Table of contents

• Overview
• Key features
  • Custom traffic categorization
  • Graphs and Table reports
  • Clickable graphs
  • Ad hoc query tool
  • Netflow exporter and interface discovery and normalization
  • Flexible data aggregation
  • Netflow-embedded timestamps
  • Flow-tools back-end
  • Perl!
• Uses of this application that may not be immediately apparent
  • Quality-of-Service (QoS)
  • Security forensics
  • Profiling WAN acceleration (WAAS, WAFS, etc)
  • Capacity planning
  • Tracking IT migrations
  • Route monitoring
• Limitations and comparison with other packages
• History and author

Overview

In its simplest form, Netflow data is categorized and tracked for every router/switch interface. The user selects one or more interfaces and can view the average or peak traffic utilization for each category over the past hour, day, week, etc. There are sample screenshots later in this document. The user can also generate ad hoc reports on the flow data over any time period to explore all aspects of the traffic, such as a top talkers IP address report or a raw flow chronology.

Sourceforge.net project site for Webview Netflow Reporter (or go straight to downloads)

Key features

• Custom traffic categorization (classification). Traffic categories are defined using an ACL-like syntax modeled on Cisco IOS. The predefined categories work fine, but Webview is far more useful with custom categories that match your network's unique traffic patterns -- Email, ERP, backup, Internet proxies (or lack thereof), etc.

  Within an ACL, each line can pass or fail based on any combination of:

  • IP address / mask
  • port number (TCP/UDP)
  • TCP flags
  • ICMP type and code
  • BGP ASN (if configured as an export option)
  • IP Type-of-Service (DSCP, IP precedence or a simple number)
  • next-hop IP / mask
  • exporter IP / mask
  • input or output interface
  • Number of packets or bytes
  • Duration of flow
  • Average bytes per second or packets per second
  • Average packet size
  • The success of another ACL within the past n seconds

  The accuracy of fields in the Netflow accounting stream depend on the Netflow version in use and the idiosyncrasies of the platform generating the export (e.g., Cisco IOS routers are generally pretty good, but Cisco Catalyst 45000 and 6500 switches leave out the TCP flags and infer the input interface). Below are several ACL examples.

  simple:

  ip access-list extended HTTP
   permit tcp any any eq 80 reverse
   permit tcp any any eq 443 reverse
  

  complex:

  ip host-list @local
  	10.0.0.0/8
  	172.16.0.0/12
  	192.168.0.0/16
  
  ip access-list extended Internet_HTTP
   deny tcp host @local host @local
   permit tcp host @local any eq 80 reverse
   permit tcp host @local any eq 443 reverse
  

  specific:

  ip host-list @SAP 10.1.2.15 10.1.3.15
  
  ip access-list extended Columbus_SAP_on_backup_path
   permit ip any FastEthernet0/0 host @SAP reverse exporter Rtr3
  

  routing-table derived:

  ip access-list extended YouTube
   permit ip any 36561 any reverse   # YouTube is BGP ASN 36561
  

  flow-derived:

  ip access-list extended IPT_g711
   permit udp any gt 1023 any gt 1023 dscp ef kbps range 76 84 seconds gt 1
   # g.711 should be ~80 kbps of high-port UDP for 1+ seconds
  

  heuristic:

  ip access-list extended EPM
   permit tcp any ge 1024 any eq 135
   
  dynamic EPM flow %MSRPC timeout 1
  
  ip access-list extended MS_RPC
   permit tcp any any eq 135 reverse
   permit tcp host $srcip ge 1024 host $dstip ge 1024 flow %MSRPC reverse
  

  Categories are grouped together to create an ordered "view" which is then applied to one or more exporting devices. Multiple views can be used on the same device (e.g., it's common to have aggregate, summary, and detailed views of the same data). The number of categories in a view is unlimited, but try to sort them from most to least common. One Webview installatoin had over 150 categories defined.

  For more info on the ACL syntax, data rendering, and other configuration options, please read the PDF documentation.

• Graphs and Table reports. Webview uses Flowscan-style "butterfly" graphs showing categories stacked in order of their volume, with input below the axis and output above. E.g.,
  

  This butterfly view may seem confusing at first, but it's a very practical way to display many traffic categories while clearly differentiating input and output. Simpler single-axis graphs can also be generated for input traffic, output traffic, or the combined input+output (yeech!). Pie charts can be generated by Netusage, a companion program discussed later.

  Typically, data is maintained using a resolution of one minute, since this is the lowest active flow cache timeout setting on simple Netflow routers. This lets one, for example, zoom in fairly good detail. Here is the previous graph zoomed in on the range from 08:00 - 10:00:

  

  Note: If sub-minute resolution is needed, Cisco's new Flexible Netflow feature supports an active flow cache timeout of as little as a second. Such a low value tremendously increases the amount of flow data and the CPU and disk required to store and graph it, but it produces amazingly precise graphs.

  You're not limited to breaking an interface out by traffic categories. The following graph instead has the single traffic category "TSM" (disk backup) broken out by interfaces named "MPLS/cle", "MPLS/wau", etc.

  

  In addition to traffic volume, Webview also reports on flows, packets, and concurrently active IPs. For example, you might be interested to know what the average bandwidth need is per active user of a certain application. The following report shows that each user of "Internet_HTTP" needs about ~30 Kbps when measured over a business week (8am - 5pm, Monday - Friday):

  			Maximum bps		Average bps
  Date	Interface	Category	In	Out	In	Out
  Mon Apr 14 2008	LAN/apl	Internet_HTTP	27,049	154,515	3,979	23,660
  Tue Apr 15 2008	LAN/apl	Internet_HTTP	62,212	122,788	6,778	18,697
  Wed Apr 16 2008	LAN/apl	Internet_HTTP	46,705	235,215	4,974	24,456
  Thu Apr 17 2008	LAN/apl	Internet_HTTP	46,584	312,958	5,161	30,668
  Fri Apr 18 2008	LAN/apl	Internet_HTTP	23,755	213,472	4,880	45,318

  The graphing engine is very flexible. In fact, it may be too flexible given how cluttered the graphing form is:

  

• Clickable graphs. People seem to go ga-ga over this handy feature, and I'm not sure why more commercial packages don't have it. Basically, if you're looking at a graph and see something interesting, you can click on it to find out more.
  

  Leads to this...

  

  This view goes after the raw flow data, which is generally kept for at least 4-8 weeks (depending on available disk space).

• Ad hoc query tool. As the previous report shows, there's a nice GUI for exploring and reporting on the raw flow data. It's called the Ad Hoc Query Tool (aka Webview Flow Reporter), and many believe it's the most useful feature of Webview. In reality, it's just a front-end for flow-tools' excellent flow-report utility (and can run standalone without the graphing engine if you like).

  The raw flow data available for reporting goes back in time as far as disk space allows. Most small to medium enterprises find that 30 GB is adequate for a month of data. Larger networks can use many terabytes.

  Filtering options:

  • Protocol: TCP, UDP, ICMP, VPN, Other
  • ToS / DSCP / precedence / ECN
  • TCP/UDP port number
  • IP address or subnet
  • User-defined traffic category (using the Cisco ACL syntax described earlier)
  • Interfaces (names, descriptions, multiple router interfaces allowed)
  • Logical expressions allowed (OR and AND NOT)

  Reporting options:

  • Raw flow -- all available Netflow v5 fields such as IPs, ports, human-readable interfaces, TCP flags, DSCP, ECN, start time, duration, BGP ASNs, route masks, etc). Here is an example of full detail.
  • Src/Dst IP -- top-talkers/listeners
  • Conversations -- top src/dst IP pairs
  • Flows -- top src/dst TCP/UDP pairs (i.e., with port numbers)
  • Port -- top TCP/UDP port numbers
  • Custom -- the above reports are just the common defaults. Any flow-tools report can be added.

  Other options:

  • Output: Excel, CSV, ASCII, or HTML table
  • Input: one or more time-stamped raw flow input file(s). Multiple flow directories are allowed.
  • DNS: fast and non-blocking (never delays a report more than 5 seconds).
  • Sorting: bytes/packets/flows/peers. Peers is a count of an IP's connection peers and is great for finding out who is the chattiest -- e.g., malware attempting to spread, DNS servers being hammered, etc.

  Note: The usefulness of being able to report on the raw flow data can not be overstated! Many Netflow software packages aggregate the data or drop fields that don't fit their Netflow monitoring paradigm. But with an interface to the raw data, the user has unlimited options for investigating this data.

• Netflow exporter and interface discovery and normalization. Network management tool maintenance shouldn't be a chore. Adding a new device to Webview is as simple as configuring Netflow export on the device itself. Webview will see it and use SNMP to load the interfaces and descriptions. SNMP ifIndex changes are not a problem, although it's always best to configure Cisco devices with snmp-server ifindex persist. There is no limit to the number of exporters, and some Webview installations have hundreds.

  Interfaces can also be aggregated and renamed. For example, say you had four routers:

  Rtr1 Ethernet0/0  "Cleveland LAN"
  Rtr1 Serial0/0    "Cleveland MPLS T1"
  
  Rtr2 Gig0/0       "Columbus LAN primary"
  Rtr2 Gig0/1       "Columbus LAN backup"
  Rtr2 Multilink1   "Columbus MPLS 3xT1"
  
  Rtr3 Fast0/0      "Columbus LAN"
  Rtr3 Tunnel1      "Columbus MPLS VPN backup"
  
  Rtr4 Fast0/0      "Indianapolis LAN"
  Rtr4 Serial0/0.3  "Indianapolis Frame-relay T1"
  

  You could access the graphs by going to a specific router and interface. But, you can also create aliases based on a regular expression. For example, with these aliases:

  '(\S+) LAN'						'LAN $1'
  '(\S+) (MPLS|Frame-relay|ATM|Direct|Tunnel) (\S+)	'WAN $1'
  

  ... the Webview GUI would display these options for graphing:

  Alias displayed in the GUI	Interfaces used in reports
  LAN Cleveland	Rtr1, Ethernet0/0
  LAN Columbus	Rtr2 Gig0/0 and Gig0/1 and Rtr3 Fast0/0
  LAN Indianapolis	Rtr4 Fast0/0
  WAN Cleveland	Rtr1, Serial0/0
  WAN Columbus	Rtr2, Multilink1 and Rtr3, Tunnel1
  WAN Indianapolis	Rtr4, Serial0/0.3

  The beauty of this approach is that GUI interface is stable and easy-to-navigate, even though the underlying network routers and interfaces may change frequently. It also lets multiple interfaces be easily aggregated together.

• Flexible data aggregation. The simplest and most common way to configure Webview is to define traffic categories and track them by router interface. Then, you begin exporting Netflow from one or more routers in your network that you want visibility into. This approach works well for the vast majority of users of this product.

  However, for those who don't fit this mold, Webview has full support for processing and visualizing Netflow data:

  • by subnet gleaned from the exporting router's routing table
  • by subnet / CIDR block defined by hand
  • by source/destination IP address
  • by source/destination BGP ASN
  • by IP next-hop
  • according to a ACL

  The subnet tracking very useful when Netflow data is not available for a portion of the network. For example, perhaps Netflow is collected only from the head-end routers of an full-mesh MPLS WAN. In this case, tracking Netflow stats by subnet can provide an excellent inferred view of each remote site.

• Netflow-embedded timestamps This is a subtle but important point. Many Netflow analysis packages assume that flows are received at the collector in real time and that they each fit within a single sample interval (typically 1, 5, or 15 minutes). Webview can do that, of course. But, if the network is properly configured for Network Time Protocol (NTP), then Webview can instead use the timestamps embedded within each Netflow record. Thus, there are three separate methods for tallying flows:
  • tally the flow based on when it was received by the collector
  • tally the flow based on the start, end, or middle timestamp of the flow
  • distribute the flow evenly over the duration of the flow. This nicely handles flows that are long or straddle a sample interval. E.g., a four minute flow that starts at 07:58:00 and ends at 08:01:59

  This last approach has several advantages:

  • sample sizes can be smaller than the capture file duration. The Step in webview is the size of each sample interval, and it can be set anywhere from 1 second up to the capture file size (normally 5 minutes). In practice, 60-second samples provide an excellent balance between CPU/storage and being able to see full impact of traffic spikes.
  • flows can be delayed. Even in a simple network, a collector won't receive a Netflow packet until several seconds after the flow finished. In a complex network with multiple collectors, it might take minutes or hours for the flow to be gathered at a central point for processing.
  • flows can be replayed. E.g., if you change the rendering configuration, it's easy to replay the last month of data through the new configuration.
  • an aggressive active flow timeout is unnecessary (i.e., 'ip flow-cache timeout active 1'). In fact, webview can be configured to handle the default timeout of 60 minutes, and the graphs will look just as good as with a 1-minute timeout.
  • it guarantees consistent, accurate reporting, even on time-challenged virtual machines. Some VM's seem to have problems with their real-time clocks, leading to "5-minute" flow files that contain anywhere from 3 to 8 minutes of data. That's no problem when the timestamps are used.

• Flow-tools back-end. Mark Fullmer's flow-tools (http://www.splintered.net/sw/flow-tools/) is a great industrial-grade open source Netflow collector that can capture and normalize high volumes of Netflow v1/5/7 reliably and it has the supporting tools to manipulate that data. Rumor has it that Cisco's own Netflow collector includes parts of flow-tools.

  Netflow v9 and multicast listening is supported with Damien Miller's flowd (http://www.mindrot.org/projects/flowd/). A script is included to convert the flowd-receieved Netflow v9 data into flow-tools format for report processing (see limitations below).

• Perl! Okay, this may not be a feature. In fact, the need to optimize flow processing has led this to be some of the worst-looking Perl code you may have ever seen (the entire main flow processor is compiled on-the-fly). Despite this, processing rates of ~20k flows per second can be expected on relatively modern hardware, and ~5k flows per second is common on VMs. With proper setup, Webview can leverage multiple CPUs and/or servers for higher performance.

  In the field, this software has proven capable:

  • on networks with actual WAN throughput of over 1 Gbps
  • on data center switches with over 10 Gbps of actual LAN throughput
  • with hundreds of exporters
  • with over 150 custom traffic categories

Uses of this application that may not be immediately apparent

• Quality-of-Service (QoS). Netflow does not measure jitter or voice quality, but it's excellent for proving that your network's DSCP markings are consistent and that traffic volumes match expectations. For example, here is a graph showing both properly and improperly tagged G.729 traffic:
  

  Ignore the downward spikes (these were voice probes from NetIQ) and focus on the small ~25 Kbps purple and red rectangles between 19:20 to 20:20. These show that a G.729 flow was being marked in one direction but not the other. A click on the purple untagged area reveals the faulty endpoints. A further raw flow report will show the DSCP's:

  

  In this case, one direction of the VoIP conversation is properly marked as DSCP EF, but the other direction isn't.

  Netflow reports can also shine a light on jitter/quality measurement from sources like Cisco's IP Service Level Agreement (IP SLA, formerly SAA or RTR). For example, in this QoS validation analysis, the first two graphs show round-trip time (RTT) and jitter for voice and data traffic on a given WAN link as reported by IP SLA. The third graph shows the Netflow traffic utilization. The big Netflow spikes correlate to increased jitter and RTT's on the data traffic, but the VoIP traffic remains immune. The final table shows that the traffic causing the spike is properly being marked as DSCP CS1, which is used for scavenger "less-than-best-effort" service. This analysis took about an hour to do and it proves that VoIP is not impacted by non-VoIP traffic and that network spikes are properly being marked as scavenger. Are you sure that's true in your network?

  Note: the /www/ipsla directory of Webview includes an IP SLA monitoring daemon and reporter. If you don't have any other product for IP SLA (e.g., Cacti, NetIQ), then this one works pretty well.

• Security forensics. The ad hoc query tool is a great forensic analysis tool. In particular, the raw flow reports are chronologically accurate and can have millisecond accuracy. It's like a sniffer trace, but it's always running and there are no headaches of setting up monitor ports, setting up a collector, and moving around multi-megabyte capture files. Granted, Netflow doesn't show you payload, but it does let you scan through millions of packets in seconds and quickly figure out approximately what happened and when.

  A Webview user at an ISP penned the article Mining Netflow on this topic in Information Security, Jan 2006. He uses it daily to root out zombies and malware on his customer's machines. Talk about great ISP service!

  Another Webview user had a SQL worm outbreak that evaded their antivirus systems (the worm was brand new but the attack vector was known and unpatched). They only detected the worm when their network started crashing. At that point, sniffers could only tell you who was currently infected. Luckily, Netflow forensics with Webview was able to show that the infection began over 24 hours earlier when a SQL administrator plugged in his laptop infected with W32.Toxbot.B, which then received orders from a rogue machine in the UK to unleash the worm upon the network.

  Netflow forensic analysis with Webview can also reveal a lot about Internet usage behavior. ISP's have used it to answer questions from the domestic (a father wondering just what the #@$! his son was downloading) to the felonious (child enticement, kidnapping, threatening "anonymous" emails, etc). Netflow is not CALEA "compliant", but it is a cost-effective way for network operators who are under the CALEA radar to responsibly address these questions if/when they come up.

• Profiling WAN acceleration (WAAS, WAFS, etc). Many enterprises are deploying WAN accelerators to speed their traffic along.

  Most WAN accelerators tunnel all optimized traffic, which makes it nearly invisible to Netflow on the WAN router. However, the pre-optimized traffic is available from WAN router Netflow if WCCP is used to redirect traffic to the accelerator (example). The pre-optimized traffic may also be available as Netflow from the WAN accelerator itself.

  Cisco and modern Riverbed and Expand products all support transparent acceleration which preserves the IP header of each connection (example). In these cases, Webview is able to report on both pre- and post-optimization traffic per category.

• Capacity planning.

  <soapbox>
  It's amazing that many enterprises still use 5 or 15 minute sample intervals and magic numbers like "60%" to manage their WAN capacity. If you love your network users, please set all your bandwidth monitoring tools to use one minute samples This author was working for a large retail client who had widespread reports of their point-of-sale app randomly failing. The network admin insisted the WAN links were fine. His proof was a graph of 5-minute samples that showed an average utilization of under 25%. Within a few minutes of turning on Netflow, it was clear that the actual traffic level was closer to 10% except for a Microsoft replication job that was pegging the link for a solid two minutes every quarter hour. D'oh!

  In the well-run enterprise, capacity planning goes far beyond a macro-level view of traffic in/out an interface. Real capacity planning is about understanding how individual applications behave when faced with debilitating congestion, and that requires a micro-level view that takes QoS policies into account. It's also about understanding difficult-to-control sources of congestion, such as unsolicited Internet traffic, flash crowding on full-mesh MPLS WAN's, and VoIP return-to-service after power outages. And, most importantly, it's about understanding human tolerance and monitoring to that level (e.g., how long until the user clicks the refresh button, restarts their Citrix session, or reboots their PC?).
  </soapbox>

  That said, Webview does a pretty OK job at capacity planning. It can track long periods of both bandwidth:

  

  and active users:

  

  There is also an optional module called Netusage that extracts business-day data for each element and has a simplified, "manager-friendly" web interface, complete with simple line/pie graphs and easy to read reports. It also stores its data in MySQL, making the data more accessible by tools like Excel and Access.

• Tracking IT migrations. One non-obvious use of Webview is to generate reports on IT migration projects. For example, tracking users as they convert from one version of Exchange to another, or from one set of network switches to another.

  Webview can help empower you to strut into a migration status meeting with an armful of graphs and reports based on real-world data that show percentage complete, stragglers, etc. The project managers will be amazed and wonder how the network guy was able to get such wonderful data.

• Route monitoring. When Netflow is exported directly from a router, it includes subnet information gleaned from the routing tables. Webview includes an optional utility called routeMon which maintains a MySQL table containing the exporter, interface, destination route, and byte count from the previous day.

  This information could be tremendously powerful and it's just waiting for the right problem to solve. But, unfortunately, the predominant network management paradigm is to ignore the routing table and instead of focus on managing elements. Thus far, this collected route data has mainly been useful for examining duplicate routes and ensuring that they are intended or not. E.g., in the below report, the duplicate routes are different paths to the same remote office.

  

Limitations and comparison with other packages

• It cannot easily generate ad hoc graphs because Webview's paradigm is to predefine categories and continually graph them. For example, you can't use the web interface to choose some arbitrary filtering criteria and generate a graph of it over the past week. NFSen and FlowViewer both seem to have this capability. Webview can do it, of course, but it currently requires some behind-the-scenes CLI work by an admin.
• Limited support for Netflow v9/Flexible Netflow/IPFIX. The flow-tools package on which Webview relies supports only Netflow v1/5/7 over unicast. As a workaround, Webview includes a patched flowd collector and rotation script which supports Netflow v9, but only for Netflow v5 compatible fields (i.e., no IPv6 or MPLS tags). This workaround also can be used to support multicast listening. With this workaround, many of Flexible Netflow's benefits can be utilized (e.g., one-second graph precision and VPN support).
• It's not pretty. As the quality of this web page can attest, the author is not a web or UI designer. Please don't be turned off by the gray-on-darker gray theme or the lack of "skins." Although it looks clunky, the interface is fast and functional. And any report can be hyperlinked so you can plug it into a more user-friendly portal that you design yourself.
• It's not real-time. Some packages display real-time views of flow being received. Webview is always at least 5 or 10 minutes behind.
• It's not designed for those mostly interested in peering (institutions or service providers). It certainly can be used in those environments, but Webview's main focus is the enterprise with its powerful categorization. You may want to check out pmacct or FlowScan instead.
• The web interface is probably not secure. It has sanity checks and form validation checks, but the code was not written with security in mind. It's not advised to expose it to the Internet or untrusted external parties unless it is front-ended by a portal.
• It's not for Windows. Sorry. You can certainly install it on a Linux VM running under the free VMPlayer for Windows.

History and author