Network Monitoring & Management


Monday, August 07, 2006

Monitor your network traffic using NetFlow enabled monitoring tools

This article describes how to monitor the traffic passing through a router or host interface using Cisco NetFlow based monitoring tools, in both freeware and commercial versions.
The accompanying image (not reproduced here) gives a rough view of the whole setup.


1) What is NetFlow
2) NetFlow traffic converter
3) NetFlow collection engines and analyzers

1) What is NetFlow

NetFlow is a proprietary Cisco protocol; most current Cisco routers and many Cisco switches support it (check Cisco's platform list for your model, since not every device does). A NetFlow-enabled device does not copy the traffic itself: it keeps a cache of per-flow counters for the packets that traverse its interfaces and, when a flow expires, exports a summary record for it to a NetFlow collector in UDP datagrams. Because export is plain UDP with no authentication or encryption, records can be lost silently and forged by anyone who can reach the collector port, so the collector belongs on a management network and should accept datagrams only from known exporter addresses.

NetFlow has become the standard for network traffic analysis; SNMP alone is no longer sufficient. SNMP interface counters tell you how busy a router link is; NetFlow also tells you which hosts, ports and protocols are causing that utilization.

According to Cisco, a network flow is a unidirectional stream of packets between a given source and destination, where both are defined by a network-layer IP address and by transport-layer source and destination port numbers. Specifically, a flow is identified by the combination of the following key fields:

• Source IP address
• Destination IP address
• Source port number
• Destination port number
• Layer 3 protocol type
• Type of service (ToS)
• Input logical interface

These seven key fields define a unique flow. If a packet differs from another packet in even one key field, it is considered to belong to a different flow. A flow record may carry other accounting fields (such as packet and byte counts, TCP flags, or the source and destination AS numbers in the NetFlow version 5 export format), depending on the export record version you configure.
Versions 5 and 9 are the most widely used NetFlow export formats: v5 has a fixed record layout, while v9 is template-based and can carry additional fields. NetFlow v7 is a variant used by some Catalyst switches.
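To make the seven-field key concrete, here is an added example (not code from the post or from Cisco) that groups constructed packet headers into flows the way a NetFlow cache does and then reports bytes per source address. The dict field names, the sample addresses and the interface names are this example's own assumptions.

```python
"""Group packets into NetFlow-style flows keyed on Cisco's seven key fields.

Added example, not code from the original post. The packet headers are
constructed for the demonstration and the dict field names are this example's
own choice, not NetFlow export field names.
"""
from collections import OrderedDict
from typing import Dict, List, Tuple

# src IP, dst IP, src port, dst port, L3 protocol, ToS, input interface
FlowKey = Tuple[str, str, int, int, int, int, str]


def pkt(ts, src, dst, sport, dport, proto, tos, ifindex, length, flags=0) -> dict:
    """A packet header as a flow-caching device would see it (constructed)."""
    return {"ts": ts, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "ifindex": ifindex, "len": length, "flags": flags}


def flow_key(p: dict) -> FlowKey:
    """The seven key fields; a difference in any one of them means a different flow."""
    return (p["src"], p["dst"], p["sport"], p["dport"], p["proto"], p["tos"], p["ifindex"])


def aggregate(packets: List[dict]) -> Dict[FlowKey, dict]:
    """One accounting record per flow: packet and byte counts, first/last seen, OR'd TCP flags."""
    flows: Dict[FlowKey, dict] = OrderedDict()
    for p in packets:
        rec = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "first": p["ts"],
                                              "last": p["ts"], "tcp_flags": 0})
        rec["packets"] += 1
        rec["bytes"] += p["len"]
        rec["last"] = p["ts"]
        rec["tcp_flags"] |= p["flags"]
    return flows


def top_sources(flows: Dict[FlowKey, dict], n: int) -> List[Tuple[str, int]]:
    """Bytes per source address, largest first: the 'who is causing the utilization' view."""
    totals: Dict[str, int] = {}
    for key, rec in flows.items():
        totals[key[0]] = totals.get(key[0], 0) + rec["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    # HTTP request side: SYN, ACK, then data, all one flow
    pkt(100, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 0x00, "Fa0/0", 60, flags=0x02),
    pkt(101, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 0x00, "Fa0/0", 52, flags=0x10),
    pkt(101, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 0x00, "Fa0/0", 500, flags=0x18),
    # the reply direction is a separate flow, because flows are unidirectional
    pkt(102, "192.0.2.10", "10.0.0.5", 80, 40000, 6, 0x00, "Fa0/1", 1500, flags=0x18),
    # same 5-tuple and interface as the request, but the ToS byte differs: another flow
    pkt(103, "10.0.0.5", "192.0.2.10", 40000, 80, 6, 0x10, "Fa0/0", 52, flags=0x10),
    # a UDP DNS query
    pkt(104, "10.0.0.5", "192.0.2.53", 53001, 53, 17, 0x00, "Fa0/0", 73),
]

if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    for key, rec in flows.items():
        print(key, rec)
    print("top sources:", top_sources(flows, 2))
```

Six packets become four flows: the three request packets collapse into one record (612 bytes, flags SYN|ACK|PSH), the reply direction is its own flow, and the packet that differs only in ToS starts a new one.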

2) NetFlow traffic converter
NDSAD (NetUP Data Stream Accounting Daemon) by NetUP is a daemon that captures the traffic seen on a host's network interface and exports statistics about it in NetFlow v5 format in real time, so a plain server or PC can feed the same collectors a Cisco router would. It is compatible with any traffic accounting system that supports the NetFlow protocol, and it is freeware.
Here is the NDSAD home page:

http://www.netup.biz//ndsad.php

NDSAD has been tested on Linux, FreeBSD, SPARC Solaris and Win32, and is available on its SourceForge project page:

http://www.sourceforge.net/projects/ndsad/
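What NDSAD, or a router, actually sends to the collector is a v5 export datagram: a 24-byte header followed by up to 30 fixed 48-byte records. The following added example (not NDSAD's code, nor any collector's) packs constructed flows into that format and parses them back, rejecting datagrams whose record count disagrees with their length, and shows how the header's flow-sequence counter reveals datagrams lost in transit. The addresses, timestamps and engine id are constructed for the demonstration.

```python
"""Pack and parse NetFlow v5 export datagrams the way an exporter such as NDSAD
sends them and a collector receives them.

Added example, not code from NDSAD or any of the collectors named in the post.
The 24-byte header / 48-byte record layout is Cisco's published v5 format; the
flow values, addresses and timestamps below are constructed for the demo.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_HEADER = struct.Struct("!HHIIIIBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport,
# pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records (24 + 30 * 48 = 1464 bytes)


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    input_if: int
    output_if: int
    packets: int
    octets: int
    first_ms: int
    last_ms: int
    tcp_flags: int = 0
    nexthop: str = "0.0.0.0"
    src_as: int = 0
    dst_as: int = 0


def encode_v5(flows: List[FlowRecord], sys_uptime: int, unix_secs: int,
              sequence: int, engine_id: int = 0) -> bytes:
    """Build one export datagram. `sequence` is the total number of flows exported
    before this datagram, which is what lets a collector notice loss."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f.src), socket.inet_aton(f.dst), socket.inet_aton(f.nexthop),
                       f.input_if, f.output_if, f.packets, f.octets, f.first_ms, f.last_ms,
                       f.sport, f.dport, 0, f.tcp_flags, f.proto, f.tos, f.src_as, f.dst_as, 0, 0, 0)
        for f in flows)
    return header + body


def decode_v5(datagram: bytes) -> Tuple[dict, List[FlowRecord]]:
    """Parse a datagram, refusing anything whose header disagrees with its length.
    Export is plain UDP, so a collector must treat every field as untrusted input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected version {version}")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid, "sampling": sampling}
    flows = []
    for off in range(V5_HEADER.size, len(datagram), V5_RECORD.size):
        (src, dst, nh, inp, out, pkts, octs, first, last, sport, dport,
         _pad1, flags, proto, tos, sas, das, _sm, _dm, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto, tos,
                                inp, out, pkts, octs, first, last, flags, socket.inet_ntoa(nh), sas, das))
    return header, flows


def lost_flows(prev_sequence: int, prev_count: int, sequence: int) -> int:
    """Flows missing between two consecutive datagrams from one engine (UDP drops silently)."""
    return sequence - (prev_sequence + prev_count)


def is_malformed(datagram: bytes) -> bool:
    """True if decode_v5 rejects the datagram."""
    try:
        decode_v5(datagram)
        return False
    except ValueError:
        return True


# Constructed sample: both directions of one HTTP connection plus a DNS query.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "192.0.2.10", 40000, 80, 6, 0, 1, 2, 3, 612, 1000, 1250, tcp_flags=0x1a),
    FlowRecord("192.0.2.10", "10.0.0.5", 80, 40000, 6, 0, 2, 1, 1, 1500, 1100, 1100, tcp_flags=0x18),
    FlowRecord("10.0.0.5", "192.0.2.53", 53001, 53, 17, 0, 1, 2, 1, 73, 1300, 1300),
]
SAMPLE_DATAGRAM = encode_v5(SAMPLE_FLOWS, sys_uptime=5000, unix_secs=1154908800, sequence=120)

if __name__ == "__main__":
    hdr, flows = decode_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} pkts={f.packets} bytes={f.octets}")
    print("flows lost before a datagram with sequence 130:", lost_flows(hdr["flow_sequence"], hdr["count"], 130))
```

The length check matters in practice: a collector that trusts the `count` field and reads `count * 48` bytes from a shorter datagram is reading past the data it received, and since the exporter address in the UDP header is trivially spoofable, the datagram may not have come from your router at all.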

3) NetFlow collection engines and analyzers

To collect and analyze a NetFlow stream, you need a collection engine (which receives the UDP export datagrams and stores the records) and an analyzer (which reports on them). Some popular freeware and commercial tools are listed below.

Cisco NetFlow collection engine and analyzer
Platform: HPUX, Solaris, Linux
Link: ftp://ftp.cisco.com/pub/netmgmt/netflow/

flowd (freeware collection engine)
Platform: Solaris 9, Linux FC2, Linux RH9, FreeBSD 3.5+
Link: http://www.mindrot.org/flowd.html

FlowScan (analyzer only)
Platform: Linux, Unix
Link: http://www.caida.org/tools/utilities/flowscan/pub/

PRTG (freeware, analyzer only)
Platform: Windows 98/ME/2000/XP/2003
Link: http://www.paessler.com/prtg
Posted by Deepesh Goud at 12:56 AM

9 Comments:

Well, NDSAD is a collector actually, and NetUP also has one more open-source tool: Get_XYZ - it's a converter. Also they offer a very flexible billing system, UTM 5!
A manual for the NDSAD collector has appeared on the official web site, www.netup.biz.
NFDUMP and NFSEN are very good free tools (BSD license) for collecting and analyzing Netflow data:

http://nfdump.sourceforge.net/

http://nfsen.sourceforge.net/

I use them in an ISP environment very effectively. Works great for researching DDoS attacks.
I have to point out a correction: not all Cisco devices support NetFlow. Please have a look at this list of NetFlow-supported platforms.
I would like to add this new free network anomaly detection tool that uses NetFlow:

http://www.akmalabs.com/flowmatrix.php
Can anyone recommend a robust managed-service tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central remote PC software? What is your best take on cost vs. performance among those three? I need good advice, please... Thanks in advance!
Nice Blog...very informative
Thanks for the providing good information.
You can visit http://www.solarwinds.com for more information on NetFlow.
Has anybody tried this end-to-end network monitoring software before, from ManageEngine OpManager - http://www.manageengine.com/network-monitoring/
I like these lines of your article: "These seven key fields define a unique flow. If a packet has one key field different from another packet, it is considered to belong to another flow. A flow might contain other accounting fields (such as the AS number in the NetFlow export Version 5 flow format) that depend on the export record version that you configure." network monitoring
