who is using your network? a netflow demo…

my friends at jalasoft sent me this little gem below. i’ve known about their product for a number of years. while i personally have never had the opportunity to use them, it’s impressive to see how much it has matured. if you’re using opsmgr 2012 and xian network manager, check out what you can do with netflow.


How to Know Who Is Using Your Network in Operations Manager

Jalasoft Inc.
March 2013

So you are monitoring your network with Operations Manager 2012, but how do you know exactly who is actually using it? How do you prevent misuse of your valuable network resources and internet access? In most cases, finding out who is using the network is what people are most interested in. With Xian Network Manager 2012 this is easily accomplished thanks to its built-in NetFlow traffic analyzer. Below we explain how to configure this feature if you have Xian NM 2012 installed.

1. Add a Netflow device

If you do not yet have a flow device available in Xian NM, you will need to add one. This is very easy. First, open the Xian Network Manager Console, then click Device in the menu and select Flow.

In the Rule Wizard that appears, go directly to Parameters and click the Add button. Fill in the name and the IP address of the NetFlow-enabled device. Verify that the device is enabled and that it is sending NetFlow packets to the machine where Xian NM is installed.

Now click OK and then Finish. A default policy template is added automatically; you can remove it in the Policy Template tab. Below we show how to create your own filter and set up an appropriate rule.

2. Create the Netflow filter

Next we create a simple filter that aggregates the NetFlow records by local IP address. This means it creates objects consisting of the active local IP addresses and their corresponding traffic. To do this, go to the Filter tab of the Flow Device Properties. Here you click ‘Add’.


Figure 1, The parameters tab in the ‘Add filter wizard’

Under the parameters tab you provide a clear name and description. Then you click on Next.


Figure 2, The Aggregation tab in ‘Add filter wizard’

In the Add filter wizard you decide the criteria for aggregating, or grouping, the NetFlow records. For example, you might want the performance data grouped by destination IP, port, protocol, etc. This also matters if you want to send an alert when a counter exceeds a threshold.

To keep track of incoming traffic, we suggest grouping the data by destination IP, which shows the total traffic downloaded by each local IP address.


Figure 3, The Filter tab in ‘Add filter wizard’

To prevent unwanted data from being analyzed, you can set up a selection under the ‘Filters’ tab, as shown in Figure 3. For downloads by local IP address, we filter the source to public network IP addresses only and the destination to private network addresses. Ports, protocols and ToS are left set to all options so that all traffic is captured.

Now click ‘Finish’ and the filter is set up. All that remains is to enable the filter in a rule.

3. Add the rule and define the threshold type

In order to have data arriving in Operations Manager you will need to set up a rule in Xian Network Manager. Within the rule settings you can define thresholds, intervals, severity and other settings. To start, go to the ‘Active rules’ tab in the device properties of your Netflow device. Next you add a rule. For our example we will pick the ‘bytes per second’ rule.


Figure 4, filter selection in the ‘Add rule wizard’

First you have to select the filter that you want to apply as a base for the rule in the ‘Filter’ tab. Here we will use the filter we just created to monitor the traffic going to local IP addresses.


Figure 5, setting up thresholds in the ‘Add rule wizard’

Thresholds

Now you need to decide what the proper threshold for the rule is. Since no elements have been discovered yet (that happens once the rule is running), you cannot set specific per-element thresholds.

There are three types of thresholds: Manual, Automatic and Dynamic. If you choose Manual, you set the upper and lower threshold yourself. An Automatic threshold only requires you to tell Xian how many data points it should use to calculate the threshold. Finally, a Dynamic threshold alerts you when traffic changes suddenly and substantially.

Since we do not yet have a clear picture of the traffic, we select Automatic thresholds and set the calculation to use 24 data points.

Schedule

Here you specify how often the rule should run and send performance data and, if needed, alerts to Operations Manager. Note that an interval that is too short (under 5 minutes) may cause performance issues on Operations Manager or SQL Server.


Figure 6, Setting up Device Update in the ‘Add rule wizard’

Device Update

Lastly, you have to specify what should be done when new elements appear. This is important because, while the rule is running, new elements (IP addresses) may be discovered. In this example we set Xian NM up to discover new elements with the automatic threshold, but note that this only works during the calculation period; afterwards the rule applies default settings to new elements and the recalculation must be triggered manually.


Figure 7, Active rules tab in the Device properties of a Netflow device.

The rule now appears in the Active Rules tab of the Device Properties window. At first it is in calculating mode, which lasts until a threshold has been calculated; performance data is already being sent to Operations Manager during this period.
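As an added illustration (not Jalasoft's code and not how Xian is implemented internally), the Python below models what the filter from step 2 and the rule from step 3 do together: keep only public-to-private flows, sum bytes per local destination IP, turn that into the bytes-per-second counter for one rule interval, and stay in calculating mode until 24 data points have been seen before alerting. The flow records are constructed, and the mean plus or minus two standard deviations used for the bounds is an assumed formula that the page does not state.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records, not captured traffic:
# (source IP, destination IP, protocol number, destination port, bytes)
FLOWS = [
    ("93.184.216.34", "192.168.1.10", 6, 443, 120000),  # public -> local: download
    ("93.184.216.34", "192.168.1.10", 6, 443, 80000),   # public -> local: download
    ("151.101.1.69", "192.168.1.22", 6, 80, 50000),     # public -> local: download
    ("192.168.1.10", "93.184.216.34", 6, 443, 4000),    # local -> public: upload, excluded
    ("192.168.1.10", "192.168.1.22", 6, 445, 900000),   # local -> local: excluded
    ("8.8.8.8", "10.0.0.5", 17, 53, 300),               # public -> local: download
]

def download_filter(src, dst):
    """The page's filter: public source, private destination; any port, protocol or ToS."""
    return ipaddress.ip_address(src).is_global and ipaddress.ip_address(dst).is_private

def aggregate_by_local_ip(flows):
    """Group matching records by destination IP and sum bytes: download per local host."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        if download_filter(src, dst):
            totals[dst] += nbytes
    return dict(totals)

def bytes_per_second(totals, interval_seconds):
    """Turn per-host byte totals for one rule interval into the 'bytes per second' counter."""
    return {ip: nbytes / interval_seconds for ip, nbytes in totals.items()}

class AutoThresholdRule:
    """Automatic threshold: 'calculating' until `points` samples (24 on the page) are seen,
    then fix bounds and alert outside them. mean +/- k*stdev is an assumed formula."""

    def __init__(self, points=24, k=2.0):
        self.points, self.k = points, k
        self.samples, self.bounds = [], None

    def observe(self, value):
        """Feed one interval's bytes/s; returns 'calculating', 'ok' or 'alert'."""
        if self.bounds is None:
            self.samples.append(value)
            if len(self.samples) >= self.points:
                mean, sd = statistics.fmean(self.samples), statistics.pstdev(self.samples)
                self.bounds = (max(0.0, mean - self.k * sd), mean + self.k * sd)
            return "calculating"
        low, high = self.bounds
        return "alert" if value < low or value > high else "ok"
```

Feeding `bytes_per_second(aggregate_by_local_ip(records), interval)` for one host into its own `AutoThresholdRule` each interval reproduces the per-element behaviour described under Device Update.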


4. Check everything in Operations Manager


Figure 8, the Netflow dashboard in Operations Manager

If you go to Operations Manager you will be able to see all the performance data and alerts under the Xian Network Manager section. Additionally, you can create your own dashboards like the one shown above in Figure 8.

You can also run reports in the Reporting section and schedule them, as you are used to doing with other Operations Manager reports.

What else can you do?

This is just an example of how you can keep an eye on your environment’s network traffic, but you can probably imagine other scenarios. In a very similar way, you can analyze protocol traffic, active ports, visited websites, or even very specific ones like who is the top user of a specific SQL server.
