NetFlow Tracker User Guide

PN 3365122
January 2009, Rev 2, 1/2010
©2009, 2010 Fluke Corporation. All rights reserved.
All product names are trademarks of their respective companies.
Third Party Software Components
NetFlow Tracker includes software developed by the Apache Software Foundation (http://www.apache.org/) and by
Advantys (http://www.advantys.com).
NetFlow Tracker includes the following third party software components:
• Apache Commons Collections 3.2, available at http://commons.apache.org/collections/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Commons Logging 1.0.4, available at http://commons.apache.org/logging/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Log4j 1.2.15, available at http://logging.apache.org/log4j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• Apache Xerces Java 2.9.0, available at http://xerces.apache.org/xerces2-j/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• IE5.5+ PNG Alpha Fix 1.0RC4, available at http://www.twinhelix.com/css/iepngfix/demo/. This is distributed under the CC-GNU Lesser GNU Public License, a copy of which is available at http://creativecommons.org/licenses/LGPL/2.1/deed.en.
• iText 2.0.6, available at http://www.lowagie.com/iText/. This is distributed under the Mozilla Public License, a copy of which is available at http://www.mozilla.org/MPL/MPL-1.1.html.
• Jakarta Tomcat 3.3.2, available at http://tomcat.apache.org/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
• joeSNMP 0.2.6, available at http://opennms.svn.sourceforge.net/viewvc/opennms/opennms/branches/OPENNMS/src/joesnmp/. This is distributed under the Lesser GNU Public License, a copy of which is available at http://www.gnu.org/licenses/lgpl.html.
• jspSmartUpload 2.1, which is no longer available. This is distributed under the Advantys Freeware license contract, a copy of which is available at http://web.archive.org/web/20031209160524/http://www.jspsmart.com/liblocal/docs/legal.htm.
• Quartz 1.6.0, available at http://www.opensymphony.com/quartz/. This is distributed under the Apache Software License, a copy of which is available at http://www.apache.org/LICENSE.
End User License
This is a legal agreement between you ("You"/"the End User"), and Fluke Electronics Corporation, a Delaware
corporation, including its division, Fluke Networks ("FNET"), with offices at 6920 Seaway Boulevard, Everett, Washington,
98203, USA. BY DOWNLOADING OR OTHERWISE ELECTRONICALLY RECEIVING THIS SOFTWARE PRODUCT ("PRODUCT") IN
ACCORDANCE WITH OUR SOFTWARE DELIVERY PROCEDURES OR BY BREAKING THE SEAL ON A PRE-INSTALLED APPLIANCE
OR OPENING THE SEALED DISK PACKAGE WHICH CONTAINS THE PRODUCT, YOU ARE AGREEING TO BE BOUND BY THE
TERMS OF THIS AGREEMENT.
1. GRANT OF LICENSE AND PAYMENT OF FEES Provided that You have paid the applicable License fee, if you are a direct user
(as opposed to a service provider), FNET grants You a non-exclusive and non-transferable, revocable License to use one copy
of the Product on the maximum number of servers supporting the maximum number of devices (router, switch (including
each module with layer 3 capabilities such as WAN interface, layer 3 routed interface, or blade)) specified in your purchase
order, or if not so specified, on a single server supporting a single device by a single user, and only for the purpose of
carrying out your business in the country specified in your order. If you are a Service Provider (as opposed to a direct user),
FNET grants You a non-exclusive and non-transferable, revocable License to use one copy of the Product on the maximum
number of PE devices regardless of where they are actually taking the flows from. If you are a Managed Service Provider,
FNET grants You a non-exclusive and non-transferable, revocable License to use one copy of the Product on the maximum
number of CE devices irrespective of where they are actually taking the flows from. This Product is licensed for internal use
by You, the end user only. Once a license key has been issued to You, the product is non-refundable. Under certain, limited
circumstances, Fluke may at its sole discretion, provide written permission for You to transfer your license. In the event
that at any time You wish to extend the permitted number of servers or devices above the permitted amount, You must
contact FNET or the reseller from whom you purchased the Product ("the Reseller") and an additional License fee may be
agreed upon and a new License issued for the requested additional number of servers/devices. FNET or your Reseller may
require that You provide written certification showing the geographical locations, type and serial number of all computer
hardware on which the Software is being used, together with confirmation that the Product is being used in accordance
with the conditions of this Agreement. You shall permit FNET or your Reseller, and/or their respective agents to inspect and
have reasonable access, during normal business hours, to any premises, and to the computer equipment located there, at or
on which the Software is being kept or used, and any records kept pursuant to this Agreement, for the purposes of ensuring
compliance with the terms of this License.
2. EVALUATION AND GOLD SUPPORT EVALUATION. If a provided license key is
labeled "Evaluation", FNET grants You the right to use the Product enabled by that key solely for the purpose of evaluation,
and the Product will cease to function seven (7) days from enabling (or after such longer period as may be agreed by FNET
and confirmed by FNET or your Reseller in writing), at which time the License grant for that Product also ends. After the
evaluation period, You may either purchase a full License to use the Product from your Reseller or directly from FNET, or You
must promptly stop using the Evaluation Product and all associated documentation. The warranty described in Section 5
shall not apply to Product that is downloaded for evaluation purposes.
3. INTELLECTUAL PROPERTY RIGHTS All intellectual
property rights in the Product belong to FNET and its Supplier(s) and Licensors(s) and You acknowledge that the Product
contains valuable Trade Secrets of FNET, its Supplier(s) and Licensor(s) and You have no ownership claims or rights
whatsoever in the Product. You may (a) make one copy of the Product solely for backup or archival purposes and keep this
securely, or (b) transfer the software to a secure single hard disk provided that You keep the original solely and securely for
backup or archival purpose. You may not copy the written materials accompanying the Product. You shall not remove or
alter FNET's copyright or other intellectual property rights notices included in the Product or in and any associated
documentation. You must notify FNET forthwith if You become aware of any unauthorized use of the Product by any third
party. FNET's Supplier(s) and Licensor(s) are third party beneficiaries of this Agreement as it pertains to relevant intellectual
property rights associated with the Product, and provisions of this Agreement related to intellectual property rights are
enforceable by FNET, its Supplier(s) and Licensor(s).
4. OTHER RESTRICTIONS You shall not sublicense, distribute, market,
lease, sell, commercially exploit, loan or give away the Product or any associated documentation. For the avoidance of
doubt, this License does not grant any rights in the Product to, and may not be assigned, sublicensed or otherwise
transferred to, any connected person, where the term connected person includes but is not limited to the End User's
subsidiaries, affiliates or any other persons in any way connected with the End User, whether present or future. The Product
and accompanying written materials may not be used on more than the permitted number of servers at any one time or for
in excess of the permitted number of devices. Subject always to any rights which You may enjoy under applicable law
(provided that such rights are exercised strictly in accordance with applicable law) and except as expressly provided in this
Agreement, You may not reproduce, modify, adapt, translate, decompile, disassemble or reverse engineer the Product in
any manner. You shall not merge or integrate the Product into any other computer program or work, and You shall not
create derivative works of the Product. FNET reserves all rights not expressly granted under this Agreement.
5. LIMITED WARRANTY FNET warrants that during the warranty period (a) the Product will perform substantially in accordance with its
accompanying written materials, and (b) the media on which the Product is furnished shall be free from defects in materials
and workmanship. The warranty period applicable to the Product shall be ninety (90) days from the date of delivery of the
Product or, if longer, the shortest warranty period permitted in respect of the Product under applicable law ("Warranty
Period"). The warranty for any hardware accompanying the Product shall be as stated on the
warranty card shipped with the hardware. If, within the Warranty Period, You notify FNET of any defect or fault in the
Product in consequence of which the Product fails to perform substantially in accordance with its accompanying written
materials, and such defect or fault does not result from You, or anyone acting with your authority, having amended,
modified or used the Product for a purpose or in a context other than the purpose or context for which it was designed or
licensed according to this Agreement, or as a result of accident, power failure or surge or other hazards, FNET shall, at
FNET's sole option and absolute discretion, do one of the following: (i) repair the Product; or (ii) replace the Product; or (iii)
repay to You all license fees which You have paid to FNET under this Agreement. FNET does not warrant that the operation
of the Product will be uninterrupted or error or interruption free.
6. CUSTOMER REMEDIES You must call your FNET
representative to discuss remedies during the 90 day warranty period referred to in Section 5 above. You acknowledge that
your sole remedy for any defect in the Product will be Your rights under Section 5.
7. NO OTHER WARRANTIES. FNET
AND/OR ITS SUPPLIERS, DISCLAIM ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE PRODUCT,
THE ACCOMPANYING WRITTEN MATERIALS AND ANY ACCOMPANYING HARDWARE AND YOU AGREE THAT THIS IS FAIR
AND REASONABLE. THE EXPRESS TERMS OF THIS AGREEMENT ARE IN LIEU OF ALL WARRANTIES, CONDITIONS,
UNDERTAKINGS, TERMS OF OBLIGATIONS IMPLIED BY STATUTE, COMMON LAW, TRADE USAGE, COURSE OF DEALING OR
OTHERWISE, ALL OF WHICH ARE HEREBY EXCLUDED TO THE FULLEST EXTENT PERMITTED BY LAW.
8. NO LIABILITY FOR CONSEQUENTIAL DAMAGES IN NO EVENT SHALL FNET AND/OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT,
CONSEQUENTIAL OR ECONOMIC LOSS OR DAMAGES WHATSOEVER OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS,
SAVINGS, GOODWILL, CAPITAL, ADDITIONAL ADMINISTRATIVE TIME OR DATA ARISING OUT OF A DEFECT IN THE PRODUCT OR
THE USE OF OR INABILITY TO USE THE PRODUCT, EVEN IF FNET HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
9. TERMINATION Either party shall be entitled forthwith to terminate this Agreement by written notice if the other Party
commits any material breach of any of the provisions of this Agreement and, fails to remedy the same within sixty (60) days
after receipt of a written notice from the non-breaching Party giving full particulars of the breach and requiring it to be
remedied. You shall be obliged to notify FNET in writing of any change in the control or ownership of the End User and
FNET shall be entitled forthwith to terminate this Agreement by written notice. This Agreement shall automatically
terminate if replaced at any time with a new License agreement. The right to terminate this Agreement given by this
Section 9 will be without prejudice to any other accrued right or remedy of either Party including accrued rights or remedies
in respect of the breach concerned (if any) or any other breach, or which the Parties have accrued prior to termination.
10. INDEMNIFICATION You shall indemnify FNET and hold it harmless from any loss, damages, proceedings, suits, third party
claims, judgments, awards, expenses and costs (including legal costs) incurred by or taken against FNET as a result of the
negligence, fault, error, omission, act or breach of You or of your employees, staff, contractors, agents or representatives or
for any breach of this Agreement whatsoever by You. Notwithstanding any other provision of this Agreement, the
aggregate liability of FNET for or in respect of all breaches of its contractual obligations under this Agreement and for all
representations, statements and tortious acts or omissions (including negligence but excluding negligence causing loss of
life or personal injury) arising under or in connection with this Agreement shall in no event exceed the License fee paid by
You pursuant to this Agreement prior to the date of the breach.
11. CONFIDENTIAL INFORMATION AND SECURITY During
and after this Agreement, the Parties will keep in confidence and use only for the purposes of this Agreement all
Confidential Information. Confidential Information means information belonging or relating to the Parties, their business or
affairs, including without limitation, information relating to research, development, Product, processes, analyses, data,
algorithms, diagrams, graphs, methods of manufacture, trade secrets, business plans, customers, finances, personnel data,
and other material or information considered confidential and proprietary by the Parties or which either Party is otherwise
informed is confidential or might or ought reasonably expect that the other Party would regard as confidential or which is
marked "Confidential". For the avoidance of doubt, You shall treat the Product and any accompanying documentation as
Confidential Information. Confidential Information does not include any information (i) which one Party lawfully knew
before the other Party disclosed it to that Party; (ii) which has become publicly known through no wrongful act of either
Party, or either Parties' employees or agents; or (iii) which either Party developed independently, as evidenced by
appropriate documentation; or (iv) which is required to be disclosed by law. The Parties will procure and ensure that each of
its employees, agents, servants, sub-contractors and advisers will comply with the provisions contained in this Section. If
either Party becomes aware of any breach of confidence by any of its employees, officers, representatives, servants, agents
or sub-contractors it shall promptly notify the other Party and give the other Party all reasonable assistance in connection
with any proceedings which the other Party may institute against any such person. This Section 11 shall survive the
termination of this Agreement. Notwithstanding the above confidentiality provisions, in accepting this License agreement,
You agree that, subject to any applicable data protection laws, FNET may use your business name and logo for the purposes
of marketing and promotion of the product and its business and You hereby grant FNET a limited License to use your
business name and logo for these purposes.
12. EXPORT CONTROL You shall be responsible for and agree to comply with all
laws and regulations of the United States and other countries ("Export Laws") to ensure that the Product is not exported
directly, or indirectly in violation of Export Laws or used for any purpose prohibited by Export laws.
13. GOVERNING LAW AND JURISDICTION This Agreement and all relationships created hereby will in all respects be governed by and construed in
accordance with the laws of the state of Washington, United States of America, in respect of all matters arising out of or in
connection with this agreement. The Parties hereby submit to the exclusive jurisdiction of the Washington Courts. NOTHING
IN THIS CLAUSE SHALL PREVENT FNET FROM TAKING AN ACTION FOR PROTECTIVE OR PROVISIONAL RELIEF IN THE COURTS
OF ANY OTHER STATE.
14. MISCELLANEOUS 14.1 The provisions of Sections 3, 7, 8, 10, 11, 12, 13 and 14 and the obligation
on you to pay the License fee shall survive the termination or expiry of this Agreement. 14.2 This Agreement is personal to
You and You shall not assign, sublicense or otherwise transfer this Agreement or any part of your rights or obligations
hereunder whether in whole or in part save in accordance with this Agreement and with the prior written consent of FNET
and You shall not allow the Product to become the subject of any charge, lien or encumbrance of whatever nature. Nothing
in this Agreement shall preclude the Licensor from assigning the Product or any related documentation or its rights and
obligations under this Agreement to a third party and You hereby consent to any such future assignment. 14.3 This
Agreement supersedes all prior representations, arrangements, understandings and agreements between the Parties herein
relating to the subject matter hereof, and sets out the entire and complete agreement and understanding between the
Parties relating to the subject matter hereof. 14.4 If any provisions of the Agreement are held to be unenforceable, illegal or
void in whole or in part the remaining portions of the Agreement shall remain in full force and effect.
14.5 No party shall be liable to the other for any delay or non-performance of its obligations under this Agreement
(save for your obligation to pay the fees in accordance with Section 1) arising from any cause or causes beyond its
reasonable control including, without limitation, any of the following: act of God, governmental act, tempest, war, fire,
flood, explosion, civil commotion, industrial unrest of whatever nature or lack of or inability to obtain power, supplies or
resources. 14.6 A waiver by either party to this Agreement of any breach by the other party of any of the terms of this
Agreement or the acquiescence of such party in any act which but for such acquiescence would be a breach as aforesaid, will
not operate as a waiver of any rights or the exercise thereof. 14.7 No alterations to these terms and conditions shall be
effective unless contained in a written document made subsequent to the date of the terms and conditions signed by the
parties which are expressly stated to amend the terms and conditions of this Agreement.
NetFlow Tracker Overview 1
Key Features 1
Deploying NetFlow Trackers 2
Data Management 3
Product Services 3
Obtaining Technical Support 4
Obtaining Professional Services 4
Obtaining Product Training 4
Installing NetFlow Tracker 5
System Requirements 5
Hardware Requirements 5
Software Requirements 6
Preparing for Installation 7
Installing NetFlow Tracker on Microsoft Windows 8
Installing Java Runtime Environment on Windows 9
Installing NetFlow Tracker 9
Installing NetFlow Tracker on Linux 11
Setting Up NetFlow Tracker 13
Opening NetFlow Tracker 13
Selecting a Language 14
Setting up NetFlow Tracker 15
Setting up Licensing 15
Setting up Listener Ports 16
Applying SNMP Settings 17
Enabling Devices to Export Flow Data 18
Applying Device Settings in NetFlow Tracker 18
Device List 20
Applying Traffic Class IDs 21
Applying Identified Applications 22
Applying Interface Settings 22
Deleting a Device 24
Making Sure That Data is Received 24
Applying Security Settings 27
Viewing Version Information 28
Viewing Real-Time Data 29
Viewing Network Overview Data 30
Top Applications and Interfaces for a Device 31
Application Conversations 32
Top Applications and Usage for an Interface 32
Interface Conversations 32
Viewing Devices 33
Viewing Interfaces 34
Viewing Per-AS Data 36
Filtering Real-time Data 37
Viewing Chart Data 42
Working with Pie Charts 44
Working with Tables 45
Viewing Long-term Data 47
Viewing Long-term Network Overview Data 47
Viewing Long-term Device and Interface Data 49
Filtering Long-term Data 50
Saving a Long-term Filter 51
Setting up Reports 53
Reports Overview 53
Applying General and Real-time Report Settings 54
Saving Report Filters 55
Scheduling Reports 56
Creating Long-term Reports 60
Creating Executive Reports 65
Adding a Sub-report Cell 68
Adding an HTML Cell 70
Viewing Executive and Real-Time Reports 71
Working with Alarms 73
Alarms Overview 73
Alarm Severity and Lifecycle 74
Thresholds and Baseline Sensitivity 74
Alarming for Persistent Changes 75
Baseline Learning and Reset 76
Tips and Techniques 76
Configuring Alarms 77
Creating an Alarm 77
Creating an Interface Alarm 79
Configuration 80
Configuring Notification Settings 81
Viewing Events 82
Viewing the Events Timeline 82
Viewing the Event List 83
Viewing the Event Lifecycle 83
Optimizing NetFlow Tracker 85
Data Display and Filtering Settings 85
Management Portal Settings 86
How Access Control Works 86
Using Apache as a Portal Server 87
IP Application Names 88
Defining a Simple Application Name 88
Defining a Grouped Application Name 89
DiffServ Names 90
Hostname Resolution Settings 91
Subnet Names 91
AS Names 92
Data Management and System Performance Monitoring 93
Database Settings 93
Backup 94
Backing Up Data 95
Restoring a Backup on Linux 95
Restoring a Backup on Windows 96
Archiving 96
Memory Settings 97
Setting up NetFlow on Network Devices 99
Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch 99
Enabling Netflow Export on an IOS Device 100
Enabling NDE on a Native IOS Device 101
Enabling NetFlow Export on a 4000 Series Switch 102
Configuring NDE on a CatOS Device 103
Configuring NetFlow Input Filters for Traffic Class Reporting 104
Enabling Flow Detail Records on a Packeteer Device 104
Enabling NetFlow on an Enterasys Device 105
Enabling sFlow on a Foundry Device 106
Report Templates 107
Address Reports 107
Session Reports 108
QoS Reports 110
Network Reports 110
Interface Reports 111
Traffic Identification Reports 111
Full Flow Forensics Reports 112
Other Reports 112
Report URL Parameters 113
General Format 116
Report Parameters 116
Time Range Parameters 122
Setting Start and End Times 122
Creating a Fixed Length URL with Current Time Range 123
Setting a Simple Calendar-Based Time Range 123
Setting an Advanced Calendar-Based Time Range 125
Applying a Time-of-Day Mask to the Time Range 126
Setting a Time Zone 127
Setting the Chart Sample Size 130
Setting the Source Long-term Data 130
Filter Parameters 131
Security Parameters 138
Management Portal Access Control Parameters 138
File Formats 141
CSV File Format 141
Chart CSV format 141
Pie chart CSV format 141
Tabular report CSV format 142
XML Format 142
Chart XML format 143
Pie chart XML format 143
Tabular report XML format 143
1: NetFlow Tracker Overview
Topics include:
• Key Features
• Deploying NetFlow Trackers
• Data Management
• Product Services
Key Features
NetFlow Tracker lets you as a network administrator view flow traffic
from routers and managed switches on the network. From a web-based interface, it provides a set of dynamic charts and reports to
help you understand network traffic flow data. You can analyze
application and protocol information in depth, including user, server,
and application activity.
NetFlow Tracker supports data from a range of devices in formats
including NetFlow versions 1, 5, and 9, IPFIX, Nortel IPFIX, sFlow,
JFlow, Cflow, and netstream.
Key features include:
• Install and configure NetFlow Tracker on Windows or Linux servers. See Chapter 2, “Installing NetFlow Tracker.”
• Customize setup to determine how data is gathered and managed, and optimize NetFlow Tracker performance based on the data you need. See Chapter 3, “Setting Up NetFlow Tracker” and Chapter 8, “Optimizing NetFlow Tracker.”
• View real-time network traffic in detail at per-minute resolution for one week by default. Traffic views by user, user group, conversation, system and application are available. Drill down and zoom in on data. Filter all real-time reports and charts on any field. See Chapter 4, “Viewing Real-Time Data.”
• Create custom long-term reports and charts. Define and quickly access custom executive reports. Format reports and charts as CSV or XML for further processing or as simplified HTML or PDF for printing or emailing. Full flow forensic reports are available. See Chapter 6, “Setting up Reports.”
• Create threshold and baseline alarms. Receive notifications via email, logging or SNMP traps. See Chapter 7, “Working with Alarms.”
Deploying NetFlow Trackers
You can deploy NetFlow Tracker as stand-alone software on a
dedicated server on your network or in the NetFlow Tracker
Appliance. Because NetFlow Tracker is a web-based application, you
can access the system from anywhere in the network.
NetFlow Tracker servers are typically deployed near large switches or
tightly clustered switches or routers where there is a high degree of
NetFlow traffic.
You can also deploy the NetFlow Tracker Appliance as part of the
Visual Performance Manager network performance management
system. This lets you view performance data and create reports from
multiple NetFlow Trackers on the network through a single web
portal interface. For more information, see the Visual Performance
Manager System Administration Guide.
Data Management
NetFlow Tracker has two databases:
• The real-time database stores data at millisecond granularity. Report data is displayed in one-minute granularity. By default, data is stored for up to seven days. You can adjust this setting in Database Settings.
• The long-term database stores aggregated data for multiple years at a granularity that you set in Database Settings. By default, data is stored for 999 weeks at one-hour granularity. When you configure long-term reports using custom granularity, the database stores that data at that granularity for as long as the report is scheduled.
Real-time database maintenance occurs every six hours (you cannot
run database maintenance on demand). During this time data is
reorganized and transferred to the long-term database, where it is then
aggregated. To monitor the length of time
this takes, see “Making Sure That Data is Received” on page 24.
You can also archive and back up real-time data.
See:
• “Database Settings” on page 93
• “Backup” on page 94
• “Archiving” on page 96
Product Services
For NetFlow Tracker product information, see:
www.flukenetworks.com
Obtaining Technical Support
If you require technical support for NetFlow Tracker, contact the
Fluke Networks Technical Assistance Center (TAC) at the points listed
below:
By phone: 1 800-283-5853 (U.S. only) or 1 425-446-4519
(international)
By email: support@flukenetworks.com
Supervision Gold support packages are available from the Fluke
Networks website.
Obtaining Professional Services
Fluke Networks has certified consultants available to assist you with
the planning, installation, implementation, and deployment of the
product. Contact Professional Services at the points listed below:
By phone: 1 800-283-5853 (U.S. only) or 425-446-4600
By fax: 421-446-4839
By email: professionalservices@flukenetworks.com
Obtaining Product Training
Training is available. Direct training requests to your product vendor
or the training coordinator at the contact points listed below:
By phone: 301-296-2300
By fax: 301-296-2651
By email: training@flukenetworks.com
2: Installing NetFlow Tracker
Topics include:
• System Requirements
• Preparing for Installation
• Installing NetFlow Tracker on Microsoft Windows
• Installing NetFlow Tracker on Linux
Note
For upgrade information, see the Release Notes included with
the NetFlow Tracker release.
System Requirements
The type of system required to run NetFlow Tracker depends on the
number of devices sending NetFlow information to it and the amount
and nature of traffic handled by those devices.
Hardware Requirements
The following requirements are a guideline. To determine your
requirements, test the software’s performance in your network
environment.
Table 1 Minimum Hardware Requirements

| Component | Minimum Requirement |
|---|---|
| Processor | Intel Pentium D, Core 2 or Xeon or a compatible processor of similar performance. Multiple processors improve performance, but consider these only after increasing RAM and the performance of the disk subsystem. |
| RAM | 2 GB. Performance increases with the amount of RAM available for the disk cache and database buffers. |
| Disk subsystem | High performance disk subsystem with substantial free space. For all but the lightest loads, use a server RAID card running RAID 5 over at least three high-performance disks. NetFlow Tracker stores and queries real-time data for a week at one-minute granularity. A busy enterprise router can generate between 20GB and 50GB of data in this time. |
Software Requirements
Note
NetFlow Tracker requires high speed disk I/O to run effectively.
If you run antivirus software on the NetFlow Tracker server you
are likely to have periodic issues with storing and accessing flow
data.
Table 2 Software Requirements

| Software | Requirement |
|---|---|
| Operating system | English, Chinese, and Japanese language versions are supported. Windows XP Professional SP2; Windows Server 2003 R2 SP 2; Windows Server 2003 SP 2; Windows Server 2000; Linux—NetFlow Tracker has been tested and is supported on Red Hat Enterprise Linux 5 and Fedora Core 10 running Java 1.6.0_05 or later and MySQL 5.0 (Intel-compatible processor). For more information on installing NetFlow Tracker on other Linux distributions, contact Fluke Networks TAC. |
| Browser | MS Internet Explorer (IE) 7.0; IE 6.0 with SP1, critical updates; Firefox 3.0. Other web browsers may run but have not been tested. |
| Java version | Java 2 Runtime Environment SE v1.6.0_05 or later |
| Other components | MySQL 5.0, installed with NetFlow Tracker; Adobe Acrobat Reader 6.0 or later |
Preparing for Installation
Before installing, complete the following tasks:
• NetFlow Tracker puts a heavy load on the system. It is strongly recommended that you install it on a dedicated server.
• Do not install any other MySQL-dependent software on the NetFlow Tracker server. Because of the large database size and optimized structure required by NetFlow Tracker, MySQL is set up in a way that can seriously degrade the performance of other software that uses MySQL.
• NetFlow Tracker uses a version of MySQL that differs significantly from that used by Fluke Networks NetFlow Monitor, NetWatch and ResponseWatch products. If you install NetFlow Tracker on a server running one of these products it will not function correctly. Likewise, if you install one of these products on a server running NetFlow Tracker, neither product will function correctly.
• NetFlow Tracker contains an embedded web server. Web servers normally run on port 80, but another web server on your system may be using this port. You can choose a different port during installation or disable other web servers prior to installation.
• If you have previously configured a router for NetFlow Monitor, note that NetFlow Tracker requires a different active flow timeout or long aging timer.
Installing NetFlow Tracker on Microsoft Windows
You must log in as an administrator to install NetFlow Tracker.
Installation takes several minutes.
• If you received NetFlow Tracker on CD, the setup program starts automatically when you insert the CD. If it does not, open the CD drive in My Computer and double-click setup.exe.
• If you downloaded NetFlow Tracker software, double-click the file you downloaded.
• Installation detects unsupported MySQL versions. If MySQL is installed on the server already, a message asks if you want to continue. Uninstall any unsupported MySQL version. NetFlow Tracker requires MySQL 5.0, which is installed with the application. The installation program will fail if the installed version of MySQL uses a root password.
Installing Java Runtime Environment on Windows
To install Java Runtime Environment:
1. Insert the NetFlow Tracker CD in your server.
2. If the server does not have the required version of the Java
Runtime Environment installed, click OK to install it. The Java
installer launches.
3. Accept Sun’s license agreement and click Next.
4. On the Setup Type screen, choose Typical or Custom. Select
Custom if you do not want the web browser to use Sun’s Java
Plug-in. Click Next.
5. When Java Runtime Environment installation is completed, click
Finish.
Installing NetFlow Tracker
Once Java Runtime Environment installation completes, the NetFlow
Tracker software begins installing.
To install NetFlow Tracker:
1. On the Welcome screen, click Next.
2. On the License Agreement screen, accept the agreement and click
Next.
3. On the Customer Information screen, enter your name and
organization name. Choose whether to install the software for
yourself only or for every user that logs in to the system. If you
install the software for yourself, only you will see the shortcut to
the web front-end and only you can uninstall the software. Click
Next.
4. On the Setup Type screen, choose:
• Complete to install NetFlow Tracker to the “nfNetFlow
Tracker” folder on your system drive and MySQL to the
“MySQL” folder on the same drive. The internal web server
will run on port 80 if available. If port 80 is unavailable, you
are prompted to choose another. Click Next. Proceed to step 7.
• Custom if you want to change the install folders or choose a
different port even if 80 is available. Click Next.
5. If you chose Custom, the Custom Setup screen is shown. You can
change the install folder for NetFlow Tracker and MySQL. Select
the feature and click Change. Click Next.
6. If you chose Custom setup or if port 80 is in use, the Select HTTP
Port screen is shown. Select a port and click Test to check if it is
available. Click Next.
7. On the Ready to Install screen, click Install. Installation takes
several minutes. If installation stops for longer than that, contact
Fluke Networks TAC. When installation completes, click Finish.
After installation, a shortcut is placed in the NetFlow Tracker folder
under Programs in the Windows Start menu.
Installing NetFlow Tracker on Linux
Note
The RPM installer works only for the supported distributions of
Linux: Red Hat Enterprise Linux 5 and Fedora Core 8. If you are
trying to upgrade on a different platform contact Fluke
Networks TAC at support@flukenetworks.com.
The NetFlow Tracker web server runs on port 8000.
To install the RPM run the following as root (replace the RPM file
below with the file you downloaded).
rpm -Uvh nftracker-6.0-0.i386.rpm
For an upgrade installation, use:
rpm -Uvh --nopreun --nopostun nftracker-6.0-0.i386.rpm
The following is an example of the install sequence:
The following graphic shows the successfully completed installation.
3: Setting Up NetFlow Tracker
After installation, you can set up NetFlow Tracker to monitor data.
Topics include:
• Opening NetFlow Tracker
• Selecting a Language
• Setting up NetFlow Tracker
• Viewing Version Information
Opening NetFlow Tracker
To open and set up NetFlow Tracker:
1. Open NetFlow Tracker:
• To open NetFlow Tracker from the computer on which it is
installed, from the Windows task bar select Start > All Programs > NetFlow Tracker > NetFlow Tracker.
• To open NetFlow Tracker from a URL, open a web browser
and type the IP address or DNS name of the NetFlow Tracker
server, using the port set up during installation.
2. Click the splash screen to dismiss it. The Network Overview page is
shown.
• If you have not yet configured NetFlow Tracker, the Network
Overview page has no data. In the upper left part of the interface, select Main Menu > Settings. Configure the settings
required so that NetFlow Tracker can start monitoring data.
See “Setting up NetFlow Tracker.”
• If you have already configured NetFlow Tracker, data is
shown on the Network Overview page. See “Viewing Network Overview Data” on page 30.
Note:
• If you have password protection enabled you may need to log in
as an administrative user to see the Main Menu > Settings link.
See “Applying Security Settings” on page 27.
• The Settings link is not shown for NetFlow Trackers that have a
portal secret configured in the Visual Performance Manager.
Selecting a Language
You can view the NetFlow Tracker interface in English, Chinese, or
Japanese, depending on the language settings of your browser.
To change language settings:
1. Access the language selection dialog:
• In Firefox, select Tools > Options. From the General tab (in
Firefox 2.0) or Content tab (in Firefox 3.0), under Languages,
click Choose.
• In Internet Explorer, select Tools > Internet Options. From the
General tab, click Languages.
2. Click Add and select a supported language from the list:
• Chinese/China [zh-cn]
• Japanese [ja]
• English/United States [en-us]
3. Select the language you want to use and click Move Up to place it
at the top of the list.
4. Click OK. Then click OK again in the Options or Internet Options
dialog.
Setting up NetFlow Tracker
From the Settings page (Main Menu > Settings) you can set up
NetFlow Tracker to gather data from network devices, determine
how that data is gathered and managed, and monitor and optimize
NetFlow Tracker performance.
If you are using NetFlow Tracker for the first time after installation,
set up NetFlow Tracker to start gathering data. Topics include:
• Setting up Licensing
• Setting up Listener Ports
• Applying SNMP Settings
• Enabling Devices to Export Flow Data
• Applying Device Settings in NetFlow Tracker
• Making Sure That Data is Received
• Applying Security Settings
Once NetFlow Tracker begins collecting data you can apply additional
data filtering and management settings. For more information, see
Chapter 8, “Optimizing NetFlow Tracker.”
When applying settings, note:
• Each settings page controls a single aspect of the software. To
apply changes, click OK on that page. To return to the main
Settings page without applying changes, click Cancel.
• Use the session path link on settings pages to return to the main
Settings page. Using the web browser’s Back button can cause
you to lose changes.
Setting up Licensing
Use the Licensing page to apply a new full or trial license or check the
status of an existing license.
To install a license:
1. Select Main Menu > Settings > Licensing.
2. Add license information:
• If from a file, click Browse, locate the file, and select it. Then
click Load.
• If text, enter or paste the text and click Decode.
3. Click OK.
Setting up Listener Ports
Use the Listener Ports page to set the UDP ports on which NetFlow
Tracker will monitor NetFlow traffic from devices.
When you set up NetFlow exporting on a device, you provide a port
number to which to send exports. By default, NetFlow Tracker listens
on ports 2055 and 6343.
For more information about configuring devices for NetFlow, see
Appendix A, “Setting up NetFlow on Network Devices.”
To add listener ports:
1. Select Main Menu > Settings > Listener Ports.
2. Add ports. Select All local addresses and enter a port number.
Note
When adding local addresses, you must specify a port number
on the NetFlow Tracker server to receive NetFlow traffic.
3. Set the Receive buffer size. The default size is 32768. This setting
applies to all ports.
Note
If traffic exceeds the buffer size, increase the buffer size to
avoid dropping packets. If you increase the buffer size, monitor
the system’s memory usage.
4. Click OK. If you receive an error message, one or more ports are
already in use. An asterisk (*) marks these ports. Remove these
ports and add others until no errors remain.
Applying SNMP Settings
Use the SNMP Settings page to define default SNMP parameters. This
information is used to query devices.
When NetFlow Tracker receives exports from a previously unknown
device, it scans the device using SNMP to find its name and interface
properties. Devices enabled for SNMPv1 or SNMPv2c can be accessed
using a password, called a community string. By default, NetFlow
Tracker defines the community string public. You can define
additional community strings and define the order in which they will
be attempted.
For devices enabled for SNMPv3, access depends on the level of
security and access rights defined. A single set of default SNMPv3
parameters can be specified. SNMPv3 security is controlled by the
User Name plus an optional Authorization Protocol & Passphrase and
Privacy Protocol & Passphrase. SNMPv3 access is controlled by an
optional Context Name.
Note
A device is scanned when it reboots and when NetFlow Tracker
software restarts. Because NetFlow Tracker checks each SNMPv2
community first when it detects a new device, place the most
frequently used communities higher in the list for faster
scanning.
You can change the SNMP parameters used to rescan an existing
device on the device configuration page. See “Applying Device
Settings in NetFlow Tracker” on page 18.
Devices that have not been successfully queried using SNMP have an
exclamation point next to them in the Device List. See “Device List” on page 20.
To apply SNMP settings:
1. Select Main Menu > Settings > SNMP Settings.
2. Select SNMP 1/2c or SNMP 3.
3. If SNMP 1/2c is selected, enter at least one SNMP community
string. If multiple strings are added, each one will be attempted
successively until an SNMP query is successful. Enter the most
common string first in order to speed up the search.
If SNMP 3 is selected, enter SNMP v3 configuration information.
4. Leave the default settings for timeout (5000 ms) and number of
attempts (3) used for SNMP requests.
5. Click OK.
Enabling Devices to Export Flow Data
To view data in NetFlow Tracker, you must enable network devices
(routers and switches) to export flow data to the server running
NetFlow Tracker. For more information, see Appendix A, “Setting up
NetFlow on Network Devices.”
Once devices are enabled, to see whether NetFlow Tracker has started
collecting data, see “Making Sure That Data is Received” on page 24.
Applying Device Settings in NetFlow Tracker
Use the Device Settings page to:
• Collect information from devices using SNMP queries, so that
interfaces are named correctly.
• Apply BGP settings if BGP is used to establish routing between
autonomous systems (ASes).
• Apply sampled data settings to collected flows, so that utilization
information is scaled accurately in reports.
• Apply traffic class, identified applications, and interface settings.
To configure devices:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See “Device List” on page 20.
3. Apply General settings:
• Override the name detected using SNMP.
• Choose whether to archive real-time data from the device.
Note: When you archive data, all NetFlow data monitored by
the device is archived.
• Show interface descriptions entered on the network device or
leave the default setting. Default does not show the interface
descriptions.
4. Apply SNMP settings. For SNMP mode, select:
• Use SNMP if the device supports SNMP. Let NetFlow Tracker
use SNMP to scan a device because the numbers used to identify
the inbound and outbound interfaces in NetFlow exports
are not constant and SNMP is the only way NetFlow Tracker
can make a correct correlation between an identifier and a
physical interface or port. Select an SNMP version (SNMPv1,
SNMPv2c or SNMPv3) and enter the SNMP criteria. See “Applying SNMP Settings” on page 17 for more information.
• Don’t use SNMP if the device does not support SNMP. This
assigns default properties to each interface encountered in
NetFlow exports from the device.
• Keep current configuration to freeze a device’s configuration.
This ignores any new interface encountered, so use this with
caution.
To rescan an SNMP device using the SNMP parameters specified in
the page, click Rescan. This scans but does not save the settings.
You must click OK on the Device Settings page to apply changes.
Because NetFlow Tracker rescans a device when the software
restarts, a new interface is encountered, or the device reboots,
you do not normally have to manually rescan a device.
5. Apply BGP settings if BGP is used:
• Local AS—The local AS number is required to get correct AS
numbers for traffic routed to or from the local AS. If BGP is
not used, leave this setting blank.
• Store peer/origin ASes—For a device that can send both the
peer and origin AS number for each NetFlow record, choose
which AS numbers are stored in the database.
• Store BGP next-hop—For a device that can send the BGP next-hop
address in its NetFlow exports, store this value in place of
the IP next-hop for the device.
6. Set Sampled Data Scaling.
• Scale sampled data—If a device samples packets to simplify
the generation of NetFlow data, select this to scale each NetFlow
record by the sampling interval and thus produce traffic
and packet rates that more accurately reflect the real levels.
• Scaling factor—In most cases NetFlow Tracker can extract the
sampling interval from the NetFlow data. If it cannot, then
supply a scaling factor.
7. Apply Traffic Class settings. See “Applying Traffic Class IDs” on
page 21.
8. Apply Identified Applications settings. See “Applying Identified
Applications” on page 22.
9. Apply settings for interfaces. See “Applying Interface Settings”
on page 22.
10. Click OK.
11. Click OK on the Device Settings page.
Device List
Use the device list on the Device Settings page to check the status of
known devices and override the interface descriptions and speeds
collected by NetFlow Tracker. NetFlow Tracker performs an SNMP
scan when it starts to populate this list. When devices reboot, they are
rescanned.
The name and address of each known device are listed, along with a
status indicator:
• (exclamation point)—Indicates that NetFlow Tracker could not
contact the device using SNMP or that the device is ignored due to a
license violation.
• (hourglass)—Indicates that the device is being scanned and
cannot be edited. To see if scanning has finished, click Refresh.
• No icon—The device is working correctly.
Click a device name to edit its settings.
Note
Any changes you make to any device are only applied when you
click OK in the main Device Settings page.
Applying Traffic Class IDs
In the Traffic Class IDs section of a device’s settings page, you can map
traffic classes or manually add these using the list.
For devices that can export traffic class data that helps route the
traffic involved in each flow, leave Automatically map traffic classes
checked. If this option is not available for a device, add each traffic
class to NetFlow Tracker and configure a map from the device’s class
ID to the NetFlow Tracker traffic class. Give each class a unique
identifier that is used if you create a URL with a traffic class filter.
Note: This identifier does not need to match the identifier exported
by any of your devices for the traffic class.
To add traffic class IDs:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See “Device List” on page 20.
3. Expand Traffic Classes:
• For devices that can export traffic class data that helps
route the traffic involved in each flow, leave Automatically
map traffic classes checked.
• For devices that do not automatically map traffic classes, click
add/delete in the Traffic Class column header.
4. On the Traffic Class Names page, enter a unique identifier and
name.
5. Click Add. To delete an ID, select its checkbox and click Delete.
6. Click OK.
7. Click OK in the device’s settings page.
Applying Identified Applications
Identified applications are similar to traffic classes and you configure
them in the same way. Packeteer devices support this feature.
As with traffic classes, leave mapping enabled for devices that
support it. For devices that do not support automatic mapping, you
must create a unique, NetFlow Tracker-specific identifier for each
identified application that you want to report on. Then define a
mapping from the device-specific protocol or service ID to the
NetFlow Tracker identified application for each device.
To add application identifiers:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See “Device List” on page 20.
3. Expand Identified Applications and click add/delete in the
Identified Applications column header.
4. On the Identified Application Names page, enter an identifier
and name.
5. Click Add. To delete an ID, select its checkbox and click Delete.
Click OK.
6. Click OK on the device’s settings page.
Applying Interface Settings
If you cannot change the settings of the device or it has an
asynchronous interface, you can override the description, inward
speed, and outward speed for its interfaces. For non-SNMP
compatible devices, you must provide interface descriptions and
speeds.
You can associate any interface on any device with a uniquely named
Virtual Private Network (VPN) for reporting and filtering. A VPN
groups data from the devices and interfaces assigned to it. This data is
included in the VPNs report and by the VPN filters. NetFlow Tracker
automatically assigns the customer-facing interfaces of an MPLS provider
edge router (PER) that uses MPLS VPN and supports the standard SNMP MIB.
If your network device does not support this, you must
create a unique identifier for each VPN.
Note
If you reset a speed or description setting and the device
reboots or has an SNMP rescan, your settings are overridden.
You can also set an interface as inactive. Inactive interfaces do not
show up in the interface status report or in the Filter Editor. This
option is useful to remove interfaces that do not report NetFlow data
from reports.
To apply interface settings:
1. Select Main Menu > Settings > Device Settings.
2. Select a device from the Device List. See “Device List” on page 20.
3. Expand Interfaces. You have the following options:
a. Enter an interface name and description.
b. Enter the speed.
c. To associate an interface with a VPN, click add/delete in the
VPN column header. On the VPNs page, enter a unique ID and
name for each VPN. The description is optional. To delete a
VPN from the list, select its checkbox and click Delete. Click
OK.
d. In the VPN column on the device’s settings page, select from
the drop-down list. If the interface is not part of a VPN, leave
the setting at none. Make sure that the P interface(s) on
an MPLS PER also have their VPN set to none, because they
carry traffic from multiple VPNs.
Note
VPNs are assigned to interfaces by name, so each VPN must have
a unique name.
4. To mark an interface as inactive, check its Inactive box.
5. Click OK.
6. Click OK on the Device Settings page.
Deleting a Device
You can delete a device from the device’s settings page.
Note
When you delete a device, if the device is still sending NetFlow
data to NetFlow Tracker it will reappear after you delete it.
To delete a device:
1. From the NetFlow Tracker Main Menu, select Settings > Device
Settings.
2. Select a device from the Device List. See “Device List” on page 20.
3. On the Device page, click Delete.
Note
If you cancel the deletion at this point, you will lose any other
changes you have made on the setting page.
4. Click Yes to continue.
5. On the Device Settings page, click OK. If you click Cancel, the
device will remain, but other changes you applied will be lost.
Making Sure That Data is Received
To check that NetFlow Tracker is receiving data from a device, first
check the Device Settings page to make sure that SNMP access was
successful. After several minutes, see that the Network Overview
shows data. Then review information on the Performance Counters
page.
Use the Performance Counters page to diagnose problems in NetFlow
Tracker setup and ongoing operation. Counters are stored for each
device from which the software has received data (see Table 3).
Counts start when the system is started and you can reset them at any
time.
Table 3 Performance Counters
Item
  Definition
System started at
  The time and date the system started.
Counters last reset at
  The time and date the performance counters were reset back to zero.
Free space for database
  The amount of available space on the disk for the database. The message
  “ALERT: Flow processing suspended due to insufficient disk space.” is
  shown when the tracker has stopped collecting flows because less than 10% of
  the disk space is available. A warning is shown when less than 25% of the disk
  space is available.
Disk usage over last hour indicates disk will be full in
  Trended disk usage over the last hour indicates that the disk will be full in the
  specified time period.
Disk usage over last day indicates disk will be full in
  Trended disk usage over the last 24 hours indicates that the disk will be full in the
  specified time period.
Current Free Memory
  The amount of free memory from the current program allocation.
Maximum Free Potential Memory
  The maximum potential free memory available to NetFlow Tracker.
Current Program Allocation
  The amount of memory currently allocated to NetFlow Tracker.
Maximum Program Allocation
  The maximum amount of memory that is available to NetFlow Tracker.
Average sample storage duration:
  The average time it takes to store samples to the database.
Last long-term database maintenance durations:
  This also lists the reports completed fully, partially, or skipped.
Last real-time database maintenance duration:
  The time that it took to delete real-time data older than the real-time data
  storage period, plus the time that it took to archive the data. If the time is
  greater than 30 minutes, it may indicate a performance problem on the server,
  too much data in the database, or insufficient memory allocated for NetFlow
  Tracker.
NetFlow data received
  Shows the number of exports and amount of NetFlow data received from each
  device. Note: This is not the amount of traffic described by the exports but the
  LAN traffic generated by the exports.
Traffic described
  Tracks the total amount of network traffic across all interfaces in each direction
  as described by NetFlow exports received from each device.
Ignored flows
  These are flows that are discarded by Tracker and therefore are not included in
  the Tracker flow database. Flow records are discarded for the following reasons:
  • Flow records are late (see Late flows).
  • When devices are first seen by the tracker (the device starts sending flow records),
  the tracker attempts an SNMP query of the device and stores a record of the
  device in the database. The tracker ignores flows from the device until the
  device record is stored in the database.
Late flows
  This indicates whether flows are arriving at the tracker on time. If the counter is
  non-zero, the router configuration should be reviewed. A temporary measure is
  to increase the holdback timer so that late flows are processed; however, this
  introduces a delay in flow processing.
  A flow is considered to be late if the difference between the flow end time and
  the router sysUpTime marked in the flow export header is greater than the
  tracker holdback time. Ideally, flow exporting devices should be configured so
  that this time difference is approximately one minute.
Long flows
  This shows the number of flows longer than 60 seconds received from a device. A
  device sending a number of long flows should be examined to ensure that the
  active flow timeout and/or mls aging settings are as advised in Appendix A,
  “Setting up NetFlow on Network Devices”. A consequence of long flows can be
  that utilization spikes of greater than 100% appear in Tracker’s charts.
Unprocessed flowsets
  NetFlow version 9 flows are encoded in a flexible manner using templates
  exported by the router every few seconds. For several minutes after starting
  NetFlow Tracker or after a router reboots, NetFlow Tracker may receive flows
  that it cannot decode.
  If you do not see data after 10 minutes, check the server, NetFlow Tracker
  settings, and the router configuration.
Interface scans
  NetFlow Tracker scans the interface list of each device exporting to it when the
  device or NetFlow Tracker software restarts. A rescan also occurs when a new v9
  export template is received. A large number of rescans, particularly failed ones,
  indicates a problem.
Missed flows
  NetFlow versions 5 and 7 exports contain a sequence number that NetFlow
  Tracker uses to detect when exports are missed. It can miss exports due to
  network congestion or a busy router. If a switch or router is reordering the UDP
  packets that contain NetFlow exports, missed flows are shown. Each export
  normally contains data on about 30 flows.
  Note: If the NetFlow Tracker server is processing a very high volume of data it
  may drop packets. In this case, increase the receive buffer size in Listener Ports.
  See “Setting up Listener Ports” on page 16.
Missed exports
  NetFlow version 9 exports contain a sequence number that NetFlow Tracker uses
  to detect when exports are missed. Unlike the version 5 or 7 sequence numbers,
  only the number of missed exports can be counted and not the number of missed
  flows.
No out interface
  The router sends flows with “no out interface” when an access control list lookup
  fails or multicast traffic is routed. A high number of flows with no out interfaces
  is normal.
No in interface
  The arrival of flows with “no in interface” may indicate a configuration problem
  on a Catalyst switch. Contact Fluke Networks TAC.
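The sequence and timing checks described in the Missed flows, Missed exports, Late flows and Long flows rows of Table 3 can be reproduced from the export headers alone. The following Python is an added example, not NetFlow Tracker's own code; the counter names, the 120-second holdback value, the exporter address and the datagrams are constructed for illustration, while the header layouts are the published NetFlow v5 and v9 formats.

```python
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
V9_HEADER = struct.Struct("!HHIIII")                   # 20-byte v9 export header
U32 = 0xFFFFFFFF


class ExportCounters:
    """Per-exporter counters modelled on rows of Table 3 (counter names are ours)."""

    def __init__(self, holdback_ms=120_000, long_flow_ms=60_000):
        self.holdback_ms = holdback_ms    # assumed value; the real one is a Tracker setting
        self.long_flow_ms = long_flow_ms  # "longer than 60 seconds" per Table 3
        self.expected = {}                # (exporter, version, engine/source id) -> next seq
        self.stats = defaultdict(lambda: defaultdict(int))

    def _sequence(self, key, seq, step, counter):
        expected = self.expected.get(key)
        gap = 0 if expected is None else (seq - expected) & U32
        if gap < 0x80000000:
            # On time or ahead of expectation: whatever was skipped counts as missed.
            self.stats[key[0]][counter] += gap
            self.expected[key] = (seq + step) & U32
        else:
            # Behind expectation: a reordered or replayed datagram. Its flows were
            # already counted as missed when a later datagram overtook it.
            self.stats[key[0]]["reordered_exports"] += 1

    def feed(self, exporter, data):
        s = self.stats[exporter]
        version = struct.unpack_from("!H", data)[0] if len(data) >= 2 else None
        if version == 5 and len(data) >= V5_HEADER.size:
            _, count, uptime, _, _, seq, _etype, engine, _ = V5_HEADER.unpack_from(data)
            # Exports are unauthenticated UDP: check the claimed count against the length.
            if not 1 <= count <= 30 or len(data) < V5_HEADER.size + count * V5_RECORD.size:
                s["malformed"] += 1
                return
            # The v5 sequence counts flows, so the next header should read seq + count.
            self._sequence((exporter, 5, engine), seq, count, "missed_flows")
            for i in range(count):
                rec = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
                first, last = rec[7], rec[8]   # sysUpTime (ms) at flow start and end
                age = (uptime - last) & U32    # header sysUpTime minus flow end time
                if 0x80000000 > age > self.holdback_ms:
                    s["late_flows"] += 1
                if 0x80000000 > ((last - first) & U32) > self.long_flow_ms:
                    s["long_flows"] += 1
                s["flows"] += 1
        elif version == 9 and len(data) >= V9_HEADER.size:
            _, _, _, _, seq, source_id = V9_HEADER.unpack_from(data)
            # The v9 sequence counts export packets, so only missed exports are countable.
            self._sequence((exporter, 9, source_id), seq, 1, "missed_exports")
        else:
            s["malformed"] += 1


def build_v5(seq, uptime, flows, engine=0):
    """Constructed v5 datagram; flows is a list of (first_ms, last_ms) pairs."""
    head = V5_HEADER.pack(5, len(flows), uptime, 0, 0, seq, 0, engine, 0)
    zero4 = b"\0" * 4
    recs = [V5_RECORD.pack(zero4, zero4, zero4, 1, 2, 10, 1500, first, last,
                           1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0) for first, last in flows]
    return head + b"".join(recs)


def demo():
    counters = ExportCounters()
    exporter = "192.0.2.1"                     # constructed address (documentation range)
    up = 600_000                               # exporter sysUpTime in ms
    normal = (up - 5_000, up - 1_000)          # 4-second flow that ended 1 second ago
    a = build_v5(0, up, [normal] * 30)
    b = build_v5(30, up, [normal] * 30)
    c = build_v5(60, up, [(up - 400_000, up - 300_000)] + [normal] * 29)
    for datagram in (a, c, b):                 # b is overtaken by c in transit
        counters.feed(exporter, datagram)
    counters.feed(exporter, build_v5(120, up, [(up - 90_000, up - 1_000)]))  # 90..119 lost
    counters.feed(exporter, a[:40])            # truncated datagram
    for seq in (7, 8, 11):                     # v9 exports 9 and 10 never arrive
        counters.feed(exporter, V9_HEADER.pack(9, 0, up, 0, seq, 1))
    return dict(counters.stats[exporter])


if __name__ == "__main__":
    print(demo())
```

Of the 60 missed flows reported for the constructed v5 stream, 30 come from the reordered datagram and only 30 were never delivered, which is why a separate reordering count helps when reading this counter.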
Applying Security Settings
Use the Security Settings page to set the protection level for user
access to NetFlow Tracker. You can also set a new default or custom
home page for all users and for individual users.
When adding a custom home page, make sure that the URL of any
custom home page is relative to the server’s root. For example, the
standard home page is specified as “index.jsp” and the Network
Overview is specified as “report.jsp?cid=_topdevices”. The Network
Overview is the default home page.
Security settings are optional.
To apply password protection:
1. Select Main Menu > Settings > Security Settings.
2. Choose a protection level:
• No password protection—No login or password is required
and all pages are accessible.
• Protect configuration only—A login and password is required
for access. Settings pages are accessible only to
administrators.
• Protect all access—A login and password is required for
access. Settings pages are accessible only to administrators
and standard users have view-only access.
3. Set a custom home page. The default is “Network Overview.”
To use your own HTML page as a custom home page, place it in
the “customweb” folder under the NetFlow Tracker install folder
and enter the URL here. For example, if you enter
http://server/customweb/file.html the home page is
customweb/file.html.
4. If you applied password protection, add user login and password.
You may apply user-specific home pages. You must set at least
one user as an administrator who can configure settings.
5. Click Add. To delete users, select the user’s checkbox and click
Delete.
6. Click OK. If you applied password protection or changed your
own user login details you must log in again.
Viewing Version Information
The About page (Main Menu > Settings > About) shows NetFlow
Tracker, Java, MySQL, and operating system version information. It
also shows the status of all main subsystems. Use this page when
consulting with Fluke Networks TAC to help diagnose a problem.
4: Viewing Real-Time Data
After you complete initial setup, real-time data is available within a
few minutes. You can view this data in chart and table formats.
Topics include:
• Viewing Network Overview Data
• Viewing Devices
• Viewing Interfaces
• Filtering Real-time Data
• Viewing Chart Data
See also:
• “Database Settings” on page 93.
• “Applying General and Real-time Report Settings” on page 54.
Viewing Network Overview Data
The Network Overview (Main Menu > Network Overview) shows the
top devices and interfaces on the network. From here, you can drill
down to device and interface-specific application data. It is NetFlow
Tracker’s default home page. This page shows:
• A pie chart, stacked bar chart over time, and table show the top
five applications plus “Other” by percentage of total traffic rate.
Average and peak traffic rates are also shown.
• A table shows the top five interfaces by peak percentage of
usage, along with the direction and average percentage of usage.
• A table shows the top five interfaces by traffic rate, along with
the direction and average traffic rate.
Viewing options include:
• Click a device in the list to see its top applications and busiest
interfaces.
• Click an interface name to see its top applications and recent
traffic.
• Right-click a pie segment to create a report for that segment.
From the menu, select an item to create another chart for the
selected time range.
Figure 1 Network Overview (callouts: hold the mouse over a segment to
highlight the corresponding table row; right-click to run an ad hoc report;
click to view top applications and interfaces on a device; click to view top
applications and traffic rate for an interface)
Top Applications and Interfaces for a Device
You open the Top Applications and Interfaces page for a device by
clicking an application on the Network Overview. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• A table showing the top five interfaces by peak percentage of
usage, along with the direction and average percentage of usage.
• A table showing the top five interfaces by traffic rate, along with
the direction and average traffic rate.
Application Conversations
You open the Conversations page for an application by clicking an
application on the Top Applications and Interfaces page. This page
shows:
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.
• Packet Rate tab—A stacked bar chart and table show the top 10
conversations by packet rate. The source and destination address,
source and destination application, and peak and average packet
rate are shown.
Top Applications and Usage for an Interface
You open the Top Applications and Usage page for an interface by
clicking an interface on the device’s Top Applications and Interfaces
page. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• A stacked bar chart over time and table showing average and
peak percentage of usage for the In and Out directions.
Interface Conversations
You open the Conversations page for an interface by clicking an
application on the Top Applications and Usage page for an interface. This
page shows:
• In/out Interface - %Usage tab—A stacked bar chart and
corresponding table show the top 10 conversations by percentage
of total usage. The source and destination address, source and
destination application, and the peak and average percentage of
usage are shown.
• Traffic Rate tab—A stacked bar chart and table show the top 10
conversations by percentage of total traffic. The source and
destination address, source and destination application, and peak
and average traffic rate are shown.
Viewing Devices
The Devices page (Main Menu > Devices) lists all devices that export
flow data. Use this page to identify devices and their interfaces that
show high traffic or packet rates (see Figure 2). The page refreshes
every minute.
Options include:
• To sort data by device name, address, peak traffic rate, or peak
packet rate, click the column header. By default, each peak rate is
the highest two-minute rate in the last six hours. This differs if the
default time range is altered.
• The Relative Traffic and Relative Packets meters show the current
rate (green) and peak rate (yellow). Click a meter to open a chart
of the device’s recent activity over time. Each chart is scaled
relative to the busiest device. This ensures that a high value on a
chart indicates a relatively high traffic or packet rate. By default,
the last six hours is shown.
Figure 2 NetFlow Tracker Devices and Drilldown (callouts: click device to view its interface list; meters show current rate (green) and peak rate (yellow), click to view traffic rate and packet rate details)
Viewing Interfaces
You can open the Interfaces page for a device by clicking the device
name on the Devices page. The Interfaces page lists all known
interfaces on the device. Information for each interface includes the
interface description, percentage of usage, relative traffic, relative
packets, peak percentage of usage In and Out, peak traffic rate In
and Out, and peak packet rate In and Out.
Options include:
• Hold your mouse over an interface’s name to see its speed, type,
and extended description if available.
• Click column headers to sort interfaces by name, description, peak
percentage of usage in either direction, peak traffic rate in either
direction, and recent peak packet rate in either direction.
• The % Usage, Relative Traffic, or Relative Packets meters show
the current in rate (green), current out rate (blue), and peak in
and out rates (yellow). Click an interface name or a meter to view
detailed data on that interface. A chart shows the interface’s
recent bi-directional utilization, traffic rate, or packet rate over
time (see Figure 3).
Data in meters is scaled in the following ways:
• The % Usage column scales each row of each chart according to
the configured speed of the interface in that direction.
• The Relative Traffic and Relative Packets columns are scaled
relative to the busiest direction of the busiest interface. This
ensures that a high value on a chart indicates either high usage or
a relatively high traffic or packet rate.
You can change the speed of an interface in Device Settings. You
must do this for an asynchronous interface. You can also use the
Device Settings page to hide interfaces that never export any NetFlow
data. For more information, see “Applying Interface Settings” on
page 22.
Figure 3 Device Interfaces (callouts: click name or meter to open drill-down page to its corresponding tab; meters show the current in rate (green), current out rate (blue), and peak in and out rates (yellow))
Viewing Per-AS Data
If your router uses BGP to route traffic, it provides source and
destination origin or peer autonomous system (AS) numbers in its
NetFlow data. NetFlow Tracker creates optimized bi-directional charts
for each AS just as it does for each interface. Because routers will
likely count some or all traffic multiple times, an AS chart is only
available for a single device. Use the Filter Editor to create a report or
chart based upon an AS and data from multiple routers. See
“Filtering Real-time Data.”
To view the ASes routed by a given router, click ASes in the
navigation menu at the top of the interface report:
Filtering Real-time Data
You can create any chart or tabular report using the Filter Editor.
Filters let you restrict the source data considered for the report. The
report template and start and end times filters are shown by default.
You can also select from over 30 additional filters (see Figure 4).
Figure 4 Filter Editor—Real-Time Data (callouts: set the start and end time or length; select a filter and click Add to show it)
Note:
• If you do not want to use a filter, leave it blank.
• For filters in which you add a range of items, enter the start and
end of the range in the boxes provided. To select a single item,
leave the right-hand box empty. You can include or exclude the
items you select.
• For filters that have selectable items, select the items in the
Available box on the left and click > to move them to the Selected
box.
If you are an administrative user or your access to NetFlow Tracker
does not require a password, you can save filters for use at another
time.
Saved filters are available in the Filter drop-down list. You manage
saved filters in Report Settings. See “Saving Report Filters” on
page 55.
To filter data:
1 Select Main Menu > Filter Editor.
2 Select a report template and set whether to create a tabular
report, chart, or pie chart. For more information, see Appendix B,
“Report Templates.”
3 Set a sample size. NetFlow Tracker picks an optimal sample size
for a real-time chart based upon the amount of time covered. To
override this, select a number of units. For example, you can
create a report covering a day that has hour-long samples.
4 Click Start time/End time or Length to determine how much data
the report will include:
• Pick the date and time of the earliest and latest data to consider.
The default start time is six hours before you opened
the Filter Editor.
• Set the length in units. The report will cover that number of
units and end at the last full unit before the time it is opened.
5 Set a reload interval. If you selected a unit length or a time range
that extends into the future you may want the report to refresh
periodically to show new data. If so, enter the number of seconds
between refreshes.
6 Select a source device or source data depending on the report:
• Source device—Select which router or switch you want to consider.
If you need more than one device, click Multiple. Then
select devices in the left column and click > to include them.
Note: If you select multiple devices some or all traffic may be
counted multiple times.
• Source data—Long-term data is stored in sample sizes that are
optimal for different lengths of charts. You can override the
automatic selection of the source data to create charts showing,
for example, a month in day-long blocks.
7 Select a filter from the drop-down list and click Add. The filter is
added to the Filter Editor page. See Table 4.
8 Click OK. Click Save to save the filter.
Table 4 Filter Definitions
Filter | To Apply...
Time zone | Change the time zone used to interpret the start and end times and time masks. The default is the time zone the NetFlow Tracker server uses.
Time mask | Select a limited time range during a day. For example, to consider only data between 8:30 and 18:00 on a weekday, select Monday, Friday, 8:30 and 18:00 and click Add. Add as many masks as you want. Only data within one or more masked areas is considered. If you do not select a mask then all data between the start and end time is considered.
In interface | Report on inbound traffic for an interface or set of interfaces. Available interfaces depend on the filtered source devices.
Out interface | Restrict a report to just outbound traffic from a set of interfaces. Use this with an In interface filter to report on traffic that took a particular path through a router.
In/out interface | Restrict the report to bi-directional traffic for the selected interfaces.
In VPN | Restrict a report to just traffic where the inbound interface is part of the selected VPN(s). For this filter to work, you must associate interfaces with VPNs in Device Settings. See “Applying Interface Settings” on page 22.
Out VPN | Select traffic where the outbound interface is part of the selected VPN(s).
VPN | Select traffic where either interface is part of the selected VPN(s).
Source address | Restrict the report to traffic with a given source IP address or a set of source IP addresses. Type the address or domain in the box and click Add.
Dest address | Report on data with one of a set of destination IP addresses.
Src/dest address | Consider traffic either originating from or destined for the given addresses.
Protocol | Restrict the set of IP protocols considered. For example, you may want to consider only UDP or ICMP traffic while investigating a denial-of-service attack.
Source port | Restrict the source application port number. Use this with the Protocol filter.
Dest port | Restrict the destination application port number.
Src/dest port | Consider traffic with the given port number as either the source or destination.
Source application | Restrict the IP protocol and source application port number. Enter a port number and protocol or select from those configured in the IP Application Names settings page. See “Applying Identified Applications” on page 22.
Dest application | Restrict the protocol and destination application port, selectable by name.
Src/dest application | Consider traffic using the application as either the source or destination.
Recognized application | Select traffic with the given source or destination application. Consideration of the source or destination application depends on whether it has a name defined in the IP Application Names settings page or, if both or neither have names, which one has the lower port number. See “Applying Identified Applications” on page 22.
Identified application | Select traffic with the identified application. For NetFlow Tracker to identify applications, the device must support the functionality and you must set its identified application mapping in Device Settings. See “Applying Identified Applications” on page 22.
ToS | Filter traffic bearing any one of a set of type-of-service (ToS) byte values. Select a priority from 0 to 7 and select Include or Exclude. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select D (delay), T (throughput), R (reliability), or M (monetary cost) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.
DiffServ | Select only traffic bearing one of the selected differentiated service code points. Because DiffServ and ToS use the same field in the IP header, do not use both filters at the same time. You can assign a name to a code point using the DiffServ Names settings page. See “DiffServ Names” on page 90.
Traffic class | Select traffic within a traffic class. For NetFlow Tracker to identify traffic classes, the device must support the functionality and you must configure its traffic class mapping in Device Settings. See “Applying Traffic Class IDs” on page 21.
Source AS | Select traffic bearing one of a set of source AS numbers. The router’s settings determine whether this is the origin or peer AS. Enter an AS number or select from the set of private-use ASes configured in the AS Names settings page. Note: You cannot select public ASes by name.
Dest AS | Restrict the source data to traffic bearing the destination origin or peer ASes.
Src/dest AS | Consider traffic to or from the origin or peer ASes.
Source subnet | Select traffic with the source subnet. Enter the network address and mask length or select from the subnets configured in the Subnet Names settings page. Note: The subnet mask used by the router to route the traffic is ignored when applying this filter. See “Subnet Names” on page 91.
Dest subnet | Select traffic with the given destination subnets. Note: A destination subnet filter of 224.0.0.0/4 will select multicast traffic.
Src/dest subnet | Select traffic to or from the subnets.
Source mask | Select traffic routed using the source network mask.
Dest mask | Select traffic with the destination network mask.
Src/dest mask | Select traffic with the source or destination network mask.
Next hop | Filter traffic based on the next hop used by the router in routing the traffic.
TCP Flags | Filter TCP traffic. To filter on individual bits, from the drop-down lists, select 0 to filter on bits set to 0 in the flow. Select U (urgent), A (acknowledged), P (push), R (reset), S (synchronized), or F (finished) to filter on bits set to 1 in these flows. To ignore filtering for a bit, leave it blank.
Duration | Include or exclude traffic based on length of time in milliseconds. Terms: • ge—greater than or equal to • le—less than or equal to
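The per-bit selection that the ToS and TCP Flags rows of Table 4 describe (0, 1, or blank for each bit), and the reason the ToS and DiffServ filters collide, shown as an added example that is not NetFlow Tracker code. The bit values are assumptions taken from the IP and TCP header layouts, and the flow records and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Bit values follow the IP ToS byte (RFC 1349) and the TCP header flag layout.
# They are assumptions of this example, not values taken from NetFlow Tracker.
TOS_BITS = {"D": 0x10, "T": 0x08, "R": 0x04, "M": 0x02}
TCP_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Flow:
    name: str        # label for the constructed sample record
    src: str
    dst: str
    protocol: int
    tos: int         # ToS/DiffServ byte of the IP header
    tcp_flags: int   # NetFlow v5 exports the cumulative OR of a flow's TCP flags


def compile_bits(spec, bit_names):
    """Turn {"S": 1, "A": 0} into (mask, value). Bits left out are ignored."""
    mask = value = 0
    for letter, wanted in spec.items():
        bit = bit_names[letter]
        mask |= bit          # this bit takes part in the comparison
        if wanted:
            value |= bit     # and it must be set to 1
    return mask, value


def bits_match(field, compiled):
    mask, value = compiled
    return (field & mask) == value


def precedence(tos):
    """ToS view: the top three bits are the priority (0 to 7)."""
    return tos >> 5


def dscp(tos):
    """DiffServ view: the top six bits of the same byte are the code point."""
    return tos >> 2


def select(flows, tcp_spec=None, tos_spec=None, priority=None, dscps=None):
    """Return the names of the flows that pass every filter supplied."""
    if dscps and (tos_spec or priority is not None):
        # Both filters test the same header byte, so combining them is refused.
        raise ValueError("ToS and DiffServ filters test the same header byte")
    tcp_filter = compile_bits(tcp_spec, TCP_BITS) if tcp_spec else None
    tos_filter = compile_bits(tos_spec, TOS_BITS) if tos_spec else None
    picked = []
    for flow in flows:
        if tcp_filter and (flow.protocol != TCP
                           or not bits_match(flow.tcp_flags, tcp_filter)):
            continue
        if tos_filter and not bits_match(flow.tos, tos_filter):
            continue
        if priority is not None and precedence(flow.tos) != priority:
            continue
        if dscps and dscp(flow.tos) not in dscps:
            continue
        picked.append(flow.name)
    return picked


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    Flow("web-session", "192.0.2.10", "198.51.100.5", TCP, 0x00, 0x1B),    # S,A,P,F
    Flow("syn-only-1", "203.0.113.7", "198.51.100.5", TCP, 0x00, 0x02),    # S
    Flow("syn-only-2", "203.0.113.8", "198.51.100.5", TCP, 0x00, 0x02),    # S
    Flow("reset-reply", "198.51.100.5", "203.0.113.7", TCP, 0x00, 0x14),   # R,A
    Flow("voice-rtp", "192.0.2.20", "192.0.2.30", UDP, 0xB8, 0x00),        # DSCP 46
    Flow("low-delay-ssh", "192.0.2.11", "198.51.100.9", TCP, 0x10, 0x1A),  # S,A,P
]

if __name__ == "__main__":
    # Flows that sent SYN but never an ACK: half-open attempts worth a look.
    print("S=1, A=0:", select(SAMPLE_FLOWS, tcp_spec={"S": 1, "A": 0}))
    print("D=1, R=0:", select(SAMPLE_FLOWS, tos_spec={"D": 1, "R": 0}))
    print("DSCP 46 :", select(SAMPLE_FLOWS, dscps={46}))
```

Because a flow record carries the OR of all flags seen, S=1 with A=0 selects flows in which no packet from that sender ever carried an ACK, which is the pattern to check when a Protocol filter has already narrowed a denial-of-service investigation to TCP.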
See also:
• “Filtering Long-term Data” on page 50
Viewing Chart Data
Using NetFlow Tracker charts and tables you can quickly see areas of
interest and examine these in further detail (see Figure 5).
Charts display the elements that contributed most to the overall total
traffic or packet rate over the charted time range. By default, at most
ten elements are shown but you can configure this on the Report
Settings page. See “Setting up Reports” on page 53.
Figure 5 NetFlow Tracker Chart (callouts: select the entire time range, zoom, and perform other actions; view data from an earlier or later date; hold mouse over data for details, right-click to run a report)
Chart navigation and viewing options include:
• To view an earlier or later date, click [icon] (forward or back) at
the upper left corner of the chart. Note: When you move forward
or back, the chart does not refresh.
• In drill-down charts, to change the chart view, select a different
tab above the chart.
• To get more details on an item in the chart or table, click its link.
• To zoom in to the center of the chart, click [icon]. To zoom in on a
particular selection, first select that time range. Zooming in stops
the chart from refreshing.
• To zoom out from the center of the chart, click [icon]. Zooming out
also stops the chart from refreshing.
• To select a time range, click and drag the mouse across the chart.
You can then zoom in on the selection.
• To select the entire time range, click [icon].
• To drill into selected data, select a time range and right-click the
selection. From the menu, select an item to create another chart
for the selected time range.
• To view data as a pie chart, click [icon]. See “Working with Pie
Charts” on page 44.
• To view data in a table, click [icon]. See “Working with Tables” on
page 45.
• To alter the filter applied to a standard chart, click [icon].
• To view resolved domain names if a chart shows IP addresses,
hold your mouse over the address.
• To refresh the view, click [icon].
• To reload the chart with all resolvable domain names shown, click
[icon] (resolve all).
• To revert from viewing resolvable domain names and view only IP
addresses, click [icon] (resolve available).
• To convert a chart to a CSV file, click [icon]. You are prompted to
open or save the file.
• To print the chart, click [icon].
• To open the chart in a new window, click [icon].
Working with Pie Charts
You can view most charts as a pie chart. A pie chart shows each
element’s proportion of the total octets or packets during the entire
time range.
• To return to the standard chart view, click [icon].
• Hold your mouse over a pie segment to highlight data in the
table.
• Right-click a pie segment to create a report for that device. From
the menu, select an item to create another chart for the selected
time range.
Figure 6 Chart Report (callouts: hold mouse over a segment to highlight corresponding table row; right-click to run an ad hoc report)
Working with Tables
Device and Interface list pages use a tabular view, as do filtered
reports you create. You can also view most charts as tables. A tabular
view shows the entire time range in one table. It also shows every
contributing element rather than just the largest ones.
Figure 7 Table Report (callout: select and click Go to drill into row’s data)
Options include:
• To return to the standard chart view, click [icon].
• To navigate through tables of more than 25 rows, use the page
navigation at the top of the table.
• To go to a specific position in the view, click in the scrollbar. A
blue line or box on the scrollbar indicates the page shown and
how much of the view the page represents.
• To sort items by name, address, traffic rate, or packet rate, click
the column heading. Click again to sort items in the opposite
order.
• In reports, to drill into a row’s data, select the radio button at the
left of a row. (You can select only one row at a time.) Select a
subreport type from the drop-down list at the bottom of the page and
click Go. For example, if you are viewing a report of source
applications, you can select an application and view source
addresses using that application. For more information, see
Appendix B, “Report Templates.”
5: Viewing Long-term Data
Use long-term reports (Main Menu > Long-term Reports) to view
aggregated data for periods up to multiple years at a granularity
level you define in Database Settings. NetFlow Tracker provides
reports on top devices and interfaces. To view custom long-term data,
you must set up a long-term report. Because data is aggregated,
long-term reports can take less time to run than real-time reports.
Topics include:
• Viewing Long-term Network Overview Data
• Viewing Long-term Device and Interface Data
• Filtering Long-term Data
See also:
• “Database Settings” on page 93.
• “Creating Long-term Reports” on page 60.
Viewing Long-term Network Overview Data
The long-term data Network Overview (Main Menu > Long-term
Reports > Network Overview) shows the top exporting devices and
busiest interfaces on the network based on long-term data. From
here, you can drill down to device and interface-specific application
data. This page shows:
• A pie chart, stacked bar chart over time, and table showing the
top five applications plus “Other” by percentage of total traffic
rate. Average and peak traffic rates are also shown.
• Tables showing the top five in and out interfaces by average and
peak percentage of usage.
• Tables showing the top five in and out interfaces by average and
peak traffic rate.
Viewing options include:
• Click a device in the list to see its busiest interfaces. See “Viewing
Interfaces” on page 34.
• Click an interface name to see its recent usage percentage, traffic
rate, and packet rate data.
• Right-click a pie segment to create a report for that device. From
the menu, select Source Addresses, Destination Addresses, or
Recognized Applications to create another chart for the selected
time range.
The granularity of long-term report data is based on your database
settings. See “Database Settings” on page 93.
Figure 8 Network Overview—Long-term Data (callouts: hold mouse over a segment to highlight corresponding table row; right-click to run an ad hoc report; click to view top devices and interfaces; click to view traffic and packet rates for interface)
Viewing Long-term Device and Interface Data
The long-term Devices and Interfaces pages (Main Menu > Long-term
Reports > Devices) show NetFlow performance data from all devices
and their interfaces. They are similar to the real-time versions, except
for the following differences:
• A selector at the bottom of the page lets you change the time
range of the current report or chart, and any reports or charts
opened by interacting with it. Time options span from hours to
years. The default setting is seven days, based on the time zone of
the NetFlow Tracker server. To change this setting, see “Creating
Long-term Reports” on page 60.
Note
If you zoom into or out of a long-term chart or drill into a
selection (other than one selected using Select All), the time
range selector is not available on the resulting chart.
• The long-term Devices and Interfaces pages show the peak and
average traffic and packet rates. By contrast, real-time pages
show the peak and most recent rates.
• When you select a range of time on a long-term device or
interface chart and right-click to drill down, you can only access
reports created as per-device, per-inbound interface or
per-outbound interface in Report Settings.
See also:
• “Viewing Devices” on page 33.
• “Viewing Interfaces” on page 34.
Filtering Long-term Data
You can create a long-term report using the long-term Filter Editor, a
simpler version of the real-time Filter Editor. It is the only way you can
access custom long-term reports that are created as basic reports.
Reports for source addresses, destination addresses, and recognized
applications (per source device and inbound and outbound
interfaces) are available.
To apply filters to long-term reports:
1 Select Main Menu > Long-term Reports > Filter Editor.
2 Select a long-term report and set whether to create a tabular
report, chart, or pie chart.
3 For Source Data, select the data sample size. Long-term data is
stored in sample sizes that are optimal for different lengths of
charts. You can override the selection of the source data to create
charts showing, for example, a month in day-long blocks.
4 Click Start time/End time or Length to set how much data the
report will include:
• Pick the date and time of the earliest and latest data to consider.
The default start time is six hours before you opened
the Filter Editor.
• Set the length in units. The report will cover that number of
units and end at the last full unit before the time it is opened.
5 Select a source device or interface to report upon. To select more
than one device or interface you must save the filter.
6 To add a Time zone or Time mask filter or a saved filter, select
from the drop-down list and click Add. The filter is added to the
Filter Editor page. For more information, see Table 4 on page 39.
7 Click OK to apply the filter settings. The filter is directly applied.
Click Save to save the filter for future use. See “Saving a
Long-term Filter.”
Saving a Long-term Filter
When you save the filter, you can select multiple interfaces or devices
for the filter, and you can apply the full range of filters to it.
To save a long-term filter:
1 Configure the long-term filter as described in “Filtering
Long-term Data.” In the long-term Filter Editor, click Save.
2 Select an ID number and name.
3 (Optional) Add multiple interfaces or devices.
4 Select a filter from the drop-down list and click Add. For more
information, see Table 4 on page 39.
6: Setting up Reports
Use the Report Settings page (Main Menu > Settings > Report
Settings) to set up all reports and charts. Topics include:
• Reports Overview
• Applying General and Real-time Report Settings
• Saving Report Filters
• Scheduling Reports
• Creating Long-term Reports
• Creating Executive Reports
Reports Overview
You can create three types of reports:
• Real-time reports—View the last seven days of data (by default)
in real-time at one-minute granularity.
• Long-term reports—View aggregated data for up to multiple
years at a granularity level you define in Database Settings.
• Executive reports—An executive report is a pre-configured
template that contains one or more reports or charts and HTML
content that you define. Use an executive report to access
often-used reports or to group related reports on one page.
Note
Avoid reporting from multiple devices and over long periods of
time. Doing so can cause NetFlow Tracker to count some traffic
multiple times.
Applying General and Real-time Report Settings
Table 5 General and Real-time Report Settings
Section | Option | Definition
General | Show hostnames in reports | Open reports and charts with all resolvable hostnames resolved and shown by default.
General | Show chart legends in descending order | Show the rows of a chart legend in the same order as the corresponding table or as the areas shown on the chart.
General | Show interface descriptions | Use the description of an interface, when available, in filter descriptions instead of the name.
General | Work around “click to activate” | Enable or disable the work-around for the “click to activate and use this control” message that appears over chart applets in Internet Explorer. Some combinations of operating system, browser, and Java plug-in do not work correctly when this is enabled. If applets do not show correctly or drilling down does not work, turn off this setting.
General | Default PDF page size | Set the default page size in a PDF version of a report or chart. If a report is too wide to fit on a page, the page is made proportionally bigger.
General | Landscape | Set the orientation of the report. Leave blank for portrait.
Real-time Reports | Rows per tabular report page | The number of rows shown on each page of a tabular report. Note: Device and interface status reports show all rows on a single page.
Real-time Reports | Elements considered per chart block | Determine the accuracy of a real-time chart. When a chart is generated only the largest elements are considered from each block. Because the highest overall elements may not be the highest elements in each block of the chart, set more elements from each block than the number of charted elements.
Real-time Reports | Charted elements | Set the maximum number of elements displayed on a chart, excluding the Others element.
Real-time Reports | Default time range | Set the time range used for any real-time report or chart where a time range is not specified. This is the time range of the Network Overview, device, interface, and AS status reports and charts and the default time range selected in the Filter Editor.
Real-time Reports | Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts.
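Why "Elements considered per chart block" needs to exceed "Charted elements", shown as an added example that is not NetFlow Tracker code. It assumes the chart is built by keeping the largest k elements of each block and summing them, as the table describes; the host names and octet counts are constructed.

```python
from collections import Counter


def build_sample_blocks(n_blocks=6):
    """Constructed data: one large burst, small per-block bursts, one steady host."""
    blocks = []
    for i in range(n_blocks):
        block = {
            f"burst-{i}a": 1000 + 10 * i,   # short-lived talker, seen in one block
            f"burst-{i}b": 900 + 10 * i,    # another short-lived talker
            "steady": 600,                  # never the largest, but always present
        }
        if i == 0:
            block["backup"] = 5000          # a single heavy transfer
        blocks.append(block)
    return blocks


def exact_top(blocks, charted):
    """Ground truth: sum every element over every block, then take the top N."""
    totals = Counter()
    for block in blocks:
        totals.update(block)
    return totals.most_common(charted)


def chart_top(blocks, considered_per_block, charted):
    """Approximation: only the largest k elements of each block are summed."""
    totals = Counter()
    for block in blocks:
        for name, octets in Counter(block).most_common(considered_per_block):
            totals[name] += octets
    return totals.most_common(charted)


def missing_from_chart(blocks, considered_per_block, charted):
    """Elements that belong on the chart but were dropped by the truncation."""
    truth = {name for name, _ in exact_top(blocks, charted)}
    shown = {name for name, _ in chart_top(blocks, considered_per_block, charted)}
    return sorted(truth - shown)


def smallest_accurate_setting(blocks, charted):
    """Smallest per-block setting for which names and totals match the truth."""
    truth = exact_top(blocks, charted)
    largest_block = max(len(block) for block in blocks)
    for k in range(charted, largest_block + 1):
        if chart_top(blocks, k, charted) == truth:
            return k
    return largest_block


if __name__ == "__main__":
    blocks = build_sample_blocks()
    print("exact       :", exact_top(blocks, 2))
    for k in (2, 3, 4):
        print(f"considered={k}:", chart_top(blocks, k, 2),
              "missing:", missing_from_chart(blocks, k, 2))
    print("smallest accurate setting:", smallest_accurate_setting(blocks, 2))
```

With two charted elements, considering two per block drops the steady host entirely, three per block shows it with an undercounted total, and four per block reproduces the exact figures. A low, persistent talker is exactly what this truncation hides, so raise the per-block setting before concluding that a host is absent from a chart.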
Saving Report Filters
In Report Settings, you can save filters and use these in the Filter
Editor when creating real-time or long-term reports. For example,
you may use a saved filter to attach a name to a time-of-day mask or
a filter that selects traffic related to a particular multi-port
application or group of servers.
To create a saved filter:
1 Select Main Menu > Settings > Report Settings.
2 Expand the Saved Filters setting.
3 Type a name in the box and click New.
4 In the New Saved Filter page, assign an ID. Select a filter and click
Add. Then click OK. The filter is added to the list.
5 In the Saved Filters list on the Report Settings page, you have the
following options:
• To edit or delete a filter, click its name.
• To copy a filter, click its icon.
• To change the order in which saved filters appear, click the up
or down arrows.
6 Click OK.
Scheduling Reports
You can set up any real-time, long-term, or executive report as a
scheduled report that you can email or save to a server location based
on that schedule. In addition, you can generate scheduled reports on
demand if they are included in the Reports page.
Figure 9 Report Settings—Scheduled Reports (callouts: enter name, select type, and click New; set report distribution)
To create a scheduled report:
1 Select Main Menu > Settings > Report Settings.
2 Expand the Scheduled Reports setting (see Figure 9).
3 To receive reports by email:
• For Email server address, enter the IP address or domain
name of the SMTP server used to send scheduled report
emails.
• For Send emails from, set the email address that is used as the
“From:” address of mails sent by NetFlow Tracker.
4 To save reports to a server, for Save reports to enter the folder
where scheduled reports are saved to. You can override this
default location for any scheduled report.
5 Under Scheduled Report Name, enter a name. Use only
alphanumeric characters.
6 Select a report type: Real-time, Long-term, Executive, or Custom.
Choose Custom to create a report based on custom parameters.
See Appendix C, “Report URL Parameters.”
7 Click New. The New Scheduled Report page is shown (see
Figure 9). Here you can set up the report parameters (see
Table 6).
8 Click OK. The scheduled report is added to the list on the Report
Settings page.
9 In the Scheduled Reports list, you have the following options:
• To edit or delete a report, click its name.
• To copy a report, click its icon.
• To change the order in which reports appear, click the up or
down arrows.
10 Click OK on the Report Settings page to apply the changes.
Table 6 New Scheduled Report Options
Option | Definition
ID | The report’s identification number.
Name | The report name. Use only alphanumeric characters.
Description | The report description.
Include in reports menu | Show the report in the Reports page.
Run on demand | The report does not automatically generate and appears only in the Reports page.
Run once | The report runs once at the specified time on the date supplied for “Begin running this schedule on.”
Run every day | The report runs every day at the specified time, starting on the specified start date and optionally finishing in the specified end date.
Run every week | The report runs on the specified days of every week.
Run every month | The report runs on either the specified date of each month or on the specified week day (for example, the first Monday of each month).
Begin running this schedule on | Set the beginning date for the schedule.
End this schedule on | Set the end date for the schedule.
Delete report after schedule ends | If you select an end date, select this to delete the report on that date. Saved output is not deleted. Tip: You can use this with the “Run once” schedule option to run a particularly time-consuming report.
Output as | Options are PDF, HTML single file (MHTML), HTML zipped (which contains the HTML, stylesheets, and images), CSV, and XML. When a report is generated on-demand from the Reports page it is formatted in the normal interactive HTML format.
Save to | Save the report to a specified folder on the server.
Email to | Email the report as an attachment to the specified address. Enter the subject line and body of the email.
Length or | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days.
Default/custom | Configure the report type and its filters. You can add custom parameters to alter anything about the report that is not configurable using the Filter Editor.
Reload interval | Set the number of minutes between automatic refreshes of the device, interface, and AS status reports and charts.
Source device or Source data | Set the source device or the source data sample size depending on the report. • Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times. • Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Add Filter | Select a filter and click Add. See Table 4 on page 39.
Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.”
Creating Long-term Reports
You can set up any report you created using the Filter Editor as a
long-term report. A custom long-term report has a name, report
template, and type. It can also have its own time mask, other filters,
and storage settings that override those in Database Settings.
The report type determines how the report is accessed. Because a
basic report is created across the entire system, put a filter on at least
the source device. You can only access a basic report from the long-term report Filter Editor.
You can also create a long-term report for each device in the system
or for each inbound or outbound interface. These reports can still
have a filter or time mask. You can access a per-device, inbound, or
outbound interface report from the long-term Filter Editor or by
drilling down from the long-term device or interface charts.
Note
If you create a long-term report that includes only data from the
real-time database, then the report’s granularity is one-minute.
Figure 10 Report Settings—Long-term Reports (callouts: Enter name, select type, and click New; Set granularity)
Long-term Reports are split into two groups: Standard Long-term
Reports and User Long-term Reports. Standard reports are always in
the system (note that even if the “Standard long-term reports are
disabled” option is enabled, two reports are still defined).
By default, long-term report data is generated every six hours and
therefore must complete processing within that six-hour window. When
creating new long-term reports, use the Report Settings page to assess
whether the report’s processing will exceed this long-term database
maintenance window. Table 7 describes configuration options. Reports
can also be ranked to ensure that the most important reports are
processed first.
Table 7 Long Term Report Configuration Options
Column | Definition
ID | The report’s identification number
Type | The report type (see Table 8 for more details)
Execution Time | The time taken to generate the report data in the last long-term database maintenance window
Status | Shows the status of the report from the last long-term database maintenance window, together with the time that processing of the report started. This information is useful in assessing the impact of the load of a report on the system. Status values are:
• Unknown—Report maintenance has not yet been run
• Run—Report executed successfully
• Partial Run—Report execution incomplete due to exceeding available maintenance window time
• Not Run—Report not executed due to exceeding available maintenance window time
• Failed—An error occurred whilst executing this report
To create a long-term report:
1 Select Main Menu > Settings > Report Settings.
2 Expand Long-term Reports (see Figure 10). Set the following parameters:
   • Elements stored per sample—This controls the accuracy of long-term charts and tabular reports. It is similar to the number of elements considered per chart block.
   • Tabular report rows—Set the maximum number of rows to show on a tabular report. Note: The accuracy of a long-term tabular report depends upon the number of elements considered per sample.
   • Charted elements—Set the maximum number of elements shown on a long-term chart, excluding the Others element.
   • Standard long-term reports are disabled—Enable to turn off the standard set of per-device and per-interface long-term reports.
   • Default time range—Set the time span used for any long-term report where the time span is not set on a specific report.
User Long-term Reports
3 Enter a report name. Use only alphanumeric characters.
4 Report Template—select a template. See Appendix B, “Report Templates.”
5 Type—See Table 8 for a list of types.
6 Click New. The New Long-term Report page is shown (see Figure 9). Here you can set up the report parameters (see Table 6).
7 Click OK. The long-term report is added to the list on the Report Settings page.
8 In the User Long-term Reports list, you have the following options:
   • To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report.
   • To copy a report, click its icon.
   • To change the order in which reports appear, click the up or down arrows.
9 Click OK on the Report Settings page to apply the changes.
Figure 11 New Long-Term Report Settings
Table 8 New Long-term Report Options
Option | Definition
ID | The report’s identification number
Name | The report name.
Report Template | See Appendix B, “Report Templates.”
Type | One of the following:
• Basic—Select source devices and interfaces for the report.
• Per source device—Run this report on all source devices.
• Per inbound interface—Run this report on all inbound interfaces.
• Per outbound interface—Run this report on all outbound interfaces.
Storage Options | Set the length of time to store data and its granularity. Note: Storage settings can impact system performance. See “Database Settings” on page 93.
Source device or Source data | Set the source device or the source data sample size depending on the report.
• Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
• Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Add Filter | Select a filter and click Add. See Table 4 on page 39.
Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.”
Creating Executive Reports
An executive report is a pre-configured template that contains one or
more sub-reports or charts and user-defined HTML content. Executive
report filters are applied to sub-reports along with their own filters.
Figure 12 Report Settings—Executive Reports (callouts: Enter name and click New; Set up sub-report contents and layout)
To create an executive report:
1 Select Main Menu > Settings > Report Settings.
2 Expand Executive Reports (see Figure 12).
3 Enter a report name and click New.
4 On the New Executive Report page, apply the following settings:
   a Enter a report ID, name, and description. For the name, use only alphanumeric characters.
   b Check Include in reports menu to show the report on the Reports page. Note: Use unfiltered sub-reports with care if you select this. You will not be able to filter the executive report from the Reports page.
   c Under Sub-report tag, enter the name of a sub-report to embed in the executive report. Select a type: Real-time, Long-term, or Custom. Click New. On the Sub-report page, set the parameters for the sub-report (see Table 9) and click OK. You can add as many sub-reports as you want.
   d Click Add Row to add a content row to the executive report. You can then add cells to the row. Each row has one or more cells. You can set up a cell to span a number of columns. There are two types of cells: sub-report cells and HTML cells. See “Adding a Sub-report Cell” on page 68 and “Adding an HTML Cell” on page 70.
5 Click OK. The executive report is added to the list on the Report Settings page.
6 In the Executive Reports list, you have the following options:
   • To edit or delete a report, click its name. You cannot change the report template, type, or time mask of an existing report.
   • To copy a report, click its icon.
   • To change the order in which reports appear, click the up or down arrows.
7 Click OK on the Report Settings page to apply the changes.
Table 9 Sub-report Options
Option | Definition
Tag | The sub-report name.
Report template | See Appendix B, “Report Templates.”
Sample size: Length or Default/custom | Select Length to set the length of time covered in the report based on a number of minutes, hours, or days. Configure the report type and its filters. You can add custom parameters. Note: If you select Default/Custom and do not add custom time range parameters, the time range is passed to the executive report, or the default real-time or long-term time range, according to the report.
Reload interval | The number of minutes between refreshes of the device, interface, and AS status reports and charts.
Source device or Source data | Set the source device or the source data sample size depending on the report.
• Source device—Select which router or switch you want to consider. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices some or all traffic may be counted multiple times.
• Source data—Select a data sample size. Long-term data is stored in sample sizes that are optimal for different lengths of charts. You can override the automatic selection.
Add Filter | Select a filter and click Add. See Table 4 on page 39.
Custom Parameter | Add a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.”
Adding a Sub-report Cell
On the New Executive Report page, you can add sub-report cells to
the report. Select a sub-report from the list. See Table 10 for options.
Figure 13 Report Settings—Executive Reports
Table 10 Sub-report Cell Options
Option | Definition
Sub-report | Sub-report name.
Output as pie chart | If the sub-report is a chart over time, select to output a pie chart.
Sections | Select the sections of the sub-report you want the cell to display.
Controls | Select the user-interface controls to enable.
Columns | Select which columns to show.
Chart | If the sub-report is a chart or pie chart, select which chart to show.
Output Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.”
New Window Drilldown Settings | Select to include all sections, controls, and columns in the drill-down window. If you have set the Drilldown or Open in a new window options for a report cell, you must also set how the URL is modified to create the new window. You can show all sections and columns and allow all controls (which is usually the case for a complex layout). You can also specify custom parameters. Note: To remove a parameter from the new window’s URL, leave its value blank.
Parameter Name and Value | Enter a custom parameter name and value and click Add. See Appendix C, “Report URL Parameters.”
Adding an HTML Cell
From the New Executive Report page, you can add HTML content,
such as explanatory text, links, or a company logo, to the report using
HTML cells. Store images to include in the report in the “customweb”
folder under NetFlow Tracker’s install folder. You can access these as
“customweb/<filename>.<ext>”.
CSS style controls an HTML cell’s appearance. Three standard styles
are offered:
• Report Title produces a cell that matches a report title.
• Report Description produces a cell with the blue background of a report’s time range and filter description. If you use this, enclose the text in the following HTML tag.
<span class="repdesctext">Test</span>
• Content Cell produces a cell with a white background.
When an executive report is formatted as PDF only the three standard
styles are used and all HTML tags are removed from the text.
You can control the layout of the report by moving rows up and
down and cells left and right within their rows. To create complex
layouts, make cells span multiple columns.
• To increase the cell by a column, click [icon].
• To decrease the cell by a column, click [icon].
• To delete a cell or row, click [icon].
Viewing Executive and Real-Time Reports
You can view executive reports you have created from the Reports
page (Main Menu > Reports). Select a report to view its contents. To
create reports, see “Setting up Reports” on page 53.
7: Working with Alarms
Topics include:
• Alarms Overview
• Configuring Alarms
• Configuring Notification Settings
• Viewing Events
Alarms Overview
Alarms are proactive notifications of user-impacting performance
problems on the network. Alarms are triggered by events—problems
or other important incidents on the network.
When configuring an alarm, you choose the alarm type, metric, and
the threshold type for permitted performance. You can set thresholds
from specified values or from a baseline. NetFlow Tracker supports
two types of alarms:
• Threshold alarms indicate changes in performance for a selected metric, such as traffic rate or conversation rate over time or utilization percentage on an interface, based on the filters applied in the alarm. Threshold alarms compare recent performance against configured thresholds. They can use a baseline or specified values.
• Profile alarms indicate changes in the network. For example, the Recognized Applications profile alarm indicates which applications make up the traffic or packets observed in the last minute against the configured baseline. They always use a baseline.
Alarm Severity and Lifecycle
Alarms have two levels of severity: degraded and excessive. These
identify less and more severe performance conditions. You can
independently set the thresholds for degraded and excessive alarms.
An alarm’s severity can change over its duration. For example, an
alarm that is initially generated as degraded can later change to
excessive. Similarly, an alarm that was once excessive can later change
to degraded.
An alarm ends when the performance improves or after the alarm
times out. This occurs after traffic falls within the accepted
threshold for one minute. This change in the severity of the alarm
throughout its duration is referred to as the event lifecycle.
By default, alarms are removed after 7 days, as real-time data is
replaced with more current data. You can set the length of time to
keep real-time data in the database. For more information, see
“Database Settings ” on page 93.
Thresholds and Baseline Sensitivity
When configuring an alarm, you can set values for degraded (orange)
and exceeded (red) thresholds or have the thresholds derived from a
baseline.
Thresholds with specified values set minimum permitted standards
for performance. Because of this, service level agreements (SLAs) are
often defined in terms of fixed thresholds. This option can require
more maintenance if you need to individually set thresholds for many
different devices or addresses, or if performance thresholds are
expected to change over time. Specified values are available for
Threshold alarms only.
When you set alarm thresholds using baselines, the sensitivity setting
is used to derive the alarm performance thresholds from the
baselines. A baseline records normal network behavior against which
future network problems and important incidents are measured. The
alarm sensitivity controls how a threshold is calculated in relation to
the baseline average and standard deviation. Because a default
sensitivity value must apply consistently across many different
baselines and also across individual baselines as they change over
time, sensitivity is a relative value.
There are two types of baselines:
• Static—This baseline is calculated at the beginning and not updated. It is useful when performance is usually stable and consistent. In these cases, static baselines are often simpler to configure and maintain than specified value thresholds.
• Weekly—This baseline is most useful for detecting sudden changes from recent performance. Weekly updated baselines change to reflect recent performance. As baselines change over time, the thresholds adapt to these changes.
To configure alarm thresholds that use baselines, adjust the sensitivity
slider. The maximum sensitivity for both thresholds is 10.
Alarming for Persistent Changes
The “Alarm only for persistent change” option blocks out alarms that
are based on random and transitory changes that are too short-lived
to require attention. When this setting is enabled, an alarm is
generated only when the most recent performance is consistently
above the performance threshold. This lets you focus on user-impacting performance changes.
Alarms marked for persistent changes are based on the most recent
20 minutes of data taken at one-minute samples by NetFlow Tracker.
Alarms not marked for persistent changes are based on the most
recent minute of data only.
Alarm status is checked every minute. After every check, new alarms
can be generated, existing alarms can end, or alarms can continue.
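The sketch below is an added example, not NetFlow Tracker's own code: it derives degraded and excessive thresholds from a baseline's average and standard deviation, then evaluates one alarm check with and without the persistent-change option. The sensitivity-to-threshold mapping, the reading of "consistently above" as all 20 samples, and the traffic figures are assumptions made for illustration.

```python
from statistics import mean, pstdev

PERSISTENCE_WINDOW = 20  # one-minute samples, as stated in the guide


def k_from_sensitivity(sensitivity):
    """ASSUMED mapping from the 1..10 slider to standard deviations above the
    baseline average: higher sensitivity gives a lower threshold."""
    if not 1 <= sensitivity <= 10:
        raise ValueError("sensitivity must be between 1 and 10")
    return (11 - sensitivity) / 2


def baseline_thresholds(baseline, degraded_sensitivity, excessive_sensitivity):
    """Return (degraded, excessive) thresholds derived from a baseline."""
    avg, sd = mean(baseline), pstdev(baseline)
    degraded = avg + k_from_sensitivity(degraded_sensitivity) * sd
    excessive = avg + k_from_sensitivity(excessive_sensitivity) * sd
    # Equal thresholds are allowed (degraded alarms then never fire), but the
    # degraded threshold must not sit above the excessive one.
    if degraded > excessive:
        raise ValueError("degraded threshold must not exceed excessive threshold")
    return degraded, excessive


def severity(value, degraded, excessive):
    """Classify one value against the two thresholds."""
    if value > excessive:
        return "excessive"
    if value > degraded:
        return "degraded"
    return "normal"


def evaluate(samples, degraded, excessive, persistent=True):
    """Severity reported by one per-minute alarm check.

    persistent=False: only the most recent minute is considered.
    persistent=True: every one of the most recent 20 one-minute samples must
    be above a threshold (ASSUMED reading of "consistently above").
    """
    if not samples:
        return "normal"
    if not persistent:
        return severity(samples[-1], degraded, excessive)
    window = samples[-PERSISTENCE_WINDOW:]
    if len(window) < PERSISTENCE_WINDOW:
        return "normal"  # not enough history to call the change persistent
    # All samples exceed a threshold exactly when the smallest one does.
    return severity(min(window), degraded, excessive)


# Constructed data: per-minute traffic rate in Mbit/s.
BASELINE = [90, 110] * 30                      # average 100, std dev 10
DEGRADED, EXCESSIVE = baseline_thresholds(BASELINE, 8, 4)

SPIKE = [100] * 19 + [160]                     # single one-minute burst
SUSTAINED = [100] * 5 + [120] * 20             # 20 minutes above degraded
SATURATED = [140] * 20                         # 20 minutes above excessive

if __name__ == "__main__":
    print("thresholds:", DEGRADED, EXCESSIVE)
    for name, series in (("spike", SPIKE), ("sustained", SUSTAINED),
                         ("saturated", SATURATED)):
        print(name,
              "last-minute:", evaluate(series, DEGRADED, EXCESSIVE, False),
              "persistent:", evaluate(series, DEGRADED, EXCESSIVE, True))
```

The one-minute burst raises an alarm only when the persistent-change option is off, which is the noise the option is meant to suppress.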
Baseline Learning and Reset
For the baseline to accurately reflect performance, time is required to
gather data. The following states are possible:
• Learning—Baselines are still learning the typical network performance. Alarms are not generated.
• Available—There is enough data to calculate a profile of typical network performance. However, more data is desired for a more accurate profile. Alarms are generated.
• Complete—The profile has a good sample of data to calculate reliable profiles. Alarms are generated.
These states are shown in the Alarm List (Settings > Configure
Alarms).
Only available and complete baselines are used to set thresholds and
generate alarms. NetFlow Tracker can collect enough data in a day to
create an available baseline. A complete baseline usually takes a
week.
Note
When you first install NetFlow Tracker or change alarm
parameters, baselines are reset. NetFlow Tracker must “learn”
the normal network performance and generate new baseline
profiles.
Static baselines are static only after the status is Complete. When
status of a static baseline is Available, the baseline is still adjusting.
Tips and Techniques
In general, configuring alarm thresholds too low results in too many
alarms that are ignored and makes it difficult to identify the more
serious problems as they arise.
Note:
• Always enable the “Alarm only for persistent change” option unless there is a specific reason to disable it.
• To disable Degraded alarms but leave Excessive alarms enabled, set the Degraded threshold to match the Excessive threshold.
• If your network experiences poor performance that an alarm is not identifying, decrease the threshold. If alarms are being generated but the performance is acceptable, increase the threshold.
Configuring Alarms
Use the Alarm List page (Settings > Configure Alarms) to manage and
create alarms. For each alarm, the name, type, template, exceeded
and degraded thresholds, filter, and persistent changes settings are
shown.
Options include:
• To view events triggered by an alarm, click [icon]. See “Viewing the Event List” on page 83.
• To add a new alarm, click New. See “Creating an Alarm.”
• To add a new Interface Alarm, click New Interface Alarm. See “Creating an Interface Alarm”.
• To edit an alarm, click its name.
• To delete an alarm, select its checkbox and click Delete.
Creating an Alarm
In NetFlow Tracker, you can create up to 100 alarms.
Figure 14 Creating an Alarm
To create an alarm:
1 Select Main Menu > Settings > Configure Alarms.
2 Click New. The Create Alarm page is shown.
3 Enter a name.
4 Select an alarm type:
   • Threshold Alarm—Indicates changes in performance. You can use a baseline or specified values.
   • Profile Alarm—Indicates changes in the network. You can use a baseline only. Select a report template for the alarm.
5 Select a metric. Available metrics vary based on the alarm type and, for Profile alarms, the report template:
   • For Threshold alarms, select: Traffic Rate, Packet Rate, Address Pair Rate, or Conversation Rate.
   • For Profile alarms, select: Traffic Rate, Packet Rate.
6 Set the source device. If you need more than one device, click Multiple. Then select devices in the left column and click > to include them. Note: If you select multiple devices, some or all traffic may be counted multiple times.
7 Select a filter and click Add. For more information, see Table 4 on page 39.
8 Set Alarm only for persistent change to exclude alarms that do not fall into a consistent pattern over a 20-minute period and may represent random jumps in data.
9 Set the threshold type:
   • Weekly Baseline—The baseline adjusts weekly, based on current data. Adjust the slider to set the alarm sensitivity.
   • Static Baseline—The baseline does not adjust once it is complete. Adjust the slider to set the alarm sensitivity.
   • Specified Values—Available only for Threshold alarms. Set the degraded and exceeded thresholds.
   For more information, see “Thresholds and Baseline Sensitivity.”
10 Click OK.
Creating an Interface Alarm
You can use an interface alarm to indicate when a network interface
exceeds a designated utilization.
Interface Alarms employ the usage data in NetFlow records and the
configured interface speed to determine the percentage utilization
of each interface on a per-minute basis. Interfaces are monitored
individually and alarms are generated for each event that exceeds the
configured threshold (for example, if two interfaces exceed the
threshold, then two alarms will be triggered).
Configuration
Figure 15 Creating an Interface Alarm
To create an interface alarm:
1 Select Main Menu > Settings > Alarm Settings > New Interface Alarm. The New Interface Alarm page is shown.
2 Enter a Name.
3 Set the threshold levels for the Degraded and Excessive utilization percentages. Select the pointers above (Degraded) or below (Excessive) and drag them to set the desired values.
4 Add interfaces to the alarm. Select Add. The Interface Selector window appears.
Figure 16 Interface Selector
5 Enable the checkbox next to each interface that you want to be part of the alarm. Use the arrow keys to scroll through the list, or you can use the Search field to look for a string (for example, an IP address) within the list.
6 Select Add when done.
7 Select Create Alarm.
Configuring Notification Settings
NetFlow Tracker generates SNMP traps when an alarm first exceeds
its threshold, when it returns below its threshold, and when it
changes from a degraded to excessive state for the first time. You can
set up NetFlow Tracker to send event notifications to any platform
that can receive them.
To configure notification settings:
1 Select Main Menu > Settings > Notification Settings.
2 Enter the IP address of the trap receiver.
3 Enter the SNMP port number and community.
4 Select the SNMP version: SNMP V1 or SNMP V2C.
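For whoever consumes these traps on the receiving side, the following added example (not NetFlow Tracker's code) folds a per-minute severity series into events and lists the three notification points described above. The notification names, the event fields, and the sample series are constructed for illustration; "first time" is read literally as the first degraded-to-excessive change within an event.

```python
RANK = {"normal": 0, "degraded": 1, "excessive": 2}


def track_events(per_minute):
    """Fold per-minute severities into events and the notifications they cause.

    per_minute: list of (minute, severity) tuples in time order.
    Returns (events, notifications); each notification is
    (minute, kind, severity) with kind in {"raised", "escalated", "cleared"}.
    """
    events, notifications = [], []
    current, previous, escalation_sent = None, "normal", False
    for minute, sev in per_minute:
        if sev not in RANK:
            raise ValueError(f"unknown severity: {sev!r}")
        if current is None:
            if sev != "normal":
                # Alarm first exceeds its threshold: a new event starts.
                current = {"start": minute, "end": None, "duration": None,
                           "initial": sev, "maximum": sev}
                escalation_sent = False
                notifications.append((minute, "raised", sev))
        elif sev == "normal":
            # One minute back within the threshold ends the event.
            current["end"] = minute
            current["duration"] = minute - current["start"]
            notifications.append((minute, "cleared", current["maximum"]))
            events.append(current)
            current = None
        else:
            # Severity may move in both directions during an event, but only
            # the first degraded -> excessive change is notified.
            if (previous == "degraded" and sev == "excessive"
                    and not escalation_sent):
                notifications.append((minute, "escalated", sev))
                escalation_sent = True
            if RANK[sev] > RANK[current["maximum"]]:
                current["maximum"] = sev
        previous = sev
    if current is not None:
        events.append(current)  # still open at the end of the data
    return events, notifications


# Constructed series: one severity per one-minute alarm check.
SERIES = list(enumerate([
    "normal", "degraded", "degraded", "excessive", "degraded",
    "excessive", "excessive", "normal", "normal", "degraded",
]))

if __name__ == "__main__":
    evts, notes = track_events(SERIES)
    for note in notes:
        print("notify:", note)
    for evt in evts:
        print("event:", evt)
```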
Viewing Events
Events are displayed at one-minute granularity. Events are removed
as real-time data is removed, by default after seven days. You can
view events in the following ways:
Viewing the Events Timeline
To view degraded and exceeded events in chart format over time,
select Main Menu > Events Timeline.
Figure 17 Events Timeline
Options include:
• To view data in chart format based on the report template used, click the alarm name.
• To view event data for a point in time, right-click and select from the menu.
• Move the chart back and forward in time, zoom in and out, or view the data in a table. For more information, see “Viewing Chart Data” on page 42.
Viewing the Event List
Use the Event List to view events in table format.
Figure 18 Event List
To view the Event List:
1 Select Main Menu > All Events.
Viewing the Event Lifecycle
To view event lifecycle information, click on an entry in the Event List.
Figure 19 Event Lifecycle
The Event Lifecycle page shows the alarm name, interface
information, the event start and end time, duration, current status,
initial and maximum severity levels, and a table that shows interface
usage. You can hover the mouse over an area on the graph to see
detailed information for the time period (one minute granularity).
The four states are:
• Exceeded—(Red) The conditions have surpassed the Excessive threshold or baseline setting.
• Degraded—(Orange) The conditions have surpassed the Degraded setting but have not reached the Excessive setting.
• Normal—(Green) The conditions have not reached the Degraded setting.
• No Data—(Black) No data was available.
8: Optimizing NetFlow Tracker
Using Settings, you can determine how data is gathered and
managed, and optimize NetFlow Tracker performance. Topics
include:
• Data Display and Filtering Settings
• Data Management and System Performance Monitoring
For other settings, see:
• “Setting up NetFlow Tracker” on page 15.
• “Setting up Reports” on page 53.
• “Creating an Alarm” on page 77.
• “Configuring Notification Settings” on page 81.
Data Display and Filtering Settings
Use these settings to apply additional filters and to set up NetFlow
Tracker for use through a management portal. Topics include:
• Management Portal Settings
• IP Application Names
• DiffServ Names
• Hostname Resolution Settings
• Subnet Names
• AS Names
Management Portal Settings
Use Management Portal Settings to set up access to NetFlow Tracker
through a management portal (such as the Visual Performance
Manager Web Portal).
NetFlow Tracker lets users of a management portal have device or
interface-level access to interactive reports, as long as the portal’s
HTTP proxy server can conceal the initial URL sent to NetFlow Tracker
and can direct subsequent HTTP requests from the user interacting
with the page to the NetFlow Tracker server. You may use an Apache
web server as a proxy if the management portal does not contain one
or is not sufficiently programmable. See “Using Apache as a Portal
Server” on page 87.
Note
When using management portal settings, you must use
password protection to prevent the system from being
bypassed. See “Applying Security Settings” on page 27.
To set up portal access control:
1 Select Main Menu > Settings > Management Portal Settings.
2 Under Tag, enter a tag that is used to identify the secret value if you need to change or delete it.
3 Under Secret, enter the secret value and under Confirm, enter the secret value again. To remove a secret value, check its box and click Delete.
4 Click Add.
5 Click OK.
How Access Control Works
A user’s web browser requests a URL from the portal’s proxy server
that identifies a particular NetFlow Tracker report. For example:
http://<proxy>/NetFlow Tracker1/report1
The portal’s proxy server sends a request to the NetFlow Tracker
server that selects the report and contains one of the configured
secret values and some access control parameters describing what the
user can access:
http://<NetFlow Tracker1>/report.jsp?portalsecret=<secret>&aclif=...
NetFlow Tracker creates a session for the portal and logs it in. This
session is restricted so that only requests containing access list
identifiers are accepted.
The report generated by NetFlow Tracker ensures that any
interaction (such as clicking a link) results in a request containing a
securely-generated access list identifier:
http://<proxy>/NetFlow Tracker1/report.jsp?portalacl=...
The portal’s proxy server sends the unaltered request to the correct
NetFlow Tracker server:
http://<NetFlow Tracker1>/report.jsp?portalacl=...
Using Apache as a Portal Server
The Apache web server supports several directives in its configuration
file (httpd.conf) for use as a programmable proxy server:
Table 11 Apache Web Server Commands
Command | Definition
RewriteEngine On | Enables the URL rewriting module.
RewriteRule ^/NetFlow Tracker1/report1$ http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000 [P,L] | Sets up a rule to proxy requests for http://<proxy>/NetFlow Tracker1/report1 to an access controlled request to the NetFlow Tracker server.
RewriteRule ^/NetFlow Tracker1/(.*)$ http://1.2.3.4/$1 [P,L,QSA] | Sets up a rule to proxy any requests for URLs starting with http://<proxy>/NetFlow Tracker1/ to an equivalent request to the NetFlow Tracker server.
ProxyPassReverse /NetFlow Tracker1/ http://1.2.3.4/ | Makes sure that NetFlow Tracker handles the HTTP redirects correctly when it creates a session for the portal and logs it in.
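To check a rule set before deploying it, the added example below (not part of the guide and not Apache code) models how the two RewriteRule lines in Table 11 resolve a browser request into the URL the proxy fetches from the NetFlow Tracker server. The `/nft1` prefix is a constructed stand-in for the proxy path, and the model covers only terminal proxy rules flagged [P,L] as used in the table.

```python
import re
from urllib.parse import parse_qs, urlsplit

PREFIX = "/nft1"  # constructed proxy path prefix (assumption)

# (pattern, substitution, flags), using the backend address and parameters
# shown in Table 11.
SECRET_RULE = (
    rf"^{PREFIX}/report1$",
    "http://1.2.3.4/report.jsp?portalsecret=s3cr3t&acldevice=4.3.2.1&templid=0000",
    {"P", "L"},
)
CATCH_ALL = (rf"^{PREFIX}/(.*)$", "http://1.2.3.4/$1", {"P", "L", "QSA"})

RULES = [SECRET_RULE, CATCH_ALL]        # order as listed in Table 11
MISORDERED = [CATCH_ALL, SECRET_RULE]   # catch-all placed first


def proxy_target(request_uri, rules):
    """Return the backend URL the proxy would fetch, or None if no rule matches.

    Rules are tried in configuration order and the first match wins, because
    every rule modelled here carries the L (last) flag.
    """
    parts = urlsplit(request_uri)
    for pattern, substitution, flags in rules:
        match = re.search(pattern, parts.path)  # patterns see the path only
        if match is None:
            continue
        # Expand $1..$9 back-references from the pattern's capture groups.
        target = re.sub(r"\$(\d)",
                        lambda ref: match.group(int(ref.group(1))),
                        substitution)
        if "?" in target:
            # A substitution with its own query string replaces the browser's
            # query string unless QSA asks for the two to be combined.
            if "QSA" in flags and parts.query:
                target += "&" + parts.query
        elif parts.query:
            target += "?" + parts.query  # query passes through unchanged
        return target
    return None


def sends_secret(url):
    """True if the backend request carries the portal secret."""
    return url is not None and "portalsecret" in parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    for uri in (f"{PREFIX}/report1",
                f"{PREFIX}/report1?acldevice=10.0.0.1",
                f"{PREFIX}/report.jsp?portalacl=abc123"):
        print(uri, "->", proxy_target(uri, RULES))
    print("misordered:", proxy_target(f"{PREFIX}/report1", MISORDERED))
```

With the catch-all rule first, the report URL is forwarded without the secret or the access control parameters, so the specific rule must precede it in httpd.conf. Because the secret is stored in that file, its read permissions deserve the same care as any other credential store.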
IP Application Names
Use IP Application Names to apply custom applications and ports that
you want to track. You can define simple and grouped applications.
Figure 20 IP Application Name Settings (callouts: Simple applications; Grouped applications)
Defining a Simple Application Name
A simple IP application is determined by its protocol (for example TCP
or UDP) and an application port number. Applications you define
here are used to display readable names in reports.
Protocol name and port numbers correspond directly to specific
network applications. Many are predefined (well-known ports) while
others (registered ports) are defined by the software manufacturer.
NetFlow Tracker comes configured with the well-known ports in
addition to many others. For a list of all well-known and registered
ports, see http://www.iana.org/assignments/port-numbers.
To define a single application:
1 Select Main Menu > Settings > IP Application Names.
2 Under Protocol, select a protocol from the drop-down list.
3 Under Port, enter a port number. By default, ports below 1024 are not shown on this page. To see them, click (more…).
4 Under Name, enter a unique name.
5 Click Add. To delete an application, select its checkbox and click Delete.
6 On the IP Application Names page, click OK.
Defining a Grouped Application Name
You often need more than a simple application port to correctly
identify an application.
In IP Application Names settings, you can create multiple grouped
applications, with each grouped application containing multiple
rules. A rule consists of at least one IP address and a range of port
numbers for a given protocol, traffic class, or identified application.
Each item in a rule is optional. Traffic that passes at least one rule is
considered part of that application.
To avoid double-counting data between single and grouped
applications, grouped applications have a configurable precedence.
Each group has a higher precedence than any simple application. If
traffic is considered part of more than one grouped application, the
one with the highest precedence is chosen.
A grouped application also has a unique identifier that is used when
creating long-term report data and in filter URLs. Because long-term
data uses identifiers, assign these carefully.
To define a grouped application:
1
Select Main Menu > Settings > IP Application Names.
2
On the lower part of the page, enter a unique identification
number and name for the application.
3
Set the precedence of the application.
4
Click New. The Grouped Application page is shown.
5
Apply an address range, protocol, port or port range, traffic class,
identified application, and click Add. To delete a grouped
application, select its checkbox and click Delete.
Note
Do not change the identifier of an existing grouped application
because long-term data uses this. Use caution when deleting
grouped applications.
6
Click OK.
7
On the IP Application Names page, click OK.
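The matching and precedence rules for grouped applications, as an added Python example (not NetFlow Tracker's own code). It assumes that an address or port in a rule may match either end of a flow, that a larger precedence number means higher precedence, and that traffic matching no group falls back to a simple name picked with the port rule this guide gives for the Recognized Applications report; all names and sample values are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One rule of a grouped application; None means the item was left empty."""
    network: Optional[str] = None            # CIDR, matched against either end (assumption)
    protocol: Optional[str] = None
    ports: Optional[Tuple[int, int]] = None  # inclusive range, matched against either port
    traffic_class: Optional[str] = None
    identified_app: Optional[str] = None

    def matches(self, flow):
        if self.protocol is not None and flow["proto"] != self.protocol:
            return False
        if self.network is not None:
            net = ip_network(self.network)
            if not any(ip_address(flow[k]) in net for k in ("src", "dst")):
                return False
        if self.ports is not None:
            low, high = self.ports
            if not any(low <= flow[k] <= high for k in ("sport", "dport")):
                return False
        if self.traffic_class is not None and flow.get("traffic_class") != self.traffic_class:
            return False
        if self.identified_app is not None and flow.get("identified_app") != self.identified_app:
            return False
        return True


@dataclass
class GroupedApp:
    ident: int        # identifier stored with long-term data, so it must stay stable
    name: str
    precedence: int   # assumption: a larger number means higher precedence
    rules: list = field(default_factory=list)

    def matches(self, flow):
        # Traffic that passes at least one rule belongs to the application.
        return any(rule.matches(flow) for rule in self.rules)


def simple_name(flow, simple_names):
    """Pick the named port; if both or neither are named, pick the lower port."""
    proto = flow["proto"]
    src_named = (proto, flow["sport"]) in simple_names
    dst_named = (proto, flow["dport"]) in simple_names
    if src_named != dst_named:
        port = flow["sport"] if src_named else flow["dport"]
    else:
        port = min(flow["sport"], flow["dport"])
    return simple_names.get((proto, port), f"{proto}/{port}")


def classify(flow, groups, simple_names):
    """Return (group identifier or None, application name) for one flow."""
    hits = [g for g in groups if g.matches(flow)]
    if hits:
        # Every group outranks every simple application; among groups the
        # highest precedence wins, so the flow is counted exactly once.
        best = max(hits, key=lambda g: g.precedence)
        return (best.ident, best.name)
    return (None, simple_name(flow, simple_names))


def flow(src, sport, dst, dport, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


# Constructed sample definitions (documentation and private address ranges).
SIMPLE = {("tcp", 80): "http", ("tcp", 1433): "ms-sql"}
GROUPS = [
    GroupedApp(100, "ERP", 10, [
        Rule(network="10.20.0.0/24", protocol="tcp", ports=(8000, 8100)),
        Rule(network="10.20.1.5/32", protocol="tcp", ports=(1433, 1433)),
    ]),
    GroupedApp(200, "Datacenter web", 5, [
        Rule(network="10.20.0.0/16", protocol="tcp", ports=(80, 8100)),
    ]),
]

if __name__ == "__main__":
    for f in (flow("192.0.2.10", 51000, "10.20.0.7", 8080),
              flow("192.0.2.10", 51001, "10.20.9.9", 80),
              flow("10.20.0.9", 50500, "10.20.1.5", 1433),
              flow("192.0.2.10", 51002, "198.51.100.4", 80)):
        print(f["dst"], f["dport"], classify(f, GROUPS, SIMPLE))
```

The third sample flow would be named ms-sql by the simple application table, but the ERP group claims it, which is why a changed group definition or identifier changes how long-term data is attributed.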
DiffServ Names
Use DiffServ Names settings to assign names to each of the 64
differentiated service code points. Standard code point names are
already configured.
To add a DiffServ name:
1
From the NetFlow Tracker Main Menu, select Settings > IP
Application Names.
2
Enter the DiffServ codepoint and name.
3
Click Add. To remove a code name from the list, select its
checkbox and click Delete.
4
Click OK.
Hostname Resolution Settings
Use Hostname Resolution Settings to configure aspects of the
resolution of hostnames for addresses encountered on reports. These
names are kept to increase reporting speed and reduce the amount
of network traffic NetFlow Tracker generates when generating a
report. You can set the length of time to store resolved hostnames
and failed lookups in cache. You can also control the size of the cache
and the number of threads used to resolve hostnames.
Note:
•
If hostname resolution is not working, click Defaults and then OK
to return to useful default values.
•
To clear the cache of resolved hostnames, clear Enable hostname
resolution and click OK. Then return to the Hostname Resolution
settings page and check this setting again.
To set hostname resolution:
1
Select Main Menu > Settings > Hostname Resolution.
2
Select Enable hostname resolution.
3
Set the length of time to cache successful lookups. The default is
1800 seconds (30 minutes).
4
Set the length of time to cache failed lookups. The default is 10
seconds.
5
Set the maximum number of cached lookups and concurrent
resolutions.
6
Click OK.
Subnet Names
Use Subnet Names to assign names to the IP subnets that appear in
reports. You define an IP subnet by its network address and mask
length. Subnet names you define here are shown in subnet reports.
Because routers may use different mask lengths to route different
traffic, you can assign names to overlapping subnets.
To set subnet names:
1
Select Main Menu > Settings > Subnet Names.
2
Enter the subnet IP address and a mask.
3
Enter a unique subnet name.
4
Click Add. To delete a subnet, select its checkbox and click Delete.
5
Click OK.
AS Names
Use AS Names to assign names to autonomous system (AS) numbers
appearing in reports.
•
AS numbers from 0 to 34816 are assigned by several agencies;
NetFlow Tracker comes with many of these ASes already named.
You can, however, edit these.
•
Numbers between 34816 and 64511 are held by the IANA and are
not available for use.
•
Numbers from 64512 to 65535 are available for use.
The AS names you define here are shown in reports.
To set AS names:
1
Select Main Menu > Settings > AS Names.
2
Enter an AS number. To assign or edit the name of a public or
reserved AS, click (more…).
3
Enter a unique AS name.
4
Click Add. To delete an AS name, select its checkbox and click Delete.
5
Click OK.
Data Management and System
Performance Monitoring
Use these settings to manage the database, back up and archive
data, allocate memory, and monitor system performance. Topics
include:
•
Database Settings
•
Backup
•
Archiving
•
Memory Settings
•
Making Sure That Data is Received
Database Settings
Use Database Settings to improve the performance of reports and
charts and to change the number of days for which data is stored (see
Table 12).
Table 12 Database Settings
Option
Definition
Expect large result sets
Controls how the database server manipulates raw data. Leave the default
setting, Auto, to let the database optimize itself. If you have a fast disk
subsystem, set this to Always to make sure reports with large amounts of data
perform well. If you have a slower disk subsystem, a lot of RAM, and a relatively
small amount of data, consider setting this to Never. Note, however, that reports
with large amounts of data may take much longer to run.
Maximum in-memory temporary table size
The maximum amount of memory the database server will use during a query
when you do set “Expect large result sets” to Never. Increasing this increases the
amount of data that it can report before performance drops significantly.
Sort buffer size
The size of the buffer used to reduce the amount of disk seeks when sorting
rows for grouping or final display. Increasing this improves reporting speed. You
are unlikely to see any benefit for sizes above 128MB.
Hold back real-time data for
Set the number of seconds after its end that each one-minute sample of real-time
data is held in RAM before being committed to disk. You may need to
increase this to avoid ignored flows.
MySQL can not access temporary files
Leave clear to improve the database performance. However, on Unix if the user
you run as has a umask that creates temporary files that MySQL cannot read,
check this setting.
Number of threads to use to generate a report
Set the number of threads used to generate real-time charts over time and pie
charts. Do not set this to more than the number of CPU cores in your system. You
are unlikely to see any benefit beyond 4.
Store real-time data for
Change the number of days full real-time data is stored for. Reduce this to save
disk space. Increase this if you have enough free space.
Store long-term report data for...
Change how long the different types of long-term data are stored. Each type of
data allows a long-term chart to display blocks of that size. If the block size is not
specified when opening a long-term report, then the closest available size to the
ideal for the selected time range is used.
Use compression
Reduce the amount of disk space used. Note: Reducing the disk space is likely to
slow down report generation.
Backup
Use Backup settings to back up the configuration of your NetFlow
Tracker server and its real-time and long-term databases.
Note
A full backup can take a long time to complete and uses a large
amount of disk space. Test the effect a full backup has upon the
system before scheduling it.
You can start a backup on demand or configure a schedule. The
folder’s contents are erased before the backup, so make sure that you
move scheduled backups to long-term storage if you need to save
space. Schedule a backup to different locations on alternate days.
Backing Up Data
To back up data:
1
Select Main Menu > Settings > Backup.
2
For a scheduled backup:
a
Enter the scheduled time and days.
b
Select the databases to include.
c
Enter the destination folder on the NetFlow Tracker server.
d
Click Add. To delete a scheduled backup, select its checkbox
and click Delete.
3
For an on-demand backup:
a
Enter the destination folder on the server.
b
Select the databases to include.
c
Click Start.
4
Click OK.
Restoring a Backup on Linux
The following procedure assumes that the backup is in:
/media/disk/trackerbackup
To restore a backup on Linux:
1
Log in as root. On an appliance, log in as VPMadmin and then
use sudo to become root:
sudo bash
2
Install NetFlow Tracker. The version number of the new
installation must be the same as the NetFlow Tracker that the
backup was done on.
3
Stop the NetFlow Tracker service:
/etc/init.d/nftracker stop
4
Change directory to the nftracker directory:
cd /opt/fnet/Tracker
5
Run the restore program:
./jre1.6.0_05/bin/java -jar jars/restore.jar -d /media/disk/trackerbackup
6
Restart NetFlow Tracker:
/etc/init.d/nftracker start
Restoring a Backup on Windows
The following procedure assumes that the backup is in:
x:\trackerbackup
To restore a backup on Windows:
1
Log in as an administrator.
2
Install NetFlow Tracker. The version number of the new
installation must be the same as the NetFlow Tracker that the
backup was done on.
3
Stop the NetFlow Tracker service:
net stop nftracker
4
Change directory to the nftracker directory:
cd c:\nftracker
5
Run the restore program:
"c:\Program Files\java\jre1.6.0_05\bin\java" -jar jars\restore.jar -d x:\trackerbackup
6
Restart NetFlow Tracker:
net start nftracker
Archiving
Use Archiving settings to archive real-time data instead of deleting it
when it exceeds the length of storage time configured in Database
Settings. You can set the archive location and access archived data by
mounting the archive containing the data you want to examine and
using the Filter Editor.
Note:
•
You must enable archiving for each device that you want to
archive data from in Device Settings. See “Database Settings” on
page 93.
•
Archived data is not deleted. You must move archived data to
long-term storage in a timely manner.
•
You cannot mount an archive from a device that was deleted or
was never present on the server.
•
Mounting and unmounting archives does not affect the archive
file itself.
•
You can restore archived data from the previous version of
NetFlow Tracker.
You can store all archives in the archive folder or in subfolders for
each device or day.
To mount an archive:
1
Select Main Menu > Settings > Archiving.
2
Under Mount Archives, enter the directory containing the archive
and click List.
3
Select archives and click Mount. When archives are mounted they
appear under Currently Mounted Archives. To unmount these,
select and click Unmount.
4
Click OK.
Memory Settings
Use Memory Settings to control the amount of initial and maximum
memory used by NetFlow Tracker. During normal operation, NetFlow
Tracker uses a small amount of memory, so in most cases you do not
need to change the default settings.
Note the following:
•
By incorrectly allocating memory you can prevent NetFlow
Tracker from functioning properly.
•
The Memory Settings page is not available on Unix installations.
To change the memory settings on Unix you must edit the start
script.
A: Setting up NetFlow
on Network Devices
Topics include:
•
Enabling NetFlow Export/NDE on a Cisco Router or Layer 3 Switch
•
Configuring NetFlow Input Filters for Traffic Class Reporting
•
Enabling Flow Detail Records on a Packeteer Device
•
Enabling NetFlow on an Enterasys Device
•
Enabling sFlow on a Foundry Device
For information about other supported flow standards and devices,
see the Fluke Networks Knowledge Base.
Enabling NetFlow Export/NDE on a Cisco
Router or Layer 3 Switch
Only users experienced in configuring Cisco devices should attempt to
apply these commands. If you are in doubt, contact your network
administrator or Cisco consultant. Note: If you are running hybrid
mode on a layer 3 switch you must set up IOS on the MSFC and CatOS
on the Supervisor Engine. Native IOS also requires extra commands
which are documented in the following sections. For more
information, see http://www.cisco.com/go/netflow.
Enabling NetFlow Export on an IOS Device
In configure mode on the router or MSFC, issue the commands in
Table 13 to enable NetFlow export:
Table 13 IOS NetFlow Commands
Command
Definition
ip cef
Enables Cisco Express Forwarding, which is required for NetFlow in most recent
IOS releases.
ip flow-export destination <address> 2055
Use the address of your NetFlow Tracker server and one of the ports configured
in the Listener Ports settings page. Port 2055 is monitored by default.
ip flow-export source loopback 0
The source interface is used to set the source IP address of the NetFlow exports
that the router sends. NetFlow Tracker makes SNMP requests of the router on
this address. If you experience problems, set the source interface to an Ethernet
or WAN interface instead of the loopback.
ip flow-export version 5 [peer-as | origin-as]
or
ip flow-export version 9 [peer-as | origin-as]
Sets the export version. NetFlow Tracker supports IOS versions 5 and 9. If you
have a Native IOS switch you may need to use version 9 to work around an issue.
If your router uses BGP, you can include the origin or peer ASes in exports. You
cannot include both.
ip flow-cache timeout active 1
Breaks up long-lived flows into one-minute segments.
ip flow-cache timeout inactive 15
Makes sure that flows that have finished are exported in a timely manner.
Note: Enabling or disabling NetFlow versions 5 or 9 on a 12000 series router
causes packet forwarding to stop for a few seconds while the route processor
and line card CEF tables reload. To avoid interruption of service to a live network,
apply this command during a change window, or include it in the
startup-configuration file to be executed during a router reboot.
interface <interface>
ip route-cache flow
or ip flow ingress
or ip route-cache cef
bandwidth <kbps>
exit
Enable NetFlow on each interface through which the traffic you are monitoring
flows (normally the Ethernet and WAN interfaces). Note: There are several
commands to enable NetFlow on an interface and you must use the same
command for every interface.
ip route-cache flow and ip flow ingress enable NetFlow for inbound
traffic on the interface, but you apply the latter to individual sub-interfaces and
the former to the physical interface. Do not enable NetFlow for a physical
interface and one or more of its sub-interfaces.
ip flow egress enables NetFlow for outbound traffic on the interface and is
required if you are using input filters. You may enable NetFlow for both inbound
and outbound traffic on a single interface. In this case, make sure that no other
interface has NetFlow enabled.
Egress NetFlow is also useful if you are monitoring a router that applies QoS to
the traffic it routes. By using egress NetFlow, you see QoS settings that the router
applied rather than those on the traffic before it was routed.
You may also need to set the speed of the interface in kilobits per second. It is
important to do this for frame relay or ATM virtual circuits. Note: A Catalyst 4000
series switch does not support any of the commands to enable NetFlow for an
interface. Instead, NetFlow is enabled for all interfaces using the following
special command.
show ip flow export
Shows the current NetFlow configuration. Issue this in normal (not
configuration) mode.
show ip cache flow
show ip cache verbose flow
These commands issued in normal mode summarize the active flows and indicate
how much NetFlow data the router is exporting.
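A check of a saved IOS configuration against the Table 13 settings, as an added Python example (not part of NetFlow Tracker or of Cisco's tooling). The two configurations are constructed, the function names are hypothetical, and the parser assumes the usual running-config layout in which interface sub-commands are indented and blocks end at a "!" line.

```python
import re

ENABLE_CMDS = ("ip route-cache flow", "ip flow ingress", "ip flow egress")

def parse_config(text):
    """Return (global command lines, {interface name: [its command lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # "!" or a blank line closes a block
        elif raw[0].isspace():
            if current is not None:
                interfaces[current].append(line)
        else:
            match = re.match(r"interface\s+(\S+)", line)
            current = match.group(1) if match else None
            if match:
                interfaces[current] = []
            else:
                global_lines.append(line)
    return global_lines, interfaces

def value_after(global_lines, prefix):
    """Text following `prefix` on the first matching global line, or None."""
    for line in global_lines:
        if line == prefix or line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def audit(text, collector_port=2055):
    """List the places where a configuration departs from the Table 13 settings."""
    glob, ifs = parse_config(text)
    findings = []
    for required in ("ip cef", "ip flow-export source"):
        if value_after(glob, required) is None:
            findings.append(f"missing: {required}")
    dest = [l.split()[3:] for l in glob if l.startswith("ip flow-export destination ")]
    if not dest:
        findings.append("missing: ip flow-export destination")
    elif not any(d[1:2] == [str(collector_port)] for d in dest):
        findings.append(f"port: nothing is exported to UDP {collector_port}")
    version = (value_after(glob, "ip flow-export version") or "").split()
    if not version:
        findings.append("missing: ip flow-export version")
    elif version[0] not in ("5", "9"):
        findings.append(f"version: {version[0]} is not 5 or 9")
    for kind, wanted in (("active", "1"), ("inactive", "15")):
        got = value_after(glob, f"ip flow-cache timeout {kind}")
        if got is None:
            findings.append(f"missing: ip flow-cache timeout {kind} {wanted}")
        elif got != wanted:
            findings.append(f"timeout: {kind} is {got}, the guide uses {wanted}")
    enabled = {}
    for name, cmds in ifs.items():
        used = [c for c in ENABLE_CMDS if c in cmds]
        if used:
            enabled[name] = used
    if not enabled:
        findings.append("interfaces: NetFlow is not enabled on any interface")
    both = [n for n, used in enabled.items() if "ip flow egress" in used and len(used) > 1]
    distinct = {c for used in enabled.values() for c in used}
    if both and len(enabled) > 1:
        findings.append(f"interfaces: {both[0]} has ingress and egress NetFlow, "
                        "so no other interface may enable it")
    elif not both and len(distinct) > 1:
        findings.append("interfaces: different enable commands are mixed")
    for name in enabled:
        parent = name.split(".")[0]
        if "." in name and parent in enabled:
            findings.append(f"interfaces: NetFlow on {parent} and its sub-interface {name}")
    return findings

# Constructed running-config excerpts (documentation addresses, not from a real device).
GOOD = """\
ip cef
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.50 2055
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
interface GigabitEthernet0/0
 ip flow ingress
!
interface GigabitEthernet0/1
 bandwidth 10000
 ip flow ingress
"""
BAD = """\
ip flow-export version 1
ip flow-export destination 192.0.2.50 9996
ip flow-cache timeout active 30
!
interface Serial0/0
 ip route-cache flow
!
interface Serial0/0.100
 ip flow ingress
"""

if __name__ == "__main__":
    for label, config in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(config) or "matches Table 13")
```

Pass a different collector_port when the Listener Ports settings page uses a port other than 2055.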
Enabling NDE on a Native IOS Device
In addition to commands listed in Table 13, use the commands in
Table 14 to get NetFlow information on route-switched traffic from a
Catalyst 6000 or above. These are not required for a Catalyst 4000
series.
Table 14 IOS NDE Commands
Command
Definition
mls netflow
Enables NetFlow on the supervisor.
mls nde sender version 5
or
mls nde sender version 7
Sets the export version. Due to IOS issues, the export version you must use on the
supervisor depends on your hardware configuration and IOS version:
Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S,
12.2(15.1)S, 12.2(17a)SX or above: Use version 5. Note: This configuration causes
Performance Counters to report missed flows that are not actually missed as a
result of an IOS bug fixed in the SXF strains.
Distributed Forwarding Cards and older than 12.1(13)E03, 12.1(18.1)E,
12.2(13.6)S, 12.2(15.1)S or 12.2(17a)SX: This configuration causes serious
problems. Contact Fluke Networks TAC if your device matches this description.
No Distributed Forwarding Cards and 12.0(24)S, 12.2(18)S, 12.3(1) or above: Use
version 5 and configure the MSFC to export version 9 as described above.
No Distributed Forwarding Cards and 12.1(13)E03, 12.1(18.1)E, 12.2(13.6)S,
12.2(15.1)S, 12.2(17a)SX or above: Use version 5.
All others: Use version 7. Note: Version 7 may not include AS or subnet mask
information.
mls aging long 64
Breaks up long-lived flows into one-minute segments.
mls aging normal 32
Makes sure that completed flows are exported in a timely manner.
mls flow ip interface-full
mls nde interface
or
mls flow ip full
If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher,
you must use the first two commands to put interface and routing information
into the NetFlow Exports. This information is unavailable with any earlier IOS
version on the Supervisor Engine 2 or 720.
If you have a Supervisor Engine 1, use the third command to put full information
into the NetFlow Exports.
ip flow ingress layer2-switched vlan <vlanlist>
ip flow export layer2-switched vlan <vlanlist>
A PFC3B or PFC3BXL running 12.2(18)SXE or higher is required for this command,
which enables NDE for all traffic within the specified VLANs rather than just
inter-VLAN traffic.
Enabling NetFlow Export on a 4000 Series Switch
The 4000 and 4500 series switches require a Supervisor IV with a
NetFlow Services daughter card (WS-F4531), or a Supervisor V, and
IOS version 12.1(19)EW or above to support NetFlow. First configure
the device as for an IOS device, omitting the command ip route-cache
flow on each interface, and then issue the following command:
ip route-cache flow infer-fields
This makes sure that routing information is included in the flows.
Configuring NDE on a CatOS Device
A layer 3 switch running CatOS appears as two devices. You can set
up the MSFC to export NetFlow information on all the packets it
routes by following the instructions for configuring an IOS device
above.
In privileged mode on the Supervisor Engine, issue this to enable NDE:
Table 15 IOS Commands on CatOS Device
Command
Definition
set system name <name>
Set the name of your switch. Note: Even if the prompt has been set to the name
of the switch you still need this command.
set mls nde <address> 2055
Use the address of the NetFlow Tracker server and one of the ports configured in
the Listener Ports settings page. Port 2055 is monitored by default.
set mls nde version 7
Sets the export version. Version 7 is the most recent full export version supported
by switches.
set mls agingtime long 64
Breaks up long-lived flows into one-minute segments.
set mls agingtime 32
Makes sure that completed flows are exported in a timely manner.
set mls flow full
Sets the flow mask to full flows. This is required to get useful information from
the switch.
set mls bridged-flow-statistics enable <vlanlist>
CatOS 7.(2) or higher is required for this command, which enables NDE for all
traffic within the specified VLANs rather than just inter-VLAN traffic.
set mls nde enable
Enables NDE.
show mls nde
show mls debug
These commands help debug your NDE configuration.
Configuring NetFlow Input Filters for
Traffic Class Reporting
IOS versions 12.2(25)S, 12.2(27)SBC and 12.3(4)T and greater support
the NetFlow Input Filters feature, which NetFlow Tracker can use to
report upon the traffic class used to route each flow.
Table 16 NetFlow Input Filters for Traffic Class Reporting
Command
Definition
flow-sampler-map allflows
mode random one-out-of 1
exit
Create a flow sampler that exports every flow record.
policy-map netflowpolicymap
class <class>
netflow-sampler allflows
exit
exit
Create a policy map containing NetFlow sampling actions. You must
include each class for which you want information.
interface <interface>
service-policy input netflowpolicymap
exit
Associate the policy map with an interface. You must associate the
policy map with each NetFlow-enabled interface from which you
want traffic class information.
Enabling Flow Detail Records on a
Packeteer Device
A Packeteer 1200, 1550, 2500, 4500, 6500, 8500, 9500, or 10000 series
running PacketWise v7.0.0 or above and having 256MB or more of
memory can send either NetFlow records or a similar proprietary
format to NetFlow Tracker. For more information, see
http://support.packeteer.com/documentation/packetguide/rc3.1/overviews/flowdetail.htm.
To enable Flow Detail Records:
1
Log in to the PacketShaper in touch mode.
2
Open the flow detail records page on the setup tab.
3
In a collector row, enter the IP address of the NetFlow Tracker
server and one of the ports configured in Listener Ports settings
(2055 is monitored by default). Packeteer-1 is the recommended
record type for use with NetFlow Tracker. Packeteer-2 is not
recommended because NetFlow Tracker does not use the extra
information and bandwidth is wasted.
You can also export NetFlow v5 records. This prevents the Traffic
Classes and Identified Applications reports and filters from
functioning for the device.
4
Set the value under Enabled to on and click apply changes.
5
To make sure that NetFlow Tracker receives enough information
from the PacketShaper device, verify that the Look Community
String configured in the SNMP page is set up in SNMP Settings,
and set Packeteer-0 Packets to on in the system variables page.
6
If you have a recent version of PacketWise, you may need to
change extra settings on the system variables page. Set
Intermediate FDR to on, Intermediate FDR Timeout to 30000
milliseconds, and Reset Packeteer 1/2 counters to on. If these
settings are not available, then the PacketShaper describes all
traffic for a long-lived flow in one record, and NetFlow Tracker
counts it all in the minute during which the flow ended. This
leads to large spikes in charts for the device.
Enabling NetFlow on an Enterasys Device
NetFlow Tracker supports Enterasys devices capable of exporting
NetFlow version 9 exports. To enable NetFlow, enter the following
commands while logged in to the router with read/write access:
Table 17 NetFlow on an Enterasys Device
Command
Definition
set netflow cache enable
Enables NetFlow.
set netflow export-destination <address> 2055
Use the address of your NetFlow Tracker server and a configured port in the
Listener Ports settings page. Port 2055 is monitored by default.
set netflow export-interval 1
Breaks up long-lived flows into one-minute segments.
set netflow port <port-string> enable
You must enable NetFlow on each interface through which traffic you are
monitoring flows, normally the Ethernet and WAN interfaces.
set netflow export-version 9
Sets the export version. Version 9 is required for NetFlow Tracker to associate
NetFlow information with the interfaces it relates to.
Enabling sFlow on a Foundry Device
NetFlow Tracker supports Foundry devices capable of exporting sFlow
version 2 and 5 exports. To enable sFlow, enter the following
commands while logged in to the router with read/write access:
For more information, see the Foundry Command Reference Guide.
Table 18 sFlow on a Foundry Device
Command
Definition
(config)# sflow enable
Enable sFlow globally
(config)# sflow destination x.x.x.x
Configure a destination
(config)# interface eth 1
or
(config)# interface eth 1 to 48
(config-if-1)# sflow forwarding
Enable sFlow on a port or ports
B: Report Templates
When you create a report or chart you can choose from the report
templates, depending on the type of data you want to examine.
•
Address Reports
•
Session Reports
•
QoS Reports
•
Network Reports
•
Interface Reports
•
Traffic Identification Reports
•
Full Flow Forensics Reports
•
Other Reports
Address Reports
Report
Shows...
Source Addresses
The IP addresses that were the source of most traffic
or packets.
Destination Addresses
The destination IP addresses that were the
destination of most traffic or packets.
Addresses
Busiest addresses. Includes total traffic, source traffic,
destination traffic, total packets, source packets, and
destination packets. For each metric, includes
percentage of total traffic.
Address Pairs
The pairs of connected IP addresses that exchanged
most traffic or packets.
Bi-directional Address
Pairs
In extra columns, the traffic and packets sent from
destination to source for each address pair.
Source Address
Dissemination
The source addresses that conversed with the most
distinct destination addresses and that were involved
in the most distinct endpoint-to-endpoint
conversations. This can help detect file sharing or
virus infected hosts.
Destination Address
Popularity
The destination addresses that conversed with the
most distinct source addresses and that were
involved in the most distinct conversations.
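What the Source Address Dissemination and Destination Address Popularity reports count, worked over constructed flow records as an added Python example (not NetFlow Tracker's implementation). The record layout, the function names and the 20-peer threshold are assumptions made for the illustration.

```python
from collections import defaultdict

def fan_out(flows, by="src"):
    """Rank hosts by how many distinct peers they talked to.

    by="src" gives the Source Address Dissemination view,
    by="dst" gives the Destination Address Popularity view.
    """
    peers, conversations, octets = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        host, peer = (src, dst) if by == "src" else (dst, src)
        peers[host].add(peer)
        # A conversation is one endpoint-to-endpoint pair; repeated records for the
        # same pair (one per exported minute of a long flow) count once.
        conversations[host].add((src, sport, dst, dport, proto))
        octets[host] += nbytes
    rows = [{"host": h, "peers": len(peers[h]),
             "conversations": len(conversations[h]), "bytes": octets[h]}
            for h in peers]
    return sorted(rows, key=lambda r: (-r["peers"], -r["conversations"], r["host"]))

def suspects(rows, min_peers=20):
    """Hosts whose distinct-peer count reaches the (assumed) review threshold."""
    return [r["host"] for r in rows if r["peers"] >= min_peers]

def top_by_bytes(rows):
    """The host a plain traffic ranking would put first."""
    return max(rows, key=lambda r: r["bytes"])["host"]

def constructed_flows():
    """Sample records: (src, sport, dst, dport, proto, bytes)."""
    flows = []
    # 10.1.1.23 touches 40 different hosts on TCP/445 with one small flow each.
    for i in range(1, 41):
        flows.append(("10.1.1.23", 40000 + i, f"10.1.2.{i}", 445, "tcp", 120))
    # 10.1.1.50 opens 40 connections, all to the same web server.
    for i in range(40):
        flows.append(("10.1.1.50", 50000 + i, "192.0.2.80", 443, "tcp", 90000))
    # 10.1.1.77 is an ordinary workstation using three servers.
    for i, dst in enumerate(("192.0.2.80", "192.0.2.25", "192.0.2.53")):
        flows.append(("10.1.1.77", 41000 + i, dst, 443, "tcp", 20000))
    # The first of those conversations is reported again in the next minute.
    flows.append(("10.1.1.77", 41000, "192.0.2.80", 443, "tcp", 20000))
    return flows

if __name__ == "__main__":
    rows = fan_out(constructed_flows(), by="src")
    for row in rows:
        print(row)
    print("busiest by bytes:", top_by_bytes(rows))
    print("review for scanning or worm activity:", suspects(rows))
```

In this sample 10.1.1.50 moves the most traffic but reaches a single destination, while 10.1.1.23 moves almost none and reaches forty, which is the pattern the dissemination ranking is meant to surface and a traffic ranking hides.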
Session Reports
Report
Shows...
Protocols
The IP protocols, such as TCP or UDP, used by most
traffic or packets.
Source Applications
The IP applications that were the source of the most
traffic or packets. An IP application is a combination
of an application port and protocol: for example,
HTTP or FTP. You can assign names to applications
using the IP Application Names settings page.
Examining the source applications inwards on an
interface can show you what applications are using
your Internet bandwidth.
Destination Applications
The IP applications that were the destination of most
traffic or packets. The destination applications
outwards can show the most requested applications
on a link.
Recognized Applications
The IP applications that were the source or
destination of most traffic or packets. Whether the
application was the source or destination depends on
whether it has a name defined in the IP Application
Names settings page or, if both or neither have
names, which has the lower port number.
Conversations
The pairs of connected endpoints that exchanged
most traffic or packets. A single conversation
represents, for example, a web browser downloading
a single image.
Bi-directional
Conversations
In extra columns, the traffic and packets sent from
destination to source for each conversation.
Source Endpoints
The IP addresses and corresponding applications that
were the source of most traffic or packets. The top
source endpoints inwards on a link are the remote
services using your bandwidth.
Destination Endpoints
The IP addresses and corresponding applications that
were the destination of most traffic or packets.
Server-Client Sessions
The pairs of connected source endpoints and
destination addresses that exchanged most traffic or
packets. A session might represent, for example, a
web browser downloading several web pages with
images from a web server.
Client-Server Sessions
The pairs of connected source addresses and
destination endpoints that exchanged the most
traffic or packets. A session could represent a client’s
requests to a web server for several pages and
images.
Sessions
Source and destination address, application, traffic,
percentage of total traffic, packets, and percentage
of total packets.
Bi-directional Sessions
Data in Sessions report, plus forward and reverse
traffic and packets.
QoS Reports
Report
Shows...
Types of Service
The ToS levels with most traffic or packets.
Differentiated Services
The DiffServ code points with most traffic or packets.
Network Reports
Report
Shows...
Source ASes
The autonomous systems that were the source of
most traffic or packets. Note: A switch does not know
anything about ASes.
Destination ASes
The autonomous systems that were the destination
of most traffic or packets.
ASes
Busiest ASes. Includes total traffic, source traffic,
destination traffic, total packets, source packets, and
destination packets. For each metric, includes
percentage of total traffic.
AS Pairs
The pairs of connected ASes that exchanged most
traffic or packets.
Bi-directional AS Pairs
In extra columns, the traffic and packets sent from
destination to source for each AS pair.
Source Networks
The IP subnets that were the source of most traffic or
packets. Note: A router may not know the subnet of
a particular address and a switch never knows it.
Destination Networks
The IP subnets that were the destination of most
traffic or packets.
Network Pairs
The pairs of connected IP subnets that exchanged
most traffic or packets.
Bi-directional Network
Pairs
In extra columns, the traffic and packets sent from
destination to source for each network pair.
Interface Reports
Report
Shows...
In Interfaces
The router interfaces or switch ports that were the
arrival point of most traffic or packets. Note: This is
only meaningful for the outwards direction.
Out Interfaces
The router interfaces or switch ports that were the
departure point of most traffic or packets. Note: This
is only meaningful for the inwards direction.
Interface Pairs
In and out interfaces, in and out percentage of
usage, traffic, percentage of total traffic, packets,
and percentage of packets for devices.
VPNs
The VPNs with most traffic or packets. You must
associate interfaces with VPNs in Device Settings for
this report to function.
Next Hops
The next-hop addresses that received most traffic or
packets. Note: Only a router can supply a next-hop
address.
Traffic Identification Reports
Report
Shows...
Identified Applications
Identified applications with the most traffic or
packets.
Traffic Classes
Traffic classes with the most traffic or packets.
Full Flow Forensics Reports
Report
Shows...
TCP Flags
TCP flag, traffic, percentage of total traffic, packets,
and percentage of total packets.
Duration
Flows ranked by duration—the full length of a flow.
Includes amount of traffic, percentage of total
traffic, number of packets, and percentage of total
packets.
Full Flow Conversations
Start and end times, source and destination addresses
and applications, in and out interfaces, TCP flags, and
traffic for each flow.
Other Reports
Report
Shows...
Total Address Pairs
Total number of address pairs.
Total Conversations
Total number of conversations.
Total
Traffic, percentage of total traffic, packets, and
percentage of total packets.
C: Report URL
Parameters
In addition to the filters used when configuring NetFlow Tracker
reports, you can apply additional custom parameters to further
define data. You can generate your own URLs or modify
automatically created ones for use in network management portals
or favorites lists.
Table 19 Customizable Filter Parameters
Parameter
Specifies...
templid
The report template to use.
id
The long-term report to open.
cid
The executive report to open.
output
The type of report to generate: tabular or chart.
nrecords
The number of rows to show per page of a tabular view.
others
That a tabular view shows an “others” row instead of a page navigator.
visible
A visible column of a table or chart.
nelements
The number of elements to chart.
chartTitle
The chart to show.
chartWidth
The width of the chart.
chartHeight
The height of the chart.
sections
The report sections to output.
features
The available interactive report features.
resolve
How domain names will be handled in a report with an IP address column.
format
The output format of the report or chart.
reload
The number of seconds between automatic refreshes of the report.
splash
Show the splash screen.
stime
The start of the required time range.
etime
The end of the required time range.
length
The length of the required time range.
unit
The unit to measure the time range in.
nunitsago
The number of units before the time of report generation the time range should end.
nunits
The number of units required.
date_unit
The unit to measure how long before the report is generated the time range starts
and ends.
sdate_unit
The unit to measure how long before the report is generated the time range starts.
sdate_nunitsago
The number of units before the time of report generation of the first day of the time
range.
edate_unit
The unit to measure how long before the report is generated the time range ends.
edate_nunitsago
The number of units before the time of report generation of the last day of the time
range.
stime
The time of day at which the time range starts (simple calendar).
etime
The time of day at which the time range ends (simple calendar).
timemask
An inclusive mask to apply to the time range.
timezone
The time zone of the view.
sample_unit
The unit to measure the sample size in.
sample_nunits
The number of units in each sample.
range
The source long-term data to use.
sample
The source long-term data to use.
sf
Saved filter to apply to the report.
device
The address of a permitted NetFlow-exporting device.
inif
A permitted input interface, thus selecting inbound traffic on the interface.
outif
A permitted output interface, thus selecting outbound traffic on the interface.
if
A permitted input or output interface of the flow, thus selecting traffic passed in both
directions across the interface.
invpn
A Virtual Private Network (VPN) that the input interface must be part of.
outvpn
A VPN that the output interface must be part of.
vpn
A VPN that either interface must be part of.
srcaddr
A permitted source address.
dstaddr
A permitted destination address.
addr
A permitted source or destination address.
proto
A permitted IP protocol.
srcport
A permitted source application port number.
dstport
A permitted destination application port number.
srcappl
A permitted source IP application.
dstappl
A permitted destination IP application.
appl
A permitted source or destination IP application port.
recappl
A permitted recognized IP application port.
applid
A permitted identified application.
tos
A permitted Type-of-Service byte.
ds
A permitted differentiated service codepoint.
class
A permitted traffic class.
srcas
A permitted source autonomous system number.
dstas
A permitted destination autonomous system number.
as
A permitted source or destination autonomous system number.
srcnet
A permitted source subnet.
dstnet
A permitted destination subnet.
net
A permitted source or destination subnet.
srcmask
A permitted source subnet mask, as supplied by the router.
dstmask
A permitted destination subnet mask.
mask
A permitted source or destination subnet mask.
nexthop
A next-hop address.
j_username
The username.
j_password
The password.
portalsecret
The secret value assigned to the management portal.
acldevice
The address of a permitted device that exports NetFlow.
aclif
A permitted interface.
aclvpn
A permitted VPN.
acltemplid
A permitted report template.
aclid
A permitted long-term report.
aclcid
A permitted executive report.
aclfiltereditor
A filter that will show in the Filter Editor
aclsf
A visible saved filter.
aclfeatures
The permitted interactive report features.
General Format
http://<server>:<port>/report.jsp?prm=value&prm=value...
server
The domain name or IP address of the NetFlow Tracker server
port
The HTTP port of the NetFlow Tracker server
prm, value
A named parameter and its value. Supply as many parameters
as necessary in any order with each prm=value pair separated
by an ampersand.
Report Parameters
templid – specifies the report template to use. Do not use this
parameter with id or cid.
0000
Source Addresses
0001
Destination Addresses
0002
Address Pairs
0003
Protocols
0006
Source Applications
0007
Destination Applications
0008
Source Endpoints
0009
Destination Endpoints
0010
Server-Client Sessions
0011
Client-Server Sessions
0012
Conversations
0013
Types of Service
0014
Differentiated Services
0015
Source ASes
0016
Destination ASes
0017
AS Pairs
0018
Source Networks
0019
Destination Networks
0020
Network Pairs
0021
In Interfaces
0022
Out Interfaces
0023
Next Hops
0024
Source Address Dissemination
0025
Destination Address Popularity
0026
Recognized Applications
0027
Traffic Classes
0028
Identified Applications
0029
Bi-directional Address Pairs
0030
Bi-directional Conversations
0031
Bi-directional AS Pairs
0032
Bi-directional Network Pairs
0033
Total
0034
VPNs
0035
Addresses
0036
Endpoints
0037
Networks
0038
ASs
0039
Sessions
0040
Bi-directional Sessions
0041
Interface Pairs
_flows
Full flows
id – specifies the long-term report to open. You can enable several
standard long-term reports in Report Settings. The IDs for these
reports are given below. The ID for a custom report is available in
Report Settings. Do not use this parameter with templid or cid.
0000
Source Addresses per inbound interface
0001
Source Addresses per outbound interface
0002
Destination Addresses per inbound interface
0003
Destination Addresses per outbound interface
0004
Recognized Applications per inbound interface
0005
Recognized Applications per outbound interface
0100
Source Addresses per source device
0101
Destination Addresses per source device
0102
Recognized Applications per source device
<id>
A custom long-term report ID
cid – specifies the executive report to open. The ID for an executive
report is available in Report Settings. Do not use this parameter with
templid or id.
<id>
An executive report ID
output – specifies the type of report to generate: tabular or chart.
table
A tabular report is generated (default)
chart
A chart over time is generated
pie
A pie chart is generated
nrecords – specifies the number of rows to show per page of a
tabular view.
<number>
The number of rows per page
-1
Show all rows
others – specifies that a tabular view shows an Others row instead of
a page navigator. The long-term tabular view always shows an Others
row.
true
An Others row is shown instead of a page navigator
false
No Others row is shown (default)
visible – specifies a visible column of a table or chart. Apply this as
often as needed to include all desired columns. By default, all
columns are visible.
<heading>
The URL-encoded column heading; note that % is URL-encoded
as %25
-<heading>
A column to make invisible; parameters specifying invisible
columns cannot be mixed with those specifying visible columns
nelements – specifies the number of elements to chart.
<number>
The number of elements to chart
chartTitle – specifies the chart to show.
<title>
The chart title
chartWidth – specifies the width of the chart. Use this as an output
parameter in an executive report.
<width>
The chart width in pixels
chartHeight – specifies the height of the chart. Use this as an
output parameter in an executive report.
<height>
The chart height in pixels
sections – specifies the report sections to output.
<sections>
The sections, formed by summing the values for each section
1
Title
2
Time range & filter description
4
Main report or chart body
8
Chart title, if applicable
16
Chart legend, if applicable
32
Result information, if applicable
-<sections>
The sections that are not displayed
features – specifies the available interactive report features.
<features>
The features, formed by adding the values for each feature
1
Navigation Menu
2
Select All button, if applicable
4
Zoom In button, if applicable
8
Zoom Out button, if applicable
48
Open as Tabular Report, Chart or Pie buttons as
applicable
64
Filter Editor button, if applicable
128
Refresh and Resolve All buttons, if applicable
256
Print and CSV buttons, if applicable
512
Open in New Window button
1024
Drilldown controls
2048
Direct drilldown links (found in navigation reports)
4096
Page navigator
8192
Sortable column headers
16384
Chart scrollbar
32768
Chart selection headers
65536
Time range editor, if specified
-<features>
The features that are not displayed
resolve – specifies how domain names are handled in a report with
an IP address column.
all
All domain names will be resolved and shown in full
available
Only already resolved names will be shown, as tooltips (default)
format – specifies the output format of the report or chart.
html
Fully interactive HTML (default)
print
Printable/saveable HTML
csv
Comma separated values
pdf
Printable/saveable pdf
reload – specifies the number of seconds between automatic
refreshes of the report. Use this with one of the dynamic time ranges
(see “Time Range Parameters” on page 122). Only the interactive
HTML format supports this parameter.
-1
The report will not reload automatically (default)
<seconds>
Number of seconds between refreshes
splash – controls whether the splash screen is shown.
true
The splash screen is shown if it has not already been shown
(default).
false
The splash screen is not shown.
Time Range Parameters
Setting Start and End Times
You can specify a fixed start and end time in plain text or in UTC,
which is the number of milliseconds since 1 Jan 1970.
stime – specifies the start of the required time range.
<time>
The time in milliseconds UTC
<dd>/<MM>/<yyyy>%20<HH>:<mm>
The time: <dd> is the date, <MM> the month, <yyyy> the year,
%20 a URL-encoded space character, <HH> the hour in the
24-hour clock and <mm> the minutes
etime – specifies the end of the required time range.
<time>
The time in milliseconds UTC
<dd>/<MM>/<yyyy>%20<HH>:<mm>
The time: <dd> is the date, <MM> the month, <yyyy> the year,
%20 a URL-encoded space character, <HH> the hour in the
24-hour clock and <mm> the minutes
Creating a Fixed Length URL with Current Time Range
To create a URL that always shows a current time range, specify a
number of milliseconds ending at the time the report is generated.
length – specifies the length of the required time range.
<millis>
The length in milliseconds
Setting a Simple Calendar-Based Time Range
A simple calendar-based time range is a given number of units ending
when the report generates or at the end of the last full unit before
the report generates.
unit – specifies the unit to measure the time range in.
hour
Hours
day
Days
week
Weeks
mon
Weeks starting on a Monday
tue
Weeks starting on a Tuesday
wed
Weeks starting on a Wednesday
thu
Weeks starting on a Thursday
fri
Weeks starting on a Friday
sat
Weeks starting on a Saturday
sun
Weeks starting on a Sunday
month
Months
quarter
Quarters
halfyear
Half-years
year
Years
nunitsago – specifies the number of units before the time of report
generation the time range should end.
0
The time range will end at the end of the current unit at the time of
report generation; this is likely to be later than the time of report
generation
1
The time range will extend to the end of the last full unit before
the time of report generation (default)
<number>
The time range will extend to the end of this number of full units
before the time of report generation
nunits – specifies the number of units required. This may include a
partial unit.
1
The time range will extend for a single unit (default)
<number>
The time range will extend for this number of units
Setting an Advanced Calendar-Based Time Range
An advanced calendar-based time range has an optional start date
specified as a given number of units before the time of report
generation, defaulting to the day of report generation. Specify the
start time in plain text. Specify the optional end date in the same way
as the start date, defaulting to the same day as the start date. Specify
the end time in plain text.
date_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range starts and ends.
day
Days
week
Weeks
mon
Weeks starting on a Monday
tue
Weeks starting on a Tuesday
wed
Weeks starting on a Wednesday
thu
Weeks starting on a Thursday
fri
Weeks starting on a Friday
sat
Weeks starting on a Saturday
sun
Weeks starting on a Sunday
month
Months
quarter
Quarters
halfyear
Half-years
year
Years
sdate_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range starts. Format as
for date_unit above.
sdate_nunitsago – (optional) specifies the number of units before
the time of report generation of the first day of the time range.
1
The first day of the time range is the first day of the current
unit at the time of report generation (default)
<number>
The first day of the time range is at the start of this number of
full units before the time of report generation
edate_unit – (optional) specifies the unit to measure how long
before the report is generated that the time range ends. Format as
for date_unit above.
edate_nunitsago – (optional) specifies the number of units before
the time of report generation of the last day of the time range.
0
The last day of the time range is the first day of the unit
following the current unit at the time of report generation
1
The last day of the time range is the first day of the current unit
at the time of report generation (default)
<number>
The time range extends to the end of this number of full units
before the time of report generation
stime – specifies the time of day at which the time range starts.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes
etime – specifies the time of day at which the time range ends.
<HH>:<mm>
The time, with <HH> being the hour in the 24-hour clock and <mm>
being the minutes
Applying a Time-of-Day Mask to the Time Range
If the time range is longer than a day, you may want to restrict it to
just certain times on each day. For example, you can select only
working hours or only non-working hours.
If a long-term report has a configured time zone or mask, this
parameter will have no effect.
timemask – specifies an inclusive mask to apply to the time range. To
specify multiple inclusive masks, include a parameter name and value
in the URL for each mask.
<day1><day2>/<time1><time2>
The range of weekdays and the times on those
weekdays to include in the mask. A weekday is SUN,
MON, TUE, WED, THU, FRI or SAT, day2 coming on or
after day1 in the list above. Time is in the 24-hour
form hh:mm, and time2 is after time1
Setting a Time Zone
By default, the time zone of the NetFlow Tracker is used to interpret
calendar-based time ranges and time-of-day masks. You can specify a
non-default time zone. Note: If a long-term report has a configured
time zone or mask, this parameter has no effect.
timezone – specifies the time zone of the view.
0
(GMT-12:00) International Date Line West
1
(GMT-11:00) Midway Island, Samoa
2
(GMT-10:00) Hawaii
3
(GMT-09:00) Alaska
4
(GMT-08:00) Pacific Time (US & Canada); Tijuana
15
(GMT-07:00) Arizona
10
(GMT-07:00) Mountain Time (US & Canada)
13
(GMT-07:00) Chihuahua, La Paz, Mazatlan
33
(GMT-06:00) Central America
20
(GMT-06:00) Central Time (US & Canada)
30
(GMT-06:00) Guadalajara, Mexico City, Monterrey
25
(GMT-06:00) Saskatchewan
45
(GMT-05:00) Bogota, Lima, Quito
35
(GMT-05:00) Eastern Time (US & Canada)
40
(GMT-05:00) Indiana (East)
50
(GMT-04:00) Atlantic Time (Canada)
55
(GMT-04:00) Caracas, La Paz
56
(GMT-04:00) Santiago
60
(GMT-03:30) Newfoundland
65
(GMT-03:00) Brasilia
70
(GMT-03:00) Buenos Aires, Georgetown
73
(GMT-03:00) Greenland
75
(GMT-02:00) Mid-Atlantic
80
(GMT-01:00) Azores
83
(GMT-01:00) Cape Verde Is.
90
(GMT) Casablanca, Monrovia
85
(GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London
110
(GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
95
(GMT+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
105
(GMT+01:00) Brussels, Copenhagen, Madrid, Paris
100
(GMT+01:00) Sarajevo, Skopje, Warsaw, Zagreb
113
(GMT+01:00) West Central Africa
130
(GMT+02:00) Athens, Beirut, Istanbul, Minsk
115
(GMT+02:00) Bucharest
120
(GMT+02:00) Cairo
140
(GMT+02:00) Harare, Pretoria
125
(GMT+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
135
(GMT+02:00) Jerusalem
158
(GMT+03:00) Baghdad
150
(GMT+03:00) Kuwait, Riyadh
145
(GMT+03:00) Moscow, St. Petersburg, Volgograd
155
(GMT+03:00) Nairobi
160
(GMT+03:30) Tehran
165
(GMT+04:00) Abu Dhabi, Muscat
170
(GMT+04:00) Baku, Tbilisi, Yerevan
175
(GMT+04:30) Kabul
180
(GMT+05:00) Ekaterinburg
185
(GMT+05:00) Islamabad, Karachi, Tashkent
190
(GMT+05:30) Chennai, Kolkata, Mumbai, New Delhi
193
(GMT+05:45) Kathmandu
201
(GMT+06:00) Almaty, Novosibirsk
195
(GMT+06:00) Astana, Dhaka
200
(GMT+06:00) Sri Jayawardenepura
203
(GMT+06:30) Rangoon
205
(GMT+07:00) Bangkok, Hanoi, Jakarta
207
(GMT+07:00) Krasnoyarsk
210
(GMT+08:00) Beijing, Chongqing, Hong Kong, Urumqi
227
(GMT+08:00) Irkutsk, Ulaan Bataar
215
(GMT+08:00) Kuala Lumpur, Singapore
225
(GMT+08:00) Perth
220
(GMT+08:00) Taipei
235
(GMT+09:00) Osaka, Sapporo, Tokyo
230
(GMT+09:00) Seoul
240
(GMT+09:00) Yakutsk
250
(GMT+09:30) Adelaide
245
(GMT+09:30) Darwin
260
(GMT+10:00) Brisbane
255
(GMT+10:00) Canberra, Melbourne, Sydney
275
(GMT+10:00) Guam, Port Moresby
265
(GMT+10:00) Hobart
270
(GMT+10:00) Vladivostok
280
(GMT+11:00) Magadan, Solomon Is., New Caledonia
290
(GMT+12:00) Auckland, Wellington
285
(GMT+12:00) Fiji, Kamchatka, Marshall Is.
300
(GMT+13:00) Nuku'alofa
Setting the Chart Sample Size
When you create a real-time chart, the system chooses a sample size
that creates as close to 150 samples over the full width of the chart as
possible. You can specify a different sample size to show, for example,
a day in hour-long samples or a month in day-long samples.
sample_unit – specifies the unit to measure the sample size in.
minute
Minutes
hour
Hours
day
Days
week
Weeks
month
Months
quarter
Quarters
halfyear
Half-years
year
Years
sample_nunits – specifies the number of units in each sample.
1
Each sample will be one unit long (default)
<number>
Each sample will be this number of units long
Setting the Source Long-term Data
When you create a long-term chart or tabular report, the source data
is chosen so the time range will be in as close to 150 samples as
possible. You can override this if you wish.
range – specifies the source long-term data to use.
daily
Daily data (ten minute samples) are used
weekly
Weekly data (one hour samples) are used
monthly
Monthly data (six hour samples) are used
quarterly
Quarterly data (twelve hour samples) are used
halfyearly
Half-yearly data (one-day samples) are used
yearly
Yearly data (two-day samples) are used
sample – specifies the source long-term data to use.
10minute
Daily data (ten minute samples) are used
1hour
Weekly data (one hour samples) are used
6hour
Monthly data (six hour samples) are used
12hour
Quarterly data (twelve hour samples) are used
1day
Half-yearly data (one-day samples) are used
2day
Yearly data (two-day samples) are
Filter Parameters
You can apply any number of filters to a report. Each filter is a set of
acceptable values for a certain aspect of the source data. If you do
not specify a filter, then all values are accepted.
To specify multiple acceptable values for a filter, include the
parameter name and value in the URL once for each value.
Note: The filters that you can apply to a long-term report depend
upon the report’s type.
sf – specifies a saved filter to apply to the report. The ID for a saved
filter is available in Report Settings.
<id>
A saved filter ID
device – specifies the address of a permitted NetFlow-exporting
device.
<addr>
The address in dotted-decimal format (a.b.c.d)
inif – specifies a permitted input interface, thus selecting inbound
traffic on the interface.
<addr>/<id>
The interface: addr is the address of the NetFlow-exporting
device in dotted-decimal format and id is the NetFlow
Tracker-specific interface identifier
<addr>/<ifindex>
The interface: addr is the address of the NetFlow-exporting
device in dotted-decimal format and ifindex is the current
SNMP interface index assigned to the interface
outif – specifies a permitted output interface, thus selecting
outbound traffic on the interface. Format as for inif above.
if – specifies a permitted input or output interface of the flow, thus
selecting traffic passed in both directions across the interface. Format
as for inif above.
invpn – specifies a Virtual Private Network (VPN) that the input
interface must be part of.
<name>
The VPN name; see Device Settings for more information
<id>
The VPN identifier
outvpn – specifies a VPN that the output interface must be part of.
Format as for invpn above.
vpn – specifies a VPN that either interface must be part of. Format as
for invpn above.
srcaddr – specifies a permitted source address.
<addr>
The address in dotted-decimal format
srcaddr_exclude=true – specifies that the supplied source
addresses are excluded rather than included.
dstaddr – specifies a permitted destination address. Format as for
srcaddr above.
dstaddr_exclude=true – specifies that the supplied destination
addresses are excluded rather than included.
addr – specifies a permitted source or destination address. Format as
for srcaddr above.
addr_exclude=true – specifies that the supplied source or
destination addresses are excluded rather than included.
proto – specifies a permitted IP protocol.
<name>
The protocol name, such as TCP or UDP
<number>
The protocol number, in the range 0-255
proto_exclude=true – specifies that the supplied protocols are
excluded rather than included.
srcport – specifies an acceptable source application port number.
<port>
The application port number in the range 0-65535
<port1><port2>
A range of port numbers, with port1 being the start of the
range and port2 the end
srcport_exclude=true – specifies that the supplied source
application port numbers are excluded rather than included.
dstport – specifies an acceptable destination application port
number. Format as for srcport above.
dstport_exclude=true – specifies that the supplied destination
application port numbers are excluded rather than included.
srcappl – specifies a permitted source IP application.
<port>/<name>
The application: port is the application port number in the
range 0-65535 and name is the protocol name, such as TCP
or UDP
<port>/<number>
The application: port is the application port number in the
range 0-65535 and number is the protocol number in the
range 0-255
<name>
The name of a grouped application
srcappl_exclude=true – specifies that the supplied source
applications are excluded rather than included.
dstappl – specifies a permitted destination IP application. Format as
for srcappl above.
dstappl_exclude=true – specifies that the supplied destination
applications are excluded rather than included.
appl – specifies a permitted source or destination IP application port.
Format as for srcappl above.
appl_exclude=true – specifies that the supplied source or
destination applications are excluded rather than included.
recappl – specifies a permitted recognized IP application port.
Format as for srcappl above.
recappl_exclude=true – specifies that the supplied recognized
applications are excluded rather than included.
applid – specifies a permitted identified application.
<name>
The identified application name; see Device Settings for more
information
<id>
The identified application identifier
applid_exclude=true – specifies that the supplied identified
applications are excluded rather than included.
tos – specifies a permitted Type-of-Service byte.
<prec>
The precedence, in the range 0-7
<tos>
A string of letters indicating which ToS bits you must set or
unset.
D - low delay, d - normal delay
T - high throughput, t - normal throughput
R - high reliability, r - normal reliability
M - minimize monetary cost, m - normal monetary cost.
Any bits not specified as set or unset are disregarded.
<prec>%20<tos>
The precedence and ToS as above; %20 being a URL-encoded
space character
tos_exclude=true – specifies that the supplied Type-of-Service
values are excluded rather than included.
ds – specifies a permitted differentiated service codepoint.
<name>
The assigned name of the codepoint
<code>
The six-digit binary representation of the codepoint
<byte>
The value of the entire Type-of-Service byte, in the range 0-255
ds_exclude=true – specifies that the supplied differentiated service
codepoints are excluded rather than included.
class – specifies a permitted traffic class.
<name>
The traffic class name. See “Applying Traffic Class IDs” on page 21.
<id>
The traffic class identifier
class_exclude=true – specifies that the supplied traffic classes are
excluded rather than included.
srcas – specifies a permitted source autonomous system number.
<as>
The AS number, in the range 0-65535
srcas_exclude=true – specifies that the supplied source
autonomous system numbers are excluded rather than included.
dstas – specifies a permitted destination autonomous system
number. Format as for srcas above.
dstas_exclude=true – specifies that the supplied destination
autonomous system numbers are excluded rather than included.
as – specifies a permitted source or destination autonomous system
number. Format as for srcas above.
as_exclude=true – specifies that the supplied source or destination
autonomous system numbers are excluded rather than included.
srcnet – specifies a permitted source subnet. Note that the subnet
mask supplied by the router is ignored.
<addr>/<mask>
The subnet: addr is the network address in dotted-decimal
format and mask is the mask length, in the range 0-32
srcnet_exclude=true – specifies that the supplied source subnets
are excluded rather than included.
dstnet – specifies a permitted destination subnet. Format as for
srcnet above.
dstnet_exclude=true – specifies that the supplied destination
subnets are excluded rather than included.
net – specifies a permitted source or destination subnet. Format as
for srcnet above.
net_exclude=true – specifies that the supplied source or
destination subnets are excluded rather than included.
srcmask – specifies a permitted source subnet mask, as supplied by
the router.
<mask>
The mask length, in the range 0-32
srcmask_exclude=true – specifies that the supplied source subnet
masks are excluded rather than included.
dstmask – specifies a permitted destination subnet mask. Format as
for srcmask above.
dstmask_exclude=true – specifies that the supplied destination
subnet masks are excluded rather than included.
mask – specifies a permitted source or destination subnet mask.
Format as for srcmask above.
mask_exclude=true – specifies that the supplied source or
destination subnet masks are excluded rather than included.
nexthop – specifies a next-hop address.
<addr>
The address in dotted-decimal format
nexthop_exclude=true – specifies that the supplied next-hop
addresses are excluded rather than included.
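The following example is added here and is not part of the original guide. It assembles a report URL in the General Format from the report, time range and filter parameters described above, enforcing the constraints the guide states (one of templid, id or cid; visible and invisible columns not mixed; address, subnet and port ranges). The server name, port, column heading and incident window are constructed values, and only a subset of filters and features is handled.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
REPORT_KEYS = {"templid", "id", "cid"}      # the guide: never combine these
ADDR_FILTERS = {"device", "srcaddr", "dstaddr", "addr", "nexthop"}
NET_FILTERS = {"srcnet", "dstnet", "net"}
PORT_FILTERS = {"srcport", "dstport"}
EXCLUDABLE = (ADDR_FILTERS | NET_FILTERS | PORT_FILTERS) - {"device"}
# Subset of the values listed under the "features" parameter.
FEATURES = {"print_csv": 256, "page_navigator": 4096, "sortable_headers": 8192}


def to_millis(dt):
    """Milliseconds since 1 Jan 1970 UTC for a timezone-aware datetime."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def check_filter(name, value):
    """Validate one filter pair against the formats given in the guide."""
    if name.endswith("_exclude"):
        if name[: -len("_exclude")] not in EXCLUDABLE or value != "true":
            raise ValueError(f"bad exclude flag: {name}={value}")
    elif name in ADDR_FILTERS:
        ipaddress.IPv4Address(value)             # dotted-decimal a.b.c.d
    elif name in NET_FILTERS:
        addr, _, mask = value.partition("/")     # <addr>/<mask>, mask 0-32
        ipaddress.IPv4Address(addr)
        if not (mask.isdigit() and int(mask) <= 32):
            raise ValueError(f"mask length out of range: {value}")
    elif name in PORT_FILTERS:
        if not (value.isdigit() and int(value) <= 65535):
            raise ValueError(f"port out of range: {value}")
    else:
        raise ValueError(f"filter not handled by this example: {name}")


def build_report_url(server, port, report, start, end, filters=(),
                     visible=(), features=(), fmt=None, nrecords=None):
    """Build http://<server>:<port>/report.jsp?prm=value&prm=value...

    report is a (kind, identifier) pair such as ("templid", "0012").
    filters is a sequence of (name, value); repeat a name for several values.
    """
    kind, ident = report
    if kind not in REPORT_KEYS:
        raise ValueError("report must be a templid, id or cid")
    stime, etime = to_millis(start), to_millis(end)
    if etime <= stime:
        raise ValueError("etime must be after stime")
    hidden = [heading.startswith("-") for heading in visible]
    if any(hidden) and not all(hidden):
        raise ValueError("visible and invisible columns cannot be mixed")

    pairs = [(kind, ident), ("stime", stime), ("etime", etime)]
    for name, value in filters:
        check_filter(name, str(value))
        pairs.append((name, value))
    pairs += [("visible", heading) for heading in visible]
    if features:
        # The features value is the sum of the individual feature values.
        pairs.append(("features", sum(FEATURES[f] for f in features)))
    if fmt is not None:
        pairs.append(("format", fmt))
    if nrecords is not None:
        pairs.append(("nrecords", nrecords))
    # quote() encodes a space as %20 and % as %25; "/" stays literal so
    # values such as <addr>/<mask> keep the form shown in the guide.
    query = urlencode(pairs, safe="/", quote_via=quote)
    return f"http://{server}:{port}/report.jsp?{query}"


def demo_url():
    """Conversations (templid 0012) for a constructed 90-minute window."""
    return build_report_url(
        "tracker.example.net", 8080, ("templid", "0012"),
        datetime(2010, 1, 4, 9, 0, tzinfo=timezone.utc),
        datetime(2010, 1, 4, 10, 30, tzinfo=timezone.utc),
        filters=[("srcnet", "10.1.0.0/16"), ("dstport", 445), ("dstport", 3389)],
        visible=["% Traffic"],                   # constructed column heading
        features=["page_navigator", "sortable_headers"],
        nrecords=-1,
    )


if __name__ == "__main__":
    print(demo_url())
```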
Security Parameters
If a username and password are required to access a report, you can
specify them in the URL.
j_username – specifies the username.
<username>
The username
j_password – specifies the password.
<password>
The password
Management Portal Access Control Parameters
A management portal that provides users with access to NetFlow
Tracker reports uses the following parameters. For more information,
see “Management Portal Settings” on page 86.
portalsecret – specifies the secret value assigned to the
management portal in Management Portal Settings.
<secret>
The secret value
acldevice – specifies the address of a permitted device that exports
NetFlow data. Format as for device above.
aclif – specifies a permitted interface. Format as for inif above.
aclvpn – specifies a permitted VPN. Format as for invpn above.
acltemplid – specifies a permitted report template.
null
No report templates are permitted
<id>
A permitted report template; see templid in Report Format
Parameters above for permitted values
aclid – specifies a permitted long-term report.
null
No long-term reports are permitted
<id>
A permitted long-term report; see id in Report Format
Parameters above for permitted values
aclcid – specifies a permitted executive report.
null
No executive reports are permitted
<id>
A permitted executive report; see cid in Report Format
Parameters above for permitted values
aclfiltereditor – specifies a filter that will appear in the Filter
Editor. Note that it will be possible for the user to create reports with
other filters by drilling down or manually editing a URL.
null
No filter editors are permitted
0
Source Device
1
Source Address
2
Dest Address
3
Src/Dest Address
4
Next Hop
5
In Interface
6
Out Interface
7
In/Out Interface
8
Protocol
9
Source Port
10
Dest Port
11
Src/Dest Port
12
Source Application
13
Dest Application
14
Src/Dest Application
15
ToS
16
DiffServ
17
Source AS
18
Dest AS
19
Src/Dest AS
20
Source Subnet
21
Dest Subnet
22
Src/Dest Subnet
23
Source Mask
24
Dest Mask
25
Src/Dest Mask
26
Recognised Application
27
Traffic Class
28
Identified Application
29
VPN
30
In VPN
31
Out VPN
aclsf – specifies a visible saved filter.
null
No saved filters are visible
<id>
A visible saved filter; see sf in Filter Parameters above for
permitted values
aclfeatures – specifies the permitted interactive report features.
For parameters, see features.
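Because j_password and portalsecret are carried in the query string, their values are recorded wherever the report URL is logged. The following example is added here and is not part of the original guide: it finds report URLs carrying those parameters in web access logs (request line or Referer) and redacts the values. The log lines, host name and secret values are constructed, and matching parameter names case-insensitively is an assumption.

```python
import re
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Parameters from this guide whose values are secrets.
SECRET_PARAMS = {"j_password", "portalsecret"}
# Any token that looks like a report URL, absolute or relative.
REPORT_URL = re.compile(r'[^\s"]*report\.jsp\?[^\s"]*')

# Constructed access-log lines in combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jan/2010:09:00:01 +0000] "GET /report.jsp?templid=0012'
    '&j_username=ops&j_password=Winter%212010 HTTP/1.1" 200 5120 "-"',
    '10.0.0.7 - - [04/Jan/2010:09:00:09 +0000] "GET /report.jsp?templid=0001'
    '&nrecords=-1 HTTP/1.1" 200 7300 "-"',
    '10.0.0.9 - - [04/Jan/2010:09:01:30 +0000] "GET /img/logo.png HTTP/1.1" '
    '200 900 "http://tracker.example.net:8080/report.jsp?id=0100'
    '&portalsecret=abc123&acldevice=192.0.2.1"',
]


def redact_report_url(url):
    """Return (URL with secret values replaced, sorted secret names found)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = sorted({k for k, _ in pairs if k.lower() in SECRET_PARAMS})
    clean = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in pairs]
    # Re-encode the way the guide shows values: %20 for space, "/" literal.
    query = urlencode(clean, safe="/", quote_via=quote)
    return urlunsplit(parts._replace(query=query)), found


def scan_access_log(lines):
    """List (line number, secret names, redacted URL) for every exposure."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in REPORT_URL.findall(line):
            redacted, found = redact_report_url(url)
            if found:
                hits.append((number, found, redacted))
    return hits


def scrub_line(line):
    """Rewrite a log line so no report URL in it carries a secret value."""
    return REPORT_URL.sub(lambda m: redact_report_url(m.group(0))[0], line)


if __name__ == "__main__":
    for number, found, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(found)} exposed in {redacted}")
```

Run `scrub_line` over logs before they are forwarded or archived, and treat every hit from `scan_access_log` as a credential or portal secret that needs rotating.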
D: File Formats
CSV File Format
You can convert every standard chart and tabular report to comma-separated-value format for import into a database server or
spreadsheet.
Chart CSV format
Each section is separated by a row of “=” signs. The first section is the
chart title; the second is the time range and filter.
Each following section represents a single chart, equivalent to the
tabs above the chart in interactive mode. The first line of the section
is the name of the chart. The next two rows contain the start and end
time of each sample in milliseconds UTC. Each has an empty column
at the start to accommodate the description of each data row below.
Each data row consists of a description followed by a usage, octet
count or packet count for each sample.
Pie chart CSV format
Each section is separated by a row of “=” signs. The first section is the
chart title; the second is the time range and filter.
Each following section represents a single chart, equivalent to the
tabs above the chart in interactive mode. The first line of the section
is the name of the chart, followed by a row for each charted element
consisting of a description followed by a usage, octet count or packet
count.
Tabular report CSV format
Each section is separated by a row of “=” signs. The first section is the
report title; the second is the time range and filter.
The third section starts with the title of each column, separated by a
comma. Each following line in the section is a row with each value
separated by a comma, and text values contained within double
quotes. There are several differences between a report viewed in a
browser and one converted to CSV. In CSV format all rows are
included, information normally available by hovering the mouse over
a label is unavailable, and traffic and packets passed are output as
simple counts rather than rates.
The fourth section contains column totals, again separated by
commas. There are usually empty values in the total row
corresponding to non-numeric columns.
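As an added example (not part of the original guide and not Fluke Networks code), the Python below parses a tabular report export in the layout just described and lists the columns whose total row disagrees with the listed rows, a quick check for a truncated or altered export before the data is relied on. The sample content, the length of the "=" separator rows, the function names and the assumption that each total equals the sum of its column are constructed for illustration.

```python
import csv
import io

# Constructed sample; names, values and separator length are assumptions.
SAMPLE = '''Address Pairs
=====
"Last hour","No filter"
=====
"Source Address","Dest Address","Octets","Packets"
"10.0.0.5","192.0.2.10",120000,150
"10.0.0.7","198.51.100.4",80000,90
=====
,,200000,240
'''

def is_separator(row):
    """True for a row whose non-empty cells consist only of '=' signs."""
    cells = [c.strip() for c in row if c.strip()]
    return bool(cells) and all(set(c) == {"="} for c in cells)

def split_sections(text):
    """Return the export as a list of sections, each a list of CSV rows."""
    sections = [[]]
    for row in csv.reader(io.StringIO(text)):
        if is_separator(row):
            sections.append([])
        elif row:  # skip blank lines
            sections[-1].append(row)
    return sections

def parse_tabular(text):
    """Parse a tabular report export into title, filter, rows and totals."""
    sections = split_sections(text)
    if len(sections) < 3 or not sections[2]:
        raise ValueError("expected title, time range/filter and data sections")
    columns, *data = sections[2]
    if any(len(r) != len(columns) for r in data):
        raise ValueError("row width does not match the column titles")
    totals = sections[3][0] if len(sections) > 3 and sections[3] else []
    return {
        "title": ", ".join(sections[0][0]) if sections[0] else "",
        "filter": [cell for row in sections[1] for cell in row],
        "rows": [dict(zip(columns, r)) for r in data],
        "totals": {c: float(t) for c, t in zip(columns, totals) if t.strip()},
    }

def totals_mismatch(report):
    """Columns whose total differs from the sum of the rows (assumed equal)."""
    return [c for c, t in report["totals"].items()
            if sum(float(r[c]) for r in report["rows"]) != t]
```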
XML Format
You can convert every standard chart and tabular report to XML for
use in external software. The XML schemas are in the xml subfolder
underneath the NetFlow Tracker installation folder.
The root of each XML document contains the report title. The first tag
in the root contains data about the NetFlow Tracker version that
generated the document.
The next tag contains data about the filter applied to the report. The
time range is set as a start and end in both milliseconds UTC and year,
month, day, hour, etc. The number of milliseconds spanned by the
time range is provided, taking into account the time mask applied, if
any.
Chart XML format
Each chart is described in a separate tag with a title attribute
equivalent to the title in the tabs above the chart in interactive mode.
The next tag describes the types and headings of each column in the
description of each charted element; the subsequent tag provides the
type, heading and overall total for each summary column.
The final tag describes each charted element, or dataset. Each dataset
has a value for each description column (unless it is marked as being
an “others” dataset) and a value for each summary column. This is
followed by the start and end time and value for each sample that
makes up the dataset.
Pie chart XML format
The pie chart format is very similar to the chart format, but there are
no datasets.
Tabular report XML format
A tabular report is described using two tags. The first describes the
type and heading of each column in the report; any column totals are
included here.
The second section describes each row in the table. If the number of
rows is restricted, the attributes of the result tag provide the start
result, number of results output and the total number of results in
the report. Each result contains a value for each column.
A
Acrobat Reader, version supported 7
Address Pairs report 108
Addresses report 107
alarms 73
baselines 74, 75, 76
configuring 77, 78, 80
interface 79
metrics 78, 80
persistent changes 75, 79
severity and life cycle 74
thresholds and sensitivity 74, 79
tips 76
types 73
applications
conversations 32
top for device 31
top for interface 32
archiving data 96
AS names 92
AS Pairs report 110
ASes report 110
B
baselines 74, 75
setting 79
status 76
BGP
applying for devices 18, 19
per-AS data 36
Bi-directional Address Pairs report 108
Bi-directional AS Pairs report 110
Bi-directional Conversations report 109
Bi-directional Network Pairs report 110
Bi-directional Sessions report 109
C
Cflow 1
charts 42
navigating 42
pie 44
viewing data on 42
cid URL parameter 118
Client-Server Sessions view 109
contacting Fluke Networks 2
conversations 32
Conversations report 109
creating
alarms 77
custom home page 28
reports 53
executive 65
long-term 60
real-time 54
scheduled 56
Creating an Interface Alarm 79
D
data
archiving 96
management 3
scaling samples 20
database 3
backing up 94
settings 93
Destination Address Popularity report 108
Destination Addresses report 107
Destination Applications report 108
Destination ASes report 110
Destination Endpoints report 109
Destination Networks report 110
device
deleting 24
top applications and interfaces 31
device settings 18–24
deleting a device 24
device list 20
identified applications 22
interface 22
traffic class IDs 21
devices
deleting 24
viewing 33
viewing long-term 49
Differentiated Services report 110
diffserv names 90
dstport URL parameter 133
Duration report 112
E
etime URL parameter 126
events
forwarding notifications 81
events, viewing 82
lifecycle 83
list 83
timeline 82
executive reports 71
creating 65
HTML cells 70
sub-report cells 68
viewing 71
F
features URL parameter 120
filter parameters 39
custom 113–137
saving 55
filtering data
for long-term reports 50
real-time 37
Fluke Networks, contacting 2
Forensic Conversations report 112
forensics reports 112
H
hostname resolution settings 91
I
id URL parameter 118
Identified Applications report 111
identified applications, applying 22
In Interfaces report 111
installing
Java on Windows 9
NetFlow Tracker
on Linux 11
on Windows 9
preparing 7
interface
conversations 32
marking as inactive 23
scans 25
top applications and usage 32
Interface Pairs report 111
interface settings, applying 22
interfaces
top for device 31
viewing long-term 49
viewing on NetFlow Tracker 34
IP application names 88
grouped applications 89
simple applications 88
IPFIX 1
J
j_password URL parameter 138
j_username URL parameter 138
Java
installing on Windows 9
versions supported 7
JFlow 1
L
language, selecting 14
licensing 15
Linux
installing NetFlow Tracker on 11
versions supported 7
listener ports 16
long-term data
creating reports for 60
database 3
filtering 50
network overview 47
viewing devices and interfaces 49
M
management portal settings 86
URL parameters 138
using Apache as portal server 87
memory settings 97
Microsoft Windows
installing Java on 9
installing NetFlow Tracker on 8, 9
versions supported 6
MPLS 23
MySQL
installation 8
requirements for installation 7
N
NetFlow 2
data received 25
devices exporting 33
enabling on network devices 18, 99–105
versions supported 1
NetFlow Monitor 8
NetFlow Tracker 1
appliance 2
applying settings 15
devices 18
licensing 15
listener ports 16
security 27
SNMP 17
data management 3
deploying 2
filtering real-time data 37
installing
on Linux 11
on Windows 8, 9
monitoring performance 24
opening 13
preparing for installation 7
product services 3
reports 53
selecting language 14
settings
alarm 77
archiving 96
AS names 92
backup 94
database 93
diffserv names 90
hostname resolution 91
IP application names 88
management portal 86
memory 97
notification 81
performance counters 24
report settings 53
subnet names 91
system requirements 5
version information 28
web server 8
netstream 1
NetWatch 8
network devices, enabling NetFlow 18, 99–105
network overview
long-term data 47
real-time data 30
Network Pairs report 110
Next Hops report 111
Nortel IPFIX 1
notification settings 81
nrecords URL parameter 119
O
Out Interfaces report 111
output URL parameter 119
P
packet rate, for application 32
passwords, choosing a protection level 27
performance counters 24
profile alarms 74, 78
Protocols report 108
R
RAID 6
RAM 6
range URL parameter 130
real-time data
database 3
filter parameters 39
filtering data 37
network overview 30
reports
creating 54
viewing 71
Recognized Applications report 109
reports
address 107
chart data 42
executive 65
full flow forensics 112
interface 111
long-term 60
network 110
other 112
QoS 110
scheduling 56
session 108
setting up 53
tabular 45
templates 107
for real-time filtering 38
traffic identification 111
ResponseWatch 8
S
sample URL parameter 131
scheduling reports 56
security settings 27
Server-Client Sessions report 109
Sessions report 109
settings 15
alarms 77
archiving 96
AS names 92
backup 94
database 93
devices 18
diffserv names 90
hostname resolution 91
IP application names 88
licensing 15
listener ports 16
management portal 86
memory 97
notification 81
performance counters 24
reports 53
security 27
SNMP 17
subnet names 91
sf URL parameter 131
sFlow 1
enabling on network devices 106
SNMP
overriding properties for a device 18, 19
setting up trap notifications 81
settings 17
Source Address Dissemination report 108
Source Addresses report 107
Source Applications report 108
Source ASes report 110
Source Endpoints report 109
Source Networks report 110
splash URL parameter 122
srcport URL parameter 133
static baseline 75
stime URL parameter 126
subnet names 91
system requirements 5, 6
T
tables 45
TCP Flags report 112
technical support 4
templid URL parameter 116
threshold alarms 73, 78
Total Address Pairs report 112
Total Conversations report 112
Total report 112
traffic class IDs, applying 21
Traffic Classes report 111
traffic rate
for application 32
interface 32
training 4
Types of Service report 110
U
unprocessed flowsets 26
URL parameters 113–140
general format 116
usage, top for interface 32
V
Visual Performance Manager, NetFlow Tracker deployment in 2
VPNs
associating interface with 22
report 111
W
web browsers 6
weekly baseline 75
Windows
versions supported 6