An Evaluators Guide To Net Flow Tracker

Page 1: An Evaluators Guide To Net Flow Tracker

NetFlow Tracker Evaluation Guide

NetFlow Tracker – Real-time monitoring of NetFlow and IPFIX data for LAN/WAN analysis and troubleshooting

Below you’ll find an introduction to several of the features available with NetFlow Tracker. This is provided to assist you in using the product during the evaluation period in order to understand the capabilities it can provide. Throughout the evaluation period, you are encouraged to call your Fluke Networks sales team as often as necessary to help answer questions and assist in the evaluation.

As you navigate the interface, keep in mind some of the benefits of NetFlow Tracker. During the evaluation of NetFlow Tracker, you can start answering questions like:

• Who are the users and what applications are they using?
• What are my busiest devices and what traffic do they support?
• What was happening during a specific performance issue on the network?
• Are there worms and viruses in my network, where are they, where did they come from, and where are they going?
• How is quality of service working?
• How do I report overall performance and usage of my network?

NetFlow Tracker Benefits

1. Quickly identify what makes up network traffic

• Up-to-the-minute interactive, context-sensitive menus that easily show who the users are, what applications they are using, and how much bandwidth they are taking
• Locate the users causing network congestion
• Track unauthorized network traffic
• Report on interface-based statistics in addition to flow data (utilization and throughput; average/peak traffic rate, etc.)
• Monitor multiple routers, switches, and interfaces
• Report on traffic prioritization via Type of Service and DiffServ CoS settings
• LAN and VLAN visibility
• Next hop views to track traffic flows
• Accurate multicast traffic reporting

2. Report on EVERY flow, not just the top N, using easy drill-down capability

• View every single conversation flow with per-minute granularity on every device and interface
• Forensic analysis allows identification of potential worms and viruses on the network
• Within seconds, identify where suspicious activity is, where it came from and where it’s going
• Report on every available NetFlow field for complete visibility (no aggregation)

3. Easy to install and administer

• Leverage existing infrastructure for cost-effective and speedy deployment
• Single tier architecture provides the ability to collect, store and report from the same device. No additional network probes are required.
• A single Tracker server can handle 40K flow records/second.
• Scalability by integrating multiple Tracker data into one management platform with Visual Performance Manager
• Available for Windows 2003 Server, Linux, or Solaris, as well as a turnkey hardened Linux appliance
• 100% browser based interface
• Can utilize NetFlow, IPFIX, jFlow, NetStream and sFlow provided traffic information

4. Flexible Reports

• Tracker supports a multitude of scenarios:
  o Operations and troubleshooting
  o Capacity planning and trend analysis
  o Identifying security threats and abnormal behavior
  o QoS troubleshooting and trending
  o Internet traffic profiling
  o BGP
• Support for real-time (raw NetFlow data), long-term, and executive reports
• Archive real-time data to retain all flows forever
• Filter on any combination of fields
• Customize the granularity and length of time to store long-term data
• Export in several formats; all reports can be accessed via URL

Page 2

An Introduction to NetFlow Tracker

Quick Start

• A NetFlow Tracker 7 day trial license is available at: http://www.flukenetworks.com/fnet/en-us/promotions/NetFlow+Tracker+7+Day+Demo+Page.htm
• A complete Win2003 Server installation is simple and should take less than 15 minutes.
• Tracker is also available on Linux and Solaris platforms, including a turnkey Linux appliance.
• By default, Tracker will save 7 days of “real-time” data (EVERY flow)
• By default, Tracker does not save any “long-term” data (up to 999 years) unless you create long-term reports
• Please see Appendix 1 for info on enabling NetFlow Export/NDE
  o Don’t forget to set the appropriate timeouts for accurate reporting based on 1 minute granularity:
    ip flow-cache timeout active 1 (breaks up long-lived flows into 1-minute segments)
    ip flow-cache timeout inactive 15 (ensures flows that have finished are exported in a timely manner)
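An added example of a minimal NetFlow export configuration for a Cisco IOS router, including the two Quick Start timeouts; this is not the guide's Appendix 1, and the collector address 192.0.2.10, UDP port 2055, Loopback0 and GigabitEthernet0/0 are assumed placeholders to be replaced with your Tracker server's address and listening port and your own interfaces.

```cisco
! Export destination: the Tracker server address and UDP port are placeholders
! (assumed); use the port your Tracker installation actually listens on.
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
ip flow-export source Loopback0
!
! Timeouts from the Quick Start: active flows are cut into 1-minute segments,
! and flows idle for 15 seconds are expired and exported promptly.
ip flow-cache timeout active 1
ip flow-cache timeout inactive 15
!
! Enable flow collection on each interface to be monitored (assumed name).
! Older IOS releases use "ip route-cache flow" instead of "ip flow ingress".
interface GigabitEthernet0/0
 ip flow ingress
!
! Verification from exec mode: confirm flows are cached and being exported,
! then check the Tracker Performance Counters to confirm records arrive.
! show ip cache flow
! show ip flow export
```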

NetFlow Tracker Main Menu:

• After the install, access the web front-end via http://<ip_address_of_tracker_server>:<port>
• Access real-time data (EVERY flow) via Network Overview, Devices and Filter Editor
• Access user-configured long-term reports
• Access user-configured executive reports

NetFlow Tracker Settings:

• Click on the settings page from the main menu.
  o During the initial configuration of Tracker, you should configure/verify SNMP community strings and whether SNMP access was successful
  o You should also verify data is being received via the Performance Counters

On the settings page you can:
• Set up SNMP community string(s)
• Verify SNMP access was successful
• Customize reports and filters (more info later)
• Assign applications based on port numbers
• Archive real-time data to save it forever
• Verify that data is being received

Page 3

Network Overview: Investigate Your Network

• Click on the Network Overview page from the main menu

This is the default home page and provides a simple overview of the top 5 (+ others) devices and interfaces currently carrying the most traffic on the network in the last 60 minutes.

Click on a device or interface to see its top apps and busiest interfaces

Page 4

Devices: View Data on Every Device and their Interfaces

• Click on the Devices page from the main menu. The Devices page lists ALL devices regardless of how busy they are.
  o Sort devices by name, address, recent peak traffic rate and recent peak packet rate by clicking on a column header
  o By default, each peak rate is the highest 2-minute rate in the last 6 hours
  o Click on either device traffic meter to see recent activity: a) current rate (teal) b) recent peak (yellow)

• Click on a device to open a page listing all of that device’s interfaces
  o Interface traffic meters: a) current in (green), peak in (top yellow) b) current out (blue), peak out (bottom yellow)
  o % Usage scales to the interface speed; Relative scales to the busiest direction of the busiest interface

Hover the mouse over an interface’s name to see its speed, type and description

Page 5

• Click on any interface traffic meter to see recent activity

View % Usage, Traffic Rate, or Packet Rate

Working with Charts

From the interface screen above, or from any chart with real-time data, you can drill down into that data by selecting a time window in the chart by dragging with the left mouse button. Highlight a 15-minute window and right-click to view the available reports.

Select “Both” in/out directions, then select “All Reports”. From this window, you can select several reports based on the type of information you want displayed in the chart. You can try any and all of them at this point to get an idea of the many different types of reports available. All are described in the User’s Manual.

Page 6

A few samples of some of the available reports in pie, time, and tabular formats:

• Recognized Applications
• Address Pairs
• Conversations
• Source Address Dissemination
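To make the Address Pairs and Source Address Dissemination reports concrete, here is an added example (not Tracker code) that does the same arithmetic a collector does over per-minute bins: bytes per address pair with the "top N + others" folding used by the charts, and distinct destinations per source, which is what makes a fast-spreading host stand out. The flow records are constructed sample data, and the fan-out threshold is an assumed value.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    start: int   # segment start, seconds from an arbitrary epoch
    end: int     # segment end, seconds
    src: str
    dst: str
    dport: int
    bytes: int

# Constructed sample records, not real traffic. With "ip flow-cache timeout
# active 1" on the router no segment spans more than a minute, so binning on
# the segment start gives honest per-minute figures.
SAMPLE_FLOWS = [
    Flow(0, 45, "10.0.0.5", "203.0.113.9", 443, 900_000),
    Flow(60, 119, "10.0.0.5", "203.0.113.9", 443, 1_200_000),
    Flow(10, 30, "10.0.0.7", "203.0.113.20", 80, 50_000),
    Flow(15, 25, "10.0.0.7", "203.0.113.21", 80, 40_000),
    # one host reaching 40 distinct internal addresses on a single port
    *[Flow(70, 71, "10.0.0.9", f"10.0.1.{i}", 445, 60) for i in range(1, 41)],
]

def bytes_by_address_pair(flows, minute):
    """Bytes per (src, dst) pair for segments starting in the given minute bin."""
    totals = Counter()
    for f in flows:
        if f.start // 60 == minute:
            totals[(f.src, f.dst)] += f.bytes
    return totals

def top_n_plus_others(totals, n):
    """Rank pairs and fold everything past the top N into one 'others' row."""
    ranked = totals.most_common()
    others = sum(b for _, b in ranked[n:])
    return ranked[:n] + ([("others", others)] if others else [])

def source_dissemination(flows, minute):
    """Distinct destination addresses seen per source address in the minute bin."""
    seen = defaultdict(set)
    for f in flows:
        if f.start // 60 == minute:
            seen[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def fanout_alerts(flows, minute, threshold):
    """Sources whose fan-out exceeds the threshold: candidates for a closer look."""
    fanout = source_dissemination(flows, minute)
    return sorted(src for src, n in fanout.items() if n > threshold)
```

Note that the byte-ranked Address Pairs view barely shows the 40 tiny flows from 10.0.0.9 in minute 1, while the dissemination view puts it first; that is why the guide pairs the two reports when looking for worm-like activity.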

Page 7

Chart Legend:

• Select the entire visible time range
• Zoom In/Out from the center of the chart (or the center of the selected time range)
• Chart over time of top N + others displayed in a specific time-frame
• Tabular report shows all data in the time range in one table with multiple pages
• Pie chart of top N + others
• Filter Editor (see later section for more information)
• Reload the page
• Switch between resolvable hostnames and IP addresses
• Save the data in .csv format
• Print the chart
• Open the chart in a new window
• Use the forward and backward buttons to easily look at earlier or later data

Select a 15-minute time period and then view the report “Address Pairs”. Next, click the “Tabular Reports” button.

• View more rows of a tabular report
• Sort on any column
• Select another report from the drop down list on all data or a single row (using the radio button)

Page 8

Creating Filtered Reports

Any chart or tabular report can be created using a powerful dialog called the filter editor. You can access the filter editor from the main menu, or via the Filter Editor icon on a chart or tabular report. You can create new filters here and in Settings-Report Settings. Select Filter Editor from the main menu.

• Choose the type of report you want to create
• Optionally override the optimal sample size for the time range chosen (chart and pie only)
• Choose one or more sources to include in the report
• Add/create specific filters (select Save… to save a new filter)
• Select OK to view the report

Experiment with some preconfigured filters including:
• Time Zone – Change the time zone used to interpret start/end times
• Time Mask – Select only certain times of the day
• Source Address – Restrict the report to traffic with a given source IP address (or set of addresses)
• Recognized Application – Select traffic with the given source or destination application
• TOS – Select only traffic with a type-of-service byte value
Or create your own!

Page 9

Report Settings

Access the Report Settings from the Main Menu: Settings – Report Settings. This page lets you configure various values affecting the way reports and charts appear. You also manage filters, long-term reports, and executive reports from this page. Select Settings from the main menu, and then select Report Settings.

• Optionally override default values for reports (these changes affect all reports)
• Optionally enable standard per-device and per-interface long-term reports
• Create filters to be used in real-time and long-term reports
• Create, edit, and delete long-term reports
• Create, edit, and delete executive reports

Page 10

Creating a Long-Term Report

Long-term reports allow you to look at data over much longer time ranges than is possible with the real-time database. The data is summarized in advance for performance reasons, so you must first identify which reports you would like to see via Settings-Report Settings. A basic report is created across the entire system (it is strongly recommended that it has a filter on at least one source device). Per-device and per-inbound and per-outbound interface reports are created across each device or interface in the system.

• Type a report name, select a Report Template, select a Report Type, and click New
• The ID will be auto-generated and can be used in custom URL reports
• Change the default storage settings to fit your needs
• Select one or multiple source devices
• Select one or more filters to apply to the report
• Select OK to save, and then OK to confirm

Page 11

Creating an Executive Report

Executive Reports are pre-configured templates that contain one or more reports, charts, and/or user-defined HTML. They are used to provide easy access to often-used reports or to group related reports together on one page. You manage executive reports via Settings-Report Settings. You must first create any long-term reports and filters before you can add them to an executive report.

• Enter a name for the executive report and click New
• Enter a sub-report tag (to distinguish it from other reports you’ll add to the executive report)
• Choose Real-time, Long-term, or Custom, and select New

Depending on the report type, you’ll get a familiar dialog that lets you customize a real-time report or select an existing long-term report and apply any filters. (Screenshots: Real-time Report dialog; Long-term Report dialog.)

Page 12

Once you have added sub-reports, you must specify the report content, which is made up of rows; each row contains one or more cells.

• To add a row, click the Add Row button
• To add a cell to that row, click on Add Cell
• Select the sub-report by its tag
• Optionally change the default values of the report view
• Press OK to save

Repeat this process until the executive report contains all the rows and cells for the reports you have configured to view. These reports can then be viewed via Main Menu-Executive Reports.