Staying away from the website monitoring topic for a bit, I wanted to touch on a tool that I mentioned in an earlier post - NetFlow.
Netflow really isn’t a tool - it’s a protocol that has a series of tools associated with it. But those tools place a lot of power in your hands as a network administrator.
Netflow isn’t something for everyone. Be warned now: if you aren’t an IT person, then I might be going over your head with this one. Anyway, Netflow is a feature of higher-end routers and some switches, such as those from Cisco and Juniper. Their smaller models frequently offer Netflow as an option, but not always, and many small-office routers don’t support Netflow at all. The same goes for smaller managed switches, and I guarantee that unmanaged switches don’t support it either.
With that out of the way, why should you want to use Netflow?
Well, the best explanation is that it allows you to see what people are doing on your network. Not in the same way as a product like Websense that shows you what websites people are using, but more along the lines of what kind of traffic your network is being used for.
Here is a quick example.
You are running a network with several smaller offices scattered around, connected to your main office with an MPLS network. You are monitoring the load on your network links with MRTG/RRDTool, like all good and handy network admins. You have noticed however that you are getting a large amount of traffic that is spiking your network and causing issues a couple of times a day.
Now, a properly configured MRTG/RRDTool setup lets you see that there is a spike and which link it is on, but it doesn’t give you much more information than that.
That is where having Netflow running on your network can help. If the same routers that feed bandwidth usage to MRTG/RRDTool are also running as Netflow exporters, they will send a stream of flow records over UDP to a server configured as a Netflow collector. A flow record describes one direction of a conversation passing through the router: the packet payload isn’t included, but you do get the IP addresses at each end, the source and destination ports, the protocol, and the number of packets and bytes in the flow. Two caveats worth knowing before you read the numbers: because a flow is one-directional, a single TCP connection shows up as two records, one per direction, and on busy links the router may be configured to sample (exporting only one packet in N), in which case the byte counts have to be scaled up by the sampling interval.
This flow information, when gathered by the Netflow collector and interpreted by something like FlowCU or Flow Viewer, lets you see beyond what MRTG/RRDTool collects and identify exactly what the spike in traffic is. For instance, it could be a specific computer on the network downloading updates every couple of hours, someone using Skype or BitTorrent, or a video conference that you didn’t know about.
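To make the flow record and the “who is causing the spike” question concrete, here is an added example that is not code from this post or from any of the tools it names. It parses NetFlow v5 export packets (the 24-byte header plus 48-byte records that a Cisco router sends when configured for version 5 export) and ranks local hosts and conversations by bytes moved. The packet it reads is constructed inline to stand in for what a router would send to a collector on UDP 2055; the hosts, ports and byte counts are made up, using RFC 1918 and documentation address ranges, and the `local_net` argument is an assumption about which prefix is “inside” your network.

```python
"""Parse NetFlow v5 export packets and rank the hosts behind a bandwidth spike.

Added example; not code from the post or from any NetFlow tool. The sample
packet is constructed below and the addresses are not real hosts.
"""
import ipaddress
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format as exported by Cisco IOS "ip flow-export version 5":
# a 24-byte header followed by up to 30 flow records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5_packet(data):
    """Return the flow records in one v5 export packet as a list of dicts.

    Each record is one direction of one conversation: the router emits
    separate records for client->server and server->client traffic.
    """
    if len(data) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet (version %d)" % version)
    if count > V5_MAX_RECORDS or len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not fit packet length %d" % (count, len(data)))
    flows = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, packets, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(data, offset)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": packets, "octets": octets, "tcp_flags": tcp_flags,
            "exported_at": unix_secs, "seq": seq,
            # Low 14 bits of this header field are the sampling interval;
            # non-zero means counts must be scaled before comparing to MRTG.
            "sampling": sampling & 0x3FFF,
        })
    return flows


def top_talkers(flows, local_net, n=5):
    """Bytes moved in either direction by each host inside local_net, largest first."""
    net = ipaddress.ip_network(local_net)
    totals = defaultdict(int)
    for f in flows:
        for host in (f["src"], f["dst"]):
            if ipaddress.ip_address(host) in net:
                totals[host] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_conversations(flows, n=5):
    """Bytes per conversation, folding both directions of a connection together."""
    totals = defaultdict(int)
    for f in flows:
        ends = tuple(sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])]))
        totals[(f["proto"],) + ends] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_v5_packet(records, seq=0, unix_secs=1243958400):
    """Assemble a v5 export packet; used here only to construct sample input."""
    header = V5_HEADER.pack(5, len(records), 0, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, packets, octets, 0, 0, sport, dport, 0, flags,
                       proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, flags, packets, octets in records)
    return header + body


# Constructed sample: three conversations as a router would export them,
# the TCP ones as two unidirectional records each (fields: src, dst,
# sport, dport, proto, tcp_flags, packets, octets).
SAMPLE_PACKET = build_v5_packet([
    ("10.1.5.23", "203.0.113.10", 51514, 443, 6, 0x18, 600, 40000),      # https request side
    ("203.0.113.10", "10.1.5.23", 443, 51514, 6, 0x18, 1200, 1600000),   # https download side
    ("10.1.5.77", "198.51.100.5", 40123, 6881, 6, 0x18, 300, 25000),     # peer-to-peer, outbound
    ("198.51.100.5", "10.1.5.77", 6881, 40123, 6, 0x18, 400, 480000),    # peer-to-peer, inbound
    ("10.1.5.40", "192.0.2.53", 53777, 53, 17, 0, 5, 400),               # dns lookup
])

if __name__ == "__main__":
    flows = parse_v5_packet(SAMPLE_PACKET)
    for host, octets in top_talkers(flows, "10.0.0.0/8"):
        print("%-15s %10d bytes" % (host, octets))
    for key, octets in top_conversations(flows):
        print(key, octets)
```

Run against the sample, `top_talkers` puts 10.1.5.23 first with 1,640,000 bytes, which is the answer MRTG alone cannot give you; `top_conversations` then shows that traffic is a single HTTPS conversation with 203.0.113.10, and that the second-largest consumer is the host talking to port 6881. A real collector would read packets off UDP 2055 in a loop and feed each one to `parse_v5_packet`; the length and version checks matter there because anything can send a datagram to the collector port.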
Netflow isn’t a panacea for all your network troubleshooting, but it does really help you focus on the systems that are causing your spike in bandwidth, which in turn can really help you figure out how to resolve the issue and improve your network performance.
In an upcoming post I’ll go over a simple configuration of Netflow using Flow Viewer and the CactiEZ platform.
Until then, I hope your systems are all up and running.

June 3rd, 2009 - 5:28 am
Scrutinizer is a very robust NetFlow monitoring application anyone interested in Cisco NetFlow should check out. There is even a free version. http://www.plixer.com/products/scrutinizer.php
June 3rd, 2009 - 10:42 am
Nice blog. I like how you took a complicated subject and made it easy to understand for any reader.
Not an easy feat…
June 3rd, 2009 - 11:28 am
Thanks for the comments Nathan.
June 3rd, 2009 - 11:28 am
Jon-
I have to admit that I’m not familiar with Scrutinizer, but will take a look at it now. Thanks for bringing it to my attention.