
NetFlow Tracker

User Guide

PN 3365122
August 2008
©2008 Fluke Corporation. All rights reserved.
All product names are trademarks of their respective companies.

Third Party Software Components


NetFlow Tracker includes software developed by the Apache Software Foundation (http://www.apache.org/) and by
Advantys (http://www.advantys.com).
NetFlow Tracker includes the following third party software components:
• Apache Commons Collections 3.2, available at http://commons.apache.org/collections/. This is distributed
under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Commons Logging 1.0.4, available at http://commons.apache.org/logging/. This is distributed under
the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Log4j 1.2.15, available at http://logging.apache.org/log4j/. This is distributed under the Apache
Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Xerces Java 2.9.0, available at http://xerces.apache.org/xerces2-j/. This is distributed under the
Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• IE5.5+ PNG Alpha Fix 1.0RC4, available at http://www.twinhelix.com/css/iepngfix/demo/. This is distributed
under the CC-GNU Lesser GNU Public License, a copy of which is available at
http://creativecommons.org/licenses/LGPL/2.1/deed.en.
• iText 2.0.6, available at http://www.lowagie.com/iText/. This is distributed under the Mozilla Public License, a
copy of which is available at http://www.mozilla.org/MPL/MPL-1.1.html.
• Jakarta Tomcat 3.3.2, available at http://tomcat.apache.org/. This is distributed under the Apache Software
License, a copy of which is available at http://www.apache.org/LICENSE.
• joeSNMP 0.2.6, available at
http://opennms.svn.sourceforge.net/viewvc/opennms/opennms/branches/OPENNMS/src/joesnmp/. This is
distributed under the Lesser GNU Public License, a copy of which is available at
http://www.gnu.org/licenses/lgpl.html.
• jspSmartUpload 2.1 which is no longer available. This is distributed under the Advantys Freeware license
contract, a copy of which is available at
http://web.archive.org/web/20031209160524/http://www.jspsmart.com/liblocal/docs/legal.htm.
• Quartz 1.6.0, available at http://www.opensymphony.com/quartz/. This is distributed under the Apache
Software License, a copy of which is available at http://www.apache.org/LICENSE.

End User License


This is a legal agreement between you ("You"/"the End User"), and Fluke Electronics Corporation, a Delaware
corporation, including its division, Fluke Networks ("FNET"), with offices at 6920 Seaway Boulevard, Everett, Washington,
98203, USA.
BY DOWNLOADING OR OTHERWISE ELECTRONICALLY RECEIVING THIS SOFTWARE PRODUCT ("PRODUCT") IN ACCORDANCE
WITH OUR SOFTWARE DELIVERY PROCEDURES OR BY OPENING THE SEALED DISK PACKAGE WHICH CONTAINS THE
PRODUCT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS
OF THIS AGREEMENT, PROMPTLY DELETE THE DOWNLOADED OR ELECTRONICALLY RECEIVED SOFTWARE FROM YOUR
COMPUTER SYSTEM AND NOTIFY US OF SAME IN ORDER TO CLAIM AND, IF YOU HAVE RECEIVED A SEALED CD-ROM
PACKAGE, RETURN THE UNOPENED DISK PACKAGE AND THE ACCOMPANYING ITEMS (INCLUDING MANUALS) TO A FNET
REPRESENTATIVE, FOR REFUND OF THE PRICE PAID.

1. GRANT OF LICENSE AND PAYMENT OF FEES


Provided that You have paid the applicable License fee, FNET grants You a non-exclusive and non-transferable, revocable
License to use one copy of the Product on the maximum number of servers and the maximum number of devices specified in
your purchase order, or if not so specified, on a single server and a single device by a single user, and only for the purpose of
carrying out your business in the country specified in your order. This Product is licensed for internal use by You, the end user
only. The Product is not licensed for provision of a public service by You or for the provision of any fee generating service by
You to a third party.

In the event that at any time You wish to extend the permitted number of servers or devices above the permitted amount,
You must contact FNET or the reseller from whom you purchased the Product ("the Reseller") and an additional License fee
may be agreed upon and a new License issued for the requested additional number of servers/devices.
FNET or your Reseller may require that You provide written certification showing the geographical locations, type and serial
number of all computer hardware on which the Software is being used, together with confirmation that the Product is
being used in accordance with the conditions of this Agreement. You shall permit FNET or your Reseller, and/or their
respective agents to inspect and have access to any premises, and to the computer equipment located there, at or on which
the Software is being kept or used, and any records kept pursuant to this Agreement, for the purposes of ensuring that the
Customer is complying with the terms of this License, provided that FNET/your Reseller provides reasonable advance notice
to the Customer of such inspections, which shall take place at reasonable times.

2. EVALUATION AND GOLD SUPPORT


EVALUATION. If a provided license key is labelled "Evaluation", FNET grants You the right to use the Product enabled by
that key solely for the purpose of evaluation, and the Product will cease to function seven (7) days from enabling (or after
such longer period as may be agreed by FNET and confirmed by FNET or your Reseller in writing), at which time the License
grant for that Product also ends. After the evaluation period, You may either purchase a full License to use the Product from
your Reseller or directly from FNET, or You must promptly return to FNET or cease to use the Evaluation Product and all
associated documentation. The warranty set out in Clause 5 shall not apply in respect of Product downloaded for evaluation
purposes.
GOLD SUPPORT. Gold Support for the Product is required with the initial purchase. Gold Support offers 24 hour, 7 days a
week technical support and includes upgrades. Gold Support is an annual support, renewable by payment of the annual fee.

3. INTELLECTUAL PROPERTY RIGHTS


All intellectual property rights in the Product belong to FNET and its Supplier(s) and Licensors(s) and You acknowledge that
the Product contains valuable Trade Secrets of FNET, its Supplier(s) and Licensor(s) and You have no ownership claims or
rights whatsoever in the Product. You may (a) make one copy of the Product solely for backup or archival purposes and keep
this securely, or (b) transfer the software to a secure single hard disk provided that You keep the original solely and securely
for backup or archival purpose. You may not copy the written materials accompanying the Product. You shall not remove or
alter FNET's copyright or other intellectual property rights notices included in the Product or in any associated
documentation. You must notify FNET forthwith if You become aware of any unauthorized use of the Product by any third
party.
FNET's Supplier(s) and Licensor(s) are third party beneficiaries of this Agreement as it pertains to relevant intellectual
property rights associated with the Product, and provisions of this Agreement related to intellectual property rights are
enforceable by FNET, its Supplier(s) and Licensor(s).

4. OTHER RESTRICTIONS
You shall not sub-License, distribute, market, lease, sell, commercially exploit, loan or give away the Product or any
associated documentation. For the avoidance of doubt, this License does not grant any rights in the Product to, and may not
be assigned, sub-Licensed or otherwise transferred to, any connected person, where the term connected person includes but
is not limited to the End User's subsidiaries, affiliates or any other persons in any way connected with the End User, whether
present or future. The Product and accompanying written materials may not be used on more than the permitted number of
servers at any one time or for in excess of the permitted number of devices. Subject always to any rights which You may
enjoy under applicable law (provided that such rights are exercised strictly in accordance with applicable law) and except as
expressly provided in this Agreement, You may not reproduce, modify, adapt, translate, decompile, disassemble or reverse
engineer the Product in any manner. You shall not merge or integrate the Product into any other computer program or
work, and You shall not create derivative works of the Product. FNET reserves all rights not expressly granted under this
Agreement.

5. LIMITED WARRANTY
FNET warrants that during the warranty period (a) the Product will perform substantially in accordance with its
accompanying written materials, and (b) the media on which the Product is furnished shall be free from defects in materials
and workmanship. The warranty period applicable to the Product shall be ninety (90) days from the date of delivery of the
Product or, if longer, the shortest warranty period permitted in respect of the Product under applicable law ("Warranty
Period"). The warranty for any hardware accompanying the Product shall be as stated on the warranty card shipped with
the hardware.
If, within the Warranty Period, You notify FNET of any defect or fault in the Product in consequence of which the Product
fails to perform substantially in accordance with its accompanying written materials, and such defect or fault does not result
from You, or anyone acting with your authority, having amended, modified or used the Product for a purpose or in a
context other than the purpose or context for which it was designed or licensed according to this Agreement, or as a result
of accident, power failure or surge or other hazards, FNET shall, at FNET's sole option and absolute discretion, do one of the
following:
(i) repair the Product; or
(ii) replace the Product; or
(iii) repay to You all license fees which You have paid to FNET under this Agreement.
FNET does not warrant that the operation of the Product will be uninterrupted or error or interruption free.

6. CUSTOMER REMEDIES
You must call your FNET representative to discuss remedies during the 90 day warranty period referred to in clause 5 above.
You acknowledge that your sole remedy for any defect in the Product will be Your rights under clause 5.

7. NO OTHER WARRANTIES
FNET AND/OR ITS SUPPLIERS, DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO
THE PRODUCT, THE ACCOMPANYING WRITTEN MATERIALS AND ANY ACCOMPANYING HARDWARE AND YOU AGREE THAT
THIS IS FAIR AND REASONABLE. THE EXPRESS TERMS OF THIS AGREEMENT ARE IN LIEU OF ALL WARRANTIES, CONDITIONS,
UNDERTAKINGS, TERMS OF OBLIGATIONS IMPLIED BY STATUTE, COMMON LAW, TRADE USAGE, COURSE OF DEALING OR
OTHERWISE, ALL OF WHICH ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.

8. NO LIABILITY FOR CONSEQUENTIAL DAMAGES


IN NO EVENT SHALL FNET AND/OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL OR ECONOMIC LOSS OR
DAMAGES WHATSOEVER OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS, SAVINGS, GOODWILL, CAPITAL, ADDITIONAL
ADMINISTRATIVE TIME OR DATA ARISING OUT OF A DEFECT IN THE PRODUCT OR THE USE OF OR INABILITY TO USE THE
PRODUCT, EVEN IF FNET HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

9. TERMINATION
Either party shall be entitled forthwith to terminate this Agreement by written notice if the other Party commits any
material breach of any of the provisions of this Agreement and fails to remedy the same within sixty (60) days after receipt
of a written notice from the non-breaching Party giving full particulars of the breach and requiring it to be remedied.
You shall be obliged to notify FNET in writing of any change in the control or ownership of the End User and FNET shall be
entitled forthwith to terminate this Agreement by written notice.
This Agreement shall automatically terminate if replaced at any time with a new License agreement.
The right to terminate this Agreement given by this clause 9 will be without prejudice to any other accrued right or remedy
of either Party including accrued rights or remedies in respect of the breach concerned (if any) or any other breach, or which
the Parties have accrued prior to termination.

10. INDEMNIFICATION
You shall indemnify FNET in full and hold FNET harmless in respect of any loss, damages, proceedings, suits, third party
claims, judgements, awards, expenses and costs (including legal costs) incurred by or taken against FNET as a result of the
negligence, fault, error, omission, act or breach of You or of your employees, staff, contractors, agents or representatives or
for any breach of this Agreement whatsoever by You.
Notwithstanding any other provision of this Agreement, the aggregate liability of FNET for or in respect of all breaches of
its contractual obligations under this Agreement and for all representations, statements and tortious acts or omissions
(including negligence but excluding negligence causing loss of life or personal injury) arising under or in connection with
this Agreement shall in no event exceed the License fee paid by You pursuant to this Agreement prior to the date of the
breach.

11. CONFIDENTIAL INFORMATION AND SECURITY


During and after this Agreement, the Parties will keep in confidence and use only for the purposes of this Agreement all
Confidential Information. Confidential Information means information belonging or relating to the Parties, their business or
affairs, including without limitation, information relating to research, development, Product, processes, analyses, data,
algorithms, diagrams, graphs, methods of manufacture, trade secrets, business plans, customers, finances, personnel data,
and other material or information considered confidential and proprietary by the Parties or which either Party is otherwise
informed is confidential or might or ought reasonably expect that the other Party would regard as confidential or which is
marked "Confidential". For the avoidance of doubt, You shall treat the Product and any accompanying documentation as
Confidential Information. Confidential Information does not include any information (i) which one Party lawfully knew
before the other Party disclosed it to that Party; (ii) which has become publicly known through no wrongful act of either
Party, or either Party's employees or agents; or (iii) which either Party developed independently, as evidenced by
appropriate documentation; or (iv) which is required to be disclosed by law.
The Parties will procure and ensure that each of its employees, agents, servants, sub-contractors and advisers will comply
with the provisions contained in this clause. If either Party becomes aware of any breach of confidence by any of its
employees, officers, representatives, servants, agents or sub-contractors it shall promptly notify the other Party and give the
other Party all reasonable assistance in connection with any proceedings which the other Party may institute against any
such person. This clause 11 shall survive the termination of this Agreement.
Notwithstanding the above confidentiality provisions, in accepting this License agreement, You agree that, subject to any
applicable data protection laws, FNET may use your business name and logo for the purposes of marketing and promotion
of the product and its business and You hereby grant FNET a limited License to use your business name and logo for these
purposes.

12. EXPORT CONTROL


You shall be responsible for and agree to comply with all laws and regulations of the United States and other countries
("Export Laws") to ensure that the Product is not exported directly, or indirectly in violation of Export Laws or used for any
purpose prohibited by Export laws.

13. GOVERNING LAW AND JURISDICTION


This Agreement and all relationships created hereby will in all respects be governed by and construed in accordance with
the laws of the state of Washington, United States of America, in respect of all matters arising out of or in connection with
this agreement. The Parties hereby submit to the exclusive jurisdiction of the Washington Courts. NOTHING IN THIS CLAUSE
SHALL PREVENT FNET FROM TAKING AN ACTION FOR PROTECTIVE OR PROVISIONAL RELIEF IN THE COURTS OF ANY OTHER
STATE.

14. MISCELLANEOUS
14.1 The provisions of clauses 3, 7, 8, 10, 11, 12, 13 and 14 and the obligation on you to pay the License fee shall survive the
termination or expiry of this Agreement.
14.2 This Agreement is personal to You and You shall not assign, sub-License or otherwise transfer this Agreement or any
part of your rights or obligations hereunder whether in whole or in part save in accordance with this Agreement and with
the prior written consent of FNET and You shall not allow the Product to become the subject of any charge, lien or
encumbrance of whatever nature. Nothing in this Agreement shall preclude the Licensor from assigning the Product or any
related documentation or its rights and obligations under this Agreement to a third party and You hereby consent to any
such future assignment.
14.3 This Agreement supersedes all prior representations, arrangements, understandings and agreements between the
Parties herein relating to the subject matter hereof, and sets out the entire and complete agreement and understanding
between the Parties relating to the subject matter hereof.
14.4 If any provisions of the Agreement are held to be unenforceable, illegal or void in whole or in part the remaining
portions of the Agreement shall remain in full force and effect.


14.5 No party shall be liable to the other for any delay or non-performance of its obligations under this Agreement (save for
your obligation to pay the fees in accordance with clause 1) arising from any cause or causes beyond its reasonable control
including, without limitation, any of the following: act of God, governmental act, tempest, war, fire, flood, explosion, civil
commotion, industrial unrest of whatever nature or lack of or inability to obtain power, supplies or resources.
14.6 A waiver by either party to this Agreement of any breach by the other party of any of the terms of this Agreement or
the acquiescence of such party in any act which but for such acquiescence would be a breach as aforesaid, will not operate
as a waiver of any rights or the exercise thereof.
14.7 No alterations to these terms and conditions shall be effective unless contained in a written document made
subsequent to the date of the terms and conditions signed by the parties which are expressly stated to amend the terms and
conditions of this Agreement.

Contents

1: NetFlow Tracker Overview

Key Features
Deploying NetFlow Trackers
Data Management
Product Services
Obtaining Technical Support
Obtaining Professional Services
Obtaining Product Training

2: Installing NetFlow Tracker

System Requirements
Hardware Requirements
Software Requirements
Preparing for Installation
Installing NetFlow Tracker on Microsoft Windows
Installing Java Runtime Environment on Windows
Installing NetFlow Tracker
Installing NetFlow Tracker on Linux

3: Setting Up NetFlow Tracker

Opening NetFlow Tracker
Selecting a Language
Setting up NetFlow Tracker
Setting up Licensing
Setting up Listener Ports
Applying SNMP Settings
Enabling Devices to Export Flow Data
Applying Device Settings in NetFlow Tracker
Device List
Applying Traffic Class IDs
Applying Identified Applications
Applying Interface Settings
Deleting a Device
Making Sure That Data is Received
Applying Security Settings
Viewing Version Information

4: Viewing Real-Time Data

Viewing Network Overview Data
Top Applications and Interfaces for a Device
Application Conversations
Top Applications and Usage for an Interface
Interface Conversations
Viewing Devices
Viewing Interfaces
Viewing Per-AS Data
Filtering Real-time Data
Viewing Chart Data
Working with Pie Charts
Working with Tables

5: Viewing Long-term Data

Viewing Long-term Network Overview Data
Viewing Long-term Device and Interface Data
Filtering Long-term Data
Saving a Long-term Filter

6: Setting up Reports

Reports Overview
Applying General and Real-time Report Settings
Saving Report Filters
Scheduling Reports
Creating Long-term Reports
Creating Executive Reports
Adding a Sub-report Cell
Adding an HTML Cell
Viewing Executive and Real-Time Reports

7: Working with Alarms

Alarms Overview
Alarm Severity and Lifecycle
Thresholds and Baseline Sensitivity
Alarming for Persistent Changes
Baseline Learning and Reset
Tips and Techniques
Configuring Alarms
Creating an Alarm
Configuring Notification Settings
Viewing Events
Viewing the Events Timeline
Viewing the Event List
Viewing the Event Lifecycle

8: Optimizing NetFlow Tracker

Data Display and Filtering Settings
Management Portal Settings
How Access Control Works
Using Apache as a Portal Server
IP Application Names
Defining a Simple Application Name
Defining a Grouped Application Name
DiffServ Names
Hostname Resolution Settings
Subnet Names
AS Names
Data Management and System Performance Monitoring
Database Settings
Backup
Archiving
Memory Settings

A: Setting up NetFlow on Network Devices

Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch
Enabling Netflow Export on an IOS Device
Enabling NDE on a Native IOS Device
Enabling NetFlow Export on a 4000 Series Switch
Configuring NDE on a CatOS Device
Configuring NetFlow Input Filters for Traffic Class Reporting
Enabling Flow Detail Records on a Packeteer Device
Enabling NetFlow on an Enterasys Device
Enabling sFlow on a Foundry Device

B: Report Templates

Address Reports
Session Reports
QoS Reports
Network Reports
Interface Reports
Traffic Identification Reports
Full Flow Forensics Reports
Other Reports

C: Report URL Parameters

General Format
Report Parameters
Time Range Parameters
Setting Start and End Times
Creating a Fixed Length URL with Current Time Range
Setting a Simple Calendar-Based Time Range
Setting an Advanced Calendar-Based Time Range
Applying a Time-of-Day Mask to the Time Range
Setting a Time Zone
Setting the Chart Sample Size
Setting the Source Long-term Data
Filter Parameters
Security Parameters
Management Portal Access Control Parameters

D: File Formats

CSV File Format
Chart CSV format
Pie chart CSV format
Tabular report CSV format
XML Format
Chart XML format
Pie chart XML format
Tabular report XML format

Index

1: NetFlow Tracker Overview

Topics include:
• Key Features
• Deploying NetFlow Trackers
• Data Management
• Product Services

Key Features
NetFlow Tracker lets you as a network administrator view flow traffic
from routers and managed switches on the network. From a web-based
interface, it provides a set of dynamic charts and reports to help you
understand network traffic flow data. You can analyze application and
protocol information in depth, including user, server, and application
activity.

NetFlow Tracker supports data from a range of devices in formats
including NetFlow versions 1, 5, and 9, IPFIX, Nortel IPFIX, sFlow,
JFlow, Cflow, and netstream.

Key features include:


• Install and configure NetFlow Tracker on Windows or Linux
servers. See Chapter 2, “Installing NetFlow Tracker.”
• Customize setup to determine how data is gathered and
managed, and optimize NetFlow Tracker performance based on
the data you need. See Chapter 3, “Setting Up NetFlow Tracker”
and Chapter 8, “Optimizing NetFlow Tracker.”

• View real-time network traffic in detail at per-minute resolution
for one week by default. Traffic views by user, user group,
conversation, system and application are available. Drill down
and zoom in on data. Filter all real-time reports and charts on any
field. See Chapter 4, “Viewing Real-Time Data.”
• Create custom long-term reports and charts. Define and quickly
access custom executive reports. Format reports and charts as CSV
or XML for further processing or as simplified HTML or PDF for
printing or emailing. Full flow forensic reports are available. See
Chapter 6, “Setting up Reports.”
• Create threshold and baseline alarms. Receive notifications via
email, logging or SNMP traps. See Chapter 7, “Working with
Alarms.”

Deploying NetFlow Trackers


You can deploy NetFlow Tracker as stand-alone software on a
dedicated server on your network or in the NetFlow Tracker
Appliance. Because NetFlow Tracker is a web-based application, you
can access the system from anywhere in the network.

NetFlow Tracker servers are typically deployed near large switches or
tightly clustered switches or routers where there is a high degree of
NetFlow traffic.

You can also deploy the NetFlow Tracker Appliance as part of the
Visual Performance Manager network performance management
system. This lets you view performance data and create reports from
multiple NetFlow Trackers on the network through a single web
portal interface. For more information, see the Visual Performance
Manager System Administration Guide.

Data Management
NetFlow Tracker has two databases:
• The real-time database stores data at millisecond granularity.
Report data is displayed in one-minute granularity. By default,
data is stored for up to seven days. You can adjust this setting in
Database Settings.
• The long-term database stores aggregated data for multiple years
at a granularity that you set in Database Settings. By default, data
is stored for 999 weeks at one-hour granularity. When you
configure long-term reports using custom granularity, the
database stores that data at that granularity for as long as the
report is scheduled.

Real-time database maintenance occurs every six hours (you cannot
run database maintenance on demand). During this time, data is
reorganized, transferred to the long-term database, and then
aggregated there. To monitor the length of time this takes, see
“Making Sure That Data is Received” on page 24.

You can also archive and back up real-time data.

See:
• “Database Settings” on page 89
• “Backup” on page 90
• “Archiving” on page 92

Product Services
For NetFlow Tracker product information, see:

www.flukenetworks.com

Obtaining Technical Support


If you require technical support for NetFlow Tracker, contact the Fluke
Networks Technical Assistance Center (TAC) at the points listed below:
By phone: 1 800-283-5853 (U.S. only) or 1 425-446-4519
(international)
By email: support@flukenetworks.com

Supervision Gold support packages are available from the Fluke
Networks website.

Obtaining Professional Services


Fluke Networks has certified consultants available to assist you with
the planning, installation, implementation, and deployment of the
product. Contact Professional Services at the points listed below:
By phone: 1 800-283-5853 (U.S. only) or 425-446-4600
By fax: 421-446-4839
By email: professionalservices@flukenetworks.com

Obtaining Product Training


Training is available. Direct training requests to your product vendor
or the training coordinator at the contact points listed below:
By phone: 301-296-2300
By fax: 301-296-2651
By email: training@flukenetworks.com

2: Installing NetFlow Tracker

Topics include:
• System Requirements
• Preparing for Installation
• Installing NetFlow Tracker on Microsoft Windows
• Installing NetFlow Tracker on Linux

Note
For upgrade information, see the Release Notes included with
the NetFlow Tracker release.

System Requirements
The type of system required to run NetFlow Tracker depends on the
number of devices sending NetFlow information to it and the amount
and nature of traffic handled by those devices.

Hardware Requirements
The following requirements are a guideline. To determine your
requirements, test the software’s performance in your network
environment.

Table 1 Minimum Hardware Requirements

Component | Minimum Requirement
Processor | Intel Pentium D, Core 2 or Xeon or a compatible processor of similar performance. Multiple processors improve performance, but consider these only after increasing RAM and the performance of the disk subsystem.
RAM | 2 GB. Performance increases with the amount of RAM available for the disk cache and database buffers.
Disk subsystem | High performance disk subsystem with substantial free space. For all but the lightest loads, use a server RAID card running RAID 5 over at least three high-performance disks. NetFlow Tracker stores and queries real-time data for a week at one-minute granularity. A busy enterprise router can generate between 20 GB and 50 GB of data in this time.

Software Requirements
Note
NetFlow Tracker requires high speed disk I/O to run effectively. If
you run antivirus software on the NetFlow Tracker server you
are likely to have periodic issues with storing and accessing flow
data.

Table 2 Software Requirements

Software | Requirement
Operating system | English and Chinese language versions are supported. Windows XP Professional SP2; Windows Server 2003 R2 SP 2; Windows Server 2003 SP 2; Windows Server 2000; Linux (NetFlow Tracker has been tested and is supported on Red Hat Enterprise Linux 5 and Fedora Core 8 running Java 1.6.0_05 or later and MySQL 5.0, Intel-compatible processor). For more information on installing NetFlow Tracker on other Linux distributions, contact Fluke Networks TAC.
Browser | MS Internet Explorer (IE) 7.0; IE 6.0 with SP1, critical updates; Firefox 3.0. Other web browsers may run but have not been tested.
Java version | Java 2 Runtime Environment SE v1.6.0_05 or later
Other components | MySQL 5.0, installed with NetFlow Tracker; Adobe Acrobat Reader 6.0 or later

Preparing for Installation


Before installing, complete the following tasks:
• NetFlow Tracker puts a heavy load on the system. It is strongly
recommended that you install it on a dedicated server.
• Do not install any other MySQL-dependent software on the
NetFlow Tracker server. Because of the large database size and
optimized structure required by NetFlow Tracker, MySQL is set up
in a way that can seriously degrade the performance of other
software that uses MySQL.

• NetFlow Tracker uses a version of MySQL that differs significantly
from that used by Fluke Networks NetFlow Monitor, NetWatch
and ResponseWatch products. If you install NetFlow Tracker on a
server running one of these products it will not function correctly.
Likewise, if you install one of these products on a server running
NetFlow Tracker, neither product will function correctly.
• NetFlow Tracker contains an embedded web server. Web servers
normally run on port 80, but another web server on your system
may be using this. You can choose a different port during
installation or disable other web servers prior to installation.
• If you have previously configured a router for NetFlow Monitor,
note: NetFlow Tracker requires a different active flow timeout or
long aging timer.

Installing NetFlow Tracker on Microsoft Windows
You must log in as an administrator to install NetFlow Tracker.
Installation takes several minutes.
• If you received NetFlow Tracker on CD, the setup program starts
automatically when you insert the CD. If it does not, open the CD
drive in My Computer and double-click setup.exe.
• If you downloaded NetFlow Tracker software, double-click the file
you downloaded.
• Installation detects unsupported MySQL versions. If MySQL is
installed on the server already, a message asks if you want to
continue. Uninstall any unsupported MySQL version. NetFlow
Tracker requires MySQL 5.0, which is installed with the application.
The installation program will fail if the installed version of MySQL
uses a root password.

Installing Java Runtime Environment on Windows
To install Java Runtime Environment:
1 Insert the NetFlow Tracker CD in your server.
2 If the server does not have the required version of the Java
Runtime Environment installed, click OK to install it. The Java
installer launches.
3 Accept Sun’s license agreement and click Next.
4 On the Setup Type screen, choose Typical or Custom. Select
Custom if you do not want the web browser to use Sun’s Java
Plug-in. Click Next.

5 When Java Runtime Environment installation is completed, click
Finish.

Installing NetFlow Tracker


Once Java Runtime Environment installation completes, the NetFlow
Tracker software begins installing.

To install NetFlow Tracker:


1 On the Welcome screen, click Next.
2 On the License Agreement screen, accept the agreement and click
Next.

3 On the Customer Information screen, enter your name and
organization name. Choose whether to install the software for
yourself only or for every user that logs in to the system. If you
install the software for yourself, only you will see the shortcut to
the web front-end and only you can uninstall the software. Click
Next.
4 On the Setup Type screen, choose:
• Complete to install NetFlow Tracker to the “nfNetFlow
Tracker” folder on your system drive and MySQL to the
“MySQL” folder on the same drive. The internal web server
will run on port 80 if available. If port 80 is unavailable, you
are prompted to choose another. Click Next. Proceed to step
7.
• Custom if you want to change the install folders or choose a
different port even if 80 is available. Click Next.

5 If you chose Custom, the Custom Setup screen is shown. You can
change the install folder for NetFlow Tracker and MySQL. Select
the feature and click Change. Click Next.
6 If you chose Custom setup or if port 80 is in use, the Select HTTP
Port screen is shown. Select a port and click Test to check if it is
available. Click Next.
7 On the Ready to Install screen, click Install. Installation takes
several minutes. If installation stops for longer than that, contact
Fluke Networks TAC. When installation completes, click Finish.

After installation, a shortcut is placed in the NetFlow Tracker folder
under Programs in the Windows Start menu.

Installing NetFlow Tracker on Linux


Note
The RPM installer works only for the supported distributions of
Linux: Red Hat Enterprise Linux 5 and Fedora Core 8. If you are
trying to upgrade on a different platform contact Fluke
Networks TAC at support@flukenetworks.com.

The NetFlow Tracker web server runs on port 8000.

To install the RPM run the following as root (replace the RPM file
below with the file you downloaded).
rpm -Uvh nftracker-4.0-0.i386.rpm

For an upgrade installation, use:


rpm -Uvh --nopreun --nopostun nftracker-4.0-0.i386.rpm

The following is an example of the install sequence:

The following graphic shows the successfully completed installation.

3: Setting Up NetFlow Tracker

After installation, you can set up NetFlow Tracker to monitor data.


Topics include:
• Opening NetFlow Tracker
• Selecting a Language
• Setting up NetFlow Tracker
• Viewing Version Information

Opening NetFlow Tracker


To open and set up NetFlow Tracker:
1 Open NetFlow Tracker:
• To open NetFlow Tracker from the computer on which it is
installed, from the Windows task bar select Start > All
Programs > NetFlow Tracker > NetFlow Tracker.
• To open NetFlow Tracker from a URL, open a web browser
and type the IP address or DNS name of the NetFlow Tracker
on the port set up during installation.
2 Click the splash screen to dismiss it. The Network Overview page is
shown.
• If you have not yet configured NetFlow Tracker, the Network
Overview page has no data. In the upper left part of the
interface, select Main Menu > Settings. Configure the settings
required so that NetFlow Tracker can start monitoring data.
See “Setting up NetFlow Tracker.”

• If you have already configured NetFlow Tracker, data is shown
on the Network Overview page. See “Viewing Network
Overview Data” on page 30.

Note:
• If you have password protection enabled you may need to log in
as an administrative user to see the Main Menu > Settings link.
See “Applying Security Settings” on page 26.
• The Settings link is not shown for NetFlow Trackers that have a
portal secret configured in the Visual Performance Manager.

Selecting a Language
You can view the NetFlow Tracker interface in English or in Chinese,
depending on the language settings of your browser.

To change language settings:


1 Access the language selection dialog:
• In Firefox, select Tools > Options. From the General tab (in
Firefox 2.0) or Content tab (in Firefox 3.0), under Languages,
click Choose.
• In Internet Explorer, select Tools > Internet Options. From the
General tab, click Languages.
2 Click Add and select a supported language from the list:
• Chinese/China [zh-cn]
• English/United States [en-us]
3 Select the language you want to use and click Move Up to place it
at the top of the list.
4 Click OK. Then click OK again in the Options or Internet Options
dialog.

Setting up NetFlow Tracker
From the Settings page (Main Menu > Settings) you can set up
NetFlow Tracker to gather data from network devices, determine
how that data is gathered and managed, and monitor and optimize
NetFlow Tracker performance.

If you are using NetFlow Tracker for the first time after installation,
set up NetFlow Tracker to start gathering data. Topics include:
• Setting up Licensing
• Setting up Listener Ports
• Applying SNMP Settings
• Enabling Devices to Export Flow Data
• Applying Device Settings in NetFlow Tracker
• Making Sure That Data is Received
• Applying Security Settings

Once NetFlow Tracker begins collecting data you can apply additional
data filtering and management settings. For more information, see
Chapter 8, “Optimizing NetFlow Tracker.”

When applying settings, note:


• Each settings page controls a single aspect of the software. To
apply changes, click OK on that page. To return to the main
Settings page without applying changes, click Cancel.
• Use the session path link on settings pages to return to the main
Settings page. Using the web browser’s Back button can cause
you to lose changes.

Setting up Licensing
Use the Licensing page to apply a new full or trial license or check the
status of an existing license.

To install a license:
1 Select Main Menu > Settings > Licensing.
2 Add license information:
• If from a file, click Browse, locate the file, and select it. Then
click Load.
• If text, enter or paste the text and click Decode.

3 Click OK.

Setting up Listener Ports


Use the Listener Ports page to set the UDP ports on which NetFlow
Tracker will monitor NetFlow traffic from devices.

When you set up NetFlow exporting on a device, you provide a port
number to which to send exports. By default, NetFlow Tracker listens
on ports 2055 and 6343. For best performance, use a dedicated
listener port for each device exporting flow data to NetFlow Tracker.

For more information about configuring devices for NetFlow, see
Appendix A, “Setting up NetFlow on Network Devices.”

To add listener ports:


1 Select Main Menu > Settings > Listener Ports.
2 Add ports. Select All local addresses and enter a port number:

Note
When adding local addresses, you must specify a port number
on the NetFlow Tracker server to receive NetFlow traffic.

3 Set the Receive buffer size. The default size is 32768. This setting
applies to all ports.

Note
If traffic exceeds the buffer size, increase the buffer size to avoid
dropping packets. If you increase the buffer size, monitor the
system’s memory usage.

4 Assign each device its own listening port.
5 Click OK. If you receive an error message, one or more ports are
already in use. An asterisk (*) marks these ports. Remove these
ports and add others until no errors remain.

Applying SNMP Settings


Use the SNMP Settings page to add communities to devices you want
to monitor that do not use the read-only “public” SNMP community.

When NetFlow Tracker receives exports from a previously unknown
device, it scans the device using SNMP to find its name and interface
properties. A password, called a community, is required to use SNMP.
In many cases a default community of “public” is set for a device. If
your devices do not use the “public” community, add the
communities they use to the SNMP Settings list.

Note
A device is scanned when it reboots and when NetFlow Tracker
software restarts. Because NetFlow Tracker checks each
community when it detects a new device, place the most
frequently used communities higher in the list for faster
scanning.

You can change the community string used to rescan an existing
device on the device configuration page. See “Applying Device
Settings in NetFlow Tracker” on page 18.

In the Device List, devices that do not match the SNMP community
setting show a status icon. See “Device List” on page 20.

To apply SNMP settings:


1 Select Main Menu > Settings > SNMP Settings.
2 Enter at least one community for devices that do not use
“public”.
3 Select a community on the list and click Up or Down. To reduce
the scanning time, order communities by most frequently to least
frequently used.

4 Leave the default settings for timeout (5000 ms) and number of
attempts (3) used for SNMP requests.
5 Click OK.

Enabling Devices to Export Flow Data


To view data in NetFlow Tracker, you must enable network devices
(routers and switches) to export flow data to the server running
NetFlow Tracker. For more information, see Appendix A, “Setting up
NetFlow on Network Devices.”

Once devices are enabled, to see whether NetFlow Tracker has started
collecting data, see “Making Sure That Data is Received” on page 24.

Applying Device Settings in NetFlow Tracker


Use the Device Settings page to:
• Collect SNMP information from devices so that interfaces are
named correctly.
• Apply BGP settings if BGP is used to establish routing between
autonomous systems (ASes).
• Apply sampled data settings to collected flows, so that utilization
information is scaled accurately in reports.
• Apply traffic class, identified applications, and interface settings.

To configure devices:
1 Select Main Menu > Settings > Device Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 Apply General settings:
• Override the name detected using SNMP.
• Choose whether to archive real-time data from the device.
Note: When you archive data all NetFlow data monitored by
the device is archived.

• Show interface descriptions entered on the network device or
leave the default setting. Default does not show the interface
descriptions.
4 Apply SNMP settings. For SNMP mode, select:
• Use SNMP if the device supports SNMP. Let NetFlow Tracker
use SNMP to scan a device because the numbers used to
identify the inbound and outbound interfaces in NetFlow exports
are not constant and SNMP is the only way NetFlow Tracker
can make a correct correlation between an identifier and a
physical interface or port. Select an SNMP version (SNMP v1 or
SNMPv2c) and enter a community name.
• Don’t use SNMP if the device does not support SNMP. This
assigns default properties to each interface encountered in
NetFlow exports from the device.
• Keep current configuration to freeze a device’s configuration.
This ignores any new interface encountered, so use this with
caution.
To rescan an SNMP device using the SNMP version and community
specified in the page, click Rescan. This scans but does not save
the settings. You must click OK on the Device Settings page to
apply changes. Because NetFlow Tracker rescans a device when
the software restarts, a new interface is encountered, or the
device reboots, you do not normally have to manually rescan a
device.
5 Apply BGP settings if BGP is used:
• Local AS—The local AS number is required to get correct AS
numbers for traffic routed to or from the local AS. If BGP is
not used, leave this setting blank.
• Store peer/origin ASes—For a device that can send both the
peer and origin AS number for each NetFlow record, choose
which AS numbers are stored in the database.
• Store BGP next-hop—For a device that can send the BGP next-
hop address in its NetFlow exports, store this value in place of
the IP next-hop for the device.
6 Set Sampled Data Scaling.
• Scale sampled data—If a device samples packets to simplify
the generation of NetFlow data, select this to scale each
NetFlow record by the sampling interval and thus produce traffic
and packet rates that more accurately reflect the real levels.

• Scaling factor—In most cases NetFlow Tracker can extract the
sampling interval from the NetFlow data. If it cannot, then
supply a scaling factor.
7 Apply Traffic Class settings. See “Applying Traffic Class IDs” on
page 21.
8 Apply Identified Applications settings. See “Applying Identified
Applications” on page 21.
9 Apply settings for interfaces. See “Applying Interface Settings”
on page 22.
10 Click OK.
11 Click OK on the Device Settings page.

Device List
Use the device list on the Device Settings page to check the status of
known devices and override the interface descriptions and speeds
collected by NetFlow Tracker. NetFlow Tracker performs an SNMP scan
when it starts to populate this list. When devices reboot, they are
rescanned.

The name and address of each known device are listed, along with a
status indicator:
• (exclamation point)—Indicates that NetFlow Tracker could not
contact the device using SNMP or that the device is ignored due
to a license violation.
• (hourglass)—Indicates that the device is being scanned and
cannot be edited. To see if scanning has finished click Refresh.
• No icon—The device is working correctly.

Click a device name to edit its settings.

Note
Any changes you make to any device are only applied when you
click OK in the main Device Settings page.

Applying Traffic Class IDs
In the Traffic Class IDs section of a device’s settings page, you can map
traffic classes or manually add these using the list.

For devices that can export traffic class data that helps route the
traffic involved in each flow, leave Automatically map traffic classes
checked. If this option is not available for a device, add each traffic
class to NetFlow Tracker and configure a map from the device’s class
ID to the NetFlow Tracker traffic class. Give each class a unique
identifier that is used if you create a URL with a traffic class filter.
Note: This identifier does not need to match the identifier exported
by any of your devices for the traffic class.

To add traffic class IDs:


1 Select Main Menu > Settings > Device Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 Expand Traffic Classes:
• For devices that can export traffic class data that helps route
the traffic involved in each flow, leave Automatically
map traffic classes checked.
• For devices that do not automatically map traffic classes, click
add/delete in the Traffic Class column header.
4 On the Traffic Class Names page, enter a unique identifier and
name.
5 Click Add. To delete an ID, select its checkbox and click Delete.
6 Click OK.
7 Click OK in the device’s settings page.

Applying Identified Applications


Identified applications are similar to traffic classes and you configure
them in the same way. Packeteer devices support this feature.

As with traffic classes, leave mapping enabled for devices that
support it. For devices that do not support automatic mapping, you
must create a unique, NetFlow Tracker-specific identifier for each
identified application that you want to report on. Then define a
mapping from the device-specific protocol or service ID to the
NetFlow Tracker identified application for each device.

To add application identifiers:


1 Select Main Menu > Settings > Device Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 Expand Identified Applications and click add/delete in the
Identified Applications column header.
4 On the Identified Application Names page, enter an identifier
and name.
5 Click Add. To delete an ID, select its checkbox and click Delete.
Click OK.
6 Click OK on the device’s settings page.

Applying Interface Settings


If you cannot change the settings of the device or it has an
asynchronous interface, you can override the description, inward
speed, and outward speed for its interfaces. For non-SNMP
compatible devices, you must provide interface descriptions and
speeds.

You can associate any interface on any device with a uniquely named
Virtual Private Network (VPN) for reporting and filtering. A VPN
groups data from the devices and interfaces assigned to it. This data is
included in the VPNs report and by the VPN filters. NetFlow Tracker
assigns the customer-facing interfaces of an MPLS provider edge
router (PER) using MPLS VPN and supports the standard SNMP MIB
automatically. If your network device does not support this, you must
create a unique identifier for each VPN.

Note
If you reset a speed or description setting and the device
reboots or has an SNMP rescan, your settings are overridden.

You can also set an interface as inactive. Inactive interfaces do not
show up in the interface status report or in the Filter Editor. This
option is useful to remove interfaces that do not report NetFlow data
from reports.

To apply interface settings:


1 Select Main Menu > Settings > Device Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 Expand Interfaces. You have the following options:
a Enter an interface name and description.
b Enter the speed.
c To associate an interface with a VPN, click add/delete in the
VPN column header. On the VPNs page, enter a unique ID and
name for each VPN. The description is optional. To delete a
VPN from the list, select its checkbox and click Delete. Click
OK.
d In the VPN column on the device’s settings page, select from
the drop-down list. If the interface is not part of a VPN, leave
the setting as none, and make sure that the P interface(s) on
an MPLS PER also have their VPN set to none, because they
carry traffic from multiple VPNs.

Note
VPNs are assigned to interfaces by name, so each VPN must have
a unique name.

4 To mark an interface as inactive, check its Inactive box.


5 Click OK.
6 Click OK on the Device Settings page.

Deleting a Device
You can delete a device from the device’s settings page.

Note
When you delete a device, if the device is still sending NetFlow
data to NetFlow Tracker it will reappear after you delete it.

To delete a device:
1 From the NetFlow Tracker Main Menu, select Settings > Device
Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 On the Device page, click Delete.

Note
If you cancel the deletion at this point, you will lose any other
changes you have made on the setting page.

4 Click Yes to continue.


5 On the Device Settings page, click OK. If you click Cancel, the
device will remain, but other changes you applied will be lost.

Making Sure That Data is Received


To check that NetFlow Tracker is receiving data from a device, first
check the Device Settings page to make sure that SNMP access was
successful. After several minutes, see that the Network Overview
shows data. Then review information on the Performance Counters
page.

Use the Performance Counters page to diagnose problems in NetFlow
Tracker setup and ongoing operation. Counters are stored for each
device from which the software has received data (see Table 3).
Counts start when the system is started and you can reset them at any
time.

Table 3 Performance Counters

| Item | Definition |
| --- | --- |
| Average sample storage duration | Length of time it takes the system to store a one-minute sample of real-time data. If this is more than fifteen seconds, the system is overloaded. |
| Last long-term database maintenance duration | Length of time it took to perform the last update of the long-term database. If this took longer than two to three hours, consider reducing the number of long-term reports or the number of devices they cover, or setting some long-term sample sizes to zero. |
| Last real-time database maintenance duration | The length of time it took to perform the last reorganization of the real-time database. If this took longer than 30 minutes, it may indicate a performance problem on the server, too much data in the database, or not enough memory allotted for NetFlow Tracker. |
| NetFlow data received | Shows the number of exports and amount of NetFlow data received from each device. Note: This is not the amount of traffic described by the exports but the LAN traffic generated by the exports. |
| Traffic described | Tracks the total amount of network traffic across all interfaces in each direction as described by NetFlow exports received from each device. |
| Ignored flows | NetFlow Tracker ignores flows that arrive too late to be processed. If you see a large number of ignored flows make sure that the inactive timeout or short aging time settings on the router are correctly set. For devices that do not have a configurable active flow timeout or if the active flow timeout is not working with a certain device, configure NetFlow Tracker to hold data in RAM longer to prevent ignored flows. See the “Hold back real-time data for” option in “Database Settings” on page 89. |
| Unprocessed flowsets | NetFlow version 9 flows are encoded in a flexible manner using templates exported by the router every few seconds. For several minutes after starting NetFlow Tracker or after a router reboots, NetFlow Tracker may receive flows that it cannot decode. If you do not see data after 10 minutes, check the server, NetFlow Tracker settings, and the router configuration. |
| Interface scans | NetFlow Tracker scans the interface list of each device exporting to it when the device or NetFlow Tracker software restarts. A large number of rescans, particularly failed ones, indicates a problem. |
| Missed flows | NetFlow versions 5 and 7 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. It can miss exports due to network congestion or a busy router. If a switch or router is reordering the UDP packets that contain NetFlow exports, missed flows are shown. Each export normally contains data on about 30 flows. Note: If the NetFlow Tracker server is processing a very high volume of data it may drop packets. In this case, increase the receive buffer size in Listener Ports. See “Setting up Listener Ports” on page 16. |
| Missed exports | NetFlow version 9 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. Unlike the version 5 or 7 sequence numbers, only the number of missed exports can be counted and not the number of missed flows. |
| No out interface | The router sends flows with “no out interface” when an access control list lookup fails or multicast traffic is routed. A high number of flows with no out interfaces is normal. |
| No in interface | The arrival of flows with “no in interface” may indicate a configuration problem on a Catalyst switch. Contact Fluke Networks TAC. |
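
The sequence-number accounting behind the Missed flows and Missed exports counters, shown here as an added example and not as NetFlow Tracker's own code. It assumes the published NetFlow version 5 header layout and the RFC 3954 version 9 header; the class and function names are hypothetical and the datagrams are constructed for the example.

```python
import struct

# NetFlow v5 header (24 bytes) and NetFlow v9 header per RFC 3954 (20 bytes).
# v5: version, count, uptime, secs, nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v9: version, count, uptime, secs, sequence, source_id
V9_HEADER = struct.Struct("!HHIIII")
V5_RECORD_LEN = 48
WRAP = 1 << 32  # both sequence fields are unsigned 32-bit counters


class LossCounter:
    """Hypothetical per-exporter loss accounting driven by header sequence numbers."""

    def __init__(self):
        self.expected = {}       # stream key -> next sequence number expected
        self.missed_flows = 0    # v5: the sequence number counts flows
        self.missed_exports = 0  # v9: the sequence number counts export packets
        self.late = 0            # datagrams that arrived behind the expected sequence
        self.malformed = 0

    def _gap(self, key, seq, step):
        """Return the forward gap in front of seq, or None when seq is behind."""
        expected = self.expected.get(key)
        if expected is None:
            gap = 0                      # first datagram of a stream sets the baseline
        else:
            gap = (seq - expected) % WRAP
            if gap >= WRAP // 2:         # behind us: reordered or duplicated datagram
                return None
        self.expected[key] = (seq + step) % WRAP
        return gap

    def observe(self, exporter, datagram):
        """Account for one UDP payload received from `exporter`."""
        if len(datagram) < 2:
            self.malformed += 1
            return
        (version,) = struct.unpack_from("!H", datagram)
        if version == 5 and len(datagram) >= V5_HEADER.size:
            _, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
            if len(datagram) != V5_HEADER.size + count * V5_RECORD_LEN:
                self.malformed += 1      # count field disagrees with payload length
                return
            # v5 sequence = flows exported so far, so the next one is seq + count.
            gap = self._gap((exporter, 5, etype, eid), seq, count)
            if gap is None:
                self.late += 1           # its flows were already counted as missed
            else:
                self.missed_flows += gap
        elif version == 9 and len(datagram) >= V9_HEADER.size:
            _, _, _, _, seq, source_id = V9_HEADER.unpack_from(datagram)
            # v9 sequence = export packets sent, so only whole exports are countable.
            gap = self._gap((exporter, 9, source_id), seq, 1)
            if gap is None:
                self.late += 1
            else:
                self.missed_exports += gap
        else:
            self.malformed += 1


def make_v5(seq, count, engine_id=0):
    """Constructed v5 datagram: real header, zero-filled flow records."""
    header = V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, engine_id, 0)
    return header + bytes(count * V5_RECORD_LEN)


def make_v9(seq, source_id=1):
    """Constructed v9 datagram: header only, no flowsets."""
    return V9_HEADER.pack(9, 0, 0, 0, seq, source_id)


def demo():
    counter = LossCounter()
    # v5 exporter: the datagram starting at flow 1060 is overtaken and arrives last,
    # so it is first reported as 30 missed flows and then as one late datagram.
    for seq in (1000, 1030, 1090, 1060):
        counter.observe("192.0.2.1", make_v5(seq, 30))
    # v5 exporter whose counter wraps past 2**32 without any loss.
    counter.observe("192.0.2.2", make_v5(0xFFFFFFF0, 30))
    counter.observe("192.0.2.2", make_v5(14, 10))
    # v9 exporter: exports 9 and 10 never arrive.
    for seq in (7, 8, 11):
        counter.observe("192.0.2.3", make_v9(seq))
    return counter


if __name__ == "__main__":
    c = demo()
    print(c.missed_flows, c.missed_exports, c.late, c.malformed)
```

A steadily rising late count next to missed flows points at reordering on the path, while missed flows with no late datagrams points at drops, the case the receive buffer note in the table addresses.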

Applying Security Settings


Use the Security Settings page to set the protection level for user
access to NetFlow Tracker. You can also set a new default or custom
home page for all users and for individual users.

When adding a custom home page, make sure that its URL is relative
to the server’s root. For example, the standard home page is
specified as “index.jsp” and the Network Overview is specified as
“report.jsp?cid=_topdevices”. The Network Overview is the default
home page.

Security settings are optional.

To apply password protection:


1 Select Main Menu > Settings > Security Settings.
2 Choose a protection level:
• No password protection—No login or password is required
and all pages are accessible.
• Protect configuration only—A login and password is required
for access. Settings pages are accessible only to
administrators.
• Protect all access—A login and password is required for
access. Settings pages are accessible only to administrators
and standard users have view-only access.
3 Set a custom home page. The default is “Network Overview.”
To use your own HTML page as a custom home page, place it in
the “customweb” folder under the NetFlow Tracker install folder
and enter the URL here. For example, if you enter
http://server/customweb/file.html the home page is
customweb/file.html.
4 If you applied password protection, add user login and password.
You may apply user-specific home pages. You must set at least
one user as an administrator who can configure settings.
5 Click Add. To delete users, select the user’s checkbox and click
Delete.
6 Click OK. If you applied password protection or changed your
own user login details you must log in again.

Viewing Version Information


The About page (Main Menu > Settings > About) shows NetFlow
Tracker, Java, MySQL, and operating system version information. It
also shows the status of all main subsystems. Use this page when
consulting with Fluke Networks TAC to help diagnose a problem.

4: Viewing Real-Time Data

After you complete initial setup, real-time data is available within a
few minutes. You can view this data in chart and table formats.

Topics include:
• Viewing Network Overview Data
• Viewing Devices
• Viewing Interfaces
• Filtering Real-time Data
• Viewing Chart Data

See also:
• “Database Settings” on page 89.
• “Applying General and Real-time Report Settings” on page 54.


Viewing Network Overview Data


The Network Overview (Main Menu > Network Overview) shows the
top devices and interfaces on the network. From here, you can drill
down to device and interface-specific application data. It is NetFlow
Tracker’s default home page. This page shows:
• A pie chart, stacked bar chart over time, and table show the top
five applications plus “Other” by percentage of total traffic rate.
Average and peak traffic rates are also shown.
• A table shows the top five interfaces by peak percentage of
usage, along with the direction and average percentage of usage.
• A table shows the top five interfaces by traffic rate, along with
the direction and average traffic rate.

Viewing options include:


• Click a device in the list to see its top applications and busiest
interfaces.
• Click an interface name to see its top applications and recent
traffic.
• Right-click a pie segment to create a report for that segment.
From the menu, select an item to create another chart for the
selected time range.

Figure 1 Network Overview

Callouts in the figure:
• Hold mouse over a segment to highlight corresponding table row
• Right-click to run an ad hoc report
• Click to view top applications and interfaces on device
• Click to view top applications and traffic rate for interface

Top Applications and Interfaces for a Device


You open the Top Applications and Interfaces page for a device by
clicking an application on the Network Overview. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• A table showing the top five interfaces by peak percentage of
usage, along with the direction and average percentage of usage.
• A table showing the top five interfaces by traffic rate, along with
the direction and average traffic rate.


Application Conversations
You open the Conversations page for an application by clicking an
application on the Top Applications and Interfaces page. This page
shows:
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.
• Packet Rate tab—A stacked bar chart and table show the top 10
conversations by packet rate. The source and destination address,
source and destination application, and peak and average packet
rate are shown.

Top Applications and Usage for an Interface


You open the Top Applications and Usage page for an interface by
clicking an interface on the device’s Top Applications and Interfaces
page. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• A stacked bar chart over time and table showing average and
peak percentage of usage for the In and Out directions.

Interface Conversations
You open the Conversations page for an interface by clicking an
application on the Top Applications and Usage page for an interface.
This page shows:
• In/out Interface - %Usage tab—A stacked bar chart and
corresponding table show the top 10 conversations by percentage
of total usage. The source and destination address, source and
destination application, and the peak and average percentage of
usage are shown.
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.

Viewing Devices
The Devices page (Main Menu > Devices) lists all devices that export
flow data. Use this page to identify devices and their interfaces that
show high traffic or packet rates (see Figure 2). The page refreshes
every minute.

Options include:
• To sort data by device name, address, peak traffic rate, or peak
packet rate, click the column header. By default, each peak rate is
the highest two-minute rate in the last six hours. This differs if the
default time range is altered.
• Click the Relative Traffic and Relative Packet Rate meters for a
device to open a chart of the device’s recent activity over time.
Each chart is scaled relative to the busiest device. This ensures that
a high value on a chart indicates a relatively high traffic or packet
rate. By default, the last six hours is shown.

Figure 2 NetFlow Tracker Devices and Drilldown

Callouts in the figure:
• Click device to view its interface list
• Click meter to view traffic rate and packet rate details

Viewing Interfaces
You can open the Interfaces page for a device by clicking the device
name on the Devices page. The Interfaces page lists all known
interfaces on the device. Information for each interface includes the
interface description, percentage of usage, relative traffic, relative
packets, peak percentage of usage In and Out, peak traffic rate In
and Out, and peak packet rate In and Out.

Options include:
• Hold your mouse over an interface’s name to see its speed, type,
and extended description if available.
• Click column headers to sort interfaces by name, description, peak
percentage of usage in either direction, peak traffic rate in either
direction, and recent peak packet rate in either direction.

• Click an interface name or the % Usage, Relative Traffic, or
Relative Packet Rate meters to view detailed data on that
interface. A chart shows the interface’s recent bi-directional
utilization, traffic rate, or packet rate over time (see Figure 3).

Data in meters is scaled in the following ways:


• The % Usage column scales each row of each chart according to
the configured speed of the interface in that direction.
• The Relative Traffic and Relative Packets columns are scaled
relative to the busiest direction of the busiest interface. This
ensures that a high value on a chart indicates either high usage or
a relatively high traffic or packet rate.

You can change the speed of an interface in Device Settings. You
must do this for an asynchronous interface. You can also use the
Device Settings page to hide interfaces that never export any NetFlow
data. For more information, see “Applying Interface Settings” on
page 22.

Figure 3 Device Interfaces

Callouts in the figure:
• Click name or meter to open drill-down page to its corresponding tab

Viewing Per-AS Data


If your router uses BGP to route traffic, it provides source and
destination origin or peer autonomous system (AS) numbers in its
NetFlow data. NetFlow Tracker creates optimized bi-directional charts
for each AS just as it does for each interface. Because routers will
likely count some or all traffic multiple times, an AS chart is only
available for a single device. Use the Filter Editor to create a report or
chart based upon an AS and data from multiple routers. See
“Filtering Real-time Data.”

To view the ASes routed by a given router, click ASes in the
navigation menu at the top of the interface report.

Filtering Real-time Data


You can create any chart or tabular report using the Filter Editor.
Filters let you restrict the source data considered for the report. The
report template and start and end times filters are shown by default.
You can also select from over 30 additional filters (see Figure 4).

Figure 4 Filter Editor—Real-Time Data

Callouts in the figure:
• Set the start and end time or length
• Select a filter and click Add to show it

Note:
• If you do not want to use a filter, leave it blank.
• For filters in which you add a range of items, enter the start and
end of the range in the boxes provided. To select a single item,
leave the right-hand box empty. You can include or exclude the
items you select.
• For filters that have selectable items, select the items in the
Available box on the left and click > to move them to the Selected
box.

If you are an administrative user or your access to NetFlow Tracker
does not require a password, you can save filters for use at another
time.

Saved filters are available in the Filter drop-down list. You manage
saved filters in Report Settings. See “Saving Report Filters” on
page 55.

To filter data:
1 Select Main Menu > Filter Editor.
2 Select a report template and set whether to create a tabular
report, chart, or pie chart. For more information, see Appendix B,
“Report Templates.”

3 Set a sample size. NetFlow Tracker picks an optimal sample size
for a real-time chart based upon the amount of time covered. To
override this, select a number of units. For example, you can
create a report covering a day that has hour-long samples.
4 Click Start time/End time or Length to determine how much data
the report will include:
• Pick the date and time of the earliest and latest data to
consider. The default start time is six hours before you opened
the Filter Editor.
• Set the length in units. The report will cover that number of
units and end at the last full unit before the time it is opened.
5 Set a reload interval. If you selected a unit length or a time range
that extends into the future you may want the report to refresh
periodically to show new data. If so, enter the number of seconds
between refreshes.
6 Select a source device or source data depending on the report:
• Source device—Select which router or switch you want to
consider. If you need more than one device, click Multiple. Then
select devices in the left column and click > to include them.
Note: If you select multiple devices some or all traffic may be
counted multiple times.
• Source data—Long-term data is stored in sample sizes that are
optimal for different lengths of charts. You can override the
automatic selection of the source data to create charts
showing, for example, a month in day-long blocks.
7 Select a filter from the drop-down list and click Add. The filter is
added to the Filter Editor page. See Table 4.
8 Click OK. Click Save to save the filter.

Table 4 Filter Definitions

| Filter | To Apply... |
| --- | --- |
| Time zone | Change the time zone used to interpret the start and end times and time masks. The default is the time zone the NetFlow Tracker server uses. |
| Time mask | Select a limited time range during a day. For example, to consider only data between 8:30 and 18:00 on a weekday, select Monday, Friday, 8:30 and 18:00 and click Add. Add as many masks as you want. Only data within one or more masked areas is considered. If you do not select a mask then all data between the start and end time is considered. |
| In interface | Report on inbound traffic for an interface or set of interfaces. Available interfaces depend on the filtered source devices. |
| Out interface | Restrict a report to just outbound traffic from a set of interfaces. Use this with an In interface filter to report on traffic that took a particular path through a router. |
| In/out interface | Restrict the report to bi-directional traffic for the selected interfaces. |
| In VPN | Restrict a report to just traffic where the inbound interface is part of the selected VPN(s). For this filter to work, you must associate interfaces with VPNs in Device Settings. See “Applying Interface Settings” on page 22. |
| Out VPN | Select traffic where the outbound interface is part of the selected VPN(s). |
| VPN | Select traffic where either interface is part of the selected VPN(s). |
| Source address | Restrict the report to traffic with a given source IP address or a set of source IP addresses. Type the address or domain in the box and click Add. |
| Dest address | Report on data with one of a set of destination IP addresses. |
| Src/dest address | Consider traffic either originating from or destined for the given addresses. |
| Protocol | Restrict the set of IP protocols considered. For example, you may want to consider only UDP or ICMP traffic while investigating a denial-of-service attack. |
| Source port | Restrict the source application port number. Use this with the Protocol filter. |
| Dest port | Restrict the destination application port number. |
| Src/dest port | Consider traffic with the given port number as either the source or destination. |
| Source application | Restrict the IP protocol and source application port number. Enter a port number and protocol or select from those configured in the IP Application Names settings page. See “Applying Identified Applications” on page 21. |
| Dest application | Restrict the protocol and destination application port, selectable by name. |
| Src/dest application | Consider traffic using the application as either the source or destination. |
| Recognized application | Select traffic with the given source or destination application. Consideration of the source or destination application depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which one has the lower port number. See “Applying Identified Applications” on page 21. |
| Identified application | Select traffic with the identified application. For NetFlow Tracker to identify applications, the device must support the functionality and you must set its identified application mapping in Device Settings. See “Applying Identified Applications” on page 21. |
| ToS | Filter traffic bearing any one of a set of type-of-service (ToS) byte values. Select a priority from 0 to 7 and select Include or Exclude. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select D (delay), T (throughput), R (reliability), or M (monetary cost) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank. |
| DiffServ | Select only traffic bearing one of the selected differentiated service code points. Because DiffServ and ToS use the same field in the IP header, do not use both filters at the same time. You can assign a name to a code point using the DiffServ Names settings page. See “DiffServ Names” on page 86. |
| Traffic class | Select traffic within a traffic class. For NetFlow Tracker to identify traffic classes, the device must support the functionality and you must configure its traffic class mapping in Device Settings. See “Applying Traffic Class IDs” on page 21. |
| Source AS | Select traffic bearing one of a set of source AS numbers. The router’s settings determine whether this is the origin or peer AS. Enter an AS number or select from the set of private-use ASes configured in the AS Names settings page. Note: You cannot select public ASes by name. |
| Dest AS | Restrict the source data to traffic bearing the destination origin or peer ASes. |
| Src/dest AS | Consider traffic to or from the origin or peer ASes. |
| Source subnet | Select traffic with the source subnet. Enter the network address and mask length or select from the subnets configured in the Subnet Names settings page. Note: The subnet mask used by the router to route the traffic is ignored when applying this filter. See “Subnet Names” on page 87. |
| Dest subnet | Select traffic with the given destination subnets. Note: A destination subnet filter of 224.0.0.0/4 will select multicast traffic. |
| Src/dest subnet | Select traffic to or from the subnets. |
| Source mask | Select traffic routed using the source network mask. |
| Dest mask | Select traffic with the destination network mask. |
| Src/dest mask | Select traffic with the source or destination network mask. |
| Next hop | Filter traffic based on the next hop used by the router in routing the traffic. |
| TCP Flags | Filter TCP traffic. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select U (urgent), A (acknowledged), P (push), R (reset), S (synchronized), or F (finished) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank. |
| Duration | Include or exclude traffic based on length of time in milliseconds. Terms: ge—greater than or equal to; le—less than or equal to. |

See also:
• “Filtering Long-term Data” on page 50
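
The TCP Flags and ToS rows of Table 4 describe a three-state choice per bit (0, 1, or blank). The following added example, which is not NetFlow Tracker code, shows that selection as a mask-and-value test over flow records, and shows why the ToS and DiffServ filters read the same byte. Function names and flow records are constructed; bit positions follow the TCP header and the RFC 1349 ToS layout, and the flag byte is assumed to be the cumulative OR of flags that NetFlow version 5 records carry.

```python
from collections import Counter

# Letter -> bit, using the letters the filter drop-down lists offer.
TCP_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
TOS_BITS = {"D": 0x10, "T": 0x08, "R": 0x04, "M": 0x02}


def compile_bits(selection, table, precedence=None):
    """Turn {letter: 0 or 1} into (mask, value); letters left out are 'blank'."""
    mask = value = 0
    for letter, wanted in selection.items():
        if wanted not in (0, 1):
            raise ValueError(f"{letter}: choose 0 or 1, or leave the bit out")
        bit = table[letter]            # KeyError for a letter the filter lacks
        mask |= bit                    # this bit now takes part in the comparison
        if wanted:
            value |= bit               # ...and must be set in the flow
    if precedence is not None:         # ToS priority 0 to 7 lives in the top 3 bits
        if not 0 <= precedence <= 7:
            raise ValueError("priority must be 0 to 7")
        mask |= 0xE0
        value |= precedence << 5
    return mask, value


def matches(byte, compiled):
    """True when every selected bit of `byte` has the selected state."""
    mask, value = compiled
    return (byte & mask) == value


def decode_tos(tos):
    """Read one header byte both ways: ToS (priority + DTRM) and DiffServ code point."""
    return {
        "precedence": tos >> 5,
        "bits": "".join(letter for letter in "DTRM" if tos & TOS_BITS[letter]),
        "dscp": tos >> 2,
    }


# Constructed flow records (documentation address ranges).
FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x02},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 80, "tcp_flags": 0x1B},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 443, "tcp_flags": 0x02},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 22, "tcp_flags": 0x06},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "dport": 51000, "tcp_flags": 0x14},
]


def half_open_by_source(flows):
    """Count flows per source where SYN was seen but ACK and FIN never were."""
    never_established = compile_bits({"S": 1, "A": 0, "F": 0}, TCP_BITS)
    hits = Counter(
        flow["src"] for flow in flows if matches(flow["tcp_flags"], never_established)
    )
    return dict(hits)


if __name__ == "__main__":
    print(half_open_by_source(FLOWS))
    print(decode_tos(0xB8))
```

A source with many flows matching S=1, A=0 is a natural first drill-down when combining this filter with the Protocol filter during a denial-of-service investigation.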


Viewing Chart Data


Using NetFlow Tracker charts and tables you can quickly see areas of
interest and examine these in further detail (see Figure 5).

Charts display the elements that contributed most to the overall total
traffic or packet rate over the charted time range. By default, at most
ten elements are shown but you can configure this on the Report
Settings page. See “Setting up Reports” on page 53.

Figure 5 NetFlow Tracker Chart

Callouts in the figure:
• Select the entire time range, zoom, and perform other actions
• View data from an earlier or later date
• Hold mouse over data for details; right-click to run a report

Chart navigation and viewing options include:


• To view earlier or later date, click (forward or back) at
the upper left corner of the chart. Note: When you move forward
or back, the chart does not refresh.
• In drill-down charts, to change the chart view, select a different
tab above the chart.

• To get more details on an item in the chart or table, click its link.
• To zoom in to the center of the chart, click . To zoom in on a
particular selection, first select that time range. Zooming in stops
the chart from refreshing.
• To zoom out from the center of the chart, click . Zooming out
also stops the chart from refreshing.
• To select a time range, click and drag the mouse across the chart.
You can then zoom in on the selection.
• To select the entire time range, click .
• To drill into selected data, select a time range and right-click the
selection. From the menu, select an item to create another chart
for the selected time range.
• To view data as a pie chart, click . See “Working with Pie
Charts” on page 43.
• To view data in a table, click . See “Working with Tables” on
page 44.
• To alter the filter applied to a standard chart, click .
• To view resolved domain names if a chart shows IP addresses, hold
your mouse over the address.
• To refresh the view, click .
• To reload the chart with all resolvable domain names shown, click
(resolve all).
• To revert from viewing resolvable domain names and view only IP
addresses, click (resolve available).
• To convert a chart to a CSV file, click . You are prompted to
open or save the file.
• To print the chart, click .
• To open the chart in a new window, click .

Working with Pie Charts


You can view most charts as a pie chart. A pie chart shows each
element’s proportion of the total octets or packets during the entire
time range.


• To return to the standard chart view, click .


• Hold your mouse over a pie segment to highlight data in the
table.
• Right-click a pie segment to create a report for that device. From
the menu, select an item to create another chart for the selected
time range.

Figure 6 Chart Report

Callouts in the figure:
• Hold mouse over a segment to highlight corresponding table row
• Right-click to run an ad hoc report

Working with Tables


Device and Interface list pages use a tabular view, as do filtered
reports you create. You can also view most charts as tables. A tabular
view shows the entire time range in one table. It also shows every
contributing element rather than just the largest ones.

Figure 7 Table Report

Select and click Go to drill into row’s data

Options include:
• To return to the standard chart view, click .
• To navigate through tables of more than 25 rows, use the page
navigation at the top of the table.
• To go to a specific position in the view, click in the scrollbar. A
blue line or box on the scrollbar indicates the page shown and
how much of the view the page represents.
• To sort items by name, address, traffic rate, or packet rate, click
the column heading. Click again to sort items in the opposite
order.
• In reports, to drill into a row’s data, select the radio button at the
left of a row. (You can select only one row at a time.) Select a
sub-report type from the drop-down list at the bottom of the page
and click Go. For example, if you are viewing a report of source
applications, you can select an application and view source
addresses using that application. For more information, see
Appendix B, “Report Templates.”

5: Viewing Long-term Data

Use long-term reports (Main Menu > Long-term Reports) to view
aggregated data for periods up to multiple years at a granularity
level you define in Database Settings. NetFlow Tracker provides
reports on top devices and interfaces. To view custom long-term data,
you must set up a long-term report. Because data is aggregated,
long-term reports can take less time to run than real-time reports.

Topics include:
• Viewing Long-term Network Overview Data
• Viewing Long-term Device and Interface Data
• Filtering Long-term Data

See also:
• “Database Settings” on page 89.
• “Creating Long-term Reports” on page 60.

Viewing Long-term Network Overview Data

The long-term data Network Overview (Main Menu > Long-term
Reports > Network Overview) shows the top exporting devices and
busiest interfaces on the network based on long-term data. From
here, you can drill down to device and interface-specific application
data. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• Tables showing the top five in and out interfaces by average and
peak percentage of usage.
• Tables showing the top five in and out interfaces by average and
peak traffic rate.

Viewing options include:


• Click a device in the list to see its busiest interfaces. See “Viewing
Interfaces” on page 34.
• Click an interface name to see its recent usage percentage, traffic
rate, and packet rate data.
• Right-click a pie segment to create a report for that device. From
the menu, select Source Addresses, Destination Addresses, or
Recognized Applications to create another chart for the selected
time range.

The granularity of long-term report data is based on your database
settings. See “Database Settings” on page 89.

Figure 8 Network Overview—Long-term Data

Callouts in the figure:
• Hold mouse over a segment to highlight corresponding table row
• Right-click to run an ad hoc report
• Click to view top devices and interfaces
• Click to view traffic and packet rates for interface

Viewing Long-term Device and Interface Data

The long-term Devices and Interfaces pages (Main Menu > Long-term
Reports > Devices) show NetFlow performance data from all devices
and their interfaces. They are similar to the real-time versions, except
for the following differences:

• A selector at the bottom of the page lets you change the time
range of the current report or chart, and any reports or charts
opened by interacting with it. Time options span from hours to
years. The default setting is seven days, based on the time zone of
the NetFlow Tracker server. To change this setting, see “Creating
Long-term Reports” on page 60.

Note
If you zoom into or out of a long-term chart or drill into a
selection (other than one selected using Select All), the time
range selector is not available on the resulting chart.

• The long-term Devices and Interfaces pages show the peak and
average traffic and packet rates. By contrast, real-time pages
show the peak and most recent rates.
• When you select a range of time on a long-term device or
interface chart and right-click to drill down, you can only access
reports created as per-device, per-inbound interface or
per-outbound interface in Report Settings.

See also:
• “Viewing Devices” on page 33.
• “Viewing Interfaces” on page 34.

Filtering Long-term Data


You can create a long-term report using the long-term Filter Editor, a
simpler version of the real-time Filter Editor. It is the only way you can
access custom long-term reports that are created as basic reports.
Reports for source addresses, destination addresses, and recognized
applications (per source device and inbound and outbound
interfaces) are available.

To apply filters to long-term reports:


1 Select Main Menu > Long-term Reports > Filter Editor.
2 Select a long-term report and set whether to create a tabular
report, chart, or pie chart.
3 For Source Data, select the data sample size. Long-term data is
stored in sample sizes that are optimal for different lengths of
charts. You can override the selection of the source data to create
charts showing, for example, a month in day-long blocks.
4 Click Start time/End time or Length to set how much data the
report will include:
• Pick the date and time of the earliest and latest data to
consider. The default start time is six hours before you opened
the Filter Editor.
• Set the length in units. The report will cover that number of
units and end at the last full unit before the time it is opened.
5 Select a source device or interface to report upon. To select more
than one device or interface you must save the filter.
6 To add a Time zone or Time mask filter or a saved filter, select
from the drop-down list and click Add. The filter is added to the
Filter Editor page. For more information, see Table 4 on page 38.
7 Click OK to apply the filter settings. The filter is directly applied.
Click Save to save the filter for future use. See “Saving a
Long-term Filter.”

Saving a Long-term Filter


When you save the filter, you can select multiple interfaces or devices
for the filter, and you can apply the full range of filters to it.

To save a long-term filter:


1 Configure the long-term filter as described in “Filtering
Long-term Data.” In the long-term Filter Editor, click Save.
2 Select an ID number and name.
3 (Optional) Add multiple interfaces or devices.
4 Select a filter from the drop-down list and click Add. For more
information, see Table 4 on page 38.

6: Setting up Reports

Use the Report Settings page (Main Menu > Settings > Report
Settings) to set up all reports and charts. Topics include:
• Reports Overview
• Applying General and Real-time Report Settings
• Saving Report Filters
• Scheduling Reports
• Creating Long-term Reports
• Creating Executive Reports

Reports Overview
You can create three types of reports:
• Real-time reports—View the last seven days of data (by default)
in real-time at one-minute granularity.
• Long-term reports—View aggregated data for up to multiple
years at a granularity level you define in Database Settings.
• Executive reports—An executive report is a pre-configured
template that contains one or more reports or charts and HTML
content that you define. Use an executive report to access
often-used reports or to group related reports on one page.


Note
Avoid reporting from multiple devices and over long periods of
time. Doing so can cause NetFlow Tracker to count some traffic
multiple times.

Applying General and Real-time Report Settings
Table 5 General and Real-time Report Settings

| Section | Option | Definition |
|---|---|---|
| General | Show hostnames in reports | Open reports and charts with all resolvable hostnames resolved and shown by default. |
| General | Show chart legends in descending order | Show the rows of a chart legend in the same order as the corresponding table or as the areas shown on the chart. |
| General | Show interface descriptions | Use the description of an interface, when available, in filter descriptions instead of the name. |
| General | Work around “click to activate” | Enable or disable the work-around for the “click to activate and use this control” message that appears over chart applets in Internet Explorer. Some combinations of operating system, browser, and Java plug-in do not work correctly when this is enabled. If applets do not show correctly or drilling down does not work, turn off this setting. |
| General | Default PDF page size | Set the default page size in a PDF version of a report or chart. If a report is too wide to fit on a page, the page is made proportionally bigger. |
| General | Landscape | Set the orientation of the report. Leave blank for portrait. |
| Real-time Reports | Rows per tabular report page | The number of rows shown on each page of a tabular report. Note: Device and interface status reports show all rows on a single page. |
| Real-time Reports | Elements considered per chart block | Determine the accuracy of a real-time chart. When a chart is generated only the largest elements are considered from each block. Because the highest overall elements may not be the highest elements in each block of the chart, set more elements from each block than the number of charted elements. |
| Real-time Reports | Charted elements | Set the maximum number of elements displayed on a chart, excluding the Others element. |
| Real-time Reports | Default time range | Set the time range used for any real-time report or chart where a time range is not specified. This is the time range of the Network Overview, device, interface, and AS status reports and charts and the default time range selected in the Filter Editor. |
| Real-time Reports | Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts. |

Saving Report Filters


In Report Settings, you can save filters and use these in the Filter
Editor when creating real-time or long-term reports. For example,
you may use a saved filter to attach a name to a time-of-day mask or
a filter that selects traffic related to a particular multi-port
application or group of servers.

To create a saved filter:


1 Select Main Menu > Settings > Report Settings.
2 Expand the Saved Filters setting.
3 Type a name in the box and click New.
4 In the New Saved Filter page, assign an ID. Select a filter and click
Add. Then click OK. The filter is added to the list.
5 In the Saved Filters list on the Report Settings page, you have the
following options:
• To edit or delete a filter, click its name.


• To copy a filter, click its icon.


• To change the order in which saved filters appear, click the up
or down arrows.
6 Click OK.

Scheduling Reports
You can set up any real-time, long-term, or executive report as a
scheduled report that you can email or save to a server location based
on that schedule. In addition, you can generate scheduled reports on
demand if they are included in the Reports page.

Figure 9 Report Settings—Scheduled Reports (callouts: “Enter name, select type, and click New”; “Set report distribution”)

To create a scheduled report:


1 Select Main Menu > Settings > Report Settings.
2 Expand the Scheduled Reports setting (see Figure 9).
3 To receive reports by email:
• For Email server address, enter the IP address or domain
name of the SMTP server used to send scheduled report
emails.
• For Send emails from, set the email address that is used as the
“From:” address of mails sent by NetFlow Tracker.
4 To save reports to a server, for Save reports to, enter the folder
where scheduled reports are saved. You can override this
default location for any scheduled report.


5 Under Scheduled Report Name, enter a name. Use only
alphanumeric characters.
6 Select a report type: Real-time, Long-term, Executive, or Custom.
Choose Custom to create a report based on custom parameters.
See Appendix C, “Report URL Parameters.”
7 Click New. The New Scheduled Report page is shown (see
Figure 9). Here you can set up the report parameters (see Table 6).
8 Click OK. The scheduled report is added to the list on the Report
Settings page.
9 In the Scheduled Reports list, you have the following options:
• To edit or delete a report, click its name.
• To copy a report, click its icon.
• To change the order in which reports appear, click the up or
down arrows.
10 Click OK on the Report Settings page to apply the changes.

Table 6 New Scheduled Report Options

| Option | Definition |
|---|---|
| ID | The report’s identification number. |
| Name | The report name. Use only alphanumeric characters. |
| Description | The report description. |
| Include in reports menu | Show the report in the Reports page. |
| Run on demand | The report does not automatically generate and appears only in the Reports page. |
| Run once | The report runs once at the specified time on the date supplied for “Begin running this schedule on.” |
| Run every day | The report runs every day at the specified time, starting on the specified start date and optionally finishing in the specified end date. |
| Run every week | The report runs on the specified days of every week. |
| Run every month | The report runs on either the specified date of each month or on the specified week day (for example, the first Monday of each month). |
| Begin running this schedule on | Set the beginning date for the schedule. |
| End this schedule on | Set the end date for the schedule. |
| Delete report after schedule ends | If you select an end date, select this to delete the report on that date. Saved output is not deleted. Tip: You can use this with the “Run once” schedule option to run a particularly time-consuming report. |
| Output as | Options are PDF, HTML single file (MHTML), HTML zipped (which contains the HTML, stylesheets, and images), CSV, and XML. When a report is generated on-demand from the Reports page it is formatted in the normal interactive HTML format. |
| Save to | Save the report to a specified folder on the server. |
| Email to | Email the report as an attachment to the specified address. Enter the subject line and body of the email. |
| Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters to alter anything about the report that is not configurable using the Filter Editor. |
| Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |


Creating Long-term Reports


You can set up any report you created using the Filter Editor as a
long-term report. A custom long-term report has a name, report
template, and type. It can also have its own time mask, other filters,
and storage settings that override those in Database Settings.

The report type determines how the report is accessed. Because a
basic report is created across the entire system, put a filter on at least
the source device. You can only access a basic report from the long-
term report Filter Editor.

You can also create a long-term report for each device in the system
or for each inbound or outbound interface. These reports can still
have a filter or time mask. You can access a per-device, inbound, or
outbound interface report from the long-term Filter Editor or by
drilling down from the long-term device or interface charts.

Note
If you create a long-term report that includes only data from the
real-time database, then the report’s granularity is one-minute.

Figure 10 Report Settings—Long-term Reports (callouts: “Enter name, select type, and click New”; “Set granularity”)

To create a long-term report:


1 Select Main Menu > Settings > Report Settings.
2 Expand the Long-term Reports setting (see Figure 10).
3 For Elements stored per sample, set the number of elements to
store per sample. This controls the accuracy of long-term charts
and tabular reports. It is similar to the number of elements
considered per chart block.
4 For Tabular report rows, set the maximum number of rows to
show on a tabular report. Note: The accuracy of a long-term
tabular report depends upon the number of elements considered
per sample.
5 For Charted elements, set the maximum number of elements
shown on a long-term chart, excluding the Others element.


6 Select Standard long-term reports are disabled to turn off the
standard set of per-device and per-interface long-term reports.
7 For Default time range, set the time span used for any long-term
report where one is not set on a specific report.
8 Enter a report name. Use only alphanumeric characters.
9 Under Report Template, select a template. See Appendix B,
“Report Templates.”
10 Select a report type. For more information, see Table 7.
11 Click New. The New Long-term Report page is shown (see
Figure 9). Here you can set up the report parameters (see Table 6).
12 Click OK. The long-term report is added to the list on the Report
Settings page.
13 In the Long-term Reports list, you have the following options:
• To edit or delete a report, click its name. You cannot change
the report template, type, or time mask of an existing report.
• To copy a report, click its icon.
• To change the order in which reports appear, click the up or
down arrows.
14 Click OK on the Report Settings page to apply the changes.

Table 7 New Long-term Report Options

| Option | Definition |
|---|---|
| ID | The report’s identification number. |
| Name | The report name. |
| Report Template | See Appendix B, “Report Templates.” |
| Type | Basic—Select source devices and interfaces for the report. Per source device—Run this report on all source devices. Per inbound interface—Run this report on all inbound interfaces. Per outbound interface—Run this report on all outbound interfaces. |
| Storage Options | Set the length of time to store data and its granularity. Note: Storage settings can impact system performance. See “Database Settings” on page 89. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Creating Executive Reports


An executive report is a pre-configured template that contains one or
more sub-reports or charts and user-defined HTML content. Executive
report filters are applied to sub-reports along with their own filters.


Figure 11 Report Settings—Executive Reports (callouts: “Enter name and click New”; “Set up sub-report contents and layout”)

To create an executive report:


1 Select Main Menu > Settings > Report Settings.
2 Expand Executive Reports (see Figure 11).
3 Enter a report name and click New.
4 On the New Executive Report page, apply the following settings:
a Enter a report ID, name, and description. For the name, use
only alphanumeric characters.
b Check Include in reports menu to show the report on the
Reports page. Note: Use unfiltered sub-reports with care if
you select this. You will not be able to filter the executive
report from the Reports page.
c Under Sub-report tag, enter the name of a sub-report to
embed in the executive report. Select a type: Real-time, Long-
term, or Custom. Click New. On the Sub-report page, set the
parameters for the sub-report (see Table 8) and click OK. You
can add as many sub-reports as you want.
d Click Add Row to add a content row to the executive report.
You can then add cells to the row. Each row has one or more
cells. You can set up a cell to span a number of columns. There
are two types of cells: sub-report cells and HTML cells. See
“Adding a Sub-report Cell” on page 66 and “Adding an HTML
Cell” on page 68.
5 Click OK. The executive report is added to the list on the Report
Settings page.
6 In the Executive Reports list, you have the following options:
• To edit or delete a report, click its name. You cannot change
the report template, type, or time mask of an existing report.
• To copy a report, click its icon.
• To change the order in which reports appear, click the up or
down arrows.
7 Click OK on the Report Settings page to apply the changes.

Table 8 Sub-report Options

| Option | Definition |
|---|---|
| Tag | The sub-report name. |
| Report template | See Appendix B, “Report Templates.” |
| Sample size: Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters. Note: If you select Default/Custom and do not add custom time range parameters, the time range is passed to the executive report, or the default real-time or long-term time range, according to the report. |
| Reload interval | The number of minutes between refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Adding a Sub-report Cell


On the New Executive Report page, you can add sub-report cells to
the report. Select a sub-report from the list. See Table 9 for options.

Figure 12 Report Settings—Executive Reports

Table 9 Sub-report Cell Options

| Option | Definition |
|---|---|
| Sub-report | Sub-report name. |
| Output as pie chart | If the sub-report is a chart over time, select to output a pie chart. |
| Sections | Select the sections of the sub-report you want the cell to display. |
| Controls | Select the user-interface controls to enable. |
| Columns | Select which columns to show. |
| Chart | If the sub-report is a chart or pie chart, select which chart to show. |
| Output Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
| New Window Drilldown Settings | Select to include all sections, controls, and columns in the drill-down window. If you have set the Drilldown or Open in a new window options for a report cell, you must also set how the URL is modified to create the new window. You can show all sections and columns and allow all controls (which is usually the case for a complex layout). You can also specify custom parameters. Note: To remove a parameter from the new window’s URL, leave its value blank. |
| Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |

Adding an HTML Cell


From the New Executive Report page, you can add HTML content,
such as explanatory text, links, or a company logo, to the report using
HTML cells. Store images to include in the report in the “customweb”
folder under NetFlow Tracker’s install folder. You can access these as
“customweb/<filename>.<ext>”.

CSS style controls an HTML cell’s appearance. Three standard styles
are offered:
• Report Title produces a cell that matches a report title.
• Report Description produces a cell with the blue background of a
report’s time range and filter description. If you use this, enclose
the text in the following HTML tag.
<span class="repdesctext">Test</span>
• Content Cell produces a cell with a white background.

68
Setting up Reports
Viewing Executive and Real-Time Reports 6
When an executive report is formatted as PDF only the three standard
styles are used and all HTML tags are removed from the text.

You can control the layout of the report by moving rows up and
down and cells left and right within their rows. To create complex
layouts, make cells span multiple columns.
• To increase the cell by a column, click .
• To decrease the cell by a column, click .
• To delete a cell or row, click .

Viewing Executive and Real-Time Reports


You can view executive reports you have created from the Reports
page (Main Menu > Reports). Select a report to view its contents. To
create reports, see “Setting up Reports” on page 53.

7: Working with Alarms

Topics include:
• Alarms Overview
• Configuring Alarms
• Configuring Notification Settings
• Viewing Events

Alarms Overview
Alarms are pro-active notifications of user-impacting performance
problems on the network. Alarms are triggered by events—problems
or other important incidents on the network.

When configuring an alarm, you choose the alarm type, metric, and
the threshold type for permitted performance. You can set thresholds
from specified values or from a baseline. NetFlow Tracker supports
two types of alarms:
• Threshold alarms indicate changes in performance for a selected
metric, such as traffic rate or conversation rate over time, based
on the filters applied in the alarm. Threshold alarms compare
recent performance against configured thresholds. They can use a
baseline or specified values.
• Profile alarms indicate changes in the network. For example, the
Recognized Applications profile alarm indicates which
applications make up the traffic or packets observed in the last
minute against the configured baseline. They always use a
baseline.


Alarm Severity and Lifecycle


Alarms have two levels of severity: degraded and excessive. These
identify less and more severe performance conditions. You can
independently set the thresholds for degraded and excessive alarms.

An alarm’s severity can change over its duration. For example, an
alarm that is initially generated as degraded can later change to
excessive. Similarly, an alarm that was once excessive can later change
to degraded.

An alarm ends when the performance improves or after the alarm
times out. This occurs after traffic falls within the accepted
threshold for one minute. This change in the severity of the alarm
throughout its duration is referred to as the event lifecycle.

By default, alarms are removed after 7 days, as real-time data is
replaced with more current data. You can set the length of time to
keep real-time data in the database. For more information, see
“Database Settings” on page 89.

Thresholds and Baseline Sensitivity


When configuring an alarm, you can set values for degraded (orange)
and exceeded (red) thresholds or have the thresholds derived from a
baseline.

Thresholds with specified values set minimum permitted standards
for performance. Because of this, service level agreements (SLAs) are
often defined in terms of fixed thresholds. This option can require
more maintenance if you need to individually set thresholds for many
different devices or addresses, or if performance thresholds are
expected to change over time. Specified values are available for
Threshold alarms only.

When you set alarm thresholds using baselines, the sensitivity setting
is used to derive the alarm performance thresholds from the
baselines. A baseline records normal network behavior against which
future network problems and important incidents are measured. The
alarm sensitivity controls how a threshold is calculated in relation to
the baseline average and standard deviation. Because a default
sensitivity value must apply consistently across many different
baselines and also across individual baselines as they change over
time, sensitivity is a relative value.

There are two types of baselines:


• Static—This baseline is calculated at the beginning and not
updated. It is useful when performance is usually stable and
consistent. In these cases, static baselines are often simpler to
configure and maintain than specified value thresholds.
• Weekly—This baseline is most useful for detecting sudden
changes from recent performance. Weekly updated baselines
change to reflect recent performance. As baselines change over
time, the thresholds adapt to these changes.

To configure alarm thresholds that use baselines, adjust the sensitivity
slider. The maximum sensitivity for both thresholds is 10.

Alarming for Persistent Changes


The “Alarm only for persistent change” option blocks out alarms that
are based on random and transitory changes that are too short-lived
to require attention. When this setting is enabled, an alarm is
generated only when the most recent performance is consistently
above the performance threshold. This lets you focus on user-
impacting performance changes.

Alarms marked for persistent changes are based on the most recent
20 minutes of data taken at one-minute samples by NetFlow Tracker.
Alarms not marked for persistent changes are based on the most
recent minute of data only.

Alarm status is checked every minute. After every check, new alarms
can be generated, existing alarms can end, or alarms can continue.
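
The difference between the two modes, as an added Python model that is not NetFlow Tracker's own algorithm. It assumes "consistently above" means every one-minute sample in the 20-minute window surpasses the threshold, uses specified-value thresholds, and runs on constructed traffic-rate samples; all function names are hypothetical.

```python
"""Simplified model of threshold-alarm evaluation (added example, not product code)."""

WINDOW = 20  # one-minute samples used when "Alarm only for persistent change" is set
RANK = {"normal": 0, "degraded": 1, "excessive": 2}


def classify(value, degraded, excessive):
    """Map one sample to a state using specified-value thresholds."""
    if value is None:
        return "no data"
    if value > excessive:
        return "excessive"
    if value > degraded:
        return "degraded"
    return "normal"


def evaluate(samples, degraded, excessive, persistent=True):
    """State of the alarm after the latest one-minute check.

    Assumption: with persistent=True the alarm takes the lowest severity seen
    across the last WINDOW samples, so every sample must surpass a threshold
    before that severity is reported. With persistent=False only the most
    recent sample counts.
    """
    if not samples:
        return "no data"
    if not persistent:
        return classify(samples[-1], degraded, excessive)
    if len(samples) < WINDOW:
        return "normal"  # assumption: not enough history yet
    states = [classify(v, degraded, excessive) for v in samples[-WINDOW:]]
    if "no data" in states:
        return "no data"
    return min(states, key=RANK.get)


def lifecycle(series, degraded, excessive, persistent=True):
    """Run the check once per minute and return the state after each check."""
    return [evaluate(series[: i + 1], degraded, excessive, persistent)
            for i in range(len(series))]


def events(states):
    """Collapse per-minute states into (start_minute, end_minute, max_severity)."""
    found, start, worst = [], None, "normal"
    for minute, state in enumerate(states):
        active = state in ("degraded", "excessive")
        if active and start is None:
            start, worst = minute, state
        elif active and RANK[state] > RANK[worst]:
            worst = state
        elif not active and start is not None:
            found.append((start, minute, worst))
            start, worst = None, "normal"
    if start is not None:
        found.append((start, None, worst))  # event still open
    return found


# Constructed traffic-rate samples (Mbps), one per minute: a one-minute spike,
# then 20 minutes above the degraded threshold, then 20 above the excessive one.
SERIES = [40] * 25 + [95] + [40] * 5 + [70] * 20 + [90] * 20 + [40]
DEGRADED, EXCESSIVE = 60, 80

if __name__ == "__main__":
    for mode in (False, True):
        states = lifecycle(SERIES, DEGRADED, EXCESSIVE, persistent=mode)
        print("persistent" if mode else "last minute", events(states))
```

With the option off, the single-minute spike at minute 25 raises its own event; with it on, only the sustained rise is reported.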


Baseline Learning and Reset


For the baseline to accurately reflect performance, time is required to
gather data. The following states are possible:
• Learning—Baselines are still learning the typical network
performance. Alarms are not generated.
• Available—There is enough data to calculate a profile of typical
network performance. However, more data is desired for a more
accurate profile. Alarms are generated.
• Complete—The profile has a good sample of data to calculate
reliable profiles. Alarms are generated.

These states are shown in the Alarm List (Settings > Configure
Alarms).

Only available and complete baselines are used to set thresholds and
generate alarms. NetFlow Tracker can collect enough data in a day to
create an available baseline. A complete baseline usually takes a
week.

Note
When you first install NetFlow Tracker or change alarm
parameters, baselines are reset. NetFlow Tracker must “learn”
the normal network performance and generate new baseline
profiles.

Static baselines are static only after the status is Complete. When
status of a static baseline is Available, the baseline is still adjusting.

Tips and Techniques


In general, configuring alarm thresholds too low results in too many
alarms that are ignored and makes it difficult to identify the more
serious problems as they arise.

Note:
• Always enable the “Alarm only for persistent change” option
unless there is a specific reason to disable it.

• To disable Degraded alarms but leave Excessive alarms enabled,
set the Degraded threshold to match the Excessive threshold.
• If your network experiences poor performance that an alarm is
not identifying, decrease the threshold. If alarms are being
generated but the performance is acceptable, increase the
threshold.

Configuring Alarms
Use the Alarm List page (Settings > Configure Alarms) to manage and
create alarms. For each alarm, the name, type, template, exceeded
and degraded thresholds, filter, and persistent changes settings are
shown.

Options include:
• To view events triggered by an alarm, click . See “Viewing the
Event List” on page 79.
• To add a new alarm, click New. See “Creating an Alarm.”
• To edit an alarm, click its name.
• To delete an alarm, select its checkbox and click Delete.

Creating an Alarm
In NetFlow Tracker, you can create up to 100 alarms.


Figure 13 Creating an Alarm

To create an alarm:
1 Select Main Menu > Settings > Configure Alarms.
2 Click New. The Create Alarm page is shown.
3 Enter a name.
4 Select an alarm type:
• Threshold Alarm—Indicates changes in performance. You can
use a baseline or specified values.
• Profile Alarm—Indicates changes in the network. You can use
a baseline only. Select a report template for the alarm.
5 Select a metric. Available metrics vary based on the alarm type
and, for Profile alarms, the report template:
• For Threshold alarms, select: Traffic Rate, Packet Rate,
Address Pair Rate, or Conversation Rate.
• For Profile alarms, select: Traffic Rate, Packet Rate,
Destination Address Count, or Conversation Count, and Source
Address Count.
6 Set the source device. If you need more than one device, click
Multiple. Then select devices in the left column and click > to
include them. Note: If you select multiple devices, some or all
traffic may be counted multiple times.

7 Select a filter and click Add. For more information, see Table 4 on
page 38.
8 Set Alarm only for persistent change to exclude alarms that do
not fall into a consistent pattern over a 20-minute period and
may represent random jumps in data.
9 Set the threshold type:
• Weekly Baseline—The baseline adjusts weekly, based on
current data. Adjust the slider to set the alarm sensitivity.
• Static Baseline—The baseline does not adjust once it is
complete. Adjust the slider to set the alarm sensitivity.
• Specified Values—Available only for Threshold alarms. Set the
degraded and exceeded thresholds.
For more information, see “Thresholds and Baseline Sensitivity.”
10 Click OK.

Configuring Notification Settings


NetFlow Tracker generates SNMP traps when an alarm first exceeds its
threshold, when it returns below its threshold, and when it changes
from a degraded to excessive state for the first time. You can set up
NetFlow Tracker to send event notifications to any platform that can
receive them.

To configure notification settings:


1 Select Main Menu > Settings > Notification Settings.
2 Enter the IP address of the trap receiver.
3 Enter the SNMP port number and community.
4 Select the SNMP version: SNMP V1 or SNMP V2C.


Viewing Events
Events are displayed at one-minute granularity. Events are removed
as real-time data is removed, by default after seven days. You can
view events in the following ways:

Viewing the Events Timeline


To view degraded and exceeded events in chart format over time,
select Main Menu > Events Timeline.

Figure 14 Events Timeline

Options include:
• To view data in chart format based on the report template used,
click the alarm name.
• To view event data for a point in time, right-click and select from
the menu.
• Move the chart back and forward in time, zoom in and
out, or view the data in a table. For more information, see
“Viewing Chart Data” on page 42.

Viewing the Event List
Use the Event List to view events in table format. To access the page:
• Select Main Menu > All Events.
• From the Events Overview, select a time view and click (table icon)
to view events for that time.
• From the Event Details page, click OK.

Viewing options include:


• To view data in chart format based on the report template used,
click the alarm name.
• To view the event lifecycle, click .

Figure 15 Event List

Viewing the Event Lifecycle


To view event lifecycle information, click on the Event List.

The Event Lifecycle page shows the alarm name and type, the event
start and end time, duration, current status, initial and maximum
severity levels, and a bar chart showing status over its life. Four states
are:
• Exceeded— (Red) The conditions have surpassed the Excessive
threshold or baseline setting.
• Degraded— (Orange) The conditions have surpassed the
Degraded setting but have not reached the Excessive setting.
• Normal— (Green) The conditions have not reached the
Degraded setting.
• No Data— (Black) No data was available.

Click the chart to view data based on the selected alarm template.
The resulting chart shows performance against the Degraded and
Excessive thresholds for the alarm.

8: Optimizing NetFlow Tracker

Using Settings, you can determine how data is gathered and
managed, and optimize NetFlow Tracker performance. Topics include:
• Data Display and Filtering Settings
• Data Management and System Performance Monitoring

For other settings, see:


• “Setting up NetFlow Tracker” on page 15.
• “Setting up Reports” on page 53.
• “Creating an Alarm” on page 75.
• “Configuring Notification Settings” on page 77.

Data Display and Filtering Settings


Use these settings to apply additional filters and to set up NetFlow
Tracker for use through a management portal. Topics include:
• Management Portal Settings
• IP Application Names
• DiffServ Names
• Hostname Resolution Settings
• Subnet Names
• AS Names


Management Portal Settings


Use Management Portal Settings to set up access to NetFlow Tracker
through a management portal (such as the Visual Performance
Manager Web Portal).

NetFlow Tracker lets users of a management portal have device or
interface-level access to interactive reports, as long as the portal’s
HTTP proxy server can conceal the initial URL sent to NetFlow Tracker
and can direct subsequent HTTP requests from the user interacting
with the page to the NetFlow Tracker server. You may use an Apache
web server as a proxy if the management portal does not contain one
or is not sufficiently programmable. See “Using Apache as a Portal
Server” on page 83.

Note
When using management portal settings, you must use
password protection to prevent the system from being
bypassed. See “Applying Security Settings” on page 26.

To set up portal access control:


1 Select Main Menu > Settings > Management Portal Settings.
2 Under Tag, enter a tag that is used to identify the secret value if
you need to change or delete it.
3 Under Secret, enter the secret value and under Confirm, enter the
secret value again. To remove a secret value, check its box and
click Delete.
4 Click Add.
5 Click OK.

How Access Control Works


A user’s web browser requests a URL from the portal’s proxy server
that identifies a particular NetFlow Tracker report. For example:
http://<proxy>/NetFlow Tracker1/report1

The portal’s proxy server sends a request to the NetFlow Tracker
server that selects the report and contains one of the configured
secret values and some access control parameters describing what the
user can access:
http://<NetFlow Tracker1>/report.jsp?portalsecret=<secret>&aclif=...

NetFlow Tracker creates a session for the portal and logs it in. This
session is restricted so that only requests containing access list
identifiers are accepted.

The report generated by NetFlow Tracker ensures that any interaction
(such as clicking a link) results in a request containing a
securely-generated access list identifier:
http://<proxy>/NetFlow Tracker1/report.jsp?portalacl=...

The portal’s proxy server sends the unaltered request to the correct
NetFlow Tracker server:
http://<NetFlow Tracker1>/report.jsp?portalacl=...

Using Apache as a Portal Server


The Apache web server supports several directives in its configuration
file (httpd.conf) for use as a programmable proxy server:

Table 10 Apache Web Server Commands

Command
    Definition

RewriteEngine On
    Enables the URL rewriting module.

RewriteRule ^/NetFlow Tracker1/report1$ http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L]
    Sets up a rule to proxy requests for
    http://<proxy>/NetFlow Tracker1/report1 to an access controlled
    request to the NetFlow Tracker server.

RewriteRule ^/NetFlow Tracker1/(.*)$ http://1.2.3.4/$1 [P,L,QSA]
    Sets up a rule to proxy any requests for URLs starting with
    http://<proxy>/NetFlow Tracker1/ to an equivalent request to the
    NetFlow Tracker server.

ProxyPassReverse /NetFlow Tracker1/ http://1.2.3.4/
    Makes sure that NetFlow Tracker handles the HTTP redirects correctly
    when it creates a session for the portal and logs it in.
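
The secret stays hidden from the browser only while the rule that carries it is proxied ([P]) and does not merge the browser's own query string into the access-controlled request ([QSA]). The following configuration check is an added example, not part of the original guide or of NetFlow Tracker; the /nft1/ path, the addresses and the secret in the sample are constructed placeholders.

```python
import re

# Constructed httpd.conf fragment for illustration. The /nft1/ path, the
# 192.0.2.x addresses and the secret are placeholders, not real values.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^/nft1/report1$ http://192.0.2.10/report.jsp?portalsecret=EXAMPLE&acldevice=192.0.2.20&templid=0000 [P,L]
RewriteRule ^/nft1/report2$ http://192.0.2.10/report.jsp?portalsecret=EXAMPLE&acldevice=192.0.2.21 [R,L]
RewriteRule ^/nft1/report3$ http://192.0.2.10/report.jsp?portalsecret=EXAMPLE&acldevice=192.0.2.22 [P,L,QSA]
RewriteRule ^/nft1/(.*)$ http://192.0.2.10/$1 [P,L,QSA]
ProxyPassReverse /nft1/ http://192.0.2.10/
"""

# mod_rewrite accepts long and short flag names; normalise to the short form.
FLAG_ALIASES = {"proxy": "P", "redirect": "R", "qsappend": "QSA", "last": "L"}

# An argument is either double-quoted or a run of non-blank characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split a directive into its arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def parse_flags(token):
    """Turn '[P,L,QSA]' into {'P', 'L', 'QSA'}; 'R=302' becomes 'R'."""
    flags = set()
    for item in token.strip("[]").split(","):
        name = item.split("=", 1)[0].strip()
        if name:
            flags.add(FLAG_ALIASES.get(name.lower(), name.upper()))
    return flags


def audit(conf_text):
    """Return (line number, finding) pairs for rules that carry the secret."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = tokenize(line)
        if parts[0].lower() != "rewriterule" or len(parts) < 3:
            continue
        target = parts[2]
        if "portalsecret=" not in target:
            continue  # only the access-controlled rules are of interest
        has_flags = len(parts) > 3 and parts[3].startswith("[")
        flags = parse_flags(parts[3]) if has_flags else set()
        if "P" not in flags:
            # Without [P], an absolute URL to another host is answered with
            # an external redirect, so the secret reaches the browser.
            findings.append((lineno, "secret-not-proxied"))
        if "QSA" in flags:
            # [QSA] appends the browser's query string to the request that
            # carries the secret and the access control parameters.
            findings.append((lineno, "client-query-merged"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```

Only rules whose target contains portalsecret= are inspected, so the catch-all rule keeps [QSA], which it needs to forward the portalacl parameter unaltered.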


IP Application Names
Use IP Application Names to apply custom applications and ports that
you want to track. You can define simple and grouped applications.

Figure 16 IP Application Name Settings

Simple applications

Grouped applications

Defining a Simple Application Name


A simple IP application is determined by its protocol (for example TCP
or UDP) and an application port number. Applications you define
here are used to display readable names in reports.

Protocol name and port numbers correspond directly to specific
network applications. Many are predefined (well-known ports) while
others (registered ports) are defined by the software manufacturer.

NetFlow Tracker comes configured with the well-known ports in
addition to many others. For a list of all well-known and registered
ports, see http://www.iana.org/assignments/port-numbers.

To define a single application:


1 Select Main Menu > Settings > IP Application Names.
2 Under Protocol, select a protocol from the drop-down list.
3 Under Port, enter a port number. By default, ports below 1024 are
not shown on this page. To see them, click (more…).
4 Under Name, enter a unique name.
5 Click Add. To delete an application, select its checkbox and click
Delete.
6 On the IP Application Names page, click OK.

Defining a Grouped Application Name


You often need more than a simple application port to correctly
identify an application.

In IP Application Names settings, you can create multiple grouped
applications, with each grouped application containing multiple
rules. A rule consists of at least one IP address and a range of port
numbers for a given protocol, traffic class, or identified application.
Each item in a rule is optional. Traffic that passes at least one rule is
considered part of that application.

To avoid double-counting data between single and grouped
applications, grouped applications have a configurable precedence.
Each group has a higher precedence than any simple application. If
traffic is considered part of more than one grouped application, the
one with the highest precedence is chosen.

A grouped application also has a unique identifier that is used when
creating long-term report data and in filter URLs. Because long-term
data uses identifiers, assign these carefully.
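
The matching and precedence rules described above, as an added example that is not NetFlow Tracker's own code. It covers the address, protocol and port items only (traffic class and identified application are left out); matching an address against either end of a flow and treating a larger number as higher precedence are assumptions, and the sample applications and flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One rule of a grouped application. Every item is optional (None = any)."""
    network: Optional[str] = None            # CIDR range, e.g. "10.20.0.0/24"
    protocol: Optional[str] = None           # "tcp" or "udp"
    ports: Optional[Tuple[int, int]] = None  # inclusive (low, high) range

    def matches(self, flow: dict) -> bool:
        if self.network is not None:
            net = ip_network(self.network)
            # Assumption: a rule address may match either end of the flow.
            if (ip_address(flow["src"]) not in net
                    and ip_address(flow["dst"]) not in net):
                return False
        if self.protocol is not None and flow["proto"] != self.protocol:
            return False
        if self.ports is not None:
            low, high = self.ports
            if not (low <= flow["sport"] <= high or low <= flow["dport"] <= high):
                return False
        return True


@dataclass
class GroupedApp:
    ident: int        # stable identifier used by long-term data and filter URLs
    name: str
    precedence: int   # assumption: a larger number means higher precedence
    rules: List[Rule]


def classify(flow, groups, simple_apps):
    """Return the application name for a flow, or None if nothing matches."""
    # Traffic that passes at least one rule belongs to that grouped application.
    hits = [g for g in groups if any(r.matches(flow) for r in g.rules)]
    if hits:
        # Any grouped application outranks every simple application, so the
        # flow is counted once, under the highest-precedence group.
        return max(hits, key=lambda g: g.precedence).name
    # Simple application: protocol plus port. If both ports are named, the
    # lower port number wins, as in the Recognized Applications report.
    for port in sorted((flow["sport"], flow["dport"])):
        name = simple_apps.get((flow["proto"], port))
        if name:
            return name
    return None


# Constructed sample data.
SIMPLE_APPS = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns"}
GROUPS = [
    GroupedApp(1, "Datacenter", 5, [Rule(network="10.20.0.0/16")]),
    GroupedApp(2, "ERP", 10, [
        Rule(network="10.20.0.0/24", protocol="tcp", ports=(443, 443)),
        Rule(network="10.20.0.0/24", protocol="tcp", ports=(8000, 8010)),
    ]),
]
FLOWS = {
    "erp": {"src": "10.1.2.3", "sport": 51000, "dst": "10.20.0.5",
            "dport": 443, "proto": "tcp"},
    "ssh": {"src": "10.1.2.3", "sport": 51001, "dst": "10.20.7.9",
            "dport": 22, "proto": "tcp"},
    "web": {"src": "192.0.2.5", "sport": 40000, "dst": "198.51.100.7",
            "dport": 443, "proto": "tcp"},
    "other": {"src": "192.0.2.5", "sport": 5000, "dst": "198.51.100.7",
              "dport": 6000, "proto": "udp"},
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(label, "->", classify(flow, GROUPS, SIMPLE_APPS))
```

The "erp" flow passes a rule in both groups and is counted under ERP alone, which is how precedence prevents double-counting.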

To define a grouped application:


1 Select Main Menu > Settings > IP Application Names.

2 On the lower part of the page, enter a unique identification
number and name for the application.
3 Set the precedence of the application.
4 Click New. The Grouped Application page is shown.
5 Apply an address range, protocol, port or port range, traffic class,
identified application, and click Add. To delete a grouped
application, select its checkbox and click Delete.

Note
Do not change the identifier of an existing grouped application
because long-term data uses this. Use caution when deleting
grouped applications.

6 Click OK.
7 On the IP Application Names page, click OK.

DiffServ Names
Use DiffServ Names settings to assign names to each of the 64
differentiated service code points. Standard code point names are
already configured.

To add a DiffServ name:


1 From the NetFlow Tracker Main Menu, select Settings > IP
Application Names.
2 Enter the DiffServ codepoint and name.
3 Click Add. To remove a code name from the list, select its
checkbox and click Delete.
4 Click OK.

Hostname Resolution Settings
Use Hostname Resolution Settings to configure aspects of the
resolution of hostnames for addresses encountered on reports. These
names are kept to increase reporting speed and reduce the amount
of network traffic NetFlow Tracker generates when generating a
report. You can set the length of time to store resolved hostnames
and failed lookups in cache. You can also control the size of the cache
and the number of threads used to resolve hostnames.

Note:
• If hostname resolution is not working, click Defaults and then OK
to return to useful default values.
• To clear the cache of resolved hostnames, clear Enable hostname
resolution and click OK. Then return to the Hostname Resolution
settings page and check this setting again.

To set hostname resolution:


1 Select Main Menu > Settings > Hostname Resolution.
2 Select Enable hostname resolution.
3 Set the length of time to cache successful lookups. The default is
1800 seconds (30 minutes).
4 Set the length of time to cache failed lookups. The default is 10
seconds.
5 Set the maximum number of cached lookups and concurrent
resolutions.
6 Click OK.

Subnet Names
Use Subnet Names to assign names to the IP subnets that appear in
reports. You define an IP subnet by its network address and mask
length. Subnet names you define here are shown in subnet reports.
Because routers may use different mask lengths to route different
traffic, you can assign names to overlapping subnets.


To set subnet names:


1 Select Main Menu > Settings > Subnet Names.
2 Enter the subnet IP address and a mask.
3 Enter a unique subnet name.
4 Click Add. To delete a subnet, select its checkbox and click Delete.
5 Click OK.

AS Names
Use AS Names to assign names to autonomous system (AS) numbers
appearing in reports.
• AS numbers from 0 to 34816 are assigned by several agencies;
NetFlow Tracker comes with many of these ASes already named.
You can, however, edit these.
• Numbers between 34816 and 64511 are held by the IANA and are
not available for use.
• Numbers from 64512 to 65535 are available for use.

The AS names you define here are shown in reports.

To set AS names:
1 Select Main Menu > Settings > AS Names.
2 Enter an AS number. To assign or edit the name of a public or
reserved AS, click (more…).
3 Enter a unique subnet name.
4 Click Add. To delete a subnet, select its checkbox and click Delete.
5 Click OK.

Data Management and System Performance Monitoring
Use these settings to manage the database, back up and archive
data, allocate memory, and monitor system performance. Topics
include:
• Database Settings
• Backup
• Archiving
• Memory Settings
• Making Sure That Data is Received

Database Settings
Use Database Settings to improve the performance of reports and
charts and to change the number of days for which data is stored (see
Table 11).

Table 11 Database Settings

Option
    Definition

Expect large result sets
    Controls how the database server manipulates raw data. Leave the
    default setting, Auto, to let the database optimize itself. If you
    have a fast disk subsystem, set this to Always to make sure reports
    with large amounts of data perform well. If you have a slower disk
    subsystem, a lot of RAM, and a relatively small amount of data,
    consider setting this to Never. Note, however, that reports with
    large amounts of data may take much longer to run.

Maximum in-memory temporary table size
    The maximum amount of memory the database server will use during a
    query when you do set “Expect large result sets” to Never.
    Increasing this increases the amount of data that it can report
    before performance drops significantly.

Sort buffer size
    The size of the buffer used to reduce the amount of disk seeks when
    sorting rows for grouping or final display. Increasing this improves
    reporting speed. You are unlikely to see any benefit for sizes above
    128MB.

Hold back real-time data for
    Set the number of seconds after its end that each one-minute sample
    of real-time data is held in RAM before being committed to disk. You
    may need to increase this to avoid ignored flows.

MySQL can not access temporary files
    Leave clear to improve the database performance. However, on Unix if
    the user you run as has a umask that creates temporary files that
    MySQL cannot read, check this setting.

Number of threads to use to generate a report
    Set the number of threads used to generate real-time charts over
    time and pie charts. Do not set this to more than the number of CPU
    cores in your system. You are unlikely to see any benefit beyond 4.

Store real-time data for
    Change the number of days full real-time data is stored for. Reduce
    this to save disk space. Increase this if you have enough free
    space.

Store long-term report data for...
    Change how long the different types of long-term data are stored.
    Each type of data allows a long-term chart to display blocks of that
    size. If the block size is not specified when opening a long-term
    report, then the closest available size to the ideal for the
    selected time range is used.

Use compression
    Reduce the amount of disk space used. Note: Reducing the disk space
    is likely to slow down report generation.

Backup
Use Backup settings to back up the configuration of your NetFlow
Tracker server and its real-time and long-term databases.

Note
A full backup can take a long time to complete and uses a large
amount of disk space. Test the effect a full backup has upon the
system before scheduling it.

You can start a backup on demand or configure a schedule. The
folder’s contents are erased before the backup, so make sure that you
move scheduled backups to long-term storage if you need to save
space. Schedule a backup to different locations on alternate days.

To back up data:
1 Select Main Menu > Settings > Backup.
2 For a scheduled backup:
a Enter the scheduled time and days.
b Select the databases to include.
c Enter the destination folder on the NetFlow Tracker server.
d Click Add. To delete a scheduled backup, select its checkbox
and click Delete.
3 For an on-demand backup:
a Enter the destination folder on the server.
b Select the databases to include.
c Click Start.
4 Click OK.

To restore a backup:
1 Install your previous version of NetFlow Tracker. To obtain this,
contact Fluke Networks TAC.
2 On Windows, open a command prompt and issue the following
commands, replacing paths as appropriate. (<enter> means to
press the Enter key.)
    c: <enter>
    cd \nftracker <enter>
    runany c:\nftracker c:\progra~1\java\j2re14~1.2_0 com.crannogsoftware.ulysses.CRestore -sourcefolder c:\nftbackup <enter>
On Linux, type the following commands in a terminal, again
replacing paths as appropriate:
    cd /usr/local/nftracker <enter>
    ./runany com.crannogsoftware.ulysses.CRestore -sourcefolder /var/nftbackup <enter>
    chown -R nft:nft .systemPrefs
    chown -R mysql:mysql /var/lib/mysql/crannog_ulysses
    chown -R mysql:mysql /var/lib/mysql/crannog_ulysses_longterm


Archiving
Use Archiving settings to archive real-time data instead of deleting it
when it exceeds the length of storage time configured in Database
Settings. You can set the archive location and access archived data by
mounting the archive containing the data you want to examine and
using the Filter Editor.

Note:
• You must enable archiving for each device that you want to
archive data from in Device Settings. See “Database Settings” on
page 89.
• Archived data is not deleted. You must move archived data to
long-term storage in a timely manner.
• You cannot mount an archive from a device that was deleted or
was never present on the server.
• Mounting and unmounting archives does not affect the archive
file itself.
• You can restore archived data from NetFlow Tracker v4.0.

You can store all archives in the archive folder or in subfolders for
each device or day.

To mount an archive:
1 Select Main Menu > Settings > Archiving.
2 Under Mount Archives, enter the directory containing the archive
and click List.
3 Select archives and click Mount. When archives are mounted they
appear under Currently Mounted Archives. To unmount these,
select and click Unmount.
4 Click OK.

Memory Settings
Use Memory Settings to control the amount of initial and maximum
memory used by NetFlow Tracker. During normal operation, NetFlow
Tracker uses a small amount of memory, so in most cases you do not
need to change the default settings.

Note the following:


• By incorrectly allocating memory you can prevent NetFlow
Tracker from functioning properly.
• The Memory Settings page is not available on Unix installations.
To change the memory settings on Unix you must edit the start
script.

A: Setting up NetFlow on Network Devices

Topics include:
• Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch
• Configuring NetFlow Input Filters for Traffic Class Reporting
• Enabling Flow Detail Records on a Packeteer Device
• Enabling NetFlow on an Enterasys Device
• Enabling sFlow on a Foundry Device

For information about other supported flow standards and devices,
see the Fluke Networks Knowledge Base.

Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch
Only users experienced in configuring Cisco devices should attempt to
apply these commands. If you are in doubt, contact your network
administrator or Cisco consultant. Note: If you are running hybrid
mode on a layer 3 switch you must set up IOS on the MSFC and CatOS
on the Supervisor Engine. Native IOS also requires extra commands
which are documented in the following sections. For more
information, see http://www.cisco.com/go/netflow.


Enabling NetFlow Export on an IOS Device


In configure mode on the router or MSFC, issue the commands in
Table 12 to enable NetFlow export:

Table 12 IOS NetFlow Commands

Command
    Definition

ip cef
    Enables Cisco Express Forwarding, which is required for NetFlow in
    most recent IOS releases.

ip flow-export destination <address> 2055
    Use the address of your NetFlow Tracker server and one of the ports
    configured in the Listener Ports settings page. Port 2055 is
    monitored by default.

ip flow-export source loopback 0
    The source interface is used to set the source IP address of the
    NetFlow exports that the router sends. NetFlow Tracker makes SNMP
    requests of the router on this address. If you experience problems,
    set the source interface to an Ethernet or WAN interface instead of
    the loopback.

ip flow-export version 5 [peer-as | origin-as]
or
ip flow-export version 9 [peer-as | origin-as]
    Sets the export version. NetFlow Tracker supports IOS versions 5 and
    9. If you have a Native IOS switch you may need to use version 9 to
    work around an issue. If your router uses BGP, you can include the
    origin or peer ASes in exports. You cannot include both.
    Note: Enabling or disabling NetFlow versions 5 or 9 on a 12000
    series router causes packet forwarding to stop for a few seconds
    while the route processor and line card CEF tables reload. To avoid
    interruption of service to a live network, apply this command during
    a change window, or include it in the startup-configuration file to
    be executed during a router reboot.

ip flow-cache timeout active 1
    Breaks up long-lived flows into one-minute segments.

ip flow-cache timeout inactive 15
    Makes sure that flows that have finished are exported in a timely
    manner.

interface <interface>
ip route-cache flow
or ip flow ingress
or ip route-cache cef
bandwidth <kbps>
exit
    Enable NetFlow on each interface through which the traffic you are
    monitoring flows (normally the Ethernet and WAN interfaces). Note:
    There are several commands to enable NetFlow on an interface and you
    must use the same command for every interface.
    ip route-cache flow and ip flow ingress enable NetFlow for inbound
    traffic on the interface, but you apply the latter to individual
    sub-interfaces and the former to the physical interface. Do not
    enable NetFlow for a physical interface and one or more of its
    sub-interfaces.
    ip flow egress enables NetFlow for outbound traffic on the interface
    and is required if you are using input filters. You may enable
    NetFlow for both inbound and outbound traffic on a single interface.
    In this case, make sure that no other interface has NetFlow enabled.
    Egress NetFlow is also useful if you are monitoring a router that
    applies QoS to the traffic it routes. By using egress NetFlow, you
    see QoS settings that the router applied rather than those on the
    traffic before it was routed.
    You may also need to set the speed of the interface in kilobits per
    second. It is important to do this for frame relay or ATM virtual
    circuits. Note: A Catalyst 4000 series switch does not support any
    of the commands to enable NetFlow for an interface. Instead, NetFlow
    is enabled for all interfaces using the following special command.

show ip flow export
    Shows the current NetFlow configuration. Issue this in normal (not
    configuration) mode.

show ip cache flow
show ip cache verbose flow
    These commands issued in normal mode summarize the active flows and
    indicate how much NetFlow data the router is exporting.

Enabling NDE on a Native IOS Device


In addition to commands listed in Table 12, use the commands in
Table 13 to get NetFlow information on route-switched traffic from a
Catalyst 6000 or above. These are not required for a Catalyst 4000
series.

Table 13 IOS NDE Commands

Command
    Definition

mls netflow
    Enables NetFlow on the supervisor.

mls nde sender version 5
or
mls nde sender version 7
    Sets the export version. Due to IOS issues, the export version you
    must use on the supervisor depends on your hardware configuration
    and IOS version:
    • Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E,
      12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5.
      Note: This configuration causes Performance Counters to report
      missed flows that are not actually missed as a result of an IOS
      bug fixed in the SXF strains.
    • Distributed Forwarding Cards and older than 12.1(13)E03,
      12.1(18.1)E, 12.2(13.6)S, 12.2(15.1)S or 12.2(17a)SX: This
      configuration causes serious problems. Contact Fluke Networks TAC
      if your device matches this description.
    • No Distributed Forwarding Cards and 12.0(24)S, 12.2(18)S, 12.3(1)
      or above: Use version 5 and configure the MSFC to export version 9
      as described above.
    • No Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E,
      12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5.
    • All others: Use version 7. Note: Version 7 may not include AS or
      subnet mask information.

mls aging long 64
    Breaks up long-lived flows into one-minute segments.

mls aging normal 32
    Makes sure that completed flows are exported in a timely manner.

mls flow ip interface-full
mls nde interface
or
mls flow ip full
    If you have a Supervisor Engine 2 or 720 running IOS version
    12.1.13(E) or higher, you must use the first two commands to put
    interface and routing information into the NetFlow Exports. This
    information is unavailable with any earlier IOS version on the
    Supervisor Engine 2 or 720.
    If you have a Supervisor Engine 1, use the third command to put full
    information into the NetFlow Exports.

ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
    A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for
    this command, which enables NDE for all traffic within the specified
    VLANs rather than just inter-VLAN traffic.

Enabling NetFlow Export on a 4000 Series Switch


The 4000 and 4500 series switches require a Supervisor IV with a
NetFlow Services daughter card (WS-F4531), or a Supervisor V, and IOS
version 12.1(19)EW or above to support NetFlow. First configure the
device as for an IOS device, omitting the command ip route-cache
flow on each interface, and then issue the following command:
    ip route-cache flow infer-fields

This makes sure that routing information is included in the flows.

Configuring NDE on a CatOS Device


A layer 3 switch running CatOS appears as two devices. You can set up
the MSFC to export NetFlow information on all the packets it routes
by following the instructions for configuring an IOS device above.

Table 14 IOS Commands on CatOS Device

Command
    Definition

set system name <name>
    In privileged mode on the Supervisor Engine, issue this to enable
    NDE: Set the name of your switch. Note: Even if the prompt has been
    set to the name of the switch you still need this command.

set mls nde <address> 2055
    Use the address of the NetFlow Tracker server and one of the ports
    configured in the Listener Ports settings page. Port 2055 is
    monitored by default.

set mls nde version 7
    Sets the export version. Version 7 is the most recent full export
    version supported by switches.

set mls agingtime long 64
    Breaks up long-lived flows into one-minute segments.

set mls agingtime 32
    Makes sure that completed flows are exported in a timely manner.

set mls flow full
    Sets the flow mask to full flows. This is required to get useful
    information from the switch.

set mls bridged-flow-statistics enable <vlanlist>
    CatOS 7.(2) or higher is required for this command, which enables
    NDE for all traffic within the specified VLANs rather than just
    inter-VLAN traffic.

set mls nde enable
    Enables NDE.

show mls nde
show mls debug
    These commands help debug your NDE configuration.


Configuring NetFlow Input Filters for Traffic Class Reporting
IOS versions 12.2(25)S, 12.2(27)SBC and 12.3(4)T and greater support
the NetFlow Input Filters feature, which NetFlow Tracker can use to
report upon the traffic class used to route each flow.

Table 15 NetFlow Input Filters for Traffic Class Reporting

Command
    Definition

flow-sampler-map allflows
mode random one-out-of 1
exit
    Create a flow sampler that exports every flow record.

policy-map netflowpolicymap
class <class>
netflow-sampler allflows
exit
exit
    Create a policy map containing NetFlow sampling actions. You must
    include each class for which you want information.

interface <interface>
service-policy input netflowpolicymap
exit
    Associate the policy map with an interface. You must associate the
    policy map with each NetFlow-enabled interface from which you want
    traffic class information.

Enabling Flow Detail Records on a Packeteer Device
A Packeteer 1200, 1550, 2500, 4500, 6500, 8500, 9500, or 10000 series
running PacketWise v7.0.0 or above and having 256MB or more of
memory can send either NetFlow records or a similar proprietary
format to NetFlow Tracker. For more information, see
http://support.packeteer.com/documentation/packetguide/rc3.1/overviews/flowdetail.htm.

To enable Flow Detail Records:
1 Log in to the PacketShaper in touch mode.
2 Open the flow detail records page on the setup tab.
3 In a collector row, enter the IP address of the NetFlow Tracker
server and one of the ports configured in Listener Ports settings
(2055 is monitored by default). Packeteer-1 is the recommended
record type for use with NetFlow Tracker. Packeteer-2 is not
recommended because NetFlow Tracker does not use the extra
information and bandwidth is wasted.
You can also export NetFlow v5 records. This prevents the Traffic
Classes and Identified Applications reports and filters from
functioning for the device.
4 Set the value under Enabled to on and click apply changes.
5 To make sure that NetFlow Tracker receives enough information
from the PacketShaper device, verify that the Look Community
String configured in the SNMP page is set up in SNMP Settings,
and set Packeteer-0 Packets to on in the system variables page.
6 If you have a recent version of PacketWise, you may need to
change extra settings on the system variables page. Set
Intermediate FDR to on, Intermediate FDR Timeout to 30000
milliseconds, and Reset Packeteer 1/2 counters to on. If these
settings are not available, then the PacketShaper describes all
traffic for a long-lived flow in one record, and NetFlow Tracker
counts it all in the minute during which the flow ended. This
leads to large spikes in charts for the device.

Enabling NetFlow on an Enterasys Device


NetFlow Tracker supports Enterasys devices capable of exporting
NetFlow version 9 exports. To enable NetFlow, enter the following
commands while logged in to the router with read/write access:


Table 16 NetFlow on an Enterasys Device

Command
    Definition

set netflow cache enable
    Enables NetFlow.

set netflow export-destination <address> 2055
    Use the address of your NetFlow Tracker server and a configured port
    in the Listener Ports settings page. Port 2055 is monitored by
    default.

set netflow export-interval 1
    Breaks up long-lived flows into one-minute segments.

set netflow port <port-string> enable
    You must enable NetFlow on each interface through which traffic you
    are monitoring flows, normally the Ethernet and WAN interfaces.

set netflow export-version 9
    Sets the export version. Version 9 is required for NetFlow Tracker
    to associate NetFlow information with the interfaces it relates to.

Enabling sFlow on a Foundry Device


NetFlow Tracker supports Foundry devices capable of exporting sFlow
version 2 and 5 exports. To enable NetFlow, enter the following
commands while logged in to the router with read/write access:

For more information, see the Foundry Command Reference Guide.

Table 17 sFlow on a Foundry Device

Command
    Definition

(config)# sflow enable
    Enable sFlow globally

(config)# sflow destination x.x.x.x
    Configure a destination

(config)# interface eth 1
or
(config)# interface eth 1 to 48
(config-if-1)# sflow forwarding
    Enable sFlow on a port or ports

B: Report Templates

When you create a report or chart you can choose from the report
templates, depending on the type of data you want to examine.
• Address Reports
• Session Reports
• QoS Reports
• Network Reports
• Interface Reports
• Traffic Identification Reports
• Full Flow Forensics Reports
• Other Reports

Address Reports
Report
    Shows...

Source Addresses
    The IP addresses that were the source of most traffic or packets.

Destination Addresses
    The destination IP addresses that were the destination of most
    traffic or packets.

Addresses
    Busiest addresses. Includes total traffic, source traffic,
    destination traffic, total packets, source packets, and destination
    packets. For each metric, includes percentage of total traffic.

Address Pairs
    The pairs of connected IP addresses that exchanged most traffic or
    packets.

Bi-directional Address Pairs
    In extra columns, the traffic and packets sent from destination to
    source for each address pair.

Source Address Dissemination
    The source addresses that conversed with the most distinct
    destination addresses and that were involved in the most distinct
    endpoint-to-endpoint conversations. This can help detect file
    sharing or virus infected hosts.

Destination Address Popularity
    The destination addresses that conversed with the most distinct
    source addresses and that were involved in the most distinct
    conversations.

Session Reports
Report
    Shows...

Protocols
    The IP protocols, such as TCP or UDP, used by most traffic or
    packets.

Source Applications
    The IP applications that were the source of the most traffic or
    packets. An IP application is a combination of an application port
    and protocol: for example, HTTP or FTP. You can assign names to
    applications using the IP Application Names settings page. Examining
    the source applications inwards on an interface can show you what
    applications are using your Internet bandwidth.

Destination Applications
    The IP applications that were the destination of most traffic or
    packets. The destination applications outwards can show the most
    requested applications on a link.

Recognized Applications
    The IP applications that were the source or destination of most
    traffic or packets. Whether the application was the source or
    destination depends on whether it has a name defined in the IP
    Application Names settings page or, if both or neither have names,
    which has the lower port number.

Conversations
    The pairs of connected endpoints that exchanged most traffic or
    packets. A single conversation represents, for example, a web
    browser downloading a single image.

Bi-directional Conversations
    In extra columns, the traffic and packets sent from destination to
    source for each conversation.

Source Endpoints
    The IP addresses and corresponding applications that were the source
    of most traffic or packets. The top source endpoints inwards on a
    link are the remote services using your bandwidth.

Destination Endpoints
    The IP addresses and corresponding applications that were the
    destination of most traffic or packets.

Server-Client Sessions
    The pairs of connected source endpoints and destination addresses
    that exchanged most traffic or packets. A session might represent,
    for example, a web browser downloading several web pages with images
    from a web server.

Client-Server Sessions
    The pairs of connected source addresses and destination endpoints
    that exchanged the most traffic or packets. A session could
    represent a client’s requests to a web server for several pages and
    images.

Sessions
    Source and destination address, application, traffic, percentage of
    total traffic, packets, and percentage of total packets.

Bi-directional Sessions
    Data in Sessions report, plus forward and reverse traffic and
    packets.


QoS Reports
Report
    Shows...

Types of Service
    The ToS levels with most traffic or packets.

Differentiated Services
    The DiffServ code points with most traffic or packets.

Network Reports
Report Shows...
Source ASes The autonomous systems that were the source of
most traffic or packets. Note: A switch does not know
anything about ASes.
Destination ASes The autonomous systems that were the destination
of most traffic or packets.
ASes Busiest ASes. Includes total traffic, source traffic,
destination traffic, total packets, source packets, and
destination packets. For each metric, includes
percentage of total traffic.
AS Pairs The pairs of connected ASes that exchanged most
traffic or packets.
Bi-directional AS Pairs In extra columns, the traffic and packets sent from
destination to source for each AS pair.
Source Networks The IP subnets that were the source of most traffic or
packets. Note: A router may not know the subnet of
a particular address and a switch never knows it.
Destination Networks The IP subnets that were the destination of most
traffic or packets.
Network Pairs The pairs of connected IP subnets that exchanged
most traffic or packets.
Bi-directional Network Pairs In extra columns, the traffic and packets sent from
destination to source for each network pair.

Interface Reports
Report Shows...
In Interfaces The router interfaces or switch ports that were the
arrival point of most traffic or packets. Note: This is
only meaningful for the outwards direction.
Out Interfaces The router interfaces or switch ports that were the
departure point of most traffic or packets. Note: This
is only meaningful for the inwards direction.
Interface Pairs In and out interfaces, in and out percentage of
usage, traffic, percentage of total traffic, packets,
and percentage of packets for devices.
VPNs The VPNs with most traffic or packets. You must
associate interfaces with VPNs in Device Settings for
this report to function.
Next Hops The next-hop addresses that received most traffic or
packets. Note: Only a router can supply a next-hop
address.

Traffic Identification Reports


Report Shows...
Identified Applications Identified applications with the most traffic or
packets.
Traffic Classes Traffic classes with the most traffic or packets.


Full Flow Forensics Reports


Report Shows...
TCP Flags TCP flag, traffic, percentage of total traffic, packets,
and percentage of total packets.
Duration Flows ranked by duration—the full length of a flow.
Includes amount of traffic, percentage of total
traffic, number of packets, and percentage of total
packets.
Full Flow Conversations Start and end times, source and destination addresses
and applications, in and out interfaces, TCP flags, and
traffic for each flow.

Other Reports
Report Shows...
Total Address Pairs Total number of address pairs.
Total Conversations Total number of conversations.
Total Traffic, percentage of total traffic, packets, and
percentage of total packets.

C: Report URL Parameters

In addition to the filters used when configuring NetFlow Tracker
reports, you can apply additional custom parameters to further
define data. You can generate your own URLs or modify
automatically created ones for use in network management portals
favorites lists.

Table 18 Customizable Filter Parameters

Parameter Specifies...
templid The report template to use.
id The long-term report to open.

cid The executive report to open.

output The type of report to generate: tabular or chart.


nrecords The number of rows to show per page of a tabular view.

others That a tabular view shows an “others” row instead of a page navigator.

visible A visible column of a table or chart.

nelements The number of elements to chart.

chartTitle The chart to show.

chartWidth The width of the chart.


chartHeight The height of the chart.

sections The report sections to output.

features The available interactive report features.

resolve How domain names will be handled in a report with an IP address column.

format The output format of the report or chart.

reload The number of seconds between automatic refreshes of the report.


splash Show the splash screen.

stime The start of the required time range.

etime The end of the required time range.

length The length of the required time range.

unit The unit to measure the time range in.

nunitsago The number of units before the time of report generation the time range should end.

nunits The number of units required.

date_unit The unit to measure how long before the report is generated the time range starts
and ends.
sdate_unit The unit to measure how long before the report is generated the time range starts.

sdate_nunitsago The number of units before the time of report generation of the first day of the time
range.

edate_unit The unit to measure how long before the report is generated the time range ends.
edate_nunitsago The number of units before the time of report generation of the last day of the time
range.

stime The time of day at which the time range starts (simple calendar).
etime The time of day at which the time range ends (simple calendar).

timemask An inclusive mask to apply to the time range.

timezone The time zone of the view.

sample_unit The unit to measure the sample size in.

sample_nunits The number of units in each sample.

range The source long-term data to use.


sample The source long-term data to use.

sf Saved filter to apply to the report.

device The address of a permitted NetFlow-exporting device.


inif A permitted input interface, thus selecting inbound traffic on the interface.

outif A permitted output interface, thus selecting outbound traffic on the interface.

if A permitted input or output interface of the flow, thus selecting traffic passed in both
directions across the interface.

invpn A Virtual Private Network (VPN) that the input interface must be part of.

outvpn A VPN that the output interface must be part of.

vpn A VPN that either interface must be part of.

srcaddr A permitted source address.

dstaddr A permitted destination address.

addr A permitted source or destination address.

proto A permitted IP protocol.

srcport A permitted source application port number.

dstport A permitted destination application port number.

srcappl A permitted source IP application.

dstappl A permitted destination IP application.

appl A permitted source or destination IP application port.

recappl A permitted recognized IP application port.

applid A permitted identified application.


tos A permitted Type-of-Service byte.

ds A permitted differentiated service codepoint.

class A permitted traffic class.

srcas A permitted source autonomous system number.

dstas A permitted destination autonomous system number.

as A permitted source or destination autonomous system number.

srcnet A permitted source subnet.

dstnet A permitted destination subnet.

net A permitted source or destination subnet.

srcmask A permitted source subnet mask, as supplied by the router.

dstmask A permitted destination subnet mask.

mask A permitted source or destination subnet mask.


nexthop A next-hop address.

j_username The username.

j_password The password.


portalsecret The secret value assigned to the management portal.

acldevice The address of a permitted device that exports NetFlow.

aclif A permitted interface.

aclvpn A permitted VPN.

acltemplid A permitted report template.

aclid A permitted long-term report.

aclcid A permitted executive report.

aclfiltereditor A filter that will show in the Filter Editor.

aclsf A visible saved filter.

aclfeatures The permitted interactive report features.

General Format
http://<server>:<port>/report.jsp?prm=value&prm=value...

server The domain name or IP address of the NetFlow Tracker server


port The HTTP port of the NetFlow Tracker server
prm, value A named parameter and its value. Supply as many parameters
as necessary in any order with each prm=value pair separated
by an ampersand.

Report Parameters
templid – specifies the report template to use. Do not use this
parameter with id or cid.

0000 Source Addresses


0001 Destination Addresses
0002 Address Pairs

0003 Protocols
0006 Source Applications
0007 Destination Applications
0008 Source Endpoints
0009 Destination Endpoints
0010 Server-Client Sessions
0011 Client-Server Sessions
0012 Conversations
0013 Types of Service
0014 Differentiated Services
0015 Source ASes
0016 Destination ASes
0017 AS Pairs
0018 Source Networks
0019 Destination Networks
0020 Network Pairs
0021 In Interfaces
0022 Out Interfaces
0023 Next Hops
0024 Source Address Dissemination
0025 Destination Address Popularity
0026 Recognized Applications
0027 Traffic Classes
0028 Identified Applications
0029 Bi-directional Address Pairs
0030 Bi-directional Conversations
0031 Bi-directional AS Pairs
0032 Bi-directional Network Pairs
0033 Total
0034 VPNs
0035 Addresses


0036 Endpoints
0037 Networks
0038 ASes
0039 Sessions
0040 Bi-directional Sessions
0041 Interface Pairs
_flows Full flows

id – specifies the long-term report to open. You can enable several
standard long-term reports in Report Settings. The IDs for these
reports are given below. The ID for a custom report is available in
Report Settings. Do not use this parameter with templid or cid.

0000 Source Addresses per inbound interface


0001 Source Addresses per outbound interface
0002 Destination Addresses per inbound interface
0003 Destination Addresses per outbound interface
0004 Recognized Applications per inbound interface
0005 Recognized Applications per outbound interface
0100 Source Addresses per source device
0101 Destination Addresses per source device
0102 Recognized Applications per source device
<id> A custom long-term report ID

cid – specifies the executive report to open. The ID for an executive
report is available in Report Settings. Do not use this parameter with
templid or id.

<id> An executive report ID

output – specifies the type of report to generate: tabular or chart.

table A tabular report is generated (default)


chart A chart over time is generated
pie A pie chart is generated

nrecords – specifies the number of rows to show per page of a
tabular view.

<number> The number of rows per page


-1 Show all rows

others – specifies that a tabular view shows an Others row instead of
a page navigator. The long-term tabular view always shows an Others
row.

true An Others row is shown instead of a page navigator


false No Others row is shown (default)

visible – specifies a visible column of a table or chart. Apply this as
often as needed to include all desired columns. By default, all
columns are visible.

<heading> The URL-encoded column heading; note that % is URL-encoded
as %25
-<heading> A column to make invisible; parameters specifying invisible
columns cannot be mixed with those specifying visible columns

nelements – specifies the number of elements to chart.

<number> The number of elements to chart


chartTitle – specifies the chart to show.

<title> The chart title

chartWidth – specifies the width of the chart. Use this as an output
parameter in an executive report.

<width> The chart width in pixels

chartHeight – specifies the height of the chart. Use this as an
output parameter in an executive report.

<height> The chart height in pixels

sections – specifies the report sections to output.

<sections> The sections, formed by summing the values for each section
1 Title
2 Time range & filter description
4 Main report or chart body
8 Chart title, if applicable
16 Chart legend, if applicable
32 Result information, if applicable
-<sections> The sections that are not displayed

features – specifies the available interactive report features.

<features> The features, formed by adding the values for each feature
1 Navigation Menu
2 Select All button, if applicable
4 Zoom In button, if applicable
8 Zoom Out button, if applicable
48 Open as Tabular Report, Chart or Pie buttons as
applicable
64 Filter Editor button, if applicable
128 Refresh and Resolve All buttons, if applicable
256 Print and CSV buttons, if applicable
512 Open in New Window button
1024 Drilldown controls
2048 Direct drilldown links (found in navigation reports)
4096 Page navigator
8192 Sortable column headers
16384 Chart scrollbar
32768 Chart selection headers
65536 Time range editor, if specified
-<features> The features that are not displayed

resolve – specifies how domain names are handled in a report with
an IP address column.

all All domain names will be resolved and shown in full


available Only already resolved names will be shown, as tooltips (default)

format – specifies the output format of the report or chart.

html Fully interactive HTML (default)


print Printable/saveable HTML


csv Comma separated values

reload – specifies the number of seconds between automatic
refreshes of the report. Use this with one of the dynamic time ranges
(see “Time Range Parameters” on page 118). Only the interactive
HTML format supports this parameter.

-1 The report will not reload automatically (default)


<seconds> Number of seconds between refreshes

splash – controls whether the splash screen is shown.

true The splash screen is shown if it has not already been shown
(default).
false The splash screen is not shown.

Time Range Parameters

Setting Start and End Times


You can specify a fixed start and end time in plain text or in UTC,
which is the number of milliseconds since 1 Jan 1970.

stime – specifies the start of the required time range.

<time> The time in milliseconds UTC


<dd>/<MM>/<yyyy>%20<HH>:<mm> The time: <dd> is the date, <MM> the month,
<yyyy> the year, %20 a URL-encoded space
character, <HH> the hour in the 24-hour clock and
<mm> the minutes

etime – specifies the end of the required time range.

<time> The time in milliseconds UTC


<dd>/<MM>/<yyyy>%20<HH>:<mm> The time: <dd> is the date, <MM> the month,
<yyyy> the year, %20 a URL-encoded space
character, <HH> the hour in the 24-hour clock
and <mm> the minutes

Creating a Fixed Length URL with Current Time Range


To create a URL that always shows a current time range, specify a
number of milliseconds ending at the time the report is generated.

length – specifies the length of the required time range.

<millis> The length in milliseconds

Setting a Simple Calendar-Based Time Range


A simple calendar-based time range is a given number of units ending
when the report generates or at the end of the last full unit before
the report generates.

unit – specifies the unit to measure the time range in.

hour Hours
day Days
week Weeks
mon Weeks starting on a Monday
tue Weeks starting on a Tuesday
wed Weeks starting on a Wednesday
thu Weeks starting on a Thursday
fri Weeks starting on a Friday


sat Weeks starting on a Saturday


sun Weeks starting on a Sunday
month Months
quarter Quarters
halfyear Half-years
year Years

nunitsago – specifies the number of units before the time of report
generation the time range should end.

0 The time range will end at the end of the current unit at the time of
report generation; this is likely to be later than the time of report
generation
1 The time range will extend to the end of the last full unit before
the time of report generation (default)
<number> The time range will extend to the end of this number of full units
before the time of report generation

nunits – specifies the number of units required. This may include a
partial unit.

1 The time range will extend for a single unit (default)


<number> The time range will extend for this number of units

Setting an Advanced Calendar-Based Time Range


An advanced calendar-based time range has an optional start date
specified as a given number of units before the time of report
generation, defaulting to the day of report generation. Specify the
start time in plain text. Specify the optional end date in the same way
as the start date, defaulting to the same day as the start date. Specify
the end time in plain text.

date_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range starts and ends.

day Days
week Weeks
mon Weeks starting on a Monday
tue Weeks starting on a Tuesday
wed Weeks starting on a Wednesday
thu Weeks starting on a Thursday
fri Weeks starting on a Friday
sat Weeks starting on a Saturday
sun Weeks starting on a Sunday
month Months
quarter Quarters
halfyear Half-years
year Years

sdate_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range starts. Format as
for date_unit above.

sdate_nunitsago – (optional) specifies the number of units before
the time of report generation of the first day of the time range.

1 The first day of the time range is the first day of the current
unit at the time of report generation (default)
<number> The first day of the time range is at the start of this number of
full units before the time of report generation

edate_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range ends. Format as
for date_unit above.


edate_nunitsago – (optional) specifies the number of units before
the time of report generation of the last day of the time range.

0 The last day of the time range is the first day of the unit
following the current unit at the time of report generation
1 The last day of the time range is the first day of the current unit
at the time of report generation (default)
<number> The time range extends to the end of this number of full units
before the time of report generation

stime – specifies the time of day at which the time range starts.

<HH>:<mm>

The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes

etime – specifies the time of day at which the time range ends.

<HH>:<mm>

The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes

Applying a Time-of-Day Mask to the Time Range


If the time range is longer than a day, you may want to restrict it to
just certain times on each day. For example, you can select only
working hours or only non-working hours.

If a long-term report has a configured time zone or mask, this
parameter will have no effect.

timemask – specifies an inclusive mask to apply to the time range. To
specify multiple inclusive masks, include a parameter name and value
in the URL for each mask.

<day1>-<day2>/<time1>-<time2> The range of weekdays and the times on those
weekdays to include in the mask. A weekday is SUN,
MON, TUE, WED, THU, FRI or SAT, day2 coming on or
after day1 in the list above. Time is in the 24-hour
form hh:mm, and time2 is after time1

Setting a Time Zone


By default, the time zone of the NetFlow Tracker is used to interpret
calendar-based time ranges and time-of-day masks. You can specify a
non-default time zone. Note: If a long-term report has a configured
time zone or mask, this parameter has no effect.

timezone – specifies the time zone of the view.

0 (GMT-12:00) International Date Line West


1 (GMT-11:00) Midway Island, Samoa

2 (GMT-10:00) Hawaii

3 (GMT-09:00) Alaska
4 (GMT-08:00) Pacific Time (US & Canada); Tijuana

15 (GMT-07:00) Arizona

10 (GMT-07:00) Mountain Time (US & Canada)

13 (GMT-07:00) Chihuahua, La Paz, Mazatlan

33 (GMT-06:00) Central America

20 (GMT-06:00) Central Time (US & Canada)


30 (GMT-06:00) Guadalajara, Mexico City, Monterrey

25 (GMT-06:00) Saskatchewan

45 (GMT-05:00) Bogota, Lima, Quito

35 (GMT-05:00) Eastern Time (US & Canada)

40 (GMT-05:00) Indiana (East)

50 (GMT-04:00) Atlantic Time (Canada)


55 (GMT-04:00) Caracas, La Paz

56 (GMT-04:00) Santiago


60 (GMT-03:30) Newfoundland

65 (GMT-03:00) Brasilia

70 (GMT-03:00) Buenos Aires, Georgetown


73 (GMT-03:00) Greenland

75 (GMT-02:00) Mid-Atlantic

80 (GMT-01:00) Azores

83 (GMT-01:00) Cape Verde Is.

90 (GMT) Casablanca, Monrovia

85 (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London


110 (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

95 (GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague

105 (GMT+01:00) Brussels, Copenhagen, Madrid, Paris

100 (GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb


113 (GMT+01:00) West Central Africa

130 (GMT+02:00) Athens, Beirut, Istanbul, Minsk

115 (GMT+02:00) Bucharest

120 (GMT+02:00) Cairo

140 (GMT+02:00) Harare, Pretoria

125 (GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

135 (GMT+02:00) Jerusalem

158 (GMT+03:00) Baghdad

150 (GMT+03:00) Kuwait, Riyadh


145 (GMT+03:00) Moscow, St. Petersburg, Volgograd

155 (GMT+03:00) Nairobi

160 (GMT+03:30) Tehran

165 (GMT+04:00) Abu Dhabi, Muscat

170 (GMT+04:00) Baku, Tbilisi, Yerevan

175 (GMT+04:30) Kabul

180 (GMT+05:00) Ekaterinburg

185 (GMT+05:00) Islamabad, Karachi, Tashkent

190 (GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi

193 (GMT+05:45) Kathmandu

201 (GMT+06:00) Almaty, Novosibirsk

195 (GMT+06:00) Astana, Dhaka


200 (GMT+06:00) Sri Jayawardenepura

203 (GMT+06:30) Rangoon

205 (GMT+07:00) Bangkok, Hanoi, Jakarta

207 (GMT+07:00) Krasnoyarsk

210 (GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi

227 (GMT+08:00) Irkutsk, Ulaan Bataar


215 (GMT+08:00) Kuala Lumpur, Singapore

225 (GMT+08:00) Perth

220 (GMT+08:00) Taipei

235 (GMT+09:00) Osaka, Sapporo, Tokyo


230 (GMT+09:00) Seoul

240 (GMT+09:00) Yakutsk

250 (GMT+09:30) Adelaide

245 (GMT+09:30) Darwin

260 (GMT+10:00) Brisbane

255 (GMT+10:00) Canberra, Melbourne, Sydney

275 (GMT+10:00) Guam, Port Moresby

265 (GMT+10:00) Hobart

270 (GMT+10:00) Vladivostok


280 (GMT+11:00) Magadan, Solomon Is., New Caledonia

290 (GMT+12:00) Auckland, Wellington

285 (GMT+12:00) Fiji, Kamchatka, Marshall Is.

300 (GMT+13:00) Nuku'alofa

Setting the Chart Sample Size


When you create a real-time chart, the system chooses a sample size
that creates as close to 150 samples over the full width of the chart as
possible. You can specify a different sample size to show, for example,
a day in hour-long samples or a month in day-long samples.

sample_unit – specifies the unit to measure the sample size in.

minute Minutes
hour Hours
day Days
week Weeks
month Months
quarter Quarters
halfyear Half-years
year Years

sample_nunits – specifies the number of units in each sample.

1 Each sample will be one unit long (default)


<number> Each sample will be this number of units long

Setting the Source Long-term Data


When you create a long-term chart or tabular report, the source data
is chosen so the time range will be in as close to 150 samples as
possible. You can override this if you wish.

range – specifies the source long-term data to use.

daily Daily data (ten minute samples) are used


weekly Weekly data (one hour samples) are used
monthly Monthly data (six hour samples) are used
quarterly Quarterly data (twelve hour samples) are used

halfyearly Half-yearly data (one-day samples) are used
yearly Yearly data (two-day samples) are used

sample – specifies the source long-term data to use.

10minute Daily data (ten minute samples) are used


1hour Weekly data (one hour samples) are used
6hour Monthly data (six hour samples) are used
12hour Quarterly data (twelve hour samples) are used
1day Half-yearly data (one-day samples) are used
2day Yearly data (two-day samples) are

Filter Parameters
You can apply any number of filters to a report. Each filter is a set of
acceptable values for a certain aspect of the source data. If you do
not specify a filter, then all values are accepted.

To specify multiple acceptable values for a filter, include the
parameter name and value in the URL once for each value.

Note: The filters that you can apply to a long-term report depend
upon the report’s type.

sf – specifies a saved filter to apply to the report. The ID for a saved
filter is available in Report Settings.

<id> A saved filter ID

device – specifies the address of a permitted NetFlow-exporting
device.

<addr> The address in dotted-decimal format (a.b.c.d)


inif – specifies a permitted input interface, thus selecting inbound
traffic on the interface.

<addr>/<id> The interface: addr is the address of the NetFlow-exporting
device in dotted-decimal format and id is the NetFlow
Tracker-specific interface identifier
<addr>/-<ifindex> The interface: addr is the address of the NetFlow-exporting
device in dotted-decimal format and ifindex is the current
SNMP interface index assigned to the interface

outif – specifies a permitted output interface, thus selecting
outbound traffic on the interface. Format as for inif above.

if – specifies a permitted input or output interface of the flow, thus
selecting traffic passed in both directions across the interface. Format
as for inif above.

invpn – specifies a Virtual Private Network (VPN) that the input
interface must be part of.

<name> The VPN name; see Device Settings for more information
<id> The VPN identifier

outvpn – specifies a VPN that the output interface must be part of.
Format as for invpn above.

vpn – specifies a VPN that either interface must be part of. Format as
for invpn above.

srcaddr – specifies a permitted source address.

<addr> The address in dotted-decimal format

srcaddr_exclude=true – specifies that the supplied source
addresses are excluded rather than included.

dstaddr – specifies a permitted destination address. Format as for
srcaddr above.

dstaddr_exclude=true – specifies that the supplied destination
addresses are excluded rather than included.

addr – specifies a permitted source or destination address. Format as
for srcaddr above.

addr_exclude=true – specifies that the supplied source or
destination addresses are excluded rather than included.

proto – specifies a permitted IP protocol.

<name> The protocol name, such as TCP or UDP


<number> The protocol number, in the range 0-255

proto_exclude=true – specifies that the supplied protocols are
excluded rather than included.

srcport – specifies an acceptable source application port number.

<port> The application port number in the range 0-65535


<port1>-<port2> A range of port numbers, with port1 being the start of the
range and port2 the end

srcport_exclude=true – specifies that the supplied source
application port numbers are excluded rather than included.

dstport – specifies an acceptable destination application port
number. Format as for srcport above.

dstport_exclude=true – specifies that the supplied destination
application port numbers are excluded rather than included.

srcappl – specifies a permitted source IP application.


<port>/<name> The application: port is the application port number in the
range 0-65535 and name is the protocol name, such as TCP
or UDP
<port>/<number> The application: port is the application port number in the
range 0-65535 and number is the protocol number in the
range 0-255
<name> The name of a grouped application

srcappl_exclude=true – specifies that the supplied source
applications are excluded rather than included.

dstappl – specifies a permitted destination IP application. Format as
for srcappl above.

dstappl_exclude=true – specifies that the supplied destination
applications are excluded rather than included.

appl – specifies a permitted source or destination IP application port.
Format as for srcappl above.

appl_exclude=true – specifies that the supplied source or
destination applications are excluded rather than included.

recappl – specifies a permitted recognized IP application port.
Format as for srcappl above.

recappl_exclude=true – specifies that the supplied recognized
applications are excluded rather than included.

applid – specifies a permitted identified application.

<name> The identified application name; see Device Settings for more
information
<id> The identified application identifier

applid_exclude=true – specifies that the supplied identified
applications are excluded rather than included.

tos – specifies a permitted Type-of-Service byte.

<prec> The precedence, in the range 0-7


<tos> A string of letters indicating which ToS bits you must set or
unset.
D - low delay, d - normal delay
T - high throughput, t - normal throughput
R - high reliability, r - normal reliability
M - minimize monetary cost, m - normal monetary cost.
Any bits not specified as set or unset are disregarded.
<prec>%20<tos> The precedence and ToS as above; %20 being a URL-encoded
space character

tos_exclude=true – specifies that the supplied Type-of-Service
values are excluded rather than included.

ds – specifies a permitted differentiated service codepoint.

<name> The assigned name of the codepoint


<code> The six-digit binary representation of the codepoint
<byte> The value of the entire Type-of-Service byte, in the range 0-255

ds_exclude=true – specifies that the supplied differentiated service
codepoints are excluded rather than included.

class – specifies a permitted traffic class.

<name> The traffic class name. See “Applying Traffic Class IDs” on page 21.
<id> The traffic class identifier

class_exclude=true – specifies that the supplied traffic classes are
excluded rather than included.


srcas – specifies a permitted source autonomous system number.

<as> The AS number, in the range 0-65535

srcas_exclude=true – specifies that the supplied source
autonomous system numbers are excluded rather than included.

dstas – specifies a permitted destination autonomous system
number. Format as for srcas above.

dstas_exclude=true – specifies that the supplied destination
autonomous system numbers are excluded rather than included.

as – specifies a permitted source or destination autonomous system
number. Format as for srcas above.

as_exclude=true – specifies that the supplied source or destination
autonomous system numbers are excluded rather than included.

srcnet – specifies a permitted source subnet. Note that the subnet
mask supplied by the router is ignored.

<addr>/<mask> The subnet: addr is the network address in dotted-decimal
format and mask is the mask length, in the range 0-32

srcnet_exclude=true – specifies that the supplied source subnets
are excluded rather than included.

dstnet – specifies a permitted destination subnet. Format as for
srcnet above.

dstnet_exclude=true – specifies that the supplied destination
subnets are excluded rather than included.

net – specifies a permitted source or destination subnet. Format as
for srcnet above.

net_exclude=true – specifies that the supplied source or
destination subnets are excluded rather than included.

srcmask – specifies a permitted source subnet mask, as supplied by
the router.

<mask> The mask length, in the range 0-32

srcmask_exclude=true – specifies that the supplied source subnet
masks are excluded rather than included.

dstmask – specifies a permitted destination subnet mask. Format as
for srcmask above.

dstmask_exclude=true – specifies that the supplied destination
subnet masks are excluded rather than included.

mask – specifies a permitted source or destination subnet mask.
Format as for srcmask above.

mask_exclude=true – specifies that the supplied source or
destination subnet masks are excluded rather than included.

nexthop – specifies a next-hop address.

<addr> The address in dotted-decimal format

nexthop_exclude=true – specifies that the supplied next-hop


addresses are excluded rather than included.

Security Parameters
If a username and password are required to access a report, you can
specify them in the URL.


j_username – specifies the username.

<username> The username

j_password – specifies the password.

<password> The password

Management Portal Access Control Parameters
A management portal that provides users with access to NetFlow
Tracker reports uses the following parameters. For more information,
see “Management Portal Settings” on page 82.

portalsecret – specifies the secret value assigned to the management portal in Management Portal Settings.

<secret> The secret value

acldevice – specifies the address of a permitted device that exports NetFlow data. Format as for device above.

aclif – specifies a permitted interface. Format as for inif above.

aclvpn – specifies a permitted VPN. Format as for invpn above.

acltemplid – specifies a permitted report template.

null No report templates are permitted

<id> A permitted report template; see templid in Report Format Parameters above for permitted values

aclid – specifies a permitted long-term report.

null No long-term reports are permitted

<id> A permitted long-term report; see id in Report Format Parameters above for permitted values

aclcid – specifies a permitted executive report.

null No executive reports are permitted

<id> A permitted executive report; see cid in Report Format Parameters above for permitted values

aclfiltereditor – specifies a filter that will appear in the Filter Editor. Note that it will be possible for the user to create reports with other filters by drilling down or manually editing a URL.

null No filter editors are permitted

0 Source Device
1 Source Address
2 Dest Address
3 Src/Dest Address
4 Next Hop
5 In Interface
6 Out Interface
7 In/Out Interface
8 Protocol
9 Source Port
10 Dest Port
11 Src/Dest Port
12 Source Application
13 Dest Application
14 Src/Dest Application
15 ToS
16 DiffServ
17 Source AS
18 Dest AS
19 Src/Dest AS
20 Source Subnet
21 Dest Subnet
22 Src/Dest Subnet
23 Source Mask
24 Dest Mask
25 Src/Dest Mask
26 Recognised Application
27 Traffic Class
28 Identified Application
29 VPN
30 In VPN
31 Out VPN

aclsf – specifies a visible saved filter.

null No saved filters are visible

<id> A visible saved filter; see sf in Filter Parameters above for permitted values

aclfeatures – specifies the permitted interactive report features. For parameters, see features.
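
Because j_password and portalsecret are supplied as URL parameters, any access log that records the full request URL will contain them. The following is an added example, not part of the original guide or of NetFlow Tracker: it finds and redacts those two parameters in access-log lines. The Common Log Format layout, the /report.example path and all sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names come from this guide; paths, hosts and values below are constructed.
SENSITIVE = {"j_password", "portalsecret"}
# Request line of a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; /report.example is a hypothetical path.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Aug/2008:10:01:22 +0000] "GET /report.example?srcas=64512&j_username=alice&j_password=S3cret%21 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [12/Aug/2008:10:02:05 +0000] "GET /report.example?nexthop=192.0.2.1&portalsecret=abc123 HTTP/1.1" 200 4096',
    '192.0.2.12 - - [12/Aug/2008:10:03:40 +0000] "GET /report.example?srcas=64512 HTTP/1.1" 200 2048',
]

def redact_target(target):
    """Return (redacted_target, sorted names of sensitive parameters found)."""
    parts = urlsplit(target)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scan_log(lines):
    """Return (line_number, names_found, redacted_line) for each exposing line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, found = redact_target(match.group("target"))
        if found:
            start, end = match.span("target")
            hits.append((number, found, line[:start] + redacted + line[end:]))
    return hits

if __name__ == "__main__":
    for number, found, safe_line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)} exposed -> {safe_line}")
```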

D: File Formats

CSV File Format


You can convert every standard chart and tabular report to
comma-separated-value format for import into a database server or
spreadsheet.

Chart CSV format


Each section is separated by a row of “=” signs. The first section is the
chart title; the second is the time range and filter.

Each following section represents a single chart, equivalent to the
tabs above the chart in interactive mode. The first line of the section
is the name of the chart. The next two rows contain the start and end
time of each sample in milliseconds UTC. Each has an empty column
at the start to accommodate the description of each data row below.
Each data row consists of a description followed by a usage, octet
count or packet count for each sample.

Pie chart CSV format


Each section is separated by a row of “=” signs. The first section is the
chart title; the second is the time range and filter.

Each following section represents a single chart, equivalent to the
tabs above the chart in interactive mode. The first line of the section
is the name of the chart, followed by a row for each charted element
consisting of a description followed by a usage, octet count or packet
count.

Tabular report CSV format


Each section is separated by a row of “=” signs. The first section is the
report title; the second is the time range and filter.

The third section starts with the title of each column, separated by a
comma. Each following line in the section is a row with each value
separated by a comma, and text values contained within double
quotes. There are several differences between a report viewed in a
browser and one converted to CSV. In CSV format all rows are
included, information normally available by hovering the mouse over
a label is unavailable, and traffic and packets passed are output as
simple counts rather than rates.

The fourth section contains column totals, again separated by
commas. There are usually empty values in the total row
corresponding to non-numeric columns.
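
The four-section layout described above can be read with a short parser. This is an added example, not part of the original guide or of NetFlow Tracker. It assumes a separator row is a line consisting only of “=” characters and that totals are integer counts; the sample report, its column names and its values are constructed.

```python
import csv
import io

# Constructed sample; column names and values are illustrative, not real output.
SAMPLE = """Source Addresses
==========
Last hour; nexthop=192.0.2.1
==========
Source Address,Octets,Packets
"192.0.2.10",1200,10
"192.0.2.11",300,4
==========
,1500,14
"""

def split_sections(text):
    """Split report CSV text into sections at rows made up only of '=' signs."""
    sections, current = [], []
    for line in text.splitlines():
        marker = line.strip().strip('",')
        if marker and set(marker) == {"="}:
            sections.append(current)
            current = []
        elif line.strip():
            current.append(line)
    sections.append(current)
    return sections

def parse_tabular_report(text):
    """Parse the four sections: title, time range/filter, table, totals."""
    sections = split_sections(text)
    if len(sections) != 4 or not sections[2] or not sections[3]:
        raise ValueError("expected title, time range/filter, table and totals sections")
    title, scope, table, totals = sections
    header, *data = csv.reader(io.StringIO("\n".join(table)))
    total_row = next(csv.reader(io.StringIO(totals[0])))
    for number, row in enumerate(data, 1):
        if len(row) != len(header):
            raise ValueError(f"row {number}: {len(row)} values for {len(header)} columns")
    return {
        "title": " ".join(title),
        "scope": scope,
        "columns": header,
        "rows": [dict(zip(header, row)) for row in data],
        "totals": {h: int(v) for h, v in zip(header, total_row) if v.strip()},
    }

if __name__ == "__main__":
    print(parse_tabular_report(SAMPLE)["totals"])
```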

XML Format
You can convert every standard chart and tabular report to XML for
use in external software. The XML schemas are in the xml subfolder
underneath the NetFlow Tracker installation folder.

The root of each XML document contains the report title. The first tag
in the root contains data about the NetFlow Tracker version that
generated the document.

The next tag contains data about the filter applied to the report. The
time range is set as a start and end in both milliseconds UTC and year,
month, day, hour, etc. The number of milliseconds spanned by the
time range is provided, taking into account the time mask applied, if
any.

Chart XML format


Each chart is described in a separate tag with a title attribute
equivalent to the title in the tabs above the chart in interactive mode.
The next tag describes the types and headings of each column in the
description of each charted element; the subsequent tag provides the
type, heading and overall total for each summary column.

The final tag describes each charted element, or dataset. Each dataset
has a value for each description column (unless it is marked as being
an “others” dataset) and a value for each summary column. This is
followed by the start and end time and value for each sample that
makes up the dataset.

Pie chart XML format


The pie chart format is very similar to the chart format, but there are
no datasets.

Tabular report XML format


A tabular report is described using two tags. The first describes the
type and heading of each column in the report; any column totals are
included here.

The second section describes each row in the table. If the number of
rows is restricted, the attributes of the result tag provide the start
result, number of results output and the total number of results in
the report. Each result contains a value for each column.
