Professional Documents
Culture Documents
Introduction
This data provides granular details about network traffic that has passed through an interface.
NetFlow Analyzer processes this information to show you what applications are using bandwidth,
who is using them, and when. Extensive graphs and intuitive reports make this information easy to
analyze, and also help accelerate the troubleshooting process.
NetFlow Analyzer comes pre-loaded with a set of features that provide in-depth bandwidth usage
statistics and let you drill down to see more details about a bandwidth traffic, application, or
conversation etc. NetFlow Analyzer also includes other administrative options that help in managing
enterprise networks and bandwidth utilization with ease.
Regardless of different types of flows, now you can view a complete picture of the usage, network
performance, and traffic statistics of various network devices in single console. Support's NetFlow,
IPFIX, jFlow, sFlow, Netstream, Appflow etc.
View the status of your links, and generate reports from just a web browser that is built on a
JavaScript framework powered by Ember.js. This new Fluidic web client offers 10x more
productivity and performance compared to the previous UI. The new user interfaces also features
keyboard navigation across interface snapshot pages, alarms and performance graphs which helps
network admins to access the information they are looking for even more quickly and easily.
View instant graphs for bandwidth utilization and traffic per link up to previous minute.
Generate daily, weekly, monthly, and custom time period bandwidth reports showing peak traffic
patterns from the day 1.
Application-level QoS shaping
Reconfigure application QoS with ACL to filter application traffic, thus reserve bandwidth for mission
critical activities. Now you can shape app traffic via service policy and allocate % to particular
application and thus regulate the bandwidth usage with the help of CBQoS monitoring.
Validate the effectiveness of your QoS policies using CBQoS reports from NetFlow Analyzer.
Prioritize your network traffic accordingly.
High Scalability
Now, NetFlow Analyzer can scale up to 250K flows per second without raw data storage and with
raw data storage it can process upto 100k flow per second.
Helps you accurately measure your bandwidth growth over a period of time and helps to anticipate
the changes in bandwidth with capacity planning reports. You can also generate on-demand billing
for accounting and departmental chargebacks.
Advanced security analytics module helps to detect a broad spectrum of external and internal
security threats and categorize threats/anomalies as problems such as Bad Src-Dst, DDoS,
Suspect Flows.
Traffic Profiling
View bandwidth reports based on top applications, top hosts, and top conversations, DSCP,
multicast.
Consolidated Reports
View bandwidth reports per Device and interfaces, showing top applications, top talkers in a single
report.
Device Grouping
Categorize NetFlow devices into logical groups and grant reporting access to specific users based
on hierarchy. Group IP addresses and address ranges into department wise , and monitor
bandwidth usage individually.
Identify most standard applications out-of-the-box and configure custom applications and monitor
the same. Add users with different privileges, assign device groups, and selectively allow access for
monitoring and reporting.
This User Guide will help you install NetFlow Analyzer, understand netflow port details, Cisco
netflow configuration and other flow configuration steps and get familiar with the user interface. If
you are unable to find the information you are looking for in this document, please let us know
at netflowanalyzer-support@manageengine.com
Enterprise Edition
Parameter Essential Edition
Central Server Collector
2.4 GHz Quad Core 2.4 GHz Dual 3.2 GHz Quad
Processor
Processor Core core
RAM 4 GB 4 GB 8 GB
Operating
64 bit 64 bit 64 bit
System
Please note that change in flow rate will lead to change in system requirements as
below:
Disk Additional
space for Disk
Rate of Server
Processor RAM Aggregate space for
Flow/Second Type
Data RawData
(Forever) (Optional)
For the device exporting NetFlow, ensure that the NetFlow export version format is
exactly the same as the Cisco NetFlow version 5 or version 7 or version 9 format.
For information on Cisco devices and IOS versions supporting Netflow, consult
the Cisco NetFlow Device Support table.
Software Requirements
Supported Operating
Supported Browsers Database supported
System
Port Requirements
Default Port
Port Name Usage
Numbers
32000-
Wrapper
32999
31000-
JVM To connect to Wrapper.
31999
Database Requirements
The following table lists the basic requirements for your OpManager database server.
PostgreSQL
Comes bundled with the product.
In case of failover, please use MS SQL.
Microsoft SQL
1. Supported versions:
SQL 2017 | SQL 2016 | SQL 2014 | SQL 2012 | SQL 2008
2. Important Notices:
3. Collation:
English with collation setting (SQL_Latin1_General_CP1_CI_AS)
Norwegian with collation setting (Danish_Norwegian_CI_AS)
Simplified Chinese with collation setting (Chinese_PRC_CI_AS)
Japanese with collation setting (Japanese_CI_AS)
German with collation setting (German_PhoneBook_CI_AS)
4. Authentication:
5. BCP:
The "bcp.exe" and "bcp.rll" must be available in the bin directory.
The BCP utility provided with Microsoft SQL Server is a command line utility that
allows you to import and export large amounts of data in and out of SQL server
databases quickly. The bcp.exe and bcp.rll will be available in the MSSQL installation
directory. If MSSQL is in a remote machine, copy bcp.exe and bcp.rll files and paste
them in the <\OpManager\bin> directory.
The SQL server version compliant with the SQL Native Client must be installed in
the same Server.
Note: NetFlow Analyzer runs in both Windows and Linux, supports NetFlow® versions
5/7/9,sFlow® , cflowd® ,J-Flow® , IPFIX® , NetStream®. To know which devices it
supports refer Configuring Cisco Devices section of the User Guide.
NetFlow Analyzer is available for Windows and Linux platforms. For information on supported
versions and other specifications, look up System Requirements.
Installing NetFlow Analyzer
Windows:
1. Download NetFlow Analyzer for Windows
2. Double-click it to start installation. Follow the instructions as they appear on screen to
successfully install NetFlow Analyzer on to your machine. NetFlow Analyzer supports both,
PostgreSQL and MSSQL as database. Select the database and click Next.
Linux:
This is a quick walk-through of the console mode installation of NetFlow Analyzer on a Linux
box - an easy thing to do if you are working on a Windows box and want to install on a remote
Linux system.
Step 1: Execute the binary with administrator privileges (sudo) and -i console option.
Step 2: Go through the license agreement and enter 'Y' to proceed. You can register for
technical support by providing the required details. (Name, E-mail ID, Phone, Company Name)
Step 6: Verify the installation details and press 'Enter' to complete the installation.
During installation if you get an error message stating that the temp folder does not have
enough space, try executing this command with the -is:tempdiroption, where is the
absolute path of an existing directory.
Once you have successfully installed NetFlow Analyzer, start the NetFlow Analyzer server by
following the steps below.
Starting NetFlow Analyzer
Windows:
Click on Start > Services > start the ManageEngine NetFlow Analyzer to start the service.
Alternatively you can navigate to the bin folder in a CMD prompt and invoke the run.bat file to start
as application.
Linux:
Navigate to the /bin directory and execute the ./run.sh file.
When the server is started, a command prompt window opens up showing startup information on
several modules of NetFlow Analyzer. Once all the modules have been successfully created, the
following message is displayed:
Server started.
Please connect your client at http://localhost:8060
The default port is 8060 and it will be replaced by the port you have specified as the web server
port during installation.
Starting as Service
Windows:
If you have chosen the Start as Service option during installation, NetFlow Analyzer will run as
a service on Windows.
Linux:
2. Navigate to the bin directory.
3. Execute the linkAsService.sh file
Follow the steps below to shut down the NetFlow Analyzer server. Please note that once the server
is successfully shut down, the MySQL/Pgsql database connection is automatically closed, and all
the ports used by NetFlow Analyzer are freed.
Windows:
1. Navigate to the Program folder in which NetFlow Analyzer has been installed. By default,
this is Start > Programs > ManageEngine NetFlow Analyzer
2. Select the option Shut Down NetFlow Analyzer
3. Alternatively, you can navigate to the bin folder and invoke the shutdown.bat file.
4. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut
down.
Linux:
1. Navigate to the /bin directory.
2. Execute the shutdown.sh file.
3. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut
down.
4. Also you can execute systemctl stop OpManager.service--> This will stop the service.
Antivirus scanners interfering with database files may affect normal functioning of database.
Define exception for the C:\ManageEngine\OpManager_scrnsht\OpManager directories in
the antivirus scanners.
Cisco Routers
11.1CA, 11.1CC Cisco 7200 and 7500 series, RSP 7200 series
RSM series
12.0(3)T, 12.0(3)S Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800
NetFlow is also supported by these devices Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300,
7600, 10000, CRS-1 and these Catalyst series switches: 45xx, 55xx, 6xxx and Cisco Meraki.
These devices do not support NetFlow: Cisco 2900, 3500, 3660, 3750.
Cisco Switches
NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card
(NFFC) or NFFC II and the Route Switch Module (RSM), or Route Switch Feature Card
(RSFC). However, check whether version 5 is supported, as most switches export version 7 by
default.
NetFlow Version 9 Support
Supported Platforms
Cisco 2600 series
Cisco 3600 series
Cisco 7100 series
Cisco 7200 series
Cisco 7300 series
Cisco 7400 series
Cisco 7500 series
Cisco 12000 series
Other Vendors
Supported
Vendor Flows Device List
AlaxalA
Networks sFlow AX7800R , AX7800S , AX7700R , AX5400S
Refer AlaxalA Networks website
Alcatel sFlow OmniSwitch 6850 , OmniSwitch 9000
Comtec
Systems sFlow !-Rex 16Gi & 24Gi & 24Gi-Combo
Juniper NetFlow, J-
Networks Flow Refer Juniper Networks website
IP8800/R400 series , IP8800/S400
NEC sFlow series , IP8800/S300 series
CheckPoint
Firewall NetFlow Checkpoint IPSO 6.1 and above
NetFlow Analyzer Enterprise Edition has seperate UI logins for Central UI and Collector UI.
NetFlow Analyzer Central UI provides you to option to monitor all the collector and do
configuration changes on the Collectors. The changes done in the Central server UI will be
pushed to the Collectors automatically.
NetFlow Analyzer Collector UI gives the single view of the devices that are sending flows to
that Collector server alone.
Once the service has successfully started, follow the steps below to access NetFlow Analyzer.
1. Open a supported web browser window
2. Type the URL address as http://NetflowServer_IP:8060 (where NetflowServer is the
name of the machine on which NetFlow Analyzer is running, and 8060 is the default web
server port)
3. Log in to NetFlow Analyzer using the default username/password combination
of admin/admin
Once you log in, you can start managing devices exporting NetFlow, generate bandwidth
reports, and more.
License Information
Free Edition - collect, analyze, and report on Netflow data for a upto two interfaces
with limited features
Essential Edition - collect, analyze, and report on Netflow data for a maximum of n
interfaces (where 'n' is the number of interfaces for which NetFlow Analyzer has been
purchased)
Add-ons - Reporting on Cisco IPSLA , Hi-Perf Reporting Engine, NCM (Network
Configuration Manager), Wireless LAN Controller (WLC) and deep packet inspection (DPI).
Enterprise Edition - is scalable bandwidth monitoring for distributed networks for
unlimited interfaces upto 80k flows support. (all add-ons included)
Once installed, NetFlow Analyzer runs in evaluation mode for 30 days. You can obtain a
registered license for NetFlow Analyzer at any time during the evaluation period by contacting
NetFlow Analyzer Support.
If you have not upgraded to the Licensed Edition by the end of the evaluation period, NetFlow
Analyzer automatically reverts to the Free Edition.
The new license is applied with immediate effect. You do not have to shut down or
restart the NetFlow Analyzer server after the license is applied.
NetFlow Analyzer Enterprise Edition -
Installation and Uninstallation
Central Server Installation
Windows
The Windows download for NetFlow Analyzer is available as an EXE file
at https://www.manageengine.com/products/netflow/download.html#ent Download the EXE file
for the Central Server to your local machine, and double-click it to start installation.Follow the
instructions as they appear on screen to successfully install NetFlow Analyzer on to your
machine.
Linux:
The Linux download for NetFlow Analyzer is available as a BIN file
at https://www.manageengine.com/products/netflow/download.html#ent
1. Download the BIN file and assign execute permission using the command: chmod a+x
<file_name>.bin.where <file_name> is the name of the downloaded BIN file.
2. Execute the following command: sudo ./<file_name>.bin
During installation if you get an error message stating that the temp folder does not have
enough space, try executing this command with the -is:tempdir <directoryname> option,
where <directoryname> is the absolute path of an existing directory. sudo
./<file_name>.bin -is:tempdir <directory_name>
3. Follow the instructions as they appear on the screen to successfully install NetFlow
Analyzer on to your machine.
Collector Installation
Windows
Step 1: On the Welcome Screen, Click ‘Next’ to continue.
Step 2: Read the License agreement carefully and click ‘Next’ to proceed to the next step.
Step 3: Verify destination folder and Click ‘Next’ to continue.
Step 4: Select your desired server type.
There are two options for server-type:
1) Central Reporting Server 2) Collector Server
Step 5: Select your desired port and language and click ‘Next’ to continue.
Step 6: Provide communication details such as Host Name, HTTPs port number etc. for both
Central Server & Collector. Click ‘Next’ when you are done.
Step 7: Please enter server details such as Name, user-name and password. Click ‘Next’ to
continue.
Step 8: Mention the default SNMP community and port information. This is an optional step.
Click ‘Next’ to continue.
Step 9: Provide proxy server host, server port, proxy user- name and password. Click ‘Next’ to
continue.
Step 10: Choose your desired Program Folder.
Step 11: Registration for technical support. An optional form to register yourself for technical
support would appear. You may choose to skip this form.
Step 12: Review the information that appears and click ‘Next’ to begin the installation.
Step 13: Please wait till the installation is completed.
Step 14: Once installation is complete, click on ‘Finish’. This will start NetFlow Analyzer as a
service.
Linux
The Linux download for NetFlow Analyzer is available as a BIN file
at https://www.manageengine.com/products/netflow/download.html#ent
1. Download the BIN file and assign execute permission using the command: chmod a+x
<file_name>.bin.where <file_name> is the name of the downloaded BIN file.
2. Execute the following command: sudo ./<file_name>.bin
During installation if you get an error message stating that the temp folder does not have
enough space, try executing this command with the -is:tempdir <directoryname> option,
where <directoryname> is the absolute path of an existing directory. sudo
./<file_name>.bin -is:tempdir <directory_name>
3. Follow the instructions as they appear on the screen to successfully install NetFlow
Analyzer on to your machine.
Note: While Installing the collector please give the proper entries in the communication panel
and in the proxy server settings so that the collector can communicate with the central server
properly.
Once you have successfully installed NetFlow Analyzer, start the NetFlow Analyzer server for
central and collector.
Central Server
Step 1: Execute ManageEngine_NFA_DE_64.bin with administrator privileges (sudo) and -i
console option.
Step 2: Go through the license agreement and enter 'Y' to proceed. You can register for
technical support by providing the required details. (Name, E-mail ID, Phone, Company Name)
Probe Server
Step 1: Execute ManageEngine_NetFlowAnalyzer_Probe_64bit.bin with security privileges
(sudo) and -i console option.
Step 2: Go through the license agreement and enter 'Y' to proceed. You can register for
technical support by providing the required details. (Name, E-mail ID, Phone, Company Name)
Step 3: Select the location.
Step 4: Choose the installation directory, and configure the Webserver and Listener Ports.
Step 5: Verify the installation details, the installation status and press 'Enter' to complete the
installation.
Starting NetFlow Analyzer Central Server
Windows
Click on Start > Programs > ManageEngine NetFlow Analyzer Central Reporting Server >
Central Server.
Alternatively you can navigate to the \bin folder and invoke the run.bat file.
Linux
Navigate to the /bin directory and execute the run.sh file.
When the server is started, a command prompt window opens up showing startup information
on several modules of NetFlow Analyzer. Once all the modules have been successfully
created, the following message is displayed:
Server started.
Please connect your client at https://localhost
where 8060 is replaced by the port you have specified as the web server port during
installation.
Windows
Click on Start > Programs > ManageEngine NetFlow Analyzer Collector > Collector
Server. Alternatively you can navigate to the \bin folder and invoke the run.bat file.
Linux
Navigate to the /bin directory and execute the run.sh file.
When the server is started, a command prompt window opens up showing startup
information on several modules of NetFlow Analyzer. Once all the modules have been
successfully created, the following message is displayed:
Server started.
Please connect your client at http://localhost:8060
where 8060 is replaced by the port you have specified as the web server port during
installation.
Starting as a Service
Windows
If you have chosen the Start as Service option during installation, NetFlow Analyzer will run
as a service on Windows.
Linux
1. Login as root user.
2. Navigate to the \bin directory.
3. Execute the linkAsservice.sh file.
4. Then execute the command systemctl start OpManager.service.
Configuration data: There are quite a few configurations an administrator effects in NetFlow
Analyzer or easy management and monitoring. The configurations include user settings,
details of discovered devices, custom monitors, threshold settings, notification profiles, etc.
Most configuration data is persisted in the database while a few configurations are written in
conf files. So when you backup configuration data, you must take care to back up the ones
you need.
Backup & restoration steps for NetFlow Analyzer build 12300 and above
Backup
Following table lists the backup utilities bundled with NetFlow Analyzer and their purpose.
Make sure you use the one that fits your backup need:
S.N Utility Path Database
o
Restoration
1. Go to <OpManager Home>/bin/backup directory
2. Execute RestoreDB.bat (use RestoreDB.sh for linux) with the backup file name as
argument. See example below:
C:\<OpManager Home>\bin\backup>RestoreDB.bat
"OpManager\backup\BackUp_APR3_2009_17_43_38_8100.zip"
To restore the backed up data for MSSQL
1. Go to <OpManager Home>/bin/backup directory
2. Restore the data using RestoreDB.bat present under OpManager/bin/backup
directory and restart OpManager.
For ex : C:\<OpManager Home>\bin\backup>RestoreDB.bat
"c:\OpManager\backup\BackUp_APR3_2009_17_43_38_8100.zip"
Note: The directory structure for the backup folder should be the same as in the new server
(C:\NFA backup).
Restore:
Once the folder is copied to the new server follow the below steps to restore.
Note: The directory structure of the backup folder should be the same as in the old
server (C:\NFA backup).
1. Stop the Netflow Analyzer service.
2. Open a command prompt as 'Administrator' and navigate to OpManager\bin (or)
NetFlow\bin. Execute VWstartdb.bat
3. If HighPerf is installed on NetFlow Analyzer server, execute VWcreatedb.bat. Users
can skip this step if HighPerf is installed on a remote server.
4. In command prompt, navigate to C:\NFA backup.
5. Execute sql OpManagerDB < copy.in (or) sql netflow < copy.in
6. Start the NetFlow Analyzer service.
Linux:
Backup:
1. Stop the NetFlow Analyzer service.
2. Open a terminal and login as 'installation owner'.
3. Navigate to OpManager/bin (or) NetFlow/bin. Execute
. ./VWenv.sh
./VWstartdb.sh
Note: This step can be ignored, if you get the message - "Vectorwise is already running.
Use ingstop to shut down Vectorwise".
Once the folder is copied to the new server follow the below steps to restore.
Note: The directory structure of the backup folder should be same as in the old
server (/tmp/NFAHighPerfBackup/ )
1. Stop the Netflow Analyzer service.
2. Open a terminal, and login as 'installation owner'.
3. Navigate to OpManager/bin (or) NetFlow/bin. Execute
. ./VWenv.sh
./VWreinitializeDB.sh
./VWstartdb.sh
4. In the same terminal, navigate to /tmp/NFAHighPerfBackup/
5. Execute sql OpManagerDB < copy.in (or) sql netflow < copy.in
6. Start the NetFlow Analyzer service.
Migration steps for NetFlow Analyzer
from the build 9860 and above with
MySQL database (Windows)
Please follow the below steps to migrate NetFlow Analyzer build 9860 from 32 bit to 64 bit.
Steps
1. Shut down NetFlow Analyzer service.
2. Backup the following directories\files:
1. Data folder from <NetFlow> home directory.
2. Data folder from <NetFlow\Mysql> directory.
3. AdventnetLicense.xml file from <NetFlow\lib> directory.
4. database_params.conf, Persistence folder
and Wrapper.conf from <NetFlow\conf>
5. startDB.bat, stopDB.bat and setcommonenv.bat files from <NetFlow\bin>
Note:The above mentioned i & ii are two different directories but have been named the same.
Kindly ensure to note down in order to avoid confusion during restoration.
3. Install same NetFlow Analyzer BUILD 64 on the new server and run the NetFlow
Analyzer service once. You can download the same BUILD from this
link: http://archives.manageengine.com/netflow.
4. Run the service once and shutdown the NetFlow Analyzer service.
5. Download and unzip the Mysql folder from the following link and copy it to the
NetFlow_Home
directory. https://uploads.zohocorp.com/Internal_Useruploads/dnd/NetFlow_Analyzer/o_19dem
irre16voijnnar1rqk1obb1/mysql.zip
6. Restore the backed up folders to the new installation under the same location:
1. Data folder backed up from <NetFlow> home directory to <NetFlow> home
directory.
2. Data folder backed up from <NetFlow\Mysql> directory to <NetFlow\Mysql>
directory.
3. database_params.conf, Wrapper.conf and Persistence backed up from
<NetFlow\conf> directory to <NetFlow\conf> directory.
4. startDB.bat, stopDB.bat and setcommonenv.bat from bin folder backed up
from <NetFlow_Home>\bin directory to <NetFlow_home>\bin directory.
Start the NetFlow Analyzer service and apply the license file from License
Management page in the product GUI.
Note: The build number of the NetFlow Analyzer should be the same on both the
servers. You can find the Build number by clicking on the 'About' link on the top right
corner of the user interface.
Steps:
1. Shut down NetFlow Analyzer service.
2. Backup the below directories\files to a safe location.
data folder from <OpManager> home directory.
pgsql folder from <OpManager> home directory.
AdventnetLicense.xml file from <OpManager\lib> directory.
3. Uninstall the current build after taking backup and install same NetFlow Analyzer build
64 on the server and run the NetFlow Analyzer service once. You can download the same
build from this link: http://archives.manageengine.com/netflow/
4. Run the service once and shutdown the NetFlow Analyzer service.
5. Restore the backed up folders to the new installation under the same location:
data folder backed up from <OpManager> home directory to <OpManager>
home directory.
pgsql folder backed up from <OpManager> directory to <OpManager>
directory.
6. Once copied, open Command Prompt as 'Administrator' and navigate
to OpManager_Home/bin and execute initPgsql.bat / sh once.
7. Start the NetFlow Analyzer service and apply the license file from License
Management
Configure flows in NetFlow Analyzer
The first step to begin analyzing your flow data, NetFlow Analyzer lets you export flows from
your network devices. The different flow formats supported by NetFlow Analyzer are NetFlow,
sFLow, jFlow, IPFIX, Netstream, Appflow, etc. Once the flow data is exported from your
routers, switches and firewalls, NetFlow Analyzer will show traffic data in the dashboard and
inventory tab.
Nortel IPFIX
Fortigate NetFlow
This device support Flexible netstream flow export. Please configure the device as mentioned
below:
netstream export ip index-switch 32// to set the interface index exported to be in 32
bit format
netstream timeout ip active 1// to set the active timeout of the flows packets to 1 min
netstream timeout ip inactive 15
netstream template ip timeout 1// to set the v9 template timeout to 1 min
netstream export ip source source interfaceIP// Source IP can be any which
has routing to NFA server
netstream export ip host NFAserver IP 9996 // Enter the IP address of NFA
installed server and over the UDP port 9996
netstream export ip version 9
netstream record NetFlow ip
match ip tos match ip protocol
match ip source-address
match ip destination-address
match ip source-port
match ip destination-port
collect counter packets
collect counter bytes
collect interface input
collect interface output
Sflow Configuration:
Sflow export happed from the device only over the default UDP port 6343 to the NetFlow
Analyzer server and it is not configurable in the device:
system-view
For example:
system-view
sflow agent 1.1.1.1
sflow source 1.1.1.1
sflow collector 1 ip 192.162.1.10
interface 10ge 0/1/2
sflow sampling collector 1 rate 1000 inbound outbound
sflow counter collector 1 interval 60
Please configure the Huawei device to export sFlow packets to the NetFlow Analyzer server:
Under System-view:
Example:
On Huawei Devices:
Follow the below command to enable NetStream on huawei devices
This exports the NetStream exports to the specified IP address. Use the IP address of the
NetFlow Analyzer server and the configured listener port. The default port is 9996.
Sets the source IP address of the NetStream exports sent by the device to the specified IP
address. NetFlow Analyzer will make SNMP requests of the device on this address. For
enabling Netstream on the desired interface, please execute the following command
ip netstream inbound
ip netstream inbound
ip netstream inbound
Dashboard Overview
NetFlow Analyzer Dashboard gives detailed information on all the top activities happening in
your network in a quick view with extensive customization options. We have different view to
give specific information on each category like Traffic, Applications, QOS, WAAS, WLC,
Attacks, NCM ( Advanced Security Analytics module) etc. Also NetFlow Analyzer provides
options to create custom Dashboards for different view and that you can set as default
dashboard for your login screen in a single click.
Widget names can be changed by clicking on the edit icon next to the
widget
Top N Conversations
The table gives a glance about the top 5 or 10 conversations based on the Device, Interfaces ,
Interface Groups or IPGroups with information on Source IP, Destination IP, Application and
Traffic utilized. By default the widget will show the top conversations from all the devices
monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces, interface groups or
IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and
Yesterday by clicking on the edit icon on the right top of the Widget.
You can get the widget information based on IP address or Network address by selecting the
Resource Category in the Edit view.
Top N QOS
The chart gives a glance about the top 10 DSCP and its utilization based on the Device,
Interfaces, Interface Groups or IPGroups. By default the widget will show the top DSCP based
information from all the devices monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces or IP groups for
different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by
clicking on the edit icon on the right top of the Widget.
Top N Applications
The table gives a glance about the top 10 Application and its utilization based on the Device,
Interface, Interface Groups or IPGroups. By default the widget will show the top Applications
based information from all the devices monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces or IP groups for
different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by
clicking on the edit icon on the right top of the Widget.
Top N Protocols
The table gives a glance about the top 10 Protocol and its utilization based on the Device,
Interfaces, Interface Groups or IPGroups. By default the widget will show the top Protocols
based information from all the devices monitored in NetFlow Analyzer.
You can customize the Widget to view the information based on Interfaces or IP groups for
different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by
clicking on the edit icon on the right top of the Widget.
Device Summary
Quick Details on Devices Monitored with Device Summary details based on categories like
Routers, Switches, Firewalls and WLC. You can get to the Device details view by directly
cliking on any device.
Recent Alarms
The alerts report provides an at-a-glance view of the alerts generated in the network for the
last hour and a specified time period. The alerts are generated based on the list of criteria
provided in the alert profile.Click on the last hour or all alert link to view the type of alerts.
The report lists the device name, the interface and the time at which the alert was last
generated and the number of such alerts.
Apps Overview
This view provides the information on Top 10 Layer 4 and Layer 7 application and its traffic
utilization.
Layer 4
Layer 4 pplications are the application that are categorized based on the port and protocol
mapping available in NetFlow Analyzer. We have around 10,000 + port and protocol mapping
available based on IANA standards in NetFlow Analyzer to get the application details.
You can customize the Widget to view the information for different time periods like Last 30
mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by clicking on the edit icon on the right
top of the Widget.
Layer 7
Layer 7 application have the NBAR based application information that can be exported by
Cisco Devices. If the device is configured to export NBAR information we show this
information.
You can customize the Widget to view the information for different time periods like Last 30
mins, Hourly, 6 Hours, 24 Hours, Today and Yesterday by clicking on the edit icon on the right
top of the Widget.
Top N Applications By Device
The table gives a glance about the top 10 Application and its utilization based on the Devices.
You can customize the Widget to view the information based on Interfaces, Interface group or
IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24 Hours, Today and
Yesterday for IN and OUT direction by selecting the Flow Type option by clicking on the edit
icon on the right top of the Widget.
You can customize the Widget to view the information based on the Device, Interfaces,
Interface group or IP groups for different time periods like Last 30 mins, Hourly, 6 Hours, 24
Hours, Today and Yesterday for IN and OUT direction by selecting the Flow Type option by
clicking on the edit icon on the right top of the Widget.
QOS Overview
This View provides top DSCP based qos information that is collected from the flow export by
the devices monitored in NetFlow Analyzer.
Top N QOS
The table gives a glance about the top 10 DSCP and its utilization across multiple Devices,
Interfaces or IPGroups. By default the widget will show the top DSCP based information from
all the devices monitored in NetFlow Analyzer.
Top N QOS By Device
The widget gives a glance about the top 10 DSCP and its utilization based on the Device,
Interfaces, Interface group or IPGroups for both IN and OUT direction by selecting the Flow
Type option by clicking on the edit icon the right top of the Widget.
Traffic Graph
The graph gives a glance of all the top In and Out traffic based on the Devices, Interfaces,
Interface groups or IPGroups. The default value of the graph is bps.
WAN Overview
WAN dashboard view shows a detailed overview based on the IPSLA Voip monitor created in
NetFlow Analyzer. IPSLA voip details are collected using SNMP from the Cisco device.
These view show the locations and their destinations along with the jitter, latency and packet
loss details. The bad call details and the top 10 call paths by jitter, latency, MOS and packet
loss are also displayed. This provides you to have a quick view on VOIP link performance and
helps to react proactively.
WLC Overview
NetFlow Analyzer provides information on the wireless controllers and connected Access
Points with SSID and connected Clients with application, QOS and bandwidth utilization based
on Controller, Access Point, Time Frame, Resource Type, Client and SSID with different
widgets.
Top In N User by Wlan SSID
Displays Top 10 details based on Wireless SSID and its traffic utilization for IN direction.
Top Out N User by Wlan SSID
Displays Top 10 details based on Wireless SSID and its traffic utilization for OUT direction.
Top In N Application
Displays Top 10 details based on Application and its traffic utilization for IN direction for WLAN.
Top Out N Application
Displays Top 10 details based on Application and its traffic utilization for OUT direction for
WLAN.
Top In N Application by Wireless Host
Displays Top 10 details based on wireless Host IP and its traffic utilization for IN direction for
WLAN.
Top Out N Application by Wireless Host
Displays Top 10 details based on wireless Host IP and its traffic utilization for OUT direction for
Wireless Host.
Top In N User by Mac
Displays Top 10 details based on wireless client MAC address, Access Point and its traffic
utilization for IN direction.
Top Out N User by Mac
Displays Top 10 details based on wireless client MAC address, Access Point and its traffic
utilization for OUT direction.
Top In N Qos
Displays Top 10 details based on QOS and its traffic utilization for IN direction for WLAN
Controller.
Top Out N Qos
Displays Top 10 details based on QOS and its traffic utilization for OUT direction for WLAN.
Attacks Overview
Attacks or Advanced Security Analytics Module (ASAM) is a flow based network security
analytics tool that helps detect and classify network intrusions. It offers intelligence to detect a
broad spectrum of external and internal security threats. Using the "Continuous Stream Mining
Engine" technology, ASAM analyzes NetFlow packets in real time and matches multiple events
without duplication. It also offers continuous overall assessment of network security. ASAM is
available as an add-on module for NetFlow Analyzer and requires a license to run. Since
NetFlow packets are exported directly from NetFlow Analyzer there is no configuration required
on the module.
Top N Problem
Displays the top 10 problem classes and their respective problems by default. It also lists the
start and end time for each problem types withnumber of events involved. You can click on the
Edit icon to change the Top view from 10 to 5 and get the information based on different
time periods.
Top N Offender
Display the information on top 10 Offender IP with the Geo location with the number of events
involved. You can click on the Edit icon to change the Top view from 10 to 5 and get the
information based on different time periods.
Top N Target
Display the information on top 10 Target IP with the Geo location with the number of events
involved. You can click on the Edit icon to change the Top view from 10 to 5 and get the
information based on different time periods.
Top N Offender Location
Display the information about the top offender location and events involved. You can click on
the Edit icon to change the Top view from 10 to 5 and get the information based on
different time periods.
Top N Target location
Display the information about the top target location and events involved. You can click on the
Edit icon to change the Top view from 10 to 5 and get the information based on different
time periods.
Top N Devices
Display the information based on the Devices involved in problem classes in the network with
the events involved. You can click on the Edit icon to change the Top view from 10 to 5
and get the information based on different time periods.
Display the information about top device and interface involved in a problem with the events
involved. You can click on the Edit icon to change the Top view from 10 to 5 and get the
information based on different time periods.
NCM Overview
This view provided an quick view on number of applications and URLs accessed within the network
with different widgets like:
Views Description
Flow Analysis Represents the information based on the Flow packets
exported by the Devices.
IPSLA Represents the view for IPSLA VOIP, WAN and VIDEO
monitors created.
Flow Analysis
NetFlow Analyzer Flow Analysis show the details and in-depth informations on Device
bandwidth, Interface real-time bandwidth statistics and top talker information, Apps, IP
groups and Interface Groups, Attacks and WLC in separate view.
Devices Details
Interfaces Details
Groups
Apps
QOS
WLC
Attacks
Devices Tab in NetFlow Analyzer
This view lists all the devices that are actively exporting flows to the NetFlow Analyzer.
NetFlow Analyzer auto detect the device over you have configured your devices to export the
flow packets to the UDP 9996 (Default).
Device Discovery
NetFlow Analyzer discover the device with the source interface IP configured in the device flow
export and Interfaces with Ifindex. NetFlow Analyzer use SNMP to get the Device Names,
Interface names and Interface speed. You can also get the Device DNS names discovered in
NetFlow Analyzer.
To view the Devices based on the Device Group created, you can select the Group name on
the right hand side to view only the devices available in the selected group.
To view the Router, Switches and Firewall separately, you can select the appropriate option
from to get the view:
You can sort the Device view based on each column i.e Router Name, IP address , Interface
Count and Flow Count by clicking on the respective column name.
Click on the device name and you will see the Device traffic graph for the device for Today
average by default.
Device Details
Drill down by clicking on the icon to see the particular device-based 10 top interfaces
based on utilization and speed, top protocols, top application, top source, top destination, top
conversation, top DSCP and AS information for the device.
By default you will see the information for Today(last 24 hours) time period. You can select the
different time period by clicking on the icon and can set Custom time selection and get
the reports.
You can view the Interface traffic graph of the devices based on speed and utilization.
Application tab will list up top 10 applications by default, you can change the Type to Protocol
to view top 10 Protocols used.
By default NetFlow Analyzer show the Source IP, Destination IP and conversation only by IP
address, you can select the Resolve DNS toggle to get the view based on DNS names of the
IP address. NetFlow Analyzer do nslookup in the local installed server to get the DNS names
of the IP address.
You cannot drill down further under Application, Source, Destination or QOS as we only show
top 10 information for the device for the selected time period and remaining will be listed as
Others.
Setting SNMP in NetFlow Analyzer
NetFlow Analyzer uses RFC1213 MIB to get the Interface names, Interface speed and Device
names using SNMP.
Allows to do SNMP update for a single device or All devices in bulk using the SNMP
credentials configured under Settings -> Discovery -> Credentials.
You can click on the to get the below various settings to update for Devices:
Edit Device Details:
This view allows you to change the Display name of the router manually. Also you can get the
Display name of the router using DNS and SNMP by selecting the appropriate option as shown
below:
Set SNMP :
Select the Correct SNMP credentials configured on the device -> Click Test Credentials -> You
will get the status of the Test.
If it shows OK, you can click on Save to do the update>This will get the Device name, Interface
name and Interface speed updated with SNMP names.
Status of interfaces can be detected based on the below icons presented beside the
interface names.
Down Interfaces The interface is responding to SNMP request and the link is Down
and no flow received from last 10 mins
InActive interfaces The status of the interfaces is unknown and no flows received from
last 10 minutes.
The interfaces sending flows but not managed due to the license
New Interfaces limit.
List view
The IN Traffic and OUT Traffic columns show the utilization and speed of IN and OUT
Traffic on the respective interfaces for the past 12 hour(Today) average, you can
change the average view by clicking on the clock icon %click icon%. You can click
on the IN Traffic or OUT traffic bar to view the respective application traffic graph
for that interface.
Traffic Details
To get the real time traffic details for the interface you have to drill down the interface that
you want to monitor. Clicking the interface name will give a quick view of traffic graph for
the selected interface for last 12 hours.
Click on the arrow to expand the view to get the detailed information on the
interface like:
Real Time traffic
Application
Source
Destination
QOS
Conversation
CBQOS
NBAR
Top Sites
Application Group
Multicast traffic
Medianet traffic
NBAR2 Application
Http Host
QOS Stats
ART ( Application Response Time )
NetFlow Analyzer generates traffic graphs as soon as Netflow data is received. The Traffic tab
shows real-time traffic graphs for incoming and outgoing traffic. Depending on which link was
clicked, you can see traffic graphs for an interface.
The Traffic reports are displayed based on Volume of traffic, Speed, Bandwidth utilization, and
number of packets received/sent by a specific resource. The graph and the data points can be
viewed as Today, last 15 mins, last month or other by selecting from the top left.
The Packets tab shows the number of actual packets of traffic data received. This information is included in expo
Time Filters
The default graph is for the "Last Day". You can choose to see hour-based data in the traffic graphs
for daily and weekly reports. To do this, first select the Last Day Report or Last Week
Report option in the top time selection bar. When the respective traffic graph is displayed, the table
below the graph includes manual selectable area to view details in depth.
95-th Percentile
The 95th percentile is the number that is greater than 95% of the numbers in a given set. The
reason this statistic is so useful in measuring data throughput is that it gives a very accurate picture
of the maximum traffic generated on an interface. This is a standard measure that is used for
interpreting the performance data.
The 95th Percentile is the highest value left when the top 5% of a numerically sorted set of collected
data is discarded. It is used as a measure of the peak value used when one discounts a fair amount
for transitory spikes. This makes it markedly different from the average. The following example
would help you understand it better.
Selectable Graph
NetFlow Analyzer brings you the added advantage of drill-down to the traffic graphs presented. As
you hover the mouse over the plot-area you can see a "+ " - cross-hair icon. Click on an area of the
graph and holding the mouse down, drag it to the point(time period), you wish to further drill down
to. For example : Having chosen a Last week report you could choose to study two specific days by
selecting them. You could further drill down on until the time period you have chosen is more than 1
minute. Click on "reset graph" link to take you to a time period depending on the time difference
between the From time and the system time.
Illustration
If you choose Last Hour Report at 18:15 hours, then a graph with a plot of data from 17:15 to 18:15
is shown. If you choose the time period 17: 25 to 17:50 then a corresponding graph with 1 Minute
Average is shown. When you click on the "reset graph" link the screen changes to the Last Hour
report. ( as the time difference between the From Time 17:25 and system time 18:20 is less than 1
hour)
Thus depending on the time difference you are either taken to the Last Hour or Last Day or
The Applications tab displays all the applications that pass through a specific interface for a
selected period of time. Choose between IN and OUT to display the application-wise distribution of
incoming or outgoing traffic respectively for selected interface using the radio
button above the widget . The default view of the application report shows
Traffic IN details. The applications, for the ease of monitoring can be grouped as application groups
and top-sites.
We have 2 views to view the Application view. You can select view by click on the Radio
Applications Report
The report shows application-wise distribution of incoming and outgoing traffic. The list of
applications are ordered to show the top applications that contribute to maximum network traffic
along with the volume of traffic and the total percentage of network traffic it occupies. Clicking on
the application name will highlight the detailed report of the traffic.
// The Show Ports Link next to an application name indicates that that application is not identified by
NetFlow Analyzer. When you click on Show Ports Link, a window opens up showing the port and
protocol details for this application. If it is a valid application you can then add it to the list of
applications in the Application Mapping page. ( This Option will be available in next release )
The Show Ports Link will be displayed next to an unknown application only in the Last Hour
report.
Click on an application's name to see the Top Conversations that contributed to this application's
traffic.
Applications Group
This report displays different applications that are grouped together for the ease of view. This
feature enables you to group the applications as a single entity.
Creating an application group:
To create applications group navigate to Settings -> NetFlow -> Group Settings -> Application
Group
1. Select Application Group
3. Specify the group name, a description about the group and select the applications you want
to group together
The "Add Sub App" options allows you to add a sub application to the list of applications under
top sites tab. Through this, you can add a name to the IP address, range, or network and associate
it with an application name. This helps identify the IP network, range or address that has accessed
a particular application.
Viewing Top Protocols
Click on the drop arrow and select Protocol link to see the top protocols for the selected Devices in
Devices reports view:
Choose between IN and OUT to display the protocol-wise distribution of incoming or outgoing traffic
respectively.
This report sorts traffic based on the protocol used, while the Application IN/OUT
Report sorts traffic based on the application, i.e., the combination of port and protocol.
The pie chart shows what percentage of bandwidth is being used by each protocol. From here, you
IP version 6 (IPv6) is a new version of the Internet Protocol, designed as the successor to IP
version 4 (IPv4). IPv6 increases the IP address size from 32 bits to 128 bits, to support more levels
of addressing hierarchy.
NetFlow Analyzer now offers support for IPV6. You can view the raw data records for the last two
hours in IPV6 format. since the IPV6 addressing format yet to be adapted by most people worldwide
we are offering support for IPV6 format only at raw data level. The raw data collected for top ten
applications, source, and destination for the past two hours can be viewed in IPV6 format.
Top Hosts
The Source tab shows the top source hosts contributing to traffic in the selected time period. The
default view shows the Top SourceIN Report.
The Destination tab shows the top destination hosts contributing to traffic in the selected time
period. The default view shows the Top DestinationIN Report.
Choose between IN and OUT to display the top hosts in incoming or outgoing traffic.
Exand the widget by clicking on to get the details list of Source and Destination reports.
When you drill down from an IP group, traffic is unidirectional, and hence
the IN and OUT options are not available.
The Time Period icon lets you choose between options available in the drop-down as per
your requirement at the top. The From and Toboxes let you choose custom time periods for the
graphs. The time period for these graphs is based on the current system time. Once you select the
desired date and time, click the OK button to display the appropriate source or destination traffic
report.
The default report view shows the IP addresses of the hosts. Click the Resolve DNS link to see the
corresponding DNS values.
Click the Network link to ON to see the network-wise top sources and destinations.
Ex: 192.168.4.0 / 24 . Here 192.168.4.0 is the IP address and 24 is the network mask.
QoS
QoS or Quality of service is the most important factor that determines how effectively the available
enterprise bandwidth is being used in the WAN. It is also an index of the overall User Experience of the
available Bandwidth.
The QoS feature by default lists out the Top DSCP IN Report. Clicking on the icon next to the DSCP
value gives a detailed traffic graph in a pop-up screen.
DSCP
The DSCP Groups can be viewed by clicking on the drop down arrow on the widget and select DSCP Group.
If no DSCP Groups have been created earlier, then an appropriate message is displayed and the user is
prompted to create a DSCP group.
The time period for which the report is shown can be controlled by using the time selection icon at the
top.
TOS
You can view the top TOS information by clicking on the drop down arrow at the top of the widget:
Conversations
The Conversation tab shows the top conversations contributing to traffic in the selected time
period. The conversations detail report lists the number of resources accessed the specific
application. It gives the details of the conversation like source, destination, application type,
DSCP, volume of traffic, and the perecentage of traffic the specific conversation contributes.
Choose between IN and OUT to display the top conversations in incoming or outgoing traffic.
Expand the widget by clicking on the icon to get the detailed list of converstion for selected
time period.
The Time Period icon lets you choose between options available in the drop-down as per
your requirement.
The default report view shows the IP addresses of the hosts. Click the Resolve DNS side button to
see the corresponding DNS names.
The default list shows the conversations sorted in descending order of number of bytes of traffic.
Because the Internet by itself has no direct knowledge of optimizing the path for a particular application or
user, the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about
how the trade-offs should be made for a particular packet. This facility is the "Type of Service" facility,
abbreviated as the "TOS facility".
The TOS facility is one of the features of the Type of Service octet in the IP datagram header. The Type of
Service octet consists of three fields. The first 3 bits ( 0,1,2) are for the first field, labeled "Precedence" ,
intended to denote the importance or priority of the datagram. The second field, labeled "TOS" , denotes how
the network should make tradeoffs between throughput, delay, reliability, and cost.The last field, labeled
"MBZ" ( for "must be zero" ) above, is currently unused. The originator of a datagram sets this field to zero
(unless participating in an Internet protocol experiment which makes use of that bit). Routers and recipients
of datagrams ignore the value of this field.This field is copied on fragmentation.
Although the semantics of values other than the five listed above are not defined , they are perfectly legal
TOS values, and hosts and routers must not preclude their use in any way. Only the default TOS is in any
way special. A host or router need not make any distinction between TOS values
For example, setting the TOS field to 1000 (minimize delay) does not guarantee that the path taken by the
datagram will have a delay that the user considers "low". The network will attempt to choose the lowest
delay path available, based on its (often imperfect) information about path delay. The network will not
discard the datagram simply because it believes that the delay of the available paths is "too high" (actually,
the network manager can override this behavior through creative use of routing metrics, but this is strongly
discouraged: setting the TOS field is intended to give better service when it is available, rather than to deny
service when it is not).
Neither hosts nor routers should need to have any explicit knowledge of whether TOS affects routing in the
local routing domain.
Inherent Limitations:
The most important of all the inherent limitations is that the TOS facility is strictly an advisory mechanism. It
is not an appropriate mechanism for requesting service guarantees. There are two reasons why this is so:
Not all networks will consider the value of the TOS field when deciding how to handle and route
packets.Partly this is a transition issue: there will be a (probably lengthy) period when some networks will
use equipment that predates this specification. Even long term, many networks will not be able to provide
better service by considering the value of the TOS field. For example, the best path through a network
composed of a homogeneous collection of
interconnected LANs is probably the same for any possible TOS value. Inside such a network, it would make
little sense to require routers and routing protocols to do the extra work needed to consider the value of the
TOS field when forwarding packets.
The TOS mechanism is not powerful enough to allow an application to quantify the level of service
it desires. For example, an application may use the TOS field to request that the network choose a path
which maximizes throughput, but cannot use that mechanism to say that it needs or wants a particular
number of kilobytes or megabytes per second. Because the network cannot know what the application
requires, it would be inappropriate for the network to discard a packet which requested maximal
throughput because no "high throughput" path was available.
Top Sites
This report displays the applications contributing to the maximum network traffic.
Expanding the applications displays name of the website (if the DNS is resolved) and names of top
10 machines in your network (if the DNS is resolved) connecting to that website. It will also give the
contribution of traffic in terms of upload & download volume (and % of total traffic) from each IP
address to the particular site through that application. You can also view the total traffic percentage
across each application. The report gives a detailed view about the traffic in terms of upload &
download volume and percentage of total traffic from each IP address to the specific site via the
application. Further drill-down to the website name gives you information on the upload or download
traffic detail and the specific IP address that accessed that site.
NBAR
NBAR is a more of an intelligent classification and has the ability to identify web based and client-
server applications that uses dynamic ports as well as those using well known port numbers (like Bit
Torrent). This helps the network administrator identify what really is going on in the network and
then define QoS policies to ensure that the bandwidth is used for its original purpose – run business
applications.
You can select the Grid option to view the list of NBAR apps and its bandwidth utilization.
Expand the widget by clicking on the to get the complete list of NBAR apps of the
selected interface.
Click on the NBAR app to get the Conversation details based on the NBAR applications.
Application Mapping
The Application Mapping option lets you configure the applications identified by NetFlow
Analyzer. You can add new applications, modify existing ones, or delete them. Please see
the Additional Notes on Application Mapping section to understand this feature more clearly. Also
it is possible to associate an IP address with an application.
Adding an Application
Follow the steps below to add a new application:
5. To enter a port range, separate the start and end points of the range with a hyphen.
(eg.) 1400-1700
6. Choose the protocol from the list of protocols
7. Choose one of the options from IP Address / IP Network / IP Range. Depending on
what you opt a set of fields are enabled and should be filled.
If you opt for IP Address then you have to enter the address in the IP Address
box.
If you opt for IP Network then you have to enter the IP Network and IP
Netmask details.
If you opt for IP Range then you have to enter the Start IP, End IP and IP
Netmask Enter a unique name for the application
8. The Application Name has to be entered finally by which the IP address is associated
with an application.
Ensure that the combination of port number and protocol is unique. If not, the older
application mapping will be deleted.
Modifying an Application
Select an application and click the Modify window will pop up to modify its properties
You can only change the name of the application. If you need to change the port or the
protocol, you have to delete the application, and add it as a new application.
Deleting an Application
Select an application and click the Delete button to delete it. The application is permanently
deleted, the corresponding port is freed, and can be assigned to another application.
The check is done first with the smaller of the 2 ports (source port / destination port), and if no
match is found the bigger of the 2 ports is mapped
Application mappings created with specific IP address / IP Range / IP Network is given higher
priority over applications mappings with no IP address. For example assume you have 2 application
mappings as below:
If a flow is received with source address 10.10.10.10 and Port as TCP-80 then it is classified as
APP1. Only TCP-80 flows from non-10.10.10.0 network will be classified as APP2.
Application mappings created with single port is given higher priority over applications mappings
with port range. For example assume you have application mappings as below:
Applications are categorized based on the source address, destination address, source port,
destination port and protocol values in the flow record.
The smaller of the 2 ports (source port / destination port) and protocol is matched with the port-
protocol in the application mapping list
If no match is found, the bigger of the 2 ports (source port / destination port) and protocol is
matched with the port-protocol in the application mapping list.
If no match is found, the smaller of the 2 ports (source port / destination port) and protocol is
matched with the port range-protocol in the application mapping list.
If no match is found, the bigger of the 2 ports (source port / destination port) and protocol is
matched with the port range-protocol in the application mapping list.
In case the protocol is not available in the application mapping list, the application is categorized as
Unknown_App
Application Group
Application Groups allow you to define your own class of applications by including one or more
applications. For example, you might want to classify all your database applications like Oracle,
MySql, MS-Sql in to one group called the DataBase group. Initially when no application groups have
been created a message to that effect is displayed. The Application Group report can be viewed on
the Application tab for each interface.
Adding an ApplicationGroup
Follow the steps below to add a new application group:
5. Enter the Group Name and the Group Description (eg.) DataBase Group - Contains the
Oracle DB and MySql DB
6. Choose the applications from the list of applications in the left pane
Select an application by clicking on it.
Use the " >> " button to include the selected application to the right pane -
"Selected Applications" list.
Add as many applications as you want to this group.
7. Click on update for the application group to be created with the list of applications you
had selected.
You may create additional Application Groups by clicking on the Add button and following the above
steps.
DSCP Mapping
The DiffServ model for DSCP Mapping was developed to differentiate IP traffic so that the traffic's
relative priority could be determined on a per-hop basis. Using DSCP Mapping you can name the
DiffServ code points and monitor their traffic in troubleshooting reports under the DSCP tab. Note
that the DSCP reports can be viewed on the Troubleshooting page by clicking on the DSCP tab.
DSCP Group
Quality of Service is used to measure, improve and guarantee transmission rates, error rates and
other characteristics in a network's setting. The DiffServ model for DSCP Mapping was developed
to differentiate IP traffic so that the traffic's relative priority could be determined on a per-hop basis.
Using DSCP Mapping you can name the DiffServ code points and monitor their traffic in
troubleshooting reports under the DSCP tab. Note that the DSCP reports can be viewed on the
Troubleshooting page by clicking on the DSCP tab.The DCSP group is very valuable in the
deployment of QoS.
5. Enter the Group Name and the Group Description (eg.) DataBase Group - Contains the
Oracle DB and MySql DB
6. Choose the DSCP Names from the list of names in the left pane
Select a name by clicking on it.
Use the " >> " button to include the selected DSCP Name to the right pane -
"Selected DSCP Names" list.
Add as many DSCP Names as you want to this group.
7. Click on Save for the DSCP Group to be created with the list of DSCP Names you had
selected.
You may create additional DSCP Group by clicking on the Add button and following the above
steps.
Top Sites
The Top Sites report displays the applications contributing to the maximum network traffic.The top
sites option maps application to the resolved DNS names. Using this option you can now Add,
Modify or Delete the pre-defined IP addresses and its corresponding application.
IP Multicasting allows a host to send packets to a specific group of hosts. These hosts are
called group members. In a multicast environment, packets delivered to group members are
identified by a single multicast group address. A group of hosts consists of both senders and
receivers. Any host, regardless of whether it is a member of a group, can send to a group.
However, only the members of a group receive the message. NetFlow Analyzer displays IP
Multicasting reports based on volume, speed, utilization and packets.
Enabling Multicast routing in Cisco routers
Follow the commands below to be enable Multicast on Cisco routers:
(config) ip multicast-routing
(config) ip multicast netflow output-counters
(config) ip multicast netflow rpf-failure
(config) interface fastethernet 0/0
(config-if) ip multicast netflow egress
IP Multicasting can be viewed using the Flexible NetFlow, including the multicasting fields in
exports. Given below is an example to export the flows.
Once the configuration is done and saved, flows will be exported to the server where NetFlow
Analyzer is installed. NetFlow Analyzer is based on automatic discovery and so the NetFlow
exporting devices are automatically discovered and reports are generated within seconds of
receiving the flows.
NetFlow Analyzer uses Medianet to report on volume and quality of media traffic in your
network. NetFlow Analyzer reports on the volume of media traffic (IN and OUT), round trip
time, packet loss and jitter. You can also view source, destination and applications that are
responsible for the media traffic. These reports help you isolate network issues for rich media
applications and determine the quality of media traffic.
Drill down to each interface of the router for which Medianet export is configured and generate
desired reports from the Medianet tab. The reports can be generated for following parameters
individually:
Media volume
RTT
Jitter average
Packet loss
Group by
The group by option allows you to display the performance metrics by source, destination or
application. The below report is grouped by "Application" where metrics such as RTT, jitter and
packet loss is shown wrt the applications
Network and Resolve DNS
Turning the Network "ON" will combine the source and destination IPs in the same network
and show the combined stats. Resolve DNS option will provide the DNS names to the source
and destination IPs.
NBAR 2 Apps
NBAR 2, also known as Next-Generation NBAR, is an advanced version of Cisco NBAR that helps
in identifying Layer-3-7 applications in the network based on some advanced techniques that are
accurate and reliable. Over a 1000 applications are covered through Cisco NBAR 2 and that gives
unprecedented amount of visibility into the applications on the network.
NetFlow Analyzer's NBAR2 reports show the list of applications that are identified with NBAR2
along with their traffic details and the contribution of a particular application's traffic to the total traffic
in the network. Drilling down an application lists the conversations that happened and has fields
such as source IP, destination IP, source port, destination port, DSCP value etc.
To get the NBAR 2 application information in NetFlow Analyzer, you have to configure you CISCO
devices to export netflow packets using Flexible netflow configuration and create flow record to
export NBAR information in the flows.
ART refers to Application Response time and the ART report helps identifying the
most latent applications in the network based on their response times. The report
shows client packets, server packets, transactions, retransmission, new
connections, responses and traffic. Drilling down a particular application shows the
following graphically:
Response time distribution
New connections
Transactions
Traffic
Retransmission
You have to configure the Cisco devices to export the ART information to the
NetFlow Analyzer server to get the statistics. You can get the detailed information
on ART based on each NBAR2 application exported by the device.
You can drill down each NBAR 2 application and get the details information on
Client Packets, Server Packets, Retransmissions, Transactions, Connections,
Responses and Traffic.
Application Response Time is only supported for Cisco ASR and ISRG2 routers.
Please refer the below link to configure ART is ASR routers:
https://forums.manageengine.com/topic/steps-to-enable-avc-in-cisco-ios-and-ios-
xe-routers-using-easy-performance-monitor-%E2%80%9Ceasy-perf-mon
%E2%80%9D-or-%E2%80%9Cezpm%E2%80%9D
https://blogs.manageengine.com/network/netflowanalyzer/2014/02/27/analyzing-
art-using-netflow-analyzer.html
What is CBQoS?
CBQoS (Class-Based Quality of Service) is a Cisco feature set that is part of the IOS 12.4(4)T
and above. This data is retrieved using SNMP and provides information on the QoS policies
applied and class-based traffic patterns within an enterprise's network.
Initially, CBQoS has to be enabled on the router manually. Further, policies have to be defined
on the router. Usually, Traffic Policies are dependent on the type of enterprise and its business
needs. ( heavy voice traffic, heavy document transfer, heavy streaming video traffic, etc ). The
policy / classification can be done on the basis of Class Maps and Policy Maps.
A class map is a mechanism that you use to isolate and name a specific traffic flow (or class)
from all other traffic. The class map defines the criterion used to match against a specific traffic
flow to further classify it; the criteria can include matching the access group defined by the ACL
or matching a specific list of DSCP or IP precedence values. If you have more than one type of
traffic that you want to classify, you can create another class map and use a different name.
After a packet is matched against the class-map criteria, you can specify the QoS actions via a
policy map. A policy map specifies the QoS actions for the traffic classes. Actions can include
trusting the CoS or DSCP values in the traffic class; setting a specific DSCP or IP precedence
value in the traffic class; or specifying the traffic bandwidth limitations and the action to take
when the traffic is out of profile. Before a policy map can be effective, you must attach it to an
interface.
After a packet is classified and has an internal DSCP value assigned to it, the policing and
marking process has to be done. Policing involves creating a policy that specifies the
bandwidth limits for the traffic. Packets that exceed the limits are out of profile or
nonconforming. Each policy specifies the action to take for packets that are in or out of profile.
These actions, carried out by the marker, include passing through the packet without
modification, dropping the packet, or marking down the packet with a new DSCP value that is
obtained from the configurable policed-DSCP map.
Command or Purpose
Action
Step Router> enable Enables privileged EXEC mode.
1
Step Router(config-cmap)#
4 match access-group (Optional) Configures the match criteria for a class
{access-group | name map on the basis of the specified access control list
access-group-name (ACL).
Step Router(config-cmap)# m
21 atch protocol protocol- (Optional) Configures the match criteria for a class
name map on the basis of the specified protocol.
To create a traffic policy (or policy map) and enable one or more QoS features, perform the
following steps.
This procedure lists many of the commands you can use to enable one or more QoS features.
For example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would use the
bandwidth command. Not all QoS features are available on all platforms or in all Cisco IOS
releases. For the features and commands available to you, see the Cisco IOS documentation
for your platform and version of Cisco IOS software you are using.
Configuration Steps
Use one or more of the following commands to enable the specific QoS feature you want to
use.
Step Router(config-pmap-c)# se (Optional) Sets the cell loss priority (CLP) bit when
11 t atm-clp a policy map is configured.
Step Router (config-pmap- (Optional) Sets a QoS group identifier (ID) that can
18 c)# set qos-group{group- be used later to classify packets.
id | from-field [table table-
map-name]}
Depending on the platform and Cisco IOS release you are using, a traffic policy can be
attached to an ATM permanent virtual circuit (PVC) subinterface, a Frame Relay data-link
connection identifier (DLCI), or another type of interface.
Command or Purpose
Action
Multiple traffic policies on tunnel interfaces and physical interfaces are not supported if the
interfaces are associated with each other. For instance, if a traffic policy is attached to a tunnel
interface while another traffic policy is attached to a physical interface with which the tunnel
interface is associated, only the traffic policy on the tunnel interface works properly.
Command or Purpose
Action
Step Router# show class- (Optional) Displays all class maps and their matching
2 map [type {stack | criteria.
access-control}] [class-
map-name]
Step Router# show policy- (Optional) Displays the configuration for the specified
3 map policy-mapclass cl class of the specified policy map.
ass-name
Step Router# show policy- (Optional) Displays the configuration of all classes for
4 map policy-map a specified policy map or all classes for all existing
policy maps.
Step Router# show policy- (Optional) Displays the packet statistics of all classes
5 map interface[type that are configured for all service policies either on
access-control] type the specified interface or subinterface or on a specific
number [vc[vpi/] vci] [dlci permanent virtual circuit (PVC) on the interface.
dlci] [input | output]
CBQoS reports can be exported as PDF or can be mailed by going to "Actions" and clicking on
the necessary action.
Based on these information suitable corrections can be done to the policies to make it best suit
the business goals of the organization.
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used
the class-map command to create the previous traffic class (Step 3 of the "Creating a Traffic
Class" section).
After entering the class command, you are automatically in policy-map class configuration
mode. The policy-map class configuration mode is the mode used for enabling the specific
QoS features.
Procedure
To create a traffic policy (or policy map) and enable one or more QoS features, perform the
following steps.
This procedure lists many of the commands you can use to enable one or more QoS features.
For example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would use
the bandwidth command. Not all QoS features are available on all platforms or in all Cisco
IOS releases. For the features and commands available to you, see the Cisco IOS
documentation for your platform and version of Cisco IOS software you are using.
Configuration Steps
Command or Purpose
Action
Use one or more of the following commands to enable the specific QoS feature you want to
use.
Step Router(config-pmap-c)# se (Optional) Sets the cell loss priority (CLP) bit when
11 t atm-clp a policy map is configured.
Step Router (config-pmap- (Optional) Sets a QoS group identifier (ID) that can
18 c)# set qos-group{group- be used later to classify packets.
id | from-field [table table-
map-name]}
Traffic policy can be nested within another traffic policy using the service-policy command. It’s
called Hierarchical traffic policy. This policy that holds another policy is the parent policy and
the nested one is called child policy.
Sample configuration of policy with parent-child relationship:
Router(config)# policy-map child
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 50
Router(config)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 10000000
Router(config-pmap-c)# service-policy child
Router(config-pmap-c)# exit
APPS
These are the application detected by NetFlow Analyzer based on the port and
protocol mappings. NetFlow Analyzer traffic calculation is based on the port and protocol map
available, we have around 10000 application mapped based on the IANA which you can find it
under Application/QoS mapping.
Layer 7 Apps:
QoS
The QoS stats tab lists QoS-specific information in the network. QoS or Quality of service is the
most important factor that determines how effectively the available enterprise bandwidth is being
used in the WAN. It is also an index of the overall User Experience of the available Bandwidth.
Here you see the top DSCP that is utilizing the maximum traffic from accross all the devices that are
sending flows to the NetFlow Analyzer server. Also you can see the Device and Interface specific
QOS information by clicking on the device or interface name on the right hand side view.
Overview
Analysis by numerous IT experts have time and again revealed that the commonest cause for
most Network outages is faulty configuration changes. In this age of the Internet, IT
applications dominate almost all aspects of business enterprises. To cater to various business
needs, network administrators carry out frequent configuration changes to network devices.
Every single change to a network device configuration carries with it the risk of creating a
network outage, security issues and even performance degradation. The problem becomes still
more complex when there are multiple devices from multiple vendors and multiple
administrators manage the network and carryout changes. Unplanned changes make the
network vulnerable for unexpected outages.
Besides, the network administrator is fraught with the challenge of keeping track of all the
happenings in the network devices - who did what and when. In mission critical environments,
network downtime, even for a few minutes, might prove to be costly. When a configuration
error occurs in the network, it becomes a cumbersome task to identify the exact cause and
initiate corrective action. Network administrators indeed face a daunting task when it comes to
effectively doing the Network Change and Configuration Management !
Network Configuration Manager can manage network devices such as switches, routers,
firewalls, wireless access points, integrated access devices etc., from multiple vendors. It
discovers network devices, builds up an inventory database and allows IT administrators to
take control of configuring the devices from a central console. The web-based administrator
console provides the User Interface to perform all the configuration operations. Additionally, it
can be accessed from anywhere using any standard web browser.
Alarms
NetFlow Analyzer generate and show alerts once the configured threshold is violated, you can
create Alert profiles based on you requirement from Settings -> NetFlow
-> Aggregated/Real-Time Alert Profiles. Alerts are generated based on the RAW data
collected in the database.
You can see the alerts and its events based on the severity configured in Alert Profile
like Critical, Trouble, Attention and Service down. You can click on the severity to get the list of
Alarms generated for that severity.
You can click on the Filter icon to change the view of the Alarms in NetFlow Analyzer, also you
can sort the alarms by time on which it is generated by clicking on the icon on the left
side column.
Filter Description
Active Alarms List up all the recent active alarms.
You can set the different view from the right hand side top for Alarms to display under the
Alarms tab using the below option:
View Description
You can click on each alarm for a detailed view on the Alert generated, and view the Traffic
and Application statistics during the time the Alert was generated. Any technician who checks
the alert can add notes for others to understand.
You can also delete an Alert form the view by selecting the Alert and then click on the delete
Events
When an threshold is violated in your network, an event occurs and multiple events correlate to
trigger an alarm. An event can not be deleted from the UI. Event for an Alert is stored for 7
days by default in the database and deleted automatically.
Types of Alerts
NetFlow Analyzer allows you to customise alerts and the type of notification. You can choose
to be notified via SMS, email, SNMP trap or log a ticket.
For emails alerts, you must provide details such as the To email address and the email subject.
For SNMP Trap you must provide Server:Port:Community details.
You can receive SMS notifications by providing the mobile number.
For logging the alert as a ticket, provide ticket details such as category, priority, and group.
You can also assign it to a particular technician based on severity and category of the alert.
Every time an alert is generated, it will automatically be logged in as an SDP ticket and
assigned to the particular technician, based on the details provided. You create a private
knowledge base in SDP to resolve repetitive network bottlenecks quickly. You can also
announce known network issues in SDP’s ‘announcements’ to help reduce number of tickets
created for the same issue.
Zoho Maps
NetFlow Analyzer uses Zoho Maps as the default map provider for the Maps feature. You can
use it to visualize your network by placing the devices on the maps according to their
geographic distribution.
Adding Devices on the Zoho Map
1. Now, zoom in/out the map and double-click on the location where you want to place a
discovered device.
2. A device list box pops up allowing you to select a device to be placed in that location.
3. Select the device and click on Add.
4. Add the required devices on to the map by double-clicking the location.
Google Maps
Network diagram or Network layout defines how the network is distributed and spread across
globally. As a network administrator, its a huge task to consolidate and manage network devices
spread globally. NetFlow Analyzer as a comprehensive network monitoring tool which allow the
users to draw their network layout and provides an easiest way to manage network resources.
Google maps feature lets you physically locate your network resources on a map. This enables
network administrators to have a feel of how devices are distributed and more importantly provide a
quick and easy drill down to specific information. NetFlow Analyzer, by using Google maps API, lets
you position your devices on a map for a graphical presentation.
Network Layout
The network layout configuration on the Google map allow users to draw their network diagrams
according to the device connectivity. To configure network layout, navigate to Maps icon on the
user interface and click on anywhere in the map to place the network device in Google Map View.
You will be prompted with a pop-up to select the nodes (routers or switches) for connectivity once
you click on the Add Link button. Provide the link name and description and click on next. Select
the interface relative to which you need to see the traffic details and “ save”. Now you can see the
traffic between the two link as per your need.
Google Maps
NetFlow Analyzer allows you to integrate Google Maps and place the devices on the maps
according to the geographic distribution. Please refer to the Google licensing terms and pricing
plans before you proceed further.
4. Once you have updated the key, upload the updated maps.html.
Reports
NetFlow Analyzer has many reporting options available based on Interfaces and IP groups out of
box.
Reports Description
Search Search Report provide you the options to generate reports based on search criteria. We have 2
Report different kind of search reports Global search and Custom search reports.
Compare Allows you to compare statistics of bandwidth utilization of different interfaces or IP groups for same
Report time or different time periods.
More Allows you to generate reports like Consolidated Report, Protocol Distribution Report, IPGroup
Reports Consolidated Report and Capacity Planning Report.
Schedule Allows you create schedule automatic report generation daily, weekly, monthly and export to
Reports your email address.
Billing Allows you Add and generate billing reports based on utilization of Speed or Volume
Forensic Allows you to generate reports based on the RAW data collected in NetFlow Analyzer
s
WAAS Allows you to view data based on the CM added in NetFlow Analyzer UI
Explore the following sections to know more about the Reports available in NetFlow Analyzer.
Search Reports
Search Reports can be used to generate reports specific to the user. This is especially useful
in finding out the bandwidth utilization of a specific host or application.
While Troubleshooting Reports can be used to derive information on one interface at a time,
Search Reports can be generated across interfaces. Data for Troubleshooting reports is taken
directly from raw data, whose maximum retention period can be set from Settings. But data for
Custom Reports is taken from aggregated data in the database.
You can select the device or its interfaces for which you need to generate an report based on
the custom criteria.
Under Select Criteria, enter the criteria on which traffic needs to be filtered. You can enter any
of the following criteria to filter traffic:
Source/Destination Address
Source/Destination Network
Source/Destination Nodes
Source/Destination AS
Application
Port/Port Range
DSCP
Once the criteria is selected, please Define the appropriate criteria and click on add icon to
set the criteria that you want to filter, here you can multiple criteria's. Select option using the
radio button to generate report either by matching all the criteria or by matching selected
criteria.
Match all the following option will only generate the report is all the custom criteria you
provided match.
Match any of the following option will generate the report is any of the provided custom
criteria matches.
Once done select on which Data you need the report to be generated either IN or OUT using
the radio button. The From and To boxes let you choose custom time periods for the report.
Once you select all the desired criteria, click the Generate Report button to display the
corresponding traffic report. The default report view shows the IP addresses of the hosts. You
can also sort the data displayed either by Number of packets or Bytes.
You can export the report as CSV, Excel, or email by clicking on the export icon.
Compare Reports
Compare Report feature lets the user Compare multiple devices for the same time period or
Compare the same Device over different time periods. eg: Every Day Report, Every Hour
Report, Every Week Report, Every Month Report.
Report type
The report type could be one of :
When the Report Type is chosen as - Compare Multiple Devices over the same time
period, the available Periods are Last Hour, Last 6 Hour, Today, Last 24 Hours, Yesterday,
Last Week, Last Month, Last Quarter.
When the Report Type is chosen as -Compare same device over different time periods, the
available Periods are Every Day Report, Every Hour Report, Every Week Report, Every Month
Report.
Data Points
Data Point option allows you to select the average in which you want the reports to be
generated, you can select either 1min, 5mins or 15 mins average using the radio button.
Report Option
The Report Options could be chosen to be one of below to generate the reports in terms of
Speed, Volume, Utilization or Packets
Speed
Volume
Utilization
Packets
Select Device
You can generate Compare Report either based on Device/Interfaces or IP groups. You can
select any one of the option to generate the report.
Once all the fields are selected based on the requirement, click in the Generate Report button
to generate the report the report will be shown as below:
You can select the traffic graphs to show in different style by selecting the
icons on the right top. You can export ouput of each traffic details in
Consolidated Reports
Consolidated reports let you see all the traffic details for an interface, interface group or IP group at
a glance. Click the Reports Tab -> More Reports -> Consolidated Report link to see all traffic
details for an interface, interface group or IP Group at one glance.
Select the Interface, Interface Group or IP group based on which you need the consolidated report
under Select Source tab. Once you Select the Interface you will have the option to select the
Device and Interface interface based on which you need the report in the same way you can select
IP Group and for Interface groups as well.
Select Top allows you to show view with top 5,10 or top 20 outputs for top Source, destination and
Application.
Traffic Type give the option to select the view for the traffic graph details in either Speed, Volume
or Utilization.
You can choose to generate hourly, daily or reports based only on business hours and
also customise time period by selecting Custom option under Time Period option.
Click on Generate Report to generate the report. The report gives the Graphical and Tabular
representation for Traffic Graph, Application IN/OUT, Source IN/OUT and Destination IN/OUT
You can export ouput of each widget in CSV or Excel by click on the icon at
Protocol Distribution report lets you to view the information on top protocol utilizing the
bandwidth from Interface, Interface Group or IP group.
Select the Interface, Interface Group or IP group based on which you need the Protocol
Distribution report under Select Source tab. Once you Select the Interface you will have the option
to select the Device and Interface interface based on which you need the report in the same way
you can select IP Group and for Interface groups as well.
Traffic Type give the option to select the view for the traffic graph details in either Speed, Volume
or Utilization.
You can choose to generate hourly, daily or reports based only on business hours and
also customise time period by selecting Custom option under Time Period option.
Flow Type allows you the select IN or OUT, to get the Protocol Distribution report based on either
IN or OUT traffic you need the report to be generated.
Click on Generate Report to generate the report. The report has 2 views, Graph view and Table
view.
Graph view:
You can select the traffic graphs to show in different style by selecting the
Table View:
This show the detailed list output of Protocol and its volume used and percentage of total traffic:
You can export ouput list report in CSV or Excel by click on the icon at the
bottom of the view.
Inventory Report
In the absence of a proactive network monitoring solution, network monitoring can become a
daunting task. Network administrators will have to monitor the entire network manually which
can be a rather monotonous, time-consuming and error-prone task. With Inventory reports,
these repetitive network monitoring tasks have been simplified. With an easy-to-use interface
and a consolidated view of your preference, the Inventory report delivers a bird's-eye view over
your network traffic.
Inventory report enables you to choose amongst the traffic source - Interface/IP
Group/Interface Group/Access Point/AS View/Access Point Group/SSID Group.
The traffic type allows you to generate a report based on speed, volume or utilization.
Furthermore, you can also set the criteria based on the selected traffic type.
Inventory report can be generated in the period of your preference and additional business
hour filters can also be enabled.
Also note that a violation report will be generated if the selected criteria are violated. This
report can be viewed by clicking on the graph icon in the generated report.
Capacity Planning Reports
Capacity Planning feature in NetFlow Analyzer helps you make informed decisions about your
network bandwidth. It details on the traffic trend and bandwidth utilization pattern over a period
of time. The capacity planning Report is available for all interfaces and IPgroups monitored
under the NetFlow Analyzer.
1 Minute Average
The graph gives you traffic IN and Traffic OUT on an one minute average. The report also
displays the 95th percentile value for both IN and OUT traffic. The table below the graph
provide Total amount of Traffic IN and OUT along with the Min, Max and Average values. It
also calculates and displays Standard Deviation and 95th percentile value for the total amount
of IN and OUT traffic. The graph displays the traffic deviation from the average amount of daily
traffic.
Application Report
The pie chart displays the traffic associated each application. This is also calculated on the
basis of IN and OUT traffic. The table below displays the application name, the amount of
traffic and the total traffic percentage by each application.
Graph view show the Graphical representation for graphs and pie charts to show the
information for each widget.
Table View show the detailed list output for the generated report. You can export each widget
in the list view as csv or excel format by clicking on the icon at the bottom
of the view.
Schedule Reports
Schedule feature in NetFlow Analyzer is an easy way to generate reports in Daily, weekly and
Monthly basis. A scheduler is configured to set the parameters for automating the generation of
reports.
To create an schedule navigate to reports tab and click on Schedule.
Netflow Analyzer calculates the bandwidth utilization on the specified Interfaces, Interface groups,
IP Group, WLC Devices, Access point groups, SSID groups for every minute. Based on the
schedule opted for, reports are generated at various time intervals.The Schedule Reports feature
lets you Create new Schedules and Delete existing ones. The Scheduler List page lists all
existing schedules , along with the Schedule details,Status, Report types,and the Last Report
Generated time.
Schedule Profile
Schedule Profile show the Schedule Profiles you have created and the status of the Profiles:
Column Description
Profile The name of the Schedule when it was created. Click on the Schedule's name to see more
Name information about the schedule's configuration
Description Show the Description you have set for the schedule
Schedule Show what type for schedule is created either Daily, Weekly, Monthly or Only Once
Details
Status
By default all schedules are Enabled, which means they are active. Click the icon to
disable a schedule. When this is done, reports will no longer be generated for
Last This column lists the last time when this schedule was run and a report created.
Report
Time
Generated By clicking on View Reports it is possible to view all the previous reports that have
Reports been generated. The number of reports that are stored is based on the user definition in
the Schedule Setting page. (By enabling the item "Enable older reports to be accessed
from UI" it is possible to retrieve even older reports.) For Daily Schedule up to 90 reports
can be stored. For Weekly Schedule up to 104 reports can be stored. For Monthly Schedule up
to 60 reports can be stored.
Edit
The various columns displayed in the Schedule Profile page are described in the table below:
Add Schedule
Add Schedule button on the right top to create an Schedule. Please give the blow parameter to
Add the schedule:
Par Description
ame
ters
Des Provide description of the profile to identify the purpose of the schedule created
cript
ion
Devi You can schedule reports for an Interfaces, Interface group, IP Group, WLC Devices, Access point groups, or
ce
Typ
e
Select the option based on you requirement.
Interface option allow you to select Interface for which you need the reports to be scheduled.
IP groups and Interface Groups will allow you to select the created IP and Interface groups for which you need to s
Access point groups and SSID Groups will allow you to select the created Access point and SSID groups for w
schedule the reports.
WLC devices option allow you to select WLC devices for which you need the reports to be schedu
Rep The type of report to be generated - Please select as per your requirement from the dropdown consisting th
ort
Consolidated report
Typ
e Traffic report -> Contains the traffic graph with Total Volume, Min, Max, Avg, Standard Deviation and 95th
Percentile details and detailed list data points for the report period.
Application report -> Contains list of Application with volume of traffic utilized and percentage of total traffic
utilized by each application.
Source report -> Contains list of Source IP with volume of traffic utilized and percentage of total traffic
utilized by each source IP.
Source network report -> Contains list of Source network with volume of traffic utilized and
percentage of total traffic utilized by each source network.
Destination report -> Contains list of Destination IP with volume of traffic utilized and percentage of total
traffic utilized by each destination IP.
Destination network report -> Contains list of Destination network with volume of traffic utilized and
percentage of total traffic utilized by each detination network.
QoS report -> Contains list of DSCP with volume of traffic utilized and percentage of total traffic utilized b
each DSCP
Conversation network report -> Contains Detailed list of conversation based on source and destination
network.
NBAR report -> Contains list of NBAR Application with volume of traffic utilized and percentage of total
traffic utilized by each NBAR app.
CBQoS report -> Contains the CBQOS report based on IN out OUT policy collected for the In
Compare report -> Allows you to create an schedule compare report for Interfaces, IP Groups, Interfac
Devices, Access Point Groups, or SSID Groups selected. Provide the required details for the report to be schedu
Custom Report -> Allows you to set the criteria for the report generated in the schedule. You can provide
below criteria to generate the reports: Sourc
Source Network Sourc
Destination Address Dest
Destination Node Appli
Port Port
DSCP
Capacity Planning Reports -> Generates the Capacity Planning reports for the selected Interfaces, Interfac
WLC Devices, Access point groups, or SSID group.
Medianet Reports -> Generates the Medianet reports collected for the Interface.
Rep You can select the format as PDF or CSV with which the reports will be exported to your email addr
ort
For
mat
Tim You can Select the Time Zone based for the reports to be generated. This will help operation to get reports who
e geographic locations.
Zon
e
Rep Select the report generation frequency as one from : Daily, Weekly, Monthly and Only Once. Depending on this
ort generated at the appropriate time intervals.
Day
s
Rep You can select the Date for which you need the report to be generated. This option is only available for the Only
ort
Dat
e
Rep Select the time period at which the reports has to be generated based on the schedule days you have s
ort
Tim
e
Rep You can select the Period for which for which the data should refelect in the Report to be generet
ort
Peri
od For Only Once Option you can select the Report Period to be Previous Day, Last 24 hours, Today, Last 6 hours, L
Week, Last 7 days, Previous Month, Last 30 days, Last Quarter and Custom. Custom Select allows you to sepcify
time period for which you need the report.
For Daily, weekly and Monthly reports you can select the time period to be Previous Day, Last 24 hours, Last 6 H
Mail You Can Select the Mail Notification to be ON or OFF.
Noti
ficat
ion If you select ON you will receive the reports generated in the schedule to the email address you will s
Mail Address - This is the address to which the generated reports will be sent. You can specify multiple em
reports to be sent to by providing email address seperated by comma without space eg:
abc@example.com,abcd@example.com,abcde@example.com
Mail Subject - The email subject can be customized according to the report selected.
Schedule Settings
This link lets you set parameters that could be applied across all the generated reports. The
parameters include:
Host Name display in reports - This determines how the host name is displayed in reports.
It could be chosen as one of
o IP Address ( or )
o DNS Name
Graph Options (Report Type to be shown in reports) - This determines how the data is to
be shown in the generated reports. This could be one of
o Utilization (in %) ( or )
o Speed (in bps)
Mail Attachment option - The format in which the attachments are to be mailed. It
could be one of
o Zipped file ( or )
o PDF - The number of PDF files to be sent in a mail is to be specified. The number may range from
5 to 50 in increments of five
Qos Options - This determines what the QOS report contains. This could be choosen from
one of below:
o DSCP ( or )
o TOS
Enable older reports to be accessed from UI
Forecast Report
Forecasting has the potential to interfere in decision-making and gives a picture of what can
probably be expected. Every business decision depends upon forecast on future trends and
hence, it is important to give maximum attention to it.
To plan network resources, timely and accurate prediction of bandwidth is beneficial to avoid
network bottlenecks. Also, to handle the ensuing network needs efficiently and to regulate
traffic, it is of utmost importance to predict data.
While a time series can be forecast using statistics or machine learning, NetFlow Analyzer
employs techniques like autocorrelation, seasonality trend loss decomposition and regression
to forecast reports.
A forecast report can only be as accurate and reliable as the data provided. The granularity
and accuracy of the forecast differ based on the available data. The below given table speaks
on the accuracy of the forecast that would be generated based upon the availability of past
data.
Forecast reports can be generated for a period ranging from 7 days to a year. However, the
Forecast period cannot be customized and can only be viewed for a pre-defined set of data.
On enabling the Show History button, the users can view the past trends based on which the
forecast has been generated.
You can mail the report or export data as CSV, PDF by clicking on the icons in the top right
corner of the view.
Billing
Billing is the latest feature introduced in NetFlow Analyzer. This feature helps keep a tab on resource
usage and takes the bandwidth monitoring one step ahead - Accounting. It makes easy to understand the
reports in terms of cost incurred. Internally, organizations can use this feature for department-wise
billing.Also Internet Service Providers can use this to automatically generate reports for their customers.
Operations on Billing
Billing can be accessed through "Billing" in "Reports"
1. Speed
2. Volume
Bills can be generated in accordance with the local time zone. Localization is supported in the Billing
feature.
Field Description
Bill Plan Enter the name you wish to assign for this bill plan
Bill Plan Description* Describe the plan for detailed understanding and for future reference
Base Speed
Enter the base speed of the connection in bps (bits per second)
Base Cost Select the currency from the drop-down box and enter the cost
Billing Period Lets you select the option as quarterly or monthly. Incase you select the billing plan as quarterly, the bill will be
generated quartely on the dateyou specify in the "Bill generation date" option. Incase you select the billing plan
as monthly, the bill will be generated on a monthly basis on the date you specify in the "Bill generation
date" option.
Bill Generation Date Enter the date on which you want the bill to be generated either on monthly basis or quarterly basis.
Associated To
This has the list of Routers/interfaces and IP groups. You can select the interfaces and/or the IP groups
that is associated with this plan.
Once an Interface/IP Group is added to one bill plan, the specific interface/IP Groups does not get displayed while
other bill plans
Enter the mail ID/IDs to which the generated Bill report needs to be sent. Multiple mail IDs should be
separated by comma ","
Sorted_In & Out= [1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013
1.002 0.992 0.971 0.940 0.896 0.874 0.689 0.653 0.523 0.438 0.370
0.347 0.231 0.276 0.233 0.218 0.203 0.201 0.198 0.185 0.182 0.169
0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
The highest sample from remaining data set is the 95th percentile
value for the originating set. So we obtain the following value:
outbound = [1.347 1.435 1.229 0.523 0.438 0.231 0.347 0.689 0.940
1.248 1.385 1.427 3.988 1.265 1.221 1.013 0.992 0.874 0.896 1.002]
After sorting, we obtain:
sorted_in = [0.971 0.653 0.370 0.276 0.233 0.218 0.203 0.201 0.198
0.185 0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
sorted_out = [3.988 1.435 1.427 1.385 1.347 1.265 1.248 1.229 1.221
1.013 1.002 0.992 0.940 0.896 0.874 0.689 0.523 0.438 0.347 0.231]
remaining_in = [0.653 0.370 0.276 0.233 0.218 0.203 0.201 0.198 0.185
0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032]
remaining_out = [1.435 1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013
1.002 0.992 0.940 0.896 0.874 0.689 0.523 0.438 0.347 0.231]
The highest sample from each remaining data set is the 95th percentile
value for the originating set. So, for each set, above, we obtain the
following values:
95th_in = 0.653 Mbps
The higher of the two computed 95th percentile values becomes the
final 95th percentile value used for billing:
Field Description
Bill Plan Enter the name you wish to assign for this bill plan
Bill Plan Description* Describe the plan for detailed understanding and for future reference
Base Volume
Enter the base volume in bytes
Base Cost Select the currency from the drop-down box and enter the cost
Additional Volume* Enter the additional volume in bytes
Data transfer Select one of the three options from the drop-down box.
calculation Selecting "Download" will take only downloaded data for billing.
Selecting "Upload" will take only uploaded data for billing.
Selecting "Download & Upload" will take both uploaded and downloaded data for billing.
Alert Checking this box will activate threshold based alerting. This will send alerts, if the user specified threshold value
has been exceeded.
Billing Period Lets you select the option as quarterly or monthly. Incase you select the billing plan as quarterly, the bill will be
generated quartely on the date you specify in the "Bill generation date" option. Incase you select the billing plan
as monthly, the bill will be generated on a monthly basis on the date you specify in the "Bill generation
date" option.
Bill Generation Date Enter the date on which you want the bill to be generated either on monthly basis or quartely basis.
Associated To
This has the list of Routers/interfaces and IP groups. You can select the interfaces and/or the IP groups
that is associated with this plan.
Once an Interface/IP Group is added to one bill plan, the specific interface/IP Groups does not get displayed while
other bill plans
On-Demand Billing
Bills can be generated on demand. By clicking on "OnDemand" for a particular bill plan in the bill plan
list, a bill can be generated for the time period from the beginning of the billing cycle to the current date.
An interface/IP group can be added during any point of the billing cycle. The bill will be generated for
this interface/IP group during the mentioned billing date for the billing plan.
When an Intereface/IP group is removed from a bill plan, the bill for that interface is generated at the
same instant.
Editing email ID and threshold alerting will take effect at the same time.
"Billing period" and "Bill generation date" CANNOT be changed. When the interfaces/ IP groups are unmanaged/
bill is generated for the interface or IP groups at that instant. If you modify the cost in the bill plan, It will be effect
the next billing cycle and NOT at that instant.
Reports
Generated Reports can be viewed by clicking the "Report" tab on top.
Available plans
You can view all the plans or any one plan by selecting the suitable option from the drop-down box. By
default the "report" page shows only the recent report of all the bill plans. If you want to view all the
generated reports for a particular bill plan, select the bill plan from the drop-down box, next to "available
plans". The reports are arranged with the most recent report on top.
Show details
By clicking on "show details" a pop up window opens, wherein you can view a speed-time graph.This
shows all the bills generated for the particular interface.The report in can be generated in PDF format by
clicking on "PDF" and you can view the data at 5 minutes interval by clicking on the "Data points".
Forensics
The Forensics link lets you set criteria and view specific details about the traffic across a single
interface or WLC device. Data for Troubleshooting reports is taken directly from raw data. Which
means that Troubleshooting reports will be available only for the maximum time period for retaining
raw data, configured under Settings -> NetFlow -> Storage Settings -> Raw Data Settings.
Localization is supported in this report.
Click on Reports icon -> Forensics to generate the report , For Interfaces, click
the Select Devices link to change the interface that you want to troubleshoot. For WLC Devices,
select the Controller and Access Point to view the report. Under Search Criteria, enter the
criteria on which the traffic needs to be filtered.
The From and To boxes let you choose custom time periods for the report. Ensure that the time
period selected, falls within the Raw Data Retention Period set under Settings, otherwise graphs
will show no data.
Use the Traffic Type option to be either Speed, Volume, Utilization or Packets to show the traffic
graph generated in the report based on your selection.
Once you select all the desired criteria, click the Generate Report button to display the
corresponding traffic IN/OUT, Application IN/OUT, Source IN/OUT, Destination IN/OUT, DSCP
IN/OUT, TCP Flag IN/OUT, Next Hop, Conversation IN/OUT, Multicast IN/OUT and Medianet
IN/OUT.
You can export ouput of each view in CSV or Excel by click on the icon at the
top right corner of the report.
Want to learn more about the feature? Check out this link.
WAAS: Introduction
WAAS Dashboard
WAAS reports details you on the central manager you have created and the devices
associated with it. You can access WAAS reports using Reports . Select WAAS
Dashboard from the Reports tab. You can view the reports based on hourly, daily, weekly,
monthly along with custom reports.
The Accelerator Group gives you the list of WAAS Accelerator Engines grouped together for
easy identification purposes. You can also view their reduction percentage, Status, and a brief
description about the group.
You can also view the top 10 WAE's by compression percentage as a pie chart. The report
displays WAN, LAN and compressed Traffic along with the reduction percentage.
The WAE devices List displays all the devices listed in the WAN Accelerator Engine. The top
ten devices are listed first. you can locate the devices using the simple search option by
indicating the name, IP address, Status, Location or MAC address of the device. By clicking on
the device name you can view the WAE Reports.
WAE reports
You can view these reports by clicking on any of the devices in the WAE device list. The WAE
reports page gives you detailed statistics of every device associated with a specific Central
Manager. This Report Details you on:
Application Reduction: The amount of compression each mapped application has gone
through. By Clicking on the application name you can view reports indicating bandwidth
reduction by location, bandwidth optimization trend and pass through summary trend of the
specific Application.
Bandwidth Reduction by Location: This details on the WAN, LAN, and amount of traffic
compression for each application along with the increase in bandwidth capacity due to
compression.
Pass Through Summary Trend: Denotes the unoptimized traffic that passes through the
WAE. You can view graph based on peer traffic, intermediate traffic,overload traffic and policy
applied.
Lists the conversations that passed through the selected WAE device and their corresponding
statistics. Using this you can view the Source, destination of the conversation, their respective
ports, type of policy applied, and the duration of each conversation. You can also view the type
of policy applied, the initial amount of traffic and compressed traffic in bytes along with the
compression ratio.
To generate these reports internationally predefined LAN IPs are preconfigured under Settings
> NetFlow > LAN IP Settings. Here the LAN IPs can be modified and configured individually
based on each router.
To generate this report, navigate to Reports > NetFlow > LAN WAN Report. Here select the
respective tab to generate the LAN-WAN or LAN-LAN report.
Source: The category of source (here, Devices and Interfaces) for which you want the
report to be generated.
Device: The specific device or interface under the category of sources for which the
report is to be generated.
Time Period: The day(s) / the hours for which you wish to generate the report data.
Business Hour Rules: You can configure Business Hours to filter out and view only
the reports generated within the business hours of your organization.
Weekends: Weekends can be excluded or included from the period the reports
generated for.
Click here to learn how to configure LAN IPs.