User Guide
PN 3365122
August 2008
©2008 Fluke Corporation. All rights reserved.
All product names are trademarks of their respective companies.
NetFlow Tracker
User Guide
In the event that at any time You wish to extend the permitted number of servers or devices above the permitted amount,
You must contact FNET or the reseller from whom you purchased the Product ("the Reseller") and an additional License fee
may be agreed upon and a new License issued for the requested additional number of servers/devices.
FNET or your Reseller may require that You provide written certification showing the geographical locations, type and serial
number of all computer hardware on which the Software is being used, together with confirmation that the Product is
being used in accordance with the conditions of this Agreement. You shall permit FNET or your Reseller, and/or their
respective agents to inspect and have access to any premises, and to the computer equipment located there, at or on which
the Software is being kept or used, and any records kept pursuant to this Agreement, for the purposes of ensuring that the
Customer is complying with the terms of this License, provided that FNET/your Reseller provides reasonable advance notice
to the Customer of such inspections, which shall take place at reasonable times.
4. OTHER RESTRICTIONS
You shall not sub-License, distribute, market, lease, sell, commercially exploit, loan or give away the Product or any
associated documentation. For the avoidance of doubt, this License does not grant any rights in the Product to, and may not
be assigned, sub-Licensed or otherwise transferred to, any connected person, where the term connected person includes but
is not limited to the End User's subsidiaries, affiliates or any other persons in any way connected with the End User, whether
present or future. The Product and accompanying written materials may not be used on more than the permitted number of
servers at any one time or for in excess of the permitted number of devices. Subject always to any rights which You may
enjoy under applicable law (provided that such rights are exercised strictly in accordance with applicable law) and except as
expressly provided in this Agreement, You may not reproduce, modify, adapt, translate, decompile, disassemble or reverse
engineer the Product in any manner. You shall not merge or integrate the Product into any other computer program or
work, and You shall not create derivative works of the Product. FNET reserves all rights not expressly granted under this
Agreement.
5. LIMITED WARRANTY
FNET warrants that during the warranty period (a) the Product will perform substantially in accordance with its
accompanying written materials, and (b) the media on which the Product is furnished shall be free from defects in materials
and workmanship. The warranty period applicable to the Product shall be ninety (90) days from the date of delivery of the
Product or, if longer, the shortest warranty period permitted in respect of the Product under applicable law ("Warranty
Period"). The warranty for any hardware accompanying the Product shall be as stated on the warranty card shipped with
the hardware.
If, within the Warranty Period, You notify FNET of any defect or fault in the Product in consequence of which the Product
fails to perform substantially in accordance with its accompanying written materials, and such defect or fault does not result
from You, or anyone acting with your authority, having amended, modified or used the Product for a purpose or in a
context other than the purpose or context for which it was designed or licensed according to this Agreement, or as a result
of accident, power failure or surge or other hazards, FNET shall, at FNET's sole option and absolute discretion, do one of the
following:
(i) repair the Product; or
(ii) replace the Product; or
(iii) repay to You all license fees which You have paid to FNET under this Agreement.
FNET does not warrant that the operation of the Product will be uninterrupted or error or interruption free.
6. CUSTOMER REMEDIES
You must call your FNET representative to discuss remedies during the 90 day warranty period referred to in clause 5 above.
You acknowledge that your sole remedy for any defect in the Product will be Your rights under clause 5.
7. NO OTHER WARRANTIES
FNET AND/OR ITS SUPPLIERS, DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO
THE PRODUCT, THE ACCOMPANYING WRITTEN MATERIALS AND ANY ACCOMPANYING HARDWARE AND YOU AGREE THAT
THIS IS FAIR AND REASONABLE. THE EXPRESS TERMS OF THIS AGREEMENT ARE IN LIEU OF ALL WARRANTIES, CONDITIONS,
UNDERTAKINGS, TERMS OF OBLIGATIONS IMPLIED BY STATUTE, COMMON LAW, TRADE USAGE, COURSE OF DEALING OR
OTHERWISE, ALL OF WHICH ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.
9. TERMINATION
Either party shall be entitled forthwith to terminate this Agreement by written notice if the other Party commits any
material breach of any of the provisions of this Agreement and fails to remedy the same within sixty (60) days after receipt
of a written notice from the non-breaching Party giving full particulars of the breach and requiring it to be remedied.
You shall be obliged to notify FNET in writing of any change in the control or ownership of the End User and FNET shall be
entitled forthwith to terminate this Agreement by written notice.
This Agreement shall automatically terminate if replaced at any time with a new License agreement.
The right to terminate this Agreement given by this clause 9 will be without prejudice to any other accrued right or remedy
of either Party including accrued rights or remedies in respect of the breach concerned (if any) or any other breach, or which
the Parties have accrued prior to termination.
10. INDEMNIFICATION
You shall indemnify FNET in full and hold FNET harmless in respect of any loss, damages, proceedings, suits, third party
claims, judgements, awards, expenses and costs (including legal costs) incurred by or taken against FNET as a result of the
negligence, fault, error, omission, act or breach of You or of your employees, staff, contractors, agents or representatives or
for any breach of this Agreement whatsoever by You.
Notwithstanding any other provision of this Agreement, the aggregate liability of FNET for or in respect of all breaches of
its contractual obligations under this Agreement and for all representations, statements and tortious acts or omissions
(including negligence but excluding negligence causing loss of life or personal injury) arising under or in connection with
this Agreement shall in no event exceed the License fee paid by You pursuant to this Agreement prior to the date of the
breach.
14. MISCELLANEOUS
14.1 The provisions of clauses 3, 7, 8, 10, 11, 12, 13 and 14 and the obligation on you to pay the License fee shall survive the
termination or expiry of this Agreement.
14.2 This Agreement is personal to You and You shall not assign, sub-License or otherwise transfer this Agreement or any
part of your rights or obligations hereunder whether in whole or in part save in accordance with this Agreement and with
the prior written consent of FNET and You shall not allow the Product to become the subject of any charge, lien or
encumbrance of whatever nature. Nothing in this Agreement shall preclude the Licensor from assigning the Product or any
related documentation or its rights and obligations under this Agreement to a third party and You hereby consent to any
such future assignment.
14.3 This Agreement supersedes all prior representations, arrangements, understandings and agreements between the
Parties herein relating to the subject matter hereof, and sets out the entire and complete agreement and understanding
between the Parties relating to the subject matter hereof.
14.4 If any provisions of the Agreement are held to be unenforceable, illegal or void in whole or in part the remaining
portions of the Agreement shall remain in full force and effect.
14.5 No party shall be liable to the other for any delay or non-performance of its obligations under this Agreement (save for
your obligation to pay the fees in accordance with clause 1) arising from any cause or causes beyond its reasonable control
including, without limitation, any of the following: act of God, governmental act, tempest, war, fire, flood, explosion, civil
commotion, industrial unrest of whatever nature or lack of or inability to obtain power, supplies or resources.
14.6 A waiver by either party to this Agreement of any breach by the other party of any of the terms of this Agreement or
the acquiescence of such party in any act which but for such acquiescence would be a breach as aforesaid, will not operate
as a waiver of any rights or the exercise thereof.
14.7 No alterations to these terms and conditions shall be effective unless contained in a written document made
subsequent to the date of the terms and conditions signed by the parties which are expressly stated to amend the terms and
conditions of this Agreement.
Contents
6: Setting up Reports
Reports Overview
Applying General and Real-time Report Settings
Saving Report Filters
Scheduling Reports
Creating Long-term Reports
Creating Executive Reports
Adding a Sub-report Cell
Index
1: NetFlow Tracker Overview
Topics include:
• Key Features
• Deploying NetFlow Trackers
• Data Management
• Product Services
Key Features
NetFlow Tracker lets you as a network administrator view flow traffic
from routers and managed switches on the network. From a web-based
interface, it provides a set of dynamic charts and reports to
help you understand network traffic flow data. You can analyze
application and protocol information in depth, including user, server,
and application activity.
You can also deploy the NetFlow Tracker Appliance as part of the
Visual Performance Manager network performance management
system. This lets you view performance data and create reports from
multiple NetFlow Trackers on the network through a single web
portal interface. For more information, see the Visual Performance
Manager System Administration Guide.
Data Management
NetFlow Tracker has two databases:
• The real-time database stores data at millisecond granularity.
Report data is displayed in one-minute granularity. By default,
data is stored for up to seven days. You can adjust this setting in
Database Settings.
• The long-term database stores aggregated data for multiple years
at a granularity that you set in Database Settings. By default, data
is stored for 999 weeks at one-hour granularity. When you
configure long-term reports using custom granularity, the
database stores that data at that granularity for as long as the
report is scheduled.
See:
• “Database Settings” on page 89
• “Backup” on page 90
• “Archiving” on page 92
Product Services
For NetFlow Tracker product information, see:
www.flukenetworks.com
2: Installing NetFlow Tracker
Topics include:
• System Requirements
• Preparing for Installation
• Installing NetFlow Tracker on Microsoft Windows
• Installing NetFlow Tracker on Linux
Note
For upgrade information, see the Release Notes included with
the NetFlow Tracker release.
System Requirements
The type of system required to run NetFlow Tracker depends on the
number of devices sending NetFlow information to it and the amount
and nature of traffic handled by those devices.
Hardware Requirements
The following requirements are a guideline. To determine your
requirements, test the software’s performance in your network
environment.
Software Requirements
Note
NetFlow Tracker requires high speed disk I/O to run effectively. If
you run antivirus software on the NetFlow Tracker server you
are likely to have periodic issues with storing and accessing flow
data.
Table 2 Software Requirements

Operating system: English and Chinese language versions are supported.
• Windows XP Professional SP2
• Windows Server 2003 R2 SP 2
• Windows Server 2003 SP 2
• Windows Server 2000
• Linux—NetFlow Tracker has been tested and is supported on Red Hat Enterprise Linux 5 and Fedora Core 8 running Java 1.6.0_05 or later and MySQL 5.0 (Intel-compatible processor).
For more information on installing NetFlow Tracker on other Linux distributions, contact Fluke Networks TAC.

Browser:
• MS Internet Explorer (IE) 7.0
• IE 6.0 with SP1, critical updates
• Firefox 3.0
Other web browsers may run but have not been tested.

Java version: Java 2 Runtime Environment SE v1.6.0_05 or later

Other components:
• MySQL 5.0, installed with NetFlow Tracker
• Adobe Acrobat Reader 6.0 or later
Installing NetFlow Tracker on Microsoft Windows
Installing Java Runtime Environment on Windows
To install Java Runtime Environment:
1 Insert the NetFlow Tracker CD in your server.
2 If the server does not have the required version of the Java
Runtime Environment installed, click OK to install it. The Java
installer launches.
3 Accept Sun’s license agreement and click Next.
4 On the Setup Type screen, choose Typical or Custom. Select
Custom if you do not want the web browser to use Sun’s Java
Plug-in. Click Next.
5 If you chose Custom, the Custom Setup screen is shown. You can
change the install folder for NetFlow Tracker and MySQL. Select
the feature and click Change. Click Next.
6 If you chose Custom setup or if port 80 is in use, the Select HTTP
Port screen is shown. Select a port and click Test to check if it is
available. Click Next.
7 On the Ready to Install screen, click Install. Installation takes
several minutes. If installation stops for longer than that, contact
Fluke Networks TAC. When installation completes, click Finish.
Installing NetFlow Tracker on Linux
To install the RPM, run the following as root (replace the RPM file
name below with the name of the file you downloaded):
rpm -Uvh nftracker-4.0-0.i386.rpm
3: Setting Up NetFlow Tracker
Note:
• If you have password protection enabled you may need to log in
as an administrative user to see the Main Menu > Settings link.
See “Applying Security Settings” on page 26.
• The Settings link is not shown for NetFlow Trackers that have a
portal secret configured in the Visual Performance Manager.
Selecting a Language
You can view the NetFlow Tracker interface in English or in Chinese,
depending on the language settings of your browser.
Setting up NetFlow Tracker
From the Settings page (Main Menu > Settings) you can set up
NetFlow Tracker to gather data from network devices, determine
how that data is gathered and managed, and monitor and optimize
NetFlow Tracker performance.
If you are using NetFlow Tracker for the first time after installation,
set up NetFlow Tracker to start gathering data. Topics include:
• Setting up Licensing
• Setting up Listener Ports
• Applying SNMP Settings
• Enabling Devices to Export Flow Data
• Applying Device Settings in NetFlow Tracker
• Making Sure That Data is Received
• Applying Security Settings
Once NetFlow Tracker begins collecting data you can apply additional
data filtering and management settings. For more information, see
Chapter 8, “Optimizing NetFlow Tracker.”
Setting up Licensing
Use the Licensing page to apply a new full or trial license or check the
status of an existing license.
To install a license:
1 Select Main Menu > Settings > Licensing.
2 Add license information:
• If from a file, click Browse, locate the file, and select it. Then
click Load.
• If text, enter or paste the text and click Decode.
3 Click OK.
Note
When adding local addresses, you must specify a port number
on the NetFlow Tracker server to receive NetFlow traffic.
3 Set the Receive buffer size. The default size is 32768. This setting
applies to all ports.
Note
If traffic exceeds the buffer size, increase the buffer size to avoid
dropping packets. If you increase the buffer size, monitor the
system’s memory usage.
4 Assign each device its own listening port.
5 Click OK. If you receive an error message, one or more ports are
already in use. An asterisk (*) marks these ports. Remove these
ports and add others until no errors remain.
Note
A device is scanned when it reboots and when NetFlow Tracker
software restarts. Because NetFlow Tracker checks each
community when it detects a new device, place the most
frequently used communities higher in the list for faster
scanning.
In the Device List, devices that do not match the SNMP community
setting show a . See “Device List” on page 20.
4 Leave the default settings for timeout (5000 ms) and number of
attempts (3) used for SNMP requests.
5 Click OK.
Once devices are enabled, to see whether NetFlow Tracker has started
collecting data, see “Making Sure That Data is Received” on page 24.
To configure devices:
1 Select Main Menu > Settings > Device Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 Apply General settings:
• Override the name detected using SNMP.
• Choose whether to archive real-time data from the device.
Note: When you archive data all NetFlow data monitored by
the device is archived.
• Show interface descriptions entered on the network device or
leave the default setting. Default does not show the interface
descriptions.
4 Apply SNMP settings. For SNMP mode, select:
• Use SNMP if the device supports SNMP. Let NetFlow Tracker
use SNMP to scan a device because the numbers used to identify
the inbound and outbound interfaces in NetFlow exports
are not constant and SNMP is the only way NetFlow Tracker
can make a correct correlation between an identifier and a
physical interface or port. Select an SNMP version (SNMPv1 or
SNMPv2c) and enter a community name.
• Don’t use SNMP if the device does not support SNMP. This
assigns default properties to each interface encountered in
NetFlow exports from the device.
• Keep current configuration to freeze a device’s configuration.
This ignores any new interface encountered, so use this with
caution.
To rescan an SNMP device using the SNMP version and community
specified in the page, click Rescan. This scans but does not save
the settings. You must click OK on the Device Settings page to
apply changes. Because NetFlow Tracker rescans a device when
the software restarts, a new interface is encountered, or the
device reboots, you do not normally have to manually rescan a
device.
5 Apply BGP settings if BGP is used:
• Local AS—The local AS number is required to get correct AS
numbers for traffic routed to or from the local AS. If BGP is
not used, leave this setting blank.
• Store peer/origin ASes—For a device that can send both the
peer and origin AS number for each NetFlow record, choose
which AS numbers are stored in the database.
• Store BGP next-hop—For a device that can send the BGP next-
hop address in its NetFlow exports, store this value in place of
the IP next-hop for the device.
6 Set Sampled Data Scaling.
• Scale sampled data—If a device samples packets to simplify
the generation of NetFlow data, select this to scale each
NetFlow record by the sampling interval and thus produce traffic
and packet rates that more accurately reflect the real levels.
Device List
Use the device list on the Device Settings page to check the status of
known devices and override the interface descriptions and speeds
collected by NetFlow Tracker. NetFlow Tracker performs an SNMP scan
when it starts to populate this list. When devices reboot, they are
rescanned.
The name and address of each known device are listed, along with a
status indicator:
• (exclamation point)—Indicates that NetFlow Tracker could not
contact the device using SNMP or that the device is ignored due
to a license violation.
• (hourglass)—Indicates that the device is being scanned and
cannot be edited. To see if scanning has finished click Refresh.
• No icon—The device is working correctly.
Note
Any changes you make to any device are only applied when you
click OK in the main Device Settings page.
Applying Traffic Class IDs
In the Traffic Class IDs section of a device’s settings page, you can map
traffic classes or manually add these using the list.
For devices that can export traffic class data that helps route the
traffic involved in each flow, leave Automatically map traffic classes
checked. If this option is not available for a device, add each traffic
class to NetFlow Tracker and configure a map from the device’s class
ID to the NetFlow Tracker traffic class. Give each class a unique
identifier that is used if you create a URL with a traffic class filter.
Note: This identifier does not need to match the identifier exported
by any of your devices for the traffic class.
You can associate any interface on any device with a uniquely named
Virtual Private Network (VPN) for reporting and filtering. A VPN
groups data from the devices and interfaces assigned to it. This data is
included in the VPNs report and by the VPN filters. NetFlow Tracker
assigns the customer-facing interfaces of an MPLS provider edge
router (PER) using MPLS VPN and supports the standard SNMP MIB
automatically. If your network device does not support this, you must
create a unique identifier for each VPN.
Note
If you reset a speed or description setting and the device
reboots or has an SNMP rescan, your settings are overridden.
option is useful to remove interfaces that do not report NetFlow data
from reports.
Note
VPNs are assigned to interfaces by name, so each VPN must have
a unique name.
Deleting a Device
You can delete a device from the device’s settings page.
Note
When you delete a device, if the device is still sending NetFlow
data to NetFlow Tracker it will reappear after you delete it.
To delete a device:
1 From the NetFlow Tracker Main Menu, select Settings > Device
Settings.
2 Select a device from the Device List. See “Device List” on page 20.
3 On the Device page, click Delete.
Note
If you cancel the deletion at this point, you will lose any other
changes you have made on the setting page.
Table 3 Performance Counters

Average sample storage duration: Length of time it takes the system to store a one-minute sample of real-time data. If this is more than fifteen seconds, the system is overloaded.

Last long-term database maintenance duration: Length of time it took to perform the last update of the long-term database. If this took longer than two to three hours, consider reducing the number of long-term reports or the number of devices they cover, or setting some long-term sample sizes to zero.

Last real-time database maintenance duration: The length of time it took to perform the last reorganization of the real-time database. If this took longer than 30 minutes, it may indicate a performance problem on the server, too much data in the database, or not enough memory allotted for NetFlow Tracker.

NetFlow data received: Shows the number of exports and amount of NetFlow data received from each device. Note: This is not the amount of traffic described by the exports but the LAN traffic generated by the exports.

Traffic described: Tracks the total amount of network traffic across all interfaces in each direction as described by NetFlow exports received from each device.

Ignored flows: NetFlow Tracker ignores flows that arrive too late to be processed. If you see a large number of ignored flows make sure that the inactive timeout or short aging time settings on the router are correctly set.
For devices that do not have a configurable active flow timeout or if the active flow timeout is not working with a certain device, configure NetFlow Tracker to hold data in RAM longer to prevent ignored flows. See the “Hold back real-time data for” option in “Database Settings” on page 89.

Unprocessed flowsets: NetFlow version 9 flows are encoded in a flexible manner using templates exported by the router every few seconds. For several minutes after starting NetFlow Tracker or after a router reboots, NetFlow Tracker may receive flows that it cannot decode.
If you do not see data after 10 minutes, check the server, NetFlow Tracker settings, and the router configuration.

Interface scans: NetFlow Tracker scans the interface list of each device exporting to it when the device or NetFlow Tracker software restarts. A large number of rescans, particularly failed ones, indicates a problem.

Missed flows: NetFlow versions 5 and 7 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. It can miss exports due to network congestion or a busy router. If a switch or router is reordering the UDP packets that contain NetFlow exports, missed flows are shown. Each export normally contains data on about 30 flows.
Note: If the NetFlow Tracker server is processing a very high volume of data it may drop packets. In this case, increase the receive buffer size in Listener Ports. See “Setting up Listener Ports” on page 16.

Missed exports: NetFlow version 9 exports contain a sequence number that NetFlow Tracker uses to detect when exports are missed. Unlike the version 5 or 7 sequence numbers, only the number of missed exports can be counted and not the number of missed flows.

No out interface: The router sends flows with “no out interface” when an access control list lookup fails or multicast traffic is routed. A high number of flows with no out interfaces is normal.

No in interface: The arrival of flows with “no in interface” may indicate a configuration problem on a Catalyst switch. Contact Fluke Networks TAC.
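
The sequence-number accounting behind the Missed flows and Missed exports counters can be sketched as follows. This is an added example, not NetFlow Tracker's own code: it assumes the standard NetFlow v5 and v9 export header layouts, the names parse_header, StreamStats and account are hypothetical, and the sample datagrams are constructed.

```python
import struct
from collections import defaultdict

# Standard export headers, network byte order.
# v5: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#     engine_type, engine_id, sampling_interval (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v9: version, count, sys_uptime, unix_secs, sequence_number, source_id (20 bytes)
V9_HEADER = struct.Struct("!HHIIII")
V5_RECORD_LEN = 48
SEQ_MOD = 1 << 32  # both sequence counters are 32 bits wide and wrap


def parse_header(datagram):
    """Return (version, count, sequence, stream_id) for a v5 or v9 export."""
    if len(datagram) < 2:
        raise ValueError("datagram too short for a NetFlow header")
    (version,) = struct.unpack_from("!H", datagram)
    if version == 5:
        if len(datagram) < V5_HEADER.size:
            raise ValueError("truncated NetFlow v5 header")
        _, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
        # Never trust the count field further than the bytes actually received.
        if len(datagram) < V5_HEADER.size + count * V5_RECORD_LEN:
            raise ValueError("v5 count field exceeds datagram length")
        return version, count, seq, (etype, eid)
    if version == 9:
        if len(datagram) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(datagram)
        return version, count, seq, source_id
    raise ValueError("unsupported NetFlow version %d" % version)


class StreamStats:
    """Gap accounting for one export stream (hypothetical helper)."""

    def __init__(self):
        self.expected = None  # next sequence number we should see
        self.missed = 0       # flows for v5, exports for v9
        self.late = 0         # datagrams that arrived behind the expected value

    def observe(self, version, count, seq):
        # v5 counts flows, so the sequence advances by the record count;
        # v9 counts export packets, so it advances by one per datagram.
        step = count if version == 5 else 1
        if self.expected is not None:
            gap = (seq - self.expected) % SEQ_MOD
            if gap >= SEQ_MOD // 2:
                # Behind the expected value: a reordered or duplicated
                # datagram. Its gap was already added to `missed`, which is
                # why reordering shows up as missed flows.
                self.late += 1
                return
            self.missed += gap
        self.expected = (seq + step) % SEQ_MOD


def account(datagrams):
    """datagrams: iterable of (exporter_ip, bytes). Returns (stats, rejected)."""
    streams = defaultdict(StreamStats)
    rejected = 0
    for exporter, data in datagrams:
        try:
            version, count, seq, stream_id = parse_header(data)
        except ValueError:
            rejected += 1  # malformed input is counted, never parsed further
            continue
        # Assumption: one sequence counter per exporter, version and
        # engine (v5) or source ID (v9).
        streams[(exporter, version, stream_id)].observe(version, count, seq)
    stats = {k: {"missed": s.missed, "late": s.late} for k, s in streams.items()}
    return stats, rejected


def make_v5(seq, count):
    """Constructed v5 export: header plus zero-filled flow records."""
    return V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + bytes(count * V5_RECORD_LEN)


def make_v9(seq, source_id=1):
    """Constructed v9 export: header only, which is all the accounting reads."""
    return V9_HEADER.pack(9, 1, 0, 0, seq, source_id)


# Constructed sample: two v5 exports of 30 flows are lost, one of them then
# arrives late; two v9 exports are lost; one datagram is truncated.
SAMPLE = [
    ("192.0.2.1", make_v5(0, 30)),
    ("192.0.2.1", make_v5(30, 30)),
    ("192.0.2.1", make_v5(120, 30)),
    ("192.0.2.1", make_v5(90, 30)),
    ("192.0.2.1", make_v9(10)),
    ("192.0.2.1", make_v9(11)),
    ("192.0.2.1", make_v9(14)),
    ("192.0.2.1", b"\x00\x05\x00"),
]

if __name__ == "__main__":
    stats, rejected = account(SAMPLE)
    for key, value in sorted(stats.items(), key=repr):
        print(key, value)
    print("rejected datagrams:", rejected)
```

A non-zero late count next to a non-zero missed count points to reordering on the path rather than loss at the exporter or at the collector's receive buffer.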
When adding a custom home page, make sure that the URL of any
custom home page is relative to the server’s root. For example, the
standard home page is specified as “index.jsp” and the Network
Overview is specified as “report.jsp?cid=_topdevices”. The Network
Overview is the default home page.
http://server/customweb/file.html the home page is
customweb/file.html.
4 If you applied password protection, add user login and password.
You may apply user-specific home pages. You must set at least
one user as an administrator who can configure settings.
5 Click Add. To delete users, select the user’s checkbox and click
Delete.
6 Click OK. If you applied password protection or changed your
own user login details you must log in again.
4: Viewing Real-Time Data
Topics include:
• Viewing Network Overview Data
• Viewing Devices
• Viewing Interfaces
• Filtering Real-time Data
• Viewing Chart Data
See also:
• “Database Settings” on page 89.
• “Applying General and Real-time Report Settings” on page 54.
Figure 1 Network Overview (callout: Right-click to run an ad hoc report)
Application Conversations
You open the Conversations page for an application by clicking an
application on the Top Applications and Interfaces page. This page shows:
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.
• Packet Rate tab—A stacked bar chart and table show the top 10
conversations by packet rate. The source and destination address,
source and destination application, and peak and average packet
rate are shown.
Interface Conversations
You open the Conversations page for an interface by clicking an
application on the Top Applications and Usage page for an interface. This
page shows:
• In/out Interface - %Usage tab—A stacked bar chart and
corresponding table show the top 10 conversations by percentage
of total usage. The source and destination address, source and
destination application, and the peak and average percentage of
usage are shown.
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.
Viewing Devices
The Devices page (Main Menu > Devices) lists all devices that export
flow data. Use this page to identify devices and their interfaces that
show high traffic or packet rates (see Figure 2). The page refreshes
every minute.
Options include:
• To sort data by device name, address, peak traffic rate, or peak
packet rate, click the column header. By default, each peak rate is
the highest two-minute rate in the last six hours. This differs if the
default time range is altered.
• Click the Relative Traffic and Relative Packet Rate meters for a
device to open a chart of the device’s recent activity over time.
Each chart is scaled relative to the busiest device. This ensures that
a high value on a chart indicates a relatively high traffic or packet
rate. By default, the last six hours is shown.
Viewing Interfaces
You can open the Interfaces page for a device by clicking the device
name on the Devices page. The Interfaces page lists all known
interfaces on the device. Information for each interface includes the
interface description, percentage of usage, relative traffic, relative
packets, peak percentage of usage In and Out, peak traffic rate In
and Out, and peak packet rate In and Out.
Options include:
• Hold your mouse over an interface’s name to see its speed, type,
and extended description if available.
• Click column headers to sort interfaces by name, description, peak
percentage of usage in either direction, peak traffic rate in either
direction, and recent peak packet rate in either direction.
• Click an interface name or the % Usage, Relative Traffic, or
Relative Packet Rate meters to view detailed data on that
interface. A chart shows the interface’s recent bi-directional
utilization, traffic rate, or packet rate over time (see Figure 3).
Figure 4 Filter Editor—Real-Time Data
Note:
• If you do not want to use a filter, leave it blank.
• For filters in which you add a range of items, enter the start and
end of the range in the boxes provided. To select a single item,
leave the right-hand box empty. You can include or exclude the
items you select.
• For filters that have selectable items, select the items in the
Available box on the left and click > to move them to the Selected
box.
Saved filters are available in the Filter drop-down list. You manage
saved filters in Report Settings. See “Saving Report Filters” on
page 55.
To filter data:
1 Select Main Menu > Filter Editor.
2 Select a report template and set whether to create a tabular
report, chart, or pie chart. For more information, see Appendix B,
“Report Templates.”
Table 4 Filter Definitions

| Filter | To Apply... |
|---|---|
| Time zone | Change the time zone used to interpret the start and end times and time masks. The default is the time zone the NetFlow Tracker server uses. |
| Time mask | Select a limited time range during a day. For example, to consider only data between 8:30 and 18:00 on a weekday, select Monday, Friday, 8:30 and 18:00 and click Add. Add as many masks as you want. Only data within one or more masked areas is considered. If you do not select a mask then all data between the start and end time is considered. |
| In interface | Report on inbound traffic for an interface or set of interfaces. Available interfaces depend on the filtered source devices. |
| Out interface | Restrict a report to just outbound traffic from a set of interfaces. Use this with an In interface filter to report on traffic that took a particular path through a router. |
| In/out interface | Restrict the report to bi-directional traffic for the selected interfaces. |
| In VPN | Restrict a report to just traffic where the inbound interface is part of the selected VPN(s). For this filter to work, you must associate interfaces with VPNs in Device Settings. See “Applying Interface Settings” on page 22. |
| Out VPN | Select traffic where the outbound interface is part of the selected VPN(s). |
| VPN | Select traffic where either interface is part of the selected VPN(s). |
| Source address | Restrict the report to traffic with a given source IP address or a set of source IP addresses. Type the address or domain in the box and click Add. |
| Dest address | Report on data with one of a set of destination IP addresses. |
| Src/dest address | Consider traffic either originating from or destined for the given addresses. |
| Protocol | Restrict the set of IP protocols considered. For example, you may want to consider only UDP or ICMP traffic while investigating a denial-of-service attack. |
| Source port | Restrict the source application port number. Use this with the Protocol filter. |
| Dest port | Restrict the destination application port number. |
| Src/dest port | Consider traffic with the given port number as either the source or destination. |
| Source application | Restrict the IP protocol and source application port number. Enter a port number and protocol or select from those configured in the IP Application Names settings page. See “Applying Identified Applications” on page 21. |
| Dest application | Restrict the protocol and destination application port, selectable by name. |
| Src/dest application | Consider traffic using the application as either the source or destination. |
| Recognized application | Select traffic with the given source or destination application. Consideration of the source or destination application depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which one has the lower port number. See “Applying Identified Applications” on page 21. |
| Identified application | Select traffic with the identified application. For NetFlow Tracker to identify applications, the device must support the functionality and you must set its identified application mapping in Device Settings. See “Applying Identified Applications” on page 21. |
| ToS | Filter traffic bearing any one of a set of type-of-service (ToS) byte values. Select a priority from 0 to 7 and select Include or Exclude. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select D (delay), T (throughput), R (reliability), or M (monetary cost) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank. |
| DiffServ | Select only traffic bearing one of the selected differentiated service code points. Because DiffServ and ToS use the same field in the IP header, do not use both filters at the same time. You can assign a name to a code point using the DiffServ Names settings page. See “DiffServ Names” on page 86. |
| Traffic class | Select traffic within a traffic class. For NetFlow Tracker to identify traffic classes, the device must support the functionality and you must configure its traffic class mapping in Device Settings. See “Applying Traffic Class IDs” on page 21. |
| Source AS | Select traffic bearing one of a set of source AS numbers. The router’s settings determine whether this is the origin or peer AS. Enter an AS number or select from the set of private-use ASes configured in the AS Names settings page. Note: You cannot select public ASes by name. |
| Dest AS | Restrict the source data to traffic bearing the destination origin or peer ASes. |
| Src/dest AS | Consider traffic to or from the origin or peer ASes. |
| Source subnet | Select traffic with the source subnet. Enter the network address and mask length or select from the subnets configured in the Subnet Names settings page. Note: The subnet mask used by the router to route the traffic is ignored when applying this filter. See “Subnet Names” on page 87. |
| Dest subnet | Select traffic with the given destination subnets. Note: A destination subnet filter of 224.0.0.0/4 will select multicast traffic. |
| Src/dest subnet | Select traffic to or from the subnets. |
| Source mask | Select traffic routed using the source network mask. |
| Dest mask | Select traffic with the destination network mask. |
| Src/dest mask | Select traffic with the source or destination network mask. |
| Next hop | Filter traffic based on the next hop used by the router in routing the traffic. |
| TCP Flags | Filter TCP traffic. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select U (urgent), A (acknowledged), P (push), R (reset), S (synchronized), or F (finished) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank. |
| Duration | Include or exclude traffic based on length of time in milliseconds. Terms: ge—greater than or equal to; le—less than or equal to. |
See also:
• “Filtering Long-term Data” on page 50
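The TCP Flags and ToS filters in Table 4 are per-bit, three-way choices (match 1, match 0, or ignore). The following Python sketch is an added example, not NetFlow Tracker code: it applies that logic to constructed flow records, assuming the standard TCP flag and ToS bit positions and that a flow's flag byte is the OR of the flags seen on its packets. It also shows why a DiffServ-marked byte reads as a ToS value at the same time.

```python
# Added example: the per-bit match-one / match-zero / ignore logic of the
# TCP Flags and ToS filters, run over constructed flow records.

# Standard TCP flag bits (RFC 793) and legacy ToS bits (RFC 1349).
TCP_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
TOS_BITS = {"D": 0x10, "T": 0x08, "R": 0x04, "M": 0x02}


def build_mask(bits, selection):
    """Convert a selection such as {"S": 1, "A": 0} into (care, want).

    1 means the bit must be set, 0 means it must be clear, and a letter
    that is absent from the selection is ignored (the blank drop-down).
    """
    care = want = 0
    for letter, state in selection.items():
        if letter not in bits:
            raise ValueError(f"unknown bit {letter!r}")
        if state not in (0, 1):
            raise ValueError(f"state for {letter!r} must be 0 or 1")
        care |= bits[letter]
        if state:
            want |= bits[letter]
    return care, want


def select(flows, field, bits, selection):
    """Return the flows whose byte in `field` satisfies the selection."""
    care, want = build_mask(bits, selection)
    return [f for f in flows if (f[field] & care) == want]


def describe_tos(tos):
    """Read one header byte both ways: as ToS and as a DiffServ code point."""
    return {
        "priority": tos >> 5,  # top three bits, 0 to 7
        "set_bits": "".join(k for k, b in TOS_BITS.items() if tos & b),
        "dscp": tos >> 2,      # top six bits, 0 to 63
    }


# Constructed sample flows (documentation addresses, hypothetical values).
FLOWS = [
    # S+A+P+F: a session that opened and closed normally
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "tcp_flags": 0x1B, "tos": 0x00},
    # S only: connection attempts that never progressed
    {"src": "203.0.113.7", "dst": "198.51.100.5", "dport": 22, "tcp_flags": 0x02, "tos": 0x00},
    {"src": "203.0.113.7", "dst": "198.51.100.5", "dport": 23, "tcp_flags": 0x02, "tos": 0x00},
    # R+A: the server refusing a connection
    {"src": "198.51.100.5", "dst": "203.0.113.7", "dport": 40000, "tcp_flags": 0x14, "tos": 0x00},
    # A+P, marked with DSCP 46
    {"src": "192.0.2.20", "dst": "198.51.100.9", "dport": 5060, "tcp_flags": 0x18, "tos": 0xB8},
]


def syn_only(flows):
    """Flows that carried a SYN but never an ACK, RST or FIN."""
    return select(flows, "tcp_flags", TCP_BITS, {"S": 1, "A": 0, "R": 0, "F": 0})


if __name__ == "__main__":
    for flow in syn_only(FLOWS):
        print("half-open attempt:", flow["src"], "->", flow["dst"], flow["dport"])
    # The DSCP 46 byte also decodes as ToS priority 5 with D and T set.
    print(describe_tos(0xB8))
```

Because the byte marked with code point 46 also matches a ToS filter for priority 5 with D and T set, combining the two filters double-constrains one field, which is the reason the table says not to use both.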
Charts display the elements that contributed most to the overall total
traffic or packet rate over the charted time range. By default, at most
ten elements are shown but you can configure this on the Report
Settings page. See “Setting up Reports” on page 53.
• To get more details on an item in the chart or table, click its link.
• To zoom in to the center of the chart, click the corresponding icon. To
zoom in on a particular selection, first select that time range. Zooming
in stops the chart from refreshing.
• To zoom out from the center of the chart, click the corresponding icon.
Zooming out also stops the chart from refreshing.
• To select a time range, click and drag the mouse across the chart.
You can then zoom in on the selection.
• To select the entire time range, click the corresponding icon.
• To drill into selected data, select a time range and right-click the
selection. From the menu, select an item to create another chart
for the selected time range.
• To view data as a pie chart, click the corresponding icon. See
“Working with Pie Charts” on page 43.
• To view data in a table, click the corresponding icon. See “Working
with Tables” on page 44.
• To alter the filter applied to a standard chart, click the
corresponding icon.
• To view resolved domain names if a chart shows IP addresses, hold
your mouse over the address.
• To refresh the view, click the corresponding icon.
• To reload the chart with all resolvable domain names shown, click
(resolve all).
• To revert from viewing resolvable domain names and view only IP
addresses, click (resolve available).
• To convert a chart to a CSV file, click the corresponding icon. You are
prompted to open or save the file.
• To print the chart, click the corresponding icon.
• To open the chart in a new window, click the corresponding icon.
view shows the entire time range in one table. It also shows every
contributing element rather than just the largest ones.
Options include:
• To return to the standard chart view, click .
• To navigate through tables of more than 25 rows, use the page
navigation at the top of the table.
• To go to a specific position in the view, click in the scrollbar. A
blue line or box on the scrollbar indicates the page shown and
how much of the view the page represents.
• To sort items by name, address, traffic rate, or packet rate, click
the column heading. Click again to sort items in the opposite
order.
• In reports, to drill into a row’s data, select the radio button at the
left of a row. (You can select only one row at a time.) Select a sub-
report type from the drop-down list at the bottom of the page and
click Go. For example, if you are viewing a report of source
applications, you can select an application and view source
addresses using that application. For more information, see
Appendix B, “Report Templates.”
5: Viewing Long-term Data
Topics include:
• Viewing Long-term Network Overview Data
• Viewing Long-term Device and Interface Data
• Filtering Long-term Data
See also:
• “Database Settings” on page 89.
• “Creating Long-term Reports” on page 60.
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• Tables showing the top five in and out interfaces by average and
peak percentage of usage.
• Tables showing the top five in and out interfaces by average and
peak traffic rate.
Figure 8 Network Overview—Long-term Data
• A selector at the bottom of the page lets you change the time
range of the current report or chart, and any reports or charts
opened by interacting with it. Time options span from hours to
years. The default setting is seven days, based on the time zone of
the NetFlow Tracker server. To change this setting, see “Creating
Long-term Reports” on page 60.
Note
If you zoom into or out of a long-term chart or drill into a
selection (other than one selected using Select All), the time
range selector is not available on the resulting chart.
• The long-term Devices and Interfaces pages show the peak and
average traffic and packet rates. By contrast, real-time pages
show the peak and most recent rates.
• When you select a range of time on a long-term device or
interface chart and right-click to drill down, you can only access
reports created as per-device, per-inbound interface or per-
outbound interface in Report Settings.
See also:
• “Viewing Devices” on page 33.
• “Viewing Interfaces” on page 34.
2 Select a long-term report and set whether to create a tabular
report, chart, or pie chart.
3 For Source Data, select the data sample size. Long-term data is
stored in sample sizes that are optimal for different lengths of
charts. You can override the selection of the source data to create
charts showing, for example, a month in day-long blocks.
4 Click Start time/End time or Length to set how much data the
report will include:
• Pick the date and time of the earliest and latest data to
consider. The default start time is six hours before you opened
the Filter Editor.
• Set the length in units. The report will cover that number of
units and end at the last full unit before the time it is opened.
5 Select a source device or interface to report upon. To select more
than one device or interface you must save the filter.
6 To add a Time zone or Time mask filter or a saved filter, select
from the drop-down list and click Add. The filter is added to the
Filter Editor page. For more information, see Table 4 on page 38.
7 Click OK to apply the filter settings. The filter is directly applied.
Click Save to save the filter for future use. See “Saving a Long-
term Filter.”
6: Setting up Reports
Use the Report Settings page (Main Menu > Settings > Report
Settings) to set up all reports and charts. Topics include:
• Reports Overview
• Applying General and Real-time Report Settings
• Saving Report Filters
• Scheduling Reports
• Creating Long-term Reports
• Creating Executive Reports
Reports Overview
You can create three types of reports:
• Real-time reports—View the last seven days of data (by default)
in real-time at one-minute granularity.
• Long-term reports—View aggregated data for up to multiple
years at a granularity level you define in Database Settings.
• Executive reports—An executive report is a pre-configured
template that contains one or more reports or charts and HTML
content that you define. Use an executive report to access often-
used reports or to group related reports on one page.
Note
Avoid reporting from multiple devices and over long periods of
time. Doing so can cause NetFlow Tracker to count some traffic
multiple times.
Table 5 General and Real-time Report Settings
Scheduling Reports
You can set up any real-time, long-term, or executive report as a
scheduled report that you can email or save to a server location based
on that schedule. In addition, you can generate scheduled reports on
demand if they are included in the Reports page.
Figure 9 Report Settings—Scheduled Reports
Table 6 New Scheduled Report Options

| Option | Definition |
|---|---|
| ID | The report’s identification number. |
| Name | The report name. Use only alphanumeric characters. |
| Description | The report description. |
| Include in reports menu | Show the report in the Reports page. |
| Run on demand | The report does not automatically generate and appears only in the Reports page. |
| Run once | The report runs once at the specified time on the date supplied for “Begin running this schedule on.” |
| Run every day | The report runs every day at the specified time, starting on the specified start date and optionally finishing in the specified end date. |
| Run every week | The report runs on the specified days of every week. |
| Run every month | The report runs on either the specified date of each month or on the specified week day (for example, the first Monday of each month). |
| Begin running this schedule on | Set the beginning date for the schedule. |
| End this schedule on | Set the end date for the schedule. |
| Delete report after schedule ends | If you select an end date, select this to delete the report on that date. Saved output is not deleted. Tip: You can use this with the “Run once” schedule option to run a particularly time-consuming report. |
| Output as | Options are PDF, HTML single file (MHTML), HTML zipped (which contains the HTML, stylesheets, and images), CSV, and XML. When a report is generated on-demand from the Reports page it is formatted in the normal interactive HTML format. |
| Save to | Save the report to a specified folder on the server. |
| Email to | Email the report as an attachment to the specified address. Enter the subject line and body of the email. |
| Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters to alter anything about the report that is not configurable using the Filter Editor. |
| Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
You can also create a long-term report for each device in the system
or for each inbound or outbound interface. These reports can still
have a filter or time mask. You can access a per-device, inbound, or
outbound interface report from the long-term Filter Editor or by
drilling down from the long-term device or interface charts.
Note
If you create a long-term report that includes only data from the
real-time database, then the report’s granularity is one-minute.
Figure 10 Report Settings—Long-term Reports
Table 7 New Long-term Report Options

| Option | Definition |
|---|---|
| ID | The report’s identification number. |
| Name | The report name. |
| Report Template | See Appendix B, “Report Templates.” |
| Type | Basic—Select source devices and interfaces for the report. Per source device—Run this report on all source devices. Per inbound interface—Run this report on all inbound interfaces. Per outbound interface—Run this report on all outbound interfaces. |
| Storage Options | Set the length of time to store data and its granularity. Note: Storage settings can impact system performance. See “Database Settings” on page 89. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
you select this. You will not be able to filter the executive
report from the Reports page.
c Under Sub-report tag, enter the name of a sub-report to
embed in the executive report. Select a type: Real-time, Long-
term, or Custom. Click New. On the Sub-report page, set the
parameters for the sub-report (see Table 8) and click OK. You
can add as many sub-reports as you want.
d Click Add Row to add a content row to the executive report.
You can then add cells to the row. Each row has one or more
cells. You can set up a cell to span a number of columns. There
are two types of cells: sub-report cells and HTML cells. See
“Adding a Sub-report Cell” on page 66 and “Adding an HTML
Cell” on page 68.
5 Click OK. The executive report is added to the list on the Report
Settings page.
6 In the Executive Reports list, you have the following options:
• To edit or delete a report, click its name. You cannot change
the report template, type, or time mask of an existing report.
• To copy a report, click its icon.
• To change the order in which reports appear, click the up or
down arrows.
7 Click OK on the Report Settings page to apply the changes.
| Option | Definition |
|---|---|
| Tag | The sub-report name. |
| Report template | See Appendix B, “Report Templates.” |
| Sample size: Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters. Note: If you select Default/Custom and do not add custom time range parameters, the time range is passed to the executive report, or the default real-time or long-term time range, according to the report. |
| Reload interval | The number of minutes between refreshes of the device, interface, and AS status reports and charts. |
| Source device or Source data | Set the source device or the source data sample size depending on the report. Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection. |
| Add Filter | Select a filter and click Add. See Table 4 on page 38. |
| Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
Figure 12 Report Settings—Executive Reports
| Option | Definition |
|---|---|
| Sub-report | Sub-report name. |
| Output as pie chart | If the sub-report is a chart over time, select to output a pie chart. |
| Sections | Select the sections of the sub-report you want the cell to display. |
| Controls | Select the user-interface controls to enable. |
| Columns | Select which columns to show. |
| Chart | If the sub-report is a chart or pie chart, select which chart to show. |
| Output Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
| New Window Drilldown Settings | Select to include all sections, controls, and columns in the drill-down window. If you have set the Drilldown or Open in a new window options for a report cell, you must also set how the URL is modified to create the new window. You can show all sections and columns and allow all controls (which is usually the case for a complex layout). You can also specify custom parameters. Note: To remove a parameter from the new window’s URL, leave its value blank. |
| Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.” |
When an executive report is formatted as PDF only the three standard
styles are used and all HTML tags are removed from the text.
You can control the layout of the report by moving rows up and
down and cells left and right within their rows. To create complex
layouts, make cells span multiple columns.
• To increase the cell by a column, click the corresponding icon.
• To decrease the cell by a column, click the corresponding icon.
• To delete a cell or row, click the corresponding icon.
7: Working with Alarms
Topics include:
• Alarms Overview
• Configuring Alarms
• Configuring Notification Settings
• Viewing Events
Alarms Overview
Alarms are pro-active notifications of user-impacting performance
problems on the network. Alarms are triggered by events—problems
or other important incidents on the network.
When configuring an alarm, you choose the alarm type, metric, and
the threshold type for permitted performance. You can set thresholds
from specified values or from a baseline. NetFlow Tracker supports
two types of alarms:
• Threshold alarms indicate changes in performance for a selected
metric, such as traffic rate or conversation rate over time, based
on the filters applied in the alarm. Threshold alarms compare
recent performance against configured thresholds. They can use a
baseline or specified values.
• Profile alarms indicate changes in the network. For example, the
Recognized Applications profile alarm indicates which
applications make up the traffic or packets observed in the last
minute against the configured baseline. They always use a
baseline.
When you set alarm thresholds using baselines, the sensitivity setting
is used to derive the alarm performance thresholds from the
baselines. A baseline records normal network behavior against which
future network problems and important incidents are measured. The
alarm sensitivity controls how a threshold is calculated in relation to
the baseline average and standard deviation. Because a default
sensitivity value must apply consistently across many different
baselines and also across individual baselines as they change over
time, sensitivity is a relative value.
Alarms marked for persistent changes are based on the most recent
20 minutes of data taken at one-minute samples by NetFlow Tracker.
Alarms not marked for persistent changes are based on the most
recent minute of data only.
Alarm status is checked every minute. After every check, new alarms
can be generated, existing alarms can end, or alarms can continue.
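The guide does not give the formula that turns a baseline and a sensitivity setting into thresholds. The following Python sketch is an added example, not NetFlow Tracker's own logic: it assumes threshold = baseline average + k × standard deviation, with k as a hypothetical stand-in for the sensitivity slider, and assumes a persistent alarm compares the mean of the last 20 one-minute samples.

```python
# Added example: baseline-derived thresholds and the effect of the
# "Alarm only for persistent change" option. The formulas are assumptions.
from statistics import mean, pstdev

PERSISTENCE_WINDOW = 20  # one-minute samples, the window the guide names


def thresholds(baseline, k_degraded, k_exceeded):
    """Assumed rule: threshold = baseline average + k * standard deviation.

    k_degraded and k_exceeded are hypothetical stand-ins for the
    sensitivity slider; a smaller k gives a more sensitive alarm.
    """
    if len(baseline) < 2:
        raise ValueError("baseline needs at least two samples")
    avg, dev = mean(baseline), pstdev(baseline)
    return avg + k_degraded * dev, avg + k_exceeded * dev


def classify(value, degraded, exceeded):
    """Map a measured value to one of the four event states."""
    if value is None:
        return "No Data"
    if value > exceeded:
        return "Exceeded"
    if value > degraded:
        return "Degraded"
    return "Normal"


def alarm_state(samples, degraded, exceeded, persistent=True):
    """Evaluate one per-minute check; `samples` are newest last.

    Assumption: a persistent alarm compares the mean of the last 20
    samples, a non-persistent alarm compares only the newest sample.
    """
    if not samples:
        return classify(None, degraded, exceeded)
    if persistent:
        value = mean(samples[-PERSISTENCE_WINDOW:])
    else:
        value = samples[-1]
    return classify(value, degraded, exceeded)


# Constructed data: traffic rate in Mbit/s, one value per minute.
BASELINE = [38, 42] * 10   # average 40, standard deviation 2
SPIKE = [40] * 19 + [90]   # a single one-minute burst
SUSTAINED = [50] * 20      # twenty minutes of elevated traffic

if __name__ == "__main__":
    degraded, exceeded = thresholds(BASELINE, k_degraded=2, k_exceeded=4)
    for name, data in (("spike", SPIKE), ("sustained", SUSTAINED)):
        for persistent in (False, True):
            state = alarm_state(data, degraded, exceeded, persistent)
            print(f"{name:9} persistent={persistent!s:5} -> {state}")
```

With the constructed data, the one-minute burst raises an alarm only when the persistent-change option is off, while twenty minutes of elevated traffic raises it either way.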
These states are shown in the Alarm List (Settings > Configure
Alarms).
Only available and complete baselines are used to set thresholds and
generate alarms. NetFlow Tracker can collect enough data in a day to
create an available baseline. A complete baseline usually takes a
week.
Note
When you first install NetFlow Tracker or change alarm
parameters, baselines are reset. NetFlow Tracker must “learn”
the normal network performance and generate new baseline
profiles.
Static baselines are static only after the status is Complete. When
status of a static baseline is Available, the baseline is still adjusting.
Note:
• Always enable the “Alarm only for persistent change” option
unless there is a specific reason to disable it.
• To disable Degraded alarms but leave Excessive alarms enabled,
set the Degraded threshold to match the Excessive threshold.
• If your network experiences poor performance that an alarm is
not identifying, decrease the threshold. If alarms are being
generated but the performance is acceptable, increase the
threshold.
Configuring Alarms
Use the Alarm List page (Settings > Configure Alarms) to manage and
create alarms. For each alarm, the name, type, template, exceeded
and degraded thresholds, filter, and persistent changes settings are
shown.
Options include:
• To view events triggered by an alarm, click . See “Viewing the
Event List” on page 79.
• To add a new alarm, click New. See “Creating an Alarm.”
• To edit an alarm, click its name.
• To delete an alarm, select its checkbox and click Delete.
Creating an Alarm
In NetFlow Tracker, you can create up to 100 alarms.
To create an alarm:
1 Select Main Menu > Settings > Configure Alarms.
2 Click New. The Create Alarm page is shown.
3 Enter a name.
4 Select an alarm type:
• Threshold Alarm—Indicates changes in performance. You can
use a baseline or specified values.
• Profile Alarm—Indicates changes in the network. You can use
a baseline only. Select a report template for the alarm.
5 Select a metric. Available metrics vary based on the alarm type
and, for Profile alarms, the report template:
• For Threshold alarms, select: Traffic Rate, Packet Rate,
Address Pair Rate, or Conversation Rate.
• For Profile alarms, select: Traffic Rate, Packet Rate,
Destination Address Count, or Conversation Count, and Source
Address Count.
6 Set the source device. If you need more than one device, click
Multiple. Then select devices in the left column and click > to
include them. Note: If you select multiple devices, some or all
traffic may be counted multiple times.
7 Select a filter and click Add. For more information, see Table 4 on
page 38.
8 Set Alarm only for persistent change to exclude alarms that do
not fall into a consistent pattern over a 20-minute period and
may represent random jumps in data.
9 Set the threshold type:
• Weekly Baseline—The baseline adjusts weekly, based on
current data. Adjust the slider to set the alarm sensitivity.
• Static Baseline—The baseline does not adjust once it is
complete. Adjust the slider to set the alarm sensitivity.
• Specified Values—Available only for Threshold alarms. Set the
degraded and exceeded thresholds.
For more information, see “Thresholds and Baseline Sensitivity.”
10 Click OK.
Viewing Events
Events are displayed at one-minute granularity. Events are removed
as real-time data is removed, by default after seven days. You can
view events in the following ways:
Options include:
• To view data in chart format based on the report template used,
click the alarm name.
• To view event data for a point in time, right-click and select from
the menu.
• Move the chart back and forward in time, zoom in and out, or
view the data in a table. For more information, see “Viewing Chart
Data” on page 42.
Viewing the Event List
Use the Event List to view events in table format. To access the page:
• Select Main Menu > All Events.
• From the Events Overview, select a time view and click (table icon)
to view events for that time.
• From the Event Details page, click OK.
The Event Lifecycle page shows the alarm name and type, the event
start and end time, duration, current status, initial and maximum
severity levels, and a bar chart showing status over its life. Four states
are:
• Exceeded— (Red) The conditions have surpassed the Excessive
threshold or baseline setting.
• Degraded— (Orange) The conditions have surpassed the
Degraded setting but have not reached the Excessive setting.
• Normal— (Green) The conditions have not reached the
Degraded setting.
• No Data— (Black) No data was available.
Click the chart to view data based on the selected alarm template.
The resulting chart shows performance against the Degraded and
Excessive thresholds for the alarm.
8: Optimizing NetFlow Tracker
Note
When using management portal settings, you must use
password protection to prevent the system from being
bypassed. See “Applying Security Settings” on page 26.
The portal’s proxy server sends a request to the NetFlow Tracker
server that selects the report and contains one of the configured
secret values and some access control parameters describing what the
user can access:
http://<NetFlow Tracker1>/report.jsp?portalsecret=<secret>&aclif=...
NetFlow Tracker creates a session for the portal and logs it in. This
session is restricted so that only requests containing access list
identifiers are accepted.
The portal’s proxy server sends the unaltered request to the correct
NetFlow Tracker server:
http://<NetFlow Tracker1>/report.jsp?portalacl=...
Command Definition
RewriteEngine On
    Enables the URL rewriting module.
RewriteRule ^/NetFlow Tracker1/report1$ http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L]
    Sets up a rule to proxy requests for
    http://<proxy>/NetFlow Tracker1/report1 to an access controlled
    request to the NetFlow Tracker server.
RewriteRule ^/NetFlow Tracker1/(.*)$ http://1.2.3.4/$1 [P,L,QSA]
    Sets up a rule to proxy any requests for URLs starting with
    http://<proxy>/NetFlow Tracker1/ to an equivalent request to the
    NetFlow Tracker server.
ProxyPassReverse /NetFlow Tracker1/ http://1.2.3.4/
    Makes sure that NetFlow Tracker handles the HTTP redirects correctly
    when it creates a session for the portal and logs it in.
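The portal-side half of this exchange, as an added example that is not code from NetFlow Tracker or from this guide: it builds the access-controlled report.jsp request from the portal's own entitlement data, drops any access-control or report-selection parameter the browser supplied, and redacts the secret before the URL is logged. The function names and the pass-through query are hypothetical; portalsecret, acldevice, templid and the sample values are the ones shown in the table.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAM = "portalsecret"               # parameter name from the guide
REPORT_SELECTORS = {"templid", "id", "cid"}  # the guide: never combine these
TEMPLATE_ID = re.compile(r"\d{4}|_flows")    # e.g. 0000, 0035, _flows


def is_portal_only(name):
    """True for parameters that only the portal itself may set."""
    lowered = name.lower()
    return (lowered.startswith("portal")      # portalsecret, portalacl
            or lowered.startswith("acl")      # acldevice, aclif, aclvpn, ...
            or lowered in REPORT_SELECTORS)


def build_report_url(tracker_base, secret, template_id, permitted_device,
                     client_query=""):
    """Build the upstream URL the portal's proxy sends to NetFlow Tracker.

    permitted_device comes from the portal's own records of what this user
    may see (hypothetical); client_query is the raw query string received
    from the browser and is treated as untrusted.
    """
    if not secret:
        raise ValueError("a portal secret is required")
    if TEMPLATE_ID.fullmatch(template_id) is None:
        raise ValueError(f"unexpected template id: {template_id!r}")
    # ip_address() raises ValueError on anything that is not a bare address,
    # so a value such as "4.3.2.1&acldevice=0.0.0.0" is rejected here.
    device = str(ipaddress.ip_address(permitted_device))

    # Keep only display parameters chosen by the user; the portal decides
    # the secret, the access list and the report template.
    passthrough = [(k, v)
                   for k, v in parse_qsl(client_query, keep_blank_values=True)
                   if not is_portal_only(k)]
    query = [(SECRET_PARAM, secret),
             ("acldevice", device),
             ("templid", template_id)] + passthrough
    base = urlsplit(tracker_base)
    return urlunsplit((base.scheme, base.netloc, "/report.jsp",
                       urlencode(query), ""))


def redact_for_log(url):
    """Copy of url that is safe to write to a proxy or application log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == SECRET_PARAM else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), ""))


if __name__ == "__main__":
    # Constructed browser query that tries to widen its own access.
    untrusted = "output=chart&acldevice=9.9.9.9&portalsecret=guess&templid=0035"
    upstream = build_report_url("http://1.2.3.4", "s3cr3t", "0000",
                                "4.3.2.1", untrusted)
    print(redact_for_log(upstream))
```

Because the secret travels in the query string, keep the proxy-to-server hop on a trusted segment and pass upstream URLs through redact_for_log wherever they are logged.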
IP Application Names
Use IP Application Names to apply custom applications and ports that
you want to track. You can define simple and grouped applications.
Simple applications
Grouped applications
NetFlow Tracker comes configured with the well-known ports in
addition to many others. For a list of all well-known and registered
ports, see http://www.iana.org/assignments/port-numbers.
Note
Do not change the identifier of an existing grouped application
because long-term data uses this. Use caution when deleting
grouped applications.
6 Click OK.
7 On the IP Application Names page, click OK.
DiffServ Names
Use DiffServ Names settings to assign names to each of the 64
differentiated service code points. Standard code point names are
already configured.
Hostname Resolution Settings
Use Hostname Resolution Settings to configure aspects of the
resolution of hostnames for addresses encountered on reports. These
names are kept to increase reporting speed and reduce the amount
of network traffic NetFlow Tracker generates when generating a
report. You can set the length of time to store resolved hostnames
and failed lookups in cache. You can also control the size of the cache
and the number of threads used to resolve hostnames.
Note:
• If hostname resolution is not working, click Defaults and then OK
to return to useful default values.
• To clear the cache of resolved hostnames, clear Enable hostname
resolution and click OK. Then return to the Hostname Resolution
settings page and check this setting again.
Subnet Names
Use Subnet Names to assign names to the IP subnets that appear in
reports. You define an IP subnet by its network address and mask
length. Subnet names you define here are shown in subnet reports.
Because routers may use different mask lengths to route different
traffic, you can assign names to overlapping subnets.
AS Names
Use AS Names to assign names to autonomous system (AS) numbers
appearing in reports.
• AS numbers from 0 to 34816 are assigned by several agencies;
NetFlow Tracker comes with many of these ASes already named.
You can, however, edit these.
• Numbers between 34816 and 64511 are held by the IANA and are
not available for use.
• Numbers from 64512 to 65535 are available for use.
To set AS names:
1 Select Main Menu > Settings > AS Names.
2 Enter an AS number. To assign or edit the name of a public or
reserved AS, click (more…).
3 Enter a unique subnet name.
4 Click Add. To delete a subnet, select its checkbox and click Delete.
5 Click OK.
Data Management and System Performance Monitoring
Use these settings to manage the database, back up and archive
data, allocate memory, and monitor system performance. Topics
include:
• Database Settings
• Backup
• Archiving
• Memory Settings
• Making Sure That Data is Received
Database Settings
Use Database Settings to improve the performance of reports and
charts and to change the number of days for which data is stored (see
Table 11).
Option Definition
Expect large result sets
    Controls how the database server manipulates raw data. Leave the
    default setting, Auto, to let the database optimize itself. If you
    have a fast disk subsystem, set this to Always to make sure reports
    with large amounts of data perform well. If you have a slower disk
    subsystem, a lot of RAM, and a relatively small amount of data,
    consider setting this to Never. Note, however, that reports with
    large amounts of data may take much longer to run.
Maximum in-memory temporary table size
    The maximum amount of memory the database server will use during a
    query when you set “Expect large result sets” to Never. Increasing
    this increases the amount of data that it can report before
    performance drops significantly.
Sort buffer size
    The size of the buffer used to reduce the number of disk seeks when
    sorting rows for grouping or final display. Increasing this improves
    reporting speed. You are unlikely to see any benefit for sizes above
    128MB.
Hold back real-time data for
    Set the number of seconds after its end that each one-minute sample
    of real-time data is held in RAM before being committed to disk. You
    may need to increase this to avoid ignored flows.
MySQL can not access temporary files
    Leave clear to improve the database performance. However, on Unix if
    the user you run as has a umask that creates temporary files that
    MySQL cannot read, check this setting.
Number of threads to use to generate a report
    Set the number of threads used to generate real-time charts over time
    and pie charts. Do not set this to more than the number of CPU cores
    in your system. You are unlikely to see any benefit beyond 4.
Store real-time data for
    Change the number of days full real-time data is stored for. Reduce
    this to save disk space. Increase this if you have enough free space.
Store long-term report data for...
    Change how long the different types of long-term data are stored.
    Each type of data allows a long-term chart to display blocks of that
    size. If the block size is not specified when opening a long-term
    report, then the closest available size to the ideal for the selected
    time range is used.
Use compression
    Reduce the amount of disk space used. Note: Reducing the disk space
    is likely to slow down report generation.
Backup
Use Backup settings to back up the configuration of your NetFlow
Tracker server and its real-time and long-term databases.
Note
A full backup can take a long time to complete and uses a large
amount of disk space. Test the effect a full backup has upon the
system before scheduling it.
To back up data:
1 Select Main Menu > Settings > Backup.
2 For a scheduled backup:
a Enter the scheduled time and days.
b Select the databases to include.
c Enter the destination folder on the NetFlow Tracker server.
d Click Add. To delete a scheduled backup, select its checkbox
and click Delete.
3 For an on-demand backup:
a Enter the destination folder on the server.
b Select the databases to include.
c Click Start.
4 Click OK.
To restore a backup:
1 Install your previous version of NetFlow Tracker. To obtain this,
contact Fluke Networks TAC.
2 On Windows, open a command prompt and issue the following
commands, replacing paths as appropriate. (<enter> means to
press the Enter key.)
c: <enter>
cd \nftracker <enter>
runany c:\nftracker c:\progra~1\java\j2re14~1.2_0 com.crannogsoftware.ulysses.CRestore -sourcefolder c:\nftbackup <enter>
On Linux, type the following commands in a terminal, again
replacing paths as appropriate:
cd /usr/local/nftracker <enter>
./runany com.crannogsoftware.ulysses.CRestore -sourcefolder /var/nftbackup <enter>
chown -R nft:nft .systemPrefs
chown -R mysql:mysql /var/lib/mysql/crannog_ulysses
chown -R mysql:mysql /var/lib/mysql/crannog_ulysses_longterm
Archiving
Use Archiving settings to archive real-time data instead of deleting it
when it exceeds the length of storage time configured in Database
Settings. You can set the archive location and access archived data by
mounting the archive containing the data you want to examine and
using the Filter Editor.
Note:
• You must enable archiving for each device that you want to
archive data from in Device Settings. See “Database Settings” on
page 89.
• Archived data is not deleted. You must move archived data to
long-term storage in a timely manner.
• You cannot mount an archive from a device that was deleted or
was never present on the server.
• Mounting and unmounting archives does not affect the archive
file itself.
• You can restore archived data from NetFlow Tracker v4.0.
You can store all archives in the archive folder or in subfolders for
each device or day.
To mount an archive:
1 Select Main Menu > Settings > Archiving.
2 Under Mount Archives, enter the directory containing the archive
and click List.
3 Select archives and click Mount. When archives are mounted they
appear under Currently Mounted Archives. To unmount these,
select and click Unmount.
4 Click OK.
Memory Settings
Use Memory Settings to control the amount of initial and maximum
memory used by NetFlow Tracker. During normal operation, NetFlow
Tracker uses a small amount of memory, so in most cases you do not
need to change the default settings.
A: Setting up NetFlow on Network Devices
Topics include:
• Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch
• Configuring NetFlow Input Filters for Traffic Class Reporting
• Enabling Flow Detail Records on a Packeteer Device
• Enabling NetFlow on an Enterasys Device
• Enabling sFlow on a Foundry Device
Command Definition
ip cef
    Enables Cisco Express Forwarding, which is required for NetFlow in
    most recent IOS releases.
ip flow-export destination <address> 2055
    Use the address of your NetFlow Tracker server and one of the ports
    configured in the Listener Ports settings page. Port 2055 is
    monitored by default.
ip flow-export source loopback 0
    The source interface is used to set the source IP address of the
    NetFlow exports that the router sends. NetFlow Tracker makes SNMP
    requests of the router on this address. If you experience problems,
    set the source interface to an Ethernet or WAN interface instead of
    the loopback.
ip flow-export version 5 [peer-as | origin-as]
or
ip flow-export version 9 [peer-as | origin-as]
    Sets the export version. NetFlow Tracker supports IOS versions 5 and
    9. If you have a Native IOS switch you may need to use version 9 to
    work around an issue. If your router uses BGP, you can include the
    origin or peer ASes in exports. You cannot include both.
    Note: Enabling or disabling NetFlow versions 5 or 9 on a 12000 series
    router causes packet forwarding to stop for a few seconds while the
    route processor and line card CEF tables reload. To avoid
    interruption of service to a live network, apply this command during
    a change window, or include it in the startup-configuration file to
    be executed during a router reboot.
ip flow-cache timeout active 1
    Breaks up long-lived flows into one-minute segments.
ip flow-cache timeout inactive 15
    Makes sure that flows that have finished are exported in a timely
    manner.
Table 12 IOS NetFlow Commands (continued)
Command Definition
interface <interface>
ip route-cache flow
or ip flow ingress
or ip route-cache cef
bandwidth <kbps>
exit
    Enable NetFlow on each interface through which the traffic you are
    monitoring flows (normally the Ethernet and WAN interfaces). Note:
    There are several commands to enable NetFlow on an interface and you
    must use the same command for every interface.
    ip route-cache flow and ip flow ingress enable NetFlow for inbound
    traffic on the interface, but you apply the latter to individual
    sub-interfaces and the former to the physical interface. Do not
    enable NetFlow for a physical interface and one or more of its
    sub-interfaces.
    ip flow egress enables NetFlow for outbound traffic on the interface
    and is required if you are using input filters. You may enable
    NetFlow for both inbound and outbound traffic on a single interface.
    In this case, make sure that no other interface has NetFlow enabled.
    Egress NetFlow is also useful if you are monitoring a router that
    applies QoS to the traffic it routes. By using egress NetFlow, you
    see QoS settings that the router applied rather than those on the
    traffic before it was routed.
    You may also need to set the speed of the interface in kilobits per
    second. It is important to do this for frame relay or ATM virtual
    circuits. Note: A Catalyst 4000 series switch does not support any of
    the commands to enable NetFlow for an interface. Instead, NetFlow is
    enabled for all interfaces using the following special command.
show ip flow export
    Shows the current NetFlow configuration. Issue this in normal (not
    configuration) mode.
show ip cache flow
or
show ip cache verbose flow
    These commands issued in normal mode summarize the active flows and
    indicate how much NetFlow data the router is exporting.
Command Definition
mls netflow
    Enables NetFlow on the supervisor.
mls nde sender version 5
or
mls nde sender version 7
    Sets the export version. Due to IOS issues, the export version you
    must use on the supervisor depends on your hardware configuration and
    IOS version:
    Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E,
    12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5. Note:
    This configuration causes Performance Counters to report missed flows
    that are not actually missed as a result of an IOS bug fixed in the
    SXF strains.
    Distributed Forwarding Cards and older than 12.1(13)E03, 12.1(18.1)E,
    12.2(13.6)S, 12.2(15.1)S or 12.2(17a)SX: This configuration causes
    serious problems. Contact Fluke Networks TAC if your device matches
    this description.
    No Distributed Forwarding Cards and 12.0(24)S, 12.2(18)S, 12.3(1) or
    above: Use version 5 and configure the MSFC to export version 9 as
    described above.
    No Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E,
    12.2(13.6)S, 12.2(15.1)S, 12.2(17a)SX or above: Use version 5.
    All others: Use version 7. Note: Version 7 may not include AS or
    subnet mask information.
mls aging long 64
    Breaks up long-lived flows into one-minute segments.
mls aging normal 32
    Makes sure that completed flows are exported in a timely manner.
mls flow ip interface-full
mls nde interface
or
mls flow ip full
    If you have a Supervisor Engine 2 or 720 running IOS version
    12.1.13(E) or higher, you must use the first two commands to put
    interface and routing information into the NetFlow Exports. This
    information is unavailable with any earlier IOS version on the
    Supervisor Engine 2 or 720.
    If you have a Supervisor Engine 1, use the third command to put full
    information into the NetFlow Exports.
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
    A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for this
    command, which enables NDE for all traffic within the specified VLANs
    rather than just inter-VLAN traffic.
device as for an IOS device, omitting the command ip route-cache
flow on each interface, and then issue the following command:
ip route-cache flow infer-fields
Command Definition
set system name <name>
    In privileged mode on the Supervisor Engine, issue this to enable NDE:
    Set the name of your switch. Note: Even if the prompt has been set to
    the name of the switch you still need this command.
set mls nde <address> 2055
    Use the address of the NetFlow Tracker server and one of the ports
    configured in the Listener Ports settings page. Port 2055 is
    monitored by default.
set mls nde version 7
    Sets the export version. Version 7 is the most recent full export
    version supported by switches.
set mls agingtime long 64
    Breaks up long-lived flows into one-minute segments.
set mls agingtime 32
    Makes sure that completed flows are exported in a timely manner.
set mls flow full
    Sets the flow mask to full flows. This is required to get useful
    information from the switch.
set mls bridged-flow-statistics enable <vlanlist>
    CatOS 7.(2) or higher is required for this command, which enables NDE
    for all traffic within the specified VLANs rather than just
    inter-VLAN traffic.
set mls nde enable
    Enables NDE.
show mls nde
show mls debug
    These commands help debug your NDE configuration.
Command Definition
flow-sampler-map allflows
mode random one-out-of 1
exit
    Create a flow sampler that exports every flow record.
policy-map netflowpolicymap
class <class>
netflow-sampler allflows
exit
exit
    Create a policy map containing NetFlow sampling actions. You must
    include each class for which you want information.
interface <interface>
service-policy input netflowpolicymap
exit
    Associate the policy map with an interface. You must associate the
    policy map with each NetFlow-enabled interface from which you want
    traffic class information.
To enable Flow Detail Records:
1 Log in to the PacketShaper in touch mode.
2 Open the flow detail records page on the setup tab.
3 In a collector row, enter the IP address of the NetFlow Tracker
server and one of the ports configured in Listener Ports settings
(2055 is monitored by default). Packeteer-1 is the recommended
record type for use with NetFlow Tracker. Packeteer-2 is not
recommended because NetFlow Tracker does not use the extra
information and bandwidth is wasted.
You can also export NetFlow v5 records. This prevents the Traffic
Classes and Identified Applications reports and filters from
functioning for the device.
4 Set the value under Enabled to on and click apply changes.
5 To make sure that NetFlow Tracker receives enough information
from the PacketShaper device, verify that the Look Community
String configured in the SNMP page is set up in SNMP Settings,
and set Packeteer-0 Packets to on in the system variables page.
6 If you have a recent version of PacketWise, you may need to
change extra settings on the system variables page. Set
Intermediate FDR to on, Intermediate FDR Timeout to 30000
milliseconds, and Reset Packeteer 1/2 counters to on. If these
settings are not available, then the PacketShaper describes all
traffic for a long-lived flow in one record, and NetFlow Tracker
counts it all in the minute during which the flow ended. This
leads to large spikes in charts for the device.
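The effect described in step 6, which is also why the Cisco and Enterasys settings in this appendix break long-lived flows into one-minute segments, can be reproduced in a few lines. This is an added example, not part of the product: it assumes a constant-rate flow and that every record is charted in the minute in which it ends; all names and numbers are constructed.

```python
from collections import defaultdict

MINUTE = 60  # seconds; real-time charts use one-minute samples


def export_records(start_s, end_s, bytes_per_s, interval_s=None):
    """Records an exporter emits for one constant-rate flow.

    Each record is (start_s, end_s, byte_count). With interval_s=None the
    exporter describes the whole flow in a single record when it ends;
    otherwise it emits an intermediate record every interval_s seconds
    (30 for an Intermediate FDR Timeout of 30000 milliseconds).
    """
    if end_s <= start_s:
        raise ValueError("flow must have a positive duration")
    step = interval_s if interval_s else end_s - start_s
    records, t = [], start_s
    while t < end_s:
        nxt = min(t + step, end_s)
        records.append((t, nxt, (nxt - t) * bytes_per_s))
        t = nxt
    return records


def per_minute_bytes(records):
    """Chart buckets: all bytes of a record land in the minute it ended.

    The end timestamp is treated as exclusive, so a record ending exactly
    on a minute boundary belongs to the minute that just finished.
    """
    buckets = defaultdict(int)
    for _start, end_s, nbytes in records:
        buckets[(end_s - 1) // MINUTE] += nbytes
    return dict(buckets)


def misplaced_records(records):
    """Records spanning more than one sample; their bytes are charted late."""
    return [r for r in records if r[1] - r[0] > MINUTE]


def spike_factor(buckets, duration_s):
    """Highest charted minute divided by the flow's true per-minute average."""
    true_average = sum(buckets.values()) / (duration_s / MINUTE)
    return max(buckets.values()) / true_average


if __name__ == "__main__":
    # Constructed flow: ten minutes at a steady 1000 bytes per second.
    single = export_records(0, 600, 1000)
    segmented = export_records(0, 600, 1000, interval_s=30)
    print("one record:  ", per_minute_bytes(single))
    print("intermediate:", per_minute_bytes(segmented))
    print("spike factor:", spike_factor(per_minute_bytes(single), 600))
```

A spike that coincides with records returned by misplaced_records reflects how the exporter reported the flow and not a burst on the wire.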
Command Definition
set netflow cache enable
    Enables NetFlow.
set netflow export-destination <address> 2055
    Use the address of your NetFlow Tracker server and a configured port
    in the Listener Ports settings page. Port 2055 is monitored by
    default.
set netflow export-interval 1
    Breaks up long-lived flows into one-minute segments.
set netflow port <port-string> enable
    You must enable NetFlow on each interface through which traffic you
    are monitoring flows, normally the Ethernet and WAN interfaces.
set netflow export-version 9
    Sets the export version. Version 9 is required for NetFlow Tracker to
    associate NetFlow information with the interfaces it relates to.
Command Definition
(config)# sflow enable
    Enable sFlow globally
(config)# sflow destination x.x.x.x
    Configure a destination
(config)# interface eth 1
or
(config)# interface eth 1 to 48
    Enable sFlow on a port or ports
B: Report Templates
When you create a report or chart you can choose from the report
templates, depending on the type of data you want to examine.
• Address Reports
• Session Reports
• QoS Reports
• Network Reports
• Interface Reports
• Traffic Identification Reports
• Full Flow Forensics Reports
• Other Reports
Address Reports
Report Shows...
Source Addresses The IP addresses that were the source of most traffic
or packets.
Destination Addresses The IP addresses that were the destination of
most traffic or packets.
Addresses Busiest addresses. Includes total traffic, source traffic,
destination traffic, total packets, source packets, and
destination packets. For each metric, includes
percentage of total traffic.
Address Pairs The pairs of connected IP addresses that exchanged
most traffic or packets.
Bi-directional Address Pairs In extra columns, the traffic and packets
sent from destination to source for each address pair.
Source Address Dissemination The source addresses that conversed with
the most distinct destination addresses and that were involved
in the most distinct endpoint-to-endpoint
conversations. This can help detect file sharing or
virus-infected hosts.
Destination Address Popularity The destination addresses that conversed
with the most distinct source addresses and that were
involved in the most distinct conversations.
Session Reports
Report Shows...
Protocols The IP protocols, such as TCP or UDP, used by most
traffic or packets.
Source Applications The IP applications that were the source of the most
traffic or packets. An IP application is a combination
of an application port and protocol: for example,
HTTP or FTP. You can assign names to applications
using the IP Application Names settings page.
Examining the source applications inwards on an
interface can show you what applications are using
your Internet bandwidth.
Destination Applications The IP applications that were the destination of most
traffic or packets. The destination applications
outwards can show the most requested applications
on a link.
Recognized Applications The IP applications that were the source or
destination of most traffic or packets. Whether the
application was the source or destination depends on
whether it has a name defined in the IP Application
Names settings page or, if both or neither have
names, which has the lower port number.
Conversations The pairs of connected endpoints that exchanged
most traffic or packets. A single conversation
represents, for example, a web browser downloading
a single image.
Bi-directional Conversations In extra columns, the traffic and packets
sent from destination to source for each conversation.
Source Endpoints The IP addresses and corresponding applications that
were the source of most traffic or packets. The top
source endpoints inwards on a link are the remote
services using your bandwidth.
Destination Endpoints The IP addresses and corresponding applications that
were the destination of most traffic or packets.
Server-Client Sessions The pairs of connected source endpoints and
destination addresses that exchanged most traffic or
packets. A session might represent, for example, a
web browser downloading several web pages with
images from a web server.
Client-Server Sessions The pairs of connected source addresses and
destination endpoints that exchanged the most
traffic or packets. A session could represent a client’s
requests to a web server for several pages and
images.
Sessions Source and destination address, application, traffic,
percentage of total traffic, packets, and percentage
of total packets.
Bi-directional Sessions Data in Sessions report, plus forward and reverse
traffic and packets.
QoS Reports
Report Shows...
Types of Service The ToS levels with most traffic or packets.
Differentiated Services The DiffServ code points with most traffic or packets.
Network Reports
Report Shows...
Source ASes The autonomous systems that were the source of
most traffic or packets. Note: A switch does not know
anything about ASes.
Destination ASes The autonomous systems that were the destination
of most traffic or packets.
ASes Busiest ASes. Includes total traffic, source traffic,
destination traffic, total packets, source packets, and
destination packets. For each metric, includes
percentage of total traffic.
AS Pairs The pairs of connected ASes that exchanged most
traffic or packets.
Bi-directional AS Pairs In extra columns, the traffic and packets sent from
destination to source for each AS pair.
Source Networks The IP subnets that were the source of most traffic or
packets. Note: A router may not know the subnet of
a particular address and a switch never knows it.
Destination Networks The IP subnets that were the destination of most
traffic or packets.
Network Pairs The pairs of connected IP subnets that exchanged
most traffic or packets.
Bi-directional Network Pairs In extra columns, the traffic and packets
sent from destination to source for each network pair.
Interface Reports
Report Shows...
In Interfaces The router interfaces or switch ports that were the
arrival point of most traffic or packets. Note: This is
only meaningful for the outwards direction.
Out Interfaces The router interfaces or switch ports that were the
departure point of most traffic or packets. Note: This
is only meaningful for the inwards direction.
Interface Pairs In and out interfaces, in and out percentage of
usage, traffic, percentage of total traffic, packets,
and percentage of packets for devices.
VPNs The VPNs with most traffic or packets. You must
associate interfaces with VPNs in Device Settings for
this report to function.
Next Hops The next-hop addresses that received most traffic or
packets. Note: Only a router can supply a next-hop
address.
Other Reports
Report Shows...
Total Address Pairs Total number of address pairs.
Total Conversations Total number of conversations.
Total Traffic, percentage of total traffic, packets, and
percentage of total packets.
C: Report URL Parameters
Parameter Specifies...
templid The report template to use.
id The long-term report to open.
others That a tabular view shows an “others” row instead of a page navigator.
resolve How domain names will be handled in a report with an IP address column.
Parameter Specifies...
stime The start of the required time range.
nunitsago The number of units before the time of report generation the time range should end.
date_unit The unit to measure how long before the report is generated the time range starts
and ends.
sdate_unit The unit to measure how long before the report is generated the time range starts.
sdate_nunitsago The number of units before the time of report generation of the first day of the time
range.
edate_unit The unit to measure how long before the report is generated the time range ends.
edate_nunitsago The number of units before the time of report generation of the last day of the time
range.
stime The time of day at which the time range starts (simple calendar).
etime The time of day at which the time range ends (simple calendar).
outif A permitted output interface, thus selecting outbound traffic on the interface.
if A permitted input or output interface of the flow, thus selecting traffic passed in both
directions across the interface.
invpn A Virtual Private Network (VPN) that the input interface must be part of.
Table 18 Customizable Filter Parameters (continued)
Parameter Specifies...
vpn A VPN that either interface must be part of.
Parameter Specifies...
aclvpn A permitted VPN.
General Format
http://<server>:<port>/report.jsp?prm=value&prm=value...
Report Parameters
templid – specifies the report template to use. Do not use this
parameter with id or cid.
0003 Protocols
0006 Source Applications
0007 Destination Applications
0008 Source Endpoints
0009 Destination Endpoints
0010 Server-Client Sessions
0011 Client-Server Sessions
0012 Conversations
0013 Types of Service
0014 Differentiated Services
0015 Source ASes
0016 Destination ASes
0017 AS Pairs
0018 Source Networks
0019 Destination Networks
0020 Network Pairs
0021 In Interfaces
0022 Out Interfaces
0023 Next Hops
0024 Source Address Dissemination
0025 Destination Address Popularity
0026 Recognized Applications
0027 Traffic Classes
0028 Identified Applications
0029 Bi-directional Address Pairs
0030 Bi-directional Conversations
0031 Bi-directional AS Pairs
0032 Bi-directional Network Pairs
0033 Total
0034 VPNs
0035 Addresses
0036 Endpoints
0037 Networks
0038 ASes
0039 Sessions
0040 Bi-directional Sessions
0041 Interface Pairs
_flows Full flows
output – specifies the type of report to generate: tabular or chart.
<sections> The sections, formed by summing the values for each section
1 Title
2 Time range & filter description
4 Main report or chart body
8 Chart title, if applicable
16 Chart legend, if applicable
32 Result information, if applicable
-<sections> The sections that are not displayed
<features> The features, formed by adding the values for each feature
1 Navigation Menu
2 Select All button, if applicable
4 Zoom In button, if applicable
8 Zoom Out button, if applicable
48 Open as Tabular Report, Chart or Pie buttons as
applicable
64 Filter Editor button, if applicable
128 Refresh and Resolve All buttons, if applicable
256 Print and CSV buttons, if applicable
512 Open in New Window button
1024 Drilldown controls
2048 Direct drilldown links (found in navigation reports)
4096 Page navigator
8192 Sortable column headers
16384 Chart scrollbar
32768 Chart selection headers
65536 Time range editor, if specified
-<features> The features that are not displayed
true The splash screen is shown if it has not already been shown
(default).
false The splash screen is not shown.
etime – specifies the end of the required time range.
hour Hours
day Days
week Weeks
mon Weeks starting on a Monday
tue Weeks starting on a Tuesday
wed Weeks starting on a Wednesday
thu Weeks starting on a Thursday
fri Weeks starting on a Friday
0 The time range will end at end of the current unit at the time of
report generation; this is likely to be later than the time of report
generation
1 The time range will extend to the end of the last full unit before
the time of report generation (default)
<number> The time range will extend to the end of this number of full units
before the time of report generation
date_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range starts and ends.
day Days
week Weeks
mon Weeks starting on a Monday
tue Weeks starting on a Tuesday
wed Weeks starting on a Wednesday
thu Weeks starting on a Thursday
fri Weeks starting on a Friday
sat Weeks starting on a Saturday
sun Weeks starting on a Sunday
month Months
quarter Quarters
halfyear Half-years
year Years
1 The first day of the time range is the first day of the current
unit at the time of report generation (default)
<number> The first day of the time range is at the start of this number of
full units before the time of report generation
0 The last day of the time range is the first day of the unit
following the current unit at the time of report generation
1 The last day of the time range is the first day of the current unit
at the time of report generation (default)
<number> The time range extends to the end of this number of full units
before the time of report generation
stime – specifies the time of day at which the time range starts.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes
etime – specifies the time of day at which the time range ends.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes
<day1>-<day2>/<time1>-<time2>
    The range of weekdays and the times on those weekdays to include in
    the mask. A weekday is SUN, MON, TUE, WED, THU, FRI or SAT, day2
    coming on or after day1 in the list above. Time is in the 24-hour
    form hh:mm, and time2 is after time1.
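A validator for this mask format, as an added example and not NetFlow Tracker's own parser. It assumes the start time is inclusive and the end time exclusive, which the guide does not state; the function names are hypothetical.

```python
import re
from datetime import datetime, time

# Weekday order exactly as the guide lists it; day2 must not precede day1.
WEEKDAYS = ("SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT")
MASK_RE = re.compile(r"([A-Z]{3})-([A-Z]{3})/(\d{2}):(\d{2})-(\d{2}):(\d{2})")


def parse_time_mask(text):
    """Parse <day1>-<day2>/<time1>-<time2> into (first, last, time1, time2).

    first and last are indexes into WEEKDAYS. Raises ValueError for any
    value that breaks the rules given in the guide.
    """
    match = MASK_RE.fullmatch(text.strip().upper())
    if match is None:
        raise ValueError(f"not in <day1>-<day2>/<time1>-<time2> form: {text!r}")
    day1, day2 = match.group(1), match.group(2)
    for day in (day1, day2):
        if day not in WEEKDAYS:
            raise ValueError(f"unknown weekday: {day!r}")
    first, last = WEEKDAYS.index(day1), WEEKDAYS.index(day2)
    if last < first:
        raise ValueError(f"{day2} comes before {day1} in the weekday list")
    # time() itself rejects hours above 23 and minutes above 59.
    time1 = time(int(match.group(3)), int(match.group(4)))
    time2 = time(int(match.group(5)), int(match.group(6)))
    if time2 <= time1:
        raise ValueError("time2 must be after time1")
    return first, last, time1, time2


def in_mask(mask, moment):
    """True if the datetime falls on a masked weekday within the time window."""
    first, last, time1, time2 = mask
    # datetime.weekday() counts from Monday=0; the guide's list starts at SUN.
    day = (moment.weekday() + 1) % 7
    return first <= day <= last and time1 <= moment.time() < time2


if __name__ == "__main__":
    business_hours = parse_time_mask("MON-FRI/09:00-17:30")
    # Constructed timestamps: 4 August 2008 was a Monday.
    for stamp in (datetime(2008, 8, 4, 9, 0), datetime(2008, 8, 3, 12, 0)):
        print(stamp.isoformat(), in_mask(business_hours, stamp))
```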
2 (GMT-10:00) Hawaii
3 (GMT-09:00) Alaska
4 (GMT-08:00) Pacific Time (US & Canada); Tijuana
15 (GMT-07:00) Arizona
25 (GMT-06:00) Saskatchewan
56 (GMT-04:00) Santiago
60 (GMT-03:30) Newfoundland
65 (GMT-03:00) Brasilia
75 (GMT-02:00) Mid-Atlantic
80 (GMT-01:00) Azores
193 (GMT+05:45) Kathmandu
possible. You can specify a different sample size to show, for example,
a day in hour-long samples or a month in day-long samples.
minute Minutes
hour Hours
day Days
week Weeks
month Months
quarter Quarters
halfyear Half-years
year Years
halfyearly Half-yearly data (one-day samples) are used
yearly Yearly data (two-day samples) are used
Filter Parameters
You can apply any number of filters to a report. Each filter is a set of
acceptable values for a certain aspect of the source data. If you do
not specify a filter, then all values are accepted.
Note: The filters that you can apply to a long-term report depend
upon the report’s type.
<name> The VPN name; see Device Settings for more information
<id> The VPN identifier
outvpn – specifies a VPN that the output interface must be part of.
Format as for invpn above.
vpn – specifies a VPN that either interface must be part of. Format as
for invpn above.
dstaddr – specifies a permitted destination address. Format as for
srcaddr above.
<name> The identified application name; see Device Settings for more
information
<id> The identified application identifier
applid_exclude=true – specifies that the supplied identified
applications are excluded rather than included.
<name> The traffic class name. See “Applying Traffic Class IDs” on page 21.
<id> The traffic class identifier
net_exclude=true – specifies that the supplied source or
destination subnets are excluded rather than included.
Security Parameters
If a username and password are required to access a report, you can
specify them in the URL.
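A report URL that carries credentials is recorded wherever URLs are recorded, such as web server and proxy logs. As an added example, not part of the guide or of NetFlow Tracker, this scrubber redacts the j_username and j_password URL parameters named in this guide from log lines before they are stored or shared; the function names, the /report path, the host and the sample log line are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"j_username", "j_password"}
# Any whitespace- or quote-delimited token that contains a query string.
_URL_TOKEN = re.compile(r'[^\s"]+\?[^\s"]+')


def redact_report_url(url, placeholder="REDACTED"):
    """Return (url with credential values replaced, sorted names found)."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes names, so j%5Fpassword is caught as well.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = sorted({k for k, _ in pairs if k.lower() in SENSITIVE})
    if not found:
        return url, []          # leave unrelated URLs byte-for-byte intact
    cleaned = [(k, placeholder if k.lower() in SENSITIVE else v)
               for k, v in pairs]
    query = urlencode(cleaned, safe=":")   # keep hh:mm values readable
    return urlunsplit(parts._replace(query=query)), found


def scrub_line(line):
    """Redact every credential-bearing URL or request path in one log line."""
    hits = []

    def _fix(match):
        try:
            redacted, found = redact_report_url(match.group(0))
        except ValueError:      # token is not a parseable URL; leave it alone
            return match.group(0)
        hits.extend(found)
        return redacted

    return _URL_TOKEN.sub(_fix, line), sorted(set(hits))


# Constructed access-log line; not output from a real server.
SAMPLE = ('10.0.0.5 - - [constructed] "GET /report?stime=09:00'
          '&j_username=ops&j_password=s3cret%21 HTTP/1.1" 200')

if __name__ == "__main__":
    print(scrub_line(SAMPLE))
```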
Management Portal Access Control Parameters
aclid – specifies a permitted long-term report.
15 ToS
16 DiffServ
17 Source AS
18 Dest AS
19 Src/Dest AS
20 Source Subnet
21 Dest Subnet
22 Src/Dest Subnet
23 Source Mask
24 Dest Mask
25 Src/Dest Mask
26 Recognised Application
27 Traffic Class
28 Identified Application
29 VPN
30 In VPN
31 Out VPN
D: File Formats
The third section starts with the title of each column, separated by a
comma. Each following line in the section is a row with each value
separated by a comma, and text values contained within double
quotes. There are several differences between a report viewed in a
browser and one converted to CSV. In CSV format all rows are
included, information normally available by hovering the mouse over
a label is unavailable, and traffic and packets passed are output as
simple counts rather than rates.
XML Format
You can convert every standard chart and tabular report to XML for
use in external software. The XML schemas are in the xml subfolder
underneath the NetFlow Tracker installation folder.
The root of each XML document contains the report title. The first tag
in the root contains data about the NetFlow Tracker version that
generated the document.
The next tag contains data about the filter applied to the report. The
time range is set as a start and end in both milliseconds UTC and year,
month, day, hour, etc. The number of milliseconds spanned by the
time range is provided, taking into account the time mask applied, if
any.
The final tag describes each charted element, or dataset. Each dataset
has a value for each description column (unless it is marked as being
an “others” dataset) and a value for each summary column. This is
followed by the start and end time and value for each sample that
makes up the dataset.
The second section describes each row in the table. If the number of
rows is restricted, the attributes of the result tag provide the start
result, number of results output and the total number of results in
the report. Each result contains a value for each column.