User Guide - Statseeker Version 3.x

The Traffic Analyzer

Purpose of this Guide

To provide a basic understanding of the Traffic Analyzer.

If you require more information than is supplied in this guide, please contact our Customer Support Team at csm@statseeker.com.

What is the Traffic Analyzer?

The Traffic Analyzer is a consolidated tool for reporting on:

  • NetFlow (V5, V7, V9);
  • sFlow;
  • LAN Traffic on LAN segments locally connected to the server;
  • LAN Traffic on LAN segments that are connected to Statseeker Remote Network Appliances (RNAs).

The Traffic Analyzer reports on data gathered by Statseeker Traffic Collectors.

What is a Traffic Collector?

A Traffic Collector is a Statseeker application that resides on the Statseeker server and/or on a Statseeker Remote Network Appliance (RNA).

Traffic Collectors build conversation matrix tables and dump these tables to a highly compressed file every five minutes. The tables are then downloaded by the Statseeker server and processed into a central historical database.

A Traffic Collector is automatically started for every:

  • Network interface on the Statseeker server;
  • Network interface of every deployed Statseeker RNA;
  • Configured NetFlow and sFlow.

Traffic Collectors can decode 802.1q VLAN packets.

No historical data is stored on the remote devices, and the server regularly prunes historical data after a user-defined period of time (default of 90 days).

To deploy "Remote" Traffic Collectors, you must first deploy an RNA. The Traffic Collectors will be automatically downloaded to each RNA at boot time.
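As an added example (this is not Statseeker's collector code), the following Python decodes captured Ethernet frames, strips an 802.1q VLAN tag when one is present, and aggregates IPv4 packets into a conversation matrix of the kind a LAN Traffic Collector builds before dumping it. The frames, MAC addresses and IP addresses are constructed inline and are not real captures; checksums are left at zero because nothing here verifies them.

```python
"""
Added example (not Statseeker code): decode raw Ethernet frames, strip an
802.1q VLAN tag when present, and aggregate IPv4 packets into a conversation
matrix keyed on (vlan, src, dst, proto, sport, dport). All frames below are
constructed inline; checksums are zero because nothing here verifies them.
"""
import socket
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


def parse_frame(frame):
    """Return (vlan, src_ip, dst_ip, proto, sport, dport, ip_bytes) for an IPv4
    frame, or None for anything that is not well-formed IPv4."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:          # 802.1q: TCI (2 bytes) + inner ethertype
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    if ethertype != ETH_P_IP:
        return None
    ip = frame[offset:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip_bytes = min(total_len, len(ip))    # never trust a length field larger than the frame
    proto = ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:   # TCP and UDP ports sit at the same offsets
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return vlan, src_ip, dst_ip, proto, sport, dport, ip_bytes


def conversation_matrix(frames):
    """Aggregate packet and byte counts per conversation; non-IPv4 frames are skipped."""
    matrix = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        vlan, src, dst, proto, sport, dport, nbytes = rec
        entry = matrix[(vlan, src, dst, proto, sport, dport)]
        entry["packets"] += 1
        entry["bytes"] += nbytes
    return dict(matrix)


def build_frame(src_ip, dst_ip, proto, sport, dport, payload_len=0, vlan=None):
    """Constructed test frame: Ethernet [+ 802.1q tag] + IPv4 + TCP or UDP header."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")   # made-up dst, src MAC
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ETH_P_IP)
    else:
        eth += struct.pack("!H", ETH_P_IP)
    if proto == 6:   # 20-byte TCP header, PSH|ACK, zero checksum
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:            # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    l4 += b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


# Constructed sample capture: three HTTPS packets on VLAN 10, one untagged DNS
# query, one ARP frame and one runt; the last two must be ignored.
SAMPLE_FRAMES = (
    [build_frame("10.0.1.5", "10.0.2.9", 6, 51234, 443, payload_len=100, vlan=10)] * 3
    + [build_frame("10.0.1.5", "10.0.2.9", 17, 5000, 53)]
    + [bytes(12) + struct.pack("!H", ETH_P_ARP) + bytes(28)]
    + [bytes(10)]
)

if __name__ == "__main__":
    for key, counts in conversation_matrix(SAMPLE_FRAMES).items():
        print(key, counts)
```

The VLAN ID is kept in the conversation key so that the same addresses on two VLANs are reported as separate conversations, and the IPv4 total-length field is clamped to the bytes actually present so a crafted header cannot inflate byte counts.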

What is a Remote Network Appliance?

The Remote Network Appliance (RNA) is a platform on which "Remote" Statseeker applications such as LAN Traffic collectors are deployed.

The architecture is based around a bootable USB flash drive which turns any PC connected to the network into a remote platform within minutes. The RNA operates entirely in RAM, therefore any PC can be turned into an RNA without affecting its local operating system.

Your Statseeker license permits you to install and deploy an unlimited number of RNAs and RNA applications across your network infrastructure.

When RNAs are deployed the Statseeker server:

  • Communicates with the RNAs via HTTP and can operate through proxies;
  • Regularly polls all enabled RNAs;
  • Synchronizes the system time of each RNA to within one second;
  • Automatically updates older RNA flash versions;
  • Downloads all applications and configuration files to each RNA;
  • Monitors the health and logfiles of each RNA.

RNA Hardware Requirements:
  • CPU: 1GHz;
  • RAM: 128M;
  • NIC: PCI Ethernet card (Maximum of 8);
  • USB flash drive.
Note:   The PC BIOS must be configured to boot from a USB Device as its first boot device.

How to Deploy an RNA.

  1. Create an RNA flash drive;
  2. Configure the RNA;
  3. Add the RNA to the Statseeker server configuration.

  1. Creating an RNA Flash Drive

  Notes and Tips:
    • The "Create RNA USB Flash" utility works by scanning the bus twice and installing on the new device found on the second scan. Make sure the USB flash drive is unplugged when starting the utility and only plug it in when prompted;
    • All data on the USB flash drive will be lost;
    • Ignore all messages except for the "WARNING: ABOUT TO ERASE ALL DATA ON DEVICE" message.

    To create an RNA USB Flash Drive run ssadmin :
    1. Login to the server's console as "root";
    2. Run ssadmin (Make sure the USB flash drive is NOT inserted);
    3. Select menu Option 10 in ssadmin to "Create RNA USB Flash";
    4. When prompted, insert USB flash drive;
    5. After the USB flash drive has been detected press Enter;
    6. Continue to erase data and create flash drive.

  2. Configure an RNA

  Note:   The PC BIOS must be configured to boot from a USB Device as its first boot device.

    1. Boot a PC with the RNA flash drive;
    2. Switch to the configuration menu (Alt-F2);
    3. Select menu Option 3 Edit Config;
    4. You will be prompted for:
      • IP Address;
      • Subnet mask;
      • Default gateway.
    5. Select menu Option 1 Reboot the PC with the RNA flash drive for the new IP configuration to take effect.

  3. Add an RNA to the Statseeker Server Configuration
    1. Go to Administration Tool> Traffic Analyzer> Remote Network Appliance> Add;
    2. Fill in the required fields and click the Save button.
      • RNA Name (allowable characters are a-z, A-Z, 0-9, and underscore);
      • Title (allowable characters are a-z, A-Z, 0-9, underscore and space);
      • Details (allowable characters are a-z, A-Z, 0-9, underscore and space);
      • IP Address;
      • Mode (enabled or disabled);
      • Via Proxy (enable if deploying an RNA on the outside of a firewall and all communications are only possible via your HTTP proxy);
      • Rate Limit (Allows you to limit the data transfer rate of all RNA client/server communications);
      • Interface descriptions 0 to 7 (allowable characters are a-z, A-Z, 0-9, underscore and space). A short description of the network each interface is connected to.
    3. The newly added RNA will appear in the list. It may take a few minutes for the RNA to change status.

Duplicating the RNA Flash Drive

To duplicate the RNA flash drive:

  1. Boot a PC with an RNA flash drive;
  2. Switch to the configuration menu (Alt-F2);
  3. Select menu Option 5 Copy drive and follow the prompts. This will read the current drive image into memory, then ask you to insert a target flash drive. The diskcopy program will write the drive image and then verify it;
  4. Once a drive has been successfully copied, you will be asked to enter a new IP configuration;
  5. When you are finished copying flash drives, re-insert the original flash drive into the PC.

How to Deploy Traffic Collectors

  1. Where to Connect Traffic Collectors

  Traffic Collectors for NetFlow and sFlow use the first interface on the RNA, which should be connected to a normal (non-mirrored) switch port.

    Traffic Collectors for LAN Traffic should be deployed as follows:

    Port mirroring

    VLAN mirroring

    Note:  Many newer switches do not allow packets to be transmitted on the mirror destination port, so the RNA must be fitted with at least two network interfaces (one to monitor the mirrored traffic and another to talk to the network).

  2. How to Configure Traffic Collectors

  To configure a Traffic Collector for NetFlow or sFlow:

    1. Go to: Administration Tool> Traffic Analyzer> Flows:
    2. Select the appropriate RNA;
    3. Specify a Port number;
    4. Specify a Label;
    5. Press "Save";
    6. Configure the device to send NetFlow or sFlow to the specified port number on the Traffic Collector.

    Traffic Collectors for LAN Traffic do not require configuration.

Getting Started with the Traffic Analyzer

The Traffic Analyzer is one consolidated reporting tool used for accessing and reporting on NetFlow, sFlow and LAN Traffic data, and is accessed from Network Infrastructure Monitor - Advanced Console> Report List> General> Traffic Analyzer.

The Traffic Analyzer consists of four easy to use sections:
  • Report List;
  • Traffic Collector: A list of every deployed Traffic Collector (NetFlow, sFlow and LAN Traffic);
  • Time Filter;
  • General Filters.

Notes and Tips:

  • To run a report select a Time Filter, a Traffic Collector and then click on the report;
  • Use the Reset button in the bottom right corner of the Traffic Analyzer console to reset / clear the filters;
  • Use meaningful names for each Traffic Collector, e.g. Netflow_New_York_Router_1;
  • Go to Administration Tool> Traffic Analyzer> General to set:
    • Keep History For: Number of days (Default is 90 days);
    • Password: For Real Time LAN Traffic Analyzer.
  • To label protocols using custom port numbers go to Administration Tool> Traffic Analyzer> Protocols:
    • Select the Enabled check box;
    • Specify the type of protocol, either ‘udp’ or ‘tcp’;
    • Enter a port number;
    • Either enter an IP address to label conversations coming from a specific host on this port number or leave this field as default for all conversations, regardless of their IP address;
    • Enter a Label (used for reporting);
    • Select ‘Save’;
    • Select ‘Apply' to accept changes.

  • To configure Statseeker to accept a NetFlow feed go to Administration Tool> Traffic Analyzer> Flows:
    • Enabled - will be selected by default;
    • RNA (LOCAL) will be selected by default;
    • Enter a unique Port Number – this opens a UDP port on the Statseeker server to accept the NetFlow feed. NetFlow export is unauthenticated UDP, so restrict which exporter addresses can reach this port (for example with a firewall rule); otherwise any host that can reach it can inject flow records into your reports;
    • Enter a Label – the label is the name of the NetFlow feed that will be used for reporting;
    • Select ‘Save’ – Statseeker is now configured to accept a NetFlow feed.

    The example below shows a NetFlow feed to be received from Melbourne-Router1 on UDP Port 9002.
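As an added example, separate from the product screenshot the guide refers to above and not Statseeker's own code, the following Python builds a NetFlow v5 export datagram the way an exporting router would and parses it the way a collector listening on the configured UDP port has to, rejecting anything that fails the v5 sanity checks (version, record count, total length) before a single record is read. The flow records are constructed inline; the collector host name "statseeker.example" and the port 9002 in the send helper's docstring are placeholders, and send_datagram() is never called on import.

```python
"""
Added example (not Statseeker code): build a NetFlow v5 export datagram the way
an exporting router would, then parse it the way a collector listening on the
configured UDP port has to, rejecting anything that fails the v5 sanity checks.
The flow records are constructed inline; send_datagram() is only for pointing a
test feed at a real collector and is not called when the module is imported.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                    # 24 + 30 * 48 = 1464 bytes, fits a 1500-byte MTU


def build_v5_datagram(records, sys_uptime_ms=600000, unix_secs=1700000000,
                      flow_sequence=0, engine_id=1):
    """Pack flow dicts into one v5 datagram (1 to 30 records per datagram)."""
    if not 0 < len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries between 1 and 30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r.get("nexthop", "0.0.0.0")),
            r.get("input", 0), r.get("output", 0), r["packets"], r["octets"],
            r.get("first", 0), r.get("last", 0), r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], r.get("tos", 0),
            r.get("src_as", 0), r.get("dst_as", 0),
            r.get("src_mask", 24), r.get("dst_mask", 24), 0)
        for r in records)
    return header + body


def parse_v5_datagram(data):
    """Return (header, records); raise ValueError for anything that is not a
    well-formed v5 datagram. Version, count and total length are checked before
    any record is touched, so a junk datagram cannot poison the tables."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if not 0 < count <= V5_MAX_RECORDS:
        raise ValueError(f"bad record count {count}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram length does not match record count")
    header = {"version": version, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "unix_nsecs": nsecs, "flow_sequence": seq,
              "engine_type": engine_type, "engine_id": engine_id,
              "sampling_mode": sampling >> 14,            # top 2 bits
              "sampling_interval": sampling & 0x3FFF}     # low 14 bits
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "packets": f[5], "octets": f[6], "first": f[7], "last": f[8],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18]})
    return header, records


def top_talkers(records, n=5):
    """Sum octets per source address, as a top-talkers report would."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["octets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def send_datagram(data, host, port):
    """Fire one datagram at a collector, e.g. send_datagram(d, "statseeker.example", 9002)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (host, port))


# Constructed sample flows from a hypothetical exporter (addresses are made up).
SAMPLE_RECORDS = [
    {"src": "10.1.1.10", "dst": "192.0.2.50", "proto": 6, "sport": 49152, "dport": 443,
     "packets": 120, "octets": 98000, "tcp_flags": 0x18},
    {"src": "10.1.1.11", "dst": "192.0.2.53", "proto": 17, "sport": 53111, "dport": 53,
     "packets": 2, "octets": 160},
    {"src": "10.1.1.10", "dst": "192.0.2.50", "proto": 6, "sport": 49153, "dport": 443,
     "packets": 30, "octets": 12000, "tcp_flags": 0x18},
]

if __name__ == "__main__":
    datagram = build_v5_datagram(SAMPLE_RECORDS, flow_sequence=7)
    header, flows = parse_v5_datagram(datagram)
    print(header["count"], "records,", top_talkers(flows))
```

Because a v5 datagram carries no authentication, the length and version checks only protect the parser; which exporters are allowed to feed the port must be enforced at the network edge, as noted in the configuration steps above.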

Realtime LAN Traffic Analyzer

The realtime LAN Traffic Analyzer uses a terminal user interface to display realtime LAN statistics. All commands are listed on the initial help screen.

The LAN Traffic Analyzer supports a limited number of terminal emulators including:

  • vt100;
  • vt200;
  • vt220;
  • xterm.

Note: Before using the realtime LAN Traffic Analyzer you must set the password via Administration Tool> Traffic Analyzer> General. Telnet sends this password and the whole session in cleartext, so restrict access to these ports to your management network.

To utilize the realtime LAN Traffic Analyzer, telnet to the RNA with the following command:

> telnet ipaddress portnumber

ipaddress: the IP address of the RNA or Statseeker server.

portnumber: 30000 for the first interface, 30001 for the second, and so on (30000 plus the zero-based interface number).

The Display Modes consists of the following options:

  • IP nodes: (Source IP, Source MAC, Total packets, Total bytes, Packets / sec, Bytes / sec);
  • IP conversations: (Source IP, Destination IP, Total packets, Total bytes, Packets / sec, Bytes / sec);
  • MAC nodes: (Source MAC, Source IP, Total packets, Total bytes, Packets / sec, Bytes / sec);
  • Total protocol counts: (Protocols, Total packets, Total bytes, Packets / sec, Bytes / sec);
  • Undefined TCP/UDP ports: (Port number, TCP/UDP, IP Address);
  • Alerts: (Duplicate IP Addresses, Possible Routers).

Undefined Protocols

To define a previously undefined protocol:

  1. Go to: Administration Tool> Traffic Analyzer> Protocols;
  2. Tick the Enabled box;
  3. Select the protocol Type;
  4. Specify a Port number;
  5. Specify an IP Address;
  6. Specify a Label;
  7. Press "Save";
  8. Press "Apply".

Once a protocol is added it will take a few moments to migrate to the remote devices.

All subsequent traffic collected will be tagged as the new protocol. Old data will not be renamed.

To establish which port number a device is using, connect to the realtime LAN Traffic Analyzer by telnetting to it on port 30000 (first interface) or 30001 (second interface).

Use the "?" menu selection to display the undefined TCP/UDP ports in use.

© 1998-2012 Statseeker Pty Ltd. All rights reserved.