/your Reseller provides reasonable advance notice to the Customer of such inspections, which shall take place at reasonable times.
4. OTHER RESTRICTIONS
You shall not sub-License, distribute, market, lease, sell, commercially exploit, loan or give away the Product or any associated documentation. For the avoidance of doubt, this License does not grant any rights in the Product to, and may not be assigned, sub-Licensed or otherwise transferred to, any connected person, where the term connected person includes but is not limited to the End User's subsidiaries, affiliates or any other persons in any way connected with the End User, whether present or future. The Product and accompanying written materials may not be used on more than the permitted number of servers at any one time or for in excess of the permitted number of devices. Subject always to any rights which You may enjoy under applicable law (provided that such rights are exercised strictly in accordance with applicable law) and except as expressly provided in this Agreement, You may not reproduce, modify, adapt, translate, decompile, disassemble or reverse engineer the Product in any manner. You shall not merge or integrate the Product into any other computer program or work, and You shall not create derivative works of the Product. FNET reserves all rights not expressly granted under this Agreement.
5. LIMITED WARRANTY
FNET warrants that during the warranty period (a) the Product will perform substantially in accordance with its accompanying written materials, and (b) the media on which the Product is furnished shall be free from defects in materials and workmanship. The warranty period applicable to the Product shall be ninety (90) days from the date of delivery of the Product or, if longer, the shortest warranty period permitted in respect of the Product under applicable law ("Warranty
6. CUSTOMER REMEDIES
You must call your FNET representative to discuss remedies during the 90 day warranty period referred to in clause 5 above. You acknowledge that your sole remedy for any defect in the Product will be Your rights under clause 5.
7. NO OTHER WARRANTIES
FNET AND/OR ITS SUPPLIERS, DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PRODUCT, THE ACCOMPANYING WRITTEN MATERIALS AND ANY ACCOMPANYING HARDWARE AND YOU AGREE THAT THIS IS FAIR AND REASONABLE. THE EXPRESS TERMS OF THIS AGREEMENT ARE IN LIEU OF ALL WARRANTIES, CONDITIONS, UNDERTAKINGS, TERMS OF OBLIGATIONS IMPLIED BY STATUTE, COMMON LAW, TRADE USAGE, COURSE OF DEALING OR OTHERWISE, ALL OF WHICH ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.
9. TERMINATION
Either party shall be entitled forthwith to terminate this Agreement by written notice if the other Party commits any material breach of any of the provisions of this Agreement and, fails to remedy the same within sixty (60) days after receipt of a written notice from the non-breaching Party giving full particulars of the breach and requiring it to be remedied. You shall be obliged to notify FNET in writing of any change in the control or ownership of the End User and FNET shall be entitled forthwith to terminate this Agreement by written notice. This Agreement shall automatically terminate if replaced at any time with a new License agreement. The right to terminate this Agreement given by this clause 9 will be without prejudice to any other accrued right or remedy of either Party including accrued rights or remedies in respect of the breach concerned (if any) or any other breach, or which the Parties have accrued prior to termination.
10. INDEMNIFICATION
You shall indemnify FNET in full and hold FNET harmless in respect of any loss, damages, proceedings, suits, third party claims, judgements, awards, expenses and costs (including legal costs) incurred by or taken against FNET as a result of the negligence, fault, error, omission, act or breach of You or of your employees, staff, contractors, agents or representatives or for any breach of this Agreement whatsoever by You. Notwithstanding any other provision of this Agreement, the aggregate liability of FNET for or in respect of all breaches of its contractual obligations under this Agreement and for all representations, statements and tortious acts or omissions
(including negligence but excluding negligence causing loss of life or personal injury) arising under or in connection with this Agreement shall in no event exceed the License fee paid by You pursuant to this Agreement prior to the date of the breach.
14. MISCELLANEOUS
14.1 The provisions of clauses 3, 7, 8, 10, 11, 12, 13 and 14 and the obligation on you to pay the License fee shall survive the termination or expiry of this Agreement.
14.2 This Agreement is personal to You and You shall not assign, sub-License or otherwise transfer this Agreement or any part of your rights or obligations hereunder whether in whole or in part save in accordance with this Agreement and with the prior written consent of FNET and You shall not allow the Product to become the subject of any charge, lien or encumbrance of whatever nature. Nothing in this Agreement shall preclude the Licensor from assigning the Product or any related documentation or its rights and obligations under this Agreement to a third party and You hereby consent to any such future assignment.
14.3 This Agreement supersedes all prior representations, arrangements, understandings and agreements between the Parties herein relating to the subject matter hereof, and sets out the entire and complete agreement and understanding between the Parties relating to the subject matter hereof.
14.4 If any provisions of the Agreement are held to be unenforceable, illegal or void in whole or in part the remaining portions of the Agreement shall remain in full force and effect.
Contents
6: Setting up Reports
Reports Overview
Applying General and Real-time Report Settings
Saving Report Filters
Scheduling Reports
Creating Long-term Reports
Creating Executive Reports
Adding a Sub-report Cell
Index
Topics include: Key Features, Deploying NetFlow Trackers, Data Management, Product Services.
Key Features
NetFlow Tracker lets you, as a network administrator, view flow traffic from routers and managed switches on the network. From a web-based interface, it provides a set of dynamic charts and reports to help you understand network traffic flow data. You can analyze application and protocol information in depth, including user, server, and application activity. NetFlow Tracker supports data from a range of devices in formats including NetFlow versions 1, 5, and 9, IPFIX, Nortel IPFIX, sFlow, JFlow, Cflow, and netstream. Key features include:
Install and configure NetFlow Tracker on Windows or Linux servers. See Chapter 2, Installing NetFlow Tracker.
Customize setup to determine how data is gathered and managed, and optimize NetFlow Tracker performance based on the data you need. See Chapter 3, Setting Up NetFlow Tracker and Chapter 8, Optimizing NetFlow Tracker.
View real-time network traffic in detail at per-minute resolution for one week by default. Traffic views by user, user group, conversation, system and application are available. Drill down and zoom in on data. Filter all real-time reports and charts on any field. See Chapter 4, Viewing Real-Time Data.
Create custom long-term reports and charts. Define and quickly access custom executive reports. Format reports and charts as CSV or XML for further processing or as simplified HTML or PDF for printing or emailing. Full flow forensic reports are available. See Chapter 6, Setting up Reports.
Create threshold and baseline alarms. Receive notifications via email, logging or SNMP traps. See Chapter 7, Working with Alarms.
Data Management
NetFlow Tracker has two databases:
The real-time database stores data at millisecond granularity. Report data is displayed in one-minute granularity. By default, data is stored for up to seven days. You can adjust this setting in Database Settings.
The long-term database stores aggregated data for multiple years at a granularity that you set in Database Settings. By default, data is stored for 999 weeks at one-hour granularity. When you configure long-term reports using custom granularity, the database stores that data at that granularity for as long as the report is scheduled.
Real-time database maintenance occurs every six hours (you cannot run database maintenance on demand). During this time data is reorganized, transferred to the long-term database, and then aggregated in the long-term database. To monitor the length of time this takes, see Making Sure That Data is Received on page 24. You can also archive and back up real-time data. See:
Database Settings on page 89
Backup on page 90
Archiving on page 92
Product Services
For NetFlow Tracker product information, see: www.flukenetworks.com
Topics include: System Requirements, Preparing for Installation, Installing NetFlow Tracker on Microsoft Windows, Installing NetFlow Tracker on Linux.
Note: For upgrade information, see the Release Notes included with the NetFlow Tracker release.
System Requirements
The type of system required to run NetFlow Tracker depends on the number of devices sending NetFlow information to it and the amount and nature of traffic handled by those devices.
Hardware Requirements
The following requirements are a guideline. To determine your requirements, test the software's performance in your network environment.
Component: Minimum Requirement
Processor: Intel Pentium D, Core 2 or Xeon or a compatible processor of similar performance. Multiple processors improve performance, but consider these only after increasing RAM and the performance of the disk subsystem.
2 GB. Performance increases with the amount of RAM available for the disk cache and database buffers.
High performance disk subsystem with substantial free space. For all but the lightest loads, use a server RAID card running RAID 5 over at least three high-performance disks. NetFlow Tracker stores and queries real-time data for a week at one-minute granularity. A busy enterprise router can generate between 20 GB and 50 GB of data in this time.
Software Requirements
Note: NetFlow Tracker requires high speed disk I/O to run effectively. If you run antivirus software on the NetFlow Tracker server, you are likely to have periodic issues with storing and accessing flow data.
Software: Requirement
Operating system: English and Chinese language versions are supported.
Windows XP Professional SP2
Windows Server 2003 R2 SP 2
Windows Server 2003 SP 2
Windows Server 2000
Linux: NetFlow Tracker has been tested and is supported on Red Hat Enterprise Linux 5 and Fedora Core 8 running Java 1.6.0_05 or later and MySQL 5.0 (Intel-compatible processor). For more information on installing NetFlow Tracker on other Linux distributions, contact Fluke Networks TAC.
Browser: MS Internet Explorer (IE) 7.0; IE 6.0 with SP1, critical updates; Firefox 3.0. Other web browsers may run but have not been tested.
Java 2 Runtime Environment SE v1.6.0_05 or later
MySQL 5.0, installed with NetFlow Tracker
Adobe Acrobat Reader 6.0 or later
NetFlow Tracker uses a version of MySQL that differs significantly from that used by Fluke Networks NetFlow Monitor, NetWatch and ResponseWatch products. If you install NetFlow Tracker on a server running one of these products it will not function correctly. Likewise, if you install one of these products on a server running NetFlow Tracker, neither product will function correctly.
NetFlow Tracker contains an embedded web server. Web servers normally run on port 80, but another web server on your system may be using this. You can choose a different port during installation or disable other web servers prior to installation.
If you have previously configured a router for NetFlow Monitor, note: NetFlow Tracker requires a different active flow timeout or long aging timer.
To install NetFlow Tracker:
1. On the Welcome screen, click Next.
2. On the License Agreement screen, accept the agreement and click Next.
3. On the Customer Information screen, enter your name and organization name. Choose whether to install the software for yourself only or for every user that logs in to the system. If you install the software for yourself, only you will see the shortcut to the web front-end and only you can uninstall the software. Click Next.
4. On the Setup Type screen, choose:
   Complete to install NetFlow Tracker to the nfNetFlow Tracker folder on your system drive and MySQL to the MySQL folder on the same drive. The internal web server will run on port 80 if available. If port 80 is unavailable, you are prompted to choose another. Click Next. Proceed to step 7.
   Custom if you want to change the install folders or choose a different port even if 80 is available. Click Next.
5. If you chose Custom, the Custom Setup screen is shown. You can change the install folder for NetFlow Tracker and MySQL. Select the feature and click Change. Click Next.
6. If you chose Custom setup or if port 80 is in use, the Select HTTP Port screen is shown. Select a port and click Test to check if it is available. Click Next.
7. On the Ready to Install screen, click Install. Installation takes several minutes. If installation stops for longer than that, contact Fluke Networks TAC.
8. When installation completes, click Finish.
After installation, a shortcut is placed in the NetFlow Tracker folder under Programs in the Windows Start menu.
After installation, you can set up NetFlow Tracker to monitor data. Topics include: Opening NetFlow Tracker, Selecting a Language, Setting up NetFlow Tracker, Viewing Version Information.
Click the splash screen to dismiss it. The Network Overview page is shown. If you have not yet configured NetFlow Tracker, the Network Overview page has no data. In the upper left part of the interface, select Main Menu > Settings. Configure the settings required so that NetFlow Tracker can start monitoring data. See Setting up NetFlow Tracker.
If you have already configured NetFlow Tracker, data is shown on the Network Overview page. See Viewing Network Overview Data on page 30.
Note: If you have password protection enabled you may need to log in as an administrative user to see the Main Menu > Settings link. See Applying Security Settings on page 26. The Settings link is not shown for NetFlow Trackers that have a portal secret configured in the Visual Performance Manager.
Selecting a Language
You can view the NetFlow Tracker interface in English or in Chinese, depending on the language settings of your browser. To change language settings:
1. Access the language selection dialog:
   In Firefox, select Tools > Options. From the General tab (in Firefox 2.0) or Content tab (in Firefox 3.0), under Languages, click Choose.
   In Internet Explorer, select Tools > Internet Options. From the General tab, click Languages.
Chinese/China [zh-cn]
English/United States [en-us]
3. Select the language you want to use and click Move Up to place it at the top of the list.
4. Click OK. Then click OK again in the Options or Internet Options dialog.
Once NetFlow Tracker begins collecting data you can apply additional data filtering and management settings. For more information, see Chapter 8, Optimizing NetFlow Tracker. When applying settings, note:
Each settings page controls a single aspect of the software. To apply changes, click OK on that page. To return to the main Settings page without applying changes, click Cancel.
Use the session path link on settings pages to return to the main Settings page. Using the web browser's Back button can cause you to lose changes.
Setting up Licensing
Use the Licensing page to apply a new full or trial license or check the status of an existing license.
To install a license:
1. Select Main Menu > Settings > Licensing.
2. Add license information:
   If from a file, click Browse, locate the file, and select it. Then click Load.
   If text, enter or paste the text and click Decode.
3. Click OK.
4. Assign each device its own listening port.
5. Click OK. If you receive an error message, one or more ports are already in use. An asterisk (*) marks these ports. Remove these ports and add others until no errors remain.
4. Leave the default settings for timeout (5000 ms) and number of attempts (3) used for SNMP requests.
5. Click OK.
To configure devices:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See Device List on page 20.
3. Apply General settings:
   Override the name detected using SNMP.
   Choose whether to archive real-time data from the device. Note: When you archive data, all NetFlow data monitored by the device is archived.
Show interface descriptions entered on the network device or leave the default setting. Default does not show the interface descriptions.
Use SNMP if the device supports SNMP. Let NetFlow Tracker use SNMP to scan a device, because the numbers used to identify the inbound and outbound interfaces in NetFlow exports are not constant and SNMP is the only way NetFlow Tracker can make a correct correlation between an identifier and a physical interface or port. Select an SNMP version (SNMP v1 or SNMPv2c) and enter a community name.
Don't use SNMP if the device does not support SNMP. This assigns default properties to each interface encountered in NetFlow exports from the device.
Keep current configuration to freeze a device's configuration. This ignores any new interface encountered, so use this with caution.
To rescan an SNMP device using the SNMP version and community specified in the page, click Rescan. This scans but does not save the settings. You must click OK on the Device Settings page to apply changes. Because NetFlow Tracker rescans a device when the software restarts, a new interface is encountered, or the device reboots, you do not normally have to manually rescan a device.
5. Apply BGP settings if BGP is used:
   Local AS: The local AS number is required to get correct AS numbers for traffic routed to or from the local AS. If BGP is not used, leave this setting blank.
   Store peer/origin ASes: For a device that can send both the peer and origin AS number for each NetFlow record, choose which AS numbers are stored in the database.
   Store BGP next-hop: For a device that can send the BGP next-hop address in its NetFlow exports, store this value in place of the IP next-hop for the device.
Scale sampled data: If a device samples packets to simplify the generation of NetFlow data, select this to scale each NetFlow record by the sampling interval and thus produce traffic and packet rates that more accurately reflect the real levels.
Scaling factor: In most cases NetFlow Tracker can extract the sampling interval from the NetFlow data. If it cannot, then supply a scaling factor.
7. Apply Traffic Class settings. See Applying Traffic Class IDs on page 21.
8. Apply Identified Applications settings. See Applying Identified Applications on page 21.
9. Apply settings for interfaces. See Applying Interface Settings on page 22.
Device List
Use the device list on the Device Settings page to check the status of known devices and override the interface descriptions and speeds collected by NetFlow Tracker. When it starts, NetFlow Tracker performs an SNMP scan to populate this list. When devices reboot, they are rescanned. The name and address of each known device are listed, along with a status indicator:
(exclamation point): Indicates that NetFlow Tracker could not contact the device using SNMP or that the device is ignored due to a license violation.
(hourglass): Indicates that the device is being scanned and cannot be edited. To see if scanning has finished, click Refresh.
No icon: The device is working correctly.
Click a device name to edit its settings.
Note: Any changes you make to any device are only applied when you click OK in the main Device Settings page.
4. On the Traffic Class Names page, enter a unique identifier and name. Click Add.
5. To delete an ID, select its checkbox and click Delete.
6. Click OK.
7. Click OK in the device's settings page.
mapping from the device-specific protocol or service ID to the NetFlow Tracker identified application for each device.
To add application identifiers:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See Device List on page 20.
3. Expand Identified Applications and click add/delete in the Identified Applications column header.
4. On the Identified Application Names page, enter an identifier and name. Click Add.
5. To delete an ID, select its checkbox and click Delete.
6. Click OK.
7. Click OK on the device's settings page.
option is useful to remove interfaces that do not report NetFlow data from reports.
To apply interface settings:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See Device List on page 20.
3. Expand Interfaces. You have the following options:
   a. Enter an interface name and description.
   b. Enter the speed.
   c. To associate an interface with a VPN, click add/delete in the VPN column header. On the VPNs page, enter a unique ID and name for each VPN. The description is optional. To delete a VPN from the list, select its checkbox and click Delete. Click OK. In the VPN column on the device's settings page, select from the drop-down list. If the interface is not part of a VPN, leave the setting at none, and make sure that the P interface(s) on an MPLS PER have their VPN set to none also because they carry traffic from multiple VPNs.
   Note: VPNs are assigned to interfaces by name, so each VPN must have a unique name.
4. To mark an interface as inactive, check its Inactive box.
5. Click OK.
6. Click OK on the Device Settings page.
Deleting a Device
You can delete a device from the device's settings page.
Note: When you delete a device, if the device is still sending NetFlow data to NetFlow Tracker it will reappear after you delete it.
To delete a device:
1. From the NetFlow Tracker Main Menu, select Settings > Device Settings.
2. Select a device from the Device List. See Device List on page 20.
3. On the Device page, click Delete. Note: If you cancel the deletion at this point, you will lose any other changes you have made on the setting page.
4. Click Yes to continue.
5. On the Device Settings page, click OK. If you click Cancel, the device will remain, but other changes you applied will be lost.
Item: Definition
Average sample storage duration: Length of time it takes the system to store a one-minute sample of real-time data. If this is more than fifteen seconds, the system is overloaded.
Last long-term database maintenance duration: Length of time it took to perform the last update of the long-term database. If this took longer than two to three hours, consider reducing the number of long-term reports or the number of devices they cover, or setting some long-term sample sizes to zero.
Item: Definition
Last real-time database maintenance duration: The length of time it took to perform the last reorganization of the real-time database. If this took longer than 30 minutes, it may indicate a performance problem on the server, too much data in the database, or not enough memory allotted for NetFlow Tracker.
Shows the number of exports and amount of NetFlow data received from each device. Note: This is not the amount of traffic described by the exports but the LAN traffic generated by the exports.
Tracks the total amount of network traffic across all interfaces in each direction as described by NetFlow exports received from each device.
NetFlow Tracker ignores flows that arrive too late to be processed. If you see a large number of ignored flows, make sure that the inactive timeout or short aging time settings on the router are correctly set. For devices that do not have a configurable active flow timeout or if the active flow timeout is not working with a certain device, configure NetFlow Tracker to hold data in RAM longer to prevent ignored flows. See the Hold back real-time data for option in Database Settings on page 89.
Unprocessed flowsets: NetFlow version 9 flows are encoded in a flexible manner using templates exported by the router every few seconds. For several minutes after starting NetFlow Tracker or after a router reboots, NetFlow Tracker may receive flows that it cannot decode. If you do not see data after 10 minutes, check the server, NetFlow Tracker settings, and the router configuration.
Interface scans: NetFlow Tracker scans the interface list of each device exporting to it when the device or NetFlow Tracker software restarts. A large number of rescans, particularly failed ones, indicates a problem.
Missed flows: NetFlow versions 5 and 7 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. It can miss exports due to network congestion or a busy router. If a switch or router is reordering the UDP packets that contain NetFlow exports, missed flows are shown. Each export normally contains data on about 30 flows. Note: If the NetFlow Tracker server is processing a very high volume of data it may drop packets. In this case, increase the receive buffer size in Listener Ports. See Setting up Listener Ports on page 16.
Missed exports: NetFlow version 9 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. Unlike the version 5 or 7 sequence numbers, only the number of missed exports can be counted and not the number of missed flows.
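The sequence-number bookkeeping behind the Missed flows and Missed exports entries can be reproduced outside the product to check how complete an exporter's telemetry is. The Python below is an added example, not NetFlow Tracker code; the class and helper names are hypothetical, the datagrams are constructed samples, and it assumes the standard NetFlow v5 and v9 header layouts (the v5 counter advances by the flows in each export, the v9 counter by one per export).

```python
import struct

# Header layouts (network byte order). Only the sequence fields are used here.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, flow_sequence, engine type, engine id, sampling
V9_HEADER = struct.Struct("!HHIIII")     # version, count, uptime, secs, sequence, source_id
MASK = 0xFFFFFFFF                        # sequence counters are 32-bit and wrap
HALF = 0x80000000                        # gaps at or beyond this are treated as "behind"


def read_sequence(datagram):
    """Return (sequence, step); step is how far the counter moves for this export."""
    if len(datagram) < 2:
        raise ValueError("datagram too short")
    (version,) = struct.unpack_from("!H", datagram)
    if version == 5 and len(datagram) >= V5_HEADER.size:
        fields = V5_HEADER.unpack_from(datagram)
        return fields[5], fields[1]                    # v5 counts flows: step = record count
    if version == 9 and len(datagram) >= V9_HEADER.size:
        return V9_HEADER.unpack_from(datagram)[4], 1   # v9 counts export packets
    raise ValueError("unsupported or truncated export")


class SequenceTracker:
    """Hypothetical tracker; keep one instance per exporting device and engine/source ID."""

    def __init__(self):
        self.expected = None
        self.missed = 0   # flows for v5, exports for v9
        self.late = 0     # exports that arrived behind the counter (reordered)

    def observe(self, datagram):
        sequence, step = read_sequence(datagram)
        if self.expected is not None:
            gap = (sequence - self.expected) & MASK    # modular, so wraparound is not a gap
            if gap >= HALF:
                # Arrived after a later export: the earlier gap was reordering, not loss.
                self.late += 1
                return
            self.missed += gap
        self.expected = (sequence + step) & MASK


def summarize(datagrams):
    """Feed exports in arrival order and return (missed, late)."""
    tracker = SequenceTracker()
    for datagram in datagrams:
        tracker.observe(datagram)
    return tracker.missed, tracker.late


def make_v5(sequence, count=30):
    """Constructed v5 export: valid header followed by zeroed 48-byte records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, sequence, 0, 0, 0) + bytes(48 * count)


def make_v9(sequence):
    """Constructed v9 export: header only, source ID 1."""
    return V9_HEADER.pack(9, 0, 0, 0, sequence, 1)


if __name__ == "__main__":
    a, b, c = make_v5(0), make_v5(30), make_v5(60)
    print("v5 in order        :", summarize([a, b, c]))
    print("v5 one export lost :", summarize([a, c]))
    print("v5 reordered       :", summarize([a, c, b]))
    print("v9 two exports lost:", summarize([make_v9(100), make_v9(101), make_v9(104)]))
```

A non-zero late count alongside missed flows points at packet reordering on the path rather than loss, which is the case the Missed flows entry warns about.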
Item: Definition
No out interface: The router sends flows with no out interface when an access control list lookup fails or multicast traffic is routed. A high number of flows with no out interfaces is normal.
No in interface: The arrival of flows with no in interface may indicate a configuration problem on a Catalyst switch. Contact Fluke Networks TAC.
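The Unprocessed flowsets entry above follows from how NetFlow version 9 is decoded: a data flowset can only be read once the template with the same ID has arrived from the same exporter. The Python below is an added example, not NetFlow Tracker code; the class, helpers and sample exports are constructed for illustration, and it assumes the RFC 3954 flowset layout with a three-field template (IN_BYTES, IN_PKTS, PROTOCOL).

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, uptime, secs, sequence, source_id


class V9Decoder:
    """Hypothetical minimal decoder: learns templates, counts flowsets it cannot decode."""

    def __init__(self):
        self.templates = {}            # (source_id, template_id) -> [(field_type, length), ...]
        self.unprocessed_flowsets = 0

    def decode(self, datagram):
        version, _, _, _, _, source_id = HEADER.unpack_from(datagram)
        if version != 9:
            raise ValueError("not a NetFlow v9 export")
        records, offset = [], HEADER.size
        while offset + 4 <= len(datagram):
            flowset_id, length = struct.unpack_from("!HH", datagram, offset)
            if length < 4 or offset + length > len(datagram):
                raise ValueError("malformed flowset length")   # also prevents an endless loop
            body = datagram[offset + 4:offset + length]
            if flowset_id == 0:                                # template flowset
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:                            # data flowset, ID = template ID
                template = self.templates.get((source_id, flowset_id))
                if template is None:
                    self.unprocessed_flowsets += 1             # template not seen yet
                else:
                    records.extend(self._decode_data(template, body))
            offset += length
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            pos += 4
            if template_id < 256 or pos + 4 * field_count > len(body):
                break                                          # padding or truncated template
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(field_count)]
            self.templates[(source_id, template_id)] = fields
            pos += 4 * field_count

    @staticmethod
    def _decode_data(template, body):
        size = sum(length for _, length in template)
        records, pos = [], 0
        while size and pos + size <= len(body):                # trailing bytes are padding
            record = {}
            for field_type, length in template:
                record[field_type] = int.from_bytes(body[pos:pos + length], "big")
                pos += length
            records.append(record)
        return records


def flowset(flowset_id, body):
    """Constructed flowset, padded to a 4-byte boundary."""
    pad = -(len(body) + 4) % 4
    return struct.pack("!HH", flowset_id, len(body) + 4 + pad) + body + bytes(pad)


def export(source_id, *flowsets):
    """Constructed export packet; the header count field is not used by this decoder."""
    return HEADER.pack(9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)


# Constructed samples: template 256 = IN_BYTES(1, 4 bytes), IN_PKTS(2, 4 bytes), PROTOCOL(4, 1 byte)
TEMPLATE = flowset(0, struct.pack("!HH", 256, 3) + struct.pack("!HHHHHH", 1, 4, 2, 4, 4, 1))
DATA = flowset(256, struct.pack("!IIB", 1500, 3, 6))

if __name__ == "__main__":
    decoder = V9Decoder()
    print(decoder.decode(export(7, DATA)), decoder.unprocessed_flowsets)   # data before template
    decoder.decode(export(7, TEMPLATE))
    print(decoder.decode(export(7, DATA)), decoder.unprocessed_flowsets)   # now decodable
```

Templates are keyed by exporter source ID as well as template ID, so a template learned from one exporter does not make another exporter's data flowsets decodable.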
Set a custom home page. The default is Network Overview. To use your own HTML page as a custom home page, place it in the customweb folder under the NetFlow Tracker install folder and enter the URL here. For example, if you enter http://server/customweb/file.html the home page is customweb/file.html.
4. If you applied password protection, add user login and password. You may apply user-specific home pages. You must set at least one user as an administrator who can configure settings. Click Add.
5. To delete users, select the user's checkbox and click Delete.
6. Click OK. If you applied password protection or changed your own user login details you must log in again.
After you complete initial setup, real-time data is available within a few minutes. You can view this data in chart and table formats. Topics include: Viewing Network Overview Data, Viewing Devices, Viewing Interfaces, Filtering Real-time Data, Viewing Chart Data.
See also: Database Settings on page 89. Applying General and Real-time Report Settings on page 54.
Viewing options include:
Click a device in the list to see its top applications and busiest interfaces.
Click an interface name to see its top applications and recent traffic.
Right-click a pie segment to create a report for that segment. From the menu, select an item to create another chart for the selected time range.
Hold mouse over a segment to highlight corresponding table row.
Right-click to run an ad hoc report.
Application Conversations
You open the Conversations page for an application by clicking an application on the Top Applications and Interfaces page. This page shows:
Traffic Rate tab: A stacked bar chart and table show the top 10 conversations by percentage of total traffic. The source and destination address, source and destination application, and peak and average traffic rate are shown.
Packet Rate tab: A stacked bar chart and table show the top 10 conversations by packet rate. The source and destination address, source and destination application, and peak and average packet rate are shown.
Interface Conversations
You open the Conversations page for an interface by clicking an application on the Top Applications and Usage page for an interface. This page shows:
In/out Interface - %Usage tab: A stacked bar chart and corresponding table show the top 10 conversations by percentage of total usage. The source and destination address, source and destination application, and the peak and average percentage of usage are shown.
Traffic Rate tab: A stacked bar chart and table show the top 10 conversations by percentage of total traffic. The source and destination address, source and destination application, and peak and average traffic rate are shown.
Viewing Devices
The Devices page (Main Menu > Devices) lists all devices that export flow data. Use this page to identify devices and their interfaces that show high traffic or packet rates (see Figure 2). The page refreshes every minute. Options include: To sort data by device name, address, peak traffic rate, or peak packet rate, click the column header. By default, each peak rate is the highest two-minute rate in the last six hours. This differs if the default time range is altered. Click the Relative Traffic and Relative Packet Rate meters for a device to open a chart of the device's recent activity over time. Each chart is scaled relative to the busiest device. This ensures that a high value on a chart indicates a relatively high traffic or packet rate. By default, the last six hours is shown.
Viewing Interfaces
You can open the Interfaces page for a device by clicking the device name on the Devices page. The Interfaces page lists all known interfaces on the device. Information for each interface includes the interface description, percentage of usage, relative traffic, relative packets, peak percentage of usage In and Out, peak traffic rate In and Out, and peak packet rate In and Out. Options include: Hold your mouse over an interface's name to see its speed, type, and extended description if available. Click column headers to sort interfaces by name, description, peak percentage of usage in either direction, peak traffic rate in either direction, and recent peak packet rate in either direction.
Click an interface name or the % Usage, Relative Traffic, or Relative Packet Rate meters to view detailed data on that interface. A chart shows the interface's recent bi-directional utilization, traffic rate, or packet rate over time (see Figure 3).
Data in meters is scaled in the following ways: The % Usage column scales each row of each chart according to the configured speed of the interface in that direction. The Relative Traffic and Relative Packets columns are scaled relative to the busiest direction of the busiest interface. This ensures that a high value on a chart indicates either high usage or a relatively high traffic or packet rate.
You can change the speed of an interface in Device Settings. You must do this for an asynchronous interface. You can also use the Device Settings page to hide interfaces that never export any NetFlow data. For more information, see Applying Interface Settings on page 22.
Figure 3 Device Interfaces
Note: If you do not want to use a filter, leave it blank. For filters in which you add a range of items, enter the start and end of the range in the boxes provided. To select a single item, leave the right-hand box empty. You can include or exclude the items you select. For filters that have selectable items, select the items in the Available box on the left and click > to move them to the Selected box.
If you are an administrative user or your access to NetFlow Tracker does not require a password, you can save filters for use at another time. Saved filters are available in the Filter drop-down list. You manage saved filters in Report Settings. See Saving Report Filters on page 55.
To filter data:
1. Select Main Menu > Filter Editor.
2. Select a report template and set whether to create a tabular report, chart, or pie chart. For more information, see Appendix B, Report Templates.
3. Set a sample size. NetFlow Tracker picks an optimal sample size for a real-time chart based upon the amount of time covered. To override this, select a number of units. For example, you can create a report covering a day that has hour-long samples.
4. Click Start time/End time or Length to determine how much data the report will include: Pick the date and time of the earliest and latest data to consider. The default start time is six hours before you opened the Filter Editor. Set the length in units. The report will cover that number of units and end at the last full unit before the time it is opened.
5. Set a reload interval. If you selected a unit length or a time range that extends into the future you may want the report to refresh periodically to show new data. If so, enter the number of seconds between refreshes.
6. Select a source device or source data depending on the report:
Source device: Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
Source data: Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection of the source data to create charts showing, for example, a month in day-long blocks.
7. Select a filter from the drop-down list and click Add. The filter is added to the Filter Editor page. See Table 4.
8. Click OK. Click Save to save the filter.
Filter: To Apply...
Time zone: Change the time zone used to interpret the start and end times and time masks. The default is the time zone the NetFlow Tracker server uses.
Time mask: Select a limited time range during a day. For example, to consider only data between 8:30 and 18:00 on a weekday, select Monday, Friday, 8:30 and 18:00 and click Add. Add as many masks as you want. Only data within one or more masked areas is considered. If you do not select a mask then all data between the start and end time is considered.
Report on inbound traffic for an interface or set of interfaces. Available interfaces depend on the filtered source devices.
Restrict a report to just outbound traffic from a set of interfaces. Use this with an In interface filter to report on traffic that took a particular path through a router.
Restrict the report to bi-directional traffic for the selected interfaces.
Restrict a report to just traffic where the inbound interface is part of the selected VPN(s). For this filter to work, you must associate interfaces with VPNs in Device Settings. See Applying Interface Settings on page 22.
Select traffic where the outbound interface is part of the selected VPN(s).
Select traffic where either interface is part of the selected VPN(s).
Restrict the report to traffic with a given source IP address or a set of source IP addresses. Type the address or domain in the box and click Add.
Dest address: Report on data with one of a set of destination IP addresses.
Src/dest address: Consider traffic either originating from or destined for the given addresses.
Protocol: Restrict the set of IP protocols considered. For example, you may want to consider only UDP or ICMP traffic while investigating a denial-of-service attack.
Restrict the source application port number. Use this with the Protocol filter.
Restrict the destination application port number.
Consider traffic with the given port number as either the source or destination.
Source application: Restrict the IP protocol and source application port number. Enter a port number and protocol or select from those configured in the IP Application Names settings page. See Applying Identified Applications on page 21.
Dest application: Restrict the protocol and destination application port, selectable by name.
Src/dest application: Consider traffic using the application as either the source or destination.
Recognized application: Select traffic with the given source or destination application. Consideration of the source or destination application depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which one has the lower port number. See Applying Identified Applications on page 21.
Identified application: Select traffic with the identified application. For NetFlow Tracker to identify applications, the device must support the functionality and you must set its identified application mapping in Device Settings. See Applying Identified Applications on page 21.
ToS: Filter traffic bearing any one of a set of type-of-service (ToS) byte values. Select a priority from 0 to 7 and select Include or Exclude. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select D (delay), T (throughput), R (reliability), or M (monetary cost) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.
DiffServ: Select only traffic bearing one of the selected differentiated service code points. Because DiffServ and ToS use the same field in the IP header, do not use both filters at the same time. You can assign a name to a code point using the DiffServ Names settings page. See DiffServ Names on page 86.
Traffic class: Select traffic within a traffic class. For NetFlow Tracker to identify traffic classes, the device must support the functionality and you must configure its traffic class mapping in Device Settings. See Applying Traffic Class IDs on page 21.
Source AS: Select traffic bearing one of a set of source AS numbers. The router's settings determine whether this is the origin or peer AS. Enter an AS number or select from the set of private-use ASes configured in the AS Names settings page. Note: You cannot select public ASes by name.
Restrict the source data to traffic bearing the destination origin or peer ASes.
Consider traffic to or from the origin or peer ASes.
Select traffic with the source subnet. Enter the network address and mask length or select from the subnets configured in the Subnet Names settings page. Note: The subnet mask used by the router to route the traffic is ignored when applying this filter. See Subnet Names on page 87.
Dest subnet: Select traffic with the given destination subnets. Note: A destination subnet filter of 224.0.0.0/4 will select multicast traffic.
Src/dest subnet: Select traffic to or from the subnets.
Source mask: Select traffic routed using the source network mask.
Dest mask: Select traffic with the destination network mask.
Src/dest mask: Select traffic with the source or destination network mask.
Next hop: Filter traffic based on the next hop used by the router in routing the traffic.
TCP Flags: Filter TCP traffic. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select U (urgent), A (acknowledged), P (push), R (reset), S (synchronized), or F (finished) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.
Duration: Include or exclude traffic based on length of time in milliseconds. Terms: ge (greater than or equal to), le (less than or equal to).
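The per-bit and shared-field behaviour of the Table 4 filters, modelled in Python as an added example (this is not NetFlow Tracker code). The Flow record, its field names and the sample flows are constructed for illustration; the bit layouts are those of the TCP header and the legacy ToS byte.

```python
import ipaddress
from dataclasses import dataclass

# Bit values in the TCP flags byte of a flow record (standard TCP header order).
TCP_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
# Legacy ToS byte: the top three bits are the priority, then D, T, R, M.
TOS_BITS = {"D": 0x10, "T": 0x08, "R": 0x04, "M": 0x02}


@dataclass(frozen=True)
class Flow:  # hypothetical record layout for this example
    name: str
    dst: str
    dst_mask: int   # mask length the router used to route the flow
    proto: int      # 6 = TCP, 17 = UDP
    tcp_flags: int
    tos: int


# Constructed sample flows (documentation and multicast address ranges).
FLOWS = [
    Flow("A", "198.51.100.10", 16, 6, 0x02, 0x00),  # SYN only
    Flow("B", "198.51.100.20", 24, 6, 0x12, 0x00),  # SYN+ACK
    Flow("C", "239.1.1.1", 0, 17, 0x00, 0xB8),      # UDP multicast, DSCP 46
    Flow("D", "203.0.113.5", 24, 6, 0x18, 0x28),    # ACK+PSH, DSCP 10
    Flow("E", "203.0.113.9", 24, 6, 0x10, 0xA0),    # ACK, DSCP 40
]


def bits_match(value, table, wanted):
    """wanted maps a letter to 1 (bit must be set) or 0 (bit must be clear).
    Letters that are left out are ignored, like a blank drop-down list."""
    return all(bool(value & table[k]) == bool(v) for k, v in wanted.items())


def tcp_flags_filter(flow, wanted):
    # Only TCP flows carry meaningful flag bits.
    return flow.proto == 6 and bits_match(flow.tcp_flags, TCP_BITS, wanted)


def tos_filter(flow, priority=None, wanted=None):
    if priority is not None and flow.tos >> 5 != priority:
        return False
    return bits_match(flow.tos, TOS_BITS, wanted or {})


def diffserv_filter(flow, code_points):
    # The code point is the top six bits of the same byte the ToS filter reads.
    return flow.tos >> 2 in code_points


def dest_subnet_filter(flow, cidr):
    # The router's own mask (flow.dst_mask) is deliberately not consulted.
    return ipaddress.ip_address(flow.dst) in ipaddress.ip_network(cidr)


def dest_mask_filter(flow, mask_len):
    return flow.dst_mask == mask_len


def select(predicate):
    """Names of the sample flows that a filter keeps."""
    return [f.name for f in FLOWS if predicate(f)]


if __name__ == "__main__":
    print("S=1, A=0       :", select(lambda f: tcp_flags_filter(f, {"S": 1, "A": 0})))
    print("dest 224.0.0.0/4:", select(lambda f: dest_subnet_filter(f, "224.0.0.0/4")))
    print("dest subnet /24 :", select(lambda f: dest_subnet_filter(f, "198.51.100.0/24")))
    print("dest mask 24    :", select(lambda f: dest_mask_filter(f, 24)))
    print("ToS priority 5  :", select(lambda f: tos_filter(f, priority=5)))
    print("DiffServ 46     :", select(lambda f: diffserv_filter(f, {46})))
```

ToS priority 5 keeps both the DSCP 46 and DSCP 40 flows, which is why the two filters overlap when applied together; flow A matches the destination subnet filter even though the router routed it on a /16.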
Select the entire time range, zoom, and perform other actions. View data from an earlier or later date.
Chart navigation and viewing options include: To view an earlier or later date, click (forward or back) at the upper left corner of the chart. Note: When you move forward or back, the chart does not refresh. In drill-down charts, to change the chart view, select a different tab above the chart.
To get more details on an item in the chart or table, click its link. To zoom in to the center of the chart, click . To zoom in on a particular selection, first select that time range. Zooming in stops the chart from refreshing. To zoom out from the center of the chart, click . Zooming out also stops the chart from refreshing.
To select a time range, click and drag the mouse across the chart. You can then zoom in on the selection. To select the entire time range, click .
To drill into selected data, select a time range and right-click the selection. From the menu, select an item to create another chart for the selected time range. To view data as a pie chart, click . See Working with Pie Charts on page 43. To view data in a table, click . See page 44.
To view resolved domain names if a chart shows IP addresses, hold your mouse over the address. To refresh the view, click .
To reload the chart with all resolvable domain names shown, click (resolve all). To revert from viewing resolvable domain names and view only IP addresses, click (resolve available). To convert a chart to a CSV file, click . You are prompted to open or save the file. To print the chart, click .
To return to the standard chart view, click .
Hold your mouse over a pie segment to highlight data in the table. Right-click a pie segment to create a report for that device. From the menu, select an item to create another chart for the selected time range.
view shows the entire time range in one table. It also shows every contributing element rather than just the largest ones.
Figure 7 Table Report
Select and click Go to drill into row's data.
Options include: To return to the standard chart view, click .
To navigate through tables of more than 25 rows, use the page navigation at the top of the table. To go to a specific position in the view, click in the scrollbar. A blue line or box on the scrollbar indicates the page shown and how much of the view the page represents. To sort items by name, address, traffic rate, or packet rate, click the column heading. Click again to sort items in the opposite order. In reports, to drill into a row's data, select the radio button at the left of a row. (You can select only one row at a time.) Select a subreport type from the drop-down list at the bottom of the page and click Go. For example, if you are viewing a report of source applications, you can select an application and view source addresses using that application. For more information, see Appendix B, Report Templates.
Use long-term reports (Main Menu > Long-term Reports) to view aggregated data for periods up to multiple years at a granularity level you define in Database Settings. NetFlow Tracker provides reports on top devices and interfaces. To view custom long-term data, you must set up a long-term report. Because data is aggregated, long-term reports can take less time to run than real-time reports. Topics include: Viewing Long-term Network Overview Data; Viewing Long-term Device and Interface Data; Filtering Long-term Data.
See also: Database Settings on page 89. Creating Long-term Reports on page 60.
A pie chart, stacked bar chart over time, and table showing the top five applications plus Other by percentage of total traffic rate. Average and peak traffic rates are also shown. Tables showing the top five in and out interfaces by average and peak percentage of usage. Tables showing the top five in and out interfaces by average and peak traffic rate.
Viewing options include: Click a device in the list to see its busiest interfaces. See Viewing Interfaces on page 34. Click an interface name to see its recent usage percentage, traffic rate, and packet rate data. Right-click a pie segment to create a report for that device. From the menu, select Source Addresses, Destination Addresses, or Recognized Applications to create another chart for the selected time range.
The granularity of long-term report data is based on your database settings. See Database Settings on page 89.
A selector at the bottom of the page lets you change the time range of the current report or chart, and any reports or charts opened by interacting with it. Time options span from hours to years. The default setting is seven days, based on the time zone of the NetFlow Tracker server. To change this setting, see Creating Long-term Reports on page 60. Note: If you zoom into or out of a long-term chart or drill into a selection (other than one selected using Select All), the time range selector is not available on the resulting chart. The long-term Devices and Interfaces pages show the peak and average traffic and packet rates. By contrast, real-time pages show the peak and most recent rates. When you select a range of time on a long-term device or interface chart and right-click to drill down, you can only access reports created as per-device, per-inbound interface or per-outbound interface in Report Settings.
See also: Viewing Devices on page 33. Viewing Interfaces on page 34.
2. Select a long-term report and set whether to create a tabular report, chart, or pie chart.
3. For Source Data, select the data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the selection of the source data to create charts showing, for example, a month in day-long blocks.
4. Click Start time/End time or Length to set how much data the report will include: Pick the date and time of the earliest and latest data to consider. The default start time is six hours before you opened the Filter Editor. Set the length in units. The report will cover that number of units and end at the last full unit before the time it is opened.
5. Select a source device or interface to report upon. To select more than one device or interface you must save the filter.
6. To add a Time zone or Time mask filter or a saved filter, select from the drop-down list and click Add. The filter is added to the Filter Editor page. For more information, see Table 4 on page 38.
Click OK to apply the filter settings. The filter is directly applied. Click Save to save the filter for future use. See Saving a Long-term Filter.
6: Setting up Reports
Use the Report Settings page (Main Menu > Settings > Report Settings) to set up all reports and charts. Topics include: Reports Overview; Applying General and Real-time Report Settings; Saving Report Filters; Scheduling Reports; Creating Long-term Reports; Creating Executive Reports.
Reports Overview
You can create three types of reports:
Real-time reports: View the last seven days of data (by default) in real-time at one-minute granularity.
Long-term reports: View aggregated data for up to multiple years at a granularity level you define in Database Settings.
Executive reports: An executive report is a pre-configured template that contains one or more reports or charts and HTML content that you define. Use an executive report to access often-used reports or to group related reports on one page.
Note: Avoid reporting from multiple devices and over long periods of time. Doing so can cause NetFlow Tracker to count some traffic multiple times.
Section: General
Option: Definition
Show hostnames in reports: Open reports and charts with all resolvable hostnames resolved and shown by default.
Show chart legends in descending order: Show the rows of a chart legend in the same order as the corresponding table or as the areas shown on the chart.
Show interface descriptions: Use the description of an interface, when available, in filter descriptions instead of the name.
Work around click to activate: Enable or disable the work-around for the click to activate and use this control message that appears over chart applets in Internet Explorer. Some combinations of operating system, browser, and Java plug-in do not work correctly when this is enabled. If applets do not show correctly or drilling down does not work, turn off this setting.
Set the default page size in a PDF version of a report or chart. If a report is too wide to fit on a page, the page is made proportionally bigger.
Set the orientation of the report. Leave blank for portrait.
The number of rows shown on each page of a tabular report. Note: Device and interface status reports show all rows on a single page.
Elements considered per chart block: Determine the accuracy of a real-time chart. When a chart is generated only the largest elements are considered from each block. Because the highest overall elements may not be the highest elements in each block of the chart, set more elements from each block than the number of charted elements.
Charted elements: Set the maximum number of elements displayed on a chart, excluding the Others element.
Default time range: Set the time range used for any real-time report or chart where a time range is not specified. This is the time range of the Network Overview, device, interface, and AS status reports and charts and the default time range selected in the Filter Editor.
Reload interval: Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts.
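Why the number of elements considered per chart block should exceed the number of charted elements, shown with a simplified Python model (an added example, not NetFlow Tracker's implementation). The block data is constructed, and treating Others as everything not charted is an assumption of this sketch.

```python
from collections import Counter

# Constructed per-block byte counts: "c" is never in the top two of any block,
# yet it is the largest element over the whole chart.
BLOCKS = [
    {"a": 100, "b": 90, "c": 80, "d": 5},
    {"e": 100, "f": 90, "c": 80, "d": 5},
    {"g": 100, "h": 90, "c": 80, "d": 5},
]


def top(counts, n):
    """Largest n items, ties broken by name so the result is deterministic."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def build_chart(blocks, considered, charted):
    """Keep only the `considered` largest elements of each block, sum them
    across blocks, then chart the `charted` largest totals plus Others."""
    totals = Counter()
    grand_total = 0
    for block in blocks:
        grand_total += sum(block.values())
        for name, value in top(block, considered):
            totals[name] += value
    series = dict(top(totals, charted))
    # Assumption: Others is all traffic that is not in a charted series.
    series["Others"] = grand_total - sum(series.values())
    return series


def exact_chart(blocks, charted):
    """Reference result with every element of every block considered."""
    return build_chart(blocks, max(len(b) for b in blocks), charted)


if __name__ == "__main__":
    print("considered=2:", build_chart(BLOCKS, considered=2, charted=2))
    print("considered=3:", build_chart(BLOCKS, considered=3, charted=2))
    print("exact       :", exact_chart(BLOCKS, charted=2))
```

With two elements considered per block, the busiest element over the whole period never reaches the chart and its traffic is folded into Others; considering three per block reproduces the exact result for this data.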
To change the order in which saved filters appear, click the up or down arrows.
Click OK.
Scheduling Reports
You can set up any real-time, long-term, or executive report as a scheduled report that you can email or save to a server location based on that schedule. In addition, you can generate scheduled reports on demand if they are included in the Reports page.
Enter name, select type, and click New. Set report distribution.
To create a scheduled report:
1. Select Main Menu > Settings > Report Settings.
2. Expand the Scheduled Reports setting (see Figure 9).
3. To receive reports by email: For Email server address, enter the IP address or domain name of the SMTP server used to send scheduled report emails. For Send emails from, set the email address that is used as the From: address of mails sent by NetFlow Tracker.
4. To save reports to a server, for Save reports to, enter the folder where scheduled reports are saved. You can override this default location for any scheduled report.
5. Under Scheduled Report Name, enter a name. Use only alphanumeric characters.
6. Select a report type: Real-time, Long-term, Executive, or Custom. Choose Custom to create a report based on custom parameters. See Appendix C, Report URL Parameters.
7. Click New. The New Scheduled Report page is shown (see Figure 9). Here you can set up the report parameters (see Table 6).
8. Click OK. The scheduled report is added to the list on the Report Settings page.
9. In the Scheduled Reports list, you have the following options: To edit or delete a report, click its name. To copy a report, click its icon. To change the order in which reports appear, click the up or down arrows.
Option: Definition
ID: The report's identification number.
Name: The report name. Use only alphanumeric characters.
Description: The report description.
Include in reports menu: Show the report in the Reports page.
Run on demand: The report does not automatically generate and appears only in the Reports page.
Run once: The report runs once at the specified time on the date supplied for Begin running this schedule on.
Run every day: The report runs every day at the specified time, starting on the specified start date and optionally finishing in the specified end date.
The report runs on the specified days of every week.
The report runs on either the specified date of each month or on the specified week day (for example, the first Monday of each month).
Begin running this schedule on: Set the beginning date for the schedule.
End this schedule on: Set the end date for the schedule.
Delete report after schedule ends: If you select an end date, select this to delete the report on that date. Saved output is not deleted. Tip: You can use this with the Run once schedule option to run a particularly time-consuming report.
Output as: Options are PDF, HTML single file (MHTML), HTML zipped (which contains the HTML, stylesheets, and images), CSV, and XML. When a report is generated on-demand from the Reports page it is formatted in the normal interactive HTML format.
Save the report to a specified folder on the server.
Email the report as an attachment to the specified address. Enter the subject line and body of the email.
Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters to alter anything about the report that is not configurable using the Filter Editor.
Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts.
Set the source device or the source data sample size depending on the report.
Source device: Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
Source data: Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Select a filter and click Add. See Table 4 on page 38. Add a custom parameter name and value and click Add. See Appendix C, Report URL Parameters.
To create a long-term report:
1. Select Main Menu > Settings > Report Settings.
2. Expand the Long-term Reports setting (see Figure 10).
3. For Elements stored per sample, set the number of elements to store per sample. This controls the accuracy of long-term charts and tabular reports. It is similar to the number of elements considered per chart block.
4. For Tabular report rows, set the maximum number of rows to show on a tabular report. Note: The accuracy of a long-term tabular report depends upon the number of elements considered per sample.
5. For Charted elements, set the maximum number of elements shown on a long-term chart, excluding the Others element.
6. Select Standard long-term reports are disabled to turn off the standard set of per-device and per-interface long-term reports.
7. For Default time range, set the time span used for any long-term report where one is not set on a specific report.
8. Enter a report name. Use only alphanumeric characters.
9. Under Report Template, select a template. See Appendix B, Report Templates.
10. Select a report type. For more information, see Table 7.
11. Click New. The New Long-term Report page is shown (see Figure 9). Here you can set up the report parameters (see Table 6).
12. Click OK. The long-term report is added to the list on the Report Settings page.
13. In the Long-term Reports list, you have the following options: To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report. To copy a report, click its icon. To change the order in which reports appear, click the up or down arrows.
Option: Definition
ID: The report's identification number.
Name: The report name.
Report Template: See Appendix B, Report Templates.
Type:
Basic: Select source devices and interfaces for the report.
Per source device: Run this report on all source devices.
Per inbound interface: Run this report on all inbound interfaces.
Per outbound interface: Run this report on all outbound interfaces.
Storage Options: Set the length of time to store data and its granularity. Note: Storage settings can impact system performance. See Database Settings on page 89.
Set the source device or the source data sample size depending on the report.
Source device: Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
Source data: Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Select a filter and click Add. See Table 4 on page 38. Add a custom parameter name and value and click Add. See Appendix C, Report URL Parameters.
To create an executive report:
1. Select Main Menu > Settings > Report Settings.
2. Expand Executive Reports (see Figure 11).
3. Enter a report name and click New.
4. On the New Executive Report page, apply the following settings:
a. Enter a report ID, name, and description. For the name, use only alphanumeric characters.
b. Check Include in reports menu to show the report on the Reports page. Note: Use unfiltered sub-reports with care if you select this. You will not be able to filter the executive report from the Reports page.
c. Under Sub-report tag, enter the name of a sub-report to embed in the executive report. Select a type: Real-time, Long-term, or Custom. Click New. On the Sub-report page, set the parameters for the sub-report (see Table 8) and click OK. You can add as many sub-reports as you want.
Click Add Row to add a content row to the executive report. You can then add cells to the row. Each row has one or more cells. You can set up a cell to span a number of columns. There are two types of cells: sub-report cells and HTML cells. See Adding a Sub-report Cell on page 66 and Adding an HTML Cell on page 68.
5. Click OK. The executive report is added to the list on the Report Settings page.
6. In the Executive Reports list, you have the following options: To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report. To copy a report, click its icon. To change the order in which reports appear, click the up or down arrows.
Option: Definition
Tag: The sub-report name.
Report template: See Appendix B, Report Templates.
Sample size: Length or Default/custom: Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters. Note: If you select Default/Custom and do not add custom time range parameters, the time range is passed to the executive report, or the default real-time or long-term time range, according to the report.
Reload interval: The number of minutes between refreshes of the device, interface, and AS status reports and charts.
Source device or Source data: Set the source device or the source data sample size depending on the report.
Source device: Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
Source data: Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Select a filter and click Add. See Table 4 on page 38. Add a custom parameter name and value and click Add. See Appendix C, Report URL Parameters.
Option: Definition
Sub-report: Sub-report name.
Output as pie chart: If the sub-report is a chart over time, select to output a pie chart.
Sections: Select the sections of the sub-report you want the cell to display.
Controls: Select the user-interface controls to enable.
Option
Columns Chart Output Parameter Name and Value New Window Drilldown Settings
Definition
Select which columns to show. If the sub-report is a chart or pie chart, select which chart to show. Enter a custom parameter name and value and click Add. See Appendix C, Report URL Parameters. Select to include all sections, controls, and columns in the drill-down window. If you have set the Drilldown or Open in a new window options for a report cell, you must also set how the URL is modified to create the new window. You can show all sections and columns and allow all controls (which is usually the case for a complex layout). You can also specify custom parameters. Note: To remove a parameter from the new window's URL, leave its value blank.
Enter a custom parameter name and value and click Add. See Appendix C, Report URL Parameters.
When an executive report is formatted as PDF only the three standard styles are used and all HTML tags are removed from the text.
You can control the layout of the report by moving rows up and down and cells left and right within their rows. To create complex layouts, make cells span multiple columns.
To increase the cell by a column, click .
To decrease the cell by a column, click .
To delete a cell or row, click .
Topics include: Alarms Overview, Configuring Alarms, Configuring Notification Settings, and Viewing Events.
Alarms Overview
Alarms are proactive notifications of user-impacting performance problems on the network. Alarms are triggered by events: problems or other important incidents on the network. When configuring an alarm, you choose the alarm type, metric, and the threshold type for permitted performance. You can set thresholds from specified values or from a baseline. NetFlow Tracker supports two types of alarms:
Threshold alarms indicate changes in performance for a selected metric, such as traffic rate or conversation rate over time, based on the filters applied in the alarm. Threshold alarms compare recent performance against configured thresholds. They can use a baseline or specified values.
Profile alarms indicate changes in the network. For example, the Recognized Applications profile alarm indicates which applications make up the traffic or packets observed in the last minute against the configured baseline. They always use a baseline.
the baseline average and standard deviation. Because a default sensitivity value must apply consistently across many different baselines and also across individual baselines as they change over time, sensitivity is a relative value. There are two types of baselines:
Static: This baseline is calculated at the beginning and not updated. It is useful when performance is usually stable and consistent. In these cases, static baselines are often simpler to configure and maintain than specified value thresholds.
Weekly: This baseline is most useful for detecting sudden changes from recent performance. Weekly updated baselines change to reflect recent performance. As baselines change over time, the thresholds adapt to these changes.
To configure alarm thresholds that use baselines, adjust the sensitivity slider. The maximum sensitivity for both thresholds is 10.
These states are shown in the Alarm List (Settings > Configure Alarms). Only available and complete baselines are used to set thresholds and generate alarms. NetFlow Tracker can collect enough data in a day to create an available baseline. A complete baseline usually takes a week.
Note: When you first install NetFlow Tracker or change alarm parameters, baselines are reset. NetFlow Tracker must learn the normal network performance and generate new baseline profiles. Static baselines are static only after the status is Complete. When the status of a static baseline is Available, the baseline is still adjusting.
To disable Degraded alarms but leave Excessive alarms enabled, set the Degraded threshold to match the Excessive threshold. If your network experiences poor performance that an alarm is not identifying, decrease the threshold. If alarms are being generated but the performance is acceptable, increase the threshold.
Configuring Alarms
Use the Alarm List page (Settings > Configure Alarms) to manage and create alarms. For each alarm, the name, type, template, exceeded and degraded thresholds, filter, and persistent changes settings are shown. Options include: To view events triggered by an alarm, click . See Viewing the Event List on page 79.
To add a new alarm, click New. See Creating an Alarm. To edit an alarm, click its name. To delete an alarm, select its checkbox and click Delete.
Creating an Alarm
In NetFlow Tracker, you can create up to 100 alarms.
To create an alarm:
1. Select Main Menu > Settings > Configure Alarms.
2. Click New. The Create Alarm page is shown.
3. Enter a name.
4. Select an alarm type:
   Threshold Alarm: Indicates changes in performance. You can use a baseline or specified values.
   Profile Alarm: Indicates changes in the network. You can use a baseline only.
5. Select a report template for the alarm.
Select a metric. Available metrics vary based on the alarm type and, for Profile alarms, the report template:
For Threshold alarms, select: Traffic Rate, Packet Rate, Address Pair Rate, or Conversation Rate.
For Profile alarms, select: Traffic Rate, Packet Rate, Destination Address Count, Conversation Count, or Source Address Count.
Set the source device. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices, some or all traffic may be counted multiple times.
Select a filter and click Add. For more information, see Table 4 on page 38.
Set Alarm only for persistent change to exclude alarms that do not fall into a consistent pattern over a 20-minute period and may represent random jumps in data.
Set the threshold type:
Weekly Baseline: The baseline adjusts weekly, based on current data. Adjust the slider to set the alarm sensitivity.
Static Baseline: The baseline does not adjust once it is complete. Adjust the slider to set the alarm sensitivity.
Specified Values: Available only for Threshold alarms. Set the degraded and exceeded thresholds.
For more information, see Thresholds and Baseline Sensitivity.
10. Click OK.
Viewing Events
Events are displayed at one-minute granularity. Events are removed as real-time data is removed, by default after seven days. You can view events in the following ways:
Options include: To view data in chart format based on the report template used, click the alarm name. To view event data for a point in time, right-click and select from the menu. View data in the chart back and forward in time, zoom in and out, or in a table. For more information, see Viewing Chart Data on page 42.
Viewing options include: To view data in chart format based on the report template used, click the alarm name. To view the event lifecycle, click .
severity levels, and a bar chart showing status over its life. Four states are:
Exceeded (Red): The conditions have surpassed the Excessive threshold or baseline setting.
Degraded (Orange): The conditions have surpassed the Degraded setting but have not reached the Excessive setting.
Normal (Green): The conditions have not reached the Degraded setting.
No Data (Black): No data was available.
Click the chart to view data based on the selected alarm template. The resulting chart shows performance against the Degraded and Excessive thresholds for the alarm.
Using Settings, you can determine how data is gathered and managed, and optimize NetFlow Tracker performance. Topics include: Data Display and Filtering Settings, and Data Management and System Performance Monitoring.
For other settings, see: Setting up NetFlow Tracker on page 15. Setting up Reports on page 53. Creating an Alarm on page 75. Configuring Notification Settings on page 77.
The portal's proxy server sends a request to the NetFlow Tracker server that selects the report and contains one of the configured secret values and some access control parameters describing what the user can access:
http://<NetFlow Tracker1>/report.jsp?portalsecret=<secret>&aclif=...
NetFlow Tracker creates a session for the portal and logs it in. This session is restricted so that only requests containing access list identifiers are accepted. The report generated by NetFlow Tracker ensures that any interaction (such as clicking a link) results in a request containing a securely generated access list identifier:
http://<proxy>/NetFlow Tracker1/report.jsp?portalacl=...
The portal's proxy server sends the unaltered request to the correct NetFlow Tracker server:
http://<NetFlow Tracker1>/report.jsp?portalacl=...
Command: RewriteEngine On
Definition: Enables the URL rewriting module.

Command: RewriteRule ^/NetFlow Tracker1/report1$ http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L]
Definition: Sets up a rule to proxy requests for http://<proxy>/NetFlow Tracker1/report1 to an access controlled request to the NetFlow Tracker server.

Command: RewriteRule ^/NetFlow Tracker1/(.*)$ http://1.2.3.4/$1 [P,L,QSA]
Definition: Sets up a rule to proxy any requests for URLs starting with http://<proxy>/NetFlow Tracker1/ to an equivalent request to the NetFlow Tracker server.

Command: ProxyPassReverse /NetFlow Tracker1/ http://1.2.3.4/
Definition: Makes sure that NetFlow Tracker handles the HTTP redirects correctly when it creates a session for the portal and logs it in.
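A check for the proxy's access log that follows from this flow, as an added example (not from the guide or the product): the proxy's own rewrite rule supplies portalsecret and the acl parameters, so a client-side URL that already carries them, in the request or in a Referer, deserves review. The log lines are constructed; the Apache combined log format, the /nft1/ path prefix and the matching of every acl* name are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: the portal's proxy writes Apache "combined" format access logs.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "[^"]*")?'
)
PREFIX = "/nft1/"  # hypothetical path the proxy maps to the NetFlow Tracker server


def proxy_only_params(url):
    """Names of parameters in url that only the proxy's rewrite rule should supply."""
    names = {k.lower() for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    # portalsecret, aclif and acldevice appear in the guide; treating every
    # acl* name the same way is an assumption.
    return sorted(n for n in names if n == "portalsecret" or n.startswith("acl"))


def audit(lines):
    """Return one finding per client-side URL that carries proxy-only parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        places = []
        if urlsplit(m["target"]).path.startswith(PREFIX):
            places.append(("request", m["target"]))
        if m["referer"] and m["referer"] != "-":
            places.append(("referer", m["referer"]))
        for where, url in places:
            params = proxy_only_params(url)
            if params:
                # Parameter names only, so the report never repeats the secret.
                findings.append({
                    "client": m["client"],
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "where": where,
                    "params": params,
                })
    return findings


# Constructed access-log lines (documentation address ranges, made-up values).
SAMPLE_LOG = [
    '203.0.113.10 - alice [12/Nov/2008:10:00:01 +0000] "GET /nft1/report1 HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - alice [12/Nov/2008:10:00:09 +0000] "GET /nft1/report.jsp?portalacl=9f2c41 HTTP/1.1" '
    '200 7311 "http://portal.example/nft1/report1" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2008:10:02:13 +0000] '
    '"GET /nft1/report.jsp?portalsecret=guess1&acldevice=10.0.0.1 HTTP/1.1" 200 7020 "-" "curl/7.19"',
    '203.0.113.44 - bob [12/Nov/2008:10:05:40 +0000] "GET /portal/help.html HTTP/1.1" 200 900 '
    '"http://portal.example/nft1/report.jsp?portalsecret=EXAMPLE&aclif=3" "Mozilla/5.0"',
    '203.0.113.44 - bob [12/Nov/2008:10:06:02 +0000] "GET /index.html?aclif=1 HTTP/1.1" '
    '200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding with where set to referer means the secret has reached a browser-visible URL; a finding with where set to request means a client supplied its own access scope through the QSA rule.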
IP Application Names
Use IP Application Names to apply custom applications and ports that you want to track. You can define simple and grouped applications.
Figure 16 IP Application Name Settings (callouts: Simple applications, Grouped applications)
NetFlow Tracker comes configured with the well-known ports in addition to many others. For a list of all well-known and registered ports, see http://www.iana.org/assignments/port-numbers.
To define a single application:
1. Select Main Menu > Settings > IP Application Names.
2. Under Protocol, select a protocol from the drop-down list.
3. Under Port, enter a port number. By default, ports below 1024 are not shown on this page. To see them, click (more).
4. Under Name, enter a unique name.
5. Click Add. To delete an application, select its checkbox and click Delete.
6. On the IP Application Names page, click OK.
2. On the lower part of the page, enter a unique identification number and name for the application.
3. Set the precedence of the application.
4. Click New. The Grouped Application page is shown.
5. Apply an address range, protocol, port or port range, traffic class, identified application, and click Add. To delete a grouped application, select its checkbox and click Delete. Note: Do not change the identifier of an existing grouped application because long-term data uses this. Use caution when deleting grouped applications.
6. Click OK.
7. On the IP Application Names page, click OK.
DiffServ Names
Use DiffServ Names settings to assign names to each of the 64 differentiated service code points. Standard code point names are already configured.
To add a DiffServ name:
1. From the NetFlow Tracker Main Menu, select Settings > IP Application Names.
2. Enter the DiffServ codepoint and name.
3. Click Add. To remove a code name from the list, select its checkbox and click Delete.
4. Click OK.
To set hostname resolution:
1. Select Main Menu > Settings > Hostname Resolution.
2. Select Enable hostname resolution.
3. Set the length of time to cache successful lookups. The default is 1800 seconds (30 minutes).
4. Set the length of time to cache failed lookups. The default is 10 seconds.
5. Set the maximum number of cached lookups and concurrent resolutions.
6. Click OK.
Subnet Names
Use Subnet Names to assign names to the IP subnets that appear in reports. You define an IP subnet by its network address and mask length. Subnet names you define here are shown in subnet reports. Because routers may use different mask lengths to route different traffic, you can assign names to overlapping subnets.
To set subnet names:
1. Select Main Menu > Settings > Subnet Names.
2. Enter the subnet IP address and a mask.
3. Enter a unique subnet name.
4. Click Add. To delete a subnet, select its checkbox and click Delete.
5. Click OK.
AS Names
Use AS Names to assign names to autonomous system (AS) numbers appearing in reports. AS numbers from 0 to 34816 are assigned by several agencies; NetFlow Tracker comes with many of these ASes already named. You can, however, edit these. Numbers between 34816 and 64511 are held by the IANA and are not available for use. Numbers from 64512 to 65535 are available for use.
The AS names you define here are shown in reports.
To set AS names:
1. Select Main Menu > Settings > AS Names.
2. Enter an AS number. To assign or edit the name of a public or reserved AS, click (more).
3. Enter a unique subnet name.
4. Click Add. To delete a subnet, select its checkbox and click Delete.
5. Click OK.
Database Settings
Use Database Settings to improve the performance of reports and charts and to change the number of days for which data is stored (see Table 11).
Table 11 Database Settings
Option: Expect large result sets
Definition: Controls how the database server manipulates raw data. Leave the default setting, Auto, to let the database optimize itself. If you have a fast disk subsystem, set this to Always to make sure reports with large amounts of data perform well. If you have a slower disk subsystem, a lot of RAM, and a relatively small amount of data, consider setting this to Never. Note, however, that reports with large amounts of data may take much longer to run.

Definition: The maximum amount of memory the database server will use during a query when you do set Expect large result sets to Never. Increasing this increases the amount of data that it can report before performance drops significantly.

Definition: The size of the buffer used to reduce the amount of disk seeks when sorting rows for grouping or final display. Increasing this improves reporting speed. You are unlikely to see any benefit for sizes above 128MB.

Option: Hold back real-time data for
Definition: Set the number of seconds after its end that each one-minute sample of real-time data is held in RAM before being committed to disk. You may need to increase this to avoid ignored flows.

Option: MySQL can not access temporary files
Definition: Leave clear to improve the database performance. However, on Unix if the user you run as has a umask that creates temporary files that MySQL cannot read, check this setting.

Option: Number of threads to use to generate a report
Definition: Set the number of threads used to generate real-time charts over time and pie charts. Do not set this to more than the number of CPU cores in your system. You are unlikely to see any benefit beyond 4.

Option: Store real-time data for
Definition: Change the number of days full real-time data is stored for. Reduce this to save disk space. Increase this if you have enough free space.

Option: Store long-term report data for...
Definition: Change how long the different types of long-term data are stored. Each type of data allows a long-term chart to display blocks of that size. If the block size is not specified when opening a long-term report, then the closest available size to the ideal for the selected time range is used.

Option: Use compression
Definition: Reduce the amount of disk space used. Note: Reducing the disk space is likely to slow down report generation.
Backup
Use Backup settings to back up the configuration of your NetFlow Tracker server and its real-time and long-term databases.
Note: A full backup can take a long time to complete and uses a large amount of disk space. Test the effect a full backup has upon the system before scheduling it.
You can start a backup on demand or configure a schedule. The folder's contents are erased before the backup, so make sure that you move scheduled backups to long-term storage if you need to save space. Schedule a backup to different locations on alternate days.
Backing Up Data
To back up data:
1. Select Main Menu > Settings > Backup.
2. For a scheduled backup:
   a. Enter the scheduled time and days.
   b. Select the databases to include.
   c. Enter the destination folder on the NetFlow Tracker server.
   d. Click Add. To delete a scheduled backup, select its checkbox and click Delete.
3. Enter the destination folder on the server. Select the databases to include. Click Start.
Click OK.
Archiving
Use Archiving settings to archive real-time data instead of deleting it when it exceeds the length of storage time configured in Database Settings. You can set the archive location and access archived data by mounting the archive containing the data you want to examine and using the Filter Editor. Note: You must enable archiving for each device that you want to archive data from in Device Settings. See Database Settings on page 89.
Archived data is not deleted. You must move archived data to long-term storage in a timely manner.
You cannot mount an archive from a device that was deleted or was never present on the server. Mounting and unmounting archives does not affect the archive file itself. You can restore archived data from NetFlow Tracker v4.0.
You can store all archives in the archive folder or in subfolders for each device or day. To mount an archive: 1 2 3 Select Main Menu > Settings > Archiving. Under Mount Archives, enter the directory containing the archive and click List. Select archives and click Mount. When archives are mounted they appear under Currently Mounted Archives. To unmount these, select and click Unmount. Click OK.
Memory Settings
Use Memory Settings to control the amount of initial and maximum memory used by NetFlow Tracker. During normal operation, NetFlow Tracker uses a small amount of memory, so in most cases you do not need to change the default settings. Note the following:
By incorrectly allocating memory you can prevent NetFlow Tracker from functioning properly.
The Memory Settings page is not available on Unix installations. To change the memory settings on Unix you must edit the start script.
Topics include: Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch; Configuring NetFlow Input Filters for Traffic Class Reporting; Enabling Flow Detail Records on a Packeteer Device; Enabling NetFlow on an Enterasys Device; Enabling sFlow on a Foundry Device.
For information about other supported flow standards and devices, see the Fluke Networks Knowledge Base.
Command: ip cef
Definition: Enables Cisco Express Forwarding, which is required for NetFlow in most recent IOS releases.

Command: ip flow-export destination <address> 2055
Definition: Use the address of your NetFlow Tracker server and one of the ports configured in the Listener Ports settings page. Port 2055 is monitored by default.

Command: ip flow-export source loopback 0
Definition: The source interface is used to set the source IP address of the NetFlow exports that the router sends. NetFlow Tracker makes SNMP requests of the router on this address. If you experience problems, set the source interface to an Ethernet or WAN interface instead of the loopback.

Definition: Sets the export version. NetFlow Tracker supports IOS versions 5 and 9. If you have a Native IOS switch you may need to use version 9 to work around an issue. If your router uses BGP, you can include the origin or peer ASes in exports. You cannot include both. Note: Enabling or disabling NetFlow versions 5 or 9 on a 12000 series router causes packet forwarding to stop for a few seconds while the route processor and line card CEF tables reload. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-configuration file to be executed during a router reboot.

Definition: Breaks up long-lived flows into one-minute segments.

Definition: Makes sure that flows that have finished are exported in a timely manner.
Table 12 IOS NetFlow Commands (continued)

Command:
interface <interface>
ip route-cache flow or ip flow ingress or ip route-cache cef
bandwidth <kbps>
exit
Definition: Enable NetFlow on each interface through which the traffic you are monitoring flows (normally the Ethernet and WAN interfaces). Note: There are several commands to enable NetFlow on an interface and you must use the same command for every interface. ip route-cache flow and ip flow ingress enable NetFlow for inbound traffic on the interface, but you apply the latter to individual sub-interfaces and the former to the physical interface. Do not enable NetFlow for a physical interface and one or more of its sub-interfaces. ip flow egress enables NetFlow for outbound traffic on the interface and is required if you are using input filters. You may enable NetFlow for both inbound and outbound traffic on a single interface. In this case, make sure that no other interface has NetFlow enabled. Egress NetFlow is also useful if you are monitoring a router that applies QoS to the traffic it routes. By using egress NetFlow, you see QoS settings that the router applied rather than those on the traffic before it was routed. You may also need to set the speed of the interface in kilobits per second. It is important to do this for frame relay or ATM virtual circuits. Note: A Catalyst 4000 series switch does not support any of the commands to enable NetFlow for an interface. Instead, NetFlow is enabled for all interfaces using the following special command.

Command: show ip flow export
Definition: Shows the current NetFlow configuration. Issue this in normal (not configuration) mode.

Command:
show ip cache flow
show ip cache verbose flow
Definition: These commands issued in normal mode summarize the active flows and indicate how much NetFlow data the router is exporting.
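A receiving-side check for the export settings in Table 12, as an added example (not from the guide or the product): it decodes NetFlow version 5 export datagrams, reports datagrams of other versions, counts flows missing from the export sequence, and lists flows longer than the one-minute segments the settings are meant to produce. The datagrams are constructed, and the 65-second limit (one minute plus slack) and in-order delivery from a single exporter are assumptions.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte version 5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte version 5 flow record


def export_version(datagram):
    """Every NetFlow export datagram starts with a 16-bit version field."""
    if len(datagram) < 2:
        raise ValueError("datagram too short for a version field")
    return struct.unpack_from("!H", datagram)[0]


def parse_v5(datagram):
    """Decode one version 5 datagram, rejecting truncated or padded input."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated v5 header")
    version, count, _up, _secs, _nsecs, sequence, _etype, _eid, _samp = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not a v5 export (version {version})")
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "octets": f[6],
            # First and Last are router uptime in milliseconds and may wrap.
            "duration_ms": (f[8] - f[7]) & 0xFFFFFFFF,
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
        })
    return {"sequence": sequence, "flows": flows}


def check_exports(datagrams, max_flow_ms=65_000):
    """Summarise versions seen, sequence gaps and over-long flows."""
    versions, long_flows, missed, expected = Counter(), [], 0, None
    for datagram in datagrams:
        version = export_version(datagram)
        versions[version] += 1
        if version != 5:
            continue  # other versions are counted, not decoded
        packet = parse_v5(datagram)
        # The v5 sequence field counts flows exported so far, so the next
        # datagram should start at sequence + number of records.
        if expected is not None and packet["sequence"] != expected:
            missed += (packet["sequence"] - expected) & 0xFFFFFFFF
        expected = (packet["sequence"] + len(packet["flows"])) & 0xFFFFFFFF
        long_flows += [(f["src"], f["dst"], f["duration_ms"])
                       for f in packet["flows"] if f["duration_ms"] > max_flow_ms]
    return {"versions": dict(versions), "missed_flows": missed, "long_flows": long_flows}


def build_v5(sequence, flows):
    """Construct a v5 datagram; flows are (src, dst, first_ms, last_ms, octets)."""
    out = HEADER.pack(5, len(flows), 3_600_000, 1226500000, 0, sequence, 0, 0, 0)
    for src, dst, first, last, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, 10, octets, first, last,
                           1024, 80, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return out


# Constructed sample: a clean datagram, a 30-minute flow (active timeout not
# applied), a gap of 7 flows, and a stub carrying version 7.
SAMPLE = [
    build_v5(100, [("10.0.0.1", "192.0.2.1", 1000, 31000, 5000),
                   ("10.0.0.2", "192.0.2.1", 2000, 61000, 9000)]),
    build_v5(102, [("10.0.0.3", "192.0.2.9", 0, 1_800_000, 7_000_000)]),
    build_v5(110, [("10.0.0.4", "192.0.2.9", 5000, 6000, 400)]),
    struct.pack("!HH", 7, 1) + bytes(72),
]

if __name__ == "__main__":
    print(check_exports(SAMPLE))
```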
Command: mls netflow
Definition: Enables NetFlow on the supervisor.

Command: mls nde sender version 5 or mls nde sender version 7
Definition: Sets the export version. Due to IOS issues, the export version you must use on the supervisor depends on your hardware configuration and IOS version:
Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5. Note: This configuration causes Performance Counters to report missed flows that are not actually missed as a result of an IOS bug fixed in the SXF strains.
Distributed Forwarding Cards and older than 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S or 12.2(17a)SX: This configuration causes serious problems. Contact Fluke Networks TAC if your device matches this description.
No Distributed Forwarding Cards and 12.0(24)S, 12.2(18)S, 12.3(1) or above: Use version 5 and configure the MSFC to export version 9 as described above.
No Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5.
All others: Use version 7. Note: Version 7 may not include AS or subnet mask information.

Command: mls aging long 64
Definition: Breaks up long-lived flows into one-minute segments.

Command: mls aging normal 32
Definition: Makes sure that completed flows are exported in a timely manner.

Command:
mls flow ip interface-full
mls nde interface
or
mls flow ip full
Definition: If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher, you must use the first two commands to put interface and routing information into the NetFlow Exports. This information is unavailable with any earlier IOS version on the Supervisor Engine 2 or 720. If you have a Supervisor Engine 1, use the third command to put full information into the NetFlow Exports.

Command:
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
Definition: A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.
device as for an IOS device, omitting the command ip route-cache flow on each interface, and then issue the following command:
ip route-cache flow infer-fields
In privileged mode on the Supervisor Engine, issue this to enable NDE:

Command: set system name <name>
Definition: Set the name of your switch. Note: Even if the prompt has been set to the name of the switch you still need this command.

Command: set mls nde <address> 2055
Definition: Use the address of the NetFlow Tracker server and one of the ports configured in the Listener Ports settings page. Port 2055 is monitored by default.

Command: set mls nde version 7
Definition: Sets the export version. Version 7 is the most recent full export version supported by switches.

Command: set mls agingtime long 64
Definition: Breaks up long-lived flows into one-minute segments.

Command: set mls agingtime 32
Definition: Makes sure that completed flows are exported in a timely manner.

Command: set mls flow full
Definition: Sets the flow mask to full flows. This is required to get useful information from the switch.

Command: set mls bridgedflow-statistics enable <vlanlist>
Definition: CatOS 7.(2) or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.

Command: set mls nde enable
Definition: Enables NDE.

Command:
show mls nde
show mls debug
Definition: These commands help debug your NDE configuration.
Command:
flow-sampler-map allflows
mode random one-out-of 1
exit
Definition: Create a flow sampler that exports every flow record.

Command:
policy-map netflowpolicymap
class <class>
netflow-sampler allflows
exit
exit
Definition: Create a policy map containing NetFlow sampling actions. You must include each class for which you want information.

Command:
interface <interface>
service-policy input netflowpolicymap
exit
Definition: Associate the policy map with an interface. You must associate the policy map with each NetFlow-enabled interface from which you want traffic class information.
To enable Flow Detail Records:
1. Log in to the PacketShaper in touch mode.
2. Open the flow detail records page on the setup tab.
3. In a collector row, enter the IP address of the NetFlow Tracker server and one of the ports configured in Listener Ports settings (2055 is monitored by default). Packeteer-1 is the recommended record type for use with NetFlow Tracker. Packeteer-2 is not recommended because NetFlow Tracker does not use the extra information and bandwidth is wasted. You can also export NetFlow v5 records. This prevents the Traffic Classes and Identified Applications reports and filters from functioning for the device.
4. Set the value under Enabled to on and click apply changes.
5. To make sure that NetFlow Tracker receives enough information from the PacketShaper device, verify that the Look Community String configured in the SNMP page is set up in SNMP Settings, and set Packeteer-0 Packets to on in the system variables page. If you have a recent version of PacketWise, you may need to change extra settings on the system variables page. Set Intermediate FDR to on, Intermediate FDR Timeout to 30000 milliseconds, and Reset Packeteer 1/2 counters to on. If these settings are not available, then the PacketShaper describes all traffic for a long-lived flow in one record, and NetFlow Tracker counts it all in the minute during which the flow ended. This leads to large spikes in charts for the device.
Command: set netflow cache enable
Definition: Enables NetFlow.

Command: set netflow export-destination <address> 2055
Definition: Use the address of your NetFlow Tracker server and a configured port in the Listener Ports settings page. Port 2055 is monitored by default.

Command: set netflow export-interval 1
Definition: Breaks up long-lived flows into one-minute segments.

Command: set netflow port <port-string> enable
Definition: You must enable NetFlow on each interface through which traffic you are monitoring flows, normally the Ethernet and WAN interfaces.

Command: set netflow export-version 9
Definition: Sets the export version. Version 9 is required for NetFlow Tracker to associate NetFlow information with the interfaces it relates to.

Command: (config)# sflow enable
Definition: Enable sFlow globally

Command: (config)# sflow destination x.x.x.x
Definition: Configure a destination

Command:
(config)# interface eth 1
or
(config)# interface eth 1 to 48
(config-if-1)# sflow forwarding
Definition: Enable sFlow on a port or ports
B: Report Templates
When you create a report or chart you can choose from the report templates, depending on the type of data you want to examine: Address Reports, Session Reports, QoS Reports, Network Reports, Interface Reports, Traffic Identification Reports, Full Flow Forensics Reports, and Other Reports.
Address Reports
Report: Source Addresses
Shows: The IP addresses that were the source of most traffic or packets.

Report: Destination Addresses
Shows: The destination IP addresses that were the destination of most traffic or packets.

Report: Addresses
Shows: Busiest addresses. Includes total traffic, source traffic, destination traffic, total packets, source packets, and destination packets. For each metric, includes percentage of total traffic.
Shows...
The pairs of connected IP addresses that exchanged most traffic or packets. In extra columns, the traffic and packets sent from destination to source for each address pair. The source addresses that conversed with the most distinct destination addresses and that were involved in the most distinct endpoint-to-endpoint conversations. This can help detect file sharing or virus infected hosts. The destination addresses that conversed with the most distinct source addresses and that were involved in the most distinct conversations.
Session Reports
Report: Protocols
Shows: The IP protocols, such as TCP or UDP, used by most traffic or packets.

Report: Source Applications
Shows: The IP applications that were the source of the most traffic or packets. An IP application is a combination of an application port and protocol: for example, HTTP or FTP. You can assign names to applications using the IP Application Names settings page. Examining the source applications inwards on an interface can show you what applications are using your Internet bandwidth.

Report: Destination Applications
Shows: The IP applications that were the destination of most traffic or packets. The destination applications outwards can show the most requested applications on a link.
Report
Recognized Applications
Shows...
The IP applications that were the source or destination of most traffic or packets. Whether the application was the source or destination depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which has the lower port number. The pairs of connected endpoints that exchanged most traffic or packets. A single conversation represents, for example, a web browser downloading a single image. In extra columns, the traffic and packets sent from destination to source for each conversation. The IP addresses and corresponding applications that were the source of most traffic or packets. The top source endpoints inwards on a link are the remote services using your bandwidth. The IP addresses and corresponding applications that were the destination of most traffic or packets. The pairs of connected source endpoints and destination addresses that exchanged most traffic or packets. A session might represent, for example, a web browser downloading several web pages with images from a web server. The pairs of connected source addresses and destination endpoints that exchanged the most traffic or packets. A session could represent a clients requests to a web server for several pages and images. Source and address destination, application, traffic, percentage of total traffic, packets, and percentage of total packets. Data in Sessions report, plus forward and reverse traffic and packets.
Conversations
Client-Server Sessions
Sessions
Bi-directional Sessions
QoS Reports
Report: Types of Service
Shows: The ToS levels with most traffic or packets.

Report: Differentiated Services
Shows: The DiffServ code points with most traffic or packets.
Network Reports
Report
Source ASes
Shows...
The autonomous systems that were the source of most traffic or packets. Note: A switch does not know anything about ASes. The autonomous systems that were the destination of most traffic or packets. Busiest ASes. Includes total traffic, source traffic, destination traffic, total packets, source packets, and destination packets. For each metric, includes percentage of total traffic. The pairs of connected ASes that exchanged most traffic or packets. In extra columns, the traffic and packets sent from destination to source for each AS pair. The IP subnets that were the source of most traffic or packets. Note: A router may not know the subnet of a particular address and a switch never knows it. The IP subnets that were the destination of most traffic or packets. The pairs of connected IP subnets that exchanged most traffic or packets. In extra columns, the traffic and packets sent from destination to source for each network pair.
Interface Reports
Report: Shows...
In Interfaces: The router interfaces or switch ports that were the arrival point of most traffic or packets. Note: This is only meaningful for the outwards direction.
Out Interfaces: The router interfaces or switch ports that were the departure point of most traffic or packets. Note: This is only meaningful for the inwards direction.
Interface Pairs: In and out interfaces, in and out percentage of usage, traffic, percentage of total traffic, packets, and percentage of packets for devices.
VPNs: The VPNs with most traffic or packets. You must associate interfaces with VPNs in Device Settings for this report to function.
Next Hops: The next-hop addresses that received most traffic or packets. Note: Only a router can supply a next-hop address.
Shows...
Identified applications with the most traffic or packets.
Traffic classes with the most traffic or packets.
Shows...
TCP flag, traffic, percentage of total traffic, packets, and percentage of total packets.
Flows ranked by duration, the full length of a flow. Includes amount of traffic, percentage of total traffic, number of packets, and percentage of total packets.
Start and end times, source and destination addresses and applications, in and out interfaces, TCP flags, and traffic for each flow.
Other Reports
Report: Shows...
Total Address Pairs: Total number of address pairs.
Total Conversations: Total number of conversations.
Total: Traffic, percentage of total traffic, packets, and percentage of total packets.
In addition to the filters used when configuring NetFlow Tracker reports, you can apply additional custom parameters to further define data. You can generate your own URLs or modify automatically created ones for use in network management portals favorites lists.
Table 18 Customizable Filter Parameters
Parameter: Specifies...
templid: The report template to use.
id: The long-term report to open.
cid: The executive report to open.
output: The type of report to generate: tabular or chart.
nrecords: The number of rows to show per page of a tabular view.
others: That a tabular view shows an others row instead of a page navigator.
visible: A visible column of a table or chart.
nelements: The number of elements to chart.
chartTitle: The chart to show.
chartWidth: The width of the chart.
chartHeight: The height of the chart.
sections: The report sections to output.
features: The available interactive report features.
resolve: How domain names will be handled in a report with an IP address column.
format: The output format of the report or chart.
reload: The number of seconds between automatic refreshes of the report.
splash: Show the splash screen.
stime: The start of the required time range.
etime: The end of the required time range.
length: The length of the required time range.
unit: The unit to measure the time range in.
nunitsago: The number of units before the time of report generation the time range should end.
nunits: The number of units required.
date_unit: The unit to measure how long before the report is generated the time range starts and ends.
sdate_unit: The unit to measure how long before the report is generated the time range starts.
sdate_nunitsago: The number of units before the time of report generation of the first day of the time range.
edate_unit: The unit to measure how long before the report is generated the time range ends.
edate_nunitsago: The number of units before the time of report generation of the last day of the time range.
stime: The time of day at which the time range starts (simple calendar).
etime: The time of day at which the time range ends (simple calendar).
timemask: An inclusive mask to apply to the time range.
timezone: The time zone of the view.
sample_unit: The unit to measure the sample size in.
sample_nunits: The number of units in each sample.
range: The source long-term data to use.
sample: The source long-term data to use.
sf: Saved filter to apply to the report.
device: The address of a permitted NetFlow-exporting device.
inif: A permitted input interface, thus selecting inbound traffic on the interface.
outif: A permitted output interface, thus selecting outbound traffic on the interface.
if: A permitted input or output interface of the flow, thus selecting traffic passed in both directions across the interface.
invpn: A Virtual Private Network (VPN) that the input interface must be part of.
outvpn: A VPN that the output interface must be part of.
vpn: A VPN that either interface must be part of.
srcaddr: A permitted source address.
dstaddr: A permitted destination address.
addr: A permitted source or destination address.
proto: A permitted IP protocol.
srcport: A permitted source application port number.
dstport: A permitted destination application port number.
srcappl: A permitted source IP application.
dstappl: A permitted destination IP application.
appl: A permitted source or destination IP application port.
recappl: A permitted recognized IP application port.
applid: A permitted identified application.
tos: A permitted Type-of-Service byte.
ds: A permitted differentiated service codepoint.
class: A permitted traffic class.
srcas: A permitted source autonomous system number.
dstas: A permitted destination autonomous system number.
as: A permitted source or destination autonomous system number.
srcnet: A permitted source subnet.
dstnet: A permitted destination subnet.
net: A permitted source or destination subnet.
srcmask: A permitted source subnet mask, as supplied by the router.
dstmask: A permitted destination subnet mask.
mask: A permitted source or destination subnet mask.
nexthop: A next-hop address.
j_username: The username.
j_password: The password.
portalsecret: The secret value assigned to the management portal.
acldevice: The address of a permitted device that exports NetFlow.
aclif: A permitted interface.
aclvpn: A permitted VPN.
acltemplid: A permitted report template.
aclid: A permitted long-term report.
aclcid: A permitted executive report.
aclfiltereditor: A filter that will show in the Filter Editor.
aclsf: A visible saved filter.
aclfeatures: The permitted interactive report features.
General Format
http://<server>:<port>/report.jsp?prm=value&prm=value...
server: The domain name or IP address of the NetFlow Tracker server
port: The HTTP port of the NetFlow Tracker server
prm, value: A named parameter and its value. Supply as many parameters as necessary in any order with each prm=value pair separated by an ampersand.
Report Parameters
templid specifies the report template to use. Do not use this parameter with id or cid.
0003 0006 0007 0008 0009 0010 0011 0012 0013 0014 0015 0016 0017 0018 0019 0020 0021 0022 0023 0024 0025 0026 0027 0028 0029 0030 0031 0032 0033 0034 0035
id specifies the long-term report to open. You can enable several standard long-term reports in Report Settings. The IDs for these reports are given below. The ID for a custom report is available in Report Settings. Do not use this parameter with templid or cid.
0000: Source Addresses per inbound interface
0001: Source Addresses per outbound interface
0002: Destination Addresses per inbound interface
0003: Destination Addresses per outbound interface
0004: Recognized Applications per inbound interface
0005: Recognized Applications per outbound interface
0100: Source Addresses per source device
0101: Destination Addresses per source device
0102: Recognized Applications per source device
<id>: A custom long-term report ID
cid specifies the executive report to open. The ID for an executive report is available in Report Settings. Do not use this parameter with templid or id.
<id>: An executive report ID
nrecords specifies the number of rows to show per page of a tabular view.
<number> -1
others specifies that a tabular view shows an Others row instead of a page navigator. The long-term tabular view always shows an Others row.
true: An Others row is shown instead of a page navigator
false: No Others row is shown (default)
visible specifies a visible column of a table or chart. Apply this as often as needed to include all desired columns. By default, all columns are visible.
<heading>: The URL-encoded column heading; note that % is URL-encoded as %25
-<heading>: A column to make invisible; parameters specifying invisible columns cannot be mixed with those specifying visible columns
<number>
<title>
chartWidth specifies the width of the chart. Use this as an output parameter in an executive report.
<width>
chartHeight specifies the height of the chart. Use this as an output parameter in an executive report.
<height>
<sections>: The sections, formed by summing the values for each section
1: Title
2: Time range & filter description
4: Main report or chart body
8: Chart title, if applicable
16: Chart legend, if applicable
32: Result information, if applicable
-<sections>
<features>: The features, formed by adding the values for each feature
1: Navigation Menu
2: Select All button, if applicable
4: Zoom In button, if applicable
8: Zoom Out button, if applicable
48: Open as Tabular Report, Chart or Pie buttons as applicable
64: Filter Editor button, if applicable
128: Refresh and Resolve All buttons, if applicable
256: Print and CSV buttons, if applicable
512: Open in New Window button
1024: Drilldown controls
2048: Direct drilldown links (found in navigation reports)
4096: Page navigator
8192: Sortable column headers
16384: Chart scrollbar
32768: Chart selection headers
65536: Time range editor, if specified
-<features>
resolve specifies how domain names are handled in a report with an IP address column.
all: All domain names will be resolved and shown in full
available: Only already resolved names will be shown, as tooltips (default)
html print
reload specifies the number of seconds between automatic refreshes of the report. Use this with one of the dynamic time ranges (see Time Range Parameters on page 118). Only the interactive HTML format supports this parameter.
-1: The report will not reload automatically (default)
<seconds>: Number of seconds between refreshes
true: The splash screen is shown if it has not already been shown (default).
false: The splash screen is not shown.
<time>
<dd>/<MM>/<yyyy>%20<HH>:<mm>
The time: <dd> is the date, <MM> the month, <yyyy> the year, %20 a URL-encoded space character, <HH> the hour in the 24-hour clock and <mm> the minutes
etime specifies the end of the required time range.
<time>
<dd>/<MM>/<yyyy>%20<HH>:<mm>
The time: <dd> is the date, <MM> the month, <yyyy> the year, %20 a URL-encoded space character, <HH> the hour in the 24-hour clock and <mm> the minutes
<millis>
Hours Days Weeks Weeks starting on a Monday Weeks starting on a Tuesday Weeks starting on a Wednesday Weeks starting on a Thursday Weeks starting on a Friday
nunitsago specifies the number of units before the time of report generation the time range should end.
The time range will end at end of the current unit at the time of report generation; this is likely to be later than the time of report generation The time range will extend to the end of the last full unit before the time of report generation (default) The time range will extend to the end of this number of full units before the time of report generation
1 <number>
nunits specifies the number of units required. This may include a partial unit.
1: The time range will extend for a single unit (default)
<number>: The time range will extend for this number of units
date_unit (optional) specifies the unit to measure how long before the report is generated that the time range starts and ends.
day: Days
week: Weeks
mon: Weeks starting on a Monday
tue: Weeks starting on a Tuesday
wed: Weeks starting on a Wednesday
thu: Weeks starting on a Thursday
fri: Weeks starting on a Friday
sat: Weeks starting on a Saturday
sun: Weeks starting on a Sunday
month: Months
quarter: Quarters
halfyear: Half-years
year: Years
sdate_unit (optional) specifies the unit to measure how long before the report is generated that the time range starts. Format as for date_unit above.
sdate_nunitsago (optional) specifies the number of units before the time of report generation of the first day of the time range.
1: The first day of the time range is the first day of the current unit at the time of report generation (default)
<number>: The first day of the time range is at the start of this number of full units before the time of report generation
edate_unit (optional) specifies the unit to measure how long before the report is generated that the time range ends. Format as for date_unit above.
edate_nunitsago (optional) specifies the number of units before the time of report generation of the last day of the time range.
0: The last day of the time range is the first day of the unit following the current unit at the time of report generation
1: The last day of the time range is the first day of the current unit at the time of report generation (default)
<number>: The time range extends to the end of this number of full units before the time of report generation
stime specifies the time of day at which the time range starts.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm> being the minutes
etime specifies the time of day at which the time range ends.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm> being the minutes
<day1><day2>/<time1><time2>
The range of weekdays and the times on those weekdays to include in the mask. A weekday is SUN, MON, TUE, WED, THU, FRI or SAT, day2 coming on or after day1 in the list above. Time is in the 24-hour form hh:mm, and time2 is after time1
0: (GMT-12:00) International Date Line West
1: (GMT-11:00) Midway Island, Samoa
2: (GMT-10:00) Hawaii
3: (GMT-09:00) Alaska
4: (GMT-08:00) Pacific Time (US & Canada); Tijuana
15: (GMT-07:00) Arizona
10: (GMT-07:00) Mountain Time (US & Canada)
13: (GMT-07:00) Chihuahua, La Paz, Mazatlan
33: (GMT-06:00) Central America
20: (GMT-06:00) Central Time (US & Canada)
30: (GMT-06:00) Guadalajara, Mexico City, Monterrey
25: (GMT-06:00) Saskatchewan
45: (GMT-05:00) Bogota, Lima, Quito
35: (GMT-05:00) Eastern Time (US & Canada)
40: (GMT-05:00) Indiana (East)
50: (GMT-04:00) Atlantic Time (Canada)
55: (GMT-04:00) Caracas, La Paz
56: (GMT-04:00) Santiago
193 201 195 200 203 205 207 210 227 215 225 220 235 230 240 250 245 260 255 275 265 270 280 290 285 300
possible. You can specify a different sample size to show, for example, a day in hour-long samples or a month in day-long samples.
sample_unit specifies the unit to measure the sample size in.
1: Each sample will be one unit long (default)
<number>: Each sample will be this number of units long
Daily data (ten minute samples) are used Weekly data (one hour samples) are used Monthly data (six hour samples) are used Quarterly data (twelve hour samples) are used
halfyearly yearly
Daily data (ten minute samples) are used Weekly data (one hour samples) are used Monthly data (six hour samples) are used Quarterly data (twelve hour samples) are used Half-yearly data (one-day samples) are used Yearly data (two-day samples) are
Filter Parameters
You can apply any number of filters to a report. Each filter is a set of acceptable values for a certain aspect of the source data. If you do not specify a filter, then all values are accepted. To specify multiple acceptable values for a filter, include the parameter name and value in the URL once for each value.
Note: The filters that you can apply to a long-term report depend upon the report's type.
sf specifies a saved filter to apply to the report. The ID for a saved filter is available in Report Settings.
<id>: A saved filter ID
<addr>
inif specifies a permitted input interface, thus selecting inbound traffic on the interface.
<addr>/<id>: The interface: addr is the address of the NetFlow-exporting device in dotted-decimal format and id is the NetFlow Tracker-specific interface identifier
<addr>/<ifindex>: The interface: addr is the address of the NetFlow-exporting device in dotted-decimal format and ifindex is the current SNMP interface index assigned to the interface
outif specifies a permitted output interface, thus selecting outbound traffic on the interface. Format as for inif above.
if specifies a permitted input or output interface of the flow, thus selecting traffic passed in both directions across the interface. Format as for inif above.
invpn specifies a Virtual Private Network (VPN) that the input interface must be part of.
<name>: The VPN name; see Device Settings for more information
<id>: The VPN identifier
outvpn specifies a VPN that the output interface must be part of. Format as for invpn above.
vpn specifies a VPN that either interface must be part of. Format as for invpn above.
srcaddr specifies a permitted source address.
<addr>
srcaddr_exclude=true specifies that the supplied source addresses are excluded rather than included.
dstaddr specifies a permitted destination address. Format as for srcaddr above.
dstaddr_exclude=true specifies that the supplied destination addresses are excluded rather than included.
addr specifies a permitted source or destination address. Format as for srcaddr above.
addr_exclude=true specifies that the supplied source or destination addresses are excluded rather than included.
proto specifies a permitted IP protocol.
<name>: The protocol name, such as TCP or UDP
<number>: The protocol number, in the range 0-255
proto_exclude=true specifies that the supplied protocols are excluded rather than included.
srcport specifies an acceptable source application port number.
<port>: The application port number in the range 0-65535
<port1><port2>: A range of port numbers, with port1 being the start of the range and port2 the end
srcport_exclude=true specifies that the supplied source application port numbers are excluded rather than included.
dstport specifies an acceptable destination application port number. Format as for srcport above.
dstport_exclude=true specifies that the supplied destination application port numbers are excluded rather than included.
srcappl specifies a permitted source IP application.
<port>/<name>: The application: port is the application port number in the range 0-65535 and name is the protocol name, such as TCP or UDP
<port>/<number>: The application: port is the application port number in the range 0-65535 and number is the protocol number in the range 0-255
<name>: The name of a grouped application
srcappl_exclude=true specifies that the supplied source applications are excluded rather than included.
dstappl specifies a permitted destination IP application. Format as for srcappl above.
dstappl_exclude=true specifies that the supplied destination applications are excluded rather than included.
appl specifies a permitted source or destination IP application port. Format as for srcappl above.
appl_exclude=true specifies that the supplied source or destination applications are excluded rather than included.
recappl specifies a permitted recognized IP application port. Format as for srcappl above.
recappl_exclude=true specifies that the supplied recognized applications are excluded rather than included.
applid specifies a permitted identified application.
<name>: The identified application name; see Device Settings for more information
<id>: The identified application identifier
applid_exclude=true specifies that the supplied identified applications are excluded rather than included.
tos specifies a permitted Type-of-Service byte.
<prec>: The precedence, in the range 0-7
<tos>: A string of letters indicating which ToS bits you must set or unset. D - low delay, d - normal delay; T - high throughput, t - normal throughput; R - high reliability, r - normal reliability; M - minimize monetary cost, m - normal monetary cost. Any bits not specified as set or unset are disregarded.
<prec>%20<tos>: The precedence and ToS as above; %20 being a URL-encoded space character
tos_exclude=true specifies that the supplied Type-of-Service values are excluded rather than included.
ds specifies a permitted differentiated service codepoint.
The assigned name of the codepoint The six-digit binary representation of the codepoint The value of the entire Type-of-Service byte, in the range 0-255
ds_exclude=true specifies that the supplied differentiated service codepoints are excluded rather than included.
class specifies a permitted traffic class.
<name>: The traffic class name. See Applying Traffic Class IDs on page 21.
<id>: The traffic class identifier
class_exclude=true specifies that the supplied traffic classes are excluded rather than included.
srcas specifies a permitted source autonomous system number.
<as>
srcas_exclude=true specifies that the supplied source autonomous system numbers are excluded rather than included.
dstas specifies a permitted destination autonomous system number. Format as for srcas above.
dstas_exclude=true specifies that the supplied destination autonomous system numbers are excluded rather than included.
as specifies a permitted source or destination autonomous system number. Format as for srcas above.
as_exclude=true specifies that the supplied source or destination autonomous system numbers are excluded rather than included.
srcnet specifies a permitted source subnet. Note that the subnet mask supplied by the router is ignored.
<addr>/<mask>: The subnet: addr is the network address in dotted-decimal format and mask is the mask length, in the range 0-32
srcnet_exclude=true specifies that the supplied source subnets are excluded rather than included.
dstnet specifies a permitted destination subnet. Format as for srcnet above.
dstnet_exclude=true specifies that the supplied destination subnets are excluded rather than included.
net specifies a permitted source or destination subnet. Format as for srcnet above.
net_exclude=true specifies that the supplied source or destination subnets are excluded rather than included.
<mask>
srcmask_exclude=true specifies that the supplied source subnet masks are excluded rather than included.
dstmask specifies a permitted destination subnet mask. Format as for srcmask above.
dstmask_exclude=true specifies that the supplied destination subnet masks are excluded rather than included.
mask specifies a permitted source or destination subnet mask. Format as for srcmask above.
mask_exclude=true specifies that the supplied source or destination subnet masks are excluded rather than included.
nexthop specifies a next-hop address.
<addr>
nexthop_exclude=true specifies that the supplied next-hop addresses are excluded rather than included.
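The general format and filter rules above (one prm=value pair per acceptable value, <name>_exclude=true to invert a filter, %20 for a space and %25 for a percent sign) can be assembled and checked in code before a URL is placed in a portal or favorites list. The Python below is an added example, not part of the guide or of NetFlow Tracker; the function names, the server name, port 8080 and the column heading "Traffic %" are assumptions, and templid 0003 is taken from the guide's ID list, whose report names did not survive on this page.

```python
from datetime import datetime
from ipaddress import IPv4Address
from urllib.parse import quote, urlencode

SUBNET_FILTERS = {"srcnet", "dstnet", "net"}   # <addr>/<mask>, mask length 0-32
PORT_FILTERS = {"srcport", "dstport"}          # single port number, 0-65535
TIME_FORMAT = "%d/%m/%Y %H:%M"                 # <dd>/<MM>/<yyyy> <HH>:<mm>


def _in_range(text, low, high):
    """True if text is a plain decimal number between low and high."""
    return text.isascii() and text.isdigit() and low <= int(text) <= high


def check_filter_value(name, value):
    """Validate one filter value against the documented format; return it as text."""
    text = str(value)
    if name in SUBNET_FILTERS:
        addr, _, mask = text.partition("/")
        IPv4Address(addr)  # raises ValueError unless dotted-decimal
        if not _in_range(mask, 0, 32):
            raise ValueError(f"{name}: mask length must be 0-32, got {text!r}")
    elif name in PORT_FILTERS:
        if not _in_range(text, 0, 65535):
            raise ValueError(f"{name}: port must be 0-65535, got {text!r}")
    elif name == "proto":
        # A protocol is a name such as TCP or UDP, or a number 0-255.
        if text.isdigit():
            if not _in_range(text, 0, 255):
                raise ValueError(f"proto: number must be 0-255, got {text!r}")
        elif not text.isalnum():
            raise ValueError(f"proto: expected a name or number, got {text!r}")
    return text


def build_report_url(server, port, report, filters=None, exclude=(),
                     start=None, end=None, visible=()):
    """Build a report.jsp URL in the guide's general format.

    report  -- dict holding exactly one of templid, id or cid
    filters -- dict mapping a filter name to a list of acceptable values
    exclude -- filter names to invert with <name>_exclude=true
    start, end -- datetime objects for stime and etime
    visible -- column headings; a leading '-' hides a column instead
    """
    if len(report) != 1 or next(iter(report)) not in ("templid", "id", "cid"):
        raise ValueError("supply exactly one of templid, id or cid")
    filters = filters or {}
    missing = set(exclude) - set(filters)
    if missing:
        raise ValueError(f"exclude names without a filter: {sorted(missing)}")
    hidden = [h.startswith("-") for h in visible]
    if any(hidden) and not all(hidden):
        raise ValueError("visible and invisible columns cannot be mixed")

    pairs = list(report.items())
    if start is not None:
        pairs.append(("stime", start.strftime(TIME_FORMAT)))
    if end is not None:
        pairs.append(("etime", end.strftime(TIME_FORMAT)))
    for name, values in filters.items():
        # The parameter is repeated once for each acceptable value.
        for value in values:
            pairs.append((name, check_filter_value(name, value)))
        if name in exclude:
            pairs.append((f"{name}_exclude", "true"))
    for heading in visible:
        pairs.append(("visible", heading))

    # quote() encodes a space as %20 and % as %25; '/' and ':' stay literal,
    # matching the <dd>/<MM>/<yyyy>%20<HH>:<mm> form shown in the guide.
    query = urlencode(pairs, quote_via=quote, safe="/:")
    return f"http://{server}:{port}/report.jsp?{query}"


def example_url():
    """Constructed sample: two source subnets, excluding destination port 443."""
    return build_report_url(
        "nft.example.net", 8080, {"templid": "0003"},
        filters={"srcnet": ["10.1.0.0/16", "10.2.0.0/16"],
                 "dstport": [443], "proto": ["TCP"]},
        exclude={"dstport"},
        start=datetime(2008, 8, 1, 9, 0), end=datetime(2008, 8, 1, 17, 30),
        visible=["Traffic %"],
    )


if __name__ == "__main__":
    print(example_url())
```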
Security Parameters
If a username and password are required to access a report, you can specify them in the URL.
acldevice specifies the address of a permitted device that exports NetFlow data. Format as for device above.
aclif specifies a permitted interface. Format as for inif above.
aclvpn specifies a permitted VPN. Format as for invpn above.
acltemplid specifies a permitted report template.
null: No report templates are permitted
<id>: A permitted report template; see templid in Report Format Parameters above for permitted values
aclid specifies a permitted long-term report.
null: No long-term reports are permitted
<id>: A permitted long-term report; see id in Report Format Parameters above for permitted values
aclfiltereditor specifies a filter that will appear in the Filter Editor. Note that it will be possible for the user to create reports with other filters by drilling down or manually editing a URL.
null: No filter editors are permitted
0: Source Device
1: Source Address
2: Dest Address
3: Src/Dest Address
4: Next Hop
5: In Interface
6: Out Interface
7: In/Out Interface
8: Protocol
9: Source Port
10: Dest Port
11: Src/Dest Port
12: Source Application
13: Dest Application
14: Src/Dest Application
aclfeatures specifies the permitted interactive report features. For parameters, see features.
D: File Formats
consisting of a description followed by a usage, octet count or packet count.
XML Format
You can convert every standard chart and tabular report to XML for use in external software. The XML schemas are in the xml subfolder underneath the NetFlow Tracker installation folder. The root of each XML document contains the report title. The first tag in the root contains data about the NetFlow Tracker version that generated the document. The next tag contains data about the filter applied to the report. The time range is set as a start and end in both milliseconds UTC and year, month, day, hour, etc. The number of milliseconds spanned by the time range is provided, taking into account the time mask applied, if any.