Make the most of NetFlow by using a collector to analyze the data
Takeaway: David Davis recently wrote an article about the benefits of Cisco's NetFlow technology, and members asked for more. Now he's back with a look at how to use one of the many available NetFlow collectors to analyze the data.
Recently, I wrote an article about Cisco's NetFlow technology. In response to the article, I heard from several TechRepublic members who wanted to learn more about NetFlow and see it in action.
To answer those requests, let's look at how to use one of the many available NetFlow collectors, one that came recommended by a TechRepublic member. But first, let's quickly review why you need a collector.
While Cisco's routers can generate NetFlow information, you must have a collector and analysis program to use the data. This is similar to working with the Simple Network Management Protocol (SNMP).
A network device can generate SNMP traffic, but to make that traffic truly useful, you must have an SNMP management station that can collect it. Many times, that management station will also put the SNMP statistics in a database, which allows you to run reports or generate some sort of alerts. With NetFlow, the situation is no different.
A NetFlow collector collects all the NetFlow information from the various network devices. Most collectors can also perform some kind of data analysis. However, analysis capabilities vary greatly from one collector to another, and so does the price.
In general, most NetFlow collectors offer several capabilities, including network monitoring, application monitoring, user monitoring, network planning, security analysis, accounting and billing, and network traffic data warehousing and mining. Cisco offers a list of third-party NetFlow applications on its Web site. It also lists freeware NetFlow collector software.
In a discussion post in response to my article, TechRepublic member Mrichardson recommended Plixer Scrutinizer as a NetFlow collector; the company even offers a free version.
To demonstrate how a NetFlow collector works, I downloaded and installed the Scrutinizer software. During the installation, I accepted all of the default options. One thing to consider: The free version does limit you to monitoring a single device.
Next, I took a router with a fresh configuration and I configured it to obtain a DHCP IP address. On the router, I entered the following commands:
```
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip flow-export source e0/0
Router(config)# ip flow-export version 5 peer-as
Router(config)# ip flow-export destination 10.253.15.72 2055
Router(config)# interface e0/0
Router(config-if)# ip route-cache flow
```
When that completed, I ran the Scrutinizer application from my desktop. It opened a Web browser interface and prompted me to log in. I used the default username and password combination of admin/admin.
On the Status screen, it had already found the router that I had configured. Figure A offers a screenshot of what I saw.
Figure A
The interface is very intuitive. After clicking the router, I could view graphics for top talkers and top applications. I could even see individual conversations between hosts that the router was able to view. In addition, I could view information by day, week, month, or year.
Figure B, Figure C, Figure D, and Figure E offer some more screenshots from the Plixer Scrutinizer. Keep in mind that this is only a test router without any unicast traffic flowing to it. Therefore, it should only be receiving network broadcasts. In addition, don't forget that there are some disabled features since this is the free version.
Figure B
Figure C
Figure D
Figure E
While SNMP is great for learning about network utilization, you still wonder what traffic is using the network. With NetFlow, you can determine both the network utilization and the traffic that's causing it—and that can be invaluable when it comes to network monitoring.
For more information, check out Cisco's Configuring NetFlow documentation.
David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.





