
Geek Speak

37 Posts authored by: brad.hale

Welcome to SolarWinds' inaugural IT Blog Spotlight column, where we will share some of our favorite IT blogs and the geeks behind them.

 

Tom Hollingsworth is a network engineer based in Oklahoma City who has a lot of letters after his name (CISSP, CCNA, CCDA, CCNP, CCDP, CCVP, CCSP, CQS: Unity Support & Design, CQS: Rich Media, CQS: UCCX, CDCNISS, MCSE 2000: Messaging & Security, Novell Master CNE, HP Procurve Master ASE: Convergence, A+, Network+, Security+, Linux+, Project+, and VMWare VCP). Tom started The Networking Nerd in 2010 because he was looking for an avenue to express his thoughts on all things IT in more than 140 characters.

 

Tom tries to balance his blog posts between his own opinions and training and educating those interested in the IT space through overviews and technology deep dives. His most popular post is When Is A Trunk Not A Trunk?

 

When asked what the top 5 tools a network engineer needs in their toolbox are, he came up with this list:

  • Network discovery tool such as an IP network browser to footprint a network
  • Notetaking software to document everything
  • Terminal client to make serial connections, such as PuTTY, Tera Term, or iTerm2 and ZTerm for Mac fans
  • Social Media – you can solve a lot of problems on Twitter
  • NetFlow monitor (of course we recommend SolarWinds Real-Time NetFlow Analyzer or NetFlow Traffic Analyzer)

 

We think this educational, opinionated, and humorous blog is worth checking out!


Tom Hollingsworth.png

Connect with Tom:

URL: networkingnerd.net

Twitter handle: @networkingnerd

Google+


If you've got an IT blog that you would like in the SolarWinds IT Blog Spotlight, send us the link and we'll check it out.

Network administrators are constantly faced with the challenge of ensuring network and infrastructure availability and performance at all times. Outage, downtime, latency, and faults on network devices will significantly affect business-critical applications and ultimately the bottom line. As network administrators, it is critical that you have the following information available at all times:

 

  1. Network Availability - by monitoring the up/down status of network nodes, and analyzing real-time and in-depth network availability statistics, you can quickly view the availability of your core IT services and data center
  2. Network Fault - identify network faults by monitoring statistics such as bandwidth utilization, packet loss, latency, errors, discards, quality of service, disk space, CPU load, and memory utilization
  3. Network Performance - identify and analyze performance bottlenecks by monitoring various performance metrics, counters, and statistics over time, using device-critical information such as resource utilization, network traffic, and throughput

 

 

Through the use of automated tools, network administrators can simplify the collection of this critical information for more effective network management. When assessing a network availability, fault, and performance monitoring tool, you will want to ensure that it provides the following:

 

  1. Intelligent Network Alerting – create and send alerts to respond to different network scenarios.  Look for the ability to define device dependencies; configure alerts for correlated events, sustained conditions, and complex combinations of device states; and escalate through a variety of delivery methods.
  2. Customizable Reporting – out-of-the-box and customizable reports that can be automated and exported.
  3. Intuitive Dashboards - view performance metrics in easy-to-understand charts and graphs that let you drill down to the root cause of an issue, and customize views to focus on issues that cross predefined thresholds.

 

 

 

SolarWinds Network Performance Monitor (NPM) is a best-of-breed network monitoring software that integrates these three elements and offers a single unified and intuitive web console from which you can monitor your network nodes, drill down to analyze issues, and be alerted if any performance metric is behaving differently than expected. Having the control to be alerted/notified on issues and warnings, you can be in a better position to provide both strategic and tactical solutions to your network issues quickly and effectively.

 

Network Node Availability.png

               SolarWinds NPM showing Network Node Availability Stats


Network Interface Availability.png

                         SolarWinds NPM showing Network Interface Availability Stats for each Node         


Top 10 Nodes.png

                         SolarWinds NPM showing Network Interface Availability Stats for each Node    


Node Details.png

        SolarWinds NPM showing performance metrics and charts on the performance of a router 


Download a free fully functional 30-day trial of SolarWinds Network Performance Monitor.             



Welcome to the SolarWinds NetFlow v9 Datagram Knowledge Series. This is a seven-part series of blogs that gives the IT professional a basic understanding of how flow technology works, specifically Cisco’s NetFlow v9, what metrics are captured, and how they are interpreted to help you perform comprehensive network traffic monitoring.


Today's topic is an overview of SolarWinds NetFlow Traffic Analyzer.


SolarWinds NetFlow Traffic Analyzer (NTA) monitors network traffic by capturing flow data from network devices, including Cisco® NetFlow v5 or v9, Juniper® J-Flow, IPFIX, sFlow®, and Huawei NetStream™. It identifies which users, applications, and protocols are consuming the most bandwidth and highlights the IP addresses of the top talkers.

 

SolarWinds NTA is an effective network traffic monitoring software that helps you capture Cisco NetFlow (v5 or v9) data from continuous streams of network traffic passing through NetFlow-enabled network devices and convert the raw metrics of the Export Packet into easy-to-interpret charts and tables that quantify exactly how, by whom, and for what purpose the corporate network is being used.

 

NTA NetFlow Collector.png

 

Intelligent and Intuitive Dashboards

 

You can view key metrics in ‘summary’ or in ‘detail’ in the following categories:

  • Applications
  • Conversations
  • Countries
  • Endpoints
  • IP Address Groups
  • Protocols
  • Receivers
  • Types of Service
  • Transmitters
  • Border Gateway Protocol (BGP)

 

You can also access the data most critical to your network instantly by setting up Cisco NetFlow (v5 or v9) network traffic views.


Alerting and Reporting in SolarWinds NTA

 

  • Set predefined thresholds and customize when, on what condition or threshold, and how you want to receive alerts
  • You can automate scheduling reports and leverage the reports available out of the box for instant use. SolarWinds NTA includes out-of-the-box reports for:
    • Top 100 Applications
    • Top 100 Conversations
    • Top 100 Conversations including applications
    • Top 20 Traffic Destinations By Domain
    • Top 20 Traffic Sources By Domain
    • Top 5 Protocols
    • Top 5 Traffic Destinations By IP Address Group
    • Top 5 Traffic Sources By IP Address Group
    • Top 50 Endpoints
    • Top 50 Endpoints by Unique Partners
    • Top 50 Receivers
    • Top 50 Receivers by Unique Partners
    • Top 50 Transmitters
    • Top 50 Transmitters by Unique Partners

 

  NTA Dashboard Screenshot:


Screen Shot 2012-09-05 at 11.01.22 AM.png


Part 1 - NetFlow Overview

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

For a detailed overview and specification on NetFlow you can visit this Cisco NetFlow Version 9 Flow-Record Format page.

 

Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo, or download a free fully functional 30-day trial.

 

NTA_Netflow_WP.png



As of the publication of this article, this table represents a list of Cisco devices, the IOS version, and the version of NetFlow supported.  It is not intended to be a comprehensive or final list and should be used for reference only.  Please refer to your specific Cisco model for the latest updates.

 

IOS Family | IOS Version | Supported NetFlow Versions | Supported Cisco Models | Cisco Release Notes
12.0 Family | 12.0S | V5, V9 | 7000 Series, 7200 Series, 7500 Series, 10000 Series, 10720 Internet Router, 12000 Series | Link
12.0 Family | 12.0ST | V5, V9 | 7200 Series, 7500 Series, 10000 Series, 10720, 12000 Series | Link
12.0 Family | 12.0T | V1, V5 | 1400, 1600, 1720, 2500, 2600, 3600, 4500, 4700, AS5300, AS5800, 7200, uBR7200, 7500, RSP7000, RSM, MGX 8800 RPM, BPX 8600 |
12.0 Family | 12.0XE | V1, V5 | 7100 |
12.2 Family | 12.20 | V5, V9 | 800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, Catalyst 4K, 4500 Series, Catalyst 5K, AS5320, AS5400, AS5800, 7000 Family, uBR7200 Series | Link
12.2 Family | 12.2 | V7 | Catalyst 5K |
12.2 Family | 12.2S | V5, V9 | 7200 Series, 7301, 7304, 7400 Series, 7500 Series | Link
12.2 Family | 12.2SB | V5, V9 | 7200 Series, 7301, 7304, 10000 Series | Link
12.2 Family | 12.2SR | V5, V9 | 7200 Series, 7301, 7304, 7600, 10000 Series | Link
12.2 Family | 12.2SX | V5, V9 | Catalyst 6000 | Link
12.2 Family | 12.2T | V5, V9 | 800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, 3700 Series, Catalyst 4000, Catalyst 4224, 4500 Series, AS5300, AS5320, AS5350, AS5400, AS5800, AS5850, 6400 Family, 7000 Family, uBR7200 Series, ICS 7750 | Link
12.3 Family | 12.30 | V5, V9 | 800 Series, uBR920 Series, 1400 Series, 1600/1600R Series, 1700 Series, 2500 Series, 2600 Series, 3600 Series, 3700 Series, Catalyst 4224, Catalyst 4500, AS5300, AS5350, AS5400, AS5800, AS5850, 6400 Family, 7000 Family, ICS 7750 | Link
12.3 Family | 12.3T | V5, V9 | 800 Series, 1700 Series, 1900 Series, IAD2430, 2600XM Series, 2800 Series, 3200 Series, 3600 Series, 3700 Series, 3800 Series, Catalyst 4500, AS5350/5350XM, AS5400/5400XM, AS5850, Catalyst 6000, Catalyst 6500, 7000 Family | Link
12.4 Family | 12.40 | V5, V9 | 800 Series, 1700 Series, 1800 Series, 1900 Series, IAD2430, 2600XM Series, 2691, 2800 Series, 3200 Series, 3600 Series, 3700 Series, 3800 Series, Catalyst 4500, AS5350/5350XM, AS5400/5400XM, AS5850, Catalyst 6000, Catalyst 6500, 7000 Family | Link
12.4 Family | 12.4T | V5, V9 | 800 Series, 1700 Series, 1800 Series, IAD2430, 2600XM Series, 2691, 2800 Series, 3200 Series, 3600 Series, 3700 Series, 3800 Series, AS5350/5350XM, AS5400/5400XM, AS5850/5850-ERSC, Catalyst 6000, 7000 Family | Link
XE Family | Release 2 | V5, V9 | ASR 1002, ASR 1002-F, ASR 1004, ASR 1006 | Link
XE Family | Release 3S | V5, V9 | ASR 903, ASR 1001, ASR 1002, ASR 1002-F, ASR 1004, ASR 1006, ASR 1013 | Link
XE Family | Release 3SG | V5, V9 | Catalyst 4500E | Link
15 Family | 15.0M | V5, V9 | 800 Series, 1800 Series, 1900 Series, 2800 Series, 2900 Series, 3200 Series, 3800 Series, 3900 Series, 7000 Family, AS5350, AS5400 | Link
15 Family | 15.0S | V5, V9 | 7600 Series | Link
15 Family | 15.0SY | V5, V9 | 6500 Series running Supervisor Engine 2T | Link
15 Family | 15.1S | V5, V9 | 7200 Series, 7301, 7600 Series | Link
15 Family | 15.1M&T | V5, V9 | 800 Series, 1800 Series, 1900 Series, 2800 Series, 2900 Series, 3800 Series, 3900 Series, 7000 Family, AS5350, AS5400 | Link

 

 


 


 


 

 




Today's topic is the NetFlow v9 Options Template.


The Options Template is a special type of template record used to communicate the format of data related to the NetFlow process.

 

NetFlow v9 Options Template.png

 

The Options Data Record is a special type of data record (based on an options template) with a reserved template ID that, rather than supplying information about IP flows, is used to supply "meta-data" about the NetFlow process itself.

 

NetFlow v9 Options Data Record.png

 

Nomenclature

FlowSet ID = 1

The FlowSet ID is used to distinguish template records from data records. An options template record always has a FlowSet ID of 1 (a flow template record uses 0). A data record always has a nonzero FlowSet ID greater than 255.

Length

This field gives the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs, the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID. The Template ID is greater than 255; Template IDs 0-255 are reserved.

Option Scope Length

This field gives the length in bytes of any scope fields contained in this options template (the use of scope is described below).

Options Length

This field gives the length (in bytes) of any Options field definitions contained in this options template.

Scope Field 1 Type

This field gives the relevant portion of the NetFlow process to which the options record refers. Currently defined values follow:

  • 0x0001 System
  • 0x0002 Interface
  • 0x0003 Line Card
  • 0x0004 NetFlow Cache
  • 0x0005 Template

For example, sampled NetFlow can be implemented on a per-interface basis, so if the options record was reporting on how sampling is configured, the scope for the report would be 0x0002 (interface).

Scope Field 1 Length

This field gives the length (in bytes) of the Scope field, as it would appear in an options record.

Option Field 1 Type

This numeric value represents the type of the field that appears in the options record. Possible values are detailed in Table 6 of the Cisco specification.

Option Field 1 Length

This number is the length (in bytes) of the field, as it would appear in an options record.

Padding

Padding should be inserted to align the end of the FlowSet on a 32-bit boundary. Note that the Length field includes those padding bytes.

 

 

NetFlow v9 Sample Options Template Data.png

 

 

 

Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format”. Available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems

 


 


 

 




Today's topic is the NetFlow v9 Data FlowSet.



The Data FlowSet is a collection of one or more data records that have been grouped together in an export packet. Data records provide information about an IP flow that exists on the device that produced an export packet. Each group of data records (that is, each data FlowSet) references a previously transmitted template ID, which can be used to parse the data contained within the records.


NetFlow v9 Data FlowSet Format


Data FlowSet.png


Nomenclature

FlowSet ID = Template ID

A FlowSet ID precedes each group of records within a NetFlow Version 9 data FlowSet. The FlowSet ID maps to a (previously received) template ID. The collector and display applications should use the FlowSet ID to map the appropriate type and length to any field values that follow.

Length

This field gives the length of the data FlowSet.

Length is expressed in TLV format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of any included data records.

Record N - Field N

The remainder of the Version 9 data FlowSet is a collection of field values. The type and length of the fields have been previously defined in the template record referenced by the FlowSet ID/template ID.

Padding

Padding should be inserted to align the end of the FlowSet on a 32-bit boundary. Note that the Length field includes those padding bytes.

 

Note:

 

When interpreting the NetFlow Version 9 data FlowSet format, note that the fields cannot be parsed without a corresponding template ID. If a data FlowSet that does not have an appropriate template ID is received, the record should be discarded.


Sample Data FlowSet:


NetFlow v9 Sample Data FlowSet.png


 

Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format”. Available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems

 


 


 




Today's topic is the NetFlow v9 Template FlowSet.


Following the packet header, an export packet carries FlowSets: information that must be parsed and interpreted by the collector device. A FlowSet is a generic term for a collection of records that follow the packet header in an export packet.

 

There are two different types of FlowSets: template and data. An export packet contains one or more FlowSets, and both template and data FlowSets can be mixed within the same export packet.

 

  • Template FlowSet is a collection of one or more template records that have been grouped together in an export packet. Templates greatly enhance the flexibility of the NetFlow record format, because they allow a NetFlow collector or display application to process NetFlow data without necessarily knowing the format of the data in advance. Templates are used to describe the type and length of individual fields within a NetFlow data record that match a template ID.
  • Template Record is used to define the format of subsequent data records that may be received in current or future export packets. It is important to note that a template record within an export packet does not necessarily indicate the format of data records within that same packet. A collector application must cache any template records received, and then parse any data records it encounters by locating the appropriate template record within the cache.
  • Template ID is a unique number that distinguishes this template record from all other template records produced by the same export device. A collector application that is receiving export packets from several devices should be aware that uniqueness is not guaranteed across export devices. Thus, the collector should also cache the address of the export device that produced the template ID in order to enforce uniqueness.


NetFlow v9 Template FlowSet Format


Template Flowset.png


Nomenclature

FlowSet ID

The FlowSet ID is used to distinguish template records from data records. A template record always has a FlowSet ID in the range of 0-255. Currently, the template record that describes flow fields has a FlowSet ID of zero and the template record that describes option fields (described below) has a FlowSet ID of 1. A data record always has a nonzero FlowSet ID greater than 255.

Length

Length refers to the total length of this FlowSet. Because an individual template FlowSet may contain multiple template IDs (as illustrated above), the length value should be used to determine the position of the next FlowSet record, which could be either a template or a data FlowSet.

Length is expressed in Type/Length/Value (TLV) format, meaning that the value includes the bytes used for the FlowSet ID and the length bytes themselves, as well as the combined lengths of all template records included in this FlowSet.

Template ID

As a router generates different template FlowSets to match the type of NetFlow data it will be exporting, each template is given a unique ID. This uniqueness is local to the router that generated the template ID.

Templates that define data record formats begin numbering at 256 since 0-255 are reserved for FlowSet IDs.

Field Count

This field gives the number of fields in this template record. Because a template FlowSet may contain multiple template records, this field allows the parser to determine the end of the current template record and the start of the next.

Field Type

This numeric value represents the type of the field. The possible values of the field type are vendor specific. Cisco supplied values are consistent across all platforms that support NetFlow Version 9.

At the time of the initial release of the NetFlow Version 9 code (and after any subsequent changes that could add new field-type definitions), Cisco provides a file that defines the known field types and their lengths.

The currently defined field types are detailed in Table 6 of the Cisco specification.

Field Length

This number gives the length of the above-defined field, in bytes.

 

 

Note:


  • Template IDs are not consistent across a router reboot. Template IDs should change only if the configuration of NetFlow on the export device changes.
  • Templates periodically expire if they are not refreshed. Templates can be refreshed in two ways:
    • A template can be resent every N export packets.
    • A template can also be sent on a timer, so that it is refreshed every N minutes. Both options are user configurable.


Sample Template FlowSet Data


Sample Template FlowSet Data.png
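The three FlowSet posts in this series (Options Template, Data FlowSet and Template FlowSet) describe a single decoding procedure: cache every template per exporter and Source ID, walk FlowSets by their TLV length, decode data records against the cached template, treat a tail shorter than one record as padding, and discard data whose template has not arrived. The Python below is an added example written for this page; it is not SolarWinds or Cisco code. The field-type numbers are the Cisco-assigned values for the named fields, the scope types are those listed in the Options Template post, and the export packets, exporter addresses and Source ID are constructed sample data, not captured traffic.

```python
import struct

# A few entries from Cisco's NetFlow v9 field-type table (Table 6 in the specification).
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 34: "SAMPLING_INTERVAL"}
# Scope field types listed in the Options Template post.
SCOPE_NAMES = {1: "System", 2: "Interface", 3: "Line Card", 4: "NetFlow Cache", 5: "Template"}
HEADER = struct.Struct("!HHIIII")  # version, count, sysUpTime, UNIX secs, sequence, Source ID

def _decode(name, raw):  # dotted quad for 4-byte address fields, big-endian integer otherwise
    if name.endswith("_ADDR") and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

def _read_fields(body, pos, count, names, prefix=""):
    """Read 'count' (type, length) pairs at pos; return the named field list and the new pos."""
    fields = []
    for _ in range(count):
        ftype, flen = struct.unpack_from("!HH", body, pos)
        fields.append((prefix + names.get(ftype, f"TYPE_{ftype}"), flen))
        pos += 4
    return fields, pos

class NetFlowV9Parser:
    """Caches templates per (exporter IP, Source ID) and decodes data FlowSets against them."""

    def __init__(self):
        self.templates = {}  # (exporter, source_id, template_id) -> [(field name, length), ...]
        self.discarded = 0   # data FlowSets that arrived before their template

    def parse(self, exporter, packet):
        """Return the records decoded from one export packet (flow and options data alike)."""
        version, _count, _up, _secs, _seq, source_id = HEADER.unpack_from(packet, 0)
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        key, records, offset = (exporter, source_id), [], HEADER.size
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack_from("!HH", packet, offset)
            if length < 4 or offset + length > len(packet):
                raise ValueError("bad FlowSet length")  # TLV: length covers ID, length and body
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._load_templates(key, body)
            elif flowset_id == 1:
                self._load_option_templates(key, body)
            elif flowset_id >= 256:  # IDs 2-255 are reserved and simply skipped
                records.extend(self._decode_data(key, flowset_id, body))
            offset += length  # padding sits inside 'length', so this lands on the next FlowSet
        return records

    def _load_templates(self, key, body):
        pos = 0
        while pos + 4 <= len(body):  # fewer than 4 bytes left is padding
            template_id, count = struct.unpack_from("!HH", body, pos)
            fields, pos = _read_fields(body, pos + 4, count, FIELD_NAMES)
            self.templates[key + (template_id,)] = fields

    def _load_option_templates(self, key, body):
        pos = 0
        while pos + 6 <= len(body):
            template_id, scope_len, option_len = struct.unpack_from("!HHH", body, pos)
            scopes, pos = _read_fields(body, pos + 6, scope_len // 4, SCOPE_NAMES, "SCOPE_")
            options, pos = _read_fields(body, pos, option_len // 4, FIELD_NAMES)
            self.templates[key + (template_id,)] = scopes + options

    def _decode_data(self, key, template_id, body):
        fields = self.templates.get(key + (template_id,))
        record_len = sum(flen for _, flen in fields) if fields else 0
        if not record_len:  # template never seen (or empty): discard, as the spec requires
            self.discarded += 1
            return []
        out, pos = [], 0
        while pos + record_len <= len(body):  # a tail shorter than one record is padding
            rec = {}
            for name, flen in fields:
                rec[name] = _decode(name, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out

def build_sample_packets():
    """Constructed sample packets (not captured traffic) from one exporter with Source ID 0x100."""
    def flowset(fid, body):  # adds the 4-byte FlowSet header and pads to a 32-bit boundary
        pad = -(4 + len(body)) % 4
        return struct.pack("!HH", fid, 4 + len(body) + pad) + body + b"\x00" * pad
    hdr = [HEADER.pack(9, n, 123456, 1346851200, seq, 0x100) for n, seq in ((2, 1), (2, 2), (1, 3))]
    tmpl = struct.pack("!HH", 256, 6) + struct.pack("!12H", 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)
    rec = struct.Struct("!4s4sHHBI")  # src IP, dst IP, src port, dst port, protocol, bytes
    data = (rec.pack(bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), 51234, 443, 6, 8192)
            + rec.pack(bytes([10, 0, 0, 7]), bytes([192, 0, 2, 53]), 40001, 53, 17, 96))
    otmpl = struct.pack("!HHH", 257, 4, 4) + struct.pack("!4H", 2, 4, 34, 4)  # scope Interface
    odata = struct.pack("!II", 3, 100)  # ifIndex 3 samples one packet in 100
    return (hdr[0] + flowset(0, tmpl) + flowset(256, data),
            hdr[1] + flowset(1, otmpl) + flowset(257, odata),
            hdr[2] + flowset(300, b"\x01\x02\x03\x04"))  # template 300 never advertised

def demo():
    parser = NetFlowV9Parser()
    flows, options, unknown = [parser.parse("10.0.0.1", p) for p in build_sample_packets()]
    return flows, options, unknown, parser.discarded
```

`demo()` feeds the three packets in order: the first yields two decoded flow records, the second yields one options data record (interface 3, sampling interval 100), and the third is dropped and counted in `discarded` because template 300 was never advertised. Because the cache key includes the exporter address, the same data FlowSet arriving from a different exporter is also discarded until that exporter sends its own template, which is the uniqueness rule the Template FlowSet post describes.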


 

Portions of this document are excerpted from Cisco, “Cisco NetFlow Version 9 Flow-Record Format”. Available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems

 


 



 



 

Today's topic is the NetFlow v9 Packet Header.


The NetFlow packet header provides basic information about the packet, such as the NetFlow version, the number of records contained within the packet, and sequence numbering so that lost packets can be detected. All NetFlow packets begin with a version-dependent header that contains at least these fields:

 

  • Version number (v5, v8, v9, v10)
  • Sequence number to detect loss and duplication
  • Timestamps at the moment of export, as system uptime or absolute time.
  • Number of records (v5 or v8) or list of templates and records (v9)

 

The NetFlow Version 9 record format consists of a packet header followed by one or more template or data FlowSets. The combination of a packet header and one or more template and data FlowSets is called an Export Packet. Built by a device (for example, a router) with NetFlow services enabled, this type of packet is addressed to another device (for example, a NetFlow collector), which processes the packet (parses, aggregates, and stores information on IP flows).

 

NetFlow v9 Export Packet.png

 

NetFlow v9 Packet Header Format

 

NetFlow v9 Packet Header.png

 

Nomenclature

Version

The version of NetFlow records exported in this packet; for Version 9, this value is 0x0009.

Count

Number of FlowSet records (both template and data) contained within this packet

System Uptime

Time in milliseconds since this device was first booted

UNIX Seconds

Seconds since 00:00 Coordinated Universal Time (UTC), 1 January 1970 (the Unix epoch)

Sequence Number

Incremental sequence counter of all export packets sent by this export device; this value is cumulative, and it can be used to identify whether any export packets have been missed

Note: This is a change from the NetFlow Version 5 and Version 8 headers, where this number represented "total flows."

Source ID

The Source ID field is a 32-bit value that is used to guarantee uniqueness for all flows exported from a particular device. (The Source ID field is the equivalent of the engine type and engine ID fields found in the NetFlow Version 5 and Version 8 headers). The format of this field is vendor specific. In the Cisco implementation, the first two bytes are reserved for future expansion, and will always be zero. Byte 3 provides uniqueness with respect to the routing engine on the exporting device. Byte 4 provides uniqueness with respect to the particular line card or Versatile Interface Processor on the exporting device. Collector devices should use the combination of the source IP address plus the Source ID field to associate an incoming NetFlow export packet with a unique instance of NetFlow on a particular device.
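As an added example (not SolarWinds or Cisco code), the Python below unpacks the 20-byte Version 9 header described above, rejects packets that are not Version 9, splits the Cisco Source ID into the reserved, engine and line-card bytes, and follows the Sequence Number per exporter address plus Source ID, as the text recommends, to detect missed export packets. The sample headers are constructed, and the exporter addresses and Source ID values are made up.

```python
import struct
from collections import namedtuple

HEADER = struct.Struct("!HHIIII")  # 20 bytes, network byte order
Header = namedtuple("Header", "version count sys_uptime unix_secs sequence source_id")

def parse_header(packet):
    """Unpack the v9 packet header and reject anything that is not Version 9."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v9 header")
    hdr = Header(*HEADER.unpack_from(packet, 0))
    if hdr.version != 9:
        raise ValueError(f"unsupported NetFlow version {hdr.version}")
    return hdr

def source_id_parts(source_id):
    """Cisco layout: bytes 1-2 reserved (zero), byte 3 routing engine, byte 4 line card/VIP."""
    return {"reserved": source_id >> 16, "engine": (source_id >> 8) & 0xFF,
            "line_card": source_id & 0xFF}

class SequenceTracker:
    """Follows the cumulative export counter per (exporter IP, Source ID) and records gaps."""

    def __init__(self):
        self.expected = {}  # (exporter, source_id) -> next sequence number we expect
        self.gaps = []      # (exporter, source_id, expected, received)

    def observe(self, exporter, packet):
        hdr = parse_header(packet)
        key = (exporter, hdr.source_id)  # each NetFlow instance is its own stream
        expected = self.expected.get(key)
        if expected is not None and hdr.sequence != expected:
            self.gaps.append((exporter, hdr.source_id, expected, hdr.sequence))
        self.expected[key] = (hdr.sequence + 1) & 0xFFFFFFFF  # 32-bit counter wraps
        return hdr

def sample_headers():
    """Constructed headers (not captured traffic); exporter and Source ID values are made up."""
    def hdr(seq, source_id=0x0102):
        return HEADER.pack(9, 1, 3600000, 1346851200, seq, source_id)
    return [("10.0.0.1", hdr(1)), ("10.0.0.1", hdr(2)), ("10.0.0.1", hdr(4)),  # packet 3 lost
            ("10.0.0.1", hdr(1, 0x0203)),  # another engine/line card on the same router
            ("10.0.0.2", hdr(7))]          # another exporter reusing the same Source ID

def find_gaps():
    tracker = SequenceTracker()
    for exporter, packet in sample_headers():
        tracker.observe(exporter, packet)
    return tracker.gaps
```

`find_gaps()` reports exactly one gap, for exporter 10.0.0.1 with Source ID 0x0102, where sequence 3 was expected but 4 arrived; the packets from the second Source ID and from the second exporter start their own counters and are not reported, because mixing them into one stream would produce false loss alerts.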

 

Sample Packet Header Data

 

NetFlow v9 Sample Packet Header Data.png

 

 


 

Portions of this document are excerpted from Cisco, “NetFlow Version 9 Flow Record Format”. Available at http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

 

 

Learn more about how SolarWinds NetFlow Traffic Analyzer, network traffic monitor, can help you by being your netflow analyzer providing you with network traffic analysis and bandwidth monitoring or see for yourself with SolarWinds live on-line demo, or, view this video:  How to Configure NetFlow on Cisco Routers.

 

 



 

Let’s take a quick tour on the basics of NetFlow technology in this first part of the Knowledge Series.


What is NetFlow?

 

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information and monitoring network traffic. While the term NetFlow has become a de facto industry standard, many other manufacturers support alternative flow technologies, including Juniper (J-Flow); 3Com/HP, Dell, and Netgear (sFlow); Huawei (NetStream); Alcatel-Lucent (Cflow); and Ericsson (Rflow).

 

Routers and switches that support NetFlow collect IP traffic statistics on all interfaces where NetFlow is enabled and later export those statistics as NetFlow records toward at least one NetFlow collector, typically a server that does the actual traffic analysis. The NetFlow collector then processes the data to perform the traffic analysis and presents it in a user-friendly format. NetFlow collectors can take the form of hardware-based collectors or probes, or software-based collectors. SolarWinds NetFlow Traffic Analyzer (NTA) is an example of a software-based NetFlow collector that collects traffic data, correlates it into a usable format, and then presents it to the user in a web-based interface for monitoring network traffic.

 

 

History of NetFlow

 

NetFlow v1 was originally introduced in 1990 and has since evolved to NetFlow version 9.  Today, the most common versions are v5 and v9.

 

 

Version | Comment
v1 | First implementation, now obsolete, and restricted to IPv4 (without IP mask and AS numbers).
v2 | Cisco internal version, never released.
v3 | Cisco internal version, never released.
v4 | Cisco internal version, never released.
v5 | Most common version, available (as of 2009) on many routers from different brands, but restricted to IPv4 flows.
v6 | No longer supported by Cisco. Encapsulation information.
v7 | Like version 5 with a source router field. Used on Cisco Catalyst switches.
v8 | Several aggregation forms, but only for information that is already present in version 5 records.
v9 | Template based, available (as of 2009) on some recent routers. Mostly used to report flows like IPv6, MPLS, or even plain IPv4 with BGP next hop.
v10 | Also known as IPFIX: IETF-standardized NetFlow 9 with several extensions, such as enterprise-defined field types and variable-length fields.



Benefits of Using NetFlow Technology for Monitoring Network Traffic

 

Monitoring and analyzing NetFlow will help obtain valuable information about network users and applications, peak usage times, and traffic routing.  In contrast with traditional SNMP-dependent systems, NetFlow-based network traffic monitoring has the ability to characterize traffic from applications and users, understand the traffic patterns, provide a holistic view for monitoring network bandwidth utilization and WAN traffic, support CBQoS validation and performance monitoring, be used for network traffic forensics, and aid in compliance reporting.


Understanding the Datagram

 

The NetFlow export datagram consists of a header and a sequence of flow records. The header contains information such as the sequence number, record count, and system uptime (sysUpTime). Each flow record contains flow information such as IP addresses, ports, and routing information.

 

Below is a simple NetFlow v9 datagram that we will use throughout this knowledge series to give a detailed breakdown of the NetFlow Export packet format.

 

NetFlow v9 Datagram.png
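As an added example (not code from the original post or from Cisco's documentation), here is a minimal Python decoder for the v9 datagram structure described above: it unpacks the 20-byte header, caches Template FlowSets per exporter source ID, and decodes Data FlowSets against those templates. The packet it parses is constructed inline; the field type numbers follow the NetFlow v9 field type definitions (1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 7 L4_SRC_PORT, 8 IPV4_SRC_ADDR, 11 L4_DST_PORT, 12 IPV4_DST_ADDR), and the function names are my own.

```python
import struct
import ipaddress

# NetFlow v9 field type IDs (a subset of the Cisco / RFC 3954 field type table)
FIELD_NAMES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
}
# Header: version, count, sysUptime, unixSecs, sequence number, source ID (20 bytes)
HEADER_FMT = "!HHIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def decode_field(type_id, raw):
    """Turn one fixed-length field into a (name, value) pair."""
    name = FIELD_NAMES.get(type_id, f"FIELD_{type_id}")
    if name.startswith("IPV4_") and len(raw) == 4:
        return name, str(ipaddress.IPv4Address(raw))
    return name, int.from_bytes(raw, "big")


def parse_packet(data, templates):
    """Parse one NetFlow v9 export datagram.

    `templates` is a dict keyed by (source_id, template_id) that the caller keeps
    across packets, because Data FlowSets refer to templates sent earlier.
    Returns (header, records, skipped); `skipped` counts Data FlowSets whose
    template has not been seen yet (or is unusable).
    """
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    version, count, uptime, secs, seq, source_id = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version={version})")
    header = {"version": version, "count": count, "sysUptime": uptime,
              "unixSecs": secs, "sequence": seq, "sourceId": source_id}
    records, skipped = [], 0
    off = HEADER_LEN
    while off + 4 <= len(data):
        flowset_id, length = struct.unpack("!HH", data[off:off + 4])
        if length < 4 or off + length > len(data):
            raise ValueError("bad FlowSet length")   # never read past the datagram
        body = data[off + 4:off + length]
        if flowset_id == 0:                 # Template FlowSet (may carry several templates)
            pos = 0
            while pos + 4 <= len(body):
                tmpl_id, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if nfields == 0 or pos + 4 * nfields > len(body):
                    break
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tmpl_id)] = fields
        elif flowset_id >= 256:             # Data FlowSet: its ID is the template ID
            fields = templates.get((source_id, flowset_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                skipped += 1
            else:
                pos = 0
                while pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        name, value = decode_field(ftype, body[pos:pos + flen])
                        rec[name] = value
                        pos += flen
                    records.append(rec)
        # IDs 1..255 (Options Template and reserved) are not decoded in this example
        off += length
    return header, records, skipped


def build_sample_packet():
    """Constructed sample datagram: one template (ID 256) plus two data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl

    def rec(src, dst, sport, dport, proto, nbytes, npkts):
        return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                + struct.pack("!HHBII", sport, dport, proto, nbytes, npkts))

    recs = (rec("10.0.0.5", "192.0.2.10", 51234, 443, 6, 5120, 12)
            + rec("10.0.0.7", "192.0.2.53", 40000, 53, 17, 96, 1))
    pad = (-(4 + len(recs))) % 4                      # FlowSets are padded to 32 bits
    data_fs = struct.pack("!HH", 256, 4 + len(recs) + pad) + recs + b"\x00" * pad
    # count = template records + data records; sequence and source ID are arbitrary here
    header = struct.pack(HEADER_FMT, 9, 3, 123456, 1346000000, 42, 1)
    return header + template_fs + data_fs


if __name__ == "__main__":
    cache = {}
    hdr, flows, missing = parse_packet(build_sample_packet(), cache)
    print(hdr)
    for f in flows:
        print(f)
```

A collector has to keep the template cache across packets and per exporter: a Data FlowSet that arrives before its template cannot be decoded, which the `skipped` counter reports rather than guessing a layout. The length checks matter on a collector that listens on UDP for anyone on the network: a malformed FlowSet length must not drive reads past the end of the datagram.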

 

Part 2 - NetFlow v9 Packet Header

Part 3 - NetFlow v9 Template FlowSet

Part 4 - NetFlow v9 Data FlowSet

Part 5 - NetFlow v9 Options Template

Part 6 - Supported Cisco Models

Part 7 - SolarWinds NetFlow Traffic Analyzer

 

Portions of this document are excerpted from Cisco, "Cisco NetFlow Version 9 Flow-Record Format", available at NetFlow Version 9 Flow-Record Format [IP Application Services] - Cisco Systems.

 

Learn more about how SolarWinds NetFlow Traffic Analyzer can serve as your NetFlow analyzer, providing network traffic analysis and bandwidth monitoring: see for yourself with the SolarWinds live online demo, or view this video: How to Configure NetFlow on Cisco Routers.

 

 


A rogue access point (AP) is a wireless access point that has gained access to a secure enterprise network without explicit authorization from the network administration team. These unauthorized access points open wireless backdoors into wired networks. There can be numerous unauthorized APs in and around the airspace of your corporate firewall: Wi-Fi devices from employees who bring personal devices onto the corporate WLAN, and APs belonging to neighboring businesses that may be reachable from your network because of proximity. These may not look malicious, but they are still unsecured and may turn into security threats later on. And then there are the actual rogue APs that pose a security threat by intruding into your corporate network.

In order to better understand the intent of these APs, let's classify them as:
  • Unauthorized APs – those introduced by employees within the organization, but with no detrimental intent
  • Insecure APs – those that bypass network security owing to airspace proximity
  • Malicious APs – actual rogue APs that pose a security threat. Some of these include:
    • Skyjacking attack: vulnerabilities within access points could be used by remote attackers to convert an authorized AP into a rogue one by taking full control over it.
    • Planting a malicious rogue AP within the office space, disguised as a trusted AP.
    • Rogue APs that spoof MAC addresses used by legitimate APs or try to mimic your own WLAN's SSID


While all of these malicious and non-malicious access points need to be monitored, it is the responsibility of the network administrator to ensure the malicious ones are contained and eliminated.
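The classification above can be turned into a simple rogue report. The following Python is an added example, not code from the original post or from any SolarWinds product: it reads a constructed wireless scan (BSSID, SSID, channel, RSSI, as a controller's rogue detection might export it), compares each AP with a constructed inventory of deployed APs, and uses a constructed list of MACs learned on monitored switch ports to separate a rogue that is actually plugged into the wired network from a neighbor that is merely in the airspace. All addresses and SSIDs are hypothetical.

```python
import csv
import io
from collections import Counter

# Constructed inventory (hypothetical values): BSSID -> SSID the network team deployed
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}
CORPORATE_SSIDS = set(AUTHORIZED_APS.values())
# MACs learned on monitored switch ports (what a wired device tracker reports); constructed
WIRED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:10"}

# Constructed wireless scan, in the shape a controller's rogue-detection export might take
SCAN_CSV = """bssid,ssid,channel,rssi
00:11:22:33:44:01,CorpWiFi,6,-45
00:11:22:33:44:02,CorpWiFi,11,-52
AA-BB-CC-DD-EE-10,Printer-Setup,1,-60
de:ad:be:ef:00:01,CorpWiFi,6,-70
00:11:22:33:44:01,OpenGuest,6,-44
66:77:88:99:aa:bb,NeighborNet,1,-80
"""


def normalize_mac(mac):
    """Accept 00-11-.. or 00:11:.. in any case and return lower-case colon form."""
    return mac.strip().lower().replace("-", ":")


def classify(bssid, ssid):
    """Map one observed AP to the categories used in the post."""
    bssid = normalize_mac(bssid)
    expected = AUTHORIZED_APS.get(bssid)
    if expected is not None:
        if ssid == expected:
            return "authorized"
        # Our BSSID but not our SSID: a taken-over AP or a spoofed MAC address
        return "malicious: authorized BSSID serving unexpected SSID"
    if ssid in CORPORATE_SSIDS:
        # Unknown radio advertising our network name: an SSID mimic
        return "malicious: unknown BSSID mimicking our SSID"
    if bssid in WIRED_MACS:
        # Not ours, not mimicking us, but its MAC shows up on a switch port
        return "unauthorized: unknown AP attached to the wired network"
    return "insecure: neighboring AP in our airspace"


def rogue_report(scan_csv):
    """Return ({(bssid, ssid): category}, Counter of categories) for one scan."""
    findings = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        key = (normalize_mac(row["bssid"]), row["ssid"])
        findings[key] = classify(*key)
    return findings, Counter(findings.values())


if __name__ == "__main__":
    findings, counts = rogue_report(SCAN_CSV)
    for (bssid, ssid), category in findings.items():
        print(f"{bssid}  {ssid:14} {category}")
    print(counts)
```

Two caveats when running something like this against real data: an AP that legitimately broadcasts several SSIDs must have every BSSID/SSID pair in the inventory, or the "unexpected SSID" rule will flag your own guest network; and the wired-MAC check is what distinguishes an AP that needs containment from a neighbor that only needs watching, so the switch-port data has to come from the same time window as the scan.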

How can SolarWinds help you monitor rogue APs?

SolarWinds Network Performance Monitor (NPM) is an effective network management software package whose integrated poller can help identify your rogue APs in a multi-vendor network environment by scanning wireless controllers and devices. NPM supports monitoring both thin and thick (autonomous) access points and their associated clients. You can also use the out-of-the-box reports on rogue access points over varying time frames.

NPM Wireless Summary View.png

SolarWinds User Device Tracker is a comprehensive network device monitoring tool that can be used to drill deeper into the rogue access point and get details of all the endpoints connected to it: when the rogue AP was connected, how long it was active, and which user was using it.

 

UDT Access Point Details.png

Now that you’ve detected the rogue access point and analyzed its activity in your WLAN, you can take appropriate measures to contain or eliminate it from your enterprise network once and for all.



SolarWinds has just released our newest free tool, Call Detail Record Tracker, to make it easier for you to quickly view call detail records and see the relevant MOS score.  With Call Detail Record Tracker you can:

 

  • Retrieve call detail records from Cisco CallManager 7.x and 8.x
  • Load up to 48 hours of CDR data
  • Search, filter, and sort call detail records

 

To get started with Call Detail Record Tracker, you simply point to the FTP server where you store your CDRs, enter your credentials, and let the tool know how far back you want to retrieve CDRs (up to 48 hours):

 

CDR Tracker Still02.jpg

 

Once your CDRs have been retrieved, you can search, filter, and sort based on call origin, call destination, call status, termination cause, call quality, and call time:

 

 

CDR Tracker Still03.jpg

 

Learn more about SolarWinds' free Call Detail Record Tracker, watch this overview video, or download your free copy.

 

For more advanced VoIP Monitoring and Troubleshooting take a look at SolarWinds VoIP & Network Quality Manager (VNQM).  See this blog to learn more about VNQM.

Locating users and devices in a wireless network just got easier with today's release of version 2.5 of User Device Tracker.  Now you can track users and devices within a wireless network with support for wireless thin access points.  This new product capability can enhance network security for any business, educational, governmental, or healthcare environment that has a wireless infrastructure.

 

UDT's summary page now includes two new resources:  Top 10 SSIDs by Current # of Endpoints, and Top 10 Access Points by Current # of Endpoints.

 

Screen Shot 2012-08-30 at 8.35.30 AM.png

You can drill down for additional details about the SSID:

 

Screen Shot 2012-08-30 at 8.38.09 AM.png

And the Access Point:

Screen Shot 2012-08-30 at 8.40.20 AM.png

 

And again drill further down for details on the Endpoint Connections:

 

Screen Shot 2012-08-30 at 8.45.03 AM.png

 

Learn more about User Device Tracker or download a free fully functional 30-day trial.

Numerous prognosticators predicted network meltdowns as a result of the increase in streaming video from the Olympic Games. The Los Angeles Times reported that Internet traffic had spiked about 20% because of live Olympics streaming, and that the CTO of the Los Angeles municipal government had emailed thousands of City Hall employees asking them to stop watching the games online at work. Another study stated that Games enthusiasts followed the proceedings on two or more personal devices.

 

Tackling the bandwidth crunch


The Olympics may have officially come to an end, and hopefully your network did not melt down, but that does not lessen the need for effective network traffic monitoring. Companies should prepare themselves to ensure bandwidth consumption is actively managed. Some key focus areas should be:

 

  • Monitor network bandwidth & traffic patterns down to the interface level
  • Identify your bandwidth hogs: which users, applications, and protocols are consuming the most bandwidth
  • Understand what protocols and IP addresses are consuming bandwidth

 

If your primary concern is to measure and control traffic so that the variety of devices on the network does not cause congestion and poor performance, it is important to have a solution that addresses all of the above best practices. A NetFlow analyzer tool helps you monitor network traffic and gives you visibility into the performance of any QoS policies you have established on your network.

 

 

Let us know, did streaming video from the Olympics have any impact on your network?

 

 

The Winter Games will be here sooner than you think.  Will your network be ready?


Managing the BYOD Chaos

Posted by brad.hale Aug 17, 2012

The evolution of mobile technology has changed the way we work. Gone are the days when work was only done on personal computers. Even laptops have slowly given way to trendy mobile phones and tablets. With new and more capable devices hitting the market daily, employees are not just using them to communicate but largely to conduct work as well. BYOD, bring-your-own-device, is a trend which is becoming the norm of the day. Surprised? Well, don't be. A recent research report from Forrester shows that organizations in Europe and North America are taking this trend quite seriously, with 64% of respondents identifying more mobility support for employees as a top priority. Companies that allow employees to use their personal devices on the corporate network find that the trend has increased employee productivity, thereby increasing job satisfaction and retention, and has drastically reduced the cost they have to bear for hardware. Employees are satisfied because they can work from devices familiar to them. Organizations are smiling at the money they have saved by shifting the hardware responsibility to the user.

 

But all this consumerization of IT is also causing headaches for enterprises. Gartner reports that BYOD is a real concern when it comes to security, and top enterprises are worried about the following:

 

 

  • Potential for loss of confidential information via personal devices
  • Legal issues and regulatory compliance risks
  • Introduction of malware threats
  • Management burden associated with supporting diverse device types
  • Ensuring user authentication, security, and encryption
  • Policy formulation and enforcement
  • Monitoring and management of Wi-Fi access points
  • Network bandwidth monitoring


If you're an IT admin, you ought to prepare yourself to tackle the BYOD trend. With the number of unrecognized devices on the network multiplying daily, it's quite important to have complete control over them so that you can proactively address any security risk arising from suspicious rogue devices. Sanjay Castelino, VP, Market Leader Network Management Business at SolarWinds, recently published an article, Managing the BYOD Chaos with Network and Security Information Monitoring and Management, in which he laid out a number of areas an IT pro can focus on to manage the BYOD chaos.


 

 

By creating and enforcing the right policy for your organization, monitoring usage and access, and implementing intelligent and advanced security solutions, BYOD can substantially benefit the likes of businesses and employees in developing a better, more productive work environment. Try the interactive online demo of SolarWinds NetFlow Traffic Analyzer, a comprehensive network traffic monitor that will help you monitor traffic and bandwidth utilization across your enterprise network.

 

 


Are you still crawling around your wiring closet trying to trace a rogue network device or user to a switch port?

 

Regardless of whether you're tracking users and devices in a wiring closet that looks like this…

Good Wiring Closet.png

or like this....

 

bad wiring closet.png

 

the process can be tedious and maddening without the right tools. Almost all network admins and systems engineers face three crucial questions when attempting to track devices and endpoints that may be potential security threats.

  • How do I track the device just by knowing its MAC address, IP address or hostname without manually searching for the connecting wires and cables?
  • How do I find the user that uses the device?
  • How do I find the historical data on when and where a device was connected and which user was using it?

 

Let’s explore how you can answer these three questions with SolarWinds User Device Tracker (UDT).

 

When you first log in to UDT, you will be presented with UDT's Device Tracker Summary, giving you an at-a-glance view of your monitored nodes and their status. Within this view, you can search for a user or device quickly and easily (see the highlighted box).

 

UDT Summary With Search Box.png

 

Searching for a device is as simple as entering the Endpoint hostname, Endpoint IP Address, or Endpoint MAC Address.  Once the device is located, you can see the node port, node name, connection duration and connection type as well as detailed information about the device.

 

UDT End Point Details.png

 

You can drill down into the node port to see the history of devices that have been connected.

 

UDT Port Details.png

 

To search for a user, you simply enter their username in the search box and you will be presented with User Detail.

 

UDT User Details.png

Additionally, with UDT you can create a device watch list so that you are notified immediately when a watched user or device connects to the network.

 

UDT Device Watch List.png

 

UDT Add A Device.png

 

On top of tracking users and devices, UDT maps, monitors and reports on switch port utilization. A report on switch capacity and port utilization can be just what you need to balance load and make optimal use of ports and switches. Leveraging UDT's switch port monitoring functionality, we can:

  • Find available network ports
  • View individual ports per switch, reclaiming unused ports
  • Discover switches operating near full capacity
  • Display switch capacities by ports used, CPU loads, memory used to justify purchase of new equipment

 

UDT Ethernet Ports Over Time.png UDT CPU Load.png UDT Radial Gauges.png

 

With UDT, we can drill down into any added node to find all available ports and the status of the port – whether it’s up, down, used or unused. The port details shown by UDT include port name, number, VLAN and duplex along with a complete history of devices that have been attached to the port.

 

SolarWinds UDT’s real-time network discovery feature initiates automated network scans producing comprehensive network switch/port lists saving time by eliminating manual database entries.

 

UDT Port Discovery.png

 

You can test drive our live demo or try out a free, fully functional 30-day trial of SolarWinds User Device Tracker, an affordable yet tremendously powerful product that will meet all your needs for tracking rogue network devices.

 

Track them, trace them and take them down! - Let us know what you think.
