11 Replies Latest reply on Jan 15, 2009 2:01 PM by mkomeara

    Netflow report help

    branfarm

       I'm trying to figure out how to write a report in the Report Writer where I can see the top 10 receivers of a particular TCP port (5600) on a day-to-day basis.  The problem I'm running into is that I can't seem to find out how to add any sort of filtering based on port or application.  Does anyone have any idea how I can do this?

       

      Thanks in advance!

        • Re: Netflow report help
          Andy McBride

          Hi branfarm,


          It is not possible to create that report today. I am tracking this as a feature enhancement.


          Andy

            • Re: Netflow report help
              mkomeara

              Hello,

              We have remote offices and I need to run reports on particular offices showing Netflow traffic stats for the last hour in an office. I tried setting up a report of NetFlow data showing the top n devices by Bytes Transferred for a particular subnet or address range, like 10.1.1.0/26, but I get no data.  What is the best way to get a report like this?

               

              Thanks

                • Re: Netflow report help
                  Andy McBride

                  Create an IP address group in NetFlow Settings then use Traffic view builder to build a view of that subnet.

                    • Re: Netflow report help
                      mkomeara

                      I have three groups defined already; 10.1.1.0-10.1.1.255, 172.0.0.0-172.255.255.255, and 192.168.0.0-192.168.255.255, but when I try to add group 10.1.2.0-10.1.2.255, it says this;

                      "IP address groups may overlap but cannot be nested within another group. An IP address group already exists that is nested with the IP address range you are attempting to add. Please change the starting or ending IP Addresses you are adding."
                        • Re: Netflow report help
                          Andy McBride

                          If you don't need those default private address groups, delete them and then yours will be OK.

                            • Re: Netflow report help
                              mkomeara

                              The problem is I have about 600 subnets that I may want to pull stats on separately.  For example, site A (10.1.1.0/24) complains of slow response across the WAN.  So I want to see the NetFlow numbers for the top Bytes sorted descending.  Do I have to define all 600 IP Address Groups separately?  If so is there a way to do it for all groups using file input or database update?  Then how would I select the groups when running a Historical NetFlow report?

                                • Re: Netflow report help
                                  Andy McBride

                                  Wow - That would be a lot of upfront work. I suggest adding the subnets to the IP groups as needed (when you need to find out about 10.10.1.0/24, add that one) and using Traffic View Builder, which gives historical views. The report writer won't support this today unless you use the advanced SQL reports, which require some real good SQL skills.

                                    • Re: Netflow report help
                                      mkomeara

                                      Here's what I'm seeing;

                                      1. I create an IP Address Group by filling in the blanks.  The web interface times out and I have to log out and log in to see the new group.  What can I change so this doesn't happen?

                                      2. In the NetFlow Summary window, I go to Traffic View Builder and select IP Address Group (10.2.52.0-10.2.52.255) and click Build.  Then I select the IP Address Group, the router and the interface and click Submit.  I get a page with every display showing "No Data for Selected Time Period".  Why?

                                      I guess from here on down, the advanced SQL skills would be required since Report Writer can't do this;

                                      3.  I go to Report Writer and run a Historical NetFlow Report to show the top 50 traffic destinations sorted descending by Bytes Transferred, I see 10.2.52.25 is number three on the list, but the IP Address Group field is blank.  How do I get that to populate with the groups I created?  I've already restarted the NetFlow service.

                                      4. I've tried filtering by an IP address or subnet but that doesn't work and I haven't yet found how to structure the filter to include addresses like 10.2.52.25 or 10.2.52.*

                              • Re: Netflow report help

                                How do you access the Traffic View Builder?

                                 

                                I am using NetFlow Traffic Analyzer version 3.0 and I do not see this option.

                                  • Re: Netflow report help
                                    Andy McBride

                                    It's on the NetFlow Summary view, unless that view has been customised and it was removed

                                      • Re: Netflow report help
                                        mkomeara

                                        I deleted all my IP Address Groups and added one back in for 10.1.1.0-10.1.1.255.  When I go to Database Manager and query entries in the IPAddressGroups table, there is only one entry, but its IPAddressGroupID is 18.  When I query the FlowCorrelation table for IP addresses in the same range, those records show an IPAddressGroupID of '1'.  Looking at all FlowCorrelation table entries, they are showing IPAddressGroupID numbers of 0, 1, 2, 3, 4, and 14.  Nothing shows the new ID of 18.