NetFlow Analyzer User Guide


Contents

1. [Table fragment: 60 Bytes; 3600 seconds; Flows Per Second] You can use the recommendation provided by the software to set your raw data storage period. The maximum raw data storage period is 1 month and the minimum is a day. Similar to the alerting feature, you can choose to have a mail sent whenever the disk space is less than a threshold value; this is set as a percentage value. In addition, you can specify the free disk space threshold below which old raw data will be cleared up. This could be a percentage value of the total disk space. It can also take the value Never, in which case the disk space is not cleared up at all.
One Minute Data Storage Settings: To set the period for which one minute flow data has to be stored, use the Retain One Minute Data option. You could choose one of 1 month, 3 months, 6 months or 1 year. You will require 2 MB of free disk space to store one month of one minute traffic data for a single interface. The default period is 3 months.
NBAR Data Storage Settings: You can use this option to specify the time period for which NBAR data has to be retained. You could retain the NBAR data for a minimum of 1 day or a maximum of 1 year. You will require 30 MB of free disk space in order to store NBAR data for a month for each interface. The default value is 2 months. Click on the Update button for the settings to take effect.
(Zoho Corporation, ManageEngine NetFlow Analyzer Professional)
2. 8. Click the Test button to check whether the credentials are correct. If the test fails, the credentials may be wrong; recheck and enter the correct credentials.
9. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the settings of the SQL Server database.
10. Start the NetFlow Analyzer Server Service to work with MS SQL Server as the database.
Migrating NetFlow Analyzer from MySQL to MSSQL Database
Product Limitations:
- Only the configuration of NetFlow Analyzer can be migrated from MySQL to MSSQL; data migration is not possible.
- Migration to the MSSQL database can take place only if the product is installed on the Microsoft Windows operating system.
- NetFlow Analyzer does not support the following:
  - Automatic deletion of the oldest raw data when free disk space goes below the user defined value.
  - Email alert generation when the free disk space goes below the user defined value.
Note: Please log in to the NetFlow Analyzer server as Local Administrator and make sure that the database user you have specified in the product has Sys Admin permission.
The steps to migrate and run the NetFlow Analyzer server with SQL Server as the database are given below:
1. Stop the NetFlow Analyzer Server Service. Invoke the <NetFlow Analyzer Home> troubleshooting Mysql_Mssql_BackUpContf
3. address.
Operator specific Dashboard permissions: Operators and guest accounts can also create dashboards.
Top N AS reports: Top N AS reports can be selected from the drop down.
Last 15/30 Min reports: You can see the reports for the last 15 and 30 minutes in addition to the already existing time period options.
1/5/15 Min averages in traffic report: You have an option to view 1, 5 and 15 minute average data points in the traffic page.
Consolidated report for a device: Clicking on the device name or IP address from the interface view lets you drill down and view the top 10 interfaces by speed and utilization, and the top 10 protocols, applications, sources, destinations, DSCPs and conversations of that particular device.
Localization: NetFlow Analyzer also supports Croatian, Spanish and Dutch.
New Features in Release 7.5
Customizable dashboard: Users can create a dashboard by placing the widgets as per their requirements. This enables easy understanding of the network behavior in one glance.
Applying this filter in any cryptomap tunnel prevents the GRE traffic getting double counted. Otherwise the cryptomap interface in which NetFlow is enabled double counts the GRE traffic.
Support for MSSQL database: NetFlow Analyzer now supports the MSSQL database also.
This option allows the user to send a screenshot of a page to a particular mail ID.
Now a user can set alerts based on the DSCP names. DSCP names in alerts and IP gr
4. Enhanced Granularity: interface maintained with 1 minute granularity for up to 1 year.
Performance improvement engine: Performance improvement in IP group classification.
Google Map Integration: Integration with Google Maps for a better view of the network.
Application Grouping: to group together applications into a single logical
DSCP Mapping: Ability to report on DSCP mapping.
New Features in Release 5.5.0
NBAR based Reporting: NBAR (Network Based Application Recognition), by intelligent classification of traffic, lets you set the QoS standard.
Scheduling of Reports: Allows setting of time intervals at which network traffic reports are generated automatically and mailed to desired recipient(s).
NetFlow V9 Support: Basic V9 support.
Associating IP address to application: Associate an IP address to an application in addition to port and protocol.
Create Interface Groups: Ability to group interfaces together and monitor traffic.
ToS and TCP_flag: Reports based on TCP flags and ToS can be generated from the Troubleshooting page.
New Features in Release 5.0
Threshold based Alerting: Set up alerts based on link utilization and send emails or SNMP Traps when thresholds are exceeded.
Troubleshooting: Retain raw data
5. Once the schedule settings have been configured, click on the Save button to apply these settings from here on. Also click on the Close button to close the window and proceed to the Schedule List page.
Device Group Management
NetFlow Analyzer lets you create device groups, which consist of a set of routers. A device group can contain any number of routers, and a router can belong to any number of device groups. The Device Group Management option lets you create, manage and delete device groups. Initially, when no device groups have been created, you will see a message that lets you start creating device groups.
Note: The options visible under the Admin Operations menu depend on the user level you have logged in as. Look up User Management to know more about user levels and the respective administrative operations allowed.
Creating a Device Group
Follow the steps below to create a new device group:
1. Click the Add button to create a new device group.
2. Enter a unique name to identify the device group. The same name is displayed in the Device Group menu on the left and will be listed under Available device groups when managing a user.
3. Use the Device Group Description box to enter useful information about the device group.
4. Select the routers needed for this device group from the list of available routers displayed. Once all values have been entered, c
6. 1. Click the Configure network layout on the top right in the Google map view.
2. In the pop up, select the nodes (routers or switches). Provide the link name and description. Click Next.
3. Select the interface relative to which you need to see the traffic details and save.
4. Now you can see the traffic between the two links as per your need.
Various Reports in WAAS
You can find the WAAS reports of each router in the index page of the NetFlow Analyzer. Here the routers that are mapped to a specific WAE, along with the router's IP address, peer WAE, volume of LAN/WAN traffic and its reduction percentage, can be viewed. Click on the router name to view the detailed statistics (optimized traffic, application and connections) of the router selected.
[Screenshot: WAAS report for period Last Hour (report from Feb 22 11:14:00 to Feb 22 11:15:00) with columns Router Name, Router IP, Peer WAE, WAN Traffic, LAN Traffic and Reduction]
Optimized Traffic: Details the percentage of traffic that is WAN and LAN traffic in the specified time period. The WAN traffic denotes optimized traffic whereas LAN traffic denotes unoptimized traffic.
[Screenshot: tabs Optimized Traffic, Optimized Application, Optimized Connections; Custom Report From 2010-06-20 00:00 To 2011-02
7. Source/Destination Address; Source/Destination Network; Source/Destination Nodes; Application; Port; Port Range.
The From and To boxes let you choose custom time periods for the report. Use the IN/OUT box to display values based on IN traffic, OUT traffic, or both IN and OUT traffic. The View per page option lets you choose how many results to display. Once you select all the desired criteria, click the Generate Report button to display the corresponding traffic report. The default report view shows the IP addresses of the hosts. Click the Resolve DNS link to see the corresponding DNS values. You can also sort the data displayed either by Number of packets or Bytes.
Dashboard AS View
The Autonomous System View displays information on all the autonomous systems (AS) to which a router belongs, along with traffic details for each AS. In order to get AS info in this view, you need to configure your router to include AS info. AS information collection is resource intensive, especially when configured for origin AS. In case you are not interested in monitoring peering arrangements, disabling AS collection may improve NetFlow Analyzer performance. The Router List displays each router along with the AS to which it belongs. Click on the AS Name to view the traffic report for that AS. The Dashboard also shows the organization to which the AS belongs and the amount of incoming a
8. - RTP Packet Lost Event Count
- RTP Loss Percent
System Metrics INTF Profile: Octet input at Ingress; Octet output at Egress; Packets received with errors at Ingress; Packets with errors at Egress; Packets discarded at Ingress; Packets discarded at Egress.
System Metrics CPU Profile: CPU Utilization; Collection timestamp.
System Metrics MEMORY Profile: Processor memory utilization; Collection timestamp.
Alert Reports
NetFlow Analyzer generates alerts when the set threshold values are violated. It lists the alert type, threshold value and the hops involved, along with the description. The alert page varies for each of the sessions created.
Top Dash
The Top Dash tab gives you an at-a-glance view of the entire Medianet reports. It reports on the top hops with respect to certain standard metrics:
- Top Packet Discarded IN: Lists the Top N hops with respect to the number of packets discarded by each hop during traffic IN. The table lists the session name, the hop it is monitoring and the number of packets discarded.
- Top Packet Discarded OUT: Lists the Top N hops with respect to the number of packets discarded by each hop during traffic OUT. The table lists the session name, the hop it is monitoring and the number of packets discarded.
- Top CPU Utilized: The table shows the CPU utilization of the top N hops along with the session name.
- Top Mem
9. The Last 7 Days option would generate the report for the last 7 days from the time at which the report is to be generated. Again, the Exclude weekend option would generate for the last 7 days with the data for the weekend (Saturday, Sunday) excluded. For instance, if the report is to be generated on Monday at 10:00 am with the rules set as Last 7 days and Exclude weekend enabled, then the report will be generated for the time period last week's Monday 10:00 hours to Friday 23:59 hours, and from this week's Monday 00:00 hours till 10:00 hours. The 52 most recent reports for this schedule can be accessed from the Schedule List page.
- Monthly: By opting for the Monthly option, you can set the date of the month along with the time at which the report needs to be generated every month. The report could be generated for the previous day, the last 24 hours or any of the options available in the dropdown. By selecting Exclude Weekends, the report can be made to include only data corresponding to Monday through Friday. When the Previous Month option is enabled and the report generation date is set to the 5th of every month at 10:00 hours, then the report will be generated for the whole of last month (first to the last day of the month). When the Exclude weekend option is enabled, then the generated report will exclude all the intervening weekends (Saturday and Sunday). When the Last 30 Days opti
10. The table gives you an instant view of the bandwidth utilization percentage of the top interfaces. It details the top interface name, the device where it is present, and the utilization percentage of IN and OUT traffic. Clicking on the interface name will give you the traffic report of the specific interface.
Top IP groups by speed: The table reports on the top IP groups according to the speed at which traffic passes through each interface associated with it. The table lists the IP group name along with IN and OUT traffic in kbps. Clicking on the IP group name will give you the traffic report of the specific IP group.
Top IP groups by Utilization: The table gives a glance at the top IP groups according to the percentage of bandwidth utilized. The table lists the IP group name and the percentage of IN and OUT traffic. Clicking on the IP Group name will give you the traffic report of the specific IP group.
Alert
The alerts report provides an at-a-glance view of the alerts generated in the network for the last hour and a specified time period. The alerts are generated based on the list of criteria provided in the alert profile. Click on the Last hour or All alert link to view the type of alerts. The report lists the device name, the interface, the time at which the alert was last generated and the number of such alerts. You can generate reports from 1 hour to 24 ho
11. To configure BGP neighbors, issue the following command in router configuration mode:
Command: neighbor {ip-address | peer-group-name} remote-as as-number
Purpose: Specifies a BGP neighbor.
BGP Neighbor Configuration Examples
The following example shows how BGP neighbors on an autonomous system are configured to share information:
    router bgp 109
     network 131.108.0.0
     network 192.31.7.0
     neighbor 131.108.200.1 remote-as 167
     neighbor 131.108.234.2 remote-as 109
     neighbor 150.136.64.19 remote-as 99
In the example, a BGP router is assigned to autonomous system 109, and two networks are listed as originating in the autonomous system. Then the addresses of three remote routers and their autonomous systems are listed. The router being configured will share information about networks 131.108.0.0 and 192.31.7.0 with the neighboring routers. The first router listed is in a different autonomous system; the second neighbor's remote-as router configuration command specifies an internal neighbor with the same autonomous system number at address 131.108.234.2; and the third neighbor's remote-as router configuration command specifies a neighbor on a different autonomous system.
Including AS Info in NetFlow Exports
If you have configured BGP on your network and want NetFlow to report on autonomous systems (AS) info, issue the following command on the
12. (Class: Scans/Probes) 1. Empty TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Empty TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Empty TCP Diagonal Scan (Class: Scans/Probes): Empty TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the destination end.
Empty TCP Grid Scan (Class: Scans/Probes): Empty TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.
Empty TCP Port Scan Reverse (Class: Scans/Probes): 1. Empty TCP flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Empty TCP flows from fewer source hosts to single/multiple destinat
13. Billing in Admin Operations
Creating a Bill Plan
A bill plan can be created on the basis of either one of the following: 1. Speed, 2. Volume.
Speed based billing
The Bill Plan List tab lets you create a new bill plan. To create a bill plan, click on the Add Plan tab. The fields and their descriptions are given below.
Enter Billing Details
Bill Plan: Enter the name you wish to assign to this bill plan.
Bill Plan Description: Describe the plan for detailed understanding and for future reference.
Billing Type: Select speed.
Base Speed: Enter the base speed of the connection in bps (bits per second).
Base Cost: Select the currency from the drop down box and enter the cost.
Additional Speed: Enter the additional speed of the connection in bps.
Additional Cost: Enter the cost for additional usage.
95th Percentile Calculation: Select one of the two options from the drop down box. Selecting In & Out merge will merge the In and Out values and calculate the 95th percentile value. Selecting In & Out separate will calculate the 95th percentile value of IN and the 95th percentile value of OUT separately, and the higher of the two is considered. This is calculated using 5 minute average data points. For better understanding, see the example.
Billing Period: Lets you select the option as quarterly or monthly. In case you select the billing plan as quarterly, the bill will be generated quarterly on the da
14. CBQoS (Class Based Quality of Service) is a Cisco feature set that is part of IOS 12.4(4)T and above. This information is retrieved using SNMP and provides information about the QoS policies applied and class based traffic patterns within an enterprise's network.
Why do I need CBQoS?
Typically, networks operate on the basis of best effort delivery, in which all traffic has equal priority and an equal chance of being delivered. When congestion results, all traffic has an equal chance of being dropped. QoS selects network traffic, prioritizes it according to its relative importance and uses congestion avoidance to provide priority indexed treatment. CBQoS can also limit the bandwidth used by network traffic. CBQoS can make network performance more predictable and bandwidth utilization more effective. Network administrators implement CBQoS policies to ensure that their business critical applications receive the highest priority on the network. CBQoS provides you in depth visibility into the policies applied on your links and the traffic patterns in your various classes of traffic. The pre policy, post policy and drops in different traffic classes, along with the queuing status, enable you to validate the efficiency of your QoS settings.
- Creating a traffic class
- Creating a traffic policy
- Attaching a Traffic Policy to an Interface
- Verifying the Traffic Class and Traffic Policy Information
How do I start CBQoS data collection?
Configuring Policies
15. Chargen/Broadcast ... multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end (Flash Outflood; Class: Crowd). 2. UDP Echo/Chargen/Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.
UDP Echo/Chargen/Broadcast Host Scan (Class: Scans/Probes): 1. UDP Echo/Chargen/Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. UDP Echo/Chargen/Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
UDP Echo/Chargen/Broadcast Host Scan Reverse (Class: Scans/Probes): 1. UDP Echo/Chargen/Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. UDP Echo/Chargen/Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Excess Empty UDP Flows: Flows without any payload, i.e. BytePer
16. Latency, Packet Loss etc.
SNMP V3 support: Support for SNMP V3 has been added in this build.
FNF NBAR integration: Now users can get data on NBAR by configuring flexible NetFlow.
V9 Sampling: NetFlow Analyzer now does NetFlow V9 sampling as well.
Cisco ASA: NetFlow Analyzer now supports Cisco ASA ISO version 8.2 onwards.
CBQoS Child Policy: Child policies can be created under parent policies.
PDF Option in CBQoS: CBQoS reports can be exported as PDF.
Geo Locations reports of IP Addresses: Resolves and groups IP addresses into groups of countries. Lists the traffic usage and bandwidth utilization of the link by the IP addresses from separate countries.
Single Click Scheduling Option: Scheduling reports has been made easier now.
Network Layout using Google maps and Google map widgets: Devices can be located on Google maps, and a click on the link between devices will give details about the link utilization and more.
More Graphical Widgets and some new Widgets added in Dashboard: The widgets have become more graphical, which means it is now easier to interpret data.
Sampling rate accounted during the flow calculation: Flow calculation also takes the sampling rate defined by the network administrator into account.
Global search for IP Address link: Type in the IP address of the source, destination, network or any of the given choices and voila, you will get Traffic IN and Traffic OUT details for the particular IP
17. NetFlow Traffic Reports
This section explains all the traffic reports generated by NetFlow Analyzer. NetFlow Traffic reports are based on real time NetFlow data exported from the NetFlow enabled routers. The traffic reports give you an in depth view of the traffic patterns in your network. The traffic reports give you interface specific details of network traffic with one minute granularity. The traffic reports can be accessed by clicking on the interface names displayed in the device view. The traffic reports give you details about the Traffic IN and OUT of every interface in the network. The traffic reports in NetFlow Analyzer include information on Traffic Trends, Top Applications, Top Hosts and Top Conversations. The reports can be generated for a specific time period, from last 15 minutes to last quarter. You can also generate reports for a user specified time period by selecting Custom report. The time period for these graphs is based on the current system time. Once you select the desired date and time, click on Show to display the appropriate traffic report. NetFlow Analyzer also offers other reports like troubleshoot, consolidated, search and compare reports, which will be explained in this section.
Note: You can also view traffic reports for specific IP groups. Click on the IP Group name listed in the Device View.
Real time Traffic Graphs
Ne
18. Probes ... the source end. 2. TCP Fin flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
TCP Fin Host Scan Reverse (Class: Scans/Probes): 1. TCP Fin flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. TCP Fin flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
TCP Fin Diagonal Scan Reverse (Class: Scans/Probes): TCP Fin flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the source end.
TCP Fin Grid Scan Reverse (Class: Scans/Probes): TCP Fin flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
TCP Null Violations: TCP Flows
19. Select Devices: This option allows the user to select the devices in terms of Interface or IP Group. By default, the top 10 interfaces or IP groups by utilization are chosen, which can be modified by clicking on the Modify button.
Generate Report: Generate Report invokes the report for the defined criteria.
Report Options: The Report Options could be chosen to be one of: Show Speed, Show Utilization, Show Packets.
Maximize: When the Generate Report option is invoked, the filter condition frame is minimized to offer a better view of the graph report without scrolling. The filter frame can be restored by using the Maximize button.
Minimize: The Minimize button can be used to minimize the Filter Frame for a better view of the report graph generated without scrolling.
Search Devices
The Search link lets you set criteria and view specific details about the traffic across the network on various interfaces. Data to generate this report is taken directly from aggregated data. Upon clicking the Search link, a pop up with provision to Select Devices and set criteria comes up. In the pop up window that opens up, click the Select Devices link to choose the interfaces on which the report should be generated. Under Search Criteria, enter the criteria on which traffic needs to be filtered. You can enter any of the following criteria to filter traffic:
20. They are assigned based on an algorithm.
Status: Denotes the status of the event, like open/close. You can choose to close or open an event and also delete it once the issue is resolved.
View: Click on View to get the Event Details report.
Note: You can also view the IP address as a resolved DNS value using the Show DNS option.
[Screenshot: Event List page with filter Period Last 6 Hours, Status Open, Resource IP 192.168.5.2, Problem Class Scans/Probes, Problem Short TCP Ack Port Scan; Flows Processed 60709; columns ID, Problem, Offender(s), Routed via, Target(s), Time, Hits; sample rows with IDs 4715, 4667 and 4614 dated 2011-05-25]
21. User Name: The authentication user name for the proxy server.
Password: The corresponding password for the proxy server authentication.
Click on Update once the above required details have been entered.
Google Map Settings
The Google maps feature lets you physically locate your network resources on a map. This enables network administrators to have a feel of how distributed their network is and, more importantly, allows quick and easier drill down to resource specific information. Information on up to 3 top interfaces linked to a router is shown in the map. The Google Map settings page lists all the devices and their corresponding locations. This page gives you the option to place each of the devices in their respective locations.
Assigning a location to a router
Clicking on the Assign link opens up the Google map. Follow the instructions below to place a device on the map:
1. Click on the location to place the device on the map. Use the controls on the top left to navigate or zoom.
2. You will see an image indicating your selection.
3. To change the location, click on the image (it will vanish) and then select a new location.
4. Enter the location in the Location Name field and hit Save location. Now a location has been assigned to a router.
Editing a location
To edit a specific location on the map, click on the Edit link under the Google Map Settings
22. You are asked for a confirmation to delete, and if you confirm, the group is deleted.
DSCP Mapping
The DiffServ model for DSCP Mapping was developed to differentiate IP traffic so that the traffic's relative priority could be determined on a per hop basis. Using DSCP Mapping, you can name the DiffServ code points and monitor their traffic in troubleshooting reports under the DSCP tab. Note that the DSCP reports can be viewed on the Troubleshooting page by clicking on the DSCP tab.
Adding a new DSCP Mapping
Click on the Add button to create a new DSCP Mapping. A window pops out where you may enter the Group Name and the Code Point (a six digit binary number). For example: Data Centre devices, 001001. Click on the Add button to add this mapping.
Modifying a DSCP Mapping
Note: Please note that it is not possible to modify a DSCP Mapping.
Deleting a DSCP Mapping
Select the DSCP Mapping (the combination of QoS Group Name and Code Points) you want to delete and click on the Delete button.
DSCP Group
Quality of Service is used to measure, improve and guarantee transmission rates, error rates and other characteristics in a network setting. The DiffServ model for DSCP Mapping was developed to differentiate IP traffic so that the traffic's relative priority could be determined on a per hop basis. Using DSCP Mapping you can name the Dif
23. any keyword specifies that one of the match criteria must be met. Use one or more of the following match commands as applicable.
Step 4: Router(config-cmap)# match access-group {access-group | name access-group-name}. Purpose: (Optional) Configures the match criteria for a class map on the basis of the specified access control list (ACL). Note: Access lists configured with the optional log keyword of the access-list command are not supported when configuring a traffic class.
Step 5: Router(config-cmap)# match any. Purpose: (Optional) Configures the match criteria for a class map to be successful match criteria for all packets.
Step 6: Router(config-cmap)# match class-map class-name. Purpose: (Optional) Specifies the name of a traffic class to be used as a matching criterion (for nesting traffic classes, i.e. nested class maps, within one another).
Step 7: Router(config-cmap)# match cos cos-number. Purpose: (Optional) Matches a packet based on a Layer 2 class of service (CoS) marking.
Step 8: Router(config-cmap)# match destination-address mac address. Purpose: (Optional) Uses the destination Media Access Control (MAC) address as a match criterion.
Step 9: Router(config-cmap)# match discard-class class-number. Purpose: (Optional) Matches packets of a certain discard class.
Step 10: Router(config-cmap)# match ip dscp dscp-value [dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value]. Purpose: (Optional) Identifies a specific IP differentiated service code point (DSCP) value as a
24. www.ietf.org/html/charters/ipfix-charter.html. IPFIX is an effort to standardize an architecture for IP flow measurement and export. In an IPFIX model, an exporter such as a switch or router collects IP flows and then exports the IP flow information using a transport protocol to a collection server or servers. An IP flow is defined as a set of packets over a period of time that have some common properties. Please refer to the PDF document published by Nortel Devices on this page to configure IPFIX flow exports from your Nortel devices. sFlow exporting devices. sFlow Reporting: What is sFlow? According to sFlow.org, sFlow is an industry-standard technology for monitoring high-speed switched networks. It gives complete visibility into the use of networks, enabling performance optimization, accounting/billing for usage and defense against security threats. It further says sFlow is a sampling technology that meets the key requirements for a network traffic monitoring solution: sFlow is an industry standard with interoperable implementations provided by a wide range of network equipment and software application vendors; sFlow provides a network-wide view of usage and active routes. It is a scalable technique for measuring network traffic, collecting, storing and analyzing traffic data. This enables tens of thousands of interfaces to be monitored from
25. [Tail of an Optimized Connections table row:] 10.136.82.84 | 10.136.58.11 | 1250 | 8014 | TFO, DRE, LZ | 2010-07-26 14:58:03 | 0 | 618.00 Bytes | 564.00 Bytes | 54.00 Bytes | 0.09. Medianet: Cisco's Medianet is an end-to-end architecture that is capable of analyzing voice, video and data traffic and reporting on loss, latency and jitter, thereby helping you optimize rich media applications. It enables you to monitor the flow of packets in your network and become aware of any issues that might impact the flow before it starts to significantly impact the performance of the application in question. Performance monitoring is especially important for video traffic because high-quality interactive video traffic is highly sensitive to network issues. Even minor issues that may not affect other applications can have serious effects on video quality. The Medianet performance monitoring capability, Mediatrace, gives network administrators the ability to view video performance on a specific router to isolate poor video performance. NetFlow Analyzer uses Cisco Medianet to generate reports on the voice and video performance, helping network administrators to isolate the specific hop of a network problem and support quality of service classification or policies. Mediatrace Configuration: The Mediatrace feature in NetFlow Analyzer uses the Web Service Management Agent (WSMA) to import data from the router. To enable WSMA in your router, please do the following steps. Enabli
26. [Security events table residue: rows of "Short TCP Ack Port Scan" events of class Scans/Probes, offender 62.210.136.128 (US), target 192.168.116.172 (IfIndex1/IfIndex2), router 192.168.5.2, timestamps 2011-05-25 17:47:58 to 17:55:34, with a "view" link per row.] 2.1 Customization. 2.1a White List: The White List option allows you to ignore specific events and discard specific flows deemed trusted or allowed network activities for certain resources and problems. Ignore Events: Allows you to ignore specific events of problems for any resource. Select a specific event you want to ignore, click White List and select Ignore Events. In the dialog box that appears you can view the problem name and the resource to be ignored. Click OK to confirm the selection. Note: The problem displayed here is the base problem, and the criteria selected can be managed for all the problems derived from the base problem. View Ignored: Allows you to view the resources ignored for a specific problem. Select a specific event you have already ignored, click White List and select View Ignored. In the new window that appears you can view the problem name and the resource ignored. You can also rem
27. 20 devices will be automatically polled and CBQoS configured. Schedule Reports CSV option, Geo location PDF and CSV: You can export the scheduled reports as CSV in addition to the PDF option already available. The geo location reports can be exported as PDF and CSV. Schedule Business hours for last month: In the scheduled reports you can define business hours for the previous month and previous week reports. Standard Deviation calculation in Traffic Report: Standard deviation values are displayed in the traffic report. Interface performance dashboard: In the consolidated reports, a pie chart has been added for ease of interpretation. Add custom URL widget in Dashboard: You can add a custom, user-defined URL in the dashboard as a widget. New Features in Release 8.5: The latest release of NetFlow Analyzer 8.5 can be downloaded from the website at http://www.netflowanalyzer.com/download.html. Feature | Description: Advanced Security Analytics Module | Security analytics tool that helps in detecting network intrusions and classifying the intrusions to tackle network security threats in real time. New Features in Release 8.0: Feature | Description: IPSLA VoIP | Monitors the key performance metrics of the VoIP network to determine its health. The parameters measured include Jitter
28. [Chart residue: Optimized vs Unoptimized traffic over time, Jul 2010 to Jan 2011; summary row: Name Mahagi Bunia WAAS, WAN Traffic 328.79 MB, LAN Traffic 703.05 MB, Reduction 53.23, Increased Capacity 2.14x.] Optimized Application: This shows the NetFlow Application Traffic for the mapped WAE application in the selected time period. Click on the application to view the graphical representation of traffic against time. [Screenshot residue: Optimized Traffic / Optimized Application / Optimized Connections tabs, Custom Report From 2010-06-20 00:00 To 2011-02-21 17:36, CAD: 328.79 MB, 703.05 MB, 374.25 MB, 53.23, 2.14x; Weekly Average chart, Jul 2010 to Feb 2011.] NetFlow Application Traffic for CAD (Application Name | IN Traffic): TCP_App | 143.2 KB; re-mail-ck | 96.5 KB; rap | 85.5 KB; msp | 84.5 KB; ni-ftp | 84.0 KB; telnet | 82.0 KB; tacacs | 77.5 KB; rje | 77.0 KB; rip | 77.0 KB; mpm-snd | 76.0 KB. Optimized Connections: Lists the conversations that passed through the selected WAE device and their corresponding statistics. [Screenshot residue: Optimized Traffic / Optimized Application / Optimized Connections tabs, Custom Report.] Fro
29. 0.438 0.231 0.347 0.689 0.940 1.248 1.385 1.427 3.988 1.265 1.221 1.013 0.992 0.874 0.896 1.002. Sorted_In&Out: 3.988 1.435 1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013 1.002 0.992 0.971 0.940 0.896 0.874 0.689 0.653 0.523 0.438 0.370 0.347 0.231 0.276 0.233 0.218 0.203 0.201 0.198 0.185 0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032. The Sorted In and Out set contains 40 samples; 5% of 40 is 2, so discarding the top 5% means we must discard the top two samples from the data set. We are now left with Sorted_In&Out: 1.427 1.385 1.347 1.265 1.248 1.229 1.221 1.013 1.002 0.992 0.971 0.940 0.896 0.874 0.689 0.653 0.523 0.438 0.370 0.347 0.231 0.276 0.233 0.218 0.203 0.201 0.198 0.185 0.182 0.169 0.157 0.139 0.131 0.126 0.116 0.084 0.047 0.032. The highest sample from the remaining data set is the 95th percentile value for the originating set, so we obtain the following value: 95th_in&out = 1.427 Mbps. IN & OUT SEPARATE: inbound: 0.139 0.653 0.201 0.116 0.084 0.032 0.047 0.185 0.198 0.203 0.276 0.370 0.971 0.233 0.218 0.182 0.169 0.126 0.131 0.157; outbound: 1.347 1.435 1.229 0.523 0.438 0.231 0.347 0.689 0.940 1.248 1.385 1.427 3.988 1.265 1.221 1.013 0.992 0.874 0.896 1.002. After sorting we obtain sorted_in: 0.971 0.653 0.370 0.276 0.233 0.218 0.203 0.201 0.198 0.185 0.182 0.169 0.157 0.139 0.131 0.126 0.116 0
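The discard-the-top-5% rule described above, implemented as an added Python example (this is not NetFlow Analyzer's own code) on the guide's own inbound and outbound sample lists. It computes both the IN & OUT together figure and the IN & OUT separate figures; rounding the discard count down to a whole number of samples is an assumption, made explicit in the code, that matches the hand calculation (5% of 40 is 2).

```python
"""95th-percentile calculation as described in the guide (added example, not
product code): sort the samples highest first, discard the top 5 % of them,
and take the highest remaining sample.  The sample values are the inbound and
outbound Mbps lists from the guide's worked example."""
from typing import Sequence, Tuple

# Inbound and outbound traffic samples (Mbps) copied from the worked example.
INBOUND = [0.139, 0.653, 0.201, 0.116, 0.084, 0.032, 0.047, 0.185, 0.198, 0.203,
           0.276, 0.370, 0.971, 0.233, 0.218, 0.182, 0.169, 0.126, 0.131, 0.157]
OUTBOUND = [1.347, 1.435, 1.229, 0.523, 0.438, 0.231, 0.347, 0.689, 0.940, 1.248,
            1.385, 1.427, 3.988, 1.265, 1.221, 1.013, 0.992, 0.874, 0.896, 1.002]


def percentile_95(samples: Sequence[float]) -> float:
    """Return the 95th-percentile value using the guide's discard-the-top-5% rule.

    The number of samples to discard is 5 % of the sample count.  Integer
    arithmetic rounds a fractional count down (assumption), so 40 samples
    discard 2 and 20 samples discard 1, as in the hand calculation.
    """
    if not samples:
        raise ValueError("need at least one sample")
    ordered = sorted(samples, reverse=True)   # highest first
    discard = len(ordered) * 5 // 100         # top 5 % by count, rounded down
    return ordered[discard]                   # highest remaining sample


def percentile_95_combined(inbound: Sequence[float],
                           outbound: Sequence[float]) -> float:
    """IN & OUT TOGETHER: one 95th percentile over the merged sample set."""
    return percentile_95(list(inbound) + list(outbound))


def percentile_95_separate(inbound: Sequence[float],
                           outbound: Sequence[float]) -> Tuple[float, float]:
    """IN & OUT SEPARATE: a 95th percentile for each direction."""
    return percentile_95(inbound), percentile_95(outbound)


if __name__ == "__main__":
    print("95th_in&out =", percentile_95_combined(INBOUND, OUTBOUND), "Mbps")
    p_in, p_out = percentile_95_separate(INBOUND, OUTBOUND)
    print("95th_in =", p_in, "Mbps; 95th_out =", p_out, "Mbps")
```

Running the block reproduces the guide's 1.427 Mbps for the combined set; for the separate calculation it discards one sample per direction (5% of 20) and reports the highest remaining value of each list.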
30. Analyzer classifies data into 2 types, namely Aggregated Data and Raw Data. Aggregated Data represents the total IN and OUT traffic, the top 100 applications and the top 100 conversations for each interface for every 10-minute interval. Data is progressively stored in 10-minute, 1-hour, 6-hour, 24-hour and weekly data points for older data: the most recent data is available with 10-minute granularity, and data older than 90 days is available in weekly granularity. This mechanism of storing the top 100 is done to ensure that the database does not grow infinitely. The amount of hard disk space required to store the aggregated data forever is about 150 MB per interface. In addition to the aggregated data, NetFlow Analyzer 5 allows you to store all raw NetFlow data for up to 1 month. The time period for which you can store this raw data (Raw Data Period) depends on the number of flows received by NetFlow Analyzer and the amount of free disk space available on your computer. Each flow is about 60 bytes. Troubleshooting and Alert reports are generated from Raw data since it provides a high level of granularity. NetFlow Analyzer indicates the flows received per second in the Raw Data Settings tab on the Settings link. You should set the raw data period (Retain Raw Data) based on the calculation below: Free hard disk space 150 MB No of Managed Interfaces Raw Data Period in hours
31. Configuring NetFlow for BGP: The Border Gateway Protocol (BGP), defined in RFC 1771, provides loop-free interdomain routing between autonomous systems. An autonomous system (AS) is a set of routers that operate under the same administration. BGP is often run among the networks of Internet service providers (ISPs). In order to get AS info you need to configure your router to include AS info. AS information collection is resource intensive, especially when configured for origin AS. In case you are not interested in monitoring peering arrangements, disabling AS collection may improve NetFlow Analyzer performance. Enabling BGP Routing: Enter the global configuration mode and issue the following commands to enable BGP routing and establish a BGP routing process. Command | Purpose: router bgp as-number | Enables the BGP routing process, which places the router in router configuration mode. network network-number [mask network-mask] [route-map route-map-name] | Flags a network as local to this autonomous system and enters it into the BGP table. Configuring BGP Neighbors: BGP supports two kinds of neighbors, internal and external. Internal neighbors are in the same autonomous system; external neighbors are in different autonomous systems. Normally, external neighbors are adjacent to each other and share a subnet, while internal neighbors may be anywhere in the same autonomous system.
32. Events Filter Options: The Filter option is used to generate reports based on the filter criteria. Click on the Show Filter button to view the filters. You can filter the events based on: Period: For any selected time period, from last hour to last month. The custom time option can be used to generate a report for a specific time period. Status: Denotes the status of the event, whether it is open, closed or ignored. You can also choose all to select all the available events. [Screenshot residue: Security Analytics filter panel with Period (Last 6 Hour, From/To), Status (Open), Match All / Match Any, Class (Suspect Flows), Problem (All), Offender Geography (UNITED KINGDOM (UK)) and a Generate Report button; tabs Dashboards, Interface View, Autonomous System View, WAAS Reports, Problem Glossary, Security Posture, Offenders & Targets, Problem Analysis, Resource Analysis.] You can also choose to match all or any of the filter criteria given below. Class/Problem: Select the specific Class and Problem name. Offender IP: Specify the IP network address of the offender. Target IP: Specify the IP network address of the target. Offender Geography: Select the country of the offender from the list. Target Geography: Select the country of the target from the list. Offender Topology: Select the specific location of the offender from the list. Target Topology: Select the specific location of the target from the list. Router/Interface: Specify the router or interface name. Severity: Sele
33. For instance, if the maximum flow happens during your working hours, from 08:00 hours to 18:00 hours, you can set it in the window that pops up. When you opt for the last 24 hours, the report is generated for the flow in the intervening 24 hours from the time at which the report is to be generated today. The 30 most recent reports for this schedule are accessible from the Schedule List page. Exclude weekends: When you choose the Exclude Weekend option with Previous day, reports will be generated on Tuesday, Wednesday, Thursday, Friday and Saturday. These will be reports pertaining to Monday, Tuesday, Wednesday, Thursday and Friday respectively. When you choose the Exclude Weekend option with Last 24 hours, reports will be generated on Monday, Tuesday, Wednesday, Thursday and Friday. Weekly: When you opt for the Weekly option, you have the option to specify the day and time at which the report needs to be generated. The report could be generated for the previous day, the last 24 hours or any of the options available in the dropdown. By additionally opting for Exclude Weekend, the report can be made to include only data corresponding to Monday through Friday. The previous week option would generate the report for the time period Sunday 00:00 hours till Saturday 23:59 hours. When Exclude Weekends is enabled, the report will be generated for the time period Monday 00:00 hours till Friday 23:59 hours.
34. For more information refer to this link: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_cfg_wsma.html#wp1105726. Enable Mediatrace: Before implementing a Mediatrace session you have to enable Mediatrace on each network interface that you want to collect flow information from. The steps to enable Mediatrace are given below. SUMMARY STEPS: 1. enable 2. configure terminal 3. mediatrace initiator {source-ip ip-address | source-interface interface-name} [force] [max-sessions number] 4. mediatrace responder [max-sessions number] 5. end. Mediatrace Settings: 1. Configure Medianet Initiator: The Medianet Initiator must be enabled on the network interface that you will use to configure, initiate and control the Mediatrace sessions. You can configure an Initiator using the NetFlow Analyzer web interface: 1. Navigate to Medianet > Settings > Add Session > Click Add Initiator. 2. In the new pop-up window that appears: 1. Select the IP address of the router you would like to configure as the Initiator from the dropdown list. 2. Specify the username and password of the selected router. 3. Click Update to save the changes. 3. Now an initiator has been configured. 2. Configure Medianet Monitoring profile: Cisco Mediatrace provides pre-packaged system data monitoring profiles (video monitoring profile and system data profile) that contain all of the parameter settings you need to start a system data monit
35. Hours and Minutes for the time zone are set properly (e.g. PST 8 00 for PST or EST 5 00 for EST). You can check this by logging into the router, going into the configure terminal and typing show running-config. You can set the clock time zone and offset using the command clock timezone zone hours [minutes] (e.g. clock timezone PST 8 00). To enable NetFlow in an MPLS environment, refer to Cisco's documentation on MPLS NetFlow. Cisco NetFlow Device Support: The following charts include information on the various vendors and devices supporting NetFlow version 5 or 7 or 9 data export. Use these charts to determine if your devices are compatible with NetFlow Analyzer. Cisco Routers (Cisco IOS Software Release Version | Supported Cisco Hardware Platforms): 11.1CA, 11.1CC | Cisco 7200 and 7500 series (RSP 7200 series); Cisco 1720, 2600, 3600, 4500, 4700, AS5800, RSP 7000 and 7200 series. 12.0 | uBR 7200 and 7500 series, RSM series; Cisco 1720, 2600, 3600, 4500, 4700, AS5800. 12.0T, 12.0S | RSP 7000 and 7200 series, uBR 7200 and 7500 series, RSM series, MGX8800RPM series and BPx8600 series; Cisco 1720, 2600, 3600, 4500, 4700, AS5300, AS5800, RSP 7000 and 7200 series, uBR 7200 and 7500 series, RSM series, MGX8800RPM series and BPx8650 series; Cisco 1400, 1600, 1720, 2
36. [Table of contents excerpt, with page numbers:] MIRA Reports 80; (entry illegible) 81; Consolidated Report 82; Compare Report / NetFlow Analyzer Global Report 83; Search 84; Capacity Planning 85; Medianet Reporting 86; ADMIN OPERATIONS 92; Product Settings 93; (entry illegible) 94; Advanced Settings 95; Storage Settings 97; Mail Server / Proxy Server Settings 98; Google Map Settings 99; (entry illegible) 100; Application Mapping, Application Group, DSCP Mapping and DSCP Group 101; Alert Profiles 110; (entry illegible) 113; Device Group 118; (entry illegible) 120; (entry illegible) 125; NBAR Reporting 125; NBAR Report 129; NBAR Supported Applications 130; NBAR supported platforms & IOS Versions 134; Flexible NetFlow and NBAR integration 135; (entry illegible) 137; CBQoS Child Policies 145; User Management 148; (entry illegible) 150; Change Password 152; (entry illegible, page number truncated)
37. [Tail of the preceding row:] ... Minimum Occupancy at the destination end | Scans/Probes. Problem Name | Description | Class: Excess Short TCP Syn_Ack Packets | TCP flows with nominal payload (i.e. BytePerPacket between 40 and 44 octets/bytes) and TCP Flags value equals 18 (SA), touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Suspect Flows. Short TCP Syn_Ack Inflood | 1. Short TCP Syn_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS/Flash Crowd. The remaining problem names in this table are Short TCP Syn_Ack Outflood, Short TCP Syn_Ack Port Scan and Short TCP Syn_Ack Host Scan. Short TCP Syn_Ack Outflood | 1. Short TCP Syn_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. Short TCP Syn_Ack Port Scan | 1. Short TCP Syn_Ack flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Short TCP Syn_Ack flows from single/multiple source hosts to fewer d
38. NetFlow Analyzer Professional Edition. Supported Web Browsers: NetFlow Analyzer has been tested to support the following web browsers and versions: Internet Explorer 5.5 and later; Netscape 7.0 and later; Mozilla 1.5 and later. Prerequisites: Before setting up NetFlow Analyzer in your enterprise, ensure that the following are taken care of. Ports Required: NetFlow Analyzer requires the following ports to be free (Port Name | Default Port | Usage): Web server port | 8080 | This is the port on which you will connect to the NetFlow Analyzer server from a web browser. You can change this at any time from the Settings tab. NetFlow Listener port | 9996 | This is the port on which NetFlow exports are received from routers. You can change this at any time from the Settings tab. MySQL port | This is the port used to connect to the MySQL database in NetFlow Analyzer. Changing this port requires configuration-level changes. Recommended System Setup: Apart from the System Requirements, the following setup would ensure optimal performance from NetFlow Analyzer: Run NetFlow Analyzer on a separate, dedicated PC or server. The software is resource intensive, and a busy processor can cause problems in collecting NetFlow data. Use the MySQL pre-bundled with NetFlow Analyzer that runs on port 13310. You need not start another separate ins
39. ProCurve 6200yl series, ProCurve 6400cl series, ProCurve 9300m series, ProCurve Routing Switch 9408sl. Hitachi: GR4000, GS4000, GS3000. NEC: IP8800/R400 series, IP8800/S400 series, IP8800/S300 series. Enabling sFlow: How do I enable sFlow? If your device supports sFlow, then you will have to enable sFlow on each of the interfaces that you want to collect flow statistics on. Enabling sFlow on various devices. Foundry Networks switch:
    foundry2402> enable
    Password:
    foundry2402# configure terminal
    foundry2402(config)# interface ethernet 10
    foundry2402(config-if-e100-10)# sflow forwarding
    foundry2402(config-if)# exit
    foundry2402(config)# sflow enable
    foundry2402(config)# sflow destination 192.168.0.2 9996
    foundry2402(config)# sflow sample 256
    foundry2402(config)# sflow polling-interval 10
    Please note that the part in red (the per-interface commands) has to be repeated for each interface individually. For more information on Foundry devices configuration refer to www.foundrynet.com. Force10 switch:
    force> enable
    Password:
    force# configure terminal
    force(config)# interface sflow enable    (this command has to be repeated for all interfaces)
    force(config)# sflow destination 192.168.0.2 9996 agent-addr 192.168.1.2
    force(config)# sflow sample 256
    force(config)# sflow polling 10
    For more information on Force10 devices refer to w
40. [Tail of the preceding row, a "... Scan Reverse" problem:] ... the number of distinct source ports (which is also equal to the number of source endpoints) exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans/Probes. Short TCP Syn_Ack Grid Scan Reverse | Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end | Scans/Probes. Excess Short TCP Syn_Rst Packets | TCP flows with nominal payload (i.e. BytePerPacket between 40 and 44 octets/bytes) and TCP Flags value equals 6 (RS), denoting TCP Syn_Rst flows but without Urg/Ack/Psh flags, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Suspect Flows. Short TCP Syn_Rst Attack | Short TCP Syn_Rst flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS/Flash Crowd. Short TCP Syn_Rst Inflood | Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS/Flash Crowd. Short TCP Syn_Rst Outflood | 1. Short TCP Syn_Rst flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Syn_Rst flows from single/multiple source hosts to single/multiple destination hosts exc
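The Short TCP Syn_Ack and Short TCP Syn_Rst definitions in items 37 and 40 above share one signature (a header-only flow of 40 to 44 bytes per packet with a specific TCP Flags value) and one precedence rule (the generic "Excess ... Packets" problem fires only when no derived problem such as Port Scan or Outflood matched). The following Python is an added illustration of that classification logic, not NetFlow Analyzer's own code; the flow records are constructed, and the thresholds UPPER_LIMIT, MIN_VERTICAL_SPAN and MIN_DIVERGENCE are assumed values, since the guide names those parameters but gives no defaults here.

```python
"""Flow-signature classifier for the Short TCP Syn_Ack / Syn_Rst problem
definitions (added example; not NetFlow Analyzer's own code).  Flow records
and threshold values below are constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# TCP flag bit values as summed in a flow record's "TCP Flags" field.
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10
SYN_ACK = SYN | ACK   # 18, the value the glossary calls "SA"
SYN_RST = SYN | RST   # 6, the value the glossary calls "RS"

# Assumed thresholds (the guide names these parameters but gives no defaults).
UPPER_LIMIT = 5          # flow count at which "Excess Short TCP ... Packets" fires
MIN_VERTICAL_SPAN = 4    # distinct destination ports on one destination host
MIN_DIVERGENCE = 3       # distinct destination hosts from one source host


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    bytes: int
    tcp_flags: int


def is_nominal_payload(flow: Flow) -> bool:
    """BytePerPacket between 40 and 44 octets, i.e. a header-only TCP flow."""
    return flow.packets > 0 and 40 <= flow.bytes / flow.packets <= 44


def short_flow_kind(flow: Flow) -> Optional[str]:
    """Return 'Syn_Ack', 'Syn_Rst' or None for one flow record."""
    if not is_nominal_payload(flow):
        return None
    if flow.tcp_flags == SYN_ACK:
        return "Syn_Ack"
    if flow.tcp_flags == SYN_RST:
        return "Syn_Rst"
    return None


def classify(flows: Iterable[Flow]) -> Dict[str, List[str]]:
    """Map each short-flow kind seen to the problem names its flows satisfy.

    Derived problems (Port Scan, Outflood) are evaluated first; the generic
    'Excess Short TCP <kind> Packets' problem is raised only when the flow
    count touches or exceeds the Upper Limit and no derived problem matched,
    which is the precedence the glossary describes.
    """
    by_kind: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        kind = short_flow_kind(f)
        if kind:
            by_kind[kind].append(f)

    problems: Dict[str, List[str]] = {}
    for kind, kflows in by_kind.items():
        found: List[str] = []
        ports_per_dst = defaultdict(set)   # vertical span per destination host
        dsts_per_src = defaultdict(set)    # divergence per source host
        for f in kflows:
            ports_per_dst[f.dst].add(f.dport)
            dsts_per_src[f.src].add(f.dst)
        if any(len(p) > MIN_VERTICAL_SPAN for p in ports_per_dst.values()):
            found.append(f"Short TCP {kind} Port Scan")
        if any(len(d) > MIN_DIVERGENCE for d in dsts_per_src.values()):
            found.append(f"Short TCP {kind} Outflood")
        if not found and len(kflows) >= UPPER_LIMIT:
            found.append(f"Excess Short TCP {kind} Packets")
        problems[kind] = found
    return problems


# Constructed sample flows (documentation address ranges, not real traffic):
# five 40-byte SA flows to one host on five ports, five 42-byte RS flows from
# five sources to one mail port, and one ordinary data flow that is ignored.
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", "192.0.2.10", 40000 + i, p, 1, 40, SYN_ACK)
     for i, p in enumerate([22, 80, 443, 3389, 8080])]
    + [Flow(f"198.51.100.{i}", "192.0.2.20", 51000, 25, 2, 84, SYN_RST)
       for i in range(1, 6)]
    + [Flow("10.0.0.9", "192.0.2.30", 52000, 443, 10, 5000, SYN | ACK | PSH)]
)

if __name__ == "__main__":
    for kind, names in classify(SAMPLE_FLOWS).items():
        print(kind, "->", names or "no problem raised")
```

With the constructed input, the Syn_Ack flows trip the Port Scan rule (five ports on one host exceeds the assumed Minimum Vertical Span), so no Excess problem is raised for them, while the Syn_Rst flows satisfy no derived rule and fall through to Excess Short TCP Syn_Rst Packets once their count reaches the assumed Upper Limit.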
41. Queue: The pre-policy, post-policy and drops in different traffic classes, along with the queuing status, enable you to validate the efficiency of your QoS settings. Individual graphs are displayed for Pre Policy, Post Policy and Dropped. Pre Policy refers to the state before the CBQoS policy was applied; Post Policy refers to the state after the CBQoS policy is applied; Dropped gives information on the packets that are dropped as a result of applying the policies. CBQoS reports can be exported as PDF or can be mailed by going to Actions and clicking on the necessary action. Based on this information, suitable corrections can be made to the policies to make them best suit the business goals of the organization. CBQoS Child Policies: Now NetFlow Analyzer lets you create child policies under parent policies. Creating a traffic policy: To configure a traffic policy (sometimes also referred to as a policy map), use the policy-map command. The policy-map command allows you to specify the traffic policy name and also allows you to enter policy-map configuration mode, a prerequisite for enabling QoS features such as traffic policing or traffic shaping. Associate the Traffic Policy with the Traffic Class: After using the policy-map command, use the class command to associate the traffic class created in the Creating a Traffic Class section with the traffic po
42. Relay frame to 1 for all traffic leaving an interface. Step 16: Router(config-pmap-c)# set precedence {precedence-value | from-field [table table-map-name]} (Optional) Sets the precedence value in the packet header. Step 17: Router(config-pmap-c)# set mpls experimental value (Optional) Designates the value to which the MPLS bits are set if the packets match the specified policy map. Step 18: Router(config-pmap-c)# set qos-group {group-id | from-field [table table-map-name]} (Optional) Sets a QoS group identifier (ID) that can be used later to classify packets. Step 19: Router(config-pmap-c)# service-policy policy-map-name (Optional) Specifies the name of a traffic policy used as a matching criterion (for nesting traffic policies, i.e. hierarchical traffic policies, within one another). Configuration Steps (Command or Action | Purpose): Step 20: Router(config-pmap-c)# shape {average | peak} mean-rate [burst-size] [excess-burst-size] (Optional) Shapes traffic to the indicated bit rate according to the algorithm specified. Step 21: Router(config-pmap-c)# exit (Optional) Exits policy-map class configuration mode. Attaching a Traffic Policy to an Interface: To attach a traffic policy to an interface, use the service-policy command. The service-policy command also allows you to specify the direction in which the traff
43. Series Switches: Enter privileged mode on the Supervisor Engine and issue the following commands to configure NDE (Command | Purpose): set mls nde {hostname | ip_address} 9996 | Specifies NetFlow Analyzer as the NDE collector and the configured NetFlow listener port as the UDP port for data export of hardware-switched packets. ip flow-export destination {hostname | ip_address} 9996 | Specifies NetFlow Analyzer as the NDE collector and the configured NetFlow listener port as the UDP port for data export of software-switched packets. set mls agingtime long 64 | Breaks up long-lived flows into 1-minute fragments. This ensures that traffic graphs do not have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data. set mls agingtime 32 | Ensures that flows that have finished are periodically exported. Ensure that the set value is not too low, else NetFlow Analyzer may report traffic levels that are too low. set mls flow full | This sets the flow mask to full flows. This is required to get useful information from the switch. set mls nde enable | This enables NDE. To monitor data and statistics about Layer 3 traffic that is switched in software by the MSFC, you must specify the NDE collector and UDP port on the MSFC. This requires that you enter the ip flow-export destination command on the MSFC. Use the show mls debug command to debug the NDE configurat
44. The Show Ports link will be displayed next to an unknown application only in the Last Hour report. Click on an application's name to see the Top Conversations that contributed to this application's traffic. The Show box above this table lets you choose how many applications need to be displayed. You can set the maximum value for this option from the Settings page. The pie chart below this table shows what percentage of bandwidth is being used by each application. The icon above the pie chart lets you see the pie chart enlarged in a new window. From here you can export it as a PDF/CSV file or email the report by going to the Actions button on top and selecting as per your requirement. Applications Group: This report displays different applications that are grouped together for ease of viewing. This feature enables you to group the applications as a single entity. Creating an application group: To create an application group, click Applications/QoS Maps. 1. Select Application Group. 2. Click on Add to create a new application group. 3. Specify the group name, a description of the group, and select the applications you want to group together. 4. Click Save to view the application group. Now a new application group has been created. Top Sites: This report displays the applications contributing to the maximum network traffic
45. [Screenshot residue: report tabs Traffic / Source / Destination / QoS / Conversation / Medianet / NBAR / CBQoS / Security Events, IN/OUT, Last Hour, From 2011-10-07 09:59 To 2011-10-07 10:59; Application / Application Groups / Protocol Distribution views, showing 1 to 11, view per page 50; Application Traffic total 11.75 MB of total traffic, snmp 4.96 MB, 42.] Expanding the applications displays the name of the website (if the DNS is resolved) and the names of the top 10 machines in your network (if the DNS is resolved) connecting to that website. It will also give the contribution of traffic in terms of upload & download volume and percentage of total traffic from each IP address to the particular site through that application. You can also view the total traffic percentage across each application. The report gives a detailed view of the traffic in terms of upload & download volume and percentage of total traffic from each IP address to the specific site via the application. Further drill-down to the website name gives you information on the upload or download traffic detail and the specific IP address that accessed that site. Adding a sub application: The Add Sub App option allows you to add a sub application to the list of applications under the Top Sites tab. This way you can add a name to the IP address range or network and associate it with an application name. This helps identify the IP network range or address that has accessed a particular application. Viewing Top Protocols C
46. [Tail of the preceding row:] UDP | 161, 162 | Simple Network Management Protocol. Protocol | TCP or UDP Type | Well Known Static Port Number | Description: SOCKS | TCP | 1080 | Firewall security protocol. SPOP3 | TCP/UDP | 995 | Secure POP3. SSH | TCP | 22 | Secured Shell. STELNET | TCP | 992 | Secure TELNET. Syslog | UDP | 514 | System Logging Utility. Telnet | TCP | 23 | Telnet Protocol. X Windows | TCP | 6000-6003 | X11, X Windows. For more information click here. NBAR supported platforms & IOS Versions: Platforms & Cisco IOS Versions that currently support CISCO-NBAR-PROTOCOL-DISCOVERY-MIB are: Cisco 1700 Series Router, since Release 12.2(2)T; Cisco 2600, 3600, 7100, 7200 Series Routers, since Release 12.1(5)T; Cisco 3700 and 7500 Series Routers, since Release 12.2(8)T. The following platforms also support NBAR: Cisco 800 Series Routers; Cisco 1800 Series Integrated Services Routers; Cisco 2600XM Series Router; Cisco 2800 Series Integrated Services Routers; Cisco 3700 Series Multiservice Access Routers; Cisco 3800 Series Integrated Services Routers; Cisco 7300 Series Routers; Cisco 7400 Series Routers; Catalyst 6500 Family Switch with a FlexWAN card. To know the supported IOS versions, check here.
47. Usage based billing | Generation of periodic bills for accounting and for charge back. Customizable DNS names | Helps in easier management of the network. Reporting on source network and destination network | This allows the user to view the source networks, destination networks and conversations between them. Different IN and OUT speed can be configured for interfaces | Helps in setting appropriate speed for IN and OUT interfaces. Support for exporting reports to CSV | Helps in easier maintenance of data for historical reporting, besides the flexibility to import into XLS sheets for any analysis. Sorting on the Autonomous Systems view for easier tracking and for peering arrangement. Ability to group together applications into a single logical entity. Option to exclude ESP_App on user defined interfaces | Ensures that traffic is not double counted in case of ESP tunnels. Option to suppress output interface accounting on user defined interfaces | Useful when working with WAN accelerators. Quick view traffic graph in Dashboard view | Offers enhanced usability. Graphs enhanced to one min granularity and also to real time in Network Snapshot | Offers a more realistic reporting of the network health for quicker action to avoid any network eventuality. Ability to set SNMP parameters globally for all routers | Offers the flexibility to avoid having to set the same SNMP parameters on each individual router. Suppo
48. WAAS is designed to optimize application performance and infrastructure consolidation in WAN environments.
Top 10 IN and OUT Application Growth report and Standard Deviation graph added.
Support for IPv6 address format: Support for the IPv6 flow format in Troubleshoot reports and in the Top Applications and Top Conversations reports has been added.
WAN RTT: The WAN RTT monitor is used to monitor WAN availability, latency and quality of service.
Option to map IP addresses to site names: Ability to add a new site name to known IP addresses.
Report filter enhancements: You can filter reports according to your requirement.
Support for RADIUS server authentication.
MSSQL: NetFlow Analyzer now offers support for MSSQL.
Creating an alert profile with IP address as criterion: IP address has been added as one of the alert criteria.
Scheduling option for Compare Reports and Report Profiles: Compare reports and report profiles can be scheduled in advance, and the reports that are compared can be generated.
Enhancements to consolidated reports: The user interface of the consolidated report has been changed for ease of use.
Network Snapshot improved with a widget for Top N Alerts: The Top N Alerts widget can now be viewed in the Network Snapshot dashboard, giving a quick view of all the alerts generated.
String search option for IP groups: IP groups and addresses can now be located easily using the search option.
C
49. a. ... CLI session on the destination router and enter EXEC mode as follows:
    Router> enable
b. Start global configuration mode:
    Router# configure terminal
c. Enable the IP SLA responder:
    Router(config)# ip sla responder
  or
    Router(config)# ip sla monitor responder
  Note: Enter whichever one of these two commands applies; the syntax varies according to the IOS version.
d. Repeat the above steps on all the destination routers on which you want to monitor VoIP performance.
Step 3: Creating the VoIP monitor
a. Go to Modules > VoIP Monitors > Configure VoIP Monitor > Create New and enter a name for the monitor.
b. Select the source router from the list of routers discovered in NetFlow Analyzer and select the relevant interface.
c. Specify the destination router, either by using the Search option to pick from the discovered routers or by using the Add option to enter the IP address of the destination router, and submit the details.
d. You will see a summary of the monitor you are about to configure. Click Apply to device to submit the details to the device. This takes a few seconds to configure; refresh the page after a few seconds to see the new monitor. Data is collected every hour from the time you configured it.
You can also create the VoIP monitor from the Router snapshot page. To do so, go
50. ... at the source end.
Malformed UDP Port Scan (Scans/Probes): 1. Malformed UDP flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. Malformed UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Malformed UDP Host Scan (Scans/Probes): 1. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. Malformed UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Malformed UDP Diagonal Scan (Scans/Probes): Malformed UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
Malformed UDP Grid Scan (Scans/Probes): Malformed UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Oc
51. ... between IN and OUT to display the top conversations in incoming or outgoing traffic. The Time Period box lets you choose between the options available in the drop-down as per your requirement. The From and To boxes let you choose custom time periods for the graphs; use the icon to select the date and time easily. The time period for these graphs is based on the current system time. Once you have selected the desired date and time, click the Show button to display the corresponding conversation traffic report.
The default report view shows the IP addresses of the hosts; click the Resolve DNS link to see the corresponding DNS names. The Show box above the table lets you choose how many conversations are displayed (you can set this value from the Settings page). The Group by box lets you group conversations by source, destination or application. The default list shows the conversations sorted in descending order of the number of bytes of traffic.
The pie charts below the report show the top sources, destinations and conversations contributing to traffic for the selected time period. The icon above a pie chart lets you see it enlarged in a new window. From here you can export the report as a PDF or CSV file, or email the report, by going to the Actions button at the top and selecting as per your requirement.
Support for Internet Protocol Version 6 (IPv6)
IP version 6 (IPv6) is a new version of the Internet Protocol designed as the su
52. ... consolidated traffic report for the respective IP group. This report shows you all the details about incoming and outgoing traffic in this IP group in a single report. Click the icon to see the speed graph for the particular IP group.
Report Profiles
Report Profiles allow users to create customized reports using extensive filter options. The profiles created are saved for future use, reducing the time consumed in generating new reports. The report profile option provides a high level of customization and easy generation of reports on user-defined criteria.
Creating a new profile
The report profile option is present under the admin tree on the left-hand side of the product UI. Click the Add Profile option under the report profile tab. In the new window that appears, enter the details of the profile you want to create. Select the filter type from the existing ones or create a new filter. Click Add to submit the details and view the newly created profile.
Once profiles are added they appear at the bottom left of the product tab by default; this can be toggled and the position changed. A profile can be edited later by clicking the icon found adjacent to the profile name. Expanding the profile by clicking the arrow to its left gives the list of reports configured for this profile.
Note: If you have configured more than four reports for a
53. ... destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end. (Scans/Probes)
Short TCP Syn_Ack Grid Scan (Scans/Probes): Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the destination end.
Short TCP Syn_Ack Port Scan Reverse (Scans/Probes): 1. Short TCP Syn_Ack flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TCP Syn_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Short TCP Syn_Ack Host Scan Reverse (Scans/Probes): 1. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Short TCP Syn_Ack Diagonal Scan Reverse (Scans/Probes): Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to
54. ... destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. TCP Urg flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. (Scans/Probes)
TCP Urg Diagonal Scan Reverse (Scans/Probes): TCP Urg flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end.
TCP Urg Grid Scan Reverse (Scans/Probes): TCP Urg flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the source end.
TCP Xmas (Suspect Flows): TCP flows with a TCP Flags value equal to 41 (UPF), touching or exceeding the Upper Limit, where none of the following derived problems is satisfied.
TCP Xmas Inflood (DoS/Flash Crowd): 1. TCP Xmas flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. TCP Xmas flows from single/multiple sourc
55. ... destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end. (Scans/Probes)
Short TCP Psh Grid Scan Reverse (Scans/Probes): Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the source end.
Excess Short TCP Rst_Ack Packets (Suspect Flows): TCP flows with nominal payload, i.e. BytesPerPacket between 40 and 44 octets (bytes), and a TCP Flags value in (20 [AR], 21 [ARF]), denoting TCP Rst_Ack flows, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied.
Short TCP Rst_Ack Inflood (DoS/Flash Crowd): 1. Short TCP Rst_Ack flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. Short TCP Rst_Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Short TCP Rst_Ack Outflood (DoS/Flash Crowd): 1. Short TCP Rst_Ack flows from fewer source hosts to multiple destination hosts
56. ... end. (Scans/Probes)
ICMP Time Exceeded Flows (Suspect Flows): ICMP Time Exceeded flows with Dst Port in (2816 [Time to live equals 0 during transit], 2817 [Time to live equals 0 during reassembly]), touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a traceroute attempt or a datagram fragment reassembly failure.
ICMP Time Exceeded Inflood (DoS/Flash Crowd): 1. ICMP Time Exceeded flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
ICMP Time Exceeded Outflood (DoS/Flash Crowd): 1. ICMP Time Exceeded flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Time Exceeded flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
ICMP Time Exceeded Host Scan (Scans/Probes): 1. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. ICMP Time Exceeded flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum
57. ... exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Rst_Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end. (DoS/Flash Crowd)
Short TCP Rst_Ack Port Scan (Scans/Probes): 1. Short TCP Rst_Ack flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. Short TCP Rst_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Short TCP Rst_Ack Host Scan (Scans/Probes): 1. Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Short TCP Rst_Ack Diagonal Scan (Scans/Probes): Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at
58. ... exceeding Minimum Vertical Span at the destination end. 2. TCP Fin flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. (Scans/Probes)
TCP Fin Host Scan (Scans/Probes): 1. TCP Fin flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. TCP Fin flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
TCP Fin Diagonal Scan (Scans/Probes): TCP Fin flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
TCP Fin Grid Scan (Scans/Probes): TCP Fin flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the destination end.
TCP Fin Port Scan Reverse (Scans/Probes): 1. TCP Fin flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at
59. ... family inet {
        sampling {
            input;
            output;
        }
        address 206.80.253.26/25;
    }
For more information refer here, and this link to configure the V9 template record.
Huawei / 3Com (H3C) devices: NetStream
Configuring NetStream export
On H3C routers: please refer to this link to configure NetStream exports on H3C devices.
On Huawei devices: use the following commands to enable NetStream.
    ip netstream export host <hostname | ip_address> 9996
This sends the NetStream exports to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured listener port; the default port is 9996.
    ip netstream export source <interface-name>
This sets the source IP address of the NetStream exports sent by the device to the address of the specified interface. NetFlow Analyzer will make SNMP requests to the device at this address.
To enable NetStream on the desired interface, execute the following command:
    ip netstream inbound
Nortel devices: IPFIX
Configuring IPFIX export
According to Nortel, Internet Protocol Flow Information eXport (IPFIX) has evolved as an improvement upon the NetFlow V9 protocol. It is an upcoming standard that has been proposed by an IETF Working Group (http
60. ... flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end. (Scans/Probes)
Short TCP Rst_Ack Grid Scan Reverse (Scans/Probes): Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the source end.
Excess Short TCP Syn_Ack Packets (Suspect Flows): TCP flows with nominal payload, i.e. BytesPerPacket between 40 and 44 octets (bytes), and a TCP Flags value equal to 18 (SA), touching or exceeding the Upper Limit, where none of the following derived problems is satisfied.
Short TCP Syn_Ack Inflood (DoS/Flash Crowd): 1. Short TCP Syn_Ack flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. Short TCP Syn_Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Short TCP Syn_Ack Outflood (DoS/Flash Crowd): 1. Short TCP Syn_Ack flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Syn_Ac
Short TCP Syn_Ack Port Scan (Scans/Probes):
61. ... from raw data; hence the results depend on the raw data retention period set in Settings.
Click this icon to see a quick report for the respective interface. This report shows you all the details about the traffic across that interface for the past one hour.
Icon / Button: Purpose
- Indicates that an NBAR report is available for the interface
- Indicates a serial interface
- Indicates an Ethernet interface
- Indicates an unknown interface
- Indicates FDDI objects
- Indicates an MPLS tunnel virtual interface
- Indicates a Point-to-Point Protocol interface
- Indicates an ATM interface
- Indicates an ISDN and X.25 interface
- Indicates an Asymmetric Digital Subscriber Loop interface
- Indicates a Symmetric Digital Subscriber Loop interface
The Interface Name column lists all the interfaces on a discovered device. Click on an interface to view the traffic details for that interface.
The Status column indicates the current status of that interface.
Icon: Description
- The status of the interface is unknown and no flows have been received for the past 10 minutes.
- The interface is not responding to SNMP requests.
- The interface is responding to SNMP requests and the link is up, but no flows have been received for the past ten minutes.
- The link is up and flows are bei
62. ... from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. (Scans/Probes)
Empty UDP Diagonal Scan (Scans/Probes): Empty UDP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
Empty UDP Grid Scan (Scans/Probes): Empty UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the destination end.
Empty UDP Port Scan Reverse (Scans/Probes): 1. Empty UDP flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Empty UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Empty UDP Host Scan Reverse (Scans/Probes): 1. Empty UDP flows from multiple source hosts to single/multiple
63. ... group: This lets the user monitor the top N sources, destinations, conversations, applications and more, by IN/OUT, for a particular interface group, which can be configured in the dashboard view after creating the dashboard.
4. IP group: This lets the user monitor the top N sources, destinations, conversations, applications and more, by IN/OUT, for a particular IP group, which can be configured in the dashboard view after creating the dashboard.
N can be either 5 or 10 and is configured through the dashboard view after creating the dashboard.
You can reload a widget by clicking its reload icon, delete a particular widget by clicking its delete icon, and configure or edit a widget by clicking Configure or the edit icon.
You can delete a dashboard view by clicking Actions at the top right and choosing Delete in the drop-down; this deletes the current dashboard view. Click Save to save the dashboard view. It can be edited at any later time by going to that dashboard view, clicking Actions at the top right and choosing either Edit layout (to change the name, layout or description) or Add Widgets (to add additional widgets). Once the view is saved, the dashboard is displayed. You can move widgets as you wish by dragging and dropping a widget to another
64. ... is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end. (Scans/Probes)
Short TCP Psh Grid Scan (Scans/Probes): Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy at the source end.
Short TCP Psh Port Scan Reverse (Scans/Probes): 1. Short TCP Psh flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TCP Psh flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Short TCP Psh Host Scan Reverse (Scans/Probes): 1. Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short TCP Psh flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Short TCP Psh Diagonal Scan Reverse (Scans/Probes): Short TCP Psh flows from multiple source hosts to single/multiple
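The Port, Host, Diagonal and Grid Scan definitions in these problem tables (and their Reverse forms, measured at the source end) all reduce to three counts over the flows of one family: distinct hosts, distinct ports and distinct host/port end points. The following added example, which is not code from the guide or the product, classifies a flow set the same way; because the guide names Minimum Vertical/Horizontal/Diagonal Span, Minimum Occupancy, Minimum Aspect Ratio and "fewer" without defining them, the meanings given here are assumptions, and the example generalises the tables by taking the end (destination or source) as a parameter.

```python
"""Flow-geometry classifier for the Port/Host/Diagonal/Grid Scan problems and
their Reverse variants.  Added illustration, not NetFlow Analyzer code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    packets: int = 1
    octets: int = 40
    tcp_flags: int = 0


# TCP flag values quoted in the problem tables: Syn_Ack = 18 (SA),
# Rst_Ack = 20 or 21 (AR / ARF).  "Short" families also need a nominal
# payload of 40..44 octets per packet.
SHORT_TCP_FAMILIES = {"Short TCP Syn_Ack": {18}, "Short TCP Rst_Ack": {20, 21}}


def is_short_tcp(flow: Flow, family: str) -> bool:
    bytes_per_packet = flow.octets / flow.packets
    return 40 <= bytes_per_packet <= 44 and flow.tcp_flags in SHORT_TCP_FAMILIES[family]


@dataclass(frozen=True)
class Thresholds:
    # Assumed semantics (the guide names these knobs but does not define them):
    # vertical span = distinct ports, horizontal span = distinct hosts,
    # diagonal span = distinct end points, occupancy = endpoints / (hosts * ports),
    # aspect ratio = max(hosts, ports) / min(hosts, ports).
    min_vertical_span: int = 10
    min_horizontal_span: int = 10
    min_diagonal_span: int = 10
    min_occupancy: float = 0.5
    min_aspect_ratio: float = 2.0
    few_max: int = 3  # assumed reading of "fewer hosts/ports": 2..few_max distinct values


def geometry(flows: Iterable[Flow], end: str) -> Tuple[int, int, int]:
    """Distinct hosts, ports and (host, port) end points at one end of the flows."""
    if end == "destination":
        endpoints = {(f.dst_host, f.dst_port) for f in flows}
    else:
        endpoints = {(f.src_host, f.src_port) for f in flows}
    hosts = {h for h, _ in endpoints}
    ports = {p for _, p in endpoints}
    return len(hosts), len(ports), len(endpoints)


def classify_scan(flows: Iterable[Flow], t: Thresholds = Thresholds(),
                  end: str = "destination") -> Optional[str]:
    """Scan shape seen at `end`, or None when no definition is met.
    end="destination" yields the plain problems, end="source" the Reverse ones."""
    hosts, ports, endpoints = geometry(list(flows), end)
    if endpoints == 0:
        return None
    occupancy = endpoints / (hosts * ports)
    aspect = max(hosts, ports) / min(hosts, ports)
    suffix = "" if end == "destination" else " Reverse"
    # Diagonal: one distinct port per host, so hosts == ports == end points.
    if hosts == ports == endpoints and endpoints >= t.min_diagonal_span:
        return "Diagonal Scan" + suffix
    # Port scan: a single (or few) host(s) probed on many ports.
    if ports >= t.min_vertical_span and (hosts == 1 or (
            hosts <= t.few_max and occupancy >= t.min_occupancy
            and aspect >= t.min_aspect_ratio)):
        return "Port Scan" + suffix
    # Host scan: many hosts probed on a single (or few) port(s).
    if hosts >= t.min_horizontal_span and (ports == 1 or (
            ports <= t.few_max and occupancy >= t.min_occupancy
            and aspect >= t.min_aspect_ratio)):
        return "Host Scan" + suffix
    # Grid: many hosts on many ports, with the host x port grid well filled.
    if hosts > 1 and ports > 1 and occupancy >= t.min_occupancy and (
            ports >= t.min_vertical_span or hosts >= t.min_horizontal_span):
        return "Grid Scan" + suffix
    return None


def classify_family(flows: Iterable[Flow], family: str, end: str = "destination",
                    t: Thresholds = Thresholds()) -> Optional[str]:
    """Apply the family filter (e.g. 'Short TCP Syn_Ack') before the geometry test."""
    shape = classify_scan([f for f in flows if is_short_tcp(f, family)], t, end)
    return f"{family} {shape}" if shape else None


def sample(kind: str) -> List[Flow]:
    """Constructed sample flow sets (private addresses, not observed traffic)."""
    if kind == "port":      # one target, 20 target ports
        return [Flow("10.0.0.9", 40000 + i, "10.0.0.5", i, tcp_flags=18) for i in range(1, 21)]
    if kind == "host":      # 15 targets, one target port
        return [Flow("10.0.0.9", 40000 + i, f"10.0.0.{i}", 445, tcp_flags=18) for i in range(1, 16)]
    if kind == "diagonal":  # 12 targets, each on its own port
        return [Flow("10.0.0.9", 40000 + i, f"10.0.1.{i}", 1000 + i, tcp_flags=18) for i in range(1, 13)]
    if kind == "grid":      # 5 targets x 10 ports, fully filled
        return [Flow("10.0.0.9", 40000, f"10.0.2.{h}", p, tcp_flags=18) for h in range(1, 6) for p in range(1, 11)]
    if kind == "reverse":   # 12 source hosts hitting one target from source port 53
        return [Flow(f"10.0.3.{i}", 53, "10.0.0.5", 1234, tcp_flags=18) for i in range(1, 13)]
    if kind == "benign":    # three ordinary Syn_Ack replies: too small for any span
        return [Flow("10.0.0.9", 443, f"10.0.4.{i}", 50000 + i, tcp_flags=18) for i in range(1, 4)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("port", "host", "diagonal", "grid", "reverse", "benign"):
        end = "source" if kind == "reverse" else "destination"
        print(f"{kind:9s} -> {classify_family(sample(kind), 'Short TCP Syn_Ack', end)}")
```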
65. ... match criterion. Up to eight DSCP values can be included in one match statement.
Step 11: Router(config-cmap)# match field protocol protocol-field {eq [mask] | neq [mask] | gt | lt | range range | regex string} value [next next-protocol]
(Optional) Configures the match criteria for a class map on the basis of the fields defined in the protocol header description files (PHDFs).
Step 12: Router(config-cmap)# match fr-dlci dlci-number
(Optional) Specifies the Frame Relay data-link connection identifier (DLCI) number as a match criterion in a class map.
Step 13: Router(config-cmap)# match input-interface interface-name
(Optional) Configures a class map to use the specified input interface as a match criterion.
Step 14: Router(config-cmap)# match ip rtp starting-port-number port-range
(Optional) Configures a class map to use the Real-Time Protocol (RTP) port as the match criterion.
Step 15: Router(config-cmap)# match mpls experimental mpls-values
(Optional) Configures a class map to use the specified value of the Multiprotocol Label Switching (MPLS) experimental (EXP) field as a match criterion.
Step 16: Router(config-cmap)# match mpls experimental topmost values
(Optional) Matches the MPLS EXP value in the topmost l
66. ... of location modes for the Offenders and Targets columns: You can choose the type of location to be displayed in the offender location and target location columns of the event list report.
More Actions: Allows you to change the status of a specific event or a set of selected events. You can open, close or delete the selected events.
Event Details Report
The Event Details Report displays all the attributes of a specific generated event. Click View in the event list report to get to this page. The report displays the event ID and the problem that you selected, together with: volume, packets, hits, unique source IPs (offenders), unique destination IPs (targets), unique source networks, unique destination networks, unique source ports, unique destination ports, unique applications, unique TCP flags, unique protocols, unique ToS values, unique in interfaces (routed via), unique out interfaces, unique connections and unique router IPs.
[Screenshot: Event Details for Event Id 4715, with a Show DNS control, the fields listed above, and Problem: Short TCP Ack Port Scan] More
67. ... of the applications for a range of IP addresses / web (80 TCP, 80 UDP) traffic details for a range of IP addresses / across multiple interfaces for a range of IP addresses / using a particular DSCP name for a range of IP addresses.
Port/Protocol row:
- with IP addresses: View web (80 TCP / 80 UDP) traffic details for a range of IP addresses
- with Port/Protocol: View web (80 TCP / 80 UDP) traffic generated across the network
- with Interfaces: View web (80 TCP / 80 UDP) traffic generated across multiple interfaces
- with DSCP: View web traffic using the particular DSCP name
Interfaces row:
- with IP addresses: View bandwidth details across multiple interfaces for a range of IP addresses
- with Port/Protocol: View web (80 TCP / 80 UDP) traffic generated across multiple interfaces
- with Interfaces: Not possible
- with DSCP: View the traffic traversing the multiple interfaces with the particular DSCP name
DSCP row:
- with IP addresses: View bandwidth details of the applications using a particular DSCP name
- with Port/Protocol: View web traffic using the particular DSCP name
- with Interfaces: View the traffic traversing the multiple interfaces with the particular DSCP name
- with DSCP: Not possible
Creating an IP Group
The IP Group Management link in the Admin Operations box lets you create, modify and delete IP groups. Click this link and then click Create to create a new IP group. Fill in the following information and click Add to add the new IP group to the current list of IP groups.
Field: Description
IP Group Name: Enter a unique name to identify this IP group.
IP Group Descripti
68. ... on the router. Initially, CBQoS has to be enabled on the router manually, and policies then have to be defined on the router. Traffic policies usually depend on the type of enterprise and its business needs (heavy voice traffic, heavy document transfer, heavy streaming video traffic, and so on). Policy classification is done on the basis of class maps and policy maps.
A class map is a mechanism that you use to isolate and name a specific traffic flow, or class, from all other traffic. The class map defines the criteria used to match against a specific traffic flow in order to classify it; the criteria can include matching the access group defined by an ACL, or matching a specific list of DSCP or IP precedence values. If you have more than one type of traffic that you want to classify, you can create another class map under a different name.
After a packet is matched against the class map criteria, you specify the QoS actions via a policy map. A policy map specifies the QoS actions for the traffic classes. Actions can include trusting the CoS or DSCP values in the traffic class, setting a specific DSCP or IP precedence value in the traffic class, or specifying the traffic bandwidth limitations and the action to take when the traffic is out of profile. Before a policy map can take effect, you must attach it to an interface. After a packet is classified and has an internal DSCP value assigned to it, the policing and marking process
69. ... option allows the user to select the devices in terms of interfaces or IP groups. By default the top 10 interfaces or IP groups by utilization are chosen; this can be modified by clicking the Modify button.
Generate Report: Invokes the report for the defined criteria.
Report Options: The report option can be chosen as one of:
- Show Speed
- Show Utilization
- Show Packets
Maximize: When the Generate Report option is invoked, the filter condition frame is minimized to offer a better view of the graph report without scrolling. The filter frame can be restored using the Maximize button.
Minimize: The Minimize button can be used to minimize the filter frame for a better view of the report graph generated, without scrolling.
Search Report
Search Reports can be used to generate reports specific to the user. This is especially useful in finding out the bandwidth utilization of a specific host or application. Click More Reports and select Search Reports to set the criteria and view reports. In the pop-up window that opens, click the Select Devices link to select the routers and/or interfaces whose traffic needs to be analyzed. Under Report Criteria you can specify a maximum of three filtering criteria: Source/Destination Address, Source/Destination Network, Source/Destination Nodes, Application, Port, Port Ra
70. ... options can be selected: utilization graph (as a percentage) or speed graph (in bps).
- Mail attachment options: Choose whether you want the attachments as ZIP or PDF. If you select PDF, you can also select the number of PDFs you want attached to the mail.
- QoS options: You can select between DSCP and ToS.
You can also enable the option to access older reports from the UI.
Configuring a new Schedule
The steps to configure a schedule are:
1. Log in to the NetFlow Analyzer client and click Schedule Reports under Admin Operations in the left panel.
2. Click Add to add a new schedule profile.
3. Fill in the following details:
Field: Description
Scheduler Name: Enter a unique name to identify this scheduler.
Description: Enter descriptive information for this scheduler profile to help other operators understand why it was created.
Devices and IP Groups: By default all IP groups are selected. If you want this schedule configuration to apply to certain IP groups only, click the Modify Selection link. In the pop-up window, select the required devices and IP groups and click Update to save your changes.
Report Type: Select the type of reports to be generated from the drop-down. It offers consolidated traffic, source, NBAR, custom, QoS reports and many more options.
Schedule: Select the report gener
71. ... out the HTTP connection parameters by placing the <!-- tag before and the --> tag after the following lines:
    <!-- A HTTP/1.1 Connector on port 8090 -->
    <Connector port="8090" address="${jboss.bind.address}"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
        enableLookups="false" redirectPort="8493" acceptCount="100"
        connectionTimeout="20000" disableUploadTimeout="true"/>
Enabling SSL
1. In the same file, enable the HTTPS connection parameters by removing the <!-- tag before and the --> tag after the following lines:
    <!-- SSL/TLS Connector configuration using the admin devl guide keystore
    <Connector port="8493" address="${jboss.bind.address}"
        maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
        scheme="https" secure="true" clientAuth="false"
        keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
        keystorePass="rmi+ssl" sslProtocol="TLS"/>
    -->
2. Replace the default values of the following parameters as follows:
    Default value: keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
    New value:     keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    Default value: keystorePass="rmi+ssl"
    New value:     keystorePass="pqsecured"
Changing the web server port
1. Edit the sample-bindings.xml file present in the directory <NetFlowAnalyze
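A quick way to confirm that the server.xml edit above ended up as the guide intends (plain HTTP connector on 8090 commented out, HTTPS connector on 8493 active, sample keystore and password replaced) is to parse the file and list what is still in the shipped state. This is an added example, not part of the guide or the product; the XML fragments are constructed to mirror the connectors shown above, and the sample password is assumed to be "rmi+ssl".

```python
"""Checks a server.xml <Service> against the end state described in the guide.
Added illustration, not NetFlow Analyzer code; inputs are constructed."""
import xml.etree.ElementTree as ET
from typing import List

SAMPLE_KEYSTORE = "chap8.keystore"  # sample keystore file named in the guide
SAMPLE_PASSWORD = "rmi+ssl"         # its sample password (assumed value)


def check_connectors(server_xml: str) -> List[str]:
    """Return findings; an empty list means the file matches the guide's end state.
    ElementTree drops XML comments, so a commented-out <Connector> is simply absent."""
    findings = []
    root = ET.fromstring(server_xml)
    https = []
    for c in root.iter("Connector"):
        if c.get("scheme") == "https" and c.get("secure") == "true":
            https.append(c)
        elif c.get("port") == "8090":
            findings.append("plain HTTP connector on port 8090 is still enabled")
    if not https:
        findings.append("no active HTTPS connector (still commented out?)")
    for c in https:
        if c.get("keystoreFile", "").endswith(SAMPLE_KEYSTORE):
            findings.append("HTTPS connector still points at the sample keystore")
        if c.get("keystorePass") == SAMPLE_PASSWORD:
            findings.append("HTTPS connector still uses the sample keystore password")
        if c.get("sslProtocol") != "TLS":
            findings.append("HTTPS connector sslProtocol is not TLS")
    return findings


# Constructed connector fragments modelled on the ones quoted in the guide.
HTTP_8090 = ('<Connector port="8090" address="${jboss.bind.address}" maxThreads="150" '
             'enableLookups="false" redirectPort="8493" connectionTimeout="20000"/>')


def https_8493(keystore: str, password: str) -> str:
    return (f'<Connector port="8493" address="${{jboss.bind.address}}" scheme="https" '
            f'secure="true" clientAuth="false" keystoreFile="{keystore}" '
            f'keystorePass="{password}" sslProtocol="TLS"/>')


def server_xml(http_commented: bool, https_commented: bool,
               keystore: str, password: str) -> str:
    """Build a constructed <Service> in the shipped, half-edited or finished state."""
    http = f"<!-- {HTTP_8090} -->" if http_commented else HTTP_8090
    https = https_8493(keystore, password)
    if https_commented:
        https = f"<!-- {https} -->"
    return f'<Service name="jboss.web">{http}{https}</Service>'


SHIPPED = server_xml(False, True, "${jboss.server.home.dir}/conf/chap8.keystore", "rmi+ssl")
HALF_DONE = server_xml(False, False, "${jboss.server.home.dir}/conf/chap8.keystore", "rmi+ssl")
FINISHED = server_xml(True, False, "${jboss.server.home.dir}/conf/server.keystore", "pqsecured")

if __name__ == "__main__":
    for name, xml in (("shipped", SHIPPED), ("half done", HALF_DONE), ("finished", FINISHED)):
        print(f"{name:9s} -> {check_connectors(xml) or 'OK'}")
```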
72. path link to view the statistics of a monitor.
- The Monitorwise Health Report details the performance of each path. By clicking on the status image you can view details of threshold violation, availability, errors and round trip time.

Enabling WAN RTT Monitoring using IP Group Management
IP Group Management lets you monitor departmental, intranet or application-specific traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol. Now, using IP Group Management, you can also monitor WAN round trip time for a specific IP address or IP range and analyze the latency and quality of service between two locations.
In order to enable WAN RTT monitoring using IP Group Management, you need to specify the individual IP address or IP range. You can also monitor range latency between two different sites under the IP group option. The IP address under the specified IP group acts as the destination IP address, while you have to specify the source IP address. Using the Include and Between Sites options you can monitor WAN performance for individual IP addresses and ranges of IP addresses, but not for IP networks. The added monitor can be viewed under the Traffic tab of IP groups along with the average WAN round trip time details.
Click on the check box that reads "Also Enable WAN RTT" to enable WAN RTT monitoring under IP Group Management.
73. period of time. Choose between IN and OUT to display the application-wise distribution of incoming or outgoing traffic respectively. The default view of the application report shows Traffic IN details. For ease of monitoring, the applications can be grouped as application groups and top sites.

Applications Report
The report shows the application-wise distribution of incoming and outgoing traffic. The list of applications is ordered to show the top applications that contribute the most network traffic, along with the volume of traffic and the percentage of total network traffic each occupies. Clicking on the application name opens the detailed report of all the conversations. The conversation detail report lists the number of resources that accessed the specific application. It gives the details of the conversation, such as source, destination, application type, ports involved, protocol, DSCP, volume of traffic and the percentage of traffic the specific conversation contributes. The pie graph below the table gives a quick view of the top applications and the percentage of traffic each occupies in the network.
The Show Ports link next to an application name indicates that the application is not identified by NetFlow Analyzer. When you click on the Show Ports link, a window opens showing the port and protocol details for this application. If it is a valid application, you can then add it to the list of applications in the Application Mapping page.
74. port number of the new application. To enter a port range, separate the start and end points of the range with a hyphen, e.g. 1400-1700.
3. Choose the protocol from the list of protocols.
4. Choose one of the options from IP Address, IP Network and IP Range. Depending on what you opt for, a set of fields is enabled and should be filled:
   - If you opt for IP Address, then you have to enter the address in the IP Address box.
   - If you opt for IP Network, then you have to enter the IP Network and IP Netmask details.
   - If you opt for IP Range, then you have to enter the Start IP, End IP and IP Netmask.
   Enter a unique name for the application.
5. The Application Name has to be entered finally, by which the IP address is associated with an application.
Note: Ensure that the combination of port number and protocol is unique. If not, the older application mapping will be deleted.
Once you are done, click the Update button to save your changes.

Modifying an Application
Select an application and click the Modify button to modify its properties.
Note: You can only change the name of the application. If you need to change the port or the protocol, you have to delete the application and add it as a new application.
Once you are done, click the Update button to save your changes.

Deleting an Application
Select an application and click the Delete button to delete it. The application is permanently deleted, the corresponding port is freed and can b
75. profile and click on Delete to delete the profile. Once an alert profile is deleted, all alerts associated with that profile are automatically cleared. However, it is not possible to delete the Link Down alert profile.

Schedule Reports
It is a good idea to schedule reports to be run at non-peak traffic hours, since generation of reports is a resource-hungry process, especially for large numbers of interfaces. An easy scheduling option is available in NetFlow Analyzer for any particular interface while drilling down: click on the Actions tab on the top right and, from the dropdown options, click on Add Schedule. You can give a schedule name, description and other scheduling options as per your requirement.
A Scheduler is configured to set the parameters for automating the generation of reports. The parameters to be set for creating a Scheduler are:
- Source: The Interfaces or IP Groups which are the source of traffic.
  - Interfaces: The list of interfaces whose bandwidth utilization must be watched. One report will be generated for each interface selected.
  - IP Groups: The IP groups whose bandwidth utilization must be watched. One report will be generated for each IP Group created.
- Report Type: The type of report to be generated. Please select as per your requirement from the dropdown consisting of the following:
  - Consolidated report, Traffic report, Applicatio
76. router in global configuration mode.
Command: Purpose
ip flow-export destination {hostname | ip_address} 9996: Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.
ip flow-export version {5 | 7} [peer-as | origin-as]: Exports NetFlow cache entries in the specified version format (5 or 7). If your router uses BGP, you can specify that either the origin or peer ASs are included in exports; it is not possible to include both.

Juniper Devices (cflowd / J-Flow)
Configuring flow exports on Juniper Routers
This section gives the steps to configure cflowd / J-Flow export on Juniper devices. To enable sampling and to export the flow records to a specific destination address, use the following configuration:
forwarding-options {
    sampling {
        input {
            family inet {
                rate 100;
                run-length 9;
                max-packets-per-second 7000;
            }
        }
        output {
            cflowd <destination address> {
                port <port number>;
                source-address <source address>;
                version <version number>;
                no-local-dump;
                autonomous-system-type origin;
            }
        }
    }
}
To enable packet sampling on the particular interface(s) from which flow analysis is to be done, follow the below steps:
interfaces {
    ge-1/3/0 {
        vlan-tagging;
        unit 101 {
            vlan-id 101
77. so on.
7. How do I configure NetFlow Version 9?
Please refer to the following document for configuring NetFlow version 9: http://www.cisco.com/en/US/docs/ios/12_3/feature/gde/nfv9expf.html

Technical Information
1. How is traffic information stored in the NetFlow Analyzer database?
For each report, NetFlow Analyzer stores traffic information in a different manner. The following tables describe the data storage pattern for the various reports generated by NetFlow Analyzer.

Data storage pattern
Granularity: Traffic Tables (SRC & DST) / Application, Source, Destination and Conversation
10 Min: 30 hours / 25 hours
Hourly: 62 Days / 45 Days
6 Hour: 32 Days / 62 Days
24 Hour: 92 Days / 92 Days
Weekly: forever / forever

Reports for last day
Time Period: Traffic Tab / Application, Source, Destination and Conversation
Last 26 hour period: 1 minute granularity / hourly granularity
Less than 6 hour interval: 1 minute granularity / 10 minute granularity
Less than 2 hour interval: 1 minute granularity / 1 minute granularity

Reports for last week
Time Period: Traffic Tab / Application, Source, Destination and Conversation
Last days: hourly granularity / hourly granularity
Less than 12 hour interval: 1 minute granularity / hourly granularity
Less than 2 hour interval: 1 minute granularity / 1 minute granularity
(If no raw table is available, the report goes to hourly granularity.)

Reports for
78. source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints).
Problem: TCP Rst Grid Scan Reverse; Class: Scans & Probes; Description: TCP Rst flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
Problem: TCP Syn_Fin Violations; Class: Suspect Flows; Description: TCP flows with TCP Flags value IN (3 [SF], 7 [RSF]), denoting TCP Syn_Fin or Syn_Rst_Fin flows but without Urg/Ack/Psh flags, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied.
Problem: TCP Syn_Fin Attack; Class: DoS / Flash Crowd; Description: TCP Syn_Fin flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
Problem: TCP Syn_Fin Inflood; Class: DoS / Flash Crowd; Description: TCP Syn_Fin flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Problem: TCP Syn_Fin Outflood; Class: DoS / Flash Crowd; Description: 1. TCP Syn_Fin flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. TCP Syn_Fin flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
Problem: TCP Syn_Fin Port Scan; Class: Scans & Probes; Description: 1. TCP Syn_Fin flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical
79. source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Problem: ICMP Request Outflood; Class: DoS / Flash Crowd; Description: 1. ICMP Requests from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Requests from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
Problem: ICMP Request Host Scan; Class: Scans & Probes; Description: 1. ICMP Requests from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. ICMP Requests from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Problem: ICMP Request Host Scan Reverse; Class: Scans & Probes; Description: 1. ICMP Requests from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. ICMP Requests from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Problem: Excess ICMP Responses; Class: Suspect Flows; Description: ICMP Response flows with Dst Port value IN (0 [Echo Reply], 3584 [Timestamp Reply], 4096 [Information Reply], 4608 [Address Mask Reply]), touching or exceeding the Upper Limit, and none of the following de
80. tab. Now the map view will open up with the location you had last specified. To edit it, that is, to move the pointer to the desired location, click on the area of the map where you think it should point to. The last location you click, in the course of locating your resource through n different clicks on the map, is taken as the final one.

Deleting a location
You may remove any resource (router) from being shown on the map by clicking on the Delete button against the resource in the Google Map Settings tab.

WAAS Settings
Cisco's Wide Area Application Services (WAAS) is a solution designed to optimize application performance and infrastructure consolidation in WAN environments. WAAS consists of a GUI and a set of system devices called Wide Area Application Engines (WAEs) that work together to optimize TCP traffic over your network. When client and server applications attempt to communicate with each other, the network intercepts and redirects this traffic to the WAEs so that they can act on behalf of the client application and the destination server. The WAAS GUI is used to centrally configure and monitor the WAEs and application policies in your network.

WAAS Central Manager (CM) Settings
Cisco WAAS is centrally managed by a function called the Cisco WAAS Central Manager that runs on Cisco WAE appliances. The Cisco WAAS Central Manager can be accessed from a w
81. technologies such as NAT, MPLS, BGP next hop and Multicast. The main feature of the Version 9 export format is that it is template based.
2. What is the memory impact on the router due to V9?
The memory used depends upon the data structures used to maintain template flowsets. As the implementation does not access the NetFlow cache directly, the memory used is not very high.
3. "Receiving non-V5/V7/V9 packets from the following devices. Click here for further details." What does this mean?
If you get this message on the user interface, it means that NetFlow packets with versions other than version 5, 7 or 9 are being received by NetFlow Analyzer. Check your router settings to make sure that only version 5, 7 or 9 NetFlow exports are being sent to NetFlow Analyzer. This is because NetFlow Analyzer supports only NetFlow version 5, 7 and 9 exports.
4. Is version 9 backward compatible?
Version 9 is not backward compatible with Version 5 or Version 8. If you need Version 5 or Version 8, then you must configure Version 5 or Version 8.
5. What is the performance impact of V9?
Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets requires additional processing.
6. What are the restrictions for V9?
Version 9 allows for interleaving of various technologies. This means that you should configure Version 9 if you need data to be exported from various technologies such as Multicast, DoS, IPv6, BGP next hop and
82. the IP SLAs video operation must be capable of providing platform-assisted video traffic generation and reflection.
- Time synchronization, such as that provided by Network Time Protocol (NTP), is required between the source and the responder device in order to provide accurate one-way delay (latency) measurements.

Restrictions for IP SLA video operations
- This feature is supported only on Cisco devices that are capable of generating platform-assisted video traffic and reflection, such as the Cisco Catalyst 3560, 3560-E, 3560-X, 3750, 3750-E and 3750-X Series switches.
- IP SLAs video operations do not support Round Trip Time (RTT) traffic.
- Because IP SLAs video operations support only one-way traffic, an operation and a responder must be configured on both the source and responder, and both devices must support SNMP access.
- IP SLAs video operations are supported in IPv4 networks only.

Advanced Security Analytics Module
Advanced Security Analytics Module (ASAM) is a flow-based network security analytics tool that helps detect and classify network intrusions. It offers intelligence to detect a broad spectrum of external and internal security threats. Using the Continuous Stream Mining Engine technology, ASAM analyzes NetFlow packets in real time and matches multiple events without duplication. It also offers continuous overall assessment of network
83. the source IP in the filter created.
- Destination: Add the destination IP Address, IP Range or IP Network that has to be included in or excluded from the filter. You can add more than one IP address as destination IP in the filter created.
- DSCP: Select the appropriate Differentiated Services Code Point (DSCP) name from the list provided. You can also select the appropriate type of service from the available ToS values.
- Protocol: From the list provided, select the appropriate protocols that have to be either included in or excluded from the filter.

Managing Report Profiles
Report profiles are created based on user-defined criteria. You can individually edit and delete the report profiles created. The user can also edit and delete the created filters for specific report profiles using the edit and delete icons. You can also create weekly and monthly filters only for the business hour period. You can view the records either as a Widget or in a Tab. The widget view lists the top ten records of the selected report profile, while the tab view lists all conversations. The report profile can either be downloaded as PDF or exported as CSV using NetFlow Analyzer. The report profile also offers a schedule report option where reports can be scheduled instantly. The scheduled reports can be exported as CSV and PDF and contain the top 100 records of the time specified.

Traffic Reports
84. this AS for the selected time period. The Traffic IN Details and the Traffic OUT Details show sampled values of traffic generated over the selected time period.

Troubleshooting
The Troubleshoot link lets you set criteria and view specific details about the traffic across a single interface. Data for Troubleshooting reports is taken directly from raw data, which means that Troubleshooting reports will be available only for the maximum time period for retaining raw data configured under Settings.
Click the icon against an interface on the Dashboard Interface View, or the Troubleshoot link present above the traffic graphs for an interface, to open a popup with options to set criteria for viewing reports. In the pop-up window that opens up, click the Select Devices link to change the interface that you want to troubleshoot.
Under Search Criteria, enter the criteria on which traffic needs to be filtered. You can enter any of the following criteria to filter traffic: Source/Destination Address, Source/Destination Network, Source/Destination Nodes, Application, Port, Port Range.
The From and To boxes let you choose custom time periods for the report. Use the icon to select the date and time easily. Ensure that the time period selected falls within the Raw Data Retention Period set under Settings, otherwise graphs will show no data.
Use the IN/OUT box to display v
85. time taken for a caller's voice at the source site to reach the other caller at the destination site is called latency. Network latency contributes to delay in voice transmission, resulting in huge gaps in the conversation and interruptions.
Packet Loss: Packet loss is a measure of the data lost during transmission from one resource to another in a network. Packets are often discarded due to network latency.
MOS: The jitter codec determines the quality of VoIP traffic, and each codec provides a certain quality of speech. The Mean Opinion Score is a standard for measuring voice codecs and is measured on a scale of 1 to 5 (poor quality to perfect quality). The quality of transmitted speech is a subjective response of the listener.

How it works
NetFlow Analyzer primarily relies on Cisco's IP SLA for monitoring VoIP, and the prerequisite therefore is that the device should be a Cisco router and must have the IP SLA agent enabled on it. From IOS Version 12.3(14)T, all Cisco routers support monitoring of VoIP QoS metrics. Cisco's IP SLA, an active monitoring feature of Cisco IOS software, facilitates simulating and measuring the above-mentioned parameters to ensure that your SLAs are met. Cisco IP SLA provides a UDP jitter operation where UDP packets are sent from the source device to a destination device. This simulated traffic is used to determine the jitter, the round trip time, packet loss and latency. This data is gathered for multiple test
86. to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints). (Problem: Short TCP Handshake Diagonal Scan; Class: Scans & Probes.)
Problem: Short TCP Handshake Grid Scan; Class: Scans & Probes; Description: Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.
Problem Name / Description / Class
Problem: Short TCP Handshake Port Scan Reverse; Class: Scans & Probes; Description: 1. Short TCP Handshake flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TCP Handshake flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Problem: Short TCP Handshake Host Scan Reverse; Class: Scans & Probes; Description: 1. Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short TCP Handshake flows from multiple sour
87. transport protocol and use the Version 9 export format.
To configure a flow exporter for the flow monitor, in order to export the data that is collected by Cisco Performance Monitor to a remote system for further analysis and storage, perform the following optional task. For Cisco Performance Monitor, flow exporters are configured the same way as they are configured for Cisco IOS Flexible NetFlow.
Summary Steps
1. enable
2. configure terminal
3. flow exporter exporter-name
4. description description
5. destination {ip-address | hostname} [vrf vrf-name]
6. export-protocol netflow-v9
7. dscp dscp
8. source interface-type interface-number
9. option {exporter-stats | interface-table | sampler-table} [timeout seconds]
10. output-features
11. template data timeout seconds
12. transport udp udp-port
13. ttl seconds
14. end

4. Configuring a Flow Record for Cisco Performance Monitor
The basic concepts and techniques for configuring a flow record for Cisco Performance Monitor are the same as for flow records for Flexible NetFlow. The flow record specifies how the collected data is aggregated and presented. The only significant difference is that for Cisco Performance Monitor the command includes "type performance-monitor".
Summary Steps
1. enable
2. configure terminal
3. flow record type performance-monitor record-name
4. match ipv4 destination address prefix min
88. use the bandwidth command. Not all QoS features are available on all platforms or in all Cisco IOS releases. For the features and commands available to you, see the Cisco IOS documentation for your platform and the version of Cisco IOS software you are using.

Configuration Steps
Step: Command or Action: Purpose
Step 1: Router> enable: Enables privileged EXEC mode.
Step 2: Router# configure terminal: Enters global configuration mode.
Step 3: Router(config)# policy-map policy-name: Creates or specifies the name of the traffic policy and enters policy-map configuration mode.
Step 4: Router(config-pmap)# class {class-name | class-default}: Specifies the name of a traffic class previously created in the Creating a Traffic Class section and enters policy-map class configuration mode.
Use one or more of the following commands to enable the specific QoS feature you want to use.
Step 5: Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percent}: (Optional) Specifies a minimum bandwidth guarantee to a traffic class in periods of congestion. A minimum bandwidth guarantee can be specified in kbps or by a percentage of the overall available bandwidth.
Step 6: Router(config-pmap-c)# fair-queue [number-of-queues]: (Optional) Specifies the number of queues to be reserved for a tra
89. values ten minutes before and after the alert was generated, along with details on top applications, sources, destinations and conversations recorded during that time interval.

Link Down Alert
This is a preconfigured alert to send an email when the link goes down or when there are no flows for more than 15 minutes. By default this profile is disabled. This is similar to other alerts that are manually configured, except that it can't be deleted. It is possible to have emails sent by this alert whenever no flows are received for over 15 minutes. It becomes activated only after the mail server settings are configured.

Operations on Alert Profiles
You can create new alert profiles, and modify or delete existing ones, from the Alert Profiles page.

Creating a new Alert Profile
Remember to set the active timeout value on the router to 1 minute so that alerts are generated correctly. Refer to the Cisco commands section for more information on router settings.
The steps to create an Alert Profile are:
1. Login to the NetFlow Analyzer client and click Alert Profile Management under Admin Operations in the left panel.
2. Click Add to add a new Alert Profile.
3. Fill in the following details:
Field: Description
Alert Profile Name: Enter a unique name to identify this alert profile.
Description: Enter descriptive information for this alert profile to help other operators understand why it was created.
Select Source
90. violation trends and
- Advanced Security Analytics Module: Advanced Security Analytics Module (ASAM) helps you safeguard your network with zero-day security analytics. ASAM offers continuous network security monitoring and anomaly detection capabilities and helps you troubleshoot network incidents faster.
- Wide Area Application Services: Wide Area Application Services (WAAS) optimizes the performance of TCP-based applications in a WAN. NetFlow Analyzer interprets optimized data from the WAAS Central Manager together with NetFlow data to provide in-depth visibility into the optimization of WAN applications. It also reports on the complete distribution of applications optimized by any WAE in series with routers exporting NetFlow.

VoIP Monitor
About VoIP Monitor
The Cisco IPSLA monitor, or VoIP monitor, comes as an add-on feature in NetFlow Analyzer and requires a license to run. NetFlow Analyzer continuously monitors the key performance metrics of the VoIP network to determine its health. The parameters measured include Jitter, Latency, Packet Loss, etc.
Jitter: Jitter indicates a variation in delay between arriving packets (inter-packet delay variance). Users often experience uneven gaps in the speech pattern of the person talking on the other end, and sometimes there are disturbing sounds over a conversation, coupled with loss of synchronization, etc.
Latency: The delay measured is the
91. where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints). (Problem: ... Diagonal Scan Reverse; Class: Scans & Probes.)
Problem: TCP Xmas Grid Scan Reverse; Class: Scans & Probes; Description: TCP Xmas flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
Problem: Malformed TCP Packets; Class: Suspect Flows; Description: TCP flows with BytePerPacket less than the minimum 40 octets (bytes), touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied.
Problem: Malformed TCP Attack; Class: DoS / Flash Crowd; Description: Malformed TCP flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
Problem: Malformed TCP Inflood; Class: DoS / Flash Crowd; Description: Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Problem: Malformed TCP Outflood; Class: DoS / Flash Crowd; Description: 1. Malformed TCP flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Malformed TCP flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
Problem: Malformed TCP ...; Description: 1. Malformed TCP flows from s
92. with TCP Flags value equal to 0 [Null], touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. (Class: Suspect Flows.)
Problem: TCP Null Attack; Class: DoS / Flash Crowd; Description: TCP Null flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
Problem: TCP Null Inflood; Class: DoS / Flash Crowd; Description: TCP Null flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
Problem: TCP Null Outflood; Class: DoS / Flash Crowd; Description: 1. TCP Null flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. TCP Null flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
Problem: TCP Null Port Scan; Class: Scans & Probes; Description: 1. TCP Null flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. TCP Null flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
Problem: TCP Null Host Scan; Class: Scans & Probes; Description: 1. TCP Null flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. TCP Null flows from single/mul
93. 0: Internet Gopher Protocol
HTTP / TCP / 80: Hypertext Transfer Protocol
Type / TCP or UDP Protocol / Well Known Static Port Number: Description
HTTPS / TCP / 443: Secured HTTP
IMAP / TCP, UDP / 143, 220: Internet Message Access Protocol
IRC / TCP, UDP / 194: Internet Relay Chat
Kerberos / TCP, UDP / 88, 749: The Kerberos Network Authentication Service
L2TP / UDP / 1701: L2F/L2TP Tunnel
LDAP / TCP, UDP / 389: Lightweight Directory Access Protocol
MS SQLServer / TCP / 1433: Microsoft SQL Server
NetBIOS / TCP / 137-139: NetBIOS over IP (Microsoft Windows)
NetBIOS / UDP / 137, 138: NetBIOS over IP (Microsoft Windows)
NFS / TCP, UDP / 2049: Network File System
NNTP / TCP, UDP / 119: Network News Transfer Protocol
Notes / TCP, UDP / 1352: Lotus Notes
NTP / TCP, UDP / 123: Network Time Protocol
PCAnywhere / TCP / 5631, 65301: Symantec PCAnywhere
PCAnywhere / UDP / 22, 5632: Symantec PCAnywhere
POP3 / TCP, UDP / 110: Post Office Protocol
PPTP / TCP / 1723: Point-to-Point Tunneling Protocol
RIP / UDP / 520: Routing Information Protocol
RSVP / UDP / 1698, 1699: Resource Reservation Protocol
SFTP / TCP / 990: Secure FTP
SHTTP / TCP / 443: Secure HTTP
SIMAP / TCP, UDP / 585, 993: Secure IMAP
SIRC / TCP, UDP / 994: Secure IRC
SLDAP / TCP, UDP / 636: Secure LDAP
SNNTP / TCP, UDP / 563: Secure NNTP
SMTP / TCP / 25: Simple Mail Transfer Protocol
SNMP / TCP
94. 084, 0.047, 0.032
sorted_out: 3.988, 1.435, 1.427, 1.385, 1.347, 1.265, 1.248, 1.229, 1.221, 1.013, 1.002, 0.992, 0.940, 0.896, 0.874, 0.689, 0.523, 0.438, 0.347, 0.231
Each sample set contains 20 samples. 5% of 20 is 1, so discarding the top 5% means we must discard the top sample from each data set. We are now left with:
remaining_in: 0.653, 0.370, 0.276, 0.233, 0.218, 0.203, 0.201, 0.198, 0.185, 0.182, 0.169, 0.157, 0.139, 0.131, 0.126, 0.116, 0.084, 0.047, 0.032
remaining_out: 1.435, 1.427, 1.385, 1.347, 1.265, 1.248, 1.229, 1.221, 1.013, 1.002, 0.992, 0.940, 0.896, 0.874, 0.689, 0.523, 0.438, 0.347, 0.231
The highest sample from each remaining data set is the 95th percentile value for the originating set. So for each set above we obtain the following values:
95th_in = 0.653 Mbps
95th_out = 1.435 Mbps
The higher of the two computed 95th percentile values becomes the final 95th percentile value used for billing:
95th percentile = 1.435 Mbps

Volume based billing
The Bill Plan List tab lets you create a new bill plan. To create a bill plan, click on the Add Plan tab. The fields and their description are given below.
Enter Billing Details
Field: Description
Bill Plan: Enter the name you wish to assign for this bill plan.
Bill Plan Description: Describe the plan for detailed understanding and for future reference.
Bill Type: Select Volume.
Base Volume: Enter the base volume
95. Problem class catalogue (Advanced Security Analytics Module)

The table below lists some of the important abbreviations used in this document with their expansions.

| Abbreviation | Expansion |
|---|---|
| IP | Internet Protocol address |
| Src | Source |
| Dst | Destination |
| P2P | Peer to Peer |
| ToS | Type of Service |
| DoS | Denial of Service |
| TCP U, A, P, R, S, F | TCP Urg, Ack, Psh, Rst, Syn, Fin flags |

The table below lists the set of classes used for classifying problems, with a brief description.

| Class name | Description |
|---|---|
| Bad Src/Dst | Either the Src IP or the Dst IP of the flow is suspicious. |
| Suspect Flows | Some attribute(s) other than the Src IP and Dst IP of the flow is suspicious. |
| DoS | Denial of Service attack. |
| Scans and Probes | Flows are sent to a specific host using multiple ports, or to multiple hosts on a single port. |

The table below lists the different threshold definitions.

Aggregation Limit Settings

| Setting | Description |
|---|---|
| Lower Limit | Minimum number of flows required for performing heuristic analysis and verifying the presence of derived problems like Port Scan, Host Scan, Inflood, etc. |
| Upper Limit | Maximum number of flows accrued in a single event under default
96. (continued) ...500, 2600, 3600, 4500, 4700, AS5300, AS5800

- 12.0(4)T: RSP 7000 and 7200 series, uBR 7200 and 7500 series, RSM series, MGX8800RPM series and BPx8650 series
- 12.0(3)T, 12.0(3)S, 12.0(4)XE: Cisco 7100 series
- 12.0(6)S: Cisco 12000 series

NetFlow is also supported by these devices: Cisco 800, 1700, 1800, 2800, 3800, 6500, 7300, 7600, 10000, CRS-1, and these Catalyst series switches: 45xx, 55xx, 6xxx.

These devices do not support NetFlow: Cisco 2900, 3500, 3660, 3750.

Cisco switches: NetFlow export is also supported on other Cisco switches when using a NetFlow Feature Card (NFFC or NFFC II) and the Route Switch Module (RSM) or Route Switch Feature Card (RSFC). However, check whether version 5 is supported, as most switches export version 7 by default.

NetFlow Version 9 support

Supported platforms: the following platforms support NetFlow Version 9 data export: Cisco 2600 series, Cisco 3600 series, Cisco 7100 series, Cisco 7200 series, Cisco 7300 series, Cisco 7400 series, Cisco 7500 series, Cisco 12000 series.

Other vendors: some of the major vendors supporting NetFlow include
- 3Com: 8800 Series Switches
- Adtran: NetVanta 3200, 3305, 4305, 5305, 1524, 1624, 3430, 3448, 3130, 340 and 344 (supports NetFlow version 9)
- Juniper Networks: does not support the sampling interval attribute; first and last times are stored in second
97. [Screenshot, continued: Security Event Troubleshoot Report. Every row has source IP 73.168.0.6; destination IPs are the odd hosts 73.168.1.1 through 73.168.1.19; application tcpmux, protocol TCP, 450.00 Bytes of traffic per flow. Columns: Source IP, Destination IP, Application, Source Port, Dest Port, Protocol, ToS, TCP_FLAGS, Packets, Traffic. Report generation time 2011-06-09 14:54:17; showing 1 to 100, view per page 100.]
98. Accessing the Web Client

NetFlow Analyzer is essentially a bandwidth monitoring tool that uses Cisco NetFlow exports to analyze network traffic and determine bandwidth usage. Once the server has successfully started, follow the steps below to access NetFlow Analyzer:

1. Open a supported web browser window.
2. Type the URL as http://<hostname>:8090, where <hostname> is the name of the machine on which NetFlow Analyzer is running and 8090 is the default web server port.
3. Log in to NetFlow Analyzer using the default username/password combination of admin/admin.

Change the default admin password at first login: the web client exposes traffic metadata for every monitored interface, and the default URL is plain HTTP, so also restrict which networks can reach port 8090.

Once you log in, you can start managing devices exporting Cisco NetFlow, generate bandwidth reports, and more.

License Information

NetFlow Analyzer comes in the following editions:
- Free Edition: collect, analyze and report on NetFlow data from a maximum of two interfaces.
- Professional Edition: collect, analyze and report on NetFlow data from a maximum of n interfaces, where n is the number of interfaces for which NetFlow Analyzer has been purchased.
- Professional Plus Edition: all the features of the Professional Edition, plus reporting on Cisco CBQoS, Cisco NBAR and usage-based billing.

Once installed, NetFlow Analyzer runs in evaluation mode for 30 days. You can obtain a registered license for NetFlow Analyzer at any time during the evaluation period by contacting NetFlow Analyzer Sup
99. When you configure a flow monitor, you must use either:
- an existing flow record that you configured, or
- one of the following default predefined records:
  - the default RTP record (default-rtp)
  - the default TCP record (default-tcp)

Restrictions: to modify a flow record, you must remove it from all flow monitors it is associated with.

Summary steps:
1. enable
2. configure terminal
3. flow monitor type performance-monitor monitor-name
4. description description
5. exporter exporter-name
6. record {record-name | default-rtp | default-tcp}
7. end

Configuring a Flow Class for Cisco Performance Monitor

The basic concepts and techniques for configuring a class for Cisco Performance Monitor are the same as for any other type of class. The class specifies the filter that determines which flow traffic to monitor. The filter is configured using the various match commands in class-map mode.

If you do not already have a flow monitor configured, you can either:
- configure a flow monitor (see the "Configuring a Flow Monitor for Cisco Performance Monitor" section), or
- use the flow monitor inline option (see the "Configuring a Flow Policy for Cisco Performance Monitor Using an Existing Flow Monitor" section).

Note: nested class maps are not supported. In other words, you cannot use the class-map command while in class-map configuration mode (config-cmap).

Summary steps:
1. enable
2. configure terminal
3. class-ma
100. By default, all interfaces, IP groups and interface groups sending NetFlow exports are selected. If you want this alert profile to apply to certain interfaces, IP groups or interface groups only, click the Modify Selection link. In the pop-up window, select the required devices and interfaces, or select the IP group names, and click Update to save your changes.

| Field | Description |
|---|---|
| Define Alert Criteria | Select whether alerts need to be generated based on incoming traffic, outgoing traffic, or both. The default setting is for both combined. Then select the alert criteria for which the alert has to be generated. The criteria can be based on application, protocol, DSCP or IP address. To identify the overall link utilization, the No Criteria option has to be chosen. |
| Define Threshold and Action | Enter the threshold conditions (utilization, volume, speed and packets); an alert is generated when the threshold limit is exceeded. You can also specify an action to be taken at alert creation. Email: an e-mail notification with a customizable subject, along with a PDF attachment, to one or more people. SNMP Trap: sends a trap to the manager application; specify the <server name>, <port> and <community>. For details on configuring trap forwarding, refer to the SNMP Trap Forwarding section under Appendix. The community string travels in cleartext in SNMP v1/v2c traps, so treat it as a credential and send traps only across a trusted management network. To add more thresh
101. TCP or UDP stateful protocols (continued)

| Stateful protocol | Type | Description |
|---|---|---|
| Citrix ICA | TCP | Citrix published application |
| Netshow | TCP, UDP | Microsoft Netshow |
| RealAudio | TCP, UDP | RealAudio Streaming Protocol |
| r-commands | TCP | rsh, rlogin, rexec |
| StreamWorks | UDP | Xing Technology StreamWorks audio/video |
| SQL*NET | TCP, UDP | SQL*NET for Oracle |
| SunRPC | TCP, UDP | Sun Remote Procedure Call |
| TFTP | UDP | Trivial File Transfer Protocol |
| VDOLive | TCP, UDP | VDOLive streaming video |

4. Non-TCP and non-UDP protocols

| Non-TCP/non-UDP protocol | Type | Well-known IP protocol number | Description |
|---|---|---|---|
| EGP | IP | 8 | Exterior Gateway Protocol |
| GRE | IP | 47 | Generic Routing Encapsulation |
| ICMP | IP | 1 | Internet Control Message Protocol |
| IPINIP | IP | 4 | IP in IP |
| IPsec | IP | 50, 51 | IP Encapsulating Security Payload / Authentication Header |
| EIGRP | IP | 88 | Enhanced Interior Gateway Routing Protocol |

5. TCP and UDP static port protocols

| Static-port protocol | Type | Well-known port number | Description |
|---|---|---|---|
| BGP | TCP, UDP | 179 | Border Gateway Protocol |
| CU-SeeMe | TCP, UDP | 7648, 7649 | Desktop videoconferencing |
| CU-SeeMe | UDP | 24032 | Desktop videoconferencing |
| DHCP/BOOTP | UDP | 67, 68 | Dynamic Host Configuration Protocol / Bootstrap Protocol |
| DNS | TCP, UDP | 53 | Domain Name System |
| Finger | TCP | 79 | Finger User Information Protocol |
| Gopher | TCP, UDP | 70 | Internet Gopher Protocol |
102. Click on the schedule's name to see more information about the schedule's configuration.

| Column | Description |
|---|---|
| Schedule Details | Information on when the schedule will run. |
| Status | By default all schedules are Enabled, which means they are active. Click the Enabled icon to disable a schedule; when this is done, reports will no longer be generated for that configuration. Click the Disabled icon to enable the schedule again. |
| Report Type | Whether it is a consolidated report or a user-defined Custom report. |
| Last Report Time | The last time this schedule was run and a report created. |
| Generated Reports | By clicking on View Reports it is possible to view all the previous reports that have been generated. The number of reports that are stored is based on the user definition in the Schedule Settings page. By enabling the item "Enable older reports to be accessed from UI" it is possible to retrieve even older reports: for a Daily schedule up to 90 reports can be stored, for a Weekly schedule up to 104 reports, and for a Monthly schedule up to 60 reports. |

Operations on schedule reports

You can create new schedules or delete existing ones from the Schedule List page. The Schedule Settings tab on the right lets you define the settings needed for the scheduled reports. The settings are:
- Host name options: select whether hosts are shown in the reports as IP addresses or DNS names.
- Graph options: either of the two
103. Configuration steps (continued)

- Step 24 (continued): Router(config-cmap)# match protocol gnutella file-transfer regular-expression. (Optional) Configures NBAR to match Gnutella peer-to-peer traffic.
- Step 25: Router(config-cmap)# match protocol http [url url-string | host hostname-string | mime MIME-type | c-header-field c-header-field-string | s-header-field s-header-field-string]. (Optional) Configures NBAR to match Hypertext Transfer Protocol (HTTP) traffic by URL, host, Multipurpose Internet Mail Extension (MIME) type, or fields in HTTP packet headers.
- Step 26: Router(config-cmap)# match protocol rtp [audio | video | payload-type payload-string]. (Optional) Configures NBAR to match Real-time Transport Protocol (RTP) traffic.
- Step 27: Router(config-cmap)# match qos-group qos-group-value. (Optional) Identifies a specific QoS group value as a match criterion.
- Step 28: Router(config-cmap)# match source-address mac address. (Optional) Uses the source MAC address as a match criterion.
- Step 29: Router(config-cmap)# match start {l2-start | l3-start} offset number size number {eq | neq | gt | lt | range range | regex string} value [value2]. (Optional) Configures the match criteria for a class map on the basis of the datagram header (Layer 2) or the network header (Layer 3).
- Step 30: Router(config-cmap)# match tag tag-name. (Opti
104. Dashboard view

The NetFlow Analyzer dashboard gives a quick summary of the bandwidth usage of your devices, interfaces and IP groups with respect to the widgets you have selected. By default you see the Network Snapshot; you can also customize the dashboard to your own requirements.

Network Snapshot

The Network Snapshot is the default view of the dashboard, NetFlow Analyzer's web interface, on login.

Top Devices by Speed: the table lists the top 5 devices (routers, switches) according to the speed at which traffic passes through each interface. The maximum speed and average speed are displayed against each device name. Clicking on the device name gives you a consolidated report with interface-level details of the device.

Top Devices by Volume: the table lists the top 5 devices (routers, switches) according to the volume of traffic passing through each device. The table displays the device, its volume of traffic and its percentage of the total traffic. Clicking on the device name gives you a consolidated report for the selected device.

Top Interfaces by Speed: the table lists the top 5 interfaces according to the speed at which traffic passes through them. It shows the interface name, the device it belongs to, and the traffic IN and OUT speed in Kbps. Clicking on the interface name gives you the traffic report of that interface.

Top Interfaces by Utilization
105. Mail Server / Proxy Server Settings

Mail server settings

These settings are needed when e-mail notifications have to be sent for generated alerts and when scheduled reports have to be e-mailed.

| Option | Default | Description |
|---|---|---|
| Outgoing SMTP Server | smtp | The name of the outgoing SMTP server used to send e-mails. |
| Port | 25 | The port number on the outgoing server that is used to send e-mails. |
| Default e-mail address to send alerts | | The default e-mail address(es) to which e-mail notifications are sent. Separate multiple e-mail addresses with a comma. This is mandatory. |
| From Address | optional | The From address of the mail that is being sent. This is optional. |
| Encryption Protocol | none | Enables an SSL connection so that mail is sent encrypted. With the default of none, alert mails and the PDF report attachments travel in cleartext. |
| Requires authentication | unchecked | Select this checkbox if the mail server needs authentication. |
| User Name | optional | The authentication user name for the mail server. |
| Password | optional | The corresponding password for mail server authentication. |

Click on Update once the required details have been entered. You may also want to do a trial run of the mail being sent; use the Test Mail setting for this.

Proxy settings

This is to configure the network proxy settings. Proxy settings are necessary for resolving geo-locations.

| Field | Description |
|---|---|
| Proxy Server | The name or IP address of the proxy server. |
| Port | The port number on the server
106. The flow export contains information on the protocol, source port and destination port. When a flow is received, NetFlow Analyzer tries to match the port and protocol in the flow to an application in the following order:

1. The smaller of the source and destination port numbers against the list of ports configured for each application in the Application Mapping list.
2. The larger of the source and destination port numbers against the list of ports configured for each application in the Application Mapping list.
3. The smaller of the source and destination port numbers against the port ranges configured for each application in the Application Mapping list.
4. The larger of the source and destination port numbers against the port ranges configured for each application in the Application Mapping list.

If a matching application is still not found then, depending on the protocol received in the flow, the application is listed as <protocol>_App, e.g. TCP_App for a flow received with the TCP protocol and unmatched source and destination ports. If the protocol received in the flow is also not recognized by NetFlow Analyzer, the application is listed as Unknown_App.

A single flow can be categorized as a single application only. In case of a conflict, the application with an exact match for the port number is accounted for.

3. Do I have to reinstall NetFlow Analyzer when moving to the fully paid version?

No, you do not have to reinstall or shut down the NetFl
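The lookup order above, implemented as an added example (this is not NetFlow Analyzer's own code). The mapping table is constructed for illustration: http and https on their usual exact ports, a hypothetical pcanywhere entry with exact ports 5631 and 5632 plus a port range 65300 to 65310, and a hypothetical rtp-media entry defined only by a range. Protocol numbers 6 (TCP) and 17 (UDP) are the IANA values; 132 (SCTP) appears only to exercise the Unknown_App fallback.

```python
"""Application lookup order used by NetFlow Analyzer, as an added example.

Not the product's code. APP_MAPPING below is a constructed table; the
'pcanywhere' range and the 'rtp-media' entry are hypothetical.
"""

# name -> (set of exact ports, list of inclusive (low, high) port ranges)
APP_MAPPING = {
    "http":       ({80}, []),
    "https":      ({443}, []),
    "pcanywhere": ({5631, 5632}, [(65300, 65310)]),   # range is hypothetical
    "rtp-media":  (set(), [(10000, 20000)]),          # hypothetical entry
}

PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}  # protocols the collector can name


def exact_match(port):
    """First application whose exact port list contains `port`, else None."""
    for app, (ports, _ranges) in APP_MAPPING.items():
        if port in ports:
            return app
    return None


def range_match(port):
    """First application whose port ranges cover `port`, else None."""
    for app, (_ports, ranges) in APP_MAPPING.items():
        if any(low <= port <= high for low, high in ranges):
            return app
    return None


def classify(protocol, src_port, dst_port):
    """Name the application for one flow in the guide's lookup order.

    Exact match on the smaller port, exact match on the larger port, range
    match on the smaller port, range match on the larger port, then
    <PROTOCOL>_App, then Unknown_App. Running both exact passes before any
    range pass is what makes an exact port match win a conflict.
    """
    smaller, larger = sorted((src_port, dst_port))
    for lookup, port in ((exact_match, smaller), (exact_match, larger),
                         (range_match, smaller), (range_match, larger)):
        app = lookup(port)
        if app is not None:
            return app
    name = PROTOCOL_NAMES.get(protocol)
    return f"{name}_App" if name else "Unknown_App"


if __name__ == "__main__":
    for flow in [(6, 51234, 80), (6, 15000, 5631), (17, 15000, 30000),
                 (17, 40000, 50000), (132, 1, 2)]:
        print(flow, "->", classify(*flow))
```

Two consequences worth keeping in mind when reading security reports built on this mapping: a flow whose ephemeral port happens to be smaller than the server port and collides with a configured port is labelled with that application rather than the real one, and anything tunnelled over a well-known port (command-and-control over TCP 443, say) is reported as that port's application.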
107. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| ICMP Trace Route Outflood (continued) | ...Minimum Flux Rate at the source end. 2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. | DoS / Flash Crowd |
| ICMP Trace Route Host Scan | 1. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. ICMP Trace Route flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| ICMP Trace Route Host Scan Reverse | 1. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP Trace Route flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans / Probes |
| ICMP ToS Unreachables | ICMP Unreachable flows with Dst Port value IN 779 (Network Unreachable for ToS), 780 (Host Unreachable for ToS) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. (In NetFlow's ICMP encoding, Dst Port = type * 256 + code, so 779 and 780 are ICMP type 3, codes 11 and 12.) | Suspect Flows |
| ICMP ToS Unreachable Attack | 1. ICMP ToS Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Mi | DoS |
108. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| TCP Urg Violations (continued) | ...TCP flags value IN 32 to 40 and 42 to 63, i.e. every combination with the Urg flag set except the XMAS combination (41 = Urg+Psh+Fin), touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. | Suspect Flows |
| TCP Urg Attack | TCP Urg flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| TCP Urg Inflood | TCP Urg flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| TCP Urg Outflood | 1. TCP Urg flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. TCP Urg flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. | DoS / Flash Crowd |
| TCP Urg Port Scan | 1. TCP Urg flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. TCP Urg flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| TCP Urg Host Scan | 1. TCP Urg flows from single/multiple source | |
109. IN/OUT. From here you can export the report as a PDF or CSV file, e-mail it, or print it by clicking the Print icon.

Compare Report

NetFlow Analyzer Global Report: Compare Devices

The Compare Devices feature lets the user compare multiple devices for the same time period, or compare the same device over different time periods (e.g. Every Day Report, Every Hour Report, Every Week Report, Every Month Report).

| Field | Purpose / Description |
|---|---|
| Report Type | The report type can be either Compare Multiple Devices over the same time period, or Compare the same device over different time periods, as the case may be. |
| Select Period | When the Report Type is Compare Multiple Devices over the same time period, the available periods are Last Hour, Last 6 Hours, Today, Last 24 Hours, Yesterday, Last Week, Last Month, Last Quarter or Custom Selection. Custom Selection lets one choose the time period for which the report is to be generated. When the Report Type is Compare same device over different time periods, the available periods are Every Day Report, Every Hour Report, Every Week Report and Every Month Report. |
| Select Device(s) | This allows the user to select the device, if the same device is to be compared over various time periods, or the set of devices that are to be compared for a single time period. The Select Device(s) |
110. [Screenshot: Security Event details (Info/Value table) for router 192.168.116.172 (IfIndex 1 to 4): 2.02 KB of traffic; one source host 192.168.1.1 (network 192.168.1.0/24) to one destination host 192.168.5.2 (network 192.168.5.0/24); 5 source ports (1 to 5) and 10 destination ports (1 to 10); applications tcpmux, compressnet, rje, discard and TCP_App; protocol TCP; an expandable list of the aggregated flows, e.g. TCP 192.168.1.1:1 to 192.168.5.2:2.]

Security Event Troubleshoot Report

Displays the list of aggregated flows for an event. Click on the unique router IP in the event details report to view this report. This report lists the distribution of packets and traffic from the source to the destination, giving more details about the event that occurred. You can also view the application type, the ports involved, the protocol used, the ToS and TCP flags used, the number of packets and the traffic volume.

[Screenshot: Security Event Troubleshoot Report for device 192.168.116.172 with a Resolve DNS link; the Source IP column shows 73.168.0.6 on every row.]
111. (...) Server are in the same domain and logged in with the same Domain Administrator account.

Database Setup dialog (Windows Authentication):
- Server Type: SQL Server
- Host Name: NETFLOW-TEST5
- Port: 1433
- Available SQL Server Instances: NETFLOW-TEST5\MSSQLSERVER (1433)
- Database: netflow
- Connect Using: Windows Authentication (selected) or SQL Server Authentication
- Domain Name: Adventnet
- User Name: Administrator
- Password: (masked)
- Buttons: Cancel, Test

b. SQL Server Authentication: for SQL Server Authentication, enter the User Name and Password.

Database Setup dialog (SQL Server Authentication): the same Server Type, Host Name, Port, Available SQL Server Instances and Database fields; Connect Using: SQL Server Authentication (selected); User Name; Password.

8. Click the Test button to check whether the credentials are correct. If the test fails, the credentials may be wrong; recheck and enter the correct credentials.
9. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the settings of the SQL Server database.
10. Start the NetFlow Analyzer Server service to work with MS SQL Server as the database.
112. ManageEngine (Powering IT ahead)
NetFlow Analyzer 9.7
ManageEngine NetFlow Analyzer Professional Edition

Table of Contents

INTRODUCTION ... 5
  What's New in this Release ... 6
INSTALLATION AND SETUP ... 14
  System ... 14
  Platform ... 14
  Supported Web Browsers ... 15
  Prerequisites ... 16
  Installing and Uninstalling ... 17
  Starting and Shutting Down ... 18
  Accessing the Web Client ... 20
  License Information ... 21
CONFIGURING FLOW EXPORTS ... 22
  Cisco Devices ... 23
  Configuring Cisco ... 23
  Cisco NetFlow Device Support ... 25
  Configuring Cisco ... 27
  Configuring NetFlow Export on an IOS Device ... 28
  Configuring NDE on Catalyst 6000 Series Switches ... 31
  Configuring NDE on a Native IOS Device
113. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| Short TCP Psh_Ack Scan Reverse (continued) | ...Minimum Aspect Ratio at the source end. | Scans / Probes |
| Short TCP Psh_Ack Diagonal Scan Reverse | Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the source end. | Scans / Probes |
| Short TCP Psh_Ack Grid Scan Reverse | Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. | Scans / Probes |
| Excess Short TCP Psh_No Ack Packets | TCP flows with nominal payload, i.e. BytesPerPacket between 40 and 44 octets (bytes; 40 is the IP header plus the TCP header, so these flows carry 0 to 4 payload bytes), and TCP flags value IN 8 (P), 42 (UPS), 43 (UPSF), 44 (UPR), 45 (UPRF), 46 (UPRS), 47 (UPRSF), denoting Psh set without Ack, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. | Suspect Flows |
| Short TCP Psh Attack | Short TCP Psh flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| Short TCP Psh Inflood | Short TCP Psh flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the | DoS / Flash |
114. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| (UDP Echo Request row, continued) | ...Minimum Convergence and Minimum Flux Rate at the destination end. 2. UDP Echo requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| (UDP Echo Request row, name on preceding page) | 1. UDP Echo requests from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. UDP Echo requests from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. | DoS / Flash Crowd |
| UDP Echo Request Host Scan | 1. UDP Echo requests from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. UDP Echo requests from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| UDP Echo Request Port Scan Reverse | 1. UDP Echo requests from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. UDP Echo requests from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans / Probes |
| UDP Echo Request Host Scan Reverse | 1. | |
115. Click the network link to see the network-wise top sources and destinations, e.g. 192.168.4.0/24, where 192.168.4.0 is the IP address and 24 is the network mask. The Show box above this table lets you choose how many hosts need to be displayed; you can set this value from the Settings page. The pie chart below this report shows what percentage of bandwidth is being used by each host. The icon above the pie chart lets you see the pie chart enlarged in a new window. From here you can export the report as a PDF or CSV file, or e-mail it, by going to the Actions button on top and selecting as per your requirement.

QoS

QoS, or Quality of Service, is the most important factor that determines how effectively the available enterprise bandwidth is being used in the WAN. It is also an index of the overall user experience of the available bandwidth. The QoS feature by default lists the Top DSCP IN report. Clicking on the Show Applications link lists the various DSCP values along with the list of applications that make up each DSCP; it also lists the traffic and the percentage utilization of the total traffic for each application and for the DSCP group as a whole. Clicking on the icon next to a DSCP value gives a detailed traffic graph in a pop-up window.

DSCP Groups

The DSCP groups can be viewed by clicking on the View DSCP Group link. If no DSCP groups have b
116. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| ICMP Time Exceeded Host Scan (continued) | ...Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| ICMP Time Exceeded Host Scan Reverse | 1. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP Time Exceeded flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans / Probes |
| ICMP Trace Route Flows | ICMP Traceroute flows with Dst Port equal to 7680 (ICMP type 30, code 0, in NetFlow's type * 256 + code encoding) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Indicates a traceroute attempt. | Suspect Flows |
| ICMP Trace Route Inflood | 1. ICMP Trace Route flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Trace Route flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| ICMP Trace Route Outflood | 1. ICMP Trace Route flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum | DoS |
117. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| Short TCP Syn_Ack Port Scan Reverse (continued) | 2. Short TCP Syn_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans / Probes |
| Short TCP Syn_Ack Host Scan Reverse | 1. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans / Probes |
| Short TCP Syn_Ack Diagonal Scan Reverse | Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts where the n | Scans / Probes |
| Empty TCP Port Scan | 1. Empty TCP flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Empty TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| (Empty TCP row, continued) | ...end. 2. Empty TCP flows from single/multiple source hosts to single/multiple | |
118. Problem class catalogue (continued)

| Problem Name | Description | Class |
|---|---|---|
| Excess Empty UDP Packets | UDP flows with BytesPerPacket exactly 28 octets (bytes; the 20-byte IP header plus the 8-byte UDP header, i.e. no payload at all) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. | Suspect Flows |
| Empty UDP Attack | Empty UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| Empty UDP Inflood | Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. | DoS / Flash Crowd |
| Empty UDP Outflood | 1. Empty UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Empty UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. | DoS / Flash Crowd |
| Empty UDP Port Scan | 1. Empty UDP flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Empty UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans / Probes |
| Empty UDP Host Scan | 1. Empty UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Empty UDP flows | Scans / Probes |
119. ...Rate at the destination end. | DoS/Flash Crowd
ICMP Source Quench Outflood | 1. ICMP Source Quench flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end. | DoS/Flash Crowd
ICMP Source Quench Host Scan | 1. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. ICMP Source Quench flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans/Probes

Problem Name | Description | Class
ICMP Source Quench Host Scan Reverse | 1. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. ICMP Source Quench flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source | Scans/Probes
120. ...Reverse | ...destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Empty UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans/Probes
Empty UDP Diagonal Scan Reverse | Empty UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end. | Scans/Probes
Empty UDP Grid Scan Reverse | Empty UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. | Scans/Probes
Excess Short UDP Packets | UDP flows with nominal payload, i.e. BytePerPacket between 29 and 32 octets (bytes), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. | Suspect Flows
Short UDP Attack | Short UDP flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS/Flash Crowd
Short UDP Inflood | Short UDP flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the dest | DoS/Flash Crowd
121. ...PST -8 00 for PST, or EST -5 00 for EST. You can check this by logging into the router, going into the configure terminal and typing show running-config. You can set the clock time zone and offset using the command clock timezone <zone> <hours> <minutes>, e.g. clock timezone PST -8 00.

2. The time sync issue may be related to high CPU load, and reducing the number of IP groups can help. Each address range/network is checked separately, so 4 addresses of 10.10.10.1, 10.10.10.2, 10.10.10.3 and 10.10.10.4 add more overhead than the same addresses defined as a single IP range of 10.10.10.1 to 10.10.10.4. While associating interfaces you are better off selecting All interfaces wherever appropriate, since in that case no check is done against the interface in the flow. In your case, since you had 180 interfaces associated, the code had to check for these 180 interfaces in each flow received.

Other Configurations

Configuring MSSQL Database

NetFlow Analyzer lets you configure and use an MSSQL database.

Product Limitations
- Configuring the MSSQL database can take place only if the product is installed on a Microsoft Windows operating system.
- NetFlow Analyzer does not support the following:
  - Automatic deletion of the oldest raw data when free disk space goes below the user-defined value.
  - Email alert generation when the free disk space goes below the user-defined value.

The steps to conf
122. ...Span at the destination end. 2. ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
ICMP Host Unreachable Host Scan Reverse | 1. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. ICMP Host Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans/Probes

Problem Name | Description | Class
ICMP Network Unreachables | ICMP Network Unreachable flows with Dst Port value IN (768 Network Unreachable, 774 Network Unknown, 777 Network Administratively Prohibited, 779 Network Unreachable for TOS), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. | Suspect Flows
ICMP Network Unreachable Inflood | 1. ICMP Network Unreachable flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Network Unreachable flows from single/multip | DoS/Flash Crowd
123. ...Span at the destination end. 2. TCP Syn_Fin flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Problem Name | Description | Class
TCP Syn_Fin Host Scan | 1. TCP Syn_Fin flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. TCP Syn_Fin flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. | Scans/Probes
TCP Syn_Fin Diagonal Scan | TCP Syn_Fin flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end. | Scans/Probes
TCP Syn_Fin Grid Scan | TCP Syn_Fin flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end. | Scans/Probes
TCP Syn_Fin P
124. ...Src or Dst IP, irrespective of the enterprise perimeter; for example Loopback IPs or IANA Local IPs in either Src or Dst IP. | Bad Src/Dst Flows
Invalid ToS Flows | Flows with invalid ToS values. | Bad Src/Dst Flows
Land Attack Flows | Flows with the same Src IP & Dst IP. Causes the target machine to reply to itself continuously. | Bad Src/Dst Flows
Malformed IP Packets | Flows with BytePerPacket less than or equal to the minimum of 20 octets (bytes). | Bad Src/Dst Flows
Non Unicast Source Flows | Src IP is either a Multicast, Broadcast or Network IP, i.e. not Unicast. | Bad Src/Dst Flows
TCP Syn Violations | TCP flows with TCP Flags value equal to 2 (Syn), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. | Suspect Flows
TCP Syn Attack | TCP Syn flows from multiple source hosts to fewer destination hosts, exceeding Minimum Flux Rate and Minimum Convergence at the destination end. | DoS/Flash Crowd
TCP Syn Inflood | TCP Syn flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end. | DoS/Flash Crowd
TCP Syn Outflood | 1. TCP Syn flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. TCP Syn flows from single/multiple source hosts to single | DoS/Flash Crowd
125. ...UDP Echo requests from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. UDP Echo requests from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans/Probes

Problem Name | Description | Class
UDP Echo Request Diagonal Scan Reverse | UDP Echo requests from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end. | Scans/Probes
UDP Echo Request Grid Scan Reverse | UDP Echo requests from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. | Scans/Probes
UDP Echo Request Broadcasts | UDP Echo Request to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP, touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates a possible amplification attack on the S | DoS/Flash Crowd
126. ...a schedule from the Schedule List and click Delete to delete the schedule. Once a schedule is deleted, reports are no longer generated at the stipulated intervals. Deleting a schedule also deletes the corresponding folder.

Schedule Settings

In addition, there is the Schedule Settings link in the Schedule List page. This link lets you set parameters that apply across all the generated reports. The parameters include:
- Host Name display in reports: determines how the host name is displayed in reports. It can be one of:
  - IpAddress, or
  - DNS Name
- Graph Options (Report Type to be shown in reports): determines how the data is shown in the generated reports. It can be one of:
  - Utilization in %, or
  - Speed in bps
- Report Mail Attachment option: the format in which the attachments are mailed. It can be one of:
  - Zipped file, or
  - PDF. The number of PDF files to be sent in a mail must be specified; it may range from 5 to 50 in increments of five.
- Enable older reports to be accessed from the UI:
  - Daily Schedules: the number of daily reports to be stored; it can take the values 7, 30, 60, 90.
  - Weekly Schedules: the number of weekly reports to be stored; it can take the values 4, 26, 52, 104.
  - Monthly Schedules: the number of monthly reports to be stored; it can take the values 12, 36, 60
127. ...a single location.
- sFlow is scalable, enabling it to monitor links of speeds up to 10Gb/s and beyond without impacting the performance of core internet routers and switches and without adding significant network load.
- sFlow is a low-cost solution. It has been implemented on a wide range of devices, from simple L2 workgroup switches to high-end core routers, without requiring additional memory and CPU.

sFlow Supported Devices

Which devices support sFlow? The following devices are capable of exporting sFlow:

AlaxalA Networks
- AX7800R
- AX7800S
- AX7700R
- AX5400S

Alcatel
- OmniSwitch 6850
- OmniSwitch 9000

Allied Telesis
- SwitchBlade 7800R series
- SwitchBlade 7800S series
- SwitchBlade 5400S series

Comtec Systems
- !Rex 16Gi & 24Gi & 24Gi Combo

Extreme Networks
- Alpine 3800 series
- BlackDiamond 6800 series
- BlackDiamond 8800 series
- BlackDiamond 10808
- BlackDiamond 12804C
- BlackDiamond 12804R
- Summit X450 Series
- Summit i series

Force10 Networks
- E series

Foundry Networks
- BigIron series
- FastIron series
- IronPoint series
- NetIron series
- SecureIron series
- ServerIron series

Hewlett-Packard
- ProCurve 2800 series
- ProCurve 3400cl series
- ProCurve 3500yl series
- ProCurve 4200vl series
- ProCurve 5300xl series
- ProCurve 5400zl series
128. ...abel

Step 17
Command: Router(config-cmap)# match not match-criterion
Purpose: (Optional) Specifies the single match criterion value to use as an unsuccessful match criterion.

Step 18
Command: Router(config-cmap)# match packet length {max maximum-length-value [min minimum-length-value] | min minimum-length-value [max maximum-length-value]}
Purpose: (Optional) Specifies the Layer 3 packet length in the IP header as a match criterion in a class map.

Step 19
Command: Router(config-cmap)# match port-type {routed | switched}
Purpose: (Optional) Matches traffic on the basis of the port type for a class map.

Step 20
Command: Router(config-cmap)# match ip precedence precedence-value [precedence-value precedence-value precedence-value]
Purpose: (Optional) Identifies IP precedence values as match criteria.

Step 21
Command: Router(config-cmap)# match protocol protocol-name
Purpose: (Optional) Configures the match criteria for a class map on the basis of the specified protocol. Note: There is a separate match protocol (NBAR) command used to configure network-based application recognition (NBAR) to match traffic by a protocol type known to NBAR.

Step 22
Command: Router(config-cmap)# match protocol citrix [app application-name-string] [ica-tag ica-tag-value]
Purpose: (Optional) Configures NBAR to match Citrix traffic.

Step 23
Command: Router(config-cmap)# match protocol fasttrack file-transfer "regular-expression"
Purpose: (Optional) Configures NBAR to match FastTrack peer-to-peer traffic.

Step 24
Command: Router(config-cmap)# match protocol
Purpose: (Optional)
129. ...abled, events related to the problem will not be generated.
- Manage Algorithm: allows you to enable or disable a specific algorithm or a set of algorithms. Click Manage Algorithm and choose to enable or disable an algorithm. If a specific algorithm is disabled, ASAM will not use that algorithm to generate events. For a base problem like TCP Syn Violations you can manage three different algorithms: TCP Syn Violations from Source (SourceAggregation), TCP Syn Violations to Destination (DestinationAggregation) and TCP Syn Violations via router (RouterAggregation).
- Manage Resource: allows you to enable or disable resources for a specific resource type. Click Manage Resources; in the new window that appears, select the resource type and choose to either enable or disable the resources for the selected resource type. To add a new resource, specify the resource name in the Enter text box and click Add.
- Note: a Resource is the attribute used to group the flows for an Event. For example, flows routed through a single router IP are aggregated as an Event (RouterAggregation); flows from a single source IP are aggregated as an Event (SourceAggregation); flows to a single destination IP are aggregated as an Event (DestinationAggregation).

2.1c Algorithm Settings: allows you to set the threshold value and the field type to be displayed in the offender and target colum
130. ...age of bandwidth is being used by each Application. The icon above the pie chart lets you see the pie chart enlarged in a new window. From here you can export the report as a PDF/CSV file or email it by going to the Actions button on top and selecting as per your requirement.

NBAR Supported Applications

NBAR supports a wide range of network protocols. The following list shows some of the supported protocols.

1. Peer-to-Peer Protocols
Protocol | Type | Description
BitTorrent | TCP | File sharing application
Gnutella | TCP | File sharing application
Kazaa2 | TCP | File sharing application
eDonkey | TCP | File sharing application
Fasttrack | TCP | File sharing application
Napster | TCP | File sharing application

2. VoIP Protocols
Protocol | Type | Description
SCCP | TCP | Skinny Call Control Protocol
SIP | TCP and UDP | Session Initiation Protocol
MGCP | TCP and UDP | Media Gateway Control Protocol
H.323 | TCP and UDP | An ITU-T standard for digital videoconferencing over TCP/IP networks
SKYPE | TCP and UDP | Application allowing telephone conversation over the Internet

3. TCP & UDP stateful protocols
Protocol | Type | Description
FTP | TCP | File Transfer Protocol
Exchange | TCP | MS-RPC for Exchange
HTTP | TCP | HTTP with URL, host or MIME classification
Citrix | T
131. ...ait for a response from the responder (default value: 100 seconds).
Specify Frequency: the interval between samples taken of session parameters/metrics, and the amount of time the initiator will remain active without any activity from the responder. The values are in seconds (default value: 30 seconds).
6. Specify Inactivity Timeout: the amount of time in seconds the initiator will wait for the responder to react to its additional route changes (default value: 90 seconds).
7. Click Add Param to save the changes and add the parameters to the session.

4. Configure Flow Specifier

A flow specifier profile defines the source IP address, destination IP address, source port, destination port and protocol that identify a flow. A Mediatrace session configuration requires a flow specifier to identify the flows. The session configuration in NetFlow Analyzer allows you to configure a flow profile using the web interface. To configure a flow specifier, do the following:
- Navigate to Medianet > Settings > Add Flows.
- Select the IP address of the router you have configured as the Initiator.
- Enter the name of the flow specifier you intend to create.
- Select the flow.
- Click Add Flow to save the changes and add the flows to the session.

5. Configure Medianet Session

The Mediatrace session allows you to link the profiles created to a session. Only one of each type of profile can be associated with a Cisco Mediatrace se
132. ...al Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. | Scans/Probes

Problem Name | Description | Class
Snork Attack UDP Flows | UDP flows with Src Port IN (7, 19, 135) and Dst Port IN (135), touching or exceeding the Upper Limit and none of the following derived problems gets satisfied. Indicates a denial of service attack against the Windows NT RPC Service. | DoS/Flash Crowd
UDP Snork Attack | UDP Snork flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. | DoS/Flash Crowd
UDP Snork Inflood | UDP Snork flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end. | DoS/Flash Crowd
UDP Snork Outflood | 1. UDP Snork flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. UDP Snork flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end. | DoS/Flash Crowd
UDP Snork Host Scan | 1. UDP Snork flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. UDP Snor | Scans/Probes
133. ...alues based on IN traffic, OUT traffic, or both IN and OUT traffic. The Show box lets you choose how many results to display; you can set this value from the Settings page. Once you select all the desired criteria, click the Generate Report button to display the corresponding traffic report. The default report view shows the IP addresses of the hosts; click the Resolve DNS link to see the corresponding DNS values. You can also print this report by clicking the print icon or the Print link.

Consolidated Reports

Consolidated reports let you see all the traffic details for an interface or IP group at a glance. You can then print this report or save it as a PDF file. Click the Consolidated Report link to see all traffic details for an interface at one glance. The same report can be accessed from the Global Dashboard by clicking on the icon beside an interface or an IP group. The source list box lets you select an IP Group, Interface or Interface Group to generate reports for. You can choose to generate hourly or daily reports, or reports based only on business hours. The custom selection option allows you to generate reports for a desired time period; use the icon to customise the time period. You can also select to view either the top 10 or top 5 applications. Select the appropriate report you want to generate from the given reports. You can generate reports on Application (IN/OUT), Source (IN/OUT) and Destination
134. ...implemented MIB objects in the router. If the router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB, then the above command gives the following objects:
cnpdStatusEntry.1, cnpdStatusEntry.2, cnpdAllStatsEntry.2, cnpdAllStatsEntry.3, cnpdAllStatsEntry.4, cnpdAllStatsEntry.5, cnpdAllStatsEntry.6, cnpdAllStatsEntry.7, cnpdAllStatsEntry.8, cnpdAllStatsEntry.9, cnpdAllStatsEntry.10, cnpdAllStatsEntry.11, cnpdAllStatsEntry.12, cnpdTopNConfigEntry.2, cnpdTopNConfigEntry.3, cnpdTopNConfigEntry.4, cnpdTopNConfigEntry.5, cnpdTopNConfigEntry.6, cnpdTopNConfigEntry.7, cnpdTopNConfigEntry.8, cnpdTopNStatsEntry.2, cnpdTopNStatsEntry.3, cnpdTopNStatsEntry.4, cnpdThresholdConfigEntry.2, cnpdThresholdConfigEntry.3, cnpdThresholdConfigEntry.4, cnpdThresholdConfigEntry.5, cnpdThresholdConfigEntry.6, cnpdThresholdConfigEntry.7, cnpdThresholdConfigEntry.8, cnpdThresholdConfigEntry.9, cnpdThresholdConfigEntry.10, cnpdThresholdConfigEntry.12, cnpdThresholdHistoryEntry.2, cnpdThresholdHistoryEntry.3, cnpdThresholdHistoryEntry.4, cnpdThresholdHistoryEntry.5, cnpdThresholdHistoryEntry.6, cnpdThresholdHistoryEntry.7, cnpdNotificationsConfig.1, cnpdSupportedProtocolsEntry.2

1. What is NetFlow Version 9?
This format is flexible and extensible, which provides the versatility needed to support new fields and record types. This format accommodates new NetFlow-supported
135. ...an, TCP Syn Port Scan, TCP Urg Port Scan, Short TCP Syn_Ack Port Scan, Short TCP Handshake Port Scan, Short TCP Rst_Ack Port Scan, Short TCP Psh_Ack Port Scan, Excess Broadcast Flows, TCP Urg Violations.

Resource Analysis report: displays the top resources and the problems caused by them. It also lists the number of events of the problem caused by each resource. Here the pie chart represents the event distribution for each problem. The time distribution graph is a multi-line graph that represents the problem and the number of events for a specific resource over a given time period.

[Screenshot: the Resource Analysis tab (alongside Interface View, Autonomous System View, Problem Glossary, Security Posture, Offenders & Targets and Problem Analysis) showing Flows Processed, the Top Resources list, the Problem/Events table with its pie chart, and the Time Distribution graph.]
136. ...an and Minimum Occupancy at the destination end. | Scans/Probes
TCP Syn Port Scan Reverse | 1. TCP Syn flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. TCP Syn flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans/Probes
TCP Syn Host Scan Reverse | 1. TCP Syn flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. TCP Syn flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. | Scans/Probes
TCP Syn Diagonal Scan Reverse | TCP Syn flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end. | Scans/Probes
TCP Syn Grid Scan Reverse | TCP Syn flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and
137. Frequently Asked Questions

Installation
- When I try to access the web interface, another web server comes up. How does this happen?
- How can I change the MySQL port in NetFlow Analyzer from 13310 to another port?
- Can I install and run NetFlow Analyzer as a root user?
- Is a database backup necessary, or does NetFlow Analyzer take care of this?
- How do I update a patch in Linux?

Router Configuration
- Why can't I add a router to NetFlow Analyzer?
- My router has been set up to export NetFlow data, but I still don't see it on the Dashboard.
- I've deleted a router and all its interfaces through the License Management page, but it still comes up on the Dashboard.
- What's the difference between unmanaging and deleting an interface?
- How to configure the SNMP community in the router?
- How do I set the router time in SYNC with the NFA server?

Reporting
- The graphs are empty.
- What is Aggregate data and Raw data? How to set Raw data?
- Some of the applications are labeled as TCP_App or something similar. What is that?
- Why are only the top 5 or 10 values shown in the reports? What if I want more detail?
- The graphs show only IN traffic for an interface although there is both IN and OUT traffic flowing through that interface. Why's that?
- Why are some interfaces labeled as IfIndex2, IfIndex3, etc.?
- The total bandwidth usage seems to decrease depending on the length of the repor
138. ...andwidth used by the branch office while working with the ERP/CRM application. This information is very useful for traffic accounting and usage-based billing.

Note: If the IP addresses in the branch offices are NATed (network address translated) by the web server, you can view the overall bandwidth usage for the branch office but not that of individual hosts within the IP group.

Campus Network Scenario: A typical campus network with several departments. Here IP addresses are usually not NATed by the web server.
Problem: You need to analyze the bandwidth used by each department.
Solution: Create an IP group for each department (IP address or address ranges) without specifying any port/protocol values. The traffic reports for each IP group will then show bandwidth usage by that department, along with information on top talkers and top conversations within that department.

Defining IP Groups

IP groups can be defined based on IP address and/or port/protocol combinations. In addition, you can filter IP group traffic based on interfaces. The following matrix shows the different combinations possible, along with a typical example usage for each combination.

Combination | IP Address | Port/Protocol | Interfaces | DSCP
IP Address | View bandwidth details for a range | View Web (80/TCP) details | View bandwidth details across | View bandwidth details
139. ... 153
VoIP ... 154
Adding a New VoIP ... 156
FAQs on VoIP Monitor ... 160
WAN RTT Monitor ... 162
Configuring new WAN RTT monitor ... 164
Reports in WAN RTT Monitor ... 166
Enabling WAN RTT Monitoring using IP Group Management ... 167
FAQs on WAN RTT Monitor ... 168
Getting Started with WAAS ... 170
Ports ... 172
About IP SLA Video Operations ... 173
Advanced Security Analytics Module ... 175
Advanced Security Analytics Module ... 176
Viewing the Network Events ... 179
Problem class catalogue ... 184
CONTACTING TECHNICAL SUPPORT ... 229
FREQUENTLY ASKED QUESTIONS ... 230
OTHER CONFIGURATIONS ... 242
Configuring MSSQL Database ...
140. ...at logziputil.sh under the troubleshooting folder. This will create a zip file under the support folder; please send us the zip file.
2. Send us the .err file under the mysql/data folder.
3. Also send your machine configuration.

9. How to safely migrate an NFA installation to a different machine?
Please follow the steps below to move your installation:
1. Copy the data folder in the mysql folder of the installation that you wish to move to a safe location.
2. Install NetFlow Analyzer in the new location, start it once and shut it down.
3. Replace the data folder in the mysql folder of the new installation with the data folder of the old installation.
4. Start NetFlow Analyzer.

10. What do I do if my NFA server becomes slow, or how do I improve my NFA system performance?
Please refer to this link for a brief note on database tuning: http://forums.manageengine.com (ftid 49000002654617)

11. Why does NFA say the router time is not in SYNC and stop collecting data?
Please follow these steps to fix this issue:
1. In case you see this, please ensure the following on the router:
   - Check if the correct time is set on your router. You can check this by logging into the router and typing show clock. You can set the clock time using the command clock set hh:mm:ss month date year.
   - Check if the time zone and the offset in hours and minutes for the time zone are set properly, e.g. P
141. ...ation filter: a cryptomap tunnel interface double counts the ESP traffic. To prevent this, please apply this filter on cryptomap tunnel interfaces. It is possible to add or modify interfaces.

Select interfaces to apply the access control traffic filter: the access control filter drops the flow information which contains data pertaining to traffic dropped due to an Access Control List. Please apply this filter to drop such flows. These flows have the destination interface as null. If any interface is selected to apply this filter, all the traffic coming from this interface with a null destination interface will be dropped.

Select interfaces to apply the output interface suppression filter: please select any WAN optimizer's LAN-facing interfaces to suppress the incorrect out traffic (due to compression) reported by them. This filter stops the out traffic for any interface that appears as the destination interface of a flow for a selected interface. When a WAN optimizer sends a flow which has source and destination interfaces A and B respectively, if you select interface A to perform output suppression, B will not get out traffic, which is not correct traffic if reported by interface A, since compression is happening on interface B on the WAN optimizer.

Select edge interfaces of a cryptomap tunnel to apply the GRE application filter: please select any cryptomap tunnel interface in which you want to apply the GRE filter. This prevents the GRE tra
142. Report Generation: …ation frequency as one of Daily, Weekly, Monthly and Only Once. Depending on this, the report will be generated at the appropriate time intervals.
Email Address to Send Reports: Enter the email address to which the generated reports have to be emailed. You can enter multiple email addresses separated by a comma.

4. After setting the required parameters, click Save.

Custom Report: Opting for a custom report lets you set criteria on the basis of which the report will be generated. By clicking on the Add Criteria button one can set a matching condition on Source Address, Source Network, Source Nodes, Destination Address, Destination Network, Destination Nodes and Application. To add more criteria, click on Add Criteria again. Having created all the criteria, you can decide whether the generated report should match all of the criteria created or any of them.

Scheduling Report Generation: The report generation schedule can be chosen from one of the following:
• Daily: When you opt for Daily, you have the option to set the time at which the report should be generated. Also, the report could be generated for the previous day, the last 24 hours or any of the options available in the dropdown. When the Previous Day option is chosen, the report is generated for the time period from 00:00 hours to 23:59 hours of the previous day. You have the option to narrow down this time period by using the time filter.
143. …be, hulu, FoxInteractiveMedia. Users can also add/remove other sites that they feel fall under these predefined IP groups.

The IP groups feature lets you monitor departmental, intranet or application traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol. You can even choose to monitor traffic from specific interfaces across different routers. After creating an IP group, you can view the top applications, top protocols, top hosts and top conversations in this IP group alone. This section will help you understand IP groups and walk you through the steps needed to create, and later delete, an IP group if needed:
• Understanding IP Groups
• Defining an IP Group
• Operations on IP Groups
• Bulk Loading of IP Groups

Understanding IP Groups: To further understand how the IP grouping feature can help in understanding exclusive bandwidth usage, consider the following two scenarios.

Enterprise Network Scenario: A typical enterprise setup where the main servers and databases are located at a central office and all branch offices are given appropriate access privileges to these servers. Problem: You need to track the bandwidth used by each branch office while accessing an ERP/CRM application. Solution: Create an IP group for each branch office along with the port and protocol of the ERP/CRM application running in the central office. The traffic reports for each IP group will then show details on b…
144. …can change the storage period from Raw Data Settings under the Settings page.

NBAR Report: The NBAR Report tab lists the various applications in your network and their percentage of the total traffic for the selected time period. The default view shows the NBAR Application In Report. This report shows the distribution of traffic application-wise. Choose between IN and OUT to display the application-wise distribution of incoming or outgoing traffic respectively. The Time Period box lets you choose between the last hour, last day, last week, last month and last quarter's traffic graphs. The From and To boxes let you choose custom time periods for the graphs; use the icon to select the date and time easily. The time period for these graphs is based on the current system time. Once you select the desired date and time, click the Show button to display the appropriate application traffic report. The table below the graph shows the distribution of traffic per application: you can see which application caused how much traffic and how much of the total bandwidth was occupied by that application. Click the Supported Applications link to see the list of supported applications in a new window.

Viewing Top Applications: Choose between IN and OUT to display the protocol-wise distribution of incoming or outgoing traffic respectively. The pie chart below shows what percent…
145. …can change your password by selecting the Change Password option in the Admin Operations menu.

Editing User Details: Click on the edit icon against a user to edit the user's details. You can only modify the device groups and IP groups which have been assigned to the user. You cannot modify the user name or the access level, irrespective of your own access level. Once you are done, click the Update button to save your changes.

Deleting a User: Click the delete icon against a user name to delete the respective user. Once a user is deleted, all details of this user are permanently deleted.

License Management: The License Management option lets you manage the interfaces exporting NetFlow data to NetFlow Analyzer, depending on the license that you have purchased. Note: the options visible under the Admin Operations menu depend on the user level you have logged in as. Look up User Management to know more about user levels and the respective admin operations allowed. The status box at the top of the page indicates the type of license currently applied, the total number of interfaces currently managed and the number of days remaining for the license to expire. Look up Licensing to know more about upgrading your license. The Router List shows all the routers and interfaces from which NetFlow exports are received and whether they are manage…
146. Problem Name | Description | Class
… Grid Scan Reverse | …destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end | Scans/Probes
ICMP Request Broadcasts | ICMP Request flows with Dst Port value IN (2048 Echo Request, 3328 Timestamp Request, 3840 Information Request, 4352 Address Mask Request) sent to a Broadcast/Multicast IP, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Indicates a possible amplification attack on the Src IP. | DoS/Flash Crowd
ICMP Request Broadcast Attack | ICMP Request Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS/Flash Crowd
ICMP Request Broadcast Inflood | ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS/Flash Crowd
ICMP Request Broadcast Outflood | 1. ICMP Request Broadcast flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end | DoS/Flash Crowd
ICMP Request Broadcast Host Scan | 1. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destinati… | Scans/Probes
147. …ccessor to IP version 4 (IPv4). IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. NetFlow Analyzer now offers support for IPv6. You can view the raw data records for the last two hours in IPv6 format; since the IPv6 addressing format is yet to be adopted by most people worldwide, we are offering support for the IPv6 format only at the raw data level. The raw data collected for the top ten conversations for the past two hours can be viewed in IPv6 format. You can also view the raw data of Troubleshoot Reports in IPv6 format.

AS Traffic Reports: The traffic report for autonomous systems shows the amount of incoming and outgoing traffic for that AS over the past one hour. Tabs above the traffic graph let you view the graph in terms of volume of traffic, speed and number of packets received. You can see traffic graphs for different time periods by choosing the appropriate values from the Time Period box. Use the From and To boxes to choose custom time periods for the graphs; use the icon to select the date and time easily. The time period for these graphs is based on the current system time. Once you select the desired date and time, click the Show Report button to display the appropriate traffic report. The table below the graph shows the legend along with total, maximum, minimum and average traffic values for…
148. Problem Name | Description | Class
… | …ce hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Short TCP Handshake Diagonal Scan Reverse | Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans/Probes
Short TCP Handshake Grid Scan Reverse | Short TCP Handshake flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end | Scans/Probes
Short TCP Psh_Ack_No_Syn_Fin | TCP flows with nominal payload, i.e. BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (24 PA, 28 APR), packets denoting TCP Psh_Ack but without Syn/Fin, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Excess/Suspect Flows
Short TCP Psh_Ack Attack | Short TCP Psh_Ack flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS/Flash Crowd
Short TCP Psh_Ack Inflood | Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts exceedin… | DoS/Flash Crowd
149. Problem Name | Description | Class
… | …ceeding Minimum Horizontal Span at the destination end. 2. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
Short TCP Ack Diagonal Scan | Short TCP Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans/Probes
Short TCP Ack Grid Scan | Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans/Probes
Short TCP Ack Port Scan Reverse | 1. Short TCP Ack flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Short TCP Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Short TCP Ack Host Scan Reverse | 1. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using a single source port… | Scans/Probes
150. Problem Name | Description | Class
… | …ch is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans/Probes
TCP Xmas Grid Scan | TCP Xmas flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans/Probes
TCP Xmas Port Scan Reverse | 1. TCP Xmas flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. TCP Xmas flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
TCP Xmas Host Scan Reverse | 1. TCP Xmas flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. TCP Xmas flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
TCP Xmas Diagonal Scan Reverse | TCP Xmas flows from multiple source hosts to single/multiple destination hosts… | Scans/Probes
151. …ch the manager application is running. o <Port No>: The port number at which the manager application is listening for the traps. o <Community>: The community string of the manager application.

After the configuration, one trap is sent to the manager application for every alert generated. A trap contains an OID and a system description. Entuity provides a MIB file with the OIDs and their descriptions for all the traps that can be forwarded. The manager application can parse this MIB file and get meaningful messages for the forwarded traps. The steps for the manager application to decode the meaning of each of the OIDs are:
• Copy the ADVENTNET-NETFLOWANALYZER-MIB file from the <NetFlow Analyzer Home>/lib directory and save it on the system where the manager application is running.
• Load the MIB file ADVENTNET-NETFLOWANALYZER-MIB in the manager application.
• Make the required configuration in the manager application such that the OIDs are parsed and meaningful information is obtained.

Database Backup: For MySQL backup, please follow the steps below to migrate from one server to another: 1. Shut down the server. Execute the file BackupDB.bat / BackupDB.sh under the <NetFlow_Home>/troubleshooting folder. This will create a zip file under <NetFlow_Home> with the name database_backup_<build_number>_<date>.zip. Please check the zip file to make sur…
152. …chart represents the percentage of rich media traffic to other traffic in the network. The table below displays the source, destination, application and their respective RTT. Clicking on the respective source/destination/application will open the detail reports page that lists the traffic details of the source/destination/application selected.

Jitter Avg: The time line graph gives an at-a-glance view of the transport jitter average of the top 3 IP addresses. The pie chart represents the percentage of rich media traffic to other traffic in the network. The table below displays the source, destination, application and their maximum, minimum and average jitter values. Clicking on the respective source/destination/application will open the detail reports page that lists the traffic details of the source/destination/application selected.

Packet Lost: The time line graph gives an at-a-glance view of the media packets lost by the top 3 IP addresses. The pie chart represents the percentage of rich media traffic to other traffic in the network. The table below displays the source, destination, application and the number of packets lost along with the rate of packet loss. Clicking on the respective source/destination/application will open the detail reports page that lists the traffic details of the source/destination/application selected.

All Reports: The time line graph gives an at-a-glance view of the top 3 contributors (IP addresses) of media traffic. The pie chart repres…
153. …ches are more performance-impacting than static port applications.

4. Is performance dependent on the number of interfaces that NBAR is enabled on? Does the link speed of the interface(s) that NBAR is enabled on affect performance? No, NBAR performance is not dependent on the number of interfaces that NBAR is enabled on or the link speed of those interfaces. Performance is dependent on the number of packets that the NBAR engine has to inspect and how deep into the packet it has to look to perform regular inspection.

5. I am able to issue the command ip nbar protocol-discovery on the router and see the results, but NFA says my router does not support NBAR. Why? Earlier versions of IOS support NBAR discovery only on the router, so you can very well execute the command ip nbar protocol-discovery on the router and see the results. But NBAR Protocol Discovery MIB (CISCO-NBAR-PROTOCOL-DISCOVERY-MIB) support came only in later releases. This is needed for collecting data via SNMP. Please verify whether your router IOS supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB.

6. How do I verify whether my router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB? a. You can check CISCO-NBAR-PROTOCOL-DISCOVERY-MIB supported platforms and IOS using the following link: http://tools.cisco.com/ITDIT/MIBS/AdvancedSearch?MibSel=250073 b. Alternately, you can execute the show snmp mib | include cnpd command at the router to know the…
154. …ckup: For MySQL backup, steps to be followed to take a backup of the aggregated data: 1. Shut down NetFlow Analyzer. 2. Execute the file BackupDB.bat (BackupDB.sh in case of Linux) under the troubleshooting folder. This will create a zip file under <Netflow_home> with the name aggregated_database_backup.zip. Ensure that the zip file is not corrupted. 3. Copy the zip file to a remote backup location. 4. Install NetFlow Analyzer (same build). 5. Start NetFlow Analyzer. 6. Shut down NetFlow Analyzer. 7. Copy the zip file under <Netflow_home> and unzip the file at the same location. 8. Navigate to the troubleshooting folder and execute the command rawCleanup.bat (rawCleanup.sh in case of Linux). 9. Start the NetFlow Analyzer server. For MSSQL backup, please get details here: http://msdn.microsoft.com/en-us/library/ms187048.aspx

Geo Locations: Geo Locations is a useful feature which has been added to the NetFlow Analyzer source and destination tabs. Geo locations gives the country-wise traffic usage in terms of the total volume in Kbytes and the total utilization. To use the Geo locations feature, please select the respective interface and click on the source or the destination tab. There you would see Geo locations between Resolve DNS and Show network on the top left. Click on Geo locations and the list of countries wi…
155. …configuration, and it is also the threshold used for base problems like TCP Syn Violations, TCP Fin Violations, etc.

Source Pattern Settings
Parameter | Description | Problems detected
Minimum Horizontal Span | Minimum number of distinct source hosts | Host Scan Reverse
Minimum Vertical Span | Minimum number of distinct source ports | Port Scan Reverse
Minimum Diagonal Span | Minimum number of distinct source end points under the constraint source hosts = source ports = source end points | Diagonal Scan Reverse
Minimum Aspect Ratio | 1. Minimum source hosts per source port. 2. Minimum source ports per source host | 1. Host Scan Reverse. 2. Port Scan Reverse
Minimum Occupancy | Minimum spread of source end points in an event: Occupancy = Source End Points / (Source Hosts × Source Ports) | Host Scan Reverse, Port Scan Reverse, Grid Scan Reverse
Minimum Flux Rate | Minimum hits per source end point | Outflood
Minimum Divergence | Minimum destination hosts per source host | Outflood

Destination Pattern Settings
Parameter | Description | Problems detected
Minimum Horizontal Span | Minimum number of distinct destination hosts | Host Scan
Minimum Vertical Span | Minimum number of distinct destination ports | Port Scan
Minimum Diagonal Span | Minimum number of distinct destination end points under the constraint destination hosts = destinat…
156. …created in the Creating a Traffic Class section and enters policy-map class configuration mode. Use one or more of the following commands to enable the specific QoS feature you want to use.

Step 5. Command: Router(config-pmap-c)# bandwidth {bandwidth-kbps | percent percent}. Purpose: (Optional) Specifies a minimum bandwidth guarantee to a traffic class in periods of congestion. A minimum bandwidth guarantee can be specified in kbps or by a percentage of the overall available bandwidth.
Step 6. Command: Router(config-pmap-c)# fair-queue number-of-queues. Purpose: (Optional) Specifies the number of queues to be reserved for a traffic class.
Step 7. Command: Router(config-pmap-c)# police bps burst-normal burst-max conform-action action exceed-action action violate-action action. Purpose: (Optional) Configures traffic policing.
Step 8. Command: Router(config-pmap-c)# priority {bandwidth-kbps | percent percentage} [burst]. Purpose: (Optional) Gives priority to a class of traffic belonging to a policy map.
Step 9. Command: Router(config-pmap-c)# queue-limit number-of-packets. Purpose: (Optional) Specifies or modifies the maximum number of packets the queue can hold for a class configured in a policy map.
Step 10. Command: Router(config-pmap-c)# random-detect dscp-ba… Purpose: (Optional) Enables Weighted Random Early…
157. …ct the severity type from the list. Algorithm Type: Select the algorithm type from the list. Resource: Select the resource from the list. Click the Generate Report button to generate the reports based on the filter criteria.

Viewing the Network Events

Event List: The Security Event List Report displays the number of security events present in the network. The parameters included in the event list are listed in the following table.

Parameter | Description
Algorithm Type | Image representation of the type of algorithm used, namely Source Aggregation, Destination Aggregation and Router Aggregation
ID | A unique ID assigned to an event, for ease of identification
Problem | The class and the particular problem to which the event belongs
Offender Location | The geographical/topological location of the offender
Offenders | The unique source IP/network addresses of the event
Routed Via | The router and interface through which the event was routed
Target Location | The geographical/topological location of the target
Targets | The unique destination IP/network addresses of the event
Time | The date and time of the first flow and the last flow of the event
Hits | The number of flows aggregated in a specific event
Severity | Denotes the severity of the event generated. There are 4 types of severity: Info, Warning, Major, Critical
158. Problem Name | Description | Class
… | …cupancy at the destination end | Scans/Probes
Malformed UDP Port Scan Reverse | 1. Malformed UDP flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Malformed UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Malformed UDP Host Scan Reverse | 1. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Malformed UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Malformed UDP Diagonal Scan Reverse | Malformed UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans/Probes
Malformed UDP Grid Scan Reverse | Malformed UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertic… | Scans/Probes
159. Problem Name | Description | Class
Malformed TCP Port Scan Reverse | 1. Malformed TCP flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Malformed TCP flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Malformed TCP Host Scan Reverse | 1. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Malformed TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Malformed TCP Diagonal Scan Reverse | Malformed TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans/Probes
Malformed TCP … | Malformed TCP flows from multiple source hosts to single/multiple … | S…
160. …d a new credential, click on Add New. [Screenshot: the Credential Setting dialog, with the fields Credential Name, Description, User Name, Context Name, Authentication Protocol, Authentication Password, Encryption Protocol, Encryption Password, and an Add button.]

5. Once the credential setting pops up, users can key in the credentials as per the following table:

Parameter | Description
Credential name | Users can name it as they find necessary
Description | Write a brief description for ease of understanding
Username | Same as the one set in the router
Context name | Same as the one set in the router
Authentication protocol | Same as the one set in the router
Authentication password | Same as the one set in the router
Encryption protocol | Same as the one set in the router
Encryption password | Same as the one set in the router

SNMP V3 Security Models and Levels

Model | Level | Authentication | Encryption | What happens
v3 | noAuthNoPriv | Username | No | Uses a username match for authentication
v3 | AuthNoPriv | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms
v3 | AuthPriv | MD5 or SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides DES 56-bit encryption in addition to authentication, based on the CBC-DES (DES-56) standard
161. For more details on SNMP V3 you can also view the Cisco site.

More Reports: Click on More Reports to compare device(s) over various time period(s) and to generate reports based on custom-defined criteria.

Compare Devices: The Compare Devices feature lets the user compare multiple devices for the same time period, or compare the same device over different time periods (e.g. Every Day Report, Every Hour Report, Every Week Report, Every Month Report).

Field | Purpose/Description
Report Type | The report type could be one of: • Compare multiple devices over the same time period, or • Compare the same device over different time periods, as the case may be.
Select Period | When the Report Type is chosen as Compare Multiple Devices over the same time period, the available periods are Last Hour, Last 6 Hours, Today, Last 24 Hours, Yesterday, Last Week, Last Month, Last Quarter or Custom Selection. Custom Selection lets one choose the time period for which one desires the report to be generated. When the Report Type is chosen as Compare same device over different time periods, the available periods are Every Day Report, Every Hour Report, Every Week Report and Every Month Report.
Select Device(s) | This allows the user to select the device, if the same device is to be compared over various time periods, or the set of devices that are to be compared for a single time period. The…
162. …d or not.

Managing a router interface: To select the router and all its interfaces, check the checkbox next to the router name. To select a specific interface, check the checkbox next to the interface name. Once you have selected the required interfaces, click the Manage button to manage these interfaces. This means that flows received from these interfaces will be processed by NetFlow Analyzer and traffic graphs and reports can be generated. The maximum number of interfaces that can be managed depends on the current license applied.

Unmanaging a router interface: To select the router and all its interfaces, check the checkbox next to the router name. To select a specific interface, check the checkbox next to the interface name. Click the Unmanage button to unmanage these interfaces. This means that flows received from these interfaces will be dropped by NetFlow Analyzer. Once unmanaged, these interfaces will not be seen on the Dashboard or be listed in device groups. However, they will still be listed in the Router List on the License Management page.

Deleting a router interface: To select the router and all its interfaces, check the checkbox next to the router name. To select a specific interface, check the checkbox next to the interface name. Click the Delete button to delete these interfaces. This means that these interfaces are completely removed from all screens of the NetFlow Analyzer client. However, if flows are still being sent fr…
163. …data to the port on which NetFlow Analyzer is listening. o Check if the router is exporting NetFlow version 5 data. Flows with any other version will be discarded.

3. I've deleted a router and all its interfaces through the License Management page, but it still comes up on the Dashboard. This happens because NetFlow packets are still being received from that router. Unless you configure the router itself to stop exporting NetFlow data to NetFlow Analyzer, it will reappear on the Dashboard.

4. What's the difference between unmanaging and deleting an interface? Or, when do I unmanage a device and when do I delete it from the License Management page? If you need to temporarily stop monitoring a router interface, unmanage it from License Management. In this case the router interface is still shown under License Management. If you need to permanently stop monitoring a router interface, disable NetFlow exports from the interface/router and then delete it from License Management. In this case the router interface is not displayed on any of the client screens unless new flows are sent from it.

5. How do I configure the SNMP community on the router? For configuring SNMP, follow the steps below: 1. Log on to the router. 2. Enter the global configuration mode. 3. Type the command snmp-server community public RO to set public as a read-only community. 4. Press Ctrl+Z. 5. Type the command write mem.

6. How do I set the router time in SYNC with…
164. …dows Authentication / SQL Server Authentication. [Screenshot: the Windows Authentication fields Domain Name (Adventnet), User Name (Administrator) and Password.]

b. SQL Server Authentication: For SQL Server Authentication, enter the User Name and Password. [Screenshot: the Database Setup dialog showing Server Type SQL Server, Host Name NETFLOW-TEST5, Port 1433, Available SQL Server Instances NETFLOW-TEST5\MSSQLSERVER 1433, Database netflow, Connect Using Windows Authentication / SQL Server Authentication, User Name and Password.]

Click the Test button to check whether the credentials are correct. If the test fails, the credentials may be wrong; recheck and enter the correct credentials. Click the Save button to save the SQL Server configuration. Note that it will take a few minutes to configure the settings of the SQL Server database. Invoke <NetFlow Analyzer Home>/bin/run.bat to start the NetFlow Analyzer server in the command prompt. After the server has started completely, stop the server by terminating run.bat in the command prompt or by invoking <NetFlow Analyzer Home>/bin/shutdown.bat. Invoke <NetFlow Analyzer Home>/troubleshooting/Mysql_Mssql_RestoreConfig.bat. Start the NetFlow Analyzer server service.
165. duction in the reporting of bandwidth usage over time.

NBAR
1. Which features are not supported by NBAR?
The following features are not supported by NBAR:
- More than 24 concurrent URLs, HOSTs or MIME type matches
- Matching beyond the first 400 bytes in a URL
- Non-IP traffic
- Multicast and other non-CEF switching modes
- Fragmented packets
- Pipelined persistent HTTP requests
- URL/HOST/MIME classification with secure HTTP
- Asymmetric flows with stateful protocols
- Packets originating from or destined to the router running NBAR

2. Any restrictions on where we can configure NBAR?
You can't configure NBAR on the following logical interfaces:
- Fast EtherChannel
- Interfaces that use tunneling or encryption
- VLANs
- Dialer interfaces
- Multilink PPP
Note: NBAR is configurable on VLANs as of Cisco IOS Release 12.1(13)E, but supported in the software switching path only.

3. What does NBAR performance depend on?
Several factors can impact NBAR performance in software-based execution:
A. Router Configuration
1. Number of protocols being matched against it
2. Number of regular expressions being used
3. The complexity of packet inspection logic required
B. Traffic Profile (Packet/Protocol Sequence)
1. The number of flows
2. Long duration flows are less expensive than shorter duration flows
3. Stateful protocol mat
166. due to an incorrect SNMP read community being configured, or if the Responder is not enabled on the destination device. Make sure that the correct SNMP read community is configured and the SLA Responder is enabled.

5. What are the critical parameters monitored to determine the VoIP QoS performance?
The monitored parameters include Latency, Jitter, Packet Loss and MOS. The parameters are described below for reference.

Jitter: Jitter is defined as a variation in the delay of received packets. Users often experience disturbing sounds over a conversation, coupled at times with loss of synchronization, and this is referred to as jitter. High levels of jitter can result in some packets getting discarded and thereby impact the call quality. Ensuring a jitter-free transmission to provide qualitative service depends on identifying the bottleneck responsible for the jitter and acting on it to eliminate it. NetFlow Analyzer's VoIP monitoring feature helps you find the problem and ensures maximum QoS on your VoIP network.

Packet Loss: Packet loss is a measure of the data lost during transmission from one resource to another in a network. Packets are discarded often due to network latency. Using NetFlow Analyzer you can monitor the packet loss and take corrective actions based on the information.

One-way Latency: Latency (delay) is the time taken for a packet to reach the destinat
167. dwidth usage seems to decrease depending on the length of the report. Why is that?
NetFlow Analyzer aggregates older data in a less granular format, and for this reason some of the spikes may not show in older reports. While reports pertaining to the last day are generated from tables with 10-minute granularity, reports pertaining to the last week are generated from tables with 1-hour granularity. For example, data in the 10-minute table pertaining to 10:00, 10:10, 10:20, 10:30, 10:40 and 10:50 would all be aggregated and moved into the hourly data tables as one data point pertaining to 10:00. While the total data volume is correct, the traffic rates will be averaged over this period. So:
- 10:00 -> volume transferred 100 MBytes, ten-minute average rate 1,333 Kbits/s
- 10:10 -> volume transferred 1 MByte, ten-minute average rate 13.3 Kbits/s
- 10:20 -> volume transferred 1 MByte, ten-minute average rate 13.3 Kbits/s
- 10:30 -> volume transferred 1 MByte, ten-minute average rate 13.3 Kbits/s
- 10:40 -> volume transferred 1 MByte, ten-minute average rate 13.3 Kbits/s
- 10:50 -> volume transferred 1 MByte, ten-minute average rate 13.3 Kbits/s
When aggregated into the one-hour table we get:
- 10:00 -> volume transferred 105 MBytes, one-hour average rate 233 Kbits/s
The spike up to 1,333 Kbits/s has been lost by this averaging process. As the data get aggregated into longer and longer time periods, this average value will decrease further. This is the reason for the re
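The roll-up described above, as an added example that is not part of the guide: it recomputes the page's 10-minute and hourly figures and then, going beyond the single hour shown here, carries the same spike through the 6 Hour and 24 Hour table levels the guide names elsewhere. The 24-hour sample series and the decimal MByte/Kbit units are assumptions.

```python
"""Added example, not from the NetFlow Analyzer guide: reproduces the
10-minute -> hourly roll-up described above and carries the same spike
on through the 6 Hour and 24 Hour table levels."""

SLOT_SECONDS = 600            # one 10-minute aggregation slot
HOUR_SECONDS = 3600
MBYTE = 1_000_000             # assumption: decimal units (100 MBytes/600 s -> 1,333 Kbits/s)

# The page's own worked hour: bytes transferred per 10-minute slot.
TEN_MINUTE_VOLUMES = {
    "10:00": 100 * MBYTE,
    "10:10": 1 * MBYTE,
    "10:20": 1 * MBYTE,
    "10:30": 1 * MBYTE,
    "10:40": 1 * MBYTE,
    "10:50": 1 * MBYTE,
}

# Table levels named in the guide (Weekly omitted to keep the sample day short).
LEVELS = {"10 Min": 600, "Hourly": 3600, "6 Hour": 21600, "24 Hour": 86400}


def average_rate_kbps(volume_bytes: int, seconds: int) -> float:
    """Average rate over an interval, in Kbits/s (decimal kilo)."""
    return volume_bytes * 8 / seconds / 1000


def ten_minute_rates(volumes: dict) -> dict:
    """Rates as a last-day report shows them (10-minute table)."""
    return {slot: average_rate_kbps(v, SLOT_SECONDS) for slot, v in volumes.items()}


def rollup_to_hour(volumes: dict) -> tuple:
    """Aggregate the six slots into the single 10:00 hourly data point.

    Volume is summed, so totals stay correct; the rate becomes the
    hour-long average that a last-week report (1-hour table) displays.
    """
    total = sum(volumes.values())
    return total, average_rate_kbps(total, HOUR_SECONDS)


def rollup(volumes: list, slot_seconds: int, bucket_seconds: int) -> list:
    """Sum consecutive slots of slot_seconds into buckets of bucket_seconds."""
    per_bucket = bucket_seconds // slot_seconds
    return [sum(volumes[i:i + per_bucket]) for i in range(0, len(volumes), per_bucket)]


def peak_rate_by_level(volumes_10min: list) -> dict:
    """Highest average rate still visible at each table level, in Kbits/s."""
    return {
        name: max(average_rate_kbps(b, secs) for b in rollup(volumes_10min, SLOT_SECONDS, secs))
        for name, secs in LEVELS.items()
    }


def day_with_spike(spike_bytes: int = 100 * MBYTE, base_bytes: int = MBYTE) -> list:
    """Constructed sample day: 144 ten-minute slots of base traffic plus one spike."""
    volumes = [base_bytes] * (24 * HOUR_SECONDS // SLOT_SECONDS)
    volumes[0] = spike_bytes
    return volumes


if __name__ == "__main__":
    for slot, rate in ten_minute_rates(TEN_MINUTE_VOLUMES).items():
        print(f"{slot} -> {rate:8.1f} Kbits/s")
    total, hourly = rollup_to_hour(TEN_MINUTE_VOLUMES)
    print(f"hourly point 10:00 -> {total // MBYTE} MBytes, {hourly:.1f} Kbits/s")
    for level, peak in peak_rate_by_level(day_with_spike()).items():
        print(f"{level:>7} table: peak rate {peak:8.1f} Kbits/s")
```

With the constructed day the visible peak falls from 1,333 Kbits/s (10 Min) to 233 (Hourly), 50 (6 Hour) and 22.5 Kbits/s (24 Hour), while the summed volume is preserved at every level.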
168. e
2. What is Aggregate data and Raw data? How do I set Raw data?
As far as aggregated data is concerned, NetFlow Analyzer maintains the top n flows for every ten-minute slot. The record count determines this n value. By default it is set to 50. You may set your own criteria for this purpose; you can change this from the Settings option. Apart from this, NetFlow Analyzer allows you to store raw data (all flows, not just the top n) for up to one month.
1. Aggregated data is stored in 5 levels of tables (10 Min, Hourly, 6 Hour, 24 Hour and Weekly tables), and reports for different periods need to access the corresponding table. For example, very recent reports need to access the 10 Min table and old reports need to access the Weekly table. You can access the table MetaTable to determine the table which contains data for the required time period.
2. Raw data is stored in dynamically created tables, and data pertaining to different devices (routers) resides in different tables for different periods of time. You can access the table RawMetaTable to determine the table which contains data for the required report.

3. Some of the applications are labeled as TCP_App or something similar. What is that?
If an application is labeled as TCP_App or something similar, it means that NetFlow Analyzer has not recognized this application, i.e. the combination of port and protocol is not mapped to any application. Once you add these applications under Applicati
169. [Chart residue: legend Short TCP Handshake, Port Scan, SN, Others; Events and Resources axes; time axis 11:30 to 17:00 in 30-minute steps]

Offenders & Targets report: Displays the top algorithm types and the unique resources involved. It also lists the number of events and distinct problems created by each resource. Click on the resource name to go to the Resource Analysis tab. The event distribution for each resource is represented as a pie chart, and the number of problems created by each resource is represented as a bar graph. The time distribution graph is a multi-line graph that represents the number of events, problems and resources involved for an algorithm over a given time period.

[Screenshot: Offenders & Targets tab (Dashboards, Interface View, Autonomous System View, WAAS, Reports, Problem Glossary; Security Posture, Offenders & Targets, Problem Analysis, Resource Analysis); Show Filter; Flows Processed 13873034; Top Algorithm Types (Show All / Hide All); Destination Aggregation table with columns Resource, Events, Problems, Time Distribution (Events, Resources, Problems)]
170. e database. There are 2 ways of backup:
1. You can execute the script backupdb.bat / backupdb.sh, which can be found under NETFLOW_HOME/troubleshooting. This will create a backup of the database in zip format. When you want to restore, you have to extract the zip to the NETFLOW_HOME directory. This is a slow process.
2. You can copy the folder NETFLOW_HOME/mysql/data to a different location, and to restore you can copy it back to the same location. This is a fast process.
In both the above processes, the version of NFA should be the same.

5. How do I update a patch in Linux?
Please use the command sh UpdateManager.sh -c and follow the instructions to upgrade NetFlow Analyzer.

Router Configuration
1. Why can't I add a router to NetFlow Analyzer?
NetFlow Analyzer does not choose which routers or interfaces to monitor. Devices are auto-discovered. All you need to do is set up your interfaces to send NetFlow data to the specified port on NetFlow Analyzer. Once NetFlow Analyzer starts receiving NetFlow data, you can see the device and its interfaces listed on the Dashboard.
2. My router has been set up to export NetFlow data, but I still don't see it on the Dashboard.
There are a number of things you can check here:
- Check if NetFlow is enabled on the device and that it has started sending flows.
- Check if your router is exporting NetFlow
171. e destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

| Problem Name | Description | Class |
|---|---|---|
| ICMP Host Unreachables | ICMP Host Unreachable flows with Dst Port value IN (769 Host Unreachable, 773 Source Route Failed, 775 Host Unknown, 776 Source Host Isolated (obsolete), 778 Host Administratively Prohibited, 780 Host Unreachable for TOS, 781 Communication administratively prohibited by filtering) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Suspect Flows |
| ICMP Host Unreachable Inflood | (1) ICMP Host Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. (2) ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS / Flash Crowd |
| ICMP Host Unreachable Outflood | (1) ICMP Host Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. (2) ICMP Host Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end | DoS / Flash Crowd |
| ICMP Host Unreachable Host Scan | (1) ICMP Host Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal | Scans / Probes |
172. - CM Server IP: Denotes the IP address of the Central Server you want to configure.
- CM Server Port: Denotes the port number of the WAAS central manager. The default port number is 8443.
- CM Server Protocol: The server protocol is either http or https.
- CM Server User Name / Password: Provide the login credentials of the Central Manager you want to configure.
- CM Server Timezone: Mention the current time zone of the Central Manager you want to configure.
- CM Server Certificate Path: Denotes the location of the SSL server certificate.
Now the Central Manager has been configured. Click Update to submit the details of the Central Manager.
Note: In order to obtain the SSL server certificate, open the central manager in the desired browser and click on the identity information of the https URL. Click More Information. In the new pop-up that opens, click View Certificate. In the certificate viewer that opens, select the Details tab and click Export to save the certificate as a .cer file. Now enter the location of this .cer file in the above CM Server Certificate Path text box.
You can configure any number of CMs and manage them using the Manage Devices option. Once configured, the central manager cannot be edited any further.

NetFlow WAE Device Mapping
By mapping the NetFlow router name, we instruct the WAE on which router to monitor. The mapped routers are monitored by the WAE, and NetFlow generates reports on t
173. e | Description | Class
single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

| Problem Name | Description | Class |
|---|---|---|
| Malformed ICMP Packets | ICMP flows with BytePerPacket less than the minimum 28 octets (bytes) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Suspect Flows |
| Malformed ICMP Inflood | (1) Malformed ICMP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. (2) Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS / Flash Crowd |
| Malformed ICMP Outflood | (1) Malformed ICMP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. (2) Malformed ICMP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end | DoS / Flash Crowd |
| Malformed ICMP Host Scan | (1) Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. (2) Malformed ICMP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the des | Scans / Probes |
174. e assigned to another application.

Additional Notes on Application Mapping
Applications are categorized based on the source address, destination address, source port, destination port and protocol values in the flow record. These values are matched with the list of applications in the Application Mapping. The check is done first with the smaller of the 2 ports (source port, destination port), and if no match is found, the bigger of the 2 ports is mapped.
Application mappings created with a specific IP address / IP range / IP network are given higher priority over application mappings with no IP address. For example, assume you have 2 application mappings as below:

| Port | Protocol | IP Address / IP Range | Application |
|---|---|---|---|
| 80 | TCP | 10.10.1.0 / 255.255.255.0 | APP1 |
| 80 | TCP | Any | APP2 |

If a flow is received with source address 10.10.10.10 and port as TCP 80, then it is classified as APP1. Only TCP 80 flows from a non-10.10.10.0 network will be classified as APP2.
Application mappings created with a single port are given higher priority over application mappings with a port range. For example, assume you have application mappings as below:

| Port | Protocol | IP Address / IP Range | Application |
|---|---|---|---|
| 80 | TCP | any | APP1 |
| 70 to 90 | TCP | any | APP2 |

If a flow is received with port as TCP 80, then it is classified as APP1.
Applications are catego
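The three precedence rules above as a small classifier; this is an added example, not NetFlow Analyzer's own code. The sample mappings are constructed, and two things the notes do not state are assumed: an IP-qualified mapping matches a flow whose source or destination address lies in its network, and when the rules conflict the IP qualification outranks the single-port preference.

```python
"""Added example, not NetFlow Analyzer's own code: a classifier applying the
three precedence rules from the notes above to a flow record."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Mapping:
    app: str
    protocol: str                       # "TCP" or "UDP"
    port_low: int
    port_high: int                      # equal to port_low for a single-port mapping
    network: Optional[IPv4Network] = None   # None stands for "Any"

    @property
    def is_single_port(self) -> bool:
        return self.port_low == self.port_high

    def matches(self, proto: str, port: int, src: IPv4Address, dst: IPv4Address) -> bool:
        if proto != self.protocol or not (self.port_low <= port <= self.port_high):
            return False
        # Assumption (not stated in the notes): an IP-qualified mapping applies to
        # flows whose source or destination address lies in its network.
        return self.network is None or src in self.network or dst in self.network


def classify(mappings: List[Mapping], proto: str, src: str, dst: str,
             sport: int, dport: int) -> str:
    """Return the application name for one flow record."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    # Rule 1: check the smaller of the two ports first; the bigger one only if
    # nothing matched.
    for port in sorted((sport, dport)):
        candidates = [m for m in mappings if m.matches(proto, port, src_ip, dst_ip)]
        if candidates:
            # Rule 2: IP-qualified beats "Any".  Rule 3: single port beats a range.
            # Assumption: rule 2 outranks rule 3 when the two disagree.
            best = min(candidates,
                       key=lambda m: (m.network is None, not m.is_single_port))
            return best.app
    # Unrecognized port/protocol, labelled in the style of the guide's TCP_App.
    return f"{proto}_App"


# Constructed sample mappings (not the page's table, whose network and example
# address do not line up as printed).
SAMPLE_MAPPINGS = [
    Mapping("APP1", "TCP", 80, 80, IPv4Network("10.10.10.0/24")),
    Mapping("APP2", "TCP", 80, 80),                 # TCP 80 from anywhere else
    Mapping("APP3", "TCP", 70, 90),                 # port range, lowest priority
    Mapping("APP_HTTPS", "TCP", 443, 443),
    Mapping("DNS", "UDP", 53, 53),
]


def classify_sample(proto: str, src: str, dst: str, sport: int, dport: int) -> str:
    return classify(SAMPLE_MAPPINGS, proto, src, dst, sport, dport)


if __name__ == "__main__":
    print(classify_sample("TCP", "10.10.10.10", "192.0.2.1", 51000, 80))     # APP1
    print(classify_sample("TCP", "198.51.100.7", "192.0.2.1", 51000, 80))    # APP2
    print(classify_sample("TCP", "198.51.100.7", "192.0.2.1", 51000, 85))    # APP3
    print(classify_sample("TCP", "198.51.100.7", "192.0.2.1", 80, 443))      # APP2: 80 is checked before 443
    print(classify_sample("TCP", "198.51.100.7", "192.0.2.1", 40000, 50000)) # TCP_App
```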
175. e hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

| Problem Name | Description | Class |
|---|---|---|
| ICMP Parameter Problem Host Scan Reverse | (1) ICMP Parameter Problem flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. (2) ICMP Parameter Problem flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans / Probes |
| ICMP Port Unreachables | ICMP Port Unreachable flows with Dst Port value equal to 771 (Port Unreachable) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied | Suspect Flows |
| ICMP Port Unreachable Inflood | (1) ICMP Port Unreachable flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. (2) ICMP Port Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS / Flash Crowd |
| ICMP Port Unreachable Outflood | (1) ICMP Port Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. (2) ICMP Port Unreachable flows from single/multiple source hosts to single/mult | DoS / Flash Crowd |
176. e hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.

| Problem Name | Description | Class |
|---|---|---|
| TCP Xmas Outflood | (1) TCP Xmas flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. (2) TCP Xmas flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end | DoS / Flash Crowd |
| TCP Xmas Port Scan | (1) TCP Xmas flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. (2) TCP Xmas flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans / Probes |
| TCP Xmas Host Scan | (1) TCP Xmas flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. (2) TCP Xmas flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans / Probes |
| TCP Xmas Diagonal Scan | TCP Xmas flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports whi | Scans / Probes |
177. e it believes that the delay of the available paths is too high. (Actually, the network manager can override this behavior through creative use of routing metrics, but this is strongly discouraged: setting the TOS field is intended to give better service when it is available, rather than to deny service when it is not.)

Use of the TOS Field in Routing
Both hosts and routers should consider the value of the TOS field of a datagram when choosing an appropriate path to get the datagram to its destination. The mechanisms for doing so are discussed in this section. Whether a packet's TOS value actually affects the path it takes inside a particular routing domain is a choice made by the routing domain's network manager. In many routing domains the paths are sufficiently homogeneous in nature that there is no reason for routers to choose different paths based upon the TOS field in a datagram. Inside such a routing domain, the network manager may choose to limit the size of the routing database and of routing protocol updates by only defining routes for the default (0000) TOS. Neither hosts nor routers should need to have any explicit knowledge of whether TOS affects routing in the local routing domain.

Inherent Limitations
The most important of all the inherent limitations is that the TOS facility is strictly an advisory mechanism. It is not an appropriate mechanism for requesting service guarantees. There are two reasons why this is so:
- Not all
178. e it is not corrupted.
3. Install NetFlow Analyzer on a new machine and start the server.
4. Shut down the server.
5. Copy the zip file under <NetFlow_home>, unzip it and restart the server.
Note:
1. The new server's operating system must match that of the old one. Cross-platform migration is not supported.
2. The build number of NetFlow Analyzer should be the same.
For MSSQL backup, please get details here: http://msdn.microsoft.com/en-us/library/ms187048.aspx

Configuration Backup
Please follow the steps below to take a backup of the configuration data:
Step 1: Shut down the NetFlow Analyzer server.
Step 2: Navigate to the <NetFlow_Home>/troubleshooting folder.
Step 3: Run the backupConfig.bat / backupConfig.sh file, which will create a ConfigBackup.sq under <NetFlow_Home>.
Note: The ConfigBackup.sq file will contain all your configuration. Please keep it in a safe location.
Please follow the steps below to restore the configuration data:
Step 1: Install NetFlow Analyzer.
Step 2: Shut down the server.
Step 3: Copy the ConfigBackup.sq under <NetFlow_Home>.
Step 4: Navigate to the <NetFlow_Home>/troubleshooting folder.
Step 5: Run the restoreConfig.bat / restoreConfig.sh file.
Step 6: Start the server.

Aggregated Data Ba
179. e levels help in cutting costs involved in logistics, thereby cutting operational costs and boosting operational efficiency.
- Lower frequency of network outages: When troubleshooting is accelerated, the downtime can be controlled. Lower downtime means cost savings.
- Network Readiness Assessment: Video operations for IP SLA acts as a tool to assess if the network is ready for deploying video.
- Network troubleshooting: When the network performance takes a hit, there are disturbances that need to be identified and corrective action needs to be taken. IP SLA VO gives you critical metrics that help you achieve this objective.

IP SLA Video Operations metrics
Here are the broad and specific categories of data that NetFlow Analyzer is capable of displaying:
- Jitter: Under jitter the following subtypes are displayed: Maximum positive jitter, Minimum positive jitter, Average positive jitter, Maximum negative jitter, Minimum negative jitter, Average negative jitter, Average of positive and negative jitter.
- Inter-arrival jitter at source and destination
- Latency: Maximum, minimum and average
- Packet information: Number of delayed packets, number of packets skipped, number of packets out of sequence and the number of packets lost

Prerequisites for IP SLA video operations
- Both the source and responder devices for
180. eb browser; therefore managing these devices is possible from anywhere in the world. Access to the Cisco WAAS Central Manager is secured and encrypted with Secure Sockets Layer (SSL), and users can be authenticated through a local database or a third-party authentication service.
In NetFlow Analyzer, the WAAS manager can be configured using the WAAS Settings page. In the WAAS Settings, enter the details of the WAAS Central Manager you want to configure. The NetFlow Analyzer WAAS module supports all versions of the WAAS Central Manager.
- CM Server IP: Denotes the IP address of the Central Server you want to configure.
- CM Server Port: Denotes the port number of the WAAS central manager. The default port number is 8443.
- CM Server Protocol: The server protocol is either http or https.
- CM Server User Name / Password: Provide the login credentials of the Central Manager you want to configure.
- CM Server Timezone: Mention the current time zone of the Central Manager you want to configure.
- CM Server Certificate Path: Denotes the location of the SSL server certificate.
Now the Central Manager has been configured. Click Update to submit the details of the Central Manager.
Note: In order to obtain the SSL server certificate, open the central manager in the desired browser and click on the identity information of the https URL. Click More Information. In the new pop-up that opens, click View Certificate. In the certificate viewer that opens, s
181. ed

| Feature | Description |
|---|---|
| Historical Trend Reports | Generate daily, weekly, monthly and custom time period bandwidth reports showing peak traffic patterns |
| Bandwidth Usage Reports | View reports showing top applications, top hosts and top conversations using bandwidth |
| | View bandwidth reports per interface showing all details on bandwidth usage for that interface |
| Autonomous Systems Reports | View AS and peering information for routers configured with BGP; useful for service providers |
| NetFlow Devices | Categorize devices exporting NetFlow into logical groups and monitor them exclusively |
| IP Groups | Create departments based on IP addresses, ports, protocols or interfaces and generate specific bandwidth usage reports |
| Application Configuration | Identify most standard applications out of the box and configure custom applications to recognize specific traffic |
| User management | Add users with different privileges, assign device groups and selectively allow access |
| Localized setup | NetFlow Analyzer can be installed and run in Chinese and Japanese languages, with support for more languages being added frequently. Check the website for the latest list of languages localized and also contribute to translation works |
182. eeding Minimum Flux Rate at the source end.

| Problem Name | Description | Class |
|---|---|---|
| Short TCP Syn_Rst Port Scan | (1) Short TCP Syn_Rst flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. (2) Short TCP Syn_Rst flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans / Probes |
| Short TCP Syn_Rst Host Scan | (1) Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. (2) Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans / Probes |
| Short TCP Syn_Rst Diagonal Scan | Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the destination end | Scans / Probes |
of sou
183. ... 32
Configuring NDE on 4000 Series Switches ... 33
Configuring NetFlow for BGP ... 34
Juniper Devices (Cflowd / J-Flow) ... 36
Huawei / 3Com devices (NetStream) ... 37
Configuring NetStream Export ... 37
Nortel ... 38
Configuring IPFIX Export ... 38
sFlow exporting ... 39
sFlow Supported Devices ... 40
Enabling ... 42
GETTING STARTED ... 44
Dashboard ... 45
Dashboard ... 47
Dashboard Device View ... 49
Google ... 56
Various Reports in WAAS ... 57
Medianet Reports ... 64
IP Groups ... 67
Report ... 68
TRAFFIC ... 70
Real-time Traffic ... 71
Top ... 76
AS
184. een created earlier, then an appropriate message is displayed and the user is prompted to create a DSCP group. The bottom of the page lists the Top DSCP IN Traffic as a pie distribution. The time period for which the report is shown can be controlled by using the time selection bar at the top.

TOS
Because the Internet by itself has no direct knowledge of optimizing the path for a particular application or user, the IP protocol provides a facility for upper layer protocols to convey hints to the Internet Layer about how the tradeoffs should be made for a particular packet. This facility is the Type of Service facility, abbreviated as the TOS facility. The TOS facility is one of the features of the Type of Service octet in the IP datagram header. The Type of Service octet consists of three fields. The first 3 bits (0, 1, 2) are for the first field, labeled Precedence, intended to denote the importance or priority of the datagram. The second field, labeled TOS, denotes how the network should make tradeoffs between throughput, delay, reliability and cost. The last field, labeled MBZ (for "must be zero") above, is currently unused. The originator of a datagram sets this field to zero unless participating in an Internet protocol experiment which makes use of that bit. Routers and recipients of datagrams ignore the value of this field. This field is copied on fragmentation.

Specification of the TOS Field
The semantics of the TOS field value
185. elated Documents

| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | Cisco IOS Master Commands List, All Releases |
| Overview of Flexible NetFlow | Cisco IOS Flexible NetFlow Overview |
| Flexible NetFlow Feature Roadmap | Cisco IOS Flexible NetFlow Features Roadmap |
| Emulating original NetFlow with Flexible NetFlow | Getting Started with Configuring Cisco IOS Flexible NetFlow |
| Configuring flow exporters to export Flexible NetFlow data | Configuring Data Export for Cisco IOS Flexible NetFlow with Flow Exporters |
| Configuring flow sampling to reduce the overhead of monitoring traffic with Flexible NetFlow | Using Cisco IOS Flexible NetFlow Flow Sampling to Reduce the CPU Overhead of Analyzing Traffic |
| Configuring Flexible NetFlow using predefined records | Configuring Cisco IOS Flexible NetFlow with Predefined Records |
| Using Flexible NetFlow Top N Talkers to analyze network traffic | Using Cisco IOS Flexible NetFlow Top N Talkers to Analyze Network Traffic |
| Configuring IPv4 multicast statistics support for Flexible NetFlow | Configuring IPv4 Multicast Statistics Support for Cisco IOS Flexible NetFlow |
| Configuration commands for Flexible NetFlow | Cisco IOS Flexible NetFlow Command Reference |

CBQoS
What is CBQoS
186. elect the Details tab and click Export to save the certificate as a .cer file. Now enter the location of this .cer file in the above CM Server Certificate Path text box.
You can configure any number of CMs and manage them using the Manage Devices option. Once configured, the central manager cannot be edited any further.

NetFlow WAE Device Mapping
By mapping the NetFlow router name, we instruct the WAE on which router to monitor. The mapped routers are monitored by the WAE, and NetFlow generates reports on the compressed and uncompressed data.

NetFlow WAE Application Mapping
The applications of the WAE are mapped with NetFlow Analyzer's applications for ease of monitoring and generation of reports. In this way you can view the optimized amount of traffic and the amount of compressed data for each application.

Application Mapping, Application Group, DSCP Mapping and DSCP Group
Application Mapping
The Application Mapping option lets you configure the applications identified by NetFlow Analyzer. You can add new applications, modify existing ones or delete them. Please see the Additional Notes on Application Mapping section to understand this feature more clearly. Also, it is possible to associate an IP address with an application.
Adding an Application
Follow the steps below to add a new application:
1. Click the Add button to add a new application. Enter the
187. ents the percentage of rich media traffic to other traffic in the network. The table below displays the source / destination / application that has sent / received the maximum number of media packets, the volume of media traffic, the maximum, minimum and average jitter values, the number of packets lost and the rate of packet loss. Clicking on the respective source / destination / application will open the detail reports page that lists the traffic details of the source / destination / application selected.

Detail Report
The Detail report provides a complete view of the resource selected. The Media Volume graph is a bar graph that details the volume of media traffic sent / received by a specific resource during the selected time period. It also shows the RTT and Jitter average of the resource selected in the given time period. The table below the graph lists the Source / Destination / Application, Media Packets, Media Volume, RTT, Jitter Max, Jitter Min, Jitter Average, Packets Lost and Packet Lost Rate of the resource.

Admin Operations
NetFlow Analyzer lets you perform many administrative tasks typical of an enterprise network administrator, such as managing a group of routers, handling different users, setting up alerts, etc. Explore the following sections to know more about the administrative options available in NetFlow Analyzer.
Setting | Descri
188. eo operations. That makes it 3: IP SLA VoIP, IP SLA WAN Operations (RTT) and IP SLA Video operations. Every possible kind of SLA verification is now possible with NetFlow Analyzer.

Billing module: Interface grouping is now possible in the billing module. This improves manageability by leaps and bounds.

New Features in Release 9.6 (Feature: Description)
- Advanced Security Analytics Module enhanced: In the enhanced version, source- and destination-based anomaly detection is possible. You can also ignore events for all resources. It also supports IPv6 addressing.
- Multicast Reporting: You can now send packets from one host to a specific group of hosts through multicast.
- Mediatrace On Demand reports: You can now view the path of an IP flow on the go. Get mediatrace reports instantly without any additional configuration.

New Features in Release 9.5: The latest release of NetFlow Analyzer 9.5 can be downloaded from the website at http://www.netflowanalyzer.com/download.html

(Feature: Description)
- Revamped User Interface: The look and feel of NetFlow Analyzer's user interface has been modified for a better user experience.
- Cisco's Medianet technology: Cisco's Medianet is an end-to-end architecture that is capable of analyzing voice, video and data traffic and reporting on loss, latency and jitter, thereby helping you optimize rich media applications.
- Support for AppFlow: A standard for application monitoring and re
189. er of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end. (Class: Scans/Probes)
- Short UDP Grid Scan (Class: Scans/Probes): Short UDP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.
- Short UDP Port Scan Reverse (Class: Scans/Probes): 1. Short UDP flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short UDP flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
- Short UDP Host Scan Reverse (Class: Scans/Probes): 1. Short UDP flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short UDP flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
- Short UDP Diagonal Sca (Class: Scans/Probes): Short UDP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to
190. ertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
- UDP Chargen Echo Broadcasts (Class: DoS/Flash Crowd): UDP flows from Src Port 19 (Chargen) to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Indicates a possible amplification attack on the Src IP.
- UDP Chargen Echo Broadcast Attack (Class: DoS/Flash Crowd): UDP Chargen Echo Broadcast flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.
- UDP Chargen Echo Broadcast Inflood (Class: DoS/Flash Crowd): UDP Chargen Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
- UDP Chargen Echo Broadcast Outflood (Class: DoS/Flash Crowd): 1. UDP Chargen Echo Broadcast flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. UDP Chargen Echo Broadcast flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
- UDP Chargen Echo Broadcast Host Scan (Class: Scans/Probes): 1. UDP Chargen Echo Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. UDP Chargen Echo Broadcast flows from s
191. erver applications. It can analyze & classify application traffic in real time. NBAR is supported in most Cisco switches and routers, and this information is available via SNMP. Click here to view the list of protocols that are recognized by NBAR.

Why do I need NBAR? NBAR, by adding intelligent network classification to your infrastructure, helps ensure that network bandwidth is used efficiently by working with the QoS (Quality of Service) feature. With NBAR, network traffic classification becomes possible, and by this we can know how much of, say, HTTP traffic is going on. Knowing this, QoS standards can be set. Unlike NetFlow, which relies on port & protocol for application categorization, NBAR performs deep packet inspection and allows you to recognize applications that use dynamic ports. The NBAR approach is also useful in dealing with malicious software using known ports to pose as priority traffic, as well as non-standard applications using non-deterministic ports.

How do I enable NBAR? You will first have to check whether your router supports NBAR. Please visit here to know about the platforms & IOS versions that support NBAR. NBAR can be enabled only on those interfaces which are identified by NetFlow Analyzer. If your router supports NBAR, then you will have to enable NBAR on each of the interfaces for which you want to collect NBAR statistics. NBAR can be enabled in two ways:
- Enabling on the device
- Enabling from the N
192. essage "Error in loading PGroup with name grp1 Already exists" in the User Interface. If there is no such file in the directory, you can see the message "<NETFLOW_HOME>/troubleshooting/ipGroup.xml is not found" in the User Interface. After adding the IP group(s), it is possible to selectively include/exclude an IP Network, IP Address or IP Range from the user interface of the product.

Enabling WAN using IP Group Management: IP Group Management lets you monitor departmental, intranet or application-specific traffic exclusively. You can create IP groups based on IP addresses and/or a combination of port and protocol. Now, using IP Group Management, you can also monitor WAN round trip time for a specific IP address or IP range and analyze the latency and quality of service between two locations. In order to enable WAN RTT monitoring using IP Group Management, you need to specify the individual IP address or IP range. You can also monitor range latency between two different sites under the IP group option. The IP address under the specified IP group acts as the destination IP address, while you have to specify the source IP address. Using the Include and Between Sites options, you can monitor WAN performance for individual IP addresses and ranges of IP addresses, but not for IP networks. The added monitor can be viewed under the Traffic tab of IP groups along with the average WAN round trip time details. Click on the check box that reads "Also Enable WAN RTT" to enable WAN RTT monito
193. estination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. (Class: Scans/Probes)
- Short TCP Syn_Ack Host Scan (Class: Scans/Probes): 1. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- Short TCP Syn_Ack Diagonal Scan (Class: Scans/Probes): Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
- Short TCP Syn_Ack Grid Scan (Class: Scans/Probes): Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end.
- Short TCP Syn_Ack Port Scan Reverse (Class: Scans/Probes): 1. Short TCP Syn_Ack flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TC
194. etFlow Analyzer user interface.

Enabling on the device: The following is a set of commands issued on a router to enable NBAR on the FastEthernet 0/1 interface:

router> enable
Password:
router# configure terminal
router-2621(config)# ip cef
router-2621(config)# interface FastEthernet 0/1
router-2621(config-if)# ip nbar protocol-discovery
router-2621(config-if)# exit
router-2621(config)# exit
router-2621# show ip nbar protocol-discovery

Please note that the part in red (the interface and ip nbar protocol-discovery lines) has to be repeated for each interface individually.

Enabling from NetFlow Analyzer User Interface: Alternately, you may check the router's NBAR-supported status and also enable NBAR on the interfaces from NetFlow Analyzer's NBAR Configuration page. The steps to enable from the User Interface are:

1. Under NBAR enabled interfaces: You will first have to enable NBAR on an interface before you can start collecting NBAR data. This step allows you to enable NBAR on the interface. Enabling NBAR on the interface is done through SNMP and requires the SNMP write community.
  1. Use the Click Here link to enable NBAR on interfaces.
  2. Set the SNMP Read Community, SNMP Write Community & the Port in case you want to alter the default parameters. The values given during installation are prepopulated on the screen.
  3. Click on Check Status to see if
195. ewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. TCP Rst flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end. (Class: DoS/Flash Crowd)
- TCP Rst Port Scan (Class: Scans/Probes): 1. TCP Rst flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. TCP Rst flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- TCP Rst Host Scan (Class: Scans/Probes): 1. TCP Rst flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. TCP Rst flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- TCP Rst Diagonal Scan (Class: Scans/Probes): TCP Rst flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
- TCP Rst Grid Sca
196. example: SFlowDisable HpProcurve 161 private. For more information on HP devices, refer to www.hp.com.

Getting Started: Once NetFlow Analyzer has been successfully set up and started in your network, the next thing to do is to start receiving NetFlow exports from routing devices on your network. The Configuring Cisco Devices section contains useful information on how to configure NetFlow export on different Cisco routers and switches. The sFlow section contains useful information on configuring sFlow.

As soon as you log in to the NetFlow Analyzer web client, you will see the Global View (Dashboard View). This view shows you information on interfaces sending NetFlow and sFlow exports, AS info, as well as traffic information for all IP groups created so far. The Dashboard is populated as soon as NetFlow or sFlow data is received from any interface. The Global View is divided into three tabs:
- The Network Snapshot View, which lists the top devices, top interfaces and top IP Groups.
- The Interface View, which lists all the interfaces from which NetFlow or sFlow exports are received.
- The Autonomous System View, which lists all the autonomous systems configured with each router.
From any tab, click the Global View icon to return to the Global View.
197. exceeding Minimum Horizontal Span at the source end. 2. Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. (Short TCP Ack Host Scan Reverse; Class: Scans/Probes)
- Short TCP Ack Diagonal Scan Reverse (Class: Scans/Probes): Short TCP Ack flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end.
- Short TCP Ack Grid Scan Reverse (Class: Scans/Probes): Short TCP Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end.
- Excess Short TCP Fin_Ack Packets (Class: Suspect Flows): TCP flows with nominal payload, i.e. BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 17 (FA), touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied.
- Short TCP Fin_Ack Inflood: 1. Short TCP Fin_Ack flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Ra
198. fServ code points and monitor their traffic in troubleshooting reports under the DSCP tab. Note that the DSCP reports can be viewed on the Troubleshooting page by clicking on the DSCP tab. The DSCP group is very valuable in the deployment of QoS.

Adding a new DSCP Group: Follow the steps below to add a new application group.
1. Click the Add button to proceed to the Add Group screen.
2. Enter the Group Name and the Group Description (e.g. DataBase Group: Contains the Oracle DB and MySQL DB).
3. Choose the DSCP Names from the list of names in the left pane:
  o Select a name by clicking on it.
  o Use the >> button to include the selected DSCP Name in the right pane (Selected DSCP Names list).
  o Add as many DSCP Names as you want to this group.
4. Click on Save for the DSCP Group to be created with the list of DSCP Names you had selected.
You may create additional DSCP Groups by clicking on the Add button and following the above steps.

Modifying a DSCP Group: Select the DSCP Group you wish to modify and click on the Modify button. You can only change the Group description and the list of selected applications. It is not possible to change the DSCP group name. Once you are done, click the Save button to save your changes.

Deleting a DSCP Group: Select the DSCP Group you want to delete and click on the Delete button.

Top Sites: The Top Sites
199. face shows 100% utilization? What information do I need to send to NFA support for assistance? 10. How to safely migrate an NFA installation to a different machine? 11. What do I do if my NFA server becomes slow, or how do I improve my NFA system performance? 12. Why does NFA say the router time is not in SYNC and stop collecting data?

Installation

1. When I try to access the web interface, another web server comes up. How does this happen? During installation, NetFlow Analyzer checks if the selected port is in use by another application. If at that time the other web server was down, it will not get detected. Either disable the other web server, change its server port, or change the NetFlow Analyzer web server port.

2. How can I change the MySQL port in NetFlow Analyzer from 13310 to another port? Edit the mysql-ds.xml file in the server/default/deploy directory. Change the port number in the line jdbc:mysql://localhost:13310/netflow to the desired port number, save the file and restart the server.

3. Can I install and run NetFlow Analyzer as a root user? NetFlow Analyzer can be installed and started as a root user, but all file permissions will be modified and later you cannot start the server as any other user.

4. Is a database backup necessary, or does NetFlow Analyzer take care of this? or How to back up data in NetFlow Analyzer? NetFlow Analyzer includes a database backup utility that you can use to make a backup of th
200. ffic class.

Step 7: Router(config-pmap-c)# police bps burst-normal burst-max conform-action action exceed-action action violate-action action. (Optional) Configures traffic policing.
Step 8: Router(config-pmap-c)# priority {bandwidth-kbps | percent percentage} [burst]. (Optional) Gives priority to a class of traffic belonging to a policy map.
Step 9: Router(config-pmap-c)# queue-limit number-of-packets. (Optional) Specifies or modifies the maximum number of packets the queue can hold for a class configured in a policy map.
Step 10: Router(config-pmap-c)# random-detect [dscp-based | prec-based]. (Optional) Enables Weighted Random Early Detection (WRED) or distributed WRED (DWRED).
Step 11: Router(config-pmap-c)# set atm-clp. (Optional) Sets the cell loss priority (CLP) bit when a policy map is configured.
Step 12: Router(config-pmap-c)# set cos {cos-value | from-field [table table-map-name]}. (Optional) Sets the Layer 2 class of service (CoS) value of an outgoing packet.
Step 13: Router(config-pmap-c)# set discard-class value. (Optional) Marks a packet with a discard-class value.
Step 14: Router(config-pmap-c)# set ip dscp {dscp-value | from-field [table table-map-name]}. (Optional) Marks a packet by setting the differentiated services code point (DSCP) value in the type of service (ToS) byte.
Step 15: Router(config-pmap-c)# set fr-de. (Optional) Changes the discard eligible (DE) bit setting in the address field of a Frame
201. ffic getting double counted. Otherwise, the crypto map interface on which NetFlow is enabled double counts the GRE traffic.

Radius Server Settings: Radius Server (Remote Authentication Dial In User Service) is an AAA (Authentication, Authorization and Accounting) protocol for controlling access to resources in a network. A Radius Server is useful for centralised management of user credential details. It facilitates a single global set of credentials that are usable on many public networks. Once the user roles are defined in the User Management feature of NetFlow Analyzer, subsequent handling of the user profiles can be done from the Radius Server.

Option: Description
- Radius Server IP: The IP address of the Radius Server where credentials are configured.
- Radius Server Authentication Port: The authentication port of the Radius Server.
- Radius Server Protocol: The Radius Server Protocol could be any of PAP, CHAP, MSCHAP, MSCHAP2.
- Radius Server Secret: The Secret refers to the password that is necessary to access the Radius Server.
- Authentication Retries: Authentication Retries can take one of the values 1, 3, 5. This defines the number of times an authentication attempt is allowed.

Storage Settings: NetFlow Raw Data Settings. NetFlow
202. fies the name of a traffic policy (policy-map-name) used as a matching criterion for nesting traffic policies (hierarchical traffic policies) within one another.
Step 20: Router(config-pmap-c)# shape {average | peak} mean-rate [burst-size [excess-burst-size]]. (Optional) Shapes traffic to the indicated bit rate according to the algorithm specified.
Step 21: Router(config-pmap-c)# exit. (Optional) Exits policy-map class configuration mode.

A traffic policy can be nested within another traffic policy using the service-policy command; this is known as a hierarchical traffic policy. The policy which holds another policy is the parent policy, and the nested one is called the child policy.

Sample configuration of a policy with a parent/child relationship:

Router(config)# policy-map child
Router(config-pmap)# class voice
Router(config-pmap-c)# priority 50
Router(config)# policy-map parent
Router(config-pmap)# class class-default
Router(config-pmap-c)# shape average 10000000
Router(config-pmap-c)# service-policy child
Router(config-pmap-c)# exit

User Management: The User Management option lets you manage different users with varying access privileges. You can assign different users to different device groups and IP groups and allow them to manage the assigned groups exclu
203. for longer time periods (up to 2 weeks) to enable increased visibility into traffic data for troubleshooting and alerts.
- Support link: Wide range of options to contact technical support in case of any problems running NetFlow Analyzer.
- Enhanced Router Settings: Specify whether router details need to be fetched based on the IfName, IfAlias or IfDescription value.
- Dashboard View Filter: Filter the Dashboard Interface View to display only those interfaces exceeding specific values of incoming or outgoing traffic.
- Traffic Graph Filters: Filter daily and weekly traffic graphs to show hour-based traffic details.
- Enhanced IP Group Management: Specify interfaces when creating IP groups to further filter traffic details for an IP group.
- Localized Versions: NetFlow Analyzer supports French, German and Spanish along with Chinese and Japanese.

Features in Previous Releases (4.0 to 4.0.2) (Feature: Description)
- Web-based interface: Generate reports and perform administrative tasks from just a web browser.
- Support for NetFlow export versions: As of release 4.0.2, NetFlow Analyzer includes support for NetFlow version 5 and version 7 exports.
- Simply turn on NetFlow: Simply configure NetFlow export on your router or switch and see it automatically added on the Dashboard.
- Real-time Traffic Graphs: View instant graphs of bandwidth utilization per network interface as soon as NetFlow data is receiv
204. formance Monitor, configure many of the same basic elements that you normally configure for Flexible NetFlow: Interface, Policy, Class, Flow monitor, Flow record, Flow exporter.
- Interface: Attach a performance monitor service policy to an interface using the service-policy type performance-monitor command.
- Policy: Create a Performance Monitor policy using the policy-map type performance-monitor command. This command is used to associate the flow monitor and one or more classes with the policy.
- Class: Create one or more classes using the class-map command. This command is used to specify the filtering criteria.
- Flow Monitor: Create a Performance Monitor flow monitor using the flow monitor type performance-monitor command. This command is used to associate a flow record and an optional flow exporter with the flow monitor.
- Flow Record: Create a Performance Monitor flow record using the flow record type performance-monitor command. The flow record is used to specify match and collect fields.
- Flow Exporter: Create a flow exporter using the flow exporter command. The exporter is used to

3. Configuring a Flow Exporter for Cisco Performance Monitor: Flow exporters are used to send the data that you collect with Cisco Performance Monitor to a remote system such as a NetFlow Collection Engine. Flow exporters use the User Datagram Protocol (UDP) as the
205. from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
- UDP Chargen Echo Host Scan (Class: Scans/Probes): 1. UDP Chargen Echo flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. UDP Chargen Echo flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- UDP Chargen Echo Host Scan Reverse (Class: Scans/Probes): 1. UDP Chargen Echo flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. UDP Chargen Echo flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
- Excess UDP Echo Chargen Flows (Class: DoS/Flash Crowd): UDP flows from Src Port 7 (Echo) to Dst Port 19 (Chargen) sent to any unicast IP, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Indicates a possible amplification attack on the Src IP.
- UDP Echo Chargen Inflood: 1. UDP Echo Cha
206. from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end. (Short TCP Handshake Inflood; Class: DoS/Flash Crowd)
- Short TCP Handshake Outflood (Class: DoS/Flash Crowd): 1. Short TCP Handshake flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Handshake flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
- Short TCP Handshake Port Scan (Class: Scans/Probes): 1. Short TCP Handshake flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. Short TCP Handshake flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- Short TCP Handshake Host Scan (Class: Scans/Probes): 1. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Handshake flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- Short TCP: Short TCP Handshake flows from single/multiple source hosts
207. g Minimum Flux Rate at the destination end. (Class: DoS/Flash Crowd)
- Short TCP Psh_Ack Outflood (Class: DoS/Flash Crowd): 1. Short TCP Psh_Ack flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Psh_Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
- Short TCP Psh_Ack Port Scan (Class: Scans/Probes): 1. Short TCP Psh_Ack flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. Short TCP Psh_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- Short TCP Psh_Ack Host Scan (Class: Scans/Probes): 1. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
- Short TCP S
208. [Screenshot residue: Security Analytics dashboard graph with a legend of hosts 192.168.6.160, 192.168.6.143, 192.168.6.128, 192.168.6.118, 192.168.6.117 and Others; Time axis from 09:00 to 14:30; a Problems list; Source Aggregation / Router Aggregation; Flows Processed: 13873368.]

Problem Analysis report: Displays the top problem names and the unique resources involved. It also lists the number of events and the problem caused by a specific resource. The event distribution for each resource is represented as a pie chart. The time distribution graph is a multi-line graph that represents the number of events and resources involved for a specific problem over a given time period.

[Screenshot residue: Problem Analysis report page. Tabs: Dashboards, Interface View, Autonomous System View, WAAS Reports, Problem Glossary, Security Posture, Offenders & Targets, Problem Analysis, Resource Analysis. Flows Processed: 13927141. Top Problems (Show All / Hide All): TCP Rst Port Scan, with columns Resource, Events and Time Distribution (Events, Resources) and a legend of hosts 192.168.6.3, 192.168.6.46, 192.168.6.80, 192.168.6.1, 192.168.6.19, 192.168.6.83, 192.168.6.2, 192.168.6.44, 192.168.6.41, 192.168.6.18 and Others; Time axis from 09:00 to 14:30; further problems listed: Empty TCP Port Scan, TCP Syn_Fin Port Sc]
209. gives you a quick view of all monitors in the network and their corresponding activities. There are three tabs in the WAN Monitor Dashboard, namely Overview, All Monitors and Settings.

Overview: The Overview tab has four widgets that display details on least performing paths, least available paths, time-wise consolidated alerts for top RTT, and a monitor-wise health report. The reports can be viewed from the last hour to the last month. The Overview tab also displays NetFlow Traffic Reports for the source router of the monitor. You can choose the routers by clicking on the dropdown box.
- Least Performing Path: All paths and their delay are displayed in descending order along with their round trip time value, giving you a clear idea about the least performing paths. Here you can view the details of a path by clicking on it.
- Least Available Path: All paths and their availability are displayed in ascending order along with their availability percentage. This gives you an overview of the least available paths.
- Time-wise Consolidated Alert for Top RTT: All paths that have violated the set threshold limits are displayed here along with their severity status and a message indicating the round trip time and the threshold limit.
- Monitor-wise Health Report: This displays the severity status of the monitor on an hourly and daily basis. You can choose the monitor that you want to view from the dropdown box.

All Monitors: The All Monitors tab d
210. has to be done. Policing involves creating a policy that specifies the bandwidth limits for the traffic. Packets that exceed the limits are out of profile, or nonconforming. Each policer specifies the action to take for packets that are in or out of profile. These actions, carried out by the marker, include passing through the packet without modification, dropping the packet, or marking down the packet with a new DSCP value that is obtained from the configurable policed-DSCP map.

Fetching Policy details from the router: Under the QoS Configuration tab, the interfaces that have policies applied on them are displayed along with the router names and the specific IN and OUT policies. To enable the NetFlow Analyzer application to recognize the policies applied at each router level, click on the icon. This invokes a new window with the list of all routers along with their Read Community & Port details. By clicking on Check Status or Check All Status, it is possible to fetch the policy details from the router about each individual interface. Once the policy details have been fetched from the routers, the following message is displayed: "Policy Details Updated". If any policy is not found, the "Not Available" message is displayed.

Polling for CBQoS data: After setting the policies on the router and fetching the policy details, polling can be started. Clic
211. that may not affect other applications can have dramatic effects on video quality. NetFlow Analyzer uses this feature of Cisco's Medianet to report on rich media traffic. It helps you become aware of the volume and quality of media traffic in your network. NetFlow Analyzer reports on the volume of media traffic, round trip time, packet loss and jitter, along with the source, destination or application that is responsible for the media traffic. These reports help you isolate network issues with regard to rich media applications and determine the quality of media traffic.

How do I Enable Cisco Medianet Performance Monitor?
The Cisco Medianet Performance Monitor provides per-flow, per-hop visibility into flow metrics such as packet loss and network jitter for audio and video streams, and packet loss events and round trip times (RTT) for data streams.

1. Prerequisites for Configuring Cisco Performance Monitor
The following prerequisites must be met before you can configure Cisco Performance Monitor:
- The networking device must be running a Cisco IOS release that supports Cisco Performance Monitor.
- IPv4 Traffic:
  o The networking device must be configured for IPv4 routing.
  o Cisco Express Forwarding or distributed Cisco Express Forwarding must be enabled on your router and on any interfaces on which you want to enable Cisco Performance Monitor.

2. Configuration Components of Cisco Performance Monitor
To configure Cisco Per
212. the compressed and uncompressed data.

NetFlow WAE Application Mapping
The applications of WAE are mapped to NetFlow Analyzer's applications for ease of monitoring and generation of reports. This way you can view the optimized amount of traffic and the amount of compressed data for each application.

3. Reports in WAAS
WAAS Central Manager Reports
WAAS reports give you details on the central manager you have created and the devices associated with it. You can access WAAS reports using the Modules tab: select Cisco WAAS from the Modules tab. You can view the reports on an hourly, daily, weekly or monthly basis, along with custom reports. The Accelerator Group gives you the list of WAAS Accelerator Engines grouped together for easy identification. You can also view their reduction percentage, status and a brief description of the group. You can also view the top 10 WAEs by compression percentage as a pie chart. The report displays WAN, LAN and compressed traffic along with the reduction percentage. The WAE Devices List displays all the devices listed in the WAN Accelerator Engine. The top ten devices are listed first; you can locate devices using the simple search option by specifying the name, IP address, status, location or MAC address of the device. By clicking on the device name, you can view the WAE Reports.

WAE reports
You can view the
213. the table below. Click the Reset button to turn the filter off and switch to the regular traffic graphs.

95th Percentile
The 95th percentile is the number that is greater than 95% of the numbers in a given set. The reason this statistic is so useful in measuring data throughput is that it gives a very accurate picture of the maximum traffic generated on an interface. This is a standard measure that is used for interpreting performance data. The 95th percentile is the highest value left when the top 5% of a numerically sorted set of collected data is discarded. It is used as a measure of the peak value once a fair amount has been discounted for transitory spikes. This makes it markedly different from the average. The following example will help you understand it better. Consider that the data collected for CPU utilization is 60, 45, 43, 21, 56, 89, 76, 32, 22, 10, 12, 14, 23, 35, 45, 43, 23, 23, 43, 23 (20 points). This list is sorted in descending order and the single top value, 89, is discarded. Since 1 constitutes 5% of 20, we discard 1 value in this case. The highest value in the remaining list, 76, is the 95th percentile.

Selectable Graph
NetFlow Analyzer brings you the added advantage of drilling down into the traffic graphs presented. As you hover the mouse over the plot area, you can see a cross-hair icon. Click on an area of the graph and, holding the mouse down, drag
214. Short TCP Psh_Ack Diagonal Scan | Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans/Probes
Short TCP Psh_Ack Grid Scan | Short TCP Psh_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans/Probes
Short TCP Psh_Ack Port Scan Reverse | 1. Short TCP Psh_Ack flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Short TCP Psh_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Short TCP Psh_Ack Host Scan Reverse | 1. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Short TCP Psh_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and
215. ... Scan | ...hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. TCP Urg flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
TCP Urg Diagonal Scan | TCP Urg flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans/Probes
TCP Urg Grid Scan | TCP Urg flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans/Probes
TCP Urg Port Scan Reverse | 1. TCP Urg flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. TCP Urg flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
TCP Urg Host Scan Reverse | 1. TCP Urg flows from multiple source hosts to single/multiple | Scans
216. traffic policy should be applied either to packets coming into the interface or to packets leaving the interface. The service-policy command syntax is as follows:

service-policy {input | output} policy-map-name
no service-policy {input | output} policy-map-name

Procedure
To attach a traffic policy to an interface, perform the following steps.

Note: Depending on the platform and Cisco IOS release you are using, a traffic policy can be attached to an ATM permanent virtual circuit (PVC) subinterface, a Frame Relay data-link connection identifier (DLCI), or another type of interface.

Command or Action | Purpose
Step 1: Router> enable | Enables privileged EXEC mode.
Step 2: Router# configure terminal | Enters global configuration mode.
Step 3: Router(config)# interface serial | Configures an interface type and enters interface configuration mode.
Step 4: Router(config-if)# service-policy [type access-control] {input | output} policy-map-name | Attaches a policy map to an input or output interface.
Step 5: Router(config-if)# exit | (Optional) Exits interface configuration mode.

Note: Multiple traffic policies on tunnel interfaces and physical interfaces are not supported if the interfaces are associated with each other. For instance, if a traffic policy is attached to a tunnel interface while another traffic policy is attached to a physical interface with which the tunnel interface is associated, only the traffic policy on the tunnel inte
217. application. Add the combination as a new application in the same popup and click Update to update the Application Mapping list with the

Managing IP Groups
Click the IP Group Management link in the Admin Operations box to view the list of IP groups created so far. The current status of each IP group is also shown as Enabled or Disabled. Select the IP group that you want to modify and click the Modify button to edit its settings. Once you are done, click Add to save and activate the new changes. To change an IP group's status from Enabled to Disabled or vice versa, click on the current status of the IP group. It is possible to enable or disable all the IP groups at once by using the Enable All and Disable All buttons. To delete an IP group, select the IP group and click the Delete button. Deleting an IP group removes it from the list of managed IP groups. All users assigned to this IP group will no longer see it listed on their Dashboard.

Note: Unmanaging an IP group will lead to bill generation for that IP group if it has been selected for billing.

Bulk loading IP Groups
NetFlow Analyzer allows bulk loading of IP groups using the XML file ipGroup.xml contained in the location AdventNet/ME/NetFlow/troubleshooting. Using this file, it is possible to define multiple IP groups at once. A sample configuration looks like:

<IPGroups ip_group_name="Engineering" ip_group_desc="description
218. ig.bat to back up the data available in the MySQL database and wait till the data backup is completed. By default, the backup file will be stored under the <NetFlow Analyzer Home>/backup directory with a file name like BackupConfig_NFA_<Build_Number>_MM_DD_YYYY_hh_mm.data.
3. From the installed MS SQL Server, copy the files bcp.exe and bcp.rll to the <NetFlow Analyzer Home>/bin folder.
4. Invoke <NetFlow Analyzer Home>/bin/changeDBServer.bat to configure the MS SQL Server credentials such as ServerName, Port, UserName and Password.
5. The Database Setup Wizard pops up.
6. In the wizard screen, select Server Type as SQL Server. Available SQL Server instances are listed in a combo box. Enter the Host Name and Port of the SQL Server from the instances. NetFlow Analyzer will work only with the default instance.
7. Select the authentication type using the Connect Using options.
8. The options are:
   a. Windows Authentication: For Windows Authentication, enter the Domain Name, User Name and Password. Ensure that both the NetFlow Analyzer server and the SQL Server are in the same domain and logged in with the same Domain Administrator account.

[Screenshot: Database Setup dialog showing Server Type (SQL Server), Host Name, Port (1433), Available SQL Server Instances, Database (netflow) and Connect Using (Win...) fields]
219. igure and install the NetFlow Analyzer server with SQL Server as the database are given below.
1. From the installed MS SQL Server, copy the files bcp.exe and bcp.rll to the <NetFlow Analyzer Home>/bin folder.
2. Invoke <NetFlow Analyzer Home>/bin/changeDBServer.bat to configure the MS SQL Server credentials such as ServerName, Port, UserName and Password.
3. The Database Setup Wizard pops up.
4. Please check if the TCP/IP ports are turned on. In case they are not, please enable TCP/IP.

[Screenshot: SQL Server Configuration Manager, SQL Server 2005 Network Configuration > Protocols for SQLEXPRESS: Shared Memory Enabled, Named Pipes Enabled, TCP/IP Enabled, VIA Disabled]

5. In the wizard screen, select Server Type as SQL Server. Available SQL Server instances are listed in a combo box. Enter the Host Name and Port of the SQL Server from the instances. NetFlow Analyzer will work only with the default instance. Select the authentication type using the Connect Using options. The options are:
   a. Windows Authentication: For Windows Authentication, enter the Domain Name, User Name and Password. Ensure that both the NetFlow Analyzer server and SQ
220. imum-mask mask | protocol | source address prefix minimum-mask mask
1. match ipv4 source address
2. match ipv4 destination address
3. match transport source-port
4. match transport destination-port
5. collect routing forwarding-status
6. collect ipv4 dscp
7. collect ipv4 ttl
8. collect ipv4 source mask
9. collect ipv4 destination mask
10. collect transport packets expected counter
11. collect transport packets lost counter
12. collect transport packets lost rate
13. collect transport round-trip-time
14. collect transport event packet-loss counter
15. collect transport rtp jitter mean
16. collect transport rtp jitter minimum
17. collect transport rtp jitter maximum
18. collect interface input
19. collect interface output
20. collect counter bytes
21. collect counter packets
22. collect timestamp interval
23. collect application media bytes counter
24. collect application media bytes rate
25. collect application media packets counter
26. collect application media packets rate
27. collect application media event
28. collect monitor event
29. end

5. Configuring a Flow Monitor for Cisco Performance Monitor
The basic concepts for configuring a flow monitor for Cisco Performance Monitor are the same as for flow monitors in Flexible NetFlow. Each flow monitor has a separate cache assigned to it and requires a record to define the contents and layout of its cache entries.
221. in as Operator or Guest. For Admin users, the password can be changed from the User Management page itself. Enter the new password, confirm it and click the Update button to save your changes.

Note: Enter the new password when you next log in to NetFlow Analyzer. Your present session will not be terminated until you explicitly log out or your session expires.

Add-ons
NetFlow Analyzer Add-on
NetFlow Analyzer offers add-on features for specific monitoring and management needs. Add-ons from NetFlow Analyzer are enabled on applying a registered license.
- IPSLA
  The Cisco IOS IPSLA feature gives network administrators the ability to analyze performance metrics of IP applications and services over the Internet and other remote connectivity links. Users can ensure application delivery based on the statistics provided by Cisco IPSLA. NetFlow Analyzer currently provides the following reports based on Cisco IPSLA:
  o VoIP Monitoring: Cisco IPSLA-based VoIP monitoring allows users to test their links' ability to carry voice traffic. The VoIP monitor can report on jitter, latency and packet loss for voice traffic on the links, as well as give a Mean Opinion Score (MOS) report about the transmission.
  o WAN RTT Monitoring: Cisco IPSLA-based WAN RTT allows users to test their links for the ability to carry data traffic. The WAN RTT feature reports on latency SLA
222. in bytes.
Base Cost | Select the currency from the drop-down box and enter the cost.
Additional Volume | Enter the additional volume in bytes.
Additional Cost | Enter the cost for additional usage.
Data transfer calculation | Select one of the three options from the drop-down box. Selecting Download will take only downloaded data for billing. Selecting Upload will take only uploaded data for billing. Selecting Download & Upload will take both uploaded and downloaded data for billing.
Alert | Checking this box will activate threshold-based alerting. This will send alerts if the user-specified threshold value has been exceeded.
Billing Period | Lets you select the option as quarterly or monthly. In case you select the billing plan as quarterly, the bill will be generated quarterly on the date you specify in the Bill Generation Date option. In case you select the billing plan as monthly, the bill will be generated on a monthly basis on the date you specify in the Bill Generation Date option.
Bill Generation Date | Enter the date on which you want the bill to be generated, either on a monthly basis or a quarterly basis.
Associated To (optional field) | This has the list of routers, interfaces and IP groups. You can select the interfaces and/or the IP groups that are associated with this plan. All other fields are mandatory.

Note: Once an interface/IP group is added to one bill plan, the specific interface/IP Gr
223. in detail" ip_group_speed="1000000">
<GrpIPAddress addr_id="12.12.12.12" flag="include"/>
<GrpIPNetwork netmask_addr_id="255.255.255.0" network_addr_id="12.12.13.0" flag="include"/>
<GrpIPRange netmask_addr_id="255.255.255.0" start_addr_id="12.12.14.1" end_addr_id="12.12.14.100" flag="exclude"/>
<ApplicationNames port="80" protocol="TCP"/>
<Selected_Devices>
<Router Router_Name="192.168.111.113">
<Interface interface_name="IfIndex1"/>
<Interface interface_name="IfIndex3"/>
</Router>
</Selected_Devices>
</IPGroups>

Within this configuration it is possible to have any number of GrpIPAddress, GrpIPNetwork, GrpIPRange or ApplicationNames elements together with interface selection. It is also possible to add specific criteria or exceptions to the group definition, such as configuring an IP group with just one network, with just one address, with just one range, or with just a port and protocol. The user has to ensure that an IP group with the same name does not already exist and that the IP group name does not exceed 50 characters. If all the IP groups are loaded successfully, you can see the message "All ipgroups are succesfully loaded" in the user interface. If you try to load the same IP groups twice, you can see the m
224. ination end | DoS/Flash Crowd
Short UDP Outflood | 1. Short UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end | DoS/Flash Crowd
Short UDP Port Scan | 1. Short UDP flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Short UDP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes

Problem Name | Description | Class
Short UDP Host Scan | 1. Short UDP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Short UDP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
Short UDP Diagonal Scan | Short UDP flows from single/multiple source hosts to multiple destination hosts where the numb | Scans
225. single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end
UDP Chargen Echo Broadcast Host Scan Reverse | 1. UDP Chargen Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. UDP Chargen Echo Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
UDP Echo Chargen Broadcasts | UDP flows from Src Port 7 (Echo) to Dst Port 19 (Chargen) sent to a Broadcast/Multicast IP, touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Indicates a possible amplification attack on the Src IP | DoS/Flash Crowd
UDP Echo Chargen Broadcast Attack | UDP Echo Chargen Broadcast flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end | DoS/Flash Crowd
UDP Echo Chargen Broadcast Inflood | UDP Echo Chargen Broadcast flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end | DoS/Flash Crowd
UDP Echo | 1. UDP Echo Chargen Broadcast flows from fewer source hosts to | DoS
226. Malformed TCP Port Scan | ...single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Malformed TCP flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
Malformed TCP Host Scan | 1. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Malformed TCP flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
Malformed TCP Diagonal Scan | Malformed TCP flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts = ports = endpoints) | Scans/Probes
Malformed TCP Grid Scan | Malformed TCP flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the destination end | Scans/Probes
Malforme
227. ion.
Note: For more information on configuring NDE on Catalyst 6000 Series switches, refer to Cisco's documentation.

Configuring NDE on a Native IOS Device
To enable NDE on a Native IOS device, enter the configure mode on the Supervisor Engine and follow the instructions for an IOS device. Then issue the following commands to enable NDE.

Configuring NDE
Enter privileged mode on the Supervisor Engine and issue the following commands to enable NDE:

Command | Purpose
mls nde sender version 7 | Sets the export version. Version 7 is the most recent full export version supported by switches.
set mls aging long 64 | Breaks up long-lived flows into 1-minute fragments. This ensures that traffic graphs do not have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.
set mls aging normal 32 | Ensures that flows that have finished are periodically exported. A lower value may result in NetFlow Analyzer reporting traffic levels that are too low.

In order to put interface and routing information into the NetFlow exports, issue the following commands depending on the Supervisor Engine:

Switch Configuration | Lowest IOS MSFC Level | Commands
Sup2 or 720 | 12.1(13)E | mls flow ip interface-full
Sup1 | 12.1(13)E | set mls flow ip full

Note: This information is n
228. ion device. When monitoring latency over VoIP, the delay measured is the time taken for a caller's voice at the source site to reach the other caller at the destination site. Network latency contributes to delay in voice transmission, resulting in large gaps in the conversation and interruptions.

Round Trip Time: Round trip time is the time taken for a packet to reach the destination and come back to the source device. The total time it takes for the round trip is measured in milliseconds.

MOS: The Mean Opinion Score is the key quality indicator of VoIP traffic quality, and is measured on a scale of 1 to 5 (poor to excellent quality).

6. What is a VoIP codec?
Codecs (Coder/Decoder) serve to encode voice and video data for transmission across IP networks. The compression capability of a codec saves network bandwidth, so it is important that you choose the correct codec for your IP network. Here is a quick reference to the codecs with the corresponding packet size and bandwidth usage:

Codec & Bit Rate (Kbps) | Operation Frequency | Default number of packets | Voice Payload Size | Bandwidth MP or FRF.12 (Kbps) | Bandwidth w/cRTP MP or FRF.12 (Kbps) | Bandwidth Ethernet (Kbps)
G.711 a/u (64 kbps) | 60 msecs by default (you can specify in the range of 0-604800) | 1000 RTP | 160 bytes | 82.8 kbps | 67.6 kbps | 87.2 kbps
G.729 (8 kbps) | msecs | 1000 RTP | 20 bytes | 26.8 kbps | 11.6 kbps | 31.2 kbps

7. How m
229. ion hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Empty TCP Host Scan Reverse | 1. Empty TCP flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. Empty TCP flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
Empty TCP Diagonal Scan Reverse | Empty TCP flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts = ports = endpoints) | Scans/Probes
Empty TCP Grid Scan Reverse | Empty TCP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span and Minimum Occupancy at the source end | Scans/Probes
Excess Short TCP Ack Packets (Short TCP Ack Inflood) | TCP flows with nominal payload, i.e. BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equal to 16 (A, denoting TCP Ack), touching or exceeding the Upper Limit and none of the following deri
230. ion ports = destination end points) | Diagonal Scan
Minimum Aspect Ratio | 1. Minimum source hosts per destination port (Host Scan). 2. Minimum source ports per destination host (Port Scan)
Minimum Occupancy | Minimum spread of destination end points in an event. Occupancy = destination End Points / (destination Hosts x destination Ports) | Host Scan, Port Scan, Grid Scan
Minimum Flux Rate | Minimum hits per destination end point | Inflood
Minimum Convergence | Minimum destination hosts per destination hosts | Inflood

The table below lists the anomalies detected by the Advanced Security Analytics Module.

Anomaly | Description
Attack | Flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end
Inflood | Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end
Outflood | 1. Flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end
Port Scan | 1. Flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Flows from single/multiple source hosts to fewer destination hosts on multiple destinati
231. Configuring MSSQL Database
NetFlow Analyzer lets you configure and use an MSSQL database.

Product Limitations
- Configuring an MSSQL database can take place only if the product is installed on a Microsoft Windows operating system.
- NetFlow Analyzer does not support the following:
  o Automatic deletion of the oldest raw data when free disk space goes below the user-defined value.
  o Email alert generation when free disk space goes below the user-defined value.

The steps to configure and install the NetFlow Analyzer server with SQL Server as the database are given below.
1. From the installed MS SQL Server, copy the files bcp.exe and bcp.rll to the <NetFlow Analyzer Home>/bin folder.
2. Invoke <NetFlow Analyzer Home>/bin/changeDBServer.bat to configure the MS SQL Server credentials such as ServerName, Port, UserName and Password.
3. The Database Setup Wizard pops up.
4. Please check if the TCP/IP ports are turned on. In case they are not, please enable TCP/IP.

[Screenshot: SQL Server Configuration Manager, SQL Server 2005 Network Configuration > Protocols for SQLEXPRESS: Shared Memory Enabled, Named Pipes Enabled, TCP/IP Enabled, VIA Disabled]

5. In the wizard screen, select Server Type as SQL Server. Available SQL Se
232. iple destination hosts exceeding Minimum Flux Rate at the source end
ICMP Port Unreachable Host Scan | 1. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. ICMP Port Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end | Scans/Probes
ICMP Port Unreachable Host Scan Reverse | 1. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP Port Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end | Scans/Probes
ICMP Protocol Unreachables | ICMP Protocol Unreachable flows with Dst Port value equal to 770 (Protocol Unreachable), touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped | DoS/Flash Cr
233. displays all the available paths that are being monitored. By clicking the path name, you can view path and threshold details along with NetFlow Traffic reports of the routers. The graphs indicate the threshold violation percentage, error percentage and round trip time. You can also add, remove and view the history of the monitors created so far using the All Monitors tab.

Settings
The Settings tab helps you configure WAN settings and add devices that need to be monitored. It has three tabs, namely Add Monitor, Test Parameters and Threshold Template. You can also add a device by entering the SNMP parameters of the router.

Add Monitor: This tab helps you add a new monitor by specifying the name, source IP, source router and destination IP.
Test Parameters: Here you can customize your test packet's payload, type of service, frequency and time-out value, and use it to test links in the network.
Threshold Template: You can set upper and lower threshold limits for the round trip time. Alerts are generated when these threshold limits are violated.

2. Configuring a new WAN RTT monitor
2.1 Prerequisite
The WAN RTT Monitor uses Cisco IOS IP Service Level Agreements (SLAs) to monitor latency between two locations; therefore either of the locations monitored using WAN RTT monit
234. it to the point time period you wish to drill down to further. For example, having chosen a Last Week report, you could choose to study two specific days by selecting them. You can keep drilling down as long as the time period you have chosen is more than 1 minute. Click on the reset graph link to be taken to a time period that depends on the time difference between the From time and the system time. Illustration: If you choose the Last Hour Report at 18:15 hours, then a graph with a plot of data from 17:15 to 18:15 is shown. If you then choose the time period 17:25 to 17:50, a corresponding graph with 1 Minute Average is shown. When you click on the reset graph link, the screen changes to the Last Hour report, as the time difference between the From Time (17:25) and the system time (18:20) is less than 1 hour. Thus, depending on the time difference, you are taken to either the Last Hour, Last Day, Last Week, Last Month or Last Quarter graph. WAN RTT Monitor: The WAN RTT monitor that is configured using IP group management can be viewed here. The graph shows the average round trip time of the IP group created; the dial is also a representation of the average RTT. The detailed statistics of the monitor can be viewed using the WAN RTT monitor module. Top Applications: The Applications tab displays all the applications that pass through a specific interface for a selected
235. Flexible NetFlow and NBAR integration: If a router supports Flexible NetFlow (FNF), then the NBAR data can be collected without polling. To do so: 1. Go to the interface from NetFlow Analyzer. 2. Click on the NBAR tab for that interface. 3. In the NBAR tab, click on the FNF radio button. Configuring Flexible NetFlow for Network Based Application Recognition: The FNF NBAR feature is enabled by configuring an additional application name field in the flow record configuration sub-mode. This may be configured as a key field under the match keyword or as a non-key field under the collect keyword: Router(config-flow-record)# match application name. The flow record is then configured in flow monitors, and the flow monitors are configured on interfaces, as usual for Flexible NetFlow. Example: The following example uses Network Based Application Recognition (NBAR) to create different flows for each application seen between any two IP hosts, by applying a flow monitor having a flow record that collects the application name as a key field. This sample starts in global configuration mode:
    flow record rm_1
     match application name
     match ipv4 source address
     match ipv4 destination address
     collect interface input
     collect interface output
     collect counter packets
    flow monitor mm_1
     record rm_1
    interface FastEthernet0/0
     ip address 172.16.2.2 255.255.255.0
     ip flow monitor mm_1 input
    end
    Flexible Netflow R
236. ive in the network, it becomes increasingly important to consider the impact of video on the network. Before going for new video end points, it is important to assess the video handling capabilities of the network. This can be done by means of simulation, which involves creating a situation in which the network is subjected to conditions similar to carrying real-time video traffic. The results help in assessing the performance of video traffic and in baselining performance-based requirements for deploying video. The networking landscape is changing quite dynamically; this makes constant assessment a necessity in order to fulfil the ever-growing demands on the network. IP SLA Video operations act as a stress tester on the network: one can validate the effect of rich media applications on the performance of other applications on the network. This goes a great way in ensuring that the network can handle video traffic smoothly and effectively. Benefits: IP SLA video operations offer the following benefits. Understand IP service levels: By monitoring some critical parameters, it is possible to understand the different IP service levels in the network. Increase Productivity: A network that offers the best service levels has a direct impact on productivity levels, since the ultimate purpose of implementing voice and video applications is to improve productivity. Lower Operational Costs: Applications with best-in-class servic
237. k flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end (DoS/Flash Crowd). 1. Short TCP Syn_Ack flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end; 2. Short TCP Syn_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end (Scans/Probes). Short TCP Syn_Ack Host Scan (Scans/Probes): 1. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end; 2. Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Short TCP Syn_Ack Diagonal Scan (Scans/Probes): Short TCP Syn_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal
238. k flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. UDP Snork Host Scan Reverse (Scans/Probes): 1. UDP Snork flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end; 2. UDP Snork flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Excess UDP Chargen Echo Flows (DoS/Flash Crowd): UDP flows from Src Port 19 (Chargen) to Dst Port 7 (Echo) sent to any unicast IP touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Indicates a possible amplification attack on the Src IP. UDP Chargen Echo Inflood (DoS/Flash Crowd): 1. UDP Chargen Echo flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end; 2. UDP Chargen Echo flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. UDP Chargen Echo Outflood (DoS/Flash Crowd): 1. UDP Chargen Echo flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end; 2. UDP Chargen Echo flows
239. k on the Modify Interfaces button to select/unselect the interfaces on which polling has to be done. The Polling Parameters, namely Polling Interval and Time Out, can also be modified. The Polling Interval can take any value from 5, 10, 15, 25, 30 or 60; Time Out can take the values 5, 10 or 15. After selecting/unselecting the list of interfaces on which polling has to be done, and after the Polling Parameters have been set, click on Update to start the polling action. Creating a traffic class: To create a traffic class, use the class-map command. The syntax of the class-map command is as follows: class-map [match-any | match-all] class-name, and no class-map [match-any | match-all] class-name. The match-all and match-any keywords: The match-all and match-any keywords need to be specified only if more than one match criterion is configured in the traffic class. The match-all keyword is used when all of the match criteria in the traffic class must be met in order for a packet to be placed in the specified traffic class. The match-any keyword is used when only one of the match criteria in the traffic class must be met in order for a packet to be placed in the specified traffic class. If neither the match-all nor the match-any keyword is specified, the traffic class behaves in a manner consistent with the match-all keyword. About the match not command: The match not command, rather than identifying the specific match parameter to use as a match criterion, i
240. lash Rate at the destination end (DoS/Flash Crowd); 2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. UDP Echo Response Outflood (DoS/Flash Crowd): 1. UDP Echo Responses from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end; 2. UDP Echo Responses from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. UDP Echo Response Port Scan (Scans/Probes): 1. UDP Echo Responses from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end; 2. UDP Echo Responses from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. UDP Echo Response Host Scan (Scans/Probes): 1. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end; 2. UDP Echo Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. UDP Echo Res (Scans): UDP Echo Responses from single/multiple source hosts to multiple
241. last month. Time Period | Traffic Tab | Application, Source, Destination and Conversation: Last 30 days: hourly granularity | 6 hour granularity. Less than 24 hour interval: 1 minute granularity | hourly granularity. Less than 2 hour interval: 1 minute granularity | 1 minute granularity (if no raw table is available, goes to hourly granularity). Reports for last quarter. Time Period | Traffic Tab | Application, Source, Destination and Conversation: Last quarter: 24 hour granularity | 24 hour granularity. Less than 24 hour interval, beyond last 30 days: 1 minute granularity | 24 hour granularity. How do I reset the admin password? Please ensure that the server is running before doing the steps below. 1. Open a command prompt. 2. Go to the mysql/bin directory. 3. Type mysql -u root --port=13310. 4. Type use netflow. 5. Execute the following query: update AaaPassword, AaaLogin, AaaAccount, AaaAccPassword set AaaPassword.PASSWORD='0k6 FqR5WtJY5UCLrnvjQQ', AaaPassword.SALT='12345678' where AaaLogin.LOGIN_ID=AaaAccount.LOGIN_ID and AaaAccount.ACCOUNT_ID=AaaAccPassword.ACCOUNT_ID and AaaPassword.PASSWORD_ID=AaaAccPassword.PASSWORD_ID and AaaLogin.NAME='admin'; 6. Type quit to quit mysql. 7. Type exit to exit the command prompt. 8. Login as admin/admin. You can change the password again if you wish. 2. How are ports assigned as applications in NetFlow Analyzer? A: Net
242. le source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. ICMP Network Unreachable Outflood (DoS/Flash Crowd): 1. ICMP Network Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end; 2. ICMP Network Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. ICMP Network Unreachable Host Scan (Scans/Probes): 1. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end; 2. ICMP Network Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. ICMP Network Unreachable Host Scan Reverse (Scans/Probes): 1. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end; 2. ICMP Network Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Bad Src/Dst ICMP Parameter: ICMP Parameter Problem flows with Dst Por
243. lick on the Protocol Distribution link to see the top protocols for the selected interface or IP group in a new window. Choose between IN and OUT to display the protocol-wise distribution of incoming or outgoing traffic respectively. This report sorts traffic based on the protocol used, while the Application IN/OUT Report sorts traffic based on the application, i.e. the combination of port and protocol. Click on a protocol's name to see the Top Conversations that used this protocol. The Show box above this table lets you choose how many applications need to be displayed; you can set the maximum value for this option from the Settings page. The pie chart below this table shows what percentage of bandwidth is being used by each protocol. The icon above the pie chart lets you see the pie chart enlarged in a new window. From here you can export the report as a PDF/CSV file or email the report by going to the Actions button on top and selecting as per your requirement. Support for Internet Protocol Version 6 (IPv6): IP version 6 (IPv6) is a new version of the Internet Protocol designed as the successor to IP version 4 (IPv4). IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. NetFlow Analyzer now offers support for IPv6. You can view the raw data records for the last two hours in IPv6 format, since the IPv6 addressing format is yet to be adopted by mo
244. lick the Update button to create this device group and begin generating traffic reports for it. Managing a Device Group: Select an existing device group and click the Modify button to modify its properties. You can change all properties of the device group except its name. Once you have made changes to the properties of this device group, click the Update button to save your changes. Select an existing device group and click the Copy button to copy its settings. This is useful when you need to create a new device group that includes the same routers as this device group; it saves you the trouble of adding the routers all over again. Then follow the same steps as those for creating a new device group. Select a device group and click the Delete button to delete the device group. When a device group is deleted, it is removed from the Device Group List and the Device Group menu, and users assigned to this device group will no longer see it on their Dashboard. Interface Group: Interface Group allows you to combine interfaces in order to monitor traffic. This can be useful for grouping multiple sub-interfaces into a single logical entity. Follow the steps below to create a new interface group: 1. Click the Interface Group tab next to the Device Group tab. 2. Enter a name to identify the interface group in the Interface Group Name box. 3. Use the Interface group speed box to enter the speed limit for the interface group.
245. licy. The syntax of the class command is as follows: class class-name, and no class class-name. For the class-name argument, use the name of the class you created when you used the class-map command to create the traffic class (Step 3 of the Creating a Traffic Class section). After entering the class command, you are automatically in policy-map class configuration mode, which is the mode used for enabling the specific QoS features. Procedure: To create a traffic policy (or policy map) and enable one or more QoS features, perform the following steps. This procedure lists many of the commands you can use to enable one or more QoS features; for example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would use the bandwidth command. Not all QoS features are available on all platforms or in all Cisco IOS releases; for the features and commands available to you, see the Cisco IOS documentation for your platform and the version of Cisco IOS software you are using. Configuration Steps (Command or Action | Purpose): Step 1: Router> enable | Enables privileged EXEC mode. Step 2: Router# configure terminal | Enters global configuration mode. Step 3: Router(config)# policy-map policy-name | Creates or specifies the name of the traffic policy and enters policy-map configuration mode. Step 4: Router(config-pmap)# class {class-name | class-default} | Specifies the name of a traffic class previously
246. load on your server if you poll a large number of interfaces. The Time Out value needs to be set higher in case your routers are at remote locations. After NBAR has been enabled on selected interfaces, polling can be started on those interfaces. Start Polling: Polling can be done on those interfaces on which NBAR has been enabled earlier. Do the following to start polling on an interface. 1. Under Polling for NBAR data: (1) Use the click here link to invoke the screen which lists the NBAR-enabled interfaces. (2) Select the interfaces on which you want to do polling. (3) Set the Polling Parameters: the Polling Interval and the Time Out. The Polling Interval decides the frequency at which the NetFlow Analyzer server will poll the device; the Time Out is the amount of time for which the NetFlow Analyzer server waits for the SNMP response from the device. (4) Click Update to update the Polling Parameters. Stop Polling: Polling can be stopped on those interfaces by following these steps. 1. Under Polling for NBAR data: (1) Use Modify Poll Parameters to invoke the screen which lists the already polled interfaces, with the check box selected and the Polling Status set as Polling. (2) Unselect the interfaces on which you want to stop polling. (3) Click Update to stop polling. The default NBAR data storage period is 2 months. You
248. mber end (hosts/ports/endpoints). Short TCP Syn_Rst Grid Scan Reverse (Scans/Probes): Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. TCP Fin Violations (Suspect Flows): TCP flows with TCP Flags value IN (1 = F, 5 = RF) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. TCP Fin Attack (DoS/Flash Crowd): TCP Fin flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. TCP Fin Inflood (DoS/Flash Crowd): TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. TCP Fin Outflood (DoS/Flash Crowd): 1. TCP Fin flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end; 2. TCP Fin flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. TCP Fin Port Scan (Scans): 1. TCP Fin flows from single/multiple source hosts to a single destination host on multiple destination ports
249. multiple destination hosts exceeding Minimum Flux Rate at the source end. TCP Syn Port Scan (Scans/Probes): 1. TCP Syn flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end; 2. TCP Syn flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. TCP Syn Host Scan (Scans/Probes): 1. TCP Syn flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end; 2. TCP Syn flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. TCP Syn Diagonal Scan (Scans/Probes): TCP Syn flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts/ports/endpoints). TCP Syn Grid Scan: TCP Syn flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Sp
250. n TCP Rst flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end (Scans/Probes). TCP Rst Port Scan Reverse (Scans/Probes): 1. TCP Rst flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end; 2. TCP Rst flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. TCP Rst Host Scan Reverse (Scans/Probes): 1. TCP Rst flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end; 2. TCP Rst flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. TCP Rst Diagonal Scan Reverse (Scans/Probes): TCP Rst flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of
251. n Reverse: Minimum Vertical Span at the source end; 2. UDP Echo Request Broadcast flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. UDP Echo Request Broadcast Host Scan Reverse (Scans/Probes): 1. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end; 2. UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. UDP Echo Request Broadcast Diagonal Scan Reverse (Scans/Probes): UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts/ports/endpoints). UDP Echo Request Broadcast Grid Scan Reverse (Scans/Probes): UDP Echo Request Broadcast flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum V
252. n Reverse: the number of distinct source ports, which is also equal to the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts/ports/endpoints). Short UDP Grid Scan Reverse (Scans/Probes): Short UDP flows from multiple source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end. Malformed UDP Packets (Suspect Flows): UDP flows with BytePerPacket less than the minimum of 28 octets (bytes) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Malformed UDP Attack (DoS/Flash Crowd): Malformed UDP flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. Malformed UDP Inflood (DoS/Flash Crowd): Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. Malformed UDP Outflood (DoS/Flash Crowd): 1. Malformed UDP flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end; 2. Malformed UDP flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate. Malformed UDP Port Scan
253. n in the event list report. Threshold Settings: Allows you to set threshold values for an algorithm. Click Threshold Settings and set the upper threshold limit for an algorithm. You can also set the Heuristics threshold values for an algorithm using the Advance Settings option. These updated threshold values are used to generate events. Offender/Target settings: You can select the specific Offender/Target field to be displayed in the Event List report using this option. Click Offender/Target settings and choose the source and destination IP/network field to be displayed in the event list. 2.1d Location: The Location option allows you to manage the geographical and topological locations for offenders and targets. Using this you can load/update geographical location, configure topological location, view/edit the topological location list and configure location mode settings. 1. Click on the Location drop-down box. 2. Select the appropriate option (Load GeoLocation, Add Topolocation, View Topolocation or Location Mode). 3. Specify the requested details. 4. Click OK. Load Geolocation: Allows you to load/update the geographical location of the IP addresses. Add Topolocation: Allows you to configure the topological location for IP addresses. View Topolocation: Displays the configured Topological Locations and their associated IP addresses; also allows you to add/remove IP addresses for the selected topolocation. Location Mode: Displays the List
254. n report, Source report, Source network report, Destination report, Destination network report, QoS report, Conversation report, Conversation network report, Custom report, NBAR report, CBQoS report, Compare report, Report Profiles, Capacity Planning Reports, Medianet Reports. Report Generation Schedule: How and when the report is to be generated, e.g. daily, weekly, monthly or only once. Generate report on: This value determines the time at which the report is to be generated. Generate report for: This value determines the start and end time for the report. Email Address: This is the address to which the generated reports will be sent. Email Subject: The email subject can be customized according to the report selected. NetFlow Analyzer calculates the bandwidth utilization on the specified interfaces/IP Groups every minute. Based on the schedule opted for, reports are generated at various time intervals. The Schedule Reports feature lets you create new schedules and delete existing ones. The Scheduler List page lists all existing schedules along with the schedule details, status, report types and the Last Report Generated time. The various columns displayed in the Scheduler List page are described in the table below (Column | Description). Name: The name given to the schedule when it was created.
255. names may be resolved only when Resolve DNS is clicked, or automatically (the default). DNS count in cache: The DNS count can take any value from 5000, 7500 and 10,000. User Defined DNS names: User-defined DNS names can be entered or modified; this value will override the system-resolved DNS value. Clear DNS Cache: Clicking on this button will clear all DNS entries that have been resolved by the system. The application asks for a confirmation before initiating the clearing action. Advanced Settings: The Advanced Settings option includes the Flow Filter Settings and the Radius Server Settings and their corresponding configuration settings. Flow Filter Settings: The Flow Filter settings give the administrator the option to: exclude ESP_App on user-defined interfaces (this helps ensure that traffic is not double counted in the case of ESP tunnels); suppress Access Control List related drops, based on the destination interface being null, on user-defined interfaces; suppress output interface accounting on user-defined interfaces (useful when working with a WAN accelerator); apply a GRE filter on the cryptomap tunnels to prevent double counting of GRE traffic. Option | Description: Select edge tunnel to apply ESP applic | One could add or modify interfaces to apply the ESP application filter. Enabling NetFlow
256. nd. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts/ports/endpoints) (Scans/Probes). Short TCP Fin_Ack Grid Scan (Scans/Probes): Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end. Short TCP Fin_Ack Port Scan Reverse (Scans/Probes): 1. Short TCP Fin_Ack flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end; 2. Short TCP Fin_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Short TCP Fin_Ack Host Scan Reverse (Scans/Probes): 1. Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end; 2. Short TCP Fin_Ack flows from multiple source hosts to
257. nd outgoing traffic for the past one hour. You can select the time period for which you need to see the AS data from the Select Period dropdown. The AS data can also be sorted as IN or OUT traffic. You can opt to see only the top n AS by selecting the relevant number from the dropdown. The purpose of the icons and buttons in the Router List is explained below.
Icon: Purpose
- Click this icon, or on the router name, to view the autonomous systems to which this router belongs.
- Click this icon to hide the AS corresponding to a router.
- Click this icon before the router name to change the display name of the device, its SNMP community string or its SNMP port.

Google Map View
The Google Maps feature lets you physically locate your network resources on a map. This enables network administrators to get a feel of how distributed their network is and, more importantly, a quick and easy drill-down to resource-specific information. Information on up to 3 top interfaces linked to a router is shown in the map.
NetFlow Analyzer, by using Google Maps, lets you position your devices on a map for a graphical presentation. You need to obtain a Google API Key in order to set this up. The steps to obtain one are elaborated below.
Generating the Google Maps API key
The Google Maps API key is necessary to access the Google Map feature. You can get it by followi
258. networks will consider the value of the TOS field when deciding how to handle and route packets. Partly this is a transition issue: there will be a (probably lengthy) period when some networks will use equipment that predates this specification. Even long term, many networks will not be able to provide better service by considering the value of the TOS field. For example, the best path through a network composed of a homogeneous collection of interconnected LANs is probably the same for any possible TOS value. Inside such a network it would make little sense to require routers and routing protocols to do the extra work needed to consider the value of the TOS field when forwarding packets.
- The TOS mechanism is not powerful enough to allow an application to quantify the level of service it desires. For example, an application may use the TOS field to request that the network choose a path which maximizes throughput, but cannot use that mechanism to say that it needs or wants a particular number of kilobytes or megabytes per second. Because the network cannot know what the application requires, it would be inappropriate for the network to decide to discard a packet which requested maximal throughput because no high-throughput path was available.

Top Conversations
The Conversation tab shows the top conversations contributing to traffic in the selected time period. Choose
259. ng http
    Router> enable
    Router# config terminal
    Router(config)# ip http server
    Router(config)# ip http authentication local
    Router(config)# end
Troubleshoot:
    Router# show ip http server status

Enabling Service Listener
The service listener is a type of WSMA profile that listens for incoming connections and accepts devices from allowed addresses or accepted user IDs.
    Router> enable
    Router# config terminal
    Router(config)# wsma profile listener mylistener
    Router(config-wsma-listen)# encap soap11
    Router(config-wsma-listen)# transport http path /wsma
    Router(config-wsma-listen)# transport http
    Router(config-wsma-listen)# wsse
    Router(config-wsma-listen)# exit
    Router(config)# end
Troubleshoot:
    Router# show wsma profile connections

Enable WSMA agents that provide access to exec:
    Router> enable
    Router# config terminal
    Router(config)# wsma agent exec profile mylistener
    Router(config)# end

Troubleshoot: WSMA "format unable to get tty"
If the maximum number of connections for the router is reached, it will throw "format unable to get tty". In that case, check the total users connected with show users, and clear an unwanted line using clear line <lineno>:
    cisco2081_routerss# show users
    cisco2081_routerss# show line
    cisco2081_routerss# clear line <lineno>
    [confirm] y
    [OK]
260. ng received.
- The interface is responding to SNMP requests, the link is down, and no flows are being received.
The IN Traffic and OUT Traffic columns show the utilization of IN and OUT traffic on the respective interfaces for the past one hour. You can click on the IN Traffic or OUT Traffic bar to view the respective application traffic graph for that interface. Use the Custom Report link to generate custom reports. Set the value in Refresh this Page to tell the application how frequently the page has to be refreshed to fetch the most recent data.

Grid View
The grid view lists the routers in a grid fashion. It gives details about the different routers in the network, the type of flows each router is exporting (v5 or v9) and the interfaces associated with each router. Click on the device name or the number of interfaces listed to view the device/interface snapshot of the selected resource. The grid view also displays the Most Viewed Devices and Most Viewed IP Groups.

Device Snapshot

IP Group List
A set of 4 IP groups have already been defined and have been named as: Mail sites (e.g. Gmail, Yahoo), Social network sites (e.g. Facebook, Twitter, MySpace), Sports sites (e.g. Foxsports, Cricinfo) and Video sites (e.g. Youtube, hulu, FoxinteractiveMedia). Using the IP group list search option you can search for IP groups that are defined. You can also add or
261. ng the below steps:
- Click on the Google Map View tab. An alert message pops up which tells you the URL at which you can generate a key for your access.
- Proceed to the Configuring Google Map View screen.
- Follow Step 1: Click on the Click Here link. A new window opens up which reads "Sign up for the Google Maps API".
  - Agree to the terms and conditions set forth in that page. Specify the URL at which you will be accessing the application. Click on the Generate API Key button. A window will appear with the message "Your Key is" and the key below it. Copy the key and paste it in the place provided in the application in Step 2. Click on Update.
Once the key is pasted, a map can be seen with the devices located on it. Refer to Settings to make any changes to the display.
Please note that NetFlow Analyzer allows you to store only one key for a particular installation. If you obtain the key using http://<12.12.12.12>:8080 and try to access it using http://<servername>:8080, you will not be able to access the Google Map View and you may be prompted to obtain a fresh key. We recommend that you use the IP address/DNS name when you obtain the key and access NetFlow Analyzer using the same URL.

Network layout in Google map
You can visually see the devices that you are monitoring with NetFlow Analyzer on the Google map, and you can also see the traffic/interface details by clicking on the link. Given below are the steps to do so
262. ng this command with the -is:tempdir <directoryname> option, where <directoryname> is the absolute path of an existing directory:
    <file_name>.bin -is:tempdir <directory_name>
3. Follow the instructions as they appear on the screen to successfully install NetFlow Analyzer on your machine.

Uninstalling NetFlow Analyzer
Windows
1. Navigate to the Program folder in which NetFlow Analyzer has been installed. By default, this is Start > Programs > ManageEngine NetFlow Analyzer.
2. Select the option Uninstall NetFlow Analyzer.
3. You will be asked to confirm your choice, after which NetFlow Analyzer is uninstalled.
Linux
1. Navigate to the <NetFlowAnalyzerHome>/_uninst directory.
2. Execute the command uninstaller.bin.
3. You will be asked to confirm your choice, after which NetFlow Analyzer is uninstalled.

Starting and Shutting Down
Once you have successfully installed NetFlow Analyzer, start the NetFlow Analyzer server by following the steps below.
Starting NetFlow Analyzer
Windows: Click on Start > Programs > ManageEngine NetFlow Analyzer > NetFlow Analyzer to start the server. Alternatively, you can navigate to the <NetFlowAnalyzer_Home>/bin folder and invoke the run.bat file.
Linux: Navigate to the <NetFlow Home>/bin directory and execute the run.sh file.
When the server is started, a c
263. nge. The From and To boxes let you choose custom time periods for the report. Use the icon to select the date and time easily. Use the IN/OUT box to display values based on IN traffic, OUT traffic, or both IN and OUT traffic. The Show box lets you choose how many results to display. You can set this value from the Settings page. Once you select all the desired criteria, click the Generate Report button to display the corresponding traffic report. The report can also be exported as CSV. The default report view shows the IP addresses of the hosts. Click the Resolve DNS link to see the corresponding DNS values. You can also choose to print this report by clicking the icon or the Print link.
Search Reports are different from Troubleshooting Reports. You can troubleshoot only one interface at a time, whereas Custom Reports can be generated across interfaces. Data for Troubleshooting reports is taken directly from raw data, whose maximum retention period can be set from Settings. Data for Custom Reports, however, is taken from aggregated data in the database.

Capacity Planning
The Capacity Planning feature in NetFlow Analyzer helps you make informed decisions about your network bandwidth. It details the traffic trend and bandwidth utilization pattern over a period of time. The capacity planning report is available for all interfaces monitored under the NetFlow Anal
264. nimum Flux Rate at the destination end. 2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. Class: DoS/Flash Crowd

ICMP ToS Unreachable Outflood: 1. ICMP ToS Unreachable flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP ToS Unreachable flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. Class: DoS/Flash Crowd

ICMP ToS Unreachable Host Scan: 1. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. ICMP ToS Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Class: Scans/Probes

ICMP ToS Unreachable Host Scan Reverse: 1. ICMP ToS Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP ToS Unreachable flows from multiple source hosts to
Class: Scans/Probes
265. nimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Class: Scans/Probes

Contacting Technical Support
Click the Support link on the top left corner of the NetFlow Analyzer client screen to see a wide range of options to contact the NetFlow Analyzer Technical Support team in case of any problems.
Option: Description
Request Technical Support: Click this link to submit a form from the NetFlow Analyzer website with a detailed description of the problem that you encountered.
Create Support Information File: Click this link to create a ZIP file containing all the server logs that the Technical Support team will need to analyze your problem. You can then send this ZIP file to netflowanalyzer-support@manageengine.com or upload it to our server via FTP.
Troubleshooting Tips: Click this link to see troubleshooting tips for common problems encountered by users.
User Forums: Click this link to go to the NetFlow Analyzer user forum. Here you can discuss with other NetFlow Analyzer users and understand how NetFlow Analyzer is being used across different environments.
Need a Feature: Click this link to submit a feature request from the NetFlow Analyzer website.
Toll-free Number: Call the toll-free number 1-888-720-9500 to talk to the NetFlow Analyzer Technical Support team directly.
266. number the device on this address.
ip flow-export version 5 [peer-as | origin-as]: Sets the NetFlow export version to version 5. NetFlow Analyzer supports only version 5, version 7 and version 9. If your router uses BGP, you can specify that either the origin AS or the peer AS is included in exports; it is not possible to include both.
ip flow-cache timeout active 1: Breaks up long-lived flows into 1-minute fragments. You can choose any number of minutes between 1 and 60. If you leave it at the default of 30 minutes, your traffic reports will have spikes. It is important to set this value to 1 minute in order to generate alerts and view troubleshooting data.
ip flow-cache timeout inactive 15: Ensures that flows that have finished are periodically exported. The default value is 15 seconds. You can choose any number of seconds between 10 and 600. However, if you choose a value greater than 250 seconds, NetFlow Analyzer may report traffic levels that are too low.
snmp-server ifindex persist: Enables ifIndex persistence (interface names) globally. This ensures that the ifIndex values are persisted across device reboots.
For more information on BGP reporting in NetFlow Analyzer, look up the section on Configuring NetFlow for BGP.

Verifying Device Configuration
Issue the following commands in normal (not config
267.
4. Select the routers needed and the interfaces under them for this interface group. When you select a router, all its interfaces are selected by default. You can selectively unselect the unwanted interfaces from the list.
5. Click on Add to save the changes.
The interface group that is created is listed in the Dashboard view in the Interface View tab. The interface group name and the In Traffic & Out Traffic for the last 1 hour can be seen in it. By clicking on the interface group name it is possible to drill down to view further details. To delete a particular interface group, select the interface group and click on Delete.
Modifying an interface group
You can modify any interface group later by selecting the particular interface group to be modified and clicking on the Modify tab.

Billing
Billing is the latest feature introduced in NetFlow Analyzer. This feature helps keep a tab on resource usage and takes bandwidth monitoring one step ahead: Accounting. It makes the reports easy to understand in terms of cost incurred. Internally, organizations can use this feature for department-wise billing. Internet Service Providers can also use this to automatically generate reports for their customers.
Operations on Billing
Billing can be accessed through
268. old values, click Add Row and add values.
5. Customizing from address
6. You can customize the From Address from the mail server settings in the Settings page.
7. After setting the required thresholds, click Save.
The new alert profile is created and activated. The system watches the utilization, volume, speed and packets and raises alarms when the specified conditions are met. Only one alert is generated for a specified time duration. For example, say for a particular interface the threshold is set as 60, the number of times is set as 3 times, and the time duration is set as 30 minutes. Now let's assume that the utilization in that interface goes above 60 and stays above it. Then in 3 minutes the above conditions will be met and an alert will be generated. The next alert will NOT be generated after 6 minutes, but only in the 33rd minute if the condition persists. Thus, for the specified 30-minute time duration only one alarm is generated. This is designed to avoid a lot of repetitive mail traffic.

Modifying or Deleting Alert Profiles
Select an alert profile and click on Modify to modify its settings. You can change all of the alert profile's settings except the profile name. However, it is possible to modify the Link Down alert profile's name. There is also an option to clear details of all alerts created for this profile from this page itself. Once you are done, click Save to save your changes. Select an alert
269. om single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. ICMP Redirect flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Class: Scans/Probes

ICMP Redirect Host Scan Reverse: 1. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP Redirect flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Class: Scans/Probes

ICMP Source Quench Flows: ICMP Source Quench flows with Dst Port value equal to 1024, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Outdated, but can be used to attempt a denial of service by limiting the bandwidth of a router or host.

ICMP Source Quench Inflood: 1. ICMP Source Quench flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Source Quench flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux
Class: DoS/Flash Crowd
270. om these interfaces to NetFlow Analyzer, they will reappear in the Dashboard. To prevent this, you need to disable NetFlow export from those interfaces.

Licensing New Interfaces
If a NetFlow packet is received from a new interface and the number of interfaces presently managed is less than that allowed in the current license, this interface is listed under Router List on the Dashboard with a message saying new flows have been received. You then need to click the License Management option and change this interface's status to Managed in order to include this interface in the list of managed interfaces and also generate traffic graphs and reports for it.
If a NetFlow packet is received from a new interface and the number of interfaces presently managed is equal to that allowed in the current license, you need to either unmanage other managed interfaces and then manage this interface, or leave this interface in New status. In any case, graphs and reports can be generated only for managed interfaces.
At any time you can buy more licenses by clicking on the Buy Online image.

Change Password
The Change Password option lets you change your own password for logging in to NetFlow Analyzer. This is available as a separate option in the Admin Operations menu for users logged
271. ommand prompt window opens up showing startup information on several modules of NetFlow Analyzer. Once all the modules have been successfully created, the following message is displayed:
    Server started. Please connect your client at http://localhost:8080
where 8080 is replaced by the port you have specified as the web server port during installation.

Starting as Service
Windows: If you have chosen the Start as Service option during installation, NetFlow Analyzer will run as a service on Windows.
Linux:
1. Login as root user.
2. Navigate to the <NetFlowAnalyzer_Home>/bin directory.
3. Execute the linkAsService.sh file.
4. Then execute the command /etc/init.d/netflowanalyzer start.
This starts NetFlow Analyzer as a service on Linux.
As far as Fedora/SUSE is concerned, please open the mysql-ds.xml file under the server/default/deploy directory and change
    <connection-url>jdbc:mysql://localhost:13310/netflow</connection-url>
to
    <connection-url>jdbc:mysql://127.0.0.1:13310/netflow</connection-url>
and restart the NetFlow Analyzer server.

Please follow the instructions below:
1. Navigate to the bin folder and back up (copy) linkAsService.sh to a safe location.
2. Open the file linkAsService.sh in an editor and look for the following lines:
    for i in 0 6 do ln -s -f initvar etc rc i d stopwith d
272. Problem Name | Description | Class
destination end. Class: DoS/Flash Crowd

Short TCP Psh Outflood: 1. Short TCP Psh flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Psh flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end. Class: DoS/Flash Crowd

Short TCP Psh Port Scan: 1. Short TCP Psh flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Short TCP Psh flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Class: Scans/Probes

Short TCP Psh Host Scan: 1. Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Psh flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Class: Scans/Probes

Short TCP Psh Diagonal Scan: Short TCP Psh flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts
273. on

Installation and Setup
System Requirements
This section lists the minimum requirements for installing and working with NetFlow Analyzer.
Hardware Requirements
The minimum hardware requirements for NetFlow Analyzer to start running are listed below:
- 2.4 GHz Pentium 4 processor or equivalent
- 1 GB RAM
- 10 GB disk space for the database

Interfaces | Processor | RAM | Disk Space
Up to 10 low-end routers | 2.6 GHz P D / 3.0 GHz P4 HT or equivalent | 1 GB | 20 GB
11-25 | 2.8 GHz P D or equivalent | 1 GB | 40 GB
26-50 | 2.6 GHz Core 2 Duo or equivalent | 1 GB | 60 GB
51-100 | 3.0 GHz Core 2 Duo / 2.4 GHz dual-core Xeon 3000 series or equivalent | 2 GB | 75 GB
101-300 | 2.6 GHz dual-core 3000 series Xeon Processor or equivalent | 4 GB | 225 GB
301-600 | 2.6 GHz quad-core 3000 series Xeon Processor or equivalent | 4 GB | 450 GB

NetFlow Analyzer is optimized for 1024 x 768 resolution and above.
For the device exporting NetFlow, ensure that the NetFlow export version format is exactly the same as the Cisco NetFlow version 5, version 7 or version 9 format. For information on Cisco devices and IOS versions supporting NetFlow, consult the Cisco NetFlow Device Support table.
Software Requirements
Platform Requirements
NetFlow Analyzer can be installed and run on the following operating systems and versions:
- Windows 2000 Server/Professional with SP4
- Windows XP with SP1
- RedHat Linux 8.0/9.0
- SUSE Linux
274. on Mapping, they will be recognized.
4. Why are only the top 5 or 10 values shown in the reports? What if I want more detail?
NetFlow Analyzer shows the top 50 results in all reports by default. You can see up to 100 results in each report by changing the Record Count value in the Settings page.
5. The graphs show only IN traffic for an interface, although there is both IN and OUT traffic flowing through that interface. Why's that?
Check if you have enabled NetFlow on all interfaces through which traffic flows. Since NetFlow traffic accounting is ingress by default, only IN traffic across an interface is accounted for. To see both IN and OUT traffic graphs for an interface, you need to enable NetFlow on all the interfaces through which traffic flows.
6. Why are some interfaces labeled as IfIndex2, IfIndex3, etc.?
This happens if the device/interface has not responded to the SNMP requests sent by NetFlow Analyzer. Check the SNMP settings of the interface, or manually edit the interface name from the Dashboard. NetFlow Analyzer uses port 161 and the "public" community string as default SNMP values. If the SNMP settings of your device are different, click the icon next to the device/interface in the Dashboard Interface View to change the values. If you need to change this globally, enter the new values in the same fields under Settings.
7. The total ban
275. on an ingress basis, when you enable NetFlow data export on interface A, it will only export the IN traffic for interface A and the OUT traffic for interface B. The OUT traffic for interface A will be contributed by the NetFlow data exported from interface B. Even if you are interested in managing only interface A, please enable NetFlow data export on both A and B. You may subsequently unmanage interface B from the License Management link.

Turning off NetFlow
Issue the following commands in global configuration mode to stop exporting NetFlow data.
Command: Purpose
no ip flow-export destination <hostname/ip_address> <port_number>: This will stop exporting NetFlow cache entries to the specified destination IP address on the specified port number.
interface <interface> <interface_number>
no ip route-cache flow
exit: This will disable NetFlow export on the specified interface. Repeat the commands for each interface on which you need to disable NetFlow.
For further information on configuring your IOS device for NetFlow data export, refer to Cisco's NetFlow commands documentation.

Configuring NDE on Catalyst 6000 Series Switches
Follow the steps below to configure NDE on Catalyst 6000 Series switches.
Configuring NDE on Catalyst 6000
276. on is enabled and the report generation date is set to the 5th of every month at 10:00 hours, then the report will be generated from last month's 5th, 10:00 hours, till this month's 5th, 10:00 hours. When the Exclude Weekend option is enabled, the generated report will exclude all the intervening weekends (Saturday & Sunday). The 12 most recent reports for this schedule can be accessed from the Schedule List page.
- Only Once: If you wish to generate a report only once at a specified time, you can do that by opting for Only Once. The date and time at which the report should be run can be specified. The date & time can be altered by using the icon. The report could be generated for the Previous Day (Last 24 Hours), Previous Week (Last 7 Days), Previous Month (Last 30 Days) or other options from the drop-down. When the Previous Day option is enabled, the button permits the setting of working hours. The latest report for this schedule can be accessed from the Schedule List page.
Customizing from address
You can customize the From Address from the mail server settings in Settings.
A note on emailed reports
A report is generated for each interface/IP Group. 50 such reports are zipped in a single email and mailed. If more than 50 interfaces/IP Groups are selected, the report will be sent in multiple emails. The last generated reports for all schedules will be under the folder NetFlow > Reports.
Deleting Schedules
Select
277. on port exceeding Minimum Horizontal Span at the destination end. 2. ICMP Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end. Class: Scans/Probes

ICMP Request Broadcast Host Scan Reverse: 1. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using a single source port exceeding Minimum Horizontal Span at the source end. 2. ICMP Request Broadcast flows from multiple source hosts to single/multiple destination hosts using fewer source ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Class: Scans/Probes

2. ICMP Responses from single/multiple source hosts to single/multiple

Excess ICMP Requests Flows: ICMP Requests with Dst Port value IN (2048 Echo Request, 3328 Timestamp Request, 3840 Information Request, 4352 Address Mask Request) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. Class: Suspect

ICMP Request Inflood: 1. ICMP Request flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Request flows from single/multiple
Class: DoS/Flash Crowd
278. on ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Host Scan: 1. Flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Diagonal Scan: Flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the destination end.

Grid Scan: Flows from single/multiple source hosts to multiple destination hosts on multiple destination ports exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.

Port Scan Reverse: 1. Flows from a single source host to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical Span at the source end. 2. Flows from fewer source hosts to single/multiple destination hosts using multiple source ports exceeding Minimum Vertical S
279. on understand why it was created.
IP Group Based on: Select whether you want to define this IP group based on IP address, DSCP names or port/protocol, or a combination of any of the three.
Specify IP / IP Range / Network: Select the IP address, address range or network that this IP group is based on. Use the Add More option to add additional specifications.
Include / Exclude / Between sites: The Include option includes the particular IP address, address range or network. The Exclude option excludes the particular IP address, address range or network. The Between sites option allows you to group the traffic between sites, which can be defined by two networks or IP addresses.
Filter based on DSCP names: Allows you to set filters based on the DSCP names of the applications.
Associated Interfaces: If you need to filter this IP group further based on devices or different interface combinations, click the Select Devices link and select the different devices and interfaces whose traffic needs to be included in this IP group.
IP Group Speed: Enter the interface speed in bits per second for calculating the percentage of traffic for this IP group.
If you add a new combination of ports and protocol, a popup opens stating that this combination of ports and protocol has not been mapped to any appl
280. onal) Specifies tag type as a match criterion.
Step 31: Router(config-cmap)# exit. (Optional) Exits class-map configuration mode.
Creating a traffic policy: To configure a traffic policy (sometimes also referred to as a policy map), use the policy-map command. The policy-map command allows you to specify the traffic policy name and also allows you to enter policy-map configuration mode, a prerequisite for enabling QoS features such as traffic policing or traffic shaping.
Associate the Traffic Policy with the Traffic Class: After using the policy-map command, use the class command to associate the traffic class created in the "Creating a Traffic Class" section with the traffic policy. The syntax of the class command is as follows:
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used the class-map command to create the traffic class (Step 3 of the "Creating a Traffic Class" section). After entering the class command, you are automatically in policy-map class configuration mode. The policy-map class configuration mode is the mode used for enabling the specific QoS features.
Procedure: To create a traffic policy (or policy map) and enable one or more QoS features, perform the following steps. This procedure lists many of the commands you can use to enable one or more QoS features. For example, to enable Class-Based Weighted Fair Queuing (CBWFQ), you would
281. onal Edition
Cisco Devices (NetFlow)
Configuring Cisco Devices: This section offers a brief guide to setting up NetFlow on a Cisco router or switch. For more detailed information, refer to the Cisco web site at http://www.cisco.com/go/netflow. It is recommended that only people with experience in configuring Cisco devices follow these steps.
Cisco devices with NetFlow support: Configuring an IOS Device; Configuring a Catalyst 6000 Series Switch; Configuring a Native IOS Device; Configuring a Catalyst 4000 Series Switch; Configuring NetFlow for BGP.
Setting the appropriate time on the router: NetFlow Analyzer stamps the flows based on the router time. It is therefore important to ensure that the time on the router is set properly. NetFlow Analyzer can handle routers from different time zones automatically, provided the correct time is set. Whenever the time difference between the NetFlow Analyzer server and the router is above 10 minutes, a warning icon will appear on the home page. When this happens, NetFlow Analyzer will stamp the flows based on the system time of the NetFlow Analyzer server. In case you see this, please ensure the following on the router:
- Check if the correct time is set on your router. You can check this by logging into the router and typing show clock. You can set the clock time using the command clock set hh:mm:ss date month year, for example: clock set 17:00:00 27 March 2007.
- Check if the time zone and the offset in
282. one
ln -s -f initvar /etc/rc5.d/startwith
3. Edit the above lines as follows, suffixing the rc.d folder after the etc folder:
for i in 0 6; do ln -s -f initvar /etc/rc.d/rc$i.d/stopwith; done
ln -s -f initvar /etc/rc.d/rc5.d/startwith
4. Save the file.
5. Shut down NetFlow Analyzer.
6. Execute linkAsService.sh and start NetFlow Analyzer using the command /etc/init.d/netflowanalyzer start.
Shutting Down NetFlow Analyzer: Follow the steps below to shut down the NetFlow Analyzer server. Please note that once the server is successfully shut down, the MySQL database connection is automatically closed and all the ports used by NetFlow Analyzer are freed.
Windows:
1. Navigate to the Program folder in which NetFlow Analyzer has been installed. By default this is Start > Programs > ManageEngine NetFlow Analyzer.
2. Select the option Shut Down NetFlow Analyzer.
3. Alternatively, you can navigate to the <NetFlowAnalyzer_Home>/bin folder and invoke the shutdown.bat file.
4. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut down.
Linux:
1. Navigate to the <NetFlowAnalyzer_Home>/bin directory.
2. Execute the shutdown.sh file.
3. You will be asked to confirm your choice, after which the NetFlow Analyzer server is shut down.
283. or should have the Cisco router IOS version 12.4 or later with the IPSLA agent. The IPSLA-agent-enabled location will act as the source, while the destination can be any IP in the other location.
2.2 Creating a new monitor
a. Click the Modules tab; from the dropdown box that appears, select IP SLA and then WAN Monitor.
b. In the new page that appears, click on the Settings tab.
c. Select the Add Monitor tab to add a new location to monitor:
- Enter the name of the monitor.
- Select the source router from the dropdown box. The dropdown box displays the list of routers discovered in NetFlow Analyzer.
- Select the relevant interface of the source router from the dropdown box.
- Enter the destination IP address (for example, 203.199.21.11) and click Add.
- Check the option "Create an IP group for this WAN Monitor" if you wish to create a separate IP group for the WAN monitor to be created.
- Click Submit to create/add a new monitor.
d. Once you submit the details, you will see the summary of the monitor you are about to configure; click Apply to device to submit the details to the device. A new monitor will be created after submitting the details. Click on the path name to view the details of that monitor. The scan router option checks the router for new NetFlow-enabled interfaces and adds them to the corresponding router.
Note: If you are not able to view IPSLA-enabled routers in the Source router's dropdown box, click on the icon to check the SNMP
284. oring session or video monitoring session. The Profile configuration in NetFlow Analyzer allows you to configure a Mediatrace monitoring profile for both system data and video monitoring using the web interface. In order to configure a Mediatrace Profile, do the following:
1. Navigate to Medianet > Settings > Add Profile.
2. Specify the profile name.
3. Select the type of profile. It can either be a video monitoring profile (perf-mon) or a system data profile (system). The metrics will differ according to the type of profile you select.
   1. If you have selected the video monitoring profile:
      1. Specify the sampling interval, the interval in seconds between samples taken of video monitoring metrics.
      2. Select whether the metrics being monitored are for TCP or RTP from the drop-down list.
   2. If you have selected the system data profile:
      1. The metrics being monitored are for interfaces, the CPU or the memory.
4. Click Add Profile to save the profile and add it to the session.
3. Configure Medianet Parameters: The Parameters profile defines the characteristics of a Cisco Mediatrace session and helps it to operate smoothly.
- Navigate to Medianet > Settings > Add Parameters.
- Select the IP address of the router you have configured as the Initiator.
- Specify the parameter name you want to configure.
- Specify the response time, the amount of time in seconds the initiator will w
285. ort Scan Reverse (Scans/Probes): (1) TCP Syn_Fin flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. (2) TCP Syn_Fin flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
TCP Syn_Fin Host Scan Reverse (Scans/Probes): (1) TCP Syn_Fin flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. (2) TCP Syn_Fin flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
TCP Syn_Fin Diagonal Scan Reverse (Scans/Probes): TCP Syn_Fin flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end.
TCP Syn_Fin Grid Scan Reverse (Scans/Probes): TCP Syn_Fin flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.
TCP Urg: TCP flows with TCP Flags value
286. ory Utilized: The table shows the memory utilization of the top N hops along with the session name.
- Top IP Packets Dropped: Lists the top N hops with respect to the number of packets dropped at each hop. The table lists the session name, the hop it is monitoring and the number of IP packets dropped.
- Top RTT: The table lists the top N hops with respect to round-trip time. The hops with high latency are listed here along with the RTT and session name.
- Top RTT Packet Lost: The table lists the top N hops with respect to RTT packets lost. The hops with high RTT packet loss are listed here along with the RTT packets lost and session name.
- Top Jitter: The table lists the top N hops with respect to jitter. The hops with high jitter are listed here along with the jitter value and session name.
Medianet OnDemand: The OnDemand feature helps you discover an IP flow's path on the go. The On Demand Mediatrace feature allows you to monitor and troubleshoot network incidents quickly without any additional configuration. Follow the steps given below to start Mediatrace On Demand:
1. Click the Mediatrace tab.
2. Click the OnDemand link in the Mediatrace page.
3. Select the initiator IP and the flow you wish to monitor.
4. Click Start. The Mediatrace path details for the selected flow will be displayed.
IP Gr
287. ot available with IOS versions earlier than 12.1(13)E on the Supervisor Engine 2 or 720.
Configuring NDE on 4000 Series Switches: Follow the steps below to configure NDE on a 4000 Series switch. The 4000 and 4500 series switches require a Supervisor IV or a Supervisor Engine V with a NetFlow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NDE. Alternatively, you must have the Supervisor Engine V-10GE, in which the functionality is embedded in the supervisor engine.
Configure this device as for an IOS device, but omit the ip route-cache flow command on each interface. Then issue the following command:
ip route-cache flow infer-fields
This command ensures routing information is included in the flows. You will not enter the ip route-cache flow command on each interface.
A Sample Device Configuration: The following is a set of commands issued on a 4000 Series switch to enable NetFlow version 7 and export to the machine 192.168.9.101 on port 9996, using FastEthernet 0/1 as the source interface:
switch> enable
ip flow-export destination 192.168.9.101 9996
ip flow-export version 7
ip flow-export source FastEthernet 0/1
ip flow-cache timeout active 1
ip route-cache flow infer-fields
288. oups View: A set of 4 IP groups have already been defined and named as follows: Mail sites (e.g. Gmail, Yahoo); Social network sites (e.g. Facebook, Twitter, MySpace); Sports sites (e.g. Foxsports, Cricinfo); Video sites (e.g. Youtube, hulu, FoxinteractiveMedia). Users can also add/remove other sites that they feel come under these predefined IP groups by going to Admin Operations >> IP Groups.
Information on the IP groups created so far is displayed below both the Global View tabs. This is also displayed when the All Groups link is clicked on the IP Groups pane on the left. Initially, when no IP groups have been created, you will simply see the status message "No IP groups have been configured".
The IP Group List shows all the IP groups that have been created so far. Click the View Description link to view descriptive information on all IP groups created. Alternatively, you can click the View Description link against each IP group to view descriptive information on that IP group alone. Click the IP Group name to view traffic graphs specific to that IP group. From the traffic graph you can navigate to see the top applications, top hosts and top conversations in this IP group. The IN Traffic and OUT Traffic columns show the volume of incoming and outgoing traffic in the IP group generated over the past one hour. You can click on the IN Traffic or OUT Traffic bar to view the respective application traffic report. Click the icon to see a
289. oups, and also create IP groups to monitor applications using particular DSCP names.
Volume based billing: The next level of billing after usage based billing. Users can generate bills based on the volume of data.
GRE application filter
Email option for sending reports
Site to site traffic monitoring: Users can create groups for monitoring site-to-site traffic.
Secondary DNS server lookup: This allows the system to go through DNS servers other than the primary ones for resolving DNS names.
Raw data storage: For users who do not need an in-depth report and for whom storing large data is an issue, you can now store the raw data for as little as 1 hour.
New Features in Release 7.0
Feature / Description
Reporting on Cisco CBQoS: Useful for monitoring class-based pre- and post-policy traffic usage, class-based drops and queuing.
Authentication using RADIUS server: Useful for centralized control of access to resources in a network by a single global set of credentials.
Ability to create IP groups with exclude IP address option: One could bulk load IP groups and selectively remove unwanted IP groups.
DNS resolving enhancement of source and destination addresses: Faster retrieval of DNS names made possible.
Support for user-configurable DNS names for IP addresses
290. oups does not get displayed while creating other bill plans.
Email ID To Send Reports: Enter the mail ID(s) to which the generated bill report needs to be sent. Multiple mail IDs should be separated by commas. The email subject can also be customized as per the user requirement.
On Demand Billing: Bills can be generated on demand. By clicking OnDemand for a particular bill plan in the bill plan list, a bill can be generated for the time period from the beginning of the billing cycle to the current date.
Editing Bill Plan: Bill plans can be edited by clicking the Bill Plans list and editing any particular bill as the need may be.
Adding an interface/IP group: An interface/IP group can be added at any point in the billing cycle. The bill will be generated for this interface/IP group on the billing date mentioned for the billing plan.
Removing an interface/IP group: When an interface/IP group is removed from a bill plan, the bill for that interface is generated at the same instant.
Other billing parameters: Editing base speed/volume, base cost, additional speed/volume, additional cost, and billing calculation (95th Percentile / Data transfer) will take effect only from the next billing cycle. Editing email ID and threshold alerting will take effect at the same time. Billing period and bill generation date CANNOT be changed. When
291. output policy-name
end
Medianet Reports: The Medianet report displays traffic IN and traffic OUT details based on media volume, round-trip time, packet loss and jitter. Clicking on the drop-down box will help you choose the desired metrics for the report. You can also choose to group the reports based on source, destination, application or none of these. Click Show Top to view individual reports for media volume, round-trip time, packet loss and jitter, or choose All reports to view all the metrics as a single report. Click on the icon in the table below the graph to view graphical details of the specific resource.
Media Volume: The time-line graph gives an at-a-glance view of the top 3 contributors (IP addresses) of media traffic. The pie chart represents the percentage of rich media traffic relative to other traffic in the network. The table below the graph displays the source/destination/application that has sent/received the maximum number of media packets and volume of media traffic in the network. It also reports the percentage of media traffic when compared to general traffic. Clicking on the respective source/destination/application will open the detail reports page that lists the traffic details of the selected source/destination/application.
RTT: The time-line graph gives an at-a-glance view of the top 3 IP addresses with high round-trip time (RTT). The pie
292. ove the resources that were ignored using this option. Note: Move your mouse over the resource to view the delete button.
Discard Flows: Allows you to discard flows for a specific problem. Select any event of a specific problem for which you want to discard the flows, click White List and select Discard Flows. In the new window that appears, select the appropriate criteria for which you want to discard the flows. Use the preview option to view the selected criteria. Click Save to confirm the selection. Note: The problem displayed here is the base problem, and the criteria selected are applicable to all the problems derived from the base problem. In order to apply the selected criteria to all the problems detected by ASAM, select All Problems.
View Discarded: Allows you to view the flow fields and the values for discarded flows. Select an event of a specific problem for which you have discarded the flows, click White List and select View Discarded. In the new window that appears, you can view the problem name and all the selected criteria. You can also remove the selected criteria using this option. Note: Move your mouse over the field value to view the delete button.
2.1b Manage: The Manage option allows you to manage Problems, Algorithms and Resources.
- Manage Problem: Allows you to enable or disable a specific problem or set of problems. Click Manage Problem and choose to enable or disable a problem. If a specific problem is dis
293. ow Analyzer server. You just need to enter the new license file in the Upgrade License box.
4. How many users can access the application simultaneously? This depends only on the capacity of the server on which NetFlow Analyzer is installed. The NetFlow Analyzer license does not limit the number of users accessing the application at any time.
5. NetFlow Analyzer logs out after a period of inactivity. How do I avoid that? You can change the time-out value to a higher value than the default 30 minutes by increasing the session-timeout parameter
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
under <NFA_Home>/AdventNet/ME/NetFlow/server/default/conf/web.xml. Change the value 30 to your desired time range, say 600. You will have to restart the NFA server for this to take effect.
6. How to create the DBInfo log file:
1. Please ensure that NFA is running.
2. Navigate to the Troubleshooting directory and execute the file DBInfo.sh / DBInfo.bat.
3. It creates an Info log file in the same folder. Please send us the info log file.
7. Why does the interface show 100% utilization? Please refer to this link for a brief explanation of 100% utilization: http://forums.manageengine.com (ftid 49000002654747)
8. What information do I need to send to NFA support for assistance?
1. Please run your logziputil.b
294. owd
ICMP Protocol Unreachable Inflood (DoS/Flash Crowd): (1) ICMP Protocol Unreachable flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. (2) ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.
ICMP Protocol Unreachable Outflood (DoS/Flash Crowd): (1) ICMP Protocol Unreachable flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. (2) ICMP Protocol Unreachable flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.
ICMP Protocol Unreachable Host Scan (Scans/Probes): (1) ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. (2) ICMP Protocol Unreachable flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
ICMP Protocol Unreachable Host Scan Reverse: (1) ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the
295. p class-name
  description description
  match access-group {access-group-name | name access-group-name}
  match any
  match cos cos-value
  match destination-address mac address
  match discard-class class-number
  match dscp dscp-value
  match flow {direction | sampler}
  match fr-de
  match fr-dlci dlci-number
  match input-interface interface-name
  match ip rtp starting-port-number port-range
  match ip {precedence | dscp}
  match mpls experimental topmost number
  match not match-criterion
  match packet length {max maximum-length-value [min minimum-length-value] | min minimum-length-value [max maximum-length-value]}
  match precedence precedence-criteria1 [precedence-criteria2 precedence-criteria3 precedence-criteria4]
  match protocol protocol-name
  match qos-group qos-group-value
  match source-address mac address
  match vlan {vlan-id | vlan-range | vlan-combination}
  rename class-name
  end
7. Configuring a Flow Policy for Cisco Performance Monitor Using an Existing Flow Monitor: The basic concepts and techniques for configuring a class for Cisco Performance Monitor are the same as for any other type of class. The class specifies which flow monitor is included. The only significant difference is that for Cisco Performance Monitor the policy-map command includes type performance-monitor. If you do not already have a flow monitor configured, or do not want to use any of your existing flow monitors for a new class, you can configure it u
296. pan, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Host Scan Reverse: (1) Flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. (2) Flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Diagonal Scan Reverse: Flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the source end.
Grid Scan Reverse: Flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.
The table below lists the set of problems detected, their classification, followed by a brief description.
Problem Name / Description / Class
Excess Broadcast: Broadcast traffic exceeds threshold for any given Src IP. Class: Bad Src/Dst Flows.
Excess Multicast: Multicast traffic exceeds threshold for any given Src IP. Class: Bad Src/Dst Flows.
Excess Networkcast: Network IP destined traffic exceeds threshold for any given Src IP. Class: Bad Src/Dst Flows.
Invalid Src/Dst: Invalid
297. parameters and then click Update to scan the router for IPSLA settings.
2.3 Customizing Test Parameters: NetFlow Analyzer uses a set of test parameters like payload, type of service (ToS), frequency and timeout for monitoring WAN performance. The test parameters are assigned default values in NetFlow Analyzer. In order to customize the test parameters to suit your requirement, do the following:
a. In the WAN RTT Monitor page, select the Settings tab.
b. Select Test Parameters and edit the following fields according to your requirement:
- Payload: The default value of payload is 24 bytes. Specify an echo payload value between 0 and 3000 bytes.
- ToS: The default value of ToS is 30; you can specify any echo ToS value in the range 0 to 255.
- Frequency: The default value of operation frequency is 60 seconds. You can specify any value in the range 0 to 604800 msecs.
- Timeout: The default value of operation timeout is 60 seconds. You can specify the timeout in the range 0 to 604800 seconds.
c. Click Save to save the changes.
Note: The timeout interval value should be less than the configured operation frequency value, so that if there is no response from the device, or in the event of a delay, the request is timed out and the subsequent operation is launched at the configured frequency.
2.4 Customizing Thresholds: NetFlow Analyzer generate
298. place.
Dashboard Device View: The Device view gives an at-a-glance view of all routers/switches present in the network. This helps you determine the traffic statistics of every NetFlow-enabled device in the network. You can choose to view the devices in an Interface view or a Grid view.
Interface View: The Interface view shows all the routers and interfaces from which NetFlow exports have been received so far, along with specific details about each interface. The default view shows the first router's interfaces alone; the remaining routers' interfaces are hidden. Click the Show All link to display all routers' interfaces on the Dashboard. Click the Hide All link to hide all interfaces and show only the router names in the Router List. You can click on the device name and drill down to see, for that device, the top 10 interfaces (based on utilization and speed), top protocols, top applications, top sources, top destinations, top conversations and top DSCP. You can export this device-based report as PDF by clicking on the PDF icon at the top right. You can set filters on the Dashboard view to display only those interfaces whose incoming or outgoing traffic values exceed a specified percentage value. Click the Filter link to specify minimum percentage values for IN or OUT traffic. Click the Set button for the changes to take effect. The filter se
299. ponding to the passwords field. In the pop-up, enter the appropriate credentials and submit. After successfully submitting the correct SNMP credentials, try to add the VoIP Monitor again for the source device (Modules > WAN RTT > Settings).
WAAS (Cisco's Wide Area Application Services): Cisco's Wide Area Application Services (WAAS) is a solution designed to optimize application performance and infrastructure consolidation in WAN environments. WAAS consists of a GUI and a set of system devices called wide area application engines (WAEs) that work together to optimize TCP traffic over your network. When client and server applications attempt to communicate with each other, the network intercepts and redirects this traffic to the WAEs so that they can act on behalf of the client application and the destination server. The WAAS GUI is used to centrally configure and monitor the WAEs and application policies in your network. Cisco WAAS is able to ensure high-performance access for remote workers who access distant application infrastructure and information, including file services, e-mail, the Web, intranet and portal applications, and data protection.
2. Getting Started with WAAS: The Cisco Wide Area Application Services (WAAS) network module works together wi
300. ponse Diagonal Scan (Scans/Probes): destination hosts where the number of distinct destination hosts is equal to the number of distinct destination ports, which is also equal to the number of destination end points (hosts = ports = endpoints), exceeding Minimum Diagonal Span at the destination end.
UDP Echo Response Grid Scan (Scans/Probes): UDP Echo Responses from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.
UDP Echo Response Host Scan Reverse (Scans/Probes): (1) UDP Echo Responses from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. (2) UDP Echo Responses from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.
Excess UDP Echo Requests (Suspect Flows): UDP Echo Requests to Dst Port 7 (Echo) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied.
UDP Echo Request Inflood / UDP Echo Request Outflood: (1) UDP Echo Requests from multiple source hosts to fewer destination hosts, exceeding
301. port. If you have not upgraded to the Professional Edition by the end of the evaluation period, NetFlow Analyzer automatically reverts to the Free Edition.
Upgrading your License: After obtaining the new license from ZOHO Corp, save it on your computer and follow the steps below to upgrade your NetFlow Analyzer installation:
1. Log in to the NetFlow Analyzer web client.
2. Click License Management from Admin Operations.
3. Click the Upgrade License link present in the top right corner of the screen.
4. In the License window that opens up, browse for the new license file and select it.
5. Click Upgrade to apply the new license file.
The new license is applied with immediate effect. You do not have to shut down or restart the NetFlow Analyzer server after the license is applied.
Configuring Flow Exports
Devices and Supported Flow Exports: The following chart specifies information on the various vendors and the flow exports their devices support. Click on the specific device name to know how to configure the corresponding flow export.
Device Vendor / Supported Flow Export
Cisco: NetFlow
Juniper Devices: cflowd / jFlow
Nortel: IPFIX
Huawei, 3Com, H3C: Netstream
Alcatel-Lucent, Extreme Networks, Foundry Networks, HP, Hitachi, NEC, AlaxalA Networks, Allied Telesis, Comtec Systems, Force10 Networks: sFlow
302. porting that doesn't require network taps, protocol or span ports.
Create and Monitor IP groups using WAN RTT monitor: Using WAN RTT monitor, you can create specific IP groups for the IP address or IP range monitored. This way you can monitor both latency and the number of flows for a specific IP address or range.
On demand billing in Capacity Planning Reports: Generate on-demand bills in capacity planning reports.
Performance tuning: Improve the performance of the product through the user interface.
New Features in Release 9.1: The latest release of NetFlow Analyzer 9.1 can be downloaded from the website at http://www.netflowanalyzer.com/download.htm
Feature / Description
Advanced Security Analytics Module: Security analytics tool that helps in detecting network intrusions and classifying the intrusions to tackle network security threats in real time. It has been enhanced with anomaly-based detection and heuristics-based event classification that includes Denial of Service Attack, Host Scan, Port Scan, Diagonal Scan and Grid Scan.
New Features in Release 9.0: The latest release of NetFlow Analyzer 9.0 can be downloaded from the website at http://www.netflowanalyzer.com/download.html
Feature / Description
Wide Area Application Services (WAAS) / Enhanced Capacity Planning Report: Cisco Wide Area Application Services
303. profile, then the reports will be displayed in a tabbed format; otherwise they will be shown in a widget grid format.

[Add Profile dialog: Profile Name; Device; Reports (Application Report, Conversation Report, Source Report, Destination Report, Source Network Report, Destination Network Report, Conversation Network Report); Time Period (Last Hour); Filter (Match All Filters / Match Any Filters); New Filter; Add / Cancel]

Creating a new filter
• Click on the New Filter option in the report profile.
• Enter the filter parameters for customization.
• Click Add to submit the details.
Now a new filter has been created.

[Filter dialog: Filter Name; Filter Type (Include); tabs Application, Source, Destination, Protocol; Available Applications list (e.g. 3PC_App, 3com-amp3, 3com-tsmux, 914c/g, A/N_App, AH_App, ARGUS_App, ARIS_App, AX.25_App, BBN-RCC-MON_App, BNA_App) and Selected Applications list; Add / Cancel]

The user can generate customized reports based on the filter options. The filter options are:
• Application: Lists the available applications that can either be included in or excluded from the filter.
• Source: Here you can add the source IP address, IP range or IP network that is to be included in or excluded from the filter. You can add more than one IP address as
304. Option | Description
Billing | Allows you to add and edit bill plans and view reports.
Product Settings | Click this link to change default server settings for NetFlow Analyzer and also set up the mail server for sending e-mail notifications.
Application Mapping | Click this link to configure applications based on port/protocol combinations.
IP Group Management | Click this link to create IP groups that let you view traffic details for a selected group of devices, applications or interfaces.
Alert Profiles Management | Click this link to add new alert profiles or modify existing ones.
Scheduler Configuration | Allows setting of the time intervals at which network traffic reports are generated automatically and mailed to the desired recipient(s).
Device Group Management | Click this link to set up device groups based on devices exporting NetFlow data to NetFlow Analyzer.
NBAR / CBQoS | Click this link to learn how to configure your device for NBAR and CBQoS.
User Management | Click this link to create different users for logging in to NetFlow Analyzer and assign access privileges to each user.
License Management | Click this link to manage the list of devices exporting NetFlow data to NetFlow Analyzer, based on the current license applied.
Change Password | Click this link to change your own password for logging in to NetFlow Analyzer.

Product Settings

The Settings option includes several server configuration setting
305. Problem Name (Class): Description

... single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Short TCP Fin_Ack Diagonal Scan Reverse (Scans/Probes): Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts, where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the number of source end points (hosts, ports, endpoints), exceeding Minimum Diagonal Span at the source end.

Short TCP Fin_Ack Grid Scan Reverse (Scans/Probes): Short TCP Fin_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.

Excess Short TCP Fin_Ack Packets (Suspect Flows): TCP flows with nominal payload, i.e. BytePerPacket between 40 and 44 octets (bytes), and a TCP Flags value in {19 (ASF), 22 (ARS), 23 (ARSF)}, denoting opened and closed TCP sessions, touching or exceeding the Upper Limit, where none of the following derived problems is satisfied. (In the flag notation, A = ACK (16), S = SYN (2), R = RST (4) and F = FIN (1), so 19 = ACK+SYN+FIN, 22 = ACK+RST+SYN and 23 = ACK+RST+SYN+FIN.)

Short TCP Handshake Attack (DoS/Flash Crowd): Short TCP Handshake flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

Short TCP Handshake ...: Short TCP Handshake flows
306. r_Home>/server/default/conf

2. Replace the default values for the following parameters as follows:

Default Value | New Value
<xsl:variable name="portHttps" select="$port"/> | <xsl:variable name="portHttps" select="8493"/>
<delegate-config> <binding port="8090"> <service-config> | <delegate-config> <binding port="8493"> <service-config>

Verifying SSL Setup
1. Restart the NetFlow Analyzer server.
2. Verify that the following message appears: "Server started. Please connect your client at http://localhost:8493" (the server now expects HTTPS on this port, as in step 3).
3. Connect to the server from a web browser by typing https://<hostname>:8493, where <hostname> is the machine on which the server is running.

SNMP Trap Forwarding

The alerts generated by NetFlow Analyzer can be forwarded as trap messages to any manager application. This helps in consolidating all the network alerts in a single place, the manager application. The steps for the manager application to receive the traps forwarded by NetFlow Analyzer are:
1. Configure a port in the manager application to listen for SNMP traps.
2. In the NetFlow Analyzer alert profile form, select the alert action SNMP Trap and specify <Server Name>, <Port No> and <Community>. Note that the community string travels in cleartext in SNMPv1/v2c traps, so use a community dedicated to trap reception rather than one that also grants read or write access.
   o <Server Name>: The name or IP address of the server in whi
307. Problem Name (Class): Description

... Rate at the source end.

ICMP Datagram Conversion Error Host Scan (Scans/Probes): 1. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. ICMP Datagram Conversion Error flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

ICMP Datagram Conversion Error Host Scan Reverse (Scans/Probes): 1. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. ICMP Datagram Conversion Error flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Excess UDP Echo Responses (Suspect Flows): UDP Echo Responses (from source port 7, Echo) touching or exceeding the Upper Limit, where none of the following derived problems is satisfied.

UDP Echo Response Inflood (DoS/Flash Crowd): 1. UDP Echo Responses from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux R
308. rc IP

UDP Echo Request Broadcast Attack (DoS/Flash Crowd): UDP Echo Request Broadcast flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

UDP Echo Request Broadcast Inflood (DoS/Flash Crowd): UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

UDP Echo Request Broadcast Outflood (DoS/Flash Crowd): 1. UDP Echo Request Broadcast flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. UDP Echo Request Broadcast flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.

UDP Echo Request Broadcast Host Scan (Scans/Probes): 1. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. UDP Echo Request Broadcast flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

UDP Echo Request Broadcast Port Scan ... (Scans/Probes): 1. UDP Echo Request Broadcast flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding
309. rce end points, exceeding Minimum Diagonal Span at the source end.

Short TCP Syn_Rst Grid Scan (Scans/Probes): Short TCP Syn_Rst flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.

Short TCP Syn_Rst Port Scan Reverse (Scans/Probes): 1. Short TCP Syn_Rst flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TCP Syn_Rst flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Short TCP Syn_Rst Host Scan Reverse (Scans/Probes): 1. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Short TCP Syn_Rst Diagonal Scan Reverse (Scans/Probes): Short TCP Syn_Rst flows from multiple source hosts to single/multiple destination hosts, where the number of distinct source hosts is equal to the number of distinct source ports, which is also equal to the nu
310. remove IP groups to suit your requirement.

Enabling SNMP v3

SNMP v3 is the latest version of the Simple Network Management Protocol, standardized by the IETF (RFC 3411 through RFC 3418). With SNMP v3, data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted, and confidential information (for example, SNMP Set command packets that change a router's configuration) can be encrypted to prevent its contents from being exposed on the network. These guarantees hold only at the authPriv security level: noAuthNoPriv sends everything in the clear, and authNoPriv protects integrity but not confidentiality.

For NetFlow Analyzer to be able to successfully poll the routers, users need to give the SNMP v3 credentials to NetFlow Analyzer.

1. In the Interface view tab, click on Set SNMP, which appears at the top left beside the router name. In the pop-up that follows, select from the drop-down the router name for which you need to create or apply credentials. Note: Retrieve the interface name and speed using the following SNMP parameters.

[Set SNMP parameters dialog: Router Name (All Routers); Router IP (All Routers); SNMP Community (public); SNMP Port (161); Default Interface Name (Desc); "Also retrieve the router name (this may override the router name set manually in NetFlow Analyzer)"; Enable SNMP v3 checkbox; Update / Cancel]

2. Check the Enable SNMP v3 box and click on the credential settings.
3. You can add a new credential or apply an already present credential from the credential list.
4. To ad
311. report displays the applications contributing the most network traffic. The Top Sites option maps applications to resolved DNS names. Using this option you can add, modify or delete the pre-defined IP addresses and their corresponding applications.

Adding a Top Site
To add a top site, follow the steps given below:
1. Click Add.
2. In the pop-up screen that appears, select the IP address, IP network or IP range you wish to map.
3. Specify the details.
4. Select the application name.
5. Click Add to save the changes.
Now the application has been successfully mapped to the IP address.

Modifying a Top Site
To modify a top site, follow the steps given below:
1. Select the site name you want to modify.
2. Click Modify.
3. In the pop-up that appears, specify the new site name.
4. Click Update to save the changes.
Now the site name has been successfully changed.

Deleting a Top Site
To delete a top site, follow the steps given below:
1. Select the site name you want to delete.
2. Click Delete.
3. In the pop-up that appears, click OK to delete the site name.
Now the site name has been permanently deleted.

IP Group Management

A set of 4 IP groups has already been defined and named as:
• Mail sites (e.g. Gmail, Yahoo)
• Social network sites (e.g. Facebook, Twitter, MySpace)
• Sports sites (e.g. Foxsports, Cricinfo)
• Video sites (e.g. YouTu
312. rface works properly.

Verifying the Traffic Class and Traffic Policy Information

To display and verify the information about a traffic class or traffic policy, perform the following steps:

Step | Command or Action | Purpose
1 | Router> enable | Enables privileged EXEC mode.
2 | Router# show class-map [type {stack | access-control}] [class-map-name] | (Optional) Displays all class maps and their matching criteria.
3 | Router# show policy-map policy-map class class-name | (Optional) Displays the configuration for the specified class of the specified policy map.
4 | Router# show policy-map [policy-map] | (Optional) Displays the configuration of all classes for a specified policy map, or all classes for all existing policy maps.
5 | Router# show policy-map interface [type access-control] type number [vc [vpi/] vci] [dlci dlci] [input | output] | (Optional) Displays the packet statistics of all classes that are configured for all service policies, either on the specified interface or subinterface or on a specific permanent virtual circuit (PVC) on the interface.
6 | Router# exit | (Optional) Exits privileged EXEC mode.

Using the CBQoS Data

Once polling has been started, reports can be viewed under the CBQoS tab. Reporting is available in terms of Volume of Traffic, Number of Packets, Traffic Speed and
313. rgen flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. UDP Echo Chargen flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end. (DoS/Flash Crowd)

UDP Echo Chargen Outflood (DoS/Flash Crowd): 1. UDP Echo Chargen flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. UDP Echo Chargen flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.

UDP Echo Chargen Host Scan (Scans/Probes): 1. UDP Echo Chargen flows from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. UDP Echo Chargen flows from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

UDP Echo Chargen Host Scan Reverse (Scans/Probes): 1. UDP Echo Chargen flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. UDP Echo Chargen flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Mi
314. ring under IP Group Management.

Alert Profiles Management

An alert profile is created to set the thresholds for generating alerts. The parameters to be set when creating an alert profile are:
• Interfaces / IP Groups / Interface Groups: The list of interfaces, IP groups or interface groups whose bandwidth utilization must be watched.
• Traffic pattern: The traffic to be watched: IN traffic, OUT traffic, or a combination of both.
• Application / Port(s): You can watch the traffic through all applications or through a particular application; similarly, through a single port or a range of ports.
• Threshold settings: These have three parts, namely utilization, number of times and duration.
  o Utilization: When the utilization exceeds this limit, the event is noted.
  o Number of times: The number of times the utilization is allowed to exceed the threshold before an alert is raised.
  o Duration: The time period within which, if the threshold is exceeded the specified number of times, an alert is generated.

NetFlow Analyzer calculates the bandwidth utilization of the specified interfaces, IP groups or interface groups every minute. If the utilization exceeds the threshold value, the time at which it did so is noted. Subsequently, each time it exceeds the threshold, the corresponding times are noted. If the number of times the utilization exceeds the specified limit in the specified time dura
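The threshold logic described above, as an added example that is not NetFlow Analyzer's own code. It takes one utilization sample per minute, as the page states, and makes three assumptions the page does not state: "exceeds" means strictly greater than the threshold, a combined IN+OUT pattern is measured against twice the interface speed (full-duplex capacity), and the breach history is cleared once an alert fires so one run of breaches produces one alert. The per-minute byte counters are constructed for illustration.

```python
from collections import deque


def utilization_percent(bytes_in, bytes_out, speed_bps, pattern):
    """Per-minute utilization of an interface as a percentage of its speed.
    pattern is "in", "out" or "both". Assumption (not on the page): "both"
    is measured against 2 x speed, i.e. full-duplex capacity."""
    if pattern == "in":
        bits, capacity = bytes_in * 8, speed_bps
    elif pattern == "out":
        bits, capacity = bytes_out * 8, speed_bps
    elif pattern == "both":
        bits, capacity = (bytes_in + bytes_out) * 8, 2 * speed_bps
    else:
        raise ValueError(f"unknown traffic pattern {pattern!r}")
    return bits * 100.0 / (60 * capacity)   # bits per minute -> share of bits per second


def evaluate_alert_profile(samples, threshold_pct, times, duration_min):
    """samples: time-ordered (minute, utilization_percent) pairs.
    Raises an alert when utilization exceeds threshold_pct at least `times`
    times within any window of duration_min minutes.
    Returns the minutes at which alerts were raised."""
    breaches = deque()
    alerts = []
    for minute, util in samples:
        if util <= threshold_pct:
            continue
        breaches.append(minute)
        # forget breaches that have fallen out of the duration window
        while minute - breaches[0] >= duration_min:
            breaches.popleft()
        if len(breaches) >= times:
            alerts.append(minute)
            breaches.clear()   # assumption: one alert per run of breaches
    return alerts


# Constructed counters (minute, bytes_in, bytes_out) for a 100 Mbps link;
# 7,500,000 bytes per minute is 1 % of that link, so 637,500,000 is 85 %.
LINK_SPEED_BPS = 100_000_000
SAMPLE_COUNTERS = [
    (0, 375_000_000, 0), (1, 637_500_000, 0), (2, 450_000_000, 0),
    (3, 525_000_000, 0), (4, 675_000_000, 0), (5, 300_000_000, 0),
    (6, 712_500_000, 0), (7, 225_000_000, 0), (8, 637_500_000, 0),
    (9, 150_000_000, 0), (10, 637_500_000, 0), (11, 637_500_000, 0),
    (12, 225_000_000, 0),
]


def run_sample(threshold_pct, times, duration_min, pattern="in"):
    """Evaluate one alert profile against the constructed counters."""
    samples = [(m, utilization_percent(bi, bo, LINK_SPEED_BPS, pattern))
               for m, bi, bo in SAMPLE_COUNTERS]
    return evaluate_alert_profile(samples, threshold_pct, times, duration_min)


if __name__ == "__main__":
    # Same breaches (minutes 1, 4, 6, 8, 10, 11 above 80 %), different windows:
    print("3 times in 5 minutes ->", run_sample(80, 3, 5))    # [8]
    print("3 times in 10 minutes ->", run_sample(80, 3, 10))  # [6, 11]
```

The two runs show why the duration matters: with the same six breaches, a 5-minute window fires once (minutes 4, 6 and 8) while a 10-minute window fires twice.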
315. rived problems is satisfied.

ICMP Response Inflood (DoS/Flash Crowd): 1. ICMP Responses from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

ICMP Response Outflood (DoS/Flash Crowd): 1. ICMP Responses from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Responses from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.

ICMP Response Host Scan (Scans/Probes): 1. ICMP Responses from single/multiple source hosts to multiple destination hosts on a single destination port, exceeding Minimum Horizontal Span at the destination end. 2. ICMP Responses from single/multiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

ICMP Response Host Scan Reverse (Scans/Probes): 1. ICMP Responses from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. ICMP Responses from multiple source hosts to single/multipl
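The detection tables on this and the preceding pages (Short TCP Fin_Ack and Syn_Rst, UDP Echo Request/Response and Chargen, ICMP Datagram Conversion Error, ICMP Response, and their DoS/Flash Crowd and Scans/Probes variants) all apply the same handful of measures to probe-like flows grouped by source or destination. The classifier below is an added example of that scheme; it is not the product's code. The page gives the names of the measures (Horizontal Span, Vertical Span, Diagonal Span, Occupancy, Aspect Ratio, Convergence, Flux Rate) and the Fin_Ack flag/byte criteria, but not the formulas, the thresholds, or the order in which problems are tested, so those are assumptions chosen for illustration, as is the naming simplification that a flood with many sources is "Attack" and one without is "Inflood". Only two probe families are recognized; the flow records are constructed, not captured.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16
# Flag values the table lists as opened-and-closed sessions:
# 19 = ACK|SYN|FIN (ASF), 22 = ACK|RST|SYN (ARS), 23 = ACK|RST|SYN|FIN (ARSF)
SHORT_FIN_ACK_FLAGS = {ACK | SYN | FIN, ACK | RST | SYN, ACK | RST | SYN | FIN}

# Thresholds are assumptions for illustration; the product's defaults are not on the page.
MIN_HORIZONTAL_SPAN = 10   # distinct destination hosts reached by one source
MIN_VERTICAL_SPAN = 10     # distinct destination ports probed by one source
MIN_DIAGONAL_SPAN = 10     # hosts == ports == endpoints, i.e. one distinct port per host
MIN_OCCUPANCY = 0.5        # flows / (hosts * ports): how densely the host x port grid is filled
MIN_ASPECT_RATIO = 4.0     # hosts / ports (or ports / hosts) for scans over "fewer" ports/hosts
MIN_CONVERGENCE = 10       # distinct sources hitting one destination
MIN_FLUX_RATE = 50.0       # flows per second into the destination
UPPER_LIMIT = 10           # probe-flow count at which "Excess ... Packets" is reported


def probe_type(flow):
    """Probe family of a flow record, or None for ordinary traffic."""
    if flow["proto"] == 6:
        bpp = flow["bytes"] / flow["packets"]          # BytePerPacket; 40..44 = nominal payload
        if 40 <= bpp <= 44 and flow["flags"] in SHORT_FIN_ACK_FLAGS:
            return "Short TCP Fin_Ack"
    elif flow["proto"] == 17 and flow["sport"] == 7:    # UDP echo responses come from port 7
        return "UDP Echo Response"
    return None


def scan_class(flows):
    """Scan/probe heuristics at the destination end for the flows of one source host."""
    hosts = {f["dst"] for f in flows}
    ports = {f["dport"] for f in flows}
    endpoints = {(f["dst"], f["dport"]) for f in flows}
    h, v = len(hosts), len(ports)
    occupancy = len(flows) / (h * v)
    if h == v == len(endpoints) and h >= MIN_DIAGONAL_SPAN:
        return "Diagonal Scan"
    if h >= MIN_HORIZONTAL_SPAN and (v == 1 or (occupancy >= MIN_OCCUPANCY and h / v >= MIN_ASPECT_RATIO)):
        return "Host Scan"
    if v >= MIN_VERTICAL_SPAN and (h == 1 or (occupancy >= MIN_OCCUPANCY and v / h >= MIN_ASPECT_RATIO)):
        return "Port Scan"
    if (h >= MIN_HORIZONTAL_SPAN or v >= MIN_VERTICAL_SPAN) and occupancy >= MIN_OCCUPANCY:
        return "Grid Scan"
    return None


def dos_class(flows, window_seconds):
    """Flood heuristics at the destination end for the flows into one destination host."""
    if len(flows) / window_seconds < MIN_FLUX_RATE:
        return None
    sources = {f["src"] for f in flows}
    return "Attack" if len(sources) >= MIN_CONVERGENCE else "Inflood"


def analyze(flows, window_seconds):
    """Return {problem name: {"class": ..., "hosts": [...]}} for one observation window."""
    by_family = defaultdict(list)
    for f in flows:
        kind = probe_type(f)
        if kind:
            by_family[kind].append(f)
    findings = {}
    for kind, fam in by_family.items():
        by_src, by_dst = defaultdict(list), defaultdict(list)
        for f in fam:
            by_src[f["src"]].append(f)
            by_dst[f["dst"]].append(f)
        derived = False
        for src, fl in by_src.items():
            scan = scan_class(fl)
            if scan:
                derived = True
                findings.setdefault(f"{kind} {scan}", {"class": "Scans/Probes", "hosts": []})["hosts"].append(src)
        for dst, fl in by_dst.items():
            dos = dos_class(fl, window_seconds)
            if dos:
                derived = True
                findings.setdefault(f"{kind} {dos}", {"class": "DoS/Flash Crowd", "hosts": []})["hosts"].append(dst)
        # The raw count is reported only when no derived problem explains it.
        if not derived and len(fam) >= UPPER_LIMIT:
            findings[f"Excess {kind} Packets"] = {"class": "Suspect Flows", "hosts": []}
    for finding in findings.values():
        finding["hosts"].sort()
    return findings


def sample_flows():
    """Constructed flow records, not captured data: one host scan, one echo flood, one normal session."""
    flows = []
    for i in range(1, 16):   # 10.0.0.5 touches port 80 on 15 hosts with 40-byte SYN/ACK/FIN flows
        flows.append({"src": "10.0.0.5", "dst": f"10.0.1.{i}", "sport": 40000 + i, "dport": 80,
                      "proto": 6, "flags": 19, "packets": 3, "bytes": 120})
    for i in range(1, 13):   # 12 hosts each send 5 UDP echo responses at 10.0.2.9
        for j in range(5):
            flows.append({"src": f"192.0.2.{i}", "dst": "10.0.2.9", "sport": 7, "dport": 1024 + j,
                          "proto": 17, "flags": 0, "packets": 1, "bytes": 64})
    flows.append({"src": "10.0.0.7", "dst": "10.0.1.1", "sport": 50000, "dport": 443,   # full payload
                  "proto": 6, "flags": 27, "packets": 40, "bytes": 30000})
    return flows


if __name__ == "__main__":
    for name, info in analyze(sample_flows(), window_seconds=1).items():
        print(f"{name} [{info['class']}]: {', '.join(info['hosts'])}")
```

On the constructed sample with a 1-second window, the 15 one-port flows from 10.0.0.5 become "Short TCP Fin_Ack Host Scan", the 60 echo responses from 12 sources into 10.0.2.9 become "UDP Echo Response Attack", and the full-payload HTTPS session is ignored. The same ten Fin_Ack flows between a single pair of hosts trip no span or flux rule and are therefore reported only as "Excess Short TCP Fin_Ack Packets", which is the fall-through the tables describe.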
316. rized based on the source address, destination address, source port, destination port and protocol values in the flow record. The smaller of the two ports (source port, destination port), together with the protocol, is matched against the port/protocol entries in the application mapping list. If no match is found, the bigger of the two ports, together with the protocol, is matched against the port/protocol entries. If no match is found, the smaller of the two ports, together with the protocol, is matched against the port-range/protocol entries. If no match is found, the bigger of the two ports, together with the protocol, is matched against the port-range/protocol entries. If still no match is found, the application is categorized as <protocol>_App, as in TCP_App or UDP_App. If the protocol itself is not available in the application mapping list, the application is categorized as Unknown_App.

The sequence in which the mappings are checked is as follows:
1. Application mappings with a specific IP address, IP range or IP network are matched first.
2. Application mappings with no IP address and a single port number or port range are matched next.

Application Groups

Application groups allow you to define your own class of applications by including one or more applications. For example, you might want to classify all your da
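The lookup order just described, as an added example that is not NetFlow Analyzer's own code. The mapping entries and flow records are constructed for illustration, and the IP scope of a mapping is represented as a network in CIDR form (a single address being a /32); the precedence rules themselves are the ones stated above.

```python
import ipaddress

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed mapping list (not the product's defaults). Each entry names an
# application for a protocol and either a single "port" or a (low, high) port
# "range"; an optional "net" scopes the entry to flows touching that network.
MAPPINGS = [
    {"name": "Intranet_Web", "proto": 6, "port": 8080, "net": "10.1.0.0/16"},
    {"name": "HTTP", "proto": 6, "port": 80},
    {"name": "HTTPS", "proto": 6, "port": 443},
    {"name": "DNS", "proto": 17, "port": 53},
    {"name": "Ephemeral_RPC", "proto": 6, "range": (49152, 65535)},
    {"name": "Custom_Sensor", "proto": 17, "range": (5000, 5100)},
]


def in_scope(entry, flow):
    """An IP-scoped entry applies when either end of the flow lies in its network."""
    net = ipaddress.ip_network(entry["net"])
    return any(ipaddress.ip_address(a) in net for a in (flow["src"], flow["dst"]))


def port_match(entries, proto, port, use_range):
    """First entry whose protocol matches and whose port (or port range) covers `port`."""
    for e in entries:
        if e["proto"] != proto:
            continue
        if use_range:
            if "range" in e and e["range"][0] <= port <= e["range"][1]:
                return e["name"]
        elif e.get("port") == port:
            return e["name"]
    return None


def classify(flow, mappings=MAPPINGS):
    """Application name for a flow record, following the lookup order on the page."""
    proto = flow["proto"]
    smaller, bigger = sorted((flow["sport"], flow["dport"]))
    scoped = [m for m in mappings if "net" in m and in_scope(m, flow)]
    unscoped = [m for m in mappings if "net" not in m]
    for entries in (scoped, unscoped):              # 1. IP-specific mappings first
        for use_range in (False, True):             # single ports before port ranges
            for port in (smaller, bigger):          # smaller port before bigger port
                name = port_match(entries, proto, port, use_range)
                if name:
                    return name
    if proto in PROTO_NAMES:                        # protocol known, port not mapped
        return f"{PROTO_NAMES[proto]}_App"
    return "Unknown_App"                            # protocol not in the mapping list


def flow(src, sport, dst, dport, proto):
    """Minimal constructed flow record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    for f in (flow("10.1.2.3", 443, "10.1.2.4", 8080, 6),        # scoped entry beats HTTPS
              flow("203.0.113.5", 52000, "198.51.100.2", 8080, 6),  # bigger port hits a range
              flow("192.0.2.1", 1111, "192.0.2.2", 2222, 6),       # nothing mapped -> TCP_App
              flow("192.0.2.1", 0, "192.0.2.2", 0, 47)):           # GRE -> Unknown_App
        print(f["src"], f["sport"], "->", f["dst"], f["dport"], "=", classify(f))
```

The second sample flow is the case worth noticing: port 8080 is checked first as the smaller port, finds no unscoped single-port or range entry, and only then does the bigger port 52000 fall into the Ephemeral_RPC range. An application mapped on the wrong side of that ordering is the usual reason a flow shows up under an unexpected name.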
317. Appendix
1. Working with SSL
2. SNMP Trap Forwarding
3. Database Backup
4. Configuration Backup
5. Aggregated Data Backup
6. Geo Locations

Working with SSL

The SSL protocol provides several features that enable secure transmission of web traffic. These features include data encryption, server authentication and message integrity. You can enable secure communication from web clients to the NetFlow Analyzer server using SSL.

The steps provided describe how to enable SSL functionality and generate certificates only. Depending on your network configuration and security needs, you may need to consult outside documentation. For advanced configuration concerns, please refer to the SSL resources at http://www.apache.org and http://www.modssl.org.

Stop the server if it is running and follow the steps below to enable SSL support.

Generating a valid certificate
1. Generate the encryption certificate and name it server.keystore. A self-signed certificate will make browsers warn on every connection and gives clients no way to detect an impersonating server; for production use, obtain the certificate from a CA your clients already trust.
2. Copy the generated server.keystore file to the <NetFlowAnalyzer_Home>/server/default/conf directory.

Disabling HTTP
When you have enabled SSL, HTTP will continue to be enabled on the web server port (default 8090). To disable HTTP, follow the steps below:
1. Edit the server.xml file present in the <NetFlowAnalyzer_Home>/server/default/deploy/jbossweb-tomcat50.sar directory.
2. Comment
318. rom 0 to 6000 msecs.
Latency Threshold: Specify the delay allowed in msecs, again in the range 0 to 6000.
Packet Loss: Specify the number of packets that can be lost in transit.
Notification Profile: Select the required notification profile(s) in order to be notified when any threshold rule is violated.

Viewing Top 10 Call Paths

With VoIP Monitor you can view the top 10 call paths by MOS, Packet Loss, Jitter and Latency. This gives you a quick view so that you can react proactively. To view the top 10 call paths, follow the steps given below:
1. Go to Modules and click on VoIP Monitors.
2. Click on Top 10. The top 10 call paths by MOS, Packet Loss, Jitter and Latency are listed.
3. Click on the required call path to view its snapshot page.

FAQs on VoIP Monitor
1. Why do I need to set the SNMP write community on the source router?
2. Why am I getting the "Source router SNMP write community may be wrong" error message?
3. Why should the SLA Responder be enabled on the destination device?
4. Why are the VoIP metrics shown as zero or "Not available" in NetFlow Analyzer?
5. What are all the VoIP QoS metrics measured by NetFlow Analyzer?
6. How do I choose the codec?
7. How much bandwidth does each monitor occupy?

1. Why do I need to set the SNMP write community on the source router?
Both the SNMP read and write community
319. FAQs on WAN RTT Monitor

1. Why are there no alerts from the device?
You might not have received alerts from the device if the trap host is not configured in the source router. Make sure you configure the routers to send traps to NetFlow Analyzer. Telnet to the router and enter the following command:
snmp-server host <netflowanalyzer-server-IP> traps <host-community-string> rtr
For instance, if the NetFlow Analyzer host IP address is 192.168.18.128 and the community string is private, the command would be:
snmp-server host 192.168.18.128 traps private rtr

2. Why should I give the SNMP write community to the router?
Both the SNMP read and write community strings need to be set on the source router. The write community is used to configure the IP SLA agent on the device, while the read community is used by NetFlow Analyzer to gather performance data from the router. Because the write community grants configuration access to the router, restrict it to the NetFlow Analyzer host with an access list on the snmp-server community line rather than leaving it open to any source.

3. Why am I getting the "Source router SNMP write community may be wrong" error message?
NetFlow Analyzer uses SNMP to gather data from the Cisco IP SLA agent. This error is displayed when a wrong SNMP read/write community string is configured for the source router of the WAN RTT Monitor in NetFlow Analyzer. To configure the correct SNMP write community string in NetFlow Analyzer, go to the snapshot page of the source router and change the SNMP credentials by clicking on the "Click here to change" corres
320. rt for sorting of interfaces based on usage in Dashboard View | Helps in easier viewing of interfaces based on maximum/minimum bandwidth usage and in taking appropriate action.
User management enhanced to provide last login time and current login status for all users | Helps individual users quickly confirm that their login credentials have not been compromised.
Support for configuring alerts on interface groups; user permission can be granted at the interface group level | Interface groups can be used for checking router traffic by combining all the interfaces into a single group. This feature enables granting permission at an interface level while creating a user.
Look and feel changed | The user interface has been changed for a better user experience.
Localization supported | NetFlow Analyzer supports French, German, Chinese and Japanese.

New Features in Release 6.0

Feature | Description
sFlow Support | Support for sFlow data capture and reporting.
Selectable Graph | Option to click and drag on the graph for easier drilldown.
Real Time Reports | Real-time reports with graphs; updates immediately as the data is received.
Link Down alert | Alerting feature enhanced to send an alert when a link goes down or when no flows are received for 15 minutes.
| IN and OUT traffic in bytes and packets for each
321. rver instances are listed in a combo box. Enter the Host Name and Port of the SQL Server from the instances; NetFlow Analyzer will work only with the default instance. Select the authentication type using the Connect Using options. The options are:

a. Windows Authentication: For Windows Authentication, enter the Domain Name, User Name and Password. Ensure that both the NetFlow Analyzer server and the SQL Server are in the same domain and logged in with the same Domain Administrator account.

[Database Setup dialog: Server Type SQL Server; Host Name NETFLOW-TEST5; Port 1433; Available SQL Server Instances NETFLOW-TEST5\MSSQLSERVER 1433; Database netflow; Connect Using: Windows Authentication (selected) / SQL Server Authentication; Domain Name Adventnet; User Name Administrator; Password (masked); Cancel / Test]

b. SQL Server Authentication: For SQL Server Authentication, enter the User Name and Password.

[Database Setup dialog: Server Type SQL Server; Host Name NETFLOW-TEST5; Port 1433; Available SQL Server Instances NETFLOW-TEST5\MSSQLSERVER 1433; Database netflow; Connect Using: Windows Authentication / SQL Server Authentication (selected); User Name; Password]

With either option the product holds a highly privileged database account, so restrict that account to the NetFlow Analyzer host and protect its password accordingly.
322. s expressed as binary numbers:
1000 minimize delay
0100 maximize throughput
0010 maximize reliability
0001 minimize monetary cost
0000 normal service

The values used in the TOS field are referred to as TOS values, and the value of the TOS field of an IP packet is referred to as the requested TOS. The TOS field value 0000 is referred to as the default TOS.

Because this specification redefines TOS values to be integers rather than sets of bits, computing the logical OR of two TOS values is no longer meaningful. For example, it would be a serious error for a router to choose a low-delay path for a packet whose requested TOS was 1110 simply because the router noted that the former "delay bit" was set.

Although the semantics of values other than the five listed above are not defined, they are perfectly legal TOS values, and hosts and routers must not preclude their use in any way. Only the default TOS is in any way special. A host or router need not make any distinction between TOS values. For example, setting the TOS field to 1000 (minimize delay) does not guarantee that the path taken by the datagram will have a delay that the user considers low. The network will attempt to choose the lowest-delay path available, based on its (often imperfect) information about path delay. The network will not discard the datagram simply becaus

(The text above describes the RFC 1349 TOS semantics; the same byte is now interpreted as the DSCP and ECN fields under RFC 2474 and RFC 3168, which is what current devices export.)
323. s alerts when threshold levels are violated. The threshold template is assigned default values in NetFlow Analyzer. To customize the threshold parameters to suit your requirement, do the following:
a. In the WAN RTT Monitor page, select the Settings tab.
b. Select Threshold Template.
c. Configure the upper and lower threshold limits for round trip time, the range being 0 to 60000 milliseconds.
d. Click Save to save the changes.

2.5 Add IP
The Add IP option allows you to manually add an interface to be monitored.
a. In the WAN RTT Monitor page, select the Settings tab.
b. Select Add IP.
c. Select the Source Router from the drop-down list.
d. Select the Source Interface.
e. Specify the IP address of the corresponding interface to be monitored.
f. Click Update to save the changes.

3. Reports in WAN RTT Monitor
After configuring the WAN RTT Monitor, NetFlow Analyzer starts collecting data once every 5 minutes. It generates alerts when the set threshold limits for WAN link availability or latency are violated.
• The recent alerts can be viewed in the WAN Monitor Dashboard's Overview tab. The TimeWise Consolidated Alert for Top RTT widget lists the recent alerts along with the severity status.
• The WAN availability, round trip time history, latency and SLA violation trends for any monitor can be viewed using the All Monitors tab. Click on a
324. s are displayed as Min, Max and Average values for a selected time period.

Application Report
The pie chart displays the traffic associated with each application. This is also calculated on the basis of IN and OUT traffic. The table below displays the application name, the amount of traffic and the percentage of total traffic by each application.

Application Growth Report
The Application Growth Report helps in identifying the usage of a specific application in the network over the selected time period. It gives a graphical view showing the amount of bandwidth used by each application, which helps in prioritizing the applications to suit your enterprise's needs. The table below the report gives both application IN and OUT details and their usage over the selected time period.

Medianet Reporting

What is Cisco Medianet?
Cisco's Medianet is an end-to-end architecture that is capable of analyzing voice, video and data traffic and reporting on loss, latency and jitter, thereby helping you optimize rich-media applications. It enables you to monitor the flow of packets in your network and become aware of any issues that might impact the flow before they start to significantly impact the performance of the application in question. Performance monitoring is especially important for video traffic because high-quality interactive video traffic is highly sensitive to network issues. Even minor issues t
325. s over a specified period to identify how the network performs at different times of a day or over a few days. The VoIP Monitor gathers useful data that helps determine the performance of your VoIP network, equipping you with the information required to perform network performance assessment, troubleshooting and continuous health monitoring.

How it works

[Figure: NetFlow VoIP Monitor. Labels: Any IP device; IP SLAs; IP Network; Source; Responder; Source Router (Cisco IOS 12.3(14) or later); Destination Device (Cisco IOS 12.3(14) or later)]

Adding a New VoIP Monitor

Prerequisites
When you want to test a link from your office to another location, you need a Cisco router with IOS version 12.4 or later at each end.

Steps to set up the monitor
Using NetFlow Analyzer you can now monitor the voice and video quality of a call path. A call path is the WAN link between the router in your main office and the one in the branch office that you want to monitor.
Step 1: Export NetFlow from the router in your LAN to NetFlow Analyzer, and make sure the SNMP read and write communities are configured properly for that router.
Step 2: Enable the SLA responder on the destination device you wish to monitor. The steps are detailed below:
a. Open
326. s rather than milliseconds.
Riverbed |
Enterasys Networks |
Extreme Networks | Does not support input/output interface octets or first and last times.
Foundry Networks |

Configuring Cisco ASA 5500 Series

ASA NetFlow export depends on the version of ASA software running. ASA software version 8.2 supports NetFlow export across all ASA models. The following commands must be included in your global service policy for NetFlow export to function (ASA exports NetFlow Secure Event Logging records per connection event rather than periodic flow samples, which is why the delay and template settings below exist):

config# flow-export destination inside <NetFlow Analyzer server IP address> 9996
config# flow-export template timeout-rate 7
config# flow-export delay flow-create 60
config# logging flow-export-syslogs disable
config# access-list netflow-export extended permit ip any any
config# class-map netflow-export-class
config-cmap# match access-list netflow-export
config# policy-map netflow-export-policy
config-pmap# class netflow-export-class
config-pmap-c# flow-export event-type all destination <NetFlow Analyzer server IP address>
config# service-policy netflow-export-policy global

The destination port (9996 above) must be one of the Listener Ports configured under Server Settings.

Configuring NetFlow Export on an IOS Device

Follow the steps below to configure NetFlow export on a Cisco IOS device. Refer to the Cisco ver
327. s that you can configure from the user interface, namely Server Settings, Advanced Settings, Storage Settings, Mail Server, Proxy Server Settings, Google Map Settings and WAAS Settings.
    Server Settings
    The Server Settings option includes several configuration settings that you can configure from the user interface.
    Option | Value | Requires restart at server | Description
    Listener Port | 9996 | yes | The port on which NetFlow Analyzer listens for NetFlow exports. You need to configure devices to send NetFlow exports to this port. In case you are exporting NetFlow from multiple routers, please configure multiple listener ports. You can specify up to 5 listener ports, each separated by a comma. You will need to restart the NetFlow Analyzer server when you change the listener port.
    Webserver Port | 8080 | yes | The port used to access NetFlow Analyzer from a web browser.
    Record count | 100 | no | This number governs the top N conversations that are retained for every 10 minute interval for each interface. Set it to 100 for maximum visibility into your traffic. The default record count is 100, but the minimum number of records that can be kept in the database for all traffic data is 10. This is also the maximum value that can be selected from the Show box in all traffic reports.
    DNS Settings
    Option | Description
    Resolving DNS Names | DNS
328. s used to specify a match criterion that prevents a packet from being classified as a member of the class. For instance, if the match not qos-group 6 command is issued while you configure the traffic class, QoS group 6 becomes the only QoS group value that is not considered a successful match criterion. All other QoS group values would be successful match criteria.
    Procedure: To create a traffic class containing match criteria, use the class-map command to specify the traffic class name. Then use one or more match commands to specify the appropriate match criteria. Packets matching the criteria you specify are placed in the traffic class. In the following steps a number of match commands are listed. The specific match commands available vary by platform and Cisco IOS release. For the match commands available, see the
    Configuration steps
    Step | Command or Action | Purpose
    Step 1 | Router> enable | Enables privileged EXEC mode.
    Step 2 | Router# configure terminal | Enters global configuration mode.
    Step 3 | Router(config)# class-map [match-all | match-any] class-name | Creates a class to be used with a class map and enters class-map configuration mode. The class map is used for matching packets to the specified class. Note: The match-all keyword specifies that all match criteria must be met. The match
329. sabling on the device. The following is a set of commands issued on a router to disable NBAR on the FastEthernet 0/1 interface:
        router> enable
        Password:
        router# configure terminal
        router-2621(config)# interface FastEthernet 0/1
        router-2621(config-if)# no ip nbar protocol-discovery
        router-2621(config-if)# exit
        router-2621(config)# exit
    Please note that the part in red has to be repeated for each interface individually.
    Disabling from NetFlow Analyzer User Interface
    The steps to disable from the User Interface are:
    1. Under NBAR enabled interfaces: This step allows you to disable NBAR on the interface. Disabling NBAR on the device is done through SNMP and requires you to provide the SNMP write community.
       1. Click on Modify Interfaces.
       2. Set SNMP Read Community, SNMP Write Community & the Port, in case it is not already set.
       3. Select the interfaces on which you want to disable NBAR and click on Disable NBAR.
       4. If NBAR is disabled on the interface, then the status will be displayed as Disabled against each of the selected interfaces. If NBAR cannot be disabled on the interface, then the status will be displayed in red as Unknown or Enabled.
    Polling
    What is Polling? The process of sending the SNMP request periodically to the device to retrieve information (Traffic usage / Interface Statistics in this case) is termed polling. A low polling interval of, say, 5 minutes gives you granular reports but may place an increased
330. se reports by clicking on any of the devices in the WAE device list. The WAE reports page gives you detailed statistics of every device associated with a specific Central Manager. This report details:
    Application Reduction: The amount of compression each mapped application has gone through. By clicking on the application name you can view reports indicating bandwidth reduction by location, bandwidth optimization trend and pass-through summary trend of the specific application.
    Bandwidth Reduction by Location: This details the WAN/LAN and amount of traffic compression for each application, along with the increase in bandwidth capacity due to compression.
    Pass Through Summary Trend: Denotes the unoptimized traffic that passes through the WAE. You can view the graph based on peer traffic, intermediate traffic, overload traffic and policy applied.
    WAE Device Connection Statistics: Lists the conversations that passed through the selected WAE device and their corresponding statistics. Using this you can view the source/destination of the conversation, their respective ports, type of policy applied and the duration of each conversation. You can also view the type of policy applied, the initial amount of traffic and compressed traffic in bytes, along with the compression ratio.
    Video
    About IP SLA Video Operations: With video traffic becoming all pervas
331. security. ASAM is available as an add-on module for NetFlow Analyzer and requires a license to run. Since NetFlow packets are exported directly from NetFlow Analyzer, there is no configuration required on the module.
    1. Getting Started
    You can access the Advanced Security Analytics Module in three different ways:
    - Click Security Dashboards in the Security Events section found on the left hand side of the UI.
    - Click the Security Analytics tab in the NetFlow Analyzer dashboard.
    - Click Modules and select Security Analytics.
    [Figure: Security Analytics dashboard. Tabs: Dashboards, Interface View, Autonomous System View, WAAS Reports, Problem Glossary; views: Security Posture, Offenders & Targets, Problem Analysis, Resource Analysis. Top Classes chart of Scans/Probes problem events (TCP Ack Port Scan, ICMP Network Unreachable Host, TCP Xmas Port Scan, TCP Rst Port Scan, TCP Urg Port Scan, TCP Urg Port Scan Reverse, TCP Fin Port Scan, TCP Rst Port Scan Reverse, TCP Syn Fin Port Scan Reverse, Short TCP Handshake Port Scan, Others) with a time distribution of Events, Resources and Problems from 11:30 to 17:00.]
    Advanced Securit
332. sed prec-based Detection (WRED) or distributed WRED (DWRED).
    Step 11 | Router(config-pmap-c)# set atm-clp | (Optional) Sets the cell loss priority (CLP) bit when a policy map is configured.
    Step 12 | Router(config-pmap-c)# set cos {cos-value | from-field [table table-map-name]} | (Optional) Sets the Layer 2 class of service (CoS) value of an outgoing packet.
    Step 13 | Router(config-pmap-c)# set discard-class value | (Optional) Marks a packet with a discard-class value.
    Step 14 | Router(config-pmap-c)# set ip dscp {dscp-value | from-field [table table-map-name]} | (Optional) Marks a packet by setting the differentiated services code point (DSCP) value in the type of service (ToS) byte.
    Step 15 | Router(config-pmap-c)# set fr-de | (Optional) Changes the discard eligible (DE) bit setting in the address field of a Frame Relay frame to 1 for all traffic leaving an interface.
    Step 16 | Router(config-pmap-c)# set precedence {precedence-value | from-field [table table-map-name]} | (Optional) Sets the precedence value in the packet header.
    Step 17 | Router(config-pmap-c)# set mpls experimental value | (Optional) Designates the value to which the MPLS bits are set if the packets match the specified policy map.
    Step 18 | Router(config-pmap-c)# set qos-group {group-id | from-field [table table-map-name]} | (Optional) Sets a QoS group identifier (ID) that can be used later to classify packets.
    Step 19 | Router(config-pmap-c)# service-policy | (Optional) Speci
333. sing the flow monitor inline option and specifying which flow record and flow exporter are included.
    Summary Steps:
    1. enable
    2. configure terminal
    3. policy-map type performance-monitor policy-name
    4. class {class-name | class-default}
    5. flow monitor monitor-name
    6. monitor metric ip-cbr
    7. rate layer3 {byte-rate {bps | kbps | mbps | gbps} | packet}
    8. exit
    9. monitor metric rtp
    10. clock-rate {type-number | type-name | default} rate
    11. max-dropout number
    12. max-reorder number
    13. min-sequential number
    14. ssrc maximum number
    15. exit
    16. monitor parameters
    17. flows number
    18. interval duration number
    19. history number
    20. timeout number
    21. exit
    22. react ID {media-stop | mrv | rtp-jitter-average | transport-packets-lost-rate}
    23. action {snmp | syslog}
    24. alarm severity {alert | critical | emergency | error | info}
    25. alarm type {discrete | grouped {count number | percent number}}
    26. threshold value {ge number | gt number | le number | lt number | range rng-start rng-end}
    27. description description
    28. end
    Applying a Cisco Performance Monitor Policy to an Interface Using an Existing Flow Policy
    Before it can be activated, a Cisco Performance Monitor policy must be applied to at least one interface. To activate a Cisco Performance Monitor policy, perform the following required task.
    Summary Steps:
    1. enable
    2. configure terminal
    3. interface type number
    4. service-policy type performance-monitor input
334. sion Matrix for information on Cisco platforms and IOS versions supporting NetFlow.
    Enabling NetFlow Export
    Enter global configuration mode on the router or MSFC and issue the following commands for each interface on which you want to enable NetFlow:
        interface <interface> <interface_number>
        ip route-cache flow
        bandwidth <kbps>
        exit
    In some recent IOS releases, Cisco Express Forwarding has to be enabled. Issue the command ip cef in global configuration mode on the router or MSFC for this.
    This enables NetFlow on the specified interface alone. Remember that on a Cisco IOS device, NetFlow is enabled on a per-interface basis. The bandwidth command is optional and is used to set the speed of the interface in kilobits per second. The interface speed or link speed value is used later to calculate percentage utilization values in traffic graphs.
    Exporting NetFlow Data
    Issue the following commands to export NetFlow data to the server on which NetFlow Analyzer is running.
    Command | Purpose
    ip flow-export destination <hostname | ip_address> 9996 | Exports the NetFlow cache entries to the specified IP address. Use the IP address of the NetFlow Analyzer server and the configured NetFlow listener port. The default port is 9996.
    ip flow-export source interface <interface_ | Sets the source IP address of the NetFlow exports sent by the device to the specified IP address. NetFlow Analyzer will make SNMP requests of
335. sively. You can choose from three types of users in NetFlow Analyzer: Administrator, Operator and Guest. You can create any number of users of each type and assign them to any number of device groups and IP groups. The administrative privileges for each user are described below.
    Privileges (granted per role: Administrator, Operator, Guest):
    - View all available devices and IP groups
    - Create, modify or delete device groups or IP groups
    - Modify Runtime Administration properties
    - Change other users' passwords
    - Manage licensed interfaces
    - Apply different licenses
    - Create other Administrator users
    - Create other Operator users
    - Create other Guest users
    - Add, modify or delete Alerts
    - Enabling and Disabling Alerts
    - Add, modify or delete applications
    - Change device settings
    - View traffic reports
    - View custom reports
    - Assigned to one or more device groups or IP groups
    - Scheduling of Reports
    - NBAR Configuration
    - Viewing NBAR Reports
    * only within the assigned group
    It is not possible to delete a Link Down Alert. A Link Down alert can be enabled or disabled only by an Administrator.
    Adding a New User
    On the User Management page, click the Add button to add a new user. Fill in the following fields and click the Add User button to create this user.
    Field | Description
    User Name | Enter the
336. source end. 2. ICMP Protocol Unreachable flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end. Class: Scans/Probes.
    ICMP Redirects (Class: Suspect Flows): ICMP Redirect flows with Dst Port value IN (1280 Redirect for Network, 1281 Redirect for Host, 1282 Redirect for ToS and Network, 1283 Redirect for ToS and Host) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied.
    ICMP Redirect Inflood (Class: DoS/Flash Crowd): 1. ICMP Redirect flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.
    ICMP Redirect Outflood (Class: DoS/Flash Crowd): 1. ICMP Redirect flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Redirect flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.
    ICMP Redirect Host Scan: 1. ICMP Redirect flows fr
337. ssion. The session configuration in NetFlow Analyzer allows you to link the profiles and sessions using the web interface. In order to configure a session, do the following:
    1. Navigate to Medianet > Settings > Add Sessions.
    2. Specify the session name you want to create.
    3. Select the IP address of the router you have configured as the Initiator.
    4. Select the parameter you have configured from the drop-down list.
    5. Select the path you have configured from the drop-down list.
    6. Select the Flow you have configured from the drop-down list.
    7. Click save session to save the session created.
    6. Starting a Mediatrace Session
    The start session configuration allows you to schedule a mediatrace session to begin when you want to start collecting the data. The session performs according to the profiles it is associated with. If the Cisco Mediatrace session is designed to collect performance monitoring metrics, it goes out to enable the Performance Monitor when the session begins. NetFlow Analyzer allows you to start a session using the web interface. In order to start a session, do the following:
    1. Navigate to Medianet > Settings > Add Sessions > start session.
    2. Select the router IP you have configured as the initiator.
    3. Select the session name.
    4. Mention the start time of the session, i.e. the time when you want the session to begin.
    5. Mention the Life of the se
338. ssion, i.e. the time duration you want the created session to be active.
    6. Click start session to start the data collection.
    Medianet Reports
    Medianet Metrics: This section lets you view reports on Medianet metrics. The data is presented as easy to understand charts and graphs. The reports are generated individually for each of the sessions selected. The reports are generated based on the metrics each session is associated with. The broad categories of metrics are given below:
    - Common Metrics for Each Responder
    - System Metrics: TCP Profile
    - System Metrics: RTP Profile
    - System Metrics: INTF Profile
    - System Metrics: CPU Profile
    - System Metrics: MEMORY Profile
    Metrics for Mediatrace Request Summary from Initiator: Number of Hops Responded; Number of Hops with Valid Data; Number of Hops with Error; Number of hops with no data record; Last Route Change Timestamp.
    Common Metrics for Each Responder: Metrics Collection Status; Reachability address; Ingress Interface; Egress Interface; Hostname; Mediatrace Hop Count.
    Perf Monitor Metrics (TCP Profile): IP Packet Drop Count; IP Byte Count; IP Packet Count; Media Byte Count; TCP Connect Round Trip Delay; TCP Lost Event Count.
    Perf Monitor Metrics (RTP Profile): IP Packet Drop Count; IP Byte Count; IP Packet Count; Media Byte Count; Media Packet Count; RTP Interarrival Jitter Average; RTP Packets Lost
339. st people worldwide, we are offering support for IPv6 format only at raw data level. The raw data collected for top ten applications, source and destination for the past two hours can be viewed in IPv6 format. You can also view the raw data of Troubleshoot Reports in IPv6 format.
    Top Hosts
    The Source tab shows the top source hosts contributing to traffic in the selected time period. The default view shows the Top Source IN Report. The Destination tab shows the top destination hosts contributing to traffic in the selected time period. The default view shows the Top Destination IN Report. Choose between IN and OUT to display the top hosts in incoming or outgoing traffic.
    Note: When you drill down from an IP group, traffic is unidirectional and hence the IN and OUT options are not available.
    The Time Period box lets you choose between the options available in the drop-down as per your requirement. The From and To boxes let you choose custom time periods for the graphs. Use the icon to select the date and time easily. The time period for these graphs is based on the current system time. Once you select the desired date and time, click the Show button to display the appropriate source or destination traffic report. The default report view shows the IP addresses of the hosts. Click the Resolve DNS link to see the corresponding DNS values. Click the Show
340. string needs to be set on the source router. The write community is used to configure the IP SLA on the device, while the read community is used by NetFlow Analyzer to gather performance data from the router.
    2. Why am I getting the "Source router SNMP write community may be wrong" error message? NetFlow Analyzer uses SNMP to gather data from the Cisco IP SLA agent. This error is displayed when a wrong SNMP read/write community string is configured for the Source router of the VoIP Monitor in NetFlow Analyzer. To configure the correct SNMP write community string in NetFlow Analyzer, go to the snapshot page of the source router and change the SNMP credentials by clicking on the "Click here to change" link corresponding to the Passwords field. In the pop-up, enter the appropriate credentials and submit it. After successfully submitting the correct SNMP credentials, try to add the VoIP Monitor again for the Source device (Modules > VoIP Monitor > Settings).
    3. Why should the SLA Responder be enabled on the destination device? Enabling the IP SLAs Responder provides the details of packet loss statistics on the device sending IP SLAs operations. The IP SLAs Responder is enabled on the target router (rtr responder) before configuring a Jitter operation.
    4. Why are the VoIP metrics shown as zero or Not available in NetFlow Analyzer? You will see zero or not available values when data is not collected for the monitored metrics. This can be either
341. t IN (3072 IP Header Bad, 3073 Required Option Missing, 3074 Bad Length) touching or exceeding the Upper Limit, and none of the following derived problems gets satisfied. Generally indicates some local or remote implementation error, i.e. invalid datagrams. Class: Suspect Flows.
    ICMP Parameter Problem Inflood (Class: DoS/Flash Crowd): 1. ICMP Parameter Problem flows from multiple source hosts to fewer destination hosts exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Parameter Problem flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end.
    ICMP Parameter Problem Outflood (Class: DoS/Flash Crowd): 1. ICMP Parameter Problem flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Parameter Problem flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.
    ICMP Parameter Problem Host Scan (Class: Scans/Probes): 1. ICMP Parameter Problem flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. ICMP Parameter Problem flows from single/multiple sourc
342. t. Why is that?
    NBAR
    1. Which features are not supported by NBAR?
    2. Any restrictions on where we can configure NBAR?
    3. What does NBAR performance depend on?
    4. Is performance dependent on the number of interfaces that NBAR is enabled on? Does the link speed of the interface(s) that NBAR is enabled
    5. I am able to issue the command ip nbar protocol-discovery on the router and see the results, but NFA says my router does not support NBAR. Why?
    6. How do I verify whether my router supports CISCO-NBAR-PROTOCOL-DISCOVERY-MIB?
    V9
    1. What is NetFlow Version 9?
    2. What is the memory impact on the router?
    3. "Receiving non V5/V7/V9 packets from the following devices. Click here for further details." What does this mean?
    4. Is version 9 backward compatible?
    5. What is the performance impact of V9?
    6. What are the restrictions for V9?
    7. How do I configure NetFlow Version 9?
    Technical Information
    - How is traffic information stored in the NetFlow Analyzer database?
    - How do I reset the admin password?
    - How are ports assigned as applications in NetFlow Analyzer?
    - Do I have to reinstall NetFlow Analyzer when moving to the fully paid version?
    - How many users can access the application simultaneously?
    - NetFlow Analyzer logs out after a period of inactivity. How do I avoid that?
    - How to create the DBInfo log file?
    - Why the inter
343. t as 16384. You can specify a port in the range 16384-32766.
    Simulated VoIP Codec: The VoIP jitter codec decides the type of traffic that VoIP Monitor simulates over your network.
    Operation Frequency: The operation frequency is the frequency with which QoS metrics are collected by the IP SLA agent on your network to determine performance.
    Operation Timeout: The operation timeout is the time to wait for the response from the responder (destination device), in msecs.
    Type of Service: The Type of Service octet allows you to set precedence levels for VoIP traffic of the IP SLA operations.
    MOS Advantage Factor: The advantage factor is a measure, on a scale of 0 to 20, of the willingness of your VoIP network users to trade call quality for convenience.
    Defining Thresholds for the monitored parameters
    You can define a threshold template so that the VoIP performance parameters can better suit your company's SLAs (Service Level Agreements). Alerts are triggered based on the thresholds configured so that you can take corrective actions in time. Here are the steps to define a threshold template:
    1. Go to Modules and click VoIP Monitors.
    2. Go to Settings > Threshold Template.
    3. Configure the following values:
       MOS Threshold: Configure the MOS threshold by specifying the upper and lower MOS range values, in the range of 1 to 5.
       Jitter Threshold: Configure the jitter threshold in msecs with upper and lower threshold limits. The range is f
344. tFlow Analyzer generates traffic graphs as soon as NetFlow data is received. The Traffic tab shows real-time traffic graphs for incoming and outgoing traffic. Depending on which link was clicked, you can see traffic graphs for an interface or IP group. The Traffic reports are displayed based on Volume of traffic, Speed, Bandwidth utilization and number of packets received/sent by a specific resource. The graph and the data points can be viewed as 1, 5 or 15 minute averages by selecting from the top right.
    The Traffic IN Details and the Traffic OUT Details show sampled values of traffic generated over the selected time period. The Packets tab shows the number of actual packets of traffic data received. This information is included in exported NetFlow data.
    Time Filters
    The default graph is for the Last Day. You can choose to see hour-based data in the traffic graphs for daily and weekly reports. To do this, first select the Last Day Report or Last Week Report option in the top time selection bar. When the respective traffic graph is displayed, the table below the graph includes the icon next to the Category label. Click the icon to specify the hourly time interval for which you want to see traffic graphs. Click the Show button to set the filter and see hour-based values in the traffic graph as well as t
345. tabase applications like Oracle, MySQL and MS SQL into one group called the DataBase group. Initially, when no application groups have been created, a message to that effect is displayed. The Application Group report can be viewed on the Application tab for each interface.
    Adding an Application Group
    Follow the steps below to add a new application group:
    1. Click the Add button to proceed to the Add Group screen.
    2. Enter the Group Name and the Group Description (e.g. DataBase Group: Contains the Oracle DB and MySQL DB).
    3. Choose the applications from the list of applications in the left pane:
       - Select an application by clicking on it.
       - Use the >> button to include the selected application in the right pane (Selected Applications list).
       - Add as many applications as you want to this group.
    4. Click on Update for the application group to be created with the list of applications you had selected.
    You may create additional Application Groups by clicking on the Add button and following the above steps.
    Modifying an Application Group
    Select the Application Group you wish to modify and click on the Modify button. You can only change the Application Group description and the list of selected applications. It is not possible to change the application group name. Once you are done, click the Save button to save your changes.
    Deleting an Application Group
    Select the application group you want to delete and click on the Delete button.
346. tance of MySQL.
    Changing the Default MySQL Port
    1. Edit the mysql-ds.xml file present in the <NetFlowAnalyzer_Home>/server/default/deploy directory.
    2. Change the port number in the following line to the desired port number:
       <connection-url>jdbc:mysql://localhost:13310/netflow</connection-url>
    3. Save the file and restart the server.
    Installing and Uninstalling
    NetFlow Analyzer is available for Windows and Linux platforms. For information on supported versions and other specifications, look up System Requirements.
    Installing NetFlow Analyzer
    Windows: The Windows download for NetFlow Analyzer is available as an EXE file at http://www.netflowanalyzer.com/download.html. Download the EXE file to your local machine and double-click it to start installation. Follow the instructions as they appear on screen to successfully install NetFlow Analyzer on to your machine.
    Linux: The Linux download for NetFlow Analyzer is available as a BIN file at http://www.netflowanalyzer.com/download.html.
    1. Download the BIN file and assign execute permission using the command chmod a+x <file_name>.bin, where <file_name> is the name of the downloaded BIN file.
    2. Execute the following command: ./<file_name>.bin
    During installation, if you get an error message stating that the temp folder does not have enough space, try executi
347. te at the destination end. 2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the destination end. Class: DoS/Flash Crowd.
    Short TCP Fin_Ack Outflood (Class: DoS/Flash Crowd): 1. Short TCP Fin_Ack flows from fewer source hosts to multiple destination hosts exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Fin_Ack flows from single/multiple source hosts to single/multiple destination hosts exceeding Minimum Flux Rate at the source end.
    Short TCP Fin_Ack Port Scan (Class: Scans/Probes): 1. Short TCP Fin_Ack flows from single/multiple source hosts to a single destination host on multiple destination ports exceeding Minimum Vertical Span at the destination end. 2. Short TCP Fin_Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.
    Short TCP Fin_Ack Host Scan: 1. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port exceeding Minimum Horizontal Span at the destination end. 2. Short TCP Fin_Ack flows from single/multiple source hosts to multiple destination hosts on fewer destination ports exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination e
    Short TCP Fin_Ack Diagonal Scan:
348. te you specify in the Bill generation date option. In case you select the billing plan as monthly, the bill will be generated on a monthly basis on the date you specify in the Bill generation date option.
    Bill Generation Date | Enter the date on which you want the bill to be generated, either on a monthly basis or a quarterly basis.
    * optional fields. Other fields are mandatory.
    Associated To | This has the list of routers, interfaces and IP groups. You can select the interfaces and/or the IP groups that are associated with this plan. Note: Once an interface/IP group is added to one bill plan, the specific interface/IP group does not get displayed while creating other bill plans.
    Email ID To Send Reports | Enter the mail ID/IDs to which the generated Bill report needs to be sent. Multiple mail IDs should be separated by comma.
    Example for the 95th Percentile calculation (IN & OUT MERGE):
    inbound: 0.139, 0.653, 0.201, 0.116, 0.084, 0.032, 0.047, 0.185, 0.198, 0.203, 0.276, 0.370, 0.971, 0.233, 0.218, 0.182, 0.169, 0.126, 0.131, 0.157
    outbound: 1.347, 1.435, 1.229, 0.523, 0.438, 0.231, 0.347, 0.689, 0.940, 1.248, 1.385, 1.427, 3.988, 1.265, 1.221, 1.013, 0.992, 0.874, 0.896, 1.002
    Inbound and Outbound merge: 0.139, 0.653, 0.201, 0.116, 0.084, 0.032, 0.047, 0.185, 0.198, 0.203, 0.276, 0.370, 0.971, 0.233, 0.218, 0.182, 0.169, 0.126, 0.131, 0.157, 1.347, 1.435, 1.229, 0.523, 0
349. th other Wide Area Application Engines (WAEs) in your network to optimize TCP traffic over your network. When client and server applications attempt to communicate with each other, the network intercepts and redirects this traffic to the WAEs so that they can act on behalf of the client application and the destination server. The WAEs examine the traffic and use built-in application policies to determine whether to optimize the traffic or allow it to pass through your network unoptimized.
    Configuring WAAS
    The WAAS Module can be configured using the Product Settings option in the Admin tab:
    - Click the Admin tab.
    - Select Product Settings.
    - Select WAAS Settings.
    Now you are ready to configure the WAAS Module.
    WAAS Central Manager
    Cisco WAAS is centrally managed by a function called the Cisco WAAS Central Manager that runs on Cisco WAE appliances. The Cisco WAAS Central Manager can be accessed from a web browser; therefore, managing these devices is possible from anywhere in the world. Access to the Cisco WAAS Central Manager is secured and encrypted with Secure Sockets Layer (SSL), and users can be authenticated through a local database or a third-party authentication service. In NetFlow Analyzer, the WAAS manager can be configured using the WAAS Settings page. In the WAAS Settings, enter the details of the WAAS Central Manager you want to configure. The NetFlow Analyzer WAAS module supports all versions of the WAAS Central Manager.
350. th the respective traffic usage will appear. You can click on the country of your choice from the list and view the top ten bandwidth users in terms of their IP addresses. You can click the Click to update link beside Geo Locations to update the IP locations database. If the IP locations table is up to date, then an "IP Locations Database is already up to date" message will pop up. Else, the database will be updated.
    NOTE: When you click to update for the first time, you might get the following message: "The Geo Location Database file could not be downloaded. Please check whether the proxy settings are correct here. Otherwise, please download the file from here and unzip under the NetFlow Home directory." If so, please check your proxy settings and then download again.
    At the bottom of the page, a chart which shows the traffic usage of different countries will be displayed. Each country would be displayed according to its traffic usage.
351. the NFA server. Whenever the time difference between the NetFlow Analyzer server and the router is above 10 minutes, a warning icon appears on the home page. When this happens, NetFlow Analyzer stamps the flows with the system time of the NetFlow Analyzer server instead of the router's. If you see this, check the following on the router:

1. Check that the time zone, and its offset in hours and minutes, is set properly, e.g. PST -8 00 for PST or EST -5 00 for EST. You can verify this by logging into the router, entering configure terminal and typing show running-config. Set the time zone and offset with
   clock timezone zone hours minutes
   e.g. clock timezone PST -8 00

2. After checking the time zone, check that the correct time is set on the router by logging into the router and typing show clock. Set the clock with
   clock set hh:mm:ss date month year
   e.g. clock set 17:00:00 27 March 2007

A manually set clock drifts again; pointing the router at a time source with ntp server <address> keeps the exporter and the collector in step.

There is no queueing mechanism for heavy periods.

Reporting
1. The graphs are empty. Graphs are empty when no data is available. If you have just installed NetFlow Analyzer, wait at least ten minutes before expecting graphs. If you still see an empty graph, NetFlow Analyzer has received no data; check your router settings in that cas
352. the destination end (hosts, ports, endpoints).

Short TCP Rst_Ack Grid Scan (Scans/Probes): Short TCP Rst_Ack flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.

Short TCP Rst_Ack Port Scan Reverse (Scans/Probes): 1. Short TCP Rst_Ack flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. Short TCP Rst_Ack flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Short TCP Rst_Ack Host Scan Reverse (Scans/Probes): 1. Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Short TCP Rst_Ack flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

Short TCP Rst_Ack Diagonal Scan Reverse (Scans/Probes): Short TCP Rst_Ack
353. the interfaces or IP groups are unmanaged or deleted, a bill is generated for those interfaces or IP groups at that instant. If you modify the cost in the bill plan, the change takes effect from the next billing cycle and NOT at that instant.

Deleting a Bill Plan
Deleting a bill plan deletes all the reports generated by that bill plan.

Reports Generated
Reports can be viewed by clicking the Report tab at the top.
Available plans: You can view all the plans or any one plan by selecting the suitable option from the drop-down box. By default the report page shows only the most recent report of each bill plan. To view all the generated reports for a particular bill plan, select the plan from the drop-down box next to Available plans. The reports are arranged with the most recent report on top.
Show details: Clicking Show details opens a pop-up window with a speed/time graph showing all the bills generated for the particular interface. The report can be generated in PDF format by clicking PDF, and you can view the data at 5-minute intervals by clicking Data points.

NBAR
NBAR Reporting
What is NBAR?
NBAR (Network Based Application Recognition) is an intelligent classification engine in Cisco IOS Software that can recognize a wide variety of applications like Web-based and client/s
354. the interfaces on the router have NBAR enabled on them. Click Check all Status at the top of the window to learn the NBAR support status of all the interfaces under the various routers. At the end of the status check a message is displayed at the bottom of each router's pane. If NBAR has been enabled on the interfaces, the message "Success: NBAR status of the interfaces updated" is displayed. If the Check Status operation did not succeed because of an SNMP error or a request time-out, the message "SNMP Error: NBAR status of the interfaces not updated" is displayed; the status check runs over SNMP, so this usually means the community string, SNMP port or the router's SNMP access list is wrong. NBAR support is also displayed as Yes or Unknown under the router name, as the case may be. In the right pane the status of each interface is shown under NBAR Status; if NBAR is enabled on all interfaces, the status is shown as Enabled against each interface of that router.
4. Select the interfaces you want NBAR enabled on that are not currently enabled.
5. Click Enable NBAR.
6. If NBAR is enabled on the interface, the status is displayed as Enabled against each of the selected interfaces. If NBAR cannot be enabled on the interface, the status is displayed in red as Unknown or Disabled.

How to disable NBAR
Disabling NBAR can be done in two ways:
- Disabling on the device
- Disabling from the NetFlow Analyzer user interface
Di
355. tination end.

Malformed ICMP Host Scan Reverse (Scans/Probes): 1. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. Malformed ICMP flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

ICMP Datagram Conversion Error (Suspect Flows): ICMP Datagram Conversion Error flows, i.e. flows whose Dst Port value equals 7936 (NetFlow encodes the ICMP type and code in the destination port field as type x 256 + code, so 7936 is type 31, code 0: Datagram Conversion Error for valid datagrams), touching or exceeding the Upper Limit where none of the following derived problems is satisfied.

ICMP Datagram Conversion Error Inflood (DoS/Flash Crowd): 1. ICMP Datagram Conversion Error flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

ICMP Datagram Conversion Error Outflood (DoS/Flash Crowd): 1. ICMP Datagram Conversion Error flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. ICMP Datagram Conversion Error flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux
356. tion, an alert is generated. When an alert is generated you can also send an e-mail to one or more people, or send an SNMP trap to a manager application. The Alert Profile Management option lets you create new alert profiles and manage (modify or delete) existing ones. The Alert Profiles page lists all existing alert profiles along with the number of alerts generated for each profile. The application comes with a preconfigured alert that triggers an e-mail when a link goes down or when there are no flows for more than 15 minutes. The columns displayed on the Alert Profiles page are described below.

Name: The name given to the alert profile when it was created. Click the alert profile's name to see more information about it.
Description: Descriptive information entered for this alert profile to help other operators understand why it was created.
Category: The category defines what type of alert an alert profile belongs to. The pre-loaded, pre-configured Link Down alert belongs to the Link Status category; all other alerts created by the user fall under the Utilization category.
Status: Whether an alert profile is currently enabled or disabled. Click the Enabled icon to disable an alert profile; once disabled, alerts are no longer generated for that profile. Click the Disabled icon to enable the alert again. The Link Stat
357. tiple source hosts to multiple destination hosts on fewer destination ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

TCP Null Diagonal Scan (Scans/Probes): TCP Null flows from single/multiple source hosts to multiple destination hosts where the number of distinct destination hosts equals the number of distinct destination ports, which also equals the number of destination end points, exceeding Minimum Diagonal Span at the destination end (hosts, ports, endpoints).

TCP Null Grid Scan (Scans/Probes): TCP Null flows from single/multiple source hosts to multiple destination hosts on multiple destination ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the destination end.

TCP Null Port Scan Reverse (Scans/Probes): 1. TCP Null flows from a single source host to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span at the source end. 2. TCP Null flows from fewer source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

TCP Null Host Scan Reverse (Scans/Probes): 1. TCP Null flows from multiple source hosts to single/multiple destination hos
358. to the Router snapshot page, click the Action tab and select Add VoIP Monitor. Enter the Monitor Name and Destination IP. Click Submit to create the monitor, or click Advanced to go to the Create New VoIP Monitor page and follow steps b to d given under Step 3. To edit any of the configuration details, go to the respective template, make the changes and save them; the updated values take effect when you create a new monitor. When the configuration is complete the router starts collecting data at the specified frequency (60 seconds by default). NetFlow Analyzer updates the collected statistics every hour, and the reports are generated one hour after configuration. Go through the FAQs section to understand the QoS parameters.

Configuring call settings and threshold template
Defining Call Settings
Define a template with the required VoIP settings to be used for monitoring performance. The VoIP template comes with pre-populated default values. If you want to change the values before initiating monitoring, proceed as follows:
1. Go to Modules and click VoIP Monitors.
2. Go to Settings > Call Settings.
3. Configure the following parameters:
Destination Port: Specify the VoIP UDP port to which VoIP Monitor sends simulated traffic to generate performance metrics. The default port number is se
359. ts using a single source port, exceeding Minimum Horizontal Span at the source end. 2. TCP Null flows from multiple source hosts to single/multiple destination hosts using fewer source ports, exceeding Minimum Horizontal Span, Minimum Occupancy and Minimum Aspect Ratio at the source end.

TCP Null Diagonal Scan Reverse (Scans/Probes): TCP Null flows from multiple source hosts to single/multiple destination hosts where the number of distinct source hosts equals the number of distinct source ports, which also equals the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts, ports, endpoints).

TCP Null Grid Scan Reverse (Scans/Probes): TCP Null flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.

TCP Rst Violations (Suspect Flows): TCP flows whose TCP Flags value equals 4 (R, the RST bit alone), touching or exceeding the Upper Limit where none of the following derived problems is satisfied.

TCP Rst Attack (DoS/Flash Crowd): TCP Rst flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

TCP Rst Inflood (DoS/Flash Crowd): TCP Rst flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

TCP Rst Outflood (DoS/Flash Crowd): 1. TCP Rst flows from f
360. ttings are then displayed beside the Filter link. Click the clear icon at any time to clear the filter settings and display all interfaces on the Dashboard again. Clicking Select Period lets you pick from the drop-down the time period for which traffic details are shown; reports corresponding to the chosen period appear in the Dashboard view. The purpose of the icons and buttons in the Router List is explained below.

- Expand icon (or the router name): click to view the interfaces corresponding to the router.
- Collapse icon: click to hide the interfaces corresponding to the router.
- Edit icon (after the router name): click to change the display name of the device, its SNMP community string or its SNMP port. You can also choose to take the Interface Name details from one of three fields, among them IfName and IfAlias.
- Edit icon (before the interface name): click to change the display name of the interface or its link speed in bps. You can also set the SNMP parameters of the router corresponding to an interface by clicking the link in the Note shown below the settings. You can also provide the V9 sampling rate for the particular interface (1 by default), which is taken into account for flow calculation.
- Troubleshoot link: click to troubleshoot an interface. You can troubleshoot only one interface at a time. Note: Troubleshooting results are shown directly
361. uch bandwidth does each monitor occupy? The bandwidth occupied depends on the codec selected; see the table above for reference.

WAN RTT Monitor
Monitoring WAN Round Trip Time using NetFlow Analyzer
The WAN Round Trip Time monitoring feature in NetFlow Analyzer is an add-on module and requires a license to run. The WAN RTT monitor is used to monitor WAN availability, latency and quality of service. Alerts are triggered when the set thresholds are violated, so administrators can attend to the fault without delay. The WAN RTT Monitor uses Cisco IOS IP Service Level Agreements (SLAs) to monitor latency between two locations; therefore one of the two locations monitored with the WAN RTT monitor must have a Cisco router running IOS version 12.4 or later with the IP SLA agent. The IP SLA-enabled location acts as the source, while the destination can be any IP in the other location.

1. Getting Started
The WAN Round Trip Time (RTT) Monitor of NetFlow Analyzer is an add-on tool that monitors latency between two locations. It measures round trip time and helps resolve poor WAN performance. It is also useful for monitoring Quality of Service (QoS) across WAN links provided by your Internet service provider (ISP); alerts are generated when the set threshold limits are violated.
1.1 The WAN Monitor Dashboard
The WAN Monitor Dashboard
362. uee 245
Migrating NetFlow Analyzer from MySQL to MSSQL Database 248
APPENDIX 251
Working with (title unreadable) 252
SNMP Trap Forwarding 254
Database Backup 255
(entry unreadable) 256
(entry unreadable) 257
IP Locations 258

Introduction
ManageEngine NetFlow Analyzer is a web-based bandwidth monitoring tool that performs in-depth traffic analysis using data exported as NetFlow, NetStream, cflowd, J-Flow, sFlow and IPFIX flows. This data provides granular details about the network traffic that has passed through an interface. NetFlow Analyzer processes this information to show you which applications are using bandwidth, who is using them and when. Extensive graphs and reports make this information easy to analyze and also help accelerate troubleshooting. This User Guide helps you install NetFlow Analyzer and get familiar with the user interface. If you cannot find the information you are looking for in this document, let us know at netflowanalyzer-support@manageengine.com.

What's New in this Release
New Features in Release 9.7
IP SLA Video: We now support IP SLA vid
363. umber of distinct source hosts equals the number of distinct source ports, which also equals the number of source end points, exceeding Minimum Diagonal Span at the source end (hosts, ports, endpoints).

Short TCP Syn_Ack Grid Scan Reverse (Scans/Probes): Short TCP Syn_Ack flows from multiple source hosts to single/multiple destination hosts using multiple source ports, exceeding Minimum Vertical Span or Minimum Horizontal Span, and Minimum Occupancy, at the source end.

Excess Empty TCP Packets (Suspect Flows): TCP flows without any payload (i.e. BytePerPacket exactly 40 octets/bytes, a bare IP and TCP header) whose TCP FLAGS value is IN (25, 27, 29, 31), touching or exceeding the Upper Limit where none of the following derived problems is satisfied.

Empty TCP Attack (DoS/Flash Crowd): Empty TCP flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end.

Empty TCP Inflood (DoS/Flash Crowd): Empty TCP flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

Empty TCP Outflood (DoS/Flash Crowd): 1. Empty TCP flows (without any payload, i.e. BytePerPacket exactly 40 octets/bytes) from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Empty TCP flows (text lost in extraction) destination hosts, exceeding Minimum Flux Rate at the source end.

Empty TCP Host Scan (Scans/Probes):
364. unique user name for the user. This name is used to log in to the NetFlow Analyzer web client.
Password / Retype Password: Enter a password for this user. The password must be at least 6 characters long; all characters are allowed. Six characters is only the floor the product enforces, not a recommendation; use longer passwords, especially for Administrator accounts, since an Administrator can reset every other user's password.
Access Level: Select the access level for the user. The access levels offered depend on your own access permissions; for example, if you have logged in as an Administrator, all three access levels are available in the Access Level options box.
Available Groups: Select the device groups to assign to this user and move them to Selected Groups.
Available IP Groups: Select the IP groups to assign to this user and move them to Selected IP Groups.
Click a user name at any time on the User Management page to view the corresponding user name, access level and assigned device groups and IP groups.

Changing User Passwords
Only an Administrator user can reset the password of another user. To assign a new password to a user, click the key icon or the Assign New link, enter a new password, confirm it and click Update for the new password to take effect. If you have logged in as an Admin user you can change your own password in the same way. If you have logged in as an Operator user or a Guest user you
365. ur duration.

Dashboard view
Dashboards can also be created by users with Operator and Guest privileges.
Configuring the dashboard
Users can customize the dashboard to display widgets of their choice. To create a new dashboard view, click Actions at the top right and, in the drop-down, click New dashboard. Fill in the information:
Name: The name of the dashboard view.
Description: Describe this view for easy reference and understanding.
No. of columns: The number of columns to display in this dashboard view (1, 2 or 3). The numbers below it give the width of the page allocated to each column.
Widgets: Select the widgets to display in the dashboard from the list on the right. It consists of the four critical parameters one needs to monitor:
1. Device: Lets the user monitor the top N devices/interfaces by speed, volume and the other listed parameters. N can be either 5 or 10 and is configured in the dashboard view after creating the dashboard.
2. Interface: Lets the user monitor the top N sources, destinations, conversations, applications and more, by IN/OUT, for a particular interface, which is configured in the dashboard view after creating the dashboard.
3. Interface
366. uration mode to verify whether NetFlow export has been configured correctly.

show ip flow export: Shows the current NetFlow export configuration.
show ip cache flow and show ip cache verbose flow: Summarize the active flows and give an indication of how much NetFlow data the device is exporting.

A Sample Device Configuration
The following commands, issued on a router, enable NetFlow version 5 on the FastEthernet 0/1 interface and export it to the machine 192.168.9.101 on UDP port 9996:

router> enable
Password:
router# configure terminal
router-2621(config)# interface FastEthernet 0/1
router-2621(config-if)# ip route-cache flow
router-2621(config-if)# exit
router-2621(config)# ip flow-export destination 192.168.9.101 9996
router-2621(config)# ip flow-export source FastEthernet 0/1
router-2621(config)# ip flow-export version 5
router-2621(config)# ip flow-cache timeout active 1
router-2621(config)# ip flow-cache timeout inactive 15
router-2621(config)# snmp-server ifindex persist
router-2621(config)# exit
router# write
router# show ip flow export
router# show ip cache flow

The active timeout of 1 (minute) makes the router export long-lived flows every minute rather than only when they end; snmp-server ifindex persist keeps ifIndex values stable across reloads so the collector's interface mapping stays valid. Repeat the interface commands to enable NetFlow on each interface. Note that NetFlow data export has to be enabled on all interfaces of a router in order to see accurate IN and OUT traffic. Suppose you have a router with interfaces A and B. Since NetFlow by default is done
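The two checks the guide asks for on the router side (a clock that is within 10 minutes of the collector, and NetFlow enabled on every interface so IN and OUT both get counted) can also be made on the collector side, from the datagrams themselves. The following Python is an added example, not NetFlow Analyzer code: it builds a constructed NetFlow v5 datagram (the 24-byte header and 48-byte record layout are Cisco's published v5 format), parses it, compares the exporter's unix_secs with the collector clock against the 10-minute threshold from the troubleshooting section above, and lists ifIndexes that only ever appear as the output interface, which is the symptom of an interface without its own ip route-cache flow. The 10.x / 192.0.2.x addresses, ifIndex numbers and the 900-second skew are constructed for the demo.

```python
import socket
import struct

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")               # version,count,uptime,unix_secs,nsecs,seq,etype,eid,sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # src,dst,nexthop,input,output,pkts,octets,first,last,
                                                    # sport,dport,pad,tcp_flags,proto,tos,src_as,dst_as,masks,pad
SKEW_LIMIT = 10 * 60   # seconds; the guide's warning threshold is 10 minutes


def build_v5(unix_secs, flows):
    """Constructed exporter datagram for the demo (not a capture).
    `flows` is a list of (src, dst, input_ifindex, output_ifindex, sport, dport)."""
    header = HEADER.pack(5, len(flows), 123456, unix_secs, 0, 1, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                    inp, out, 10, 4000, 120000, 123000, sport, dport,
                    0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for src, dst, inp, out, sport, dport in flows)
    return header + body


def parse_v5(data):
    """Decode a v5 datagram; rejects other versions and truncated packets."""
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input": f[3], "output": f[4], "pkts": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        })
    # The low 14 bits of the last header field carry the sampling interval.
    return {"unix_secs": unix_secs, "sequence": seq,
            "sampling_interval": sampling & 0x3FFF, "records": records}


def clock_skew(parsed, collector_now):
    """Seconds the exporter's clock lags the collector (negative if it runs ahead)."""
    return collector_now - parsed["unix_secs"]


def skew_warning(parsed, collector_now):
    """True when the guide's warning icon would be shown and flows get collector-stamped."""
    return abs(clock_skew(parsed, collector_now)) > SKEW_LIMIT


def interface_coverage(parsed):
    """ifIndexes that exported ingress flows versus those seen only as egress.
    An ifIndex that only ever appears in `output` exported no ingress flows of
    its own, so traffic entering the router there is never reported and the
    IN/OUT figures for that interface are incomplete (a heuristic, per datagram)."""
    ingress = {r["input"] for r in parsed["records"]}
    egress = {r["output"] for r in parsed["records"]}
    return {"ingress": ingress, "egress_only": egress - ingress}


if __name__ == "__main__":
    now = 1_700_000_000                          # stand-in for time.time() on the collector
    pkt = build_v5(now - 900, [("10.1.1.5", "10.2.2.7", 1, 2, 51000, 443),
                               ("10.2.2.7", "10.1.1.5", 2, 1, 443, 51000),
                               ("10.1.1.9", "203.0.113.4", 1, 3, 40000, 80)])
    parsed = parse_v5(pkt)
    print("skew:", clock_skew(parsed, now), "warn:", skew_warning(parsed, now))
    print("coverage:", interface_coverage(parsed))
```

Run against real exporters, replace `now` with `time.time()` and feed `parse_v5` the payload of each UDP datagram on the collector port; an interface that stays in `egress_only` across many datagrams is the one to fix with ip route-cache flow.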
367. us alert becomes enabled only after the mail server settings have been set.
Last Hour Alerts: The number of alerts generated for this alert profile in the last hour. Colors represent the number of alerts at each severity level: Red (Critical), Orange (Major), Yellow (Warning) and White (All). Click a color to see the list of alerts generated with that severity.
All Alerts: The total number of alerts generated for this alert profile, with the same color coding by severity. Click a color to see the list of alerts generated with that severity.
Clear: Click the icon to clear all alerts generated for this alert profile.

Alerts List
The Alerts List is displayed when you click any color against an alert profile on the Alert Profiles page, or any link in the Generated Alerts box in the left pane. The list shows the alerts generated with the respective severity, the device that generated each alert, the time it was generated and an option to view more details. Click the Details link in the View column against an alert to view detailed information about it. The pop-up that opens shows the traffic graph outlining traffic
368. ustom Selection Option in Device Reports (New Features in Release 8.6): In the device report, custom selection of devices and time period is enabled. The latest release of NetFlow Analyzer 8.6 can be downloaded from the website at http://www.netflowanalyzer.com/download.html

Feature: Description
Capacity Planning Report: Use these reports to see the growth in network traffic over a user-defined period of time.
Report Profiles: Create profiles with the reports of your choice.
Top Sites: Lists applications and the various sites visited through those applications.
Selection box for list of applications: Gives you easy access to application-specific conversations.
Compare report includes 95th percentile: You can see the 95th percentile data in the compare reports. Standard deviation values have been added to this report.
Compare report includes 1/5/15 min reports: You can now select the 1, 5 or 15 minute average at which compare reports are viewed.
Resolve NATed addresses in ASA reports: The IP addresses are resolved and displayed.
Resizable columns: In the conversation tabs, the column widths can be resized as you wish.
Configures CBQoS automatically for the first 20 routers: As soon as you add devices, the first
369. ved problems is satisfied. (Suspect Flows)

(Problem name not in this excerpt) (DoS/Flash Crowd): 1. Short TCP Ack flows from multiple source hosts to fewer destination hosts, exceeding Minimum Convergence and Minimum Flux Rate at the destination end. 2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the destination end.

Short TCP Ack Outflood (DoS/Flash Crowd): 1. Short TCP Ack flows from fewer source hosts to multiple destination hosts, exceeding Minimum Divergence and Minimum Flux Rate at the source end. 2. Short TCP Ack flows from single/multiple source hosts to single/multiple destination hosts, exceeding Minimum Flux Rate at the source end.

Short TCP Ack Port Scan (Scans/Probes): 1. Short TCP Ack flows from single/multiple source hosts to a single destination host on multiple destination ports, exceeding Minimum Vertical Span at the destination end. 2. Short TCP Ack flows from single/multiple source hosts to fewer destination hosts on multiple destination ports, exceeding Minimum Vertical Span, Minimum Occupancy and Minimum Aspect Ratio at the destination end.

Short TCP Ack Host Scan (Scans/Probes): 1. Short TCP Ack flows from single/multiple source hosts to multiple destination hosts on a single destination port, ex
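The glossary entries above (the Short TCP Rst_Ack, Malformed ICMP, ICMP Datagram Conversion Error, TCP Null, TCP Rst, Empty TCP and Short TCP Ack families) all follow one pattern: first select flows of a family by protocol, flag bits and packet size, then look at how the selected flows spread over destination hosts and ports. The Python below is an added example of that pattern over constructed flow records; it is not NetFlow Analyzer's detector. The selection rules are the ones the glossary states (TCP Flags equal to 4 for TCP Rst, 40-byte packets with flags in 25/27/29/31 for Empty TCP, destination port 7936 for ICMP Datagram Conversion Error). The readings of Vertical Span (distinct destination ports), Horizontal Span (distinct destination hosts), Occupancy (endpoints over hosts x ports) and the threshold values 5 and 0.5 are assumptions for the demo, since this excerpt names the thresholds without defining them. Only the forward (destination-end) rules are implemented; the Reverse rules swap source and destination, and the Minimum Flux Rate half of the flood rules needs timestamps the records here do not carry.

```python
from collections import defaultdict
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int    # 6 = TCP, 1 = ICMP
    flags: int    # NetFlow tcp_flags byte
    pkts: int
    octets: int


FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16   # bit values inside tcp_flags


def flow_family(f: Flow) -> Optional[str]:
    """Assign a flow to a glossary family using the encodings the glossary states."""
    if f.proto == 6:
        if f.flags == RST:                                   # "TCP Flags value equals 4 (R)"
            return "TCP Rst"
        if f.flags in (25, 27, 29, 31) and f.octets // max(f.pkts, 1) == 40:
            return "Empty TCP"                               # header-only packets, FIN|PSH|ACK (+SYN/RST)
        if f.flags == 0:
            return "TCP Null"
        return None
    if f.proto == 1 and f.dport == 7936:                     # 31 * 256 + 0: ICMP type 31, code 0
        return "ICMP Datagram Conversion Error"
    return None


# Assumed demo thresholds; the guide names these thresholds but this excerpt gives no defaults.
THRESHOLDS = {"vertical": 5, "horizontal": 5, "diagonal": 5, "occupancy": 0.5, "convergence": 5}


def destination_end_problems(flows, th=THRESHOLDS):
    """Forward scan problems raised at the destination end, per flow family."""
    by_family = defaultdict(list)
    for f in flows:
        fam = flow_family(f)
        if fam:
            by_family[fam].append(f)
    found = []
    for fam, sel in by_family.items():
        hosts = {f.dst for f in sel}
        ports = {f.dport for f in sel}
        endpoints = {(f.dst, f.dport) for f in sel}
        nh, npt, ne = len(hosts), len(ports), len(endpoints)
        occupancy = ne / (nh * npt)                         # assumed meaning of Minimum Occupancy
        if nh == 1 and npt >= th["vertical"]:
            found.append(f"{fam} Port Scan")                # one host, many ports
        elif npt == 1 and nh >= th["horizontal"]:
            found.append(f"{fam} Host Scan")                # one port, many hosts
        elif nh == npt == ne and nh >= th["diagonal"]:
            found.append(f"{fam} Diagonal Scan")            # host i paired with port i
        elif nh > 1 and npt > 1 and (nh >= th["horizontal"] or npt >= th["vertical"]) \
                and occupancy >= th["occupancy"]:
            found.append(f"{fam} Grid Scan")                # many hosts x many ports, densely filled
    return found


def converging_targets(flows, th=THRESHOLDS):
    """Destinations reached by at least `convergence` distinct sources of one family
    (the Minimum Convergence half of the Attack / Inflood rules)."""
    sources = defaultdict(set)
    for f in flows:
        fam = flow_family(f)
        if fam:
            sources[(fam, f.dst)].add(f.src)
    return sorted(key for key, s in sources.items() if len(s) >= th["convergence"])


# Constructed sample traffic (not captured data); each sample is one scenario.
def sample_port_scan():
    return [Flow("10.0.0.5", "192.0.2.10", 40000 + p, p, 6, RST, 1, 40) for p in range(21, 29)]

def sample_host_scan():
    return [Flow("10.0.0.6", f"192.0.2.{h}", 51000, 445, 6, 0, 1, 40) for h in range(1, 7)]

def sample_diagonal_scan():
    return [Flow("10.0.0.7", f"192.0.2.{20 + i}", 52000, 1000 + i, 6, FIN | PSH | ACK, 2, 80)
            for i in range(6)]

def sample_grid_scan():
    return [Flow("10.0.0.8", f"192.0.2.{h}", 53000, p, 6, 0, 1, 40)
            for h in range(30, 36) for p in (22, 80, 443)]

def sample_flood():
    return [Flow(f"10.0.{i}.1", "192.0.2.50", 0, 7936, 1, 0, 1, 64) for i in range(1, 8)]


if __name__ == "__main__":
    for name, sample in [("port", sample_port_scan()), ("host", sample_host_scan()),
                         ("diagonal", sample_diagonal_scan()), ("grid", sample_grid_scan())]:
        print(name, "->", destination_end_problems(sample))
    print("converging ->", converging_targets(sample_flood()))
```

Because the classifier groups by family only, feed it one source's flows (or one time window) at a time, as the samples do; mixing a TCP Null host scan and a TCP Null grid scan in one call would merge them into a single host/port matrix.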
370. ww.force10networks.com

Extreme Networks switches
1. Refer to the following documentation for configuring sFlow on Extreme Networks switches: http://www.extremenetworks.com/libraries/whitepapers/WPsFlow_1247.pdf
To enable sFlow on a port use the following command (repeat it for every port):
extreme# enable sflow port 2
2. For more information on Extreme Networks devices refer to www.extremenetworks.com

Hewlett-Packard ProCurve switches
hp> enable
Password:
hp# configure terminal
hp(config)# sflow 1 sampling A1 A2 A2 256
   (syntax: sflow 1 sampling <modules> <sampling rate>)
hp(config)# sflow 1 destination 192.168.0.2 9996
The above commands work only on the latest HP devices. On some HP switches sFlow can be enabled only through SNMP, so we provide two script files for enabling and disabling sFlow on HP switches: SFlowEnable.bat / SFlowEnable.sh and SFlowDisable.bat / SFlowDisable.sh, found under the <NFA_HOME>/troubleshooting folder.
To enable sFlow, run:
SFlowEnable.bat switchIp snmpPort snmpWriteCommunity collectorIP collectorPort samplingRate
An example:
SFlowEnable.bat Hp2824 161 private 192.168.3.1 9996 256
To disable sFlow, run:
SFlowDisable.bat switchIp snmpPort snmpWriteCommunity
The SNMP write community is a credential that lets anyone who knows it reconfigure the switch: do not leave it at the default "private" shown in the example, and remember that passing it on the command line leaves it in the shell history.
An
371. y Analytics Module
Security Analytics Dashboard
The Security Analytics Dashboard gives you a quick view of the security events in the network. It has four reporting options that display the top problem classes, top algorithm types, top problems and top resources along with their graphical representations. They are:
Security Posture report: Displays the top problem classes and their respective problems. It also lists the number of events and the number of unique resources involved for each problem. Click a problem name to go to the Problem Analysis tab. The event distribution for each problem is represented as a pie chart, and the number of resources involved for each problem as a bar graph. The time distribution graph is a multi-line graph showing the number of events, problems and resources involved for a specific problem class over a given time period.
[Screenshot: Security Posture report. Module tabs: Dashboards, Interface View, Autonomous System View, WAAS Reports, Problem Glossary, Security Posture, Offenders & Targets, Problem Analysis, Resource Analysis. The Scans/Probes class lists problems such as Short TCP Ack Port Scan, ICMP Network Unreachable Host Scan, TCP Xmas Port Scan, TCP Rst Port Scan, TCP Urg Port Scan Reverse, TCP Urg Port Scan, TCP Fin Port Scan, TCP Rst Port Scan Reverse and TCP Syn_Fin Port Scan Reverse, with Events, Resources and Time Distribution columns.]
372. yzer. Drill down to a specific interface on the Traffic tab and you will find the Capacity Planning option.
Capacity Planning Report
The capacity planning report shows traffic patterns based on volume, speed, utilization and packets. Reports can be generated for any selected time period from the last hour to the last quarter, and you can customize the selected time period to suit your requirement. Using the business-hour and weekend filters, reports can be generated only for the required time period. The capacity planning report can be exported as PDF or CSV and sent by e-mail.
Billing: Generates on-demand billing based on the volume and speed utilized by a specific interface for the selected time period.
1 Minute Average: The graph shows Traffic IN and Traffic OUT as a one-minute average and also displays the 95th percentile value for both IN and OUT traffic. The table below the graph gives the total amount of Traffic IN and OUT along with the Min, Max and Average values, and also calculates and displays the standard deviation and 95th percentile value for the total IN and OUT traffic.
The graph displays the traffic deviation from the average amount of daily traffic.
Average Use Daily: The graph displays the daily average use of bandwidth for the selected time period. You can view the Traffic IN and OUT details for the selected time period.
Data Points: This table provides the individual data points for Traffic IN and OUT. The data point
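The 95th percentile that the 1 Minute Average report and the billing feature quote is what decides a burstable-bandwidth invoice, so it is worth seeing exactly how it differs from the maximum and the average. The Python below is an added illustration, not NetFlow Analyzer code: it takes 100 constructed one-minute samples, computes the nearest-rank 95th percentile (sort, discard the top 5% of samples, take the highest remaining one) together with the min, max, average and standard deviation the report lists, and shows that four minutes of 30 Mbps bursts do not raise the billable figure. The nearest-rank convention is an assumption; the page does not say which percentile convention the product uses, and interpolating variants give slightly different values on small sample sets.

```python
import math
import statistics

# Constructed one-minute Traffic IN samples in bits per second (not product data):
# 90 quiet minutes, 6 busier minutes and 4 minutes of bursts.
SAMPLES_BPS = [4_000_000] * 90 + [9_000_000] * 6 + [30_000_000] * 4


def percentile_95(samples):
    """Nearest-rank 95th percentile: the value below which 95% of samples fall.
    The top 5% of samples (here 5 of 100) are discarded before taking the max."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = math.ceil(0.95 * len(ordered))      # 1-based rank of the percentile sample
    return ordered[rank - 1]


def summary(samples):
    """The figures the 1 Minute Average table lists for one direction of traffic."""
    return {
        "min": min(samples),
        "max": max(samples),
        "avg": sum(samples) / len(samples),
        "stdev": statistics.pstdev(samples),   # population standard deviation of the samples
        "p95": percentile_95(samples),
    }


if __name__ == "__main__":
    for k, v in summary(SAMPLES_BPS).items():
        print(f"{k:>5}: {v / 1e6:.2f} Mbps")
```

With these samples the maximum is 30 Mbps and the average 5.34 Mbps, but the 95th percentile is 9 Mbps: bursts totalling under 5% of the interval are discarded, which is exactly why operators watch this figure rather than the peak.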
