User Guide - Statseeker Version 3.x

NetFlow

Purpose of this Guide

How to report on NetFlow.

Index

• Configure Statseeker to Accept a NetFlow Feed
• NetFlow Data Storage
• Introduction to the Traffic Analyzer
• Example 1 - Report on Top Talkers
• Example 2 - Report on all Conversations to and from a Particular IP Address
• Example 3 - Report on Hosts that have had the Most Conversations
• Example 4 - Report on the Most Used Protocols
• Example 5 - Report on Which Host Used a Particular Protocol

Configure Statseeker to Accept a NetFlow Feed

Note: Statseeker currently accepts NetFlow Version 5, 7 and 9.

1. Log into Statseeker as the Administrator;
2. Go to Administration Tool> Traffic Analyzer> Flows. This will list previously created NetFlow feeds;

3. Enabled - will be selected by default;
4. RNA (LOCAL) will be selected by default;

   The RNA (Statseeker’s Remote Network Appliance) exists on the Statseeker server OR can be deployed remotely to:

   1. See every conversation the Statseeker server can see on the local LAN (default setting);
   2. Run a LAN Analyzer;
   3. Accept a NetFlow feed from a remote appliance.

   Note: Forwarding NetFlow traffic to RNA (LOCAL) on the Statseeker server is the preferred method for NetFlow collection as it does not require deployment of appliances.

5. Enter a Port Number – this is used to open up a UDP port on the Statseeker server to accept a NetFlow feed;

   Note: Every NetFlow feed that is configured MUST use a unique port number.

6. Enter a Label – the label is the name of the NetFlow feed that will be used for reporting. Commonly, Users will enter the name of the Router sending the flow;
7. Select ‘Save’ – Statseeker is now configured to accept a NetFlow feed;

The example below shows a NetFlow feed to be received from Melbourne-Router1 on UDP Port 9002.

NetFlow Data Storage

Statseeker is designed to store data for a limited time period. The default is 90 days and can be customized by the Statseeker Administrator.

To do this:

1. Go to Administration Tool> Traffic Analyzer> General;
2. Adjust the ‘Keep History For x days’ value to the number required.

Note: The only limitation on data storage is the hard drive capacity of the Statseeker server.

To monitor the current storage being used by NetFlow:

1. Go to the Network Infrastructure Monitor> Report List> General> Configuration Details report;
2. The last row of this report is labelled ‘ltm’ which stands for Lan Traffic Monitor and is the file system used by NetFlow.

Note: NetFlow data is compressed overnight. If a User reduces the number of days the data is stored, data pruning will occur during the nightly compression process.

Introduction to the Traffic Analyzer

To access Statseeker’s NetFlow reporting go to the Network Infrastructure Monitor> Report List> General> Traffic Analyzer.

The Traffic Analyzer consists of four main sections:

1. Report List;
2. Traffic Collector – a list of all of the configured traffic collectors, including:
   1. NetFlow collectors;
   2. LAN Analyzers configured by default on the LOCAL interfaces of the Statseeker server; and
   3. Any other configured LAN Analyzers.

   Note: Only one Traffic Collector can be reported on at a time.

3. Time Filter – Used to report on the NetFlow data in any Time range and interval;
4. General Options – Filters that can be applied to the reports.

Example 1 - Report on Top Talkers

1. Select a Time Filter;
2. Select a NetFlow feed from the Traffic Collector list;
3. Run the Conversations report – this report will use the default sort of ‘Bytes’ to proactively rank every conversation to see who were the top talkers.

Example 2 - Report on all Conversations to and from a Particular IP Address

1. Under General Options click within the Address field then hover over the ‘?’. This will display help documentation for the many options available whilst allowing text to be input at the same time;
2. Select a Time Filter;
3. Select a NetFlow feed from the Traffic Collector list;
4. Run a Conversations report.

In the example below the User runs a report where a specific IP address is filtered to be included (inc) as either the source or destination (either) of all conversations within the report.

Example 3 - Report on Hosts that have had the Most Conversations

1. In General Options set the Sort criteria to Conversations;
2. Select a Time Filter;
3. Select a NetFlow feed from the Traffic Collector list;
4. Run a Node Conversations report.

Example 4 - Report on the Most Used Protocols

1. Select a Time Filter;
2. Select a NetFlow feed from the Traffic Collector list;
3. Run a Protocols report - this report will use the default Sort of ‘Bytes’ to proactively rank every protocol to see which one was most used.

Example 5 - Report on Which Host Used a Particular Protocol

1. Under General Options click within the Protocol field then hover over the ‘?’. This will display help documentation for the many options available whilst allowing text to be input at the same time;
2. Select a Time Filter;
3. Select a NetFlow feed from the Traffic Collector list;
4. Run a Conversations report.

The example below shows a report where a specific protocol is filtered to be included (inc) so that all conversations using that protocol can be displayed.