
SolarWinds Flow Tools Bundle Quick Reference Guide

Gain the ability to quickly distribute, test, and configure flow traffic with the free network traffic analysis tools included in the SolarWinds® Flow Tool Bundle. Showcasing some of the signature flow traffic analysis capabilities from SolarWinds, the Flow Tool Bundle offers three handy, easy-to-install, and free network traffic analysis tools: SolarWinds NetFlow Replicator, SolarWinds NetFlow Generator, and SolarWinds NetFlow Configurator.

NetFlow Replicator helps you easily distribute flow data to multiple destinations for traffic or security analysis. Configure random sampling of flow data packets to help reduce the load on the monitored system and collector. NetFlow Generator simulates network flow data so you can test and validate your configurations. This functionality is especially helpful when testing the behavior of more complex network entities, such as load balancers, firewall rules, and alert trigger conditions.

NetFlow Configurator remotely configures and activates NetFlow v5 on supported Cisco® devices. With this tool, you can easily set up the router to send NetFlow records to your collector.

The free network traffic analysis tools in this bundle can be installed on Windows® 7, 8, and 10, and on Windows Server 2012 R2, 2016, and 2019. Only 64-bit operating systems are supported.

Downloading and Unpacking

You can download the Flow Tool Bundle here: https://www.solarwinds.com/free-tools/flow-tool-bundle

First, unzip the bundle. Inside, you'll find three installers—one for the Flow Replicator, one for the Flow Generator, and one for the Flow Configurator. To install one or more of these, just execute the installer file and follow the prompts. You can install only what you need; you don't have to install all three on the same system.

Using the NetFlow Replicator

To use NetFlow Replicator, launch the utility.

You'll see the screen is divided into sections that can be collapsed and expanded. Initially, the "Service" configuration section is expanded. We'll use the "Service" configuration to create an instance of the NetFlow Replicator that will continue to run even after you exit the utility. Configuring the "Service" and then running it will install the Replicator as a Windows service, and you can exit the utility. The next time you start the utility, it will connect to the running service and display current statistics. You can only have one service running in the background on any machine. The intent of the service configuration is to create a NetFlow Replicator process that is persistent over time.

The "Console" configuration is designed to run the NetFlow Replicator interactively. When you start the utility the first time, you'll see a collapsed Console configuration at the bottom of the screen. Click the double-chevron icon on the right to expand this section. You can configure and start multiple interactive console sessions. You'll find a button to "Create console configuration" at the top right of the screen.

 
The Service configuration and the Console configurations accept the same set of parameters.

The "Listener" is the IP address and port where NetFlow records will be received. It's the address and a port on your machine where the utility is listening for flow records. Typically, this is where NetFlow sources like routers would be configured to send records. Each "Destination" is a remote machine where the NetFlow Replicator will send the NetFlow records it receives. You'll need an IP Address and port for the destination, and you can optionally sample the records sent to each destination to help reduce the volume of traffic we're replicating. A sample rate of "1 in every 1 packet" is the same as not sampling at all. The sampling algorithm is a random "1 in N" method. Only flow data is sampled; NetFlow v9 and IPFIX templates are always forwarded.
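The sampling rule described above, sketched as an added example (not SolarWinds code, and not part of the original guide). It assumes the decision is made per export datagram and that any NetFlow v9 or IPFIX datagram containing a template set is forwarded whole; the destination labels and sample packets are constructed for illustration.

```python
import random
import struct

V9_TEMPLATE_SETS = {0, 1}     # NetFlow v9 template / options-template FlowSet IDs
IPFIX_TEMPLATE_SETS = {2, 3}  # IPFIX template / options-template Set IDs

def carries_template(datagram: bytes) -> bool:
    """True if a NetFlow v9 or IPFIX export datagram contains a template set."""
    if len(datagram) < 2:
        return False
    (version,) = struct.unpack_from("!H", datagram)
    if version == 9:
        offset, template_sets = 20, V9_TEMPLATE_SETS     # 20-byte v9 header
    elif version == 10:
        offset, template_sets = 16, IPFIX_TEMPLATE_SETS  # 16-byte IPFIX header
    else:
        return False  # NetFlow v5 is fixed-format and has no templates
    while offset + 4 <= len(datagram):
        set_id, set_len = struct.unpack_from("!HH", datagram, offset)
        if set_id in template_sets:
            return True
        if set_len < 4:
            break  # malformed length: stop instead of looping forever
        offset += set_len
    return False

def should_forward(datagram: bytes, n: int, rng) -> bool:
    """Random 1-in-N decision; N=1 means no sampling, templates always pass."""
    if n <= 1 or carries_template(datagram):
        return True
    return rng.randrange(n) == 0

def replicate(datagrams, destinations, seed=0):
    """destinations maps a label to its N; returns label -> datagrams to send."""
    rng = random.Random(seed)
    sent = {label: [] for label in destinations}
    for datagram in datagrams:
        for label, n in destinations.items():
            if should_forward(datagram, n, rng):
                sent[label].append(datagram)
    return sent

# Constructed sample datagrams (not captured traffic).
def v9_packet(set_id: int, body: bytes = b"\x00" * 8) -> bytes:
    header = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    return header + struct.pack("!HH", set_id, 4 + len(body)) + body

def ipfix_packet(set_id: int, body: bytes = b"\x00" * 8) -> bytes:
    header = struct.pack("!HHIII", 10, 16 + 4 + len(body), 0, 0, 0)
    return header + struct.pack("!HH", set_id, 4 + len(body)) + body

def demo():
    stream = [v9_packet(0)] + [v9_packet(256)] * 2000 + [ipfix_packet(2)]
    sent = replicate(stream, {"full-copy": 1, "sampled-1-in-100": 100})
    return {label: len(packets) for label, packets in sent.items()}

if __name__ == "__main__":
    print(demo())
```

A collector fed by the sampled destination sees roughly 1/N of the data datagrams, so volume figures derived from it need to be scaled by N to be compared with the unsampled copy.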

You can add additional destinations to specify multiple destinations and replicate the same traffic. Delete destinations with the icon to the right of the destination. To start the NetFlow Replicator, select "Start Console." You'll see an indication that it's running, and you'll see some basic statistics on packet rates, drops, and the sampling rate. You can collapse this console session and create additional console sessions if you wish. You can create additional interactive sessions by selecting "Create console configuration."

The menu (indicated by a vertical ellipsis) allows you to export or import configurations to share your work. You can also delete console configurations, or view logging information.

Using the NetFlow Generator

To use NetFlow Generator, launch the utility.

The NetFlow Generator is a completely interactive tool for simulating flow traffic records. Typically, you would use this to test a flow collection system, or an architecture that forwards or load balances flow from network devices. You can start and run multiple instances of this tool on the same machine if you need to. To use the NetFlow Generator, you'll need to know where you are sending the simulated NetFlow records, where they should appear to originate, and what groups of endpoints should be present in the data. We'll walk through the configuration top to bottom.

We'll start with the "Orion Server," which is the IP address and the port where the utility will send generated traffic records. This is typically your NetFlow collector, where network devices are usually configured to send records. Next, we'll configure the originating source of the NetFlow traffic, as it appears to the collector. You can send records from the local IP address of the server where the generator utility is running or select "Node Simulation" to simulate traffic from one or more NetFlow sources. When "Node Simulation" is selected, you can simulate originating the NetFlow traffic from another source or group of sources by entering a single address or a range of addresses.

The "Number of interfaces" configuration allows you to simulate traffic from devices with multiple interfaces. This value applies uniformly to all of the devices configured as NetFlow sources.

Next, set the traffic level for the rate of the traffic you'll generate. This value is approximate, in average flow records per second.

In the next section, you’ll select the type of flow traffic that will be generated. The NetFlow Generator supports NetFlow v5, NetFlow v9, sFlow, and IPFIX flow formats. You can optionally generate sampled traffic or simulate NBAR2 where it's appropriate.

The last step is configuring the conversation endpoints that are represented in the flow records we're generating. Both IPv4 and IPv6 conversations between endpoints can be configured. You configure endpoints by specifying the source of the flow—the address or addresses, and the source port—and then the destination of the flow. The IP addresses can be specified as a single address, a subnet using CIDR notation, or a range with starting and ending values. The ports are specified as individual port numbers, or ranges. Source ports can be randomly selected. The protocol can be specified as TCP, UDP, or both TCP and UDP.

The menu (indicated by a vertical ellipsis) at the right side of each endpoint row allows you to edit or delete the endpoint definition.

Running the generator sends flow records of the type you specified, carrying conversations between the configured endpoints, to the Orion® server. The records are sourced either from the server where the utility is running or from the simulated flow source nodes that you've configured.

Starting the generator opens a statistics screen with an indication that it's running, continuously updated statistics, and a summary of the configuration you entered.

Either exiting the utility or selecting the "Stop Generator" button will stop generating traffic.

Using the NetFlow Configurator

To use NetFlow Configurator, launch the utility.

Enter the IP address of the router where you would like to configure NetFlow v5. The utility will report if the device doesn't support this method of configuration. To read and modify the configuration, you can use SNMP v1, v2, or v3. Enter the appropriate credentials and select "Next" to read the current device configuration.

The current device configuration will show you the destinations for flow currently enabled or allow you to specify up to two destinations for the device to forward NetFlow records. Below, you'll see a list of the interfaces and the direction for which NetFlow is enabled.

Select the checkboxes for the desired configuration, and then select "Apply."

On the following page, you'll see a summary of the new configuration, and a reminder that changes are applied to the running configuration on the router only.

Select "Configure another device" to continue and select another router to configure.

Fun with Flow

The Flow Tool Bundle from SolarWinds is a versatile collection for your troubleshooting toolbox. You can use the NetFlow Generator to test firewall rules, load balancer configurations, or to test the next NetFlow Traffic Analyzer beta release. You can use it to generate demo traffic to show off NetFlow Traffic Analyzer to the rest of your organization while they evaluate the product. The NetFlow Replicator can be used to send a single stream of flow traffic from your network infrastructure to a single destination, and then consume it in multiple NTA instances. With the sampling feature in the NetFlow Replicator enabled, you can place the utility at a remote site, or within a public cloud instance, and substantially reduce the traffic forwarded to the central NTA instance. Depending on the configuration of the machine that's hosting the NetFlow Replicator, you can configure it in a "single-armed" topology—both receiving and sending packets through the same interface—or an "in-line" configuration with packets arriving on one interface and forwarding through another.

For fun, try experimenting with the NetFlow Generator to simulate traffic to an unused port on your local machine. Then, set up the replicator to listen on this port, and forward to another unused port on your machine. This will give you a feel for the statistics output in each of these tools, and it's a simple way for the NetFlow Generator to exercise the NetFlow Replicator.

While the NetFlow Configurator offers a simple method to set up basic NetFlow v5 on a single device at a time, you can also consider trying Network Configuration Manager to automate mass changes in your network to enable NetFlow export.

Download the free SolarWinds Flow Tool Bundle today and post your observations and questions below!

joer

Comments

Nice!  We're reviewing options for better microsegmentation.  This might fill a gap.

rschroeder​, that's great to hear! Please let us know how you wind up using these tools to help support your microsegmentation strategy!

jreves

I really need to try these out. Thanks for posting.

robertcbrowning​, I hope you find these useful in your work!  Please let us know how you make use of these tools with your clients!

jreves

Sharing with my folks. I'm imagining they will have a lot of positive things to say about this soon.

SolarWinds has already posted a solution in Success Center and it worked for me.

The Deployment Health, Updates Available, and Diagnostics tabs are blank and diagnostics cannot be g...

designerfx​ Let us know how you find these useful, and what additional features you'd like to see!

jreves

I wish this supported NetFlow-Lite and could replicate (transform) it to a v5 or v9 format!

That's an interesting request! Can you talk a little more about how you would use this in your network?  Are there other types of transformations you would find useful?

jreves

jreves​ Sorry, please ignore my comment - I was wrong! NetFlow-Lite is simply a sampling type (minimum 1:32) of flow data. So this means the NetFlow Replicator should be able to forward traffic as it supports sampled flow data.

It would be great if you would add a save/export of the configuration for the Generator (similar to the replicator).  For some of our simulations, we have some pretty specific desires to show several flow types to and from specific locations as well.

That's great feedback, Jay!  Thanks -

Are issues with the NetFlow Replicator covered with a valid NAM license? I am having issues with the NetFlow Replicator sending flow data to our Splunk server.

Tony, the NetFlow Replicator is an unsupported free tool. If you can send me the details directly, I'll see if I can help you on a best-effort basis.  What kinds of issues are you seeing?

jreves

I created a new service and added our SolarWinds (also our flow export destination) server as the Listener node and the Splunk server as the Destination node and set the Sampling rate to 1:1000. There are no Incoming packets on the Listener node and no Outgoing packets on the Destination node.

Tony, for this scenario I think you're going to have one listener - where flow arrives from your infrastructure - and then multiple destinations. One destination would be your NTA flow collector, and one destination would be your Splunk server. You can set up sampling on a per-destination basis.  Here's an overview; you can place the NetFlow Replicator either in-line, or in a single-arm configuration:

Flow Bundle.png

If you'd like to message me directly, we can set up some time and go over your specific config on a WebEx - would that work?

jreves

Thank you for the reply and I sent you a message directly. Does the NetFlow Replicator leverage an existing NTA implementation to send flows to another system?

Hi. We are trialling NetFlow Bundle now in our infrastructure and I have a couple of questions:

  1. Our SolarWinds server receives flows on port 2055 and, therefore, I suspect the NetFlow Replicator gives me an error of " this port is already in use" when I leave it as default (2055) in the Listener's configuration. What is the best way around this?
  2. What is the optimal ratio for sampling (1:N) and how to calculate it based on a received amount of flows?

Your help is much appreciated. Thanks a lot!

raimondasm​ -

Effectively, you'll want to "insert" the replicator between your existing sources of flow, and your NTA collector.  To do that, you'll first stop your NTA collector, and then relocate the collector port to a different port. You can do that in the NTA Settings section, under collector services:

You can relocate your collector to any other open port - for example, 2056.

Screen Shot 2019-07-09 at 11.23.25 AM.png

Once you've done that, you can bring up the replicator and configure your "Service" configuration to listen on port 2055, and configure a destination on the local machine for your NTA collector.  So - you would have one destination to port 2056 on your local machine. Go ahead and start your service; you don't need to keep the UI active. The service will run continuously in the background.

Screen Shot 2019-07-09 at 11.23.41 AM.png

Then - restart your NTA collector.  You now have a mechanism to "split" additional destinations from your single stream of flow data arriving at port 2055, and you don't need to make any changes to your device configurations.

In terms of optimal sampling rates, there's useful guidance on the sFlow Blog site, and also a worksheet you can reference here: sFlow Traffic Characterization Worksheet

jreves

jreves, thank you for your answer. I will make the suggested changes this week and test if this works as expected. I must say your provided source over the sampling rates is very good - this is exactly what I was looking for! Thanks again.

Hello, I am a new user of SolarWinds products. For testing purposes with NTA, I sent packets using "NetFlow Generator".

It runs well and NTA received the NetFlow data, but I need to check whether the number of packets/flows matches between the NTA and "NetFlow Generator" sides.

When I push the "Stop generator" button in "NetFlow Generator", the statistics information, like in the image below, disappears immediately.

So my question is: how can I find the statistics information on the client side where "NetFlow Generator" is installed?

Thanks,

netflow generator.JPG

If the destination port is set to 514 (syslog), will the destination server receive the NetFlow data in syslog format?

Regarding NetFlow Generator you could choose NetFlow v5/v9 or IPFIX or sFlow v5 format not syslog format.

I'm sorry, changing NetFlow's destination port does not change the format of the Netflow data to Syslog format.  Changing the destination port will cause your Solarwinds solution to fail to display Netflow data in NTA.

You can find more about Netflow data format here:

NetFlow Version 9 Flow-Record Format  [IP Application Services] - Cisco Systems

Rephrasing the question--> Can replicator deliver netflow data in syslog format to destination?  The response I am looking for is yes or no. ( I can or cannot receive netflow data in syslog format)

that is, unless you tell solarwinds to listen on that port - then it will still be collected but it still won't be syslog

are you referring to stuff like this sFlow: Exporting events using syslog  - tgreenwell​ ? ( I've not heard of people asking for netflow data as syslog)

We would like to syslog the NetFlow data from SolarWinds to our UEBA tool. Is there a component in SolarWinds that can do this? (excluding the syslog forwarder in SolarWinds SIEM)

jreves​ please remind me, would this also replicate spfix?

@raimondasm   did the change suggested work for you?  I am facing the same issue.    Thanks

@holleyc77, yes, it worked a treat and it was straightforward. The only thing you may need to work out yourself is the sampling rate, but a reference to a very good sampling rate intro is also in this thread.

Hello Everyone!

I am a new user to Solarwind's Netflow generator :), I want to use these tools as it provides all major flow protocols like Netflow, IPFix, and flow. Currently, I am stuck unable to figure out how to implement my use case.

The analyzer which is under test is not reachable because ICMP Ping is disabled over it, this is done for security concerns. Hence due to this issue, I am not able to use the tool to generate the flows towards the collector. So the ask is there any way to bypass this check? I want flows to simply generate which is ideally the behavior of any router which generates the flows.

solrwind.PNG

 

Is there anyone who can give a feel for what performance spec will be needed for a given amount of netflow regeneration by the free flow tool?

We have about 5k pps inbound and about 20k pps outbound and want to know how much vCPU and ram to throw at it.

Version history
Revision #: 1 of 1
Last update: 12-28-2018 11:28 AM