NetFlow Network Monitoring Explained
Cisco developed the NetFlow protocol as part of their Internetwork Operating System (IOS) back in 1996. NetFlow started life as a mechanism to control caching on Cisco routers, and thus speed up network packets. It was but a small step from extracting routing information from the IP packets’ headers to developing a reporting capability for NetFlow. Incidentally, this is why you cannot test SolarWinds Traffic Analyzers without access to a router.
Topics for NetFlow Network Monitoring
- Collecting Network Data
- Data Analysis and Interpretation
- Possible Network Problems NetFlow Can Tackle
- A Six Phase Network Monitoring Plan
By 2013 NetFlow had become a mature technology, and through the use of templates, Version 9 has become future-proof. Network monitoring relies on the routers collecting and then exporting detailed NetFlow (or J-Flow) information in UDP packets. These datagrams are then collected by software such as the Orion NetFlow Traffic Analyzer.
Since NetFlow is open source it can be used by other router manufacturers, and also with traffic analyzers other than Orion. In a parallel development Juniper Networks developed a protocol for their routers called J-Flow which is similar to NetFlow. This is why the Orion NetFlow Traffic Analyzer has the capability to process J-Flow packets in addition to NetFlow.
Because of the open source nature of NetFlow, collecting the UDP packets is straightforward; the skill of the SolarWinds software lies in analyzing the data and presenting it in ways useful to network managers. To complete the picture of the comprehensive nature of the Orion Traffic Analyzer, it can also process ICMP, syslog and SNMP (Simple Network Management Protocol).
Creating the UDP Network Packets
Whether the network packet is TCP or UDP, its IP header holds a mine of information. In order to do its job the router needs to inspect the header of each packet it receives. As the router forwards the packet to its next hop, it records the source, destination and port data. Once it has the records of about 50 packets it exports them in a UDP datagram. It is these UDP NetFlow or J-Flow datagrams that the traffic analyser collects.
Baselines are boring, but without a reference point how would you know if a particular trace is ‘normal’, or whether the network conversation indicates a new problem? It’s always difficult to know where you are going if you don’t know where you have come from.
NetFlow knows who talks to whom. Moreover, it reveals which protocols and ports are involved, and how much data they exchange. The data collection concentrates on the characteristics of the conversations without wasting time on recording the actual data in the conversation. In a nutshell, NetFlow concentrates on the basics of: who, what, when, where, and how.
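To make the export and "who talks to whom" idea concrete, here is an added example (not code from this page or from SolarWinds) that builds a constructed NetFlow v5 datagram, parses it back into flow records, and totals the bytes per conversation. It assumes the fixed v5 layout (24-byte header, 48-byte records) rather than the template-driven Version 9; the addresses, ports and byte counts are made up.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 layout: a 24-byte header followed by fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Return one dict per flow record; reject anything that is not a complete v5 export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        # Never trust the header's record count over the bytes actually received.
        raise ValueError("datagram truncated: fewer records than the header claims")
    flows = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last = fields[:9]
        sport, dport, _pad, tcp_flags, proto = fields[9:14]
        flows.append({"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
                      "proto": proto, "sport": sport, "dport": dport,
                      "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags})
    return flows

def conversations(flows: list[dict]) -> dict:
    """Who talks to whom, over which protocol and service port, and how many bytes in total."""
    totals: dict = {}
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        totals[key] = totals.get(key, 0) + f["bytes"]
    return totals

def build_v5_datagram(records: list[tuple]) -> bytes:
    """Pack (src, dst, proto, sport, dport, pkts, octets) tuples into a v5 export (constructed data)."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4, 1, 2,
                       pkts, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, sp, dp, pkts, octets in records)
    return header + body

if __name__ == "__main__":
    sample = build_v5_datagram([("10.0.0.5", "10.0.1.20", 6, 51234, 443, 10, 4200),
                                ("10.0.0.5", "10.0.1.20", 6, 51235, 443, 4, 800),
                                ("10.0.0.9", "10.0.2.7", 17, 5353, 53, 1, 90)])
    for conv, total in conversations(parse_netflow_v5(sample)).items():
        print(conv, total)
```

A collector that fed this parser from a real socket would check the truncation case the same way, since the record count in the header is attacker-controllable data.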
One of the differences between SolarWinds Real-time and Orion software is that the Orion package stores the network traffic in an SQL database; as a result you can analyze historic data to search for patterns, or research when a particular trend started.
- Slow network. Latency caused by the number of nodes and their distance from the routers or backbone. Would sub-netting help?
- Tracing the root cause of a problem, run it to ground.
- Where to monitor? Traffic Analyzers can check multiple routers.
Many in the computing community suffered from the Slammer virus in 2003, but that could never happen again? Could it? In reality there will be other attacks and the problem is that the next successful network virus won’t be like the last.
The best that you can hope for is that people like Cisco will get early warning of the new killer virus and their engineers will be the first with a solution. If you have experience of network monitoring you will know if you are affected, and you will understand how to implement the fixes that will be posted on the internet quickly.
Reviewing the history may help to show patterns and thus put you on the right track for finding the sporadic cause.
If in doubt, Guy always blames the database
If a slow network problem is not immediately obvious, check the database(s) on the suspect server. What I find is that the problem is not with the trusty network, which has not changed in 2 years, but some new database administrator has done something ‘clever’ that is crippling the network.
- Preparation – Create a baseline and thus understand normal business activity.
- Identification – Record the UDP sources, destinations and the port number.
- Classification – What are the characteristics of the virus? E.g. packet size and port number.
- Trace-back – Identify the source of any virus or attack.
- Reaction – Block inbound and outbound access via ACLs.
- Follow-up – Continue to be vigilant. Redouble preparation for the next attack.
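The Preparation, Identification and Classification phases above, worked as an added example (not the page's or SolarWinds' code): per-port byte totals from five constructed "normal" days form the baseline, and a constructed new day is classified against it. A port is reported when it never appeared in the baseline, when it exceeds the baseline mean by more than k standard deviations, or when a normally busy service has gone silent; the day count, threshold and traffic figures are all assumptions.

```python
from statistics import mean, pstdev

# Constructed baseline: total bytes per (IP protocol, destination port) on five
# 'normal' business days, as summarised from the collected flow records.
BASELINE_DAYS = [
    {(6, 443): 9_800_000, (6, 25): 1_200_000, (17, 53): 300_000},
    {(6, 443): 10_100_000, (6, 25): 1_150_000, (17, 53): 310_000},
    {(6, 443): 9_500_000, (6, 25): 1_300_000, (17, 53): 290_000},
    {(6, 443): 10_400_000, (6, 25): 1_100_000, (17, 53): 320_000},
    {(6, 443): 9_900_000, (6, 25): 1_250_000, (17, 53): 305_000},
]
# Constructed 'today': DNS traffic almost ten times its norm plus a UDP port never seen before.
TODAY = {(6, 443): 10_200_000, (6, 25): 1_180_000, (17, 53): 2_900_000, (17, 1434): 4_500_000}

def classify_day(today: dict, baseline_days: list, k: float = 3.0, min_bytes: int = 50_000) -> list:
    """Compare one day's per-port byte counts against the baseline.

    Returns (key, reason, observed_bytes, baseline_mean) for every port that is new,
    unusually busy (above mean + k standard deviations) or unexpectedly silent.
    """
    findings = []
    keys = set(today).union(*baseline_days)
    for key in sorted(keys):
        history = [day.get(key, 0) for day in baseline_days]
        observed = today.get(key, 0)
        mu, sigma = mean(history), pstdev(history)
        if mu == 0:                      # never seen during preparation
            if observed >= min_bytes:    # ignore trivial noise on unknown ports
                findings.append((key, "new port absent from baseline", observed, 0))
        elif observed > mu + k * sigma:
            findings.append((key, f"above baseline mean + {k}*stddev", observed, round(mu)))
        elif observed == 0:
            findings.append((key, "silent today but active in baseline", observed, round(mu)))
    return findings

if __name__ == "__main__":
    for key, reason, observed, expected in classify_day(TODAY, BASELINE_DAYS):
        print(f"proto {key[0]} port {key[1]}: {reason} (observed {observed}, baseline {expected})")
```

The per-port keys are the same (protocol, destination port) characteristics the Classification phase asks for, so the findings list is a ready-made starting point for Trace-back.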
Kiwi CatTools is a free program for backing up configuration settings on hardware devices. Here is Guy’s challenge. If you download CatTools, then it will not only take care of backups, but also it will show you something new about the hardware on your network. I could give you a money back guarantee – but CatTools is already free! Thus, I just make a techie to techie challenge, you will learn more about your network if you:
Additional Free and Trial SolarWinds Network Software
These are programs which I have enjoyed evaluating on my network. Some are completely free, while other downloads are trial versions of the full product. I think SolarWinds have a great strategy, namely, supplying a free gadget, which may be all a small company needs, yet providing a big-brother suite of programs for larger organizations.