Is anyone aware of a good netflow analyser that can effectively combine multiple streams into a single application view? For example, I have 5 servers each running 5 services. Rather than having to correlate 25 netflow items, I'd like to initially just see a single result representing the entire clustered services those boxes are providing, and then be able to drill down to per ip or per port data if need be. I've looked at Scrutinizer, Solarwinds, Fluke, ManageEngine but not found anything that does what I would perceive to be a relatively simple thing.
Anyone know of that killer app?
I am not sure if this is what you are looking for (so you have to decide yourself if it is good ;-) ) but here is a link to
Cisco Performance Visibility Manager
which is afaik an OEM of
Both can be used to centralize the view on several collectors.
I am not sure if it still is available but years ago this capability and the ability to aggregate flows in any way you want was supported by Concord traffic accountant.
In addition to Cisco's Netflow Analyzer there are a few open source tools including Netflow analyser from Adventnet, Flow Tools, and Caligare Flow Inspector.
Yes, I'm aware of most of them, but none allow collections of multiple ip:port combinations into summaries of traffic. Helpdesks don't care that 10.2.3.4:443, 10.2.4.5:80 and 10.2.5.6:1521 are generating lots of traffic, they want to know that Fooware the clustered application is generating lots of traffic...
In typical Cisco style I can't find out anything useful about the Cisco NetFlow Collector at all... just that it exists and is apparently good. according to them.
Adventnet Netflow is decent (we use it), but their support is pretty bad. Crannog is supposed to be pretty good too, but it's missing the eye candy most people want to see. Solarwinds makes a Netflow product, but it's part of the Orion suite so it may not be cost effective.
The AdventNet one is the closest I've found. We'd intend to use it in conjunction with OpManager, but that's a pile of proverbial in my opinion. AdventNet is the only one I've found that will let me do ip:port level distinctions. NetQoS is the only other one I've any hope for, but am not sure either way right now.
I've also been trying out the whole Orion suite, the core of which I'm currently keen on, but their netflow stuff is just appalling I think, not least as you must license directly in line with the main product. I want to monitor netflow from my main Cisco routers only? Sorry guv, that's $17,000 because you also are monitoring 2000 other unrelated devices! I spoke to the product manager there and he claims to have seen the light from what I want from netflow... won't hold my breath though.
You only have to license the number of interfaces you will monitor with Netflow, not all the elements. Netflow has a different license than Orion. You could also look at Solarwinds Toolset which has Netflow monitoring and it works really well.
"The way our licensing work is that you either have NetFlow capabilities or you don't, and the pricing is a function of which Orion you buy."
- *Denny C. LeCompte*
*SolarWinds, Sr. Product Manager*
Do they not know their own licensing model?
NetQoS ReporterAnalyzer has the following Application Mapping feature that might fulfill what you're looking for. If a specific application can't be summarized neatly into one subnet or a continuous port range, just add more line entries all mapped to the same port.
Yeah, that's certainly much more like it. I *think* we actually had a guy from NetQoS come here and give us their spiel. What soon came to light and left us very confused would be that NetQoS actually has literally nothing to do with QoS at all... strange name.
Is this something you are generally using? You're able to get decent graphs of clustered app 1 vs 2 vs 3 over a WAN link, not just port level stats?
Netflow runs 24/7 and we view it 'when there's an issue'. We use Adventnet, but I also have the SW Toolset on my laptop and use that exclusively at customer sites. It's great for quickly viewing what's going on or for a short time period. Adventnet works well for longer term trending (assuming it stays running).
You can use Caligare Flow Inspector and their forwarding feature. You can create normal collectors (one for one device) and the special collector (i.e. TotalSum) and forward all netflow exports to the special collector (menu Options->Forwarding). Any statistic is made under selected collector, so if you want to see any traffic that was transferred through your network you will see this traffic in the "totalsum" collector. If you want to exclude any traffic from totalsum you can use the Options->Filtering feature. It is great software. We have been using this software for three years and every next version is better.
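Added example, not part of any post in this thread and not code from any product named in it: a sketch of the application view the thread asks for, rolling already-decoded flow records up by a map of ip:port endpoints to an application name while keeping the per-endpoint drill-down. The record layout, the `APP_MAP` structure and the function names are assumptions; the flow records are constructed sample data using the Fooware endpoints from the discussion.

```python
from collections import defaultdict

# Assumed application map: application name -> set of (server_ip, port) endpoints.
APP_MAP = {
    "Fooware": {("10.2.3.4", 443), ("10.2.4.5", 80), ("10.2.5.6", 1521)},
}
# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("192.0.2.10", 51000, "10.2.3.4", 443, 1200),   # client -> web tier
    ("10.2.3.4", 443, "192.0.2.10", 51000, 8800),   # return traffic
    ("192.0.2.11", 51001, "10.2.4.5", 80, 500),
    ("10.2.5.6", 1521, "10.2.3.4", 40000, 3000),    # db tier replying to web tier
    ("192.0.2.12", 51002, "10.9.9.9", 22, 700),     # not part of any mapped app
]
UNMAPPED = "unmapped"

def build_index(app_map):
    """Invert the map to endpoint -> app; reject endpoints claimed by two apps."""
    index = {}
    for app, endpoints in app_map.items():
        for ep in endpoints:
            if index.get(ep, app) != app:
                raise ValueError(f"{ep} mapped to both {index[ep]} and {app}")
            index[ep] = app
    return index

def classify(flow, index):
    """Match the server side of a flow; check dst first, then src for replies."""
    src_ip, src_port, dst_ip, dst_port, _ = flow
    for ep in ((dst_ip, dst_port), (src_ip, src_port)):
        if ep in index:
            return index[ep], ep
    return UNMAPPED, (dst_ip, dst_port)

def summarize(flows, app_map):
    """Return (bytes per application, bytes per endpoint within each application)."""
    index = build_index(app_map)
    totals = defaultdict(int)
    drill = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        app, ep = classify(flow, index)
        totals[app] += flow[4]
        drill[app][ep] += flow[4]
    return dict(totals), {a: dict(e) for a, e in drill.items()}

if __name__ == "__main__":
    totals, drill = summarize(FLOWS, APP_MAP)
    for app, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{app}: {total} bytes")
        for (ip, port), nbytes in sorted(drill[app].items()):
            print(f"  {ip}:{port} {nbytes} bytes")
```

Keeping an explicit `unmapped` bucket means traffic outside every application definition still shows up in the totals instead of disappearing from the summary.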