Computer Performance, Windows 2003, Exchange 2003, Logon Scripts

Employ NetFlow to Monitor Your Network Traffic

NetFlow Network Monitoring

Cisco developed the NetFlow protocol as part of their Internetwork Operating System (IOS) back in 1996.  NetFlow started life as a mechanism to control caching on Cisco routers, and thus speed up the forwarding of network packets.  It was but a small step from extracting routing information from the IP packet headers to developing a reporting capability for NetFlow.  Incidentally, this is why you cannot test SolarWinds traffic analyzers without access to a router.

Collecting Network Data

By 2009 NetFlow had become a mature technology, and through the use of templates, Version 9 has become future proof.  Network monitoring relies on the routers collecting, then exporting, detailed NetFlow (or J-Flow) information in UDP packets.  These datagrams are then collected by software such as the Orion NetFlow Traffic Analyzer.

Since NetFlow is open source it can be used by other router manufacturers, and also with traffic analyzers other than Orion.  In a parallel development, Juniper Networks developed a similar protocol for their routers called J-Flow.  This is why the Orion NetFlow Traffic Analyzer has the capability to process J-Flow packets in addition to NetFlow.

Because of the open source nature of NetFlow, collecting the UDP packets is straightforward; the skill of the SolarWinds software lies in analyzing the data and presenting it in ways useful to network managers.  To complete the picture of the comprehensive nature of the Orion Traffic Analyzer, it can also process ICMP, syslog and SNMP (Simple Network Management Protocol).

Creating the UDP Network Packets

Whether the network packet is TCP or UDP, its IP header holds a mine of information.  In order to do its job the router needs to inspect the header of each packet it receives.  As the router sends the packet on to its next hop, it records the source, destination and port data.  Once it has the records of about 50 packets it exports them in a UDP datagram.  It is these UDP NetFlow or J-Flow datagrams that the traffic analyser collects.
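To make the contents of one of those export datagrams concrete, here is an added example (not code from the page or from SolarWinds) that decodes a NetFlow version 5 datagram: a 24-byte header followed by up to 30 fixed 48-byte flow records, each carrying the source, destination, ports, protocol, packet and byte counts and start/end times that the text describes.  The sample datagram is constructed inline from the 192.0.2.0/24 and 198.51.100.0/24 documentation address ranges; the builder functions exist only to produce that sample.  Because the exporter is an unauthenticated UDP source, the parser checks the record count against the real datagram length before trusting it.

```python
"""Decode a NetFlow version 5 export datagram (added example, not from the page)."""
import socket
import struct
from dataclasses import dataclass

# Cisco's published v5 layout: big-endian, no padding between fields.
HEADER_FMT = "!HHIIIIBBH"               # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, ...
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    first_ms: int    # router uptime (ms) when the flow started
    last_ms: int     # router uptime (ms) when its last packet was seen
    tcp_flags: int


def parse_netflow_v5(datagram: bytes):
    """Return (header dict, list of FlowRecord); raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    # Never trust the count field on its own: it must agree with the bytes actually received.
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, d_pkts, d_octets, first, last,
         srcport, dstport, _pad1, tcp_flags, prot, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append(FlowRecord(socket.inet_ntoa(srcaddr), socket.inet_ntoa(dstaddr),
                                  srcport, dstport, prot, d_pkts, d_octets, first, last, tcp_flags))
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        # Top two bits are the sampling mode, the low 14 bits the interval.
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    return header, records


def is_well_formed(datagram: bytes) -> bool:
    """True if the datagram parses cleanly as NetFlow v5."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_record(src, dst, sport, dport, proto, pkts, octets, first, last, flags=0):
    """Pack one constructed v5 flow record (next hop, AS numbers and ToS left at zero)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, first, last,
                       sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_datagram(records, flow_seq=0):
    """Pack a constructed v5 header in front of already-packed records."""
    header = struct.pack(HEADER_FMT, 5, len(records), 120_000, 1_234_567_890, 0, flow_seq, 0, 0, 0)
    return header + b"".join(records)


# Constructed sample: one HTTP conversation and one DNS lookup.
SAMPLE = build_datagram([
    build_record("192.0.2.10", "198.51.100.20", 49152, 80, 6, 12, 9100, 100_000, 101_500, 0x1B),
    build_record("192.0.2.11", "198.51.100.53", 53001, 53, 17, 1, 76, 100_200, 100_200),
])

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE)
    print(f"v{hdr['version']} datagram, {hdr['count']} flows, sequence {hdr['flow_sequence']}")
    for f in flows:
        print(f"{f.src}:{f.src_port} -> {f.dst}:{f.dst_port} proto {f.proto} "
              f"{f.packets} pkts {f.octets} bytes {f.last_ms - f.first_ms} ms")
```

A real collector would bind a UDP socket on the export port configured on the router and hand each received datagram to `parse_netflow_v5`; the length check is what stops a short or truncated datagram from being read past its end.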

Data Analysis and Interpretation

Baselines are boring, but without a reference point how would you know whether a particular trace is 'normal', or whether the network conversation indicates a new problem?  It's always difficult to know where you are going if you don't know where you have come from.

NetFlow knows who talks to whom.  Moreover, it reveals which protocols and ports are involved, and how much data they exchange.  The data collection concentrates on the characteristics of the conversations without wasting time on recording the actual data in the conversation.  In a nutshell, NetFlow concentrates on the basics of: who, what, when, where, and how.

One of the differences between SolarWinds Real-time and Orion software is that the Orion package stores the network traffic in an SQL database; as a result you can analyze historic data to search for patterns, or find out when a particular trend started.

Possible Network Problems NetFlow Can Tackle

Topology

  • Slow network.  Latency caused by the number of nodes and distance from the routers or backbone.  Would sub-netting help?
  • Tracing the root cause of a problem, run it to ground.
  • Where to monitor?  Traffic Analyzers can check multiple routers.

Infected Server

Many in the computing community suffered from the Slammer virus in 2003, but that could never happen again?  Could it?  In reality there will be other attacks, and the problem is that the next successful network virus won't be like the last.

The best that you can hope for is that companies like Cisco will get early warning of the new killer virus and their engineers will be the first with a solution.  If you have experience of network monitoring you will know whether you are affected, and you will understand how to implement the fixes that will be posted on the internet quickly.

Intermittent Problems

Reviewing the history may help to show patterns and thus put you on the right track for finding the sporadic cause.

If in doubt, Guy always blames the database

If a slow network problem is not immediately obvious, check the database(s) on the suspect server.  What I find is that the problem is not with the trusty network, which has not changed in 2 years, but that some new database administrator has done something 'clever' that is crippling the network.

A Six Phase Network Monitoring Plan

  1. Preparation - Create a baseline and thus understand normal business activity.
  2. Identification - Record the UDP sources, destinations and the port number.
  3. Classification - What are the characteristics of the virus?  E.g. packet size and port number.
  4. Trace-back - Identify the source of any virus or attack.
  5. Reaction - Block inbound and outbound access via ACLs.
  6. Follow-up - Continue to be vigilant.  Redouble preparation for the next attack.
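The preparation, identification and classification phases above come down to comparing the current who/what/where/how summary against the baseline.  The following added example (not code from the page or from SolarWinds) does that over flow tuples of the kind a collector already extracts from NetFlow records: it summarises each source host's distinct destinations, destination ports and byte counts, then flags hosts that appear for the first time, hosts using a port they never used in the baseline (reporting the average packet size, the classification clue the text mentions), hosts suddenly talking to many more peers than usual, and hosts sending far more data.  It assumes the baseline and current windows cover the same length of time; the flow data and the fan-out and volume thresholds are constructed for illustration.

```python
"""Flag departures from a NetFlow traffic baseline (added example, not from the page).

Flows are (src, dst, dst_port, proto, packets, octets) tuples. The baseline and
the current window are assumed to cover the same length of time.
"""
from collections import defaultdict


def summarize(flows):
    """Per-source view: distinct destinations, per-port packet/byte totals, total bytes."""
    summary = defaultdict(lambda: {"dsts": set(),
                                   "ports": defaultdict(lambda: [0, 0]),
                                   "octets": 0})
    for src, dst, dport, proto, pkts, octets in flows:
        s = summary[src]
        s["dsts"].add(dst)
        s["ports"][(proto, dport)][0] += pkts
        s["ports"][(proto, dport)][1] += octets
        s["octets"] += octets
    return summary


def compare_to_baseline(baseline_flows, current_flows, fanout_factor=5, volume_factor=10):
    """Return a list of findings, one dict per source/kind, in source order."""
    base = summarize(baseline_flows)
    cur = summarize(current_flows)
    findings = []
    for src, s in sorted(cur.items()):
        b = base.get(src)
        if b is None:
            findings.append({"src": src, "kind": "new-source",
                             "detail": f"{len(s['dsts'])} destinations, {s['octets']} bytes"})
            continue
        # Classification: a port this host never used, with its average packet size.
        for port, (pkts, octets) in sorted(s["ports"].items()):
            if port not in b["ports"]:
                avg = octets // max(1, pkts)
                findings.append({"src": src, "kind": "new-port",
                                 "detail": f"proto {port[0]} port {port[1]}, avg {avg} B/packet"})
        # Fan-out: one host suddenly talking to many more peers than it usually does.
        if len(s["dsts"]) > fanout_factor * len(b["dsts"]):
            findings.append({"src": src, "kind": "fan-out",
                             "detail": f"{len(s['dsts'])} destinations vs baseline {len(b['dsts'])}"})
        # Volume: bytes sent far above what the baseline window saw.
        if s["octets"] > volume_factor * max(1, b["octets"]):
            findings.append({"src": src, "kind": "volume",
                             "detail": f"{s['octets']} bytes vs baseline {b['octets']}"})
    return findings


# Constructed baseline: a workstation browsing, and a server doing DNS plus one HTTP fetch.
BASELINE = [
    ("192.0.2.10", "198.51.100.20", 80, 6, 12, 9100),
    ("192.0.2.10", "198.51.100.21", 443, 6, 30, 22000),
    ("192.0.2.10", "198.51.100.22", 443, 6, 8, 5000),
    ("192.0.2.50", "198.51.100.53", 53, 17, 1, 76),
    ("192.0.2.50", "198.51.100.20", 80, 6, 5, 3000),
]

# Constructed current window: the workstation is unchanged, the server is now sending
# one small UDP datagram to each of 40 addresses on a port it never used before,
# and a host absent from the baseline has appeared.
CURRENT = [
    ("192.0.2.10", "198.51.100.20", 80, 6, 10, 8000),
    ("192.0.2.10", "198.51.100.21", 443, 6, 32, 25000),
    ("192.0.2.50", "198.51.100.53", 53, 17, 1, 80),
    ("192.0.2.99", "198.51.100.20", 80, 6, 4, 2500),
] + [("192.0.2.50", f"203.0.113.{i}", 9999, 17, 1, 404) for i in range(1, 41)]

if __name__ == "__main__":
    for f in compare_to_baseline(BASELINE, CURRENT):
        print(f"{f['src']:12} {f['kind']:11} {f['detail']}")
```

Run against the constructed data, the server 192.0.2.50 is reported twice (a new port and a fan-out of 41 destinations against a baseline of 2) and 192.0.2.99 once as a new source, while the unchanged workstation produces nothing; the trace-back phase then starts from those source addresses.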

Copyright © 1999-2009 Computer Performance LTD. All rights reserved.
