Free Netflow Analyzer software

For today, I put together a list of the software that I’m using when I’m testing network behavior in the lab. The software below is free, with some restrictions, but it is perfect when you need a quick solution to monitor your network with NetFlow, sFlow or J-Flow.

All the proposed software has a commercial version, so if you like it and consider one for your company, please get in touch with the company that develops it for more information about licenses.

sFlowTrend

Free, graphical network monitoring tool. sFlowTrend makes use of the popular sFlow standard to generate real-time displays of the top users and applications making use of network bandwidth.

Some features:

  • Quickly understand who is using the network and what they are doing.
  • Enforce corporate acceptable network use policies.
  • Rapidly identify the cause of any problems or abnormal traffic.
  • Understand trends in usage and accurately target upgrades.
  • Generate management reports on current and historical performance.

sFlowTrend is written in Java and will run on most platforms.

Download sFlowTrend.

Solarwinds Netflow Analyzer

Solarwinds Real-Time NetFlow Analyzer captures and analyzes NetFlow data in real time to show you exactly what types of traffic are on your network, where that traffic is coming from, and where it is going. It displays inbound and outbound traffic separately for granular analysis that makes problem diagnosis quick and easy. You can view the historical NetFlow data broken out by application, conversation, domain, endpoint, and protocol. That way you know exactly how your bandwidth is being used and by whom.
Features:

  • Investigate, troubleshoot, and quickly remediate network slowdowns
  • Easily identify which users, devices, and applications are consuming the most bandwidth
  • Isolate inbound and outbound traffic by conversation, application, domain, endpoint, and protocol
  • Personalize NetFlow data displays to view traffic by specified time periods (up to 60 minutes) and by traffic type
  • Customize refresh rates and display units for NetFlow traffic

The drawback of this free version is that it can record only up to 60 minutes; then you have to restart the software to record again.

Available only for Windows platforms.

Download Solarwinds Netflow Analyzer

ManageEngine Netflow Analyzer

ManageEngine NetFlow Analyzer is a web-based (no hardware probes) bandwidth monitoring, network forensics and network traffic analysis tool that has been optimizing thousands of networks across varied industries for peak performance and helping them put their bandwidth to better use. NetFlow Analyzer is a NetFlow, sFlow, J-Flow (and more) collector, analyzer and reporting engine integrated together.

Features:

  • Real-time visibility into top applications and talkers in the network.
  • Detection of unauthorized WAN traffic.
  • Identify viruses, worms and DoS attacks in real time.
  • Understand the history of security violations with alert reports.
  • Recognize applications that use dynamic ports by performing a deep-packet inspection using Cisco NBAR.
  • Real time reports with 1 minute granularity.
  • Aggregated data stored forever for historic reports.
  • Ability to view reports in different granularity – 10 min, hourly, daily, weekly, monthly, and custom time period.

The bad aspect is that you can use it only for 30 days. Then you have to buy it. There is a trick: if you reinstall the product you can use it again for 30 days. I advise using this trick only for personal use or for testing purposes.

Available for Linux and Windows.

Download ManageEngine Netflow Analyzer

Plixer Scrutinizer

Plixer Scrutinizer captures Cisco NetFlow, sFlow and other flow technologies and uses that data to monitor the overall network health. It reports on which hosts, applications and protocols are consuming network bandwidth.

Custom NetFlow reports allow you to filter (include/exclude) exactly the information you need. They can be saved and run again later.

Features:

  • Adds several additional traffic analysis Report Types (e.g. Flows, Flow Volume, NBAR Support, etc.).
  • Report on Top Applications, Conversations, Flows, Protocols, Domains, Countries, Subnets, etc., across dozens of routers and switches.
  • Any saved report in Scrutinizer can be configured with a threshold to trigger an alarm.
  • DNS resolution becomes automated and a constant process.
  • Network traffic reporting and alarming on the internal network: SYN, NULL, FIN, XMAS Scans, RST/ACK worms, P2P, ICMP Unreachable, illegal IP addresses, excessive Multicast traffic, known compromised Internet hosts and more.

The bad part is that it drops the database after 24 hours. Still, you can save the databases before they are dropped by the free version of Scrutinizer.

Available for Windows platforms.

Download Plixer Scrutinizer
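All four collectors above consume the same wire format, and looking at the raw fields makes their feature lists concrete. The Python below is an added example written for this post, not code from any of the products named here: it decodes a NetFlow v5 export datagram (a 24-byte header followed by 48-byte flow records) and then runs two of the analyses the products advertise, top talkers by bytes sent and a SYN-scan heuristic built from single-packet, SYN-only TCP flows. The datagram is constructed inline, so its addresses, ports, packet and byte counts are sample values and not a real export.

```python
"""Decode a NetFlow v5 export and run two collector-style analyses on it.
The datagram built by build_sample_datagram() is constructed for this
example; the addresses and counters in it are not from a real exporter."""
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
TCP_SYN = 0x02


def parse_netflow_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    names = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
             "flow_sequence", "engine_type", "engine_id", "sampling")
    header = dict(zip(names, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={header['version']})")
    # v5 carries at most 30 records; never trust 'count' without checking the length
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if header["count"] > 30 or len(datagram) != expected:
        raise ValueError("record count does not match datagram length")
    # top two bits of the sampling field are the mode, the low 14 bits the interval
    header["sampling_interval"] = header["sampling"] & 0x3FFF
    records = []
    for i in range(header["count"]):
        off = V5_HEADER.size + i * V5_RECORD.size
        r = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, off)))
        for k in ("srcaddr", "dstaddr", "nexthop"):
            r[k] = str(IPv4Address(r[k]))
        records.append(r)
    return header, records


def top_talkers(records, n=3):
    """Bytes sent per source address, largest first."""
    octets = Counter()
    for r in records:
        octets[r["srcaddr"]] += r["dOctets"]
    return octets.most_common(n)


def syn_scan_suspects(records, min_targets=3):
    """Sources with >= min_targets single-packet, SYN-only TCP flows to distinct dst:port pairs."""
    targets = defaultdict(set)
    for r in records:
        if r["prot"] == 6 and r["dPkts"] == 1 and r["tcp_flags"] == TCP_SYN:
            targets[r["srcaddr"]].add((r["dstaddr"], r["dstport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def _record(src, dst, prot, sport, dport, pkts, octets, flags=0):
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                          1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, prot, 0,
                          0, 0, 24, 24, 0)


def build_sample_datagram():
    """Constructed export: one web session, one DNS lookup and three SYN probes."""
    recs = [
        _record("10.10.10.10", "192.168.1.5", 6, 60234, 80, 120, 150_000, 0x1B),
        _record("192.168.1.5", "10.10.10.10", 6, 80, 60234, 200, 2_500_000, 0x1B),
        _record("10.10.10.10", "192.168.1.53", 17, 40000, 53, 3, 210),
        _record("10.10.10.77", "192.168.1.5", 6, 51000, 22, 1, 60, TCP_SYN),
        _record("10.10.10.77", "192.168.1.5", 6, 51001, 23, 1, 60, TCP_SYN),
        _record("10.10.10.77", "192.168.1.5", 6, 51002, 445, 1, 60, TCP_SYN),
    ]
    header = V5_HEADER.pack(5, len(recs), 3_600_000, 1_700_000_000, 0, 1, 0, 0, 0)
    return header + b"".join(recs)


SAMPLE_DATAGRAM = build_sample_datagram()

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(f"v{hdr['version']} export with {hdr['count']} flows")
    print("top talkers:", top_talkers(recs))
    print("SYN-scan suspects:", syn_scan_suspects(recs))
```

NetFlow exports are plain, unauthenticated UDP, so a collector running logic like this should accept datagrams only from known exporter addresses and must validate the record count against the datagram length before indexing into it, as parse_netflow_v5 does; otherwise a spoofed export can poison the reports or trip up a careless parser.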

Do you have any other alternatives that can help network engineers test their environment? Feel free to suggest them in the comments form and if they are good I will add them to this post.

Great tool for testing QoS implementation

After my last post, some readers were asking what tool I used for testing the QoS and how satisfied I am with it.

The name of the tool is Packgen. According to its developers, “Packgen is a simple network packet generator handling diffserv markers, useful for testing network bandwidth and QoS.” It supports features like:
– Network packet flows generation with given bandwidth (packets sent at each time interval depending on the bandwidth to produce and the size of the packets to generate);
– UDP and TCP flows;
– DSCP marking;
– Log generation which gives the possibility to compute statistics on the flows (to come later).

The main difference between iperf (which is also a great testing tool, especially for bandwidth, jitter and packet loss tests) and Packgen is that the latter supports DiffServ marking natively. Of course you can achieve the same results with iperf, with an ACL and inbound marking of the packets matched in the access list, but with Packgen this is straightforward.

I had a little issue when downloading this tool, as the first result in the Google search engine directed me to a page with no download link: http://packgen.rubyforge.org. This contains all the needed information about features, installation and how to use it (actually one of the best READMEs that I ever saw for such tools), but no hint where to download the package. I searched a little bit and you can download it from this official link.

To install this tool, you need to have Ruby on your system and then just run the following from inside the unpacked Packgen folder:

ruby ./setup.rb

Now some words about how to use it. From my post about AutoQoS, you can see that you need at least one client and one server. These 2 devices use different files with Packgen (don’t worry, as the files come in the source package and if not, it’s very easy to create them).
First, the server file, called listen.yml (if you create it yourself, you can give it whatever name you want), looks like this:

LISTEN:
  udp:
    ports: !ruby/range 17000..17002
  tcp:
    ports: !ruby/range 5002..5004

As you can see, there are 2 sections defined, for UDP and TCP traffic. Then with “!ruby/range” you define a range of ports on which the server will listen. However, you can also simply use an integer port number.

Then on the client side, there is a file called sent.yml:

SEND:
  udp:
    - name: Voice
      host: 10.10.10.100:17000
      bandwidth: 700Kb
      packet_size: 252B
      dscp: ef
      from..to: !ruby/range 0.0..60.0
    - name: Video
      host: 10.10.10.100:17001
      bandwidth: 2.8Mb
      packet_size: 750B
      dscp: cs4
      from..to: !ruby/range 10.0..60.0
  tcp:
    - name: Best Effort
      host: 10.10.10.100:5002
      bandwidth: 3.2Mb
      packet_size: 1KB
      from..to: !ruby/range 20.0..60.0
    - name: Background
      host: 10.10.10.100:5002
      bandwidth: 3.2Mb
      packet_size: 1KB
      dscp: cs1
      from..to: !ruby/range 30.0..60.0

Here it’s a little bit more complex, but still human readable. This file also has 2 sections, for UDP and TCP traffic, each holding a list of flows with the following parameters defined:

– name: a label for the flow, used in the logs
– host: ServerIP:port (the port must be one the server listens on)
– bandwidth: bandwidth to simulate
– packet_size: packet size in B or KB
– dscp: the DSCP value to mark the packets with (omit it for unmarked traffic, as in the Best Effort flow)
– from..to: !ruby/range start..end, the time interval in seconds during which the flow is sent

After everything is defined, you just have to run Packgen to test.
On Server side first:

packgen -i listen.yml

Then on Client side:

packgen -i sent.yml

Optionally you can add the -l file option, which will log the traffic sent:

1258663872.6248 SEND dest=10.10.10.100:16385
1258663882.62591 SEND dest=10.10.10.100:5001
1258663895.65219 SEND dest=10.10.10.100:5002
1258663905.66876 SEND dest=10.10.10.100:5003
1258663933.72797 STOP dest=10.10.10.100:16385

or received:

1258663869.80496 LISTEN port=16384 proto=udp
1258663869.81079 LISTEN port=16385 proto=udp
1258663869.81441 LISTEN port=5002 proto=tcp
1258663869.81506 LISTEN port=5003 proto=tcp
1258663872.5886 RECV sent_at=1258663872.64102 flow=0 size=252 id=6
1258663872.58893 RECV sent_at=1258663872.64613 flow=0 size=252 id=7
1258663872.58903 RECV sent_at=1258663872.64719 flow=0 size=252 id=8
1258663872.58915 RECV sent_at=1258663872.65052 flow=0 size=252 id=9
1258663872.58924 RECV sent_at=1258663872.6742 flow=0 size=252 id=10
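What packgen does with each flow of sent.yml is small enough to re-implement, and doing so shows what the bandwidth, packet_size, dscp and from..to parameters turn into on the wire. The Python below is an added example written for this post, not packgen’s own code (packgen is written in Ruby): it parses the units used in the file above, maps DSCP names such as ef and cs4 to the codepoint and to the IP TOS byte, derives the inter-packet interval from the bandwidth and packet size, and sends DSCP-marked UDP packets for the flow’s time window. The unit interpretation (Kb/Mb as decimal bits per second, KB as 1024 bytes, packet_size as the UDP payload length) is an assumption of this example, as is the VOICE dictionary, which copies the Voice flow from sent.yml with the host changed to 127.0.0.1 so the demo runs on loopback.

```python
"""Send one packgen-style UDP flow with DSCP marking at a fixed bandwidth.
Added example for this post; unit handling and the VOICE flow are assumptions:
Kb/Mb = decimal bits per second, B/KB = bytes with KB = 1024, and
packet_size is taken as the UDP payload length."""
import re
import socket
import time

_UNITS_BPS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}
_UNITS_BYTES = {"b": 1, "kb": 1024, "mb": 1024 * 1024}


def parse_rate(text):
    """'700Kb' -> 700000 bits per second."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGkmg]?b)\s*", text)
    if not m:
        raise ValueError(f"bad bandwidth: {text!r}")
    return round(float(m.group(1)) * _UNITS_BPS[m.group(2).lower()])


def parse_size(text):
    """'252B' -> 252 bytes, '1KB' -> 1024 bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMkm]?B)\s*", text)
    if not m:
        raise ValueError(f"bad packet size: {text!r}")
    return round(float(m.group(1)) * _UNITS_BYTES[m.group(2).lower()])


def dscp_value(name):
    """DSCP name -> 6-bit codepoint: CSx = 8x, AFxy = 8x + 2y, EF = 46 (RFC 2474/2597/3246)."""
    n = str(name).lower()
    if n in ("default", "be", "cs0"):
        return 0
    if n == "ef":
        return 46
    m = re.fullmatch(r"cs([0-7])", n)
    if m:
        return int(m.group(1)) * 8
    m = re.fullmatch(r"af([1-4])([1-3])", n)
    if m:
        return int(m.group(1)) * 8 + int(m.group(2)) * 2
    if n.isdigit() and int(n) <= 63:
        return int(n)
    raise ValueError(f"unknown DSCP: {name!r}")


def tos_byte(dscp):
    """DSCP occupies the upper six bits of the TOS/DS byte; the two ECN bits stay 0."""
    return dscp << 2


def packet_interval(bandwidth, packet_size):
    """Seconds between packets so that packet_size-byte packets add up to 'bandwidth'."""
    return parse_size(packet_size) * 8 / parse_rate(bandwidth)


def packets_in_window(flow):
    """How many packets the flow emits over its from..to window at the computed interval."""
    start, end = flow["from..to"]
    return int((end - start) / packet_interval(flow["bandwidth"], flow["packet_size"]))


def send_flow(flow, sock=None):
    """Send the flow's packets at the computed rate, marked with its DSCP. Returns packets sent."""
    host, port = flow["host"].rsplit(":", 1)
    sock = sock or socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS,
                    tos_byte(dscp_value(flow.get("dscp", "default"))))
    payload = bytes(parse_size(flow["packet_size"]))      # zero-filled UDP payload
    interval = packet_interval(flow["bandwidth"], flow["packet_size"])
    start, end = flow["from..to"]
    t0 = time.monotonic()
    time.sleep(start)
    sent = 0
    while time.monotonic() - t0 < end:
        sock.sendto(payload, (host, int(port)))
        sent += 1
        # sleep until the next slot rather than a fixed interval, so drift does not accumulate
        time.sleep(max(0.0, t0 + start + sent * interval - time.monotonic()))
    return sent


# the Voice flow from sent.yml, pointed at loopback (assumed values for the demo)
VOICE = {"name": "Voice", "host": "127.0.0.1:17000", "bandwidth": "700Kb",
         "packet_size": "252B", "dscp": "ef", "from..to": (0.0, 60.0)}

if __name__ == "__main__":
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 17000))        # stands in for 'packgen -i listen.yml'
    listener.settimeout(0.5)
    sent = send_flow(dict(VOICE, **{"from..to": (0.0, 0.2)}))   # 0.2 s instead of 60 s
    received = 0
    try:
        while True:
            listener.recvfrom(2048)
            received += 1
    except socket.timeout:
        pass
    print(f"sent {sent} packets, received {received}, TOS byte 0x{tos_byte(dscp_value('ef')):02x}")
```

Run as a script it binds a listener on 127.0.0.1:17000, sends the Voice flow for 0.2 seconds and reports how many packets arrived; a capture on the loopback interface with the display filter ip.dsfield.dscp == 46 shows the EF marking. Setting IP_TOS does not require root on Linux, but keep in mind that a DSCP set by the sender is only an input to QoS: any router on the path, including the one AutoQoS configured, can re-mark it at its trust boundary, which is exactly what a test like this is meant to verify.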

The configuration files and log excerpts were from my AutoQoS test. If you have any issues using it, please contact me, or just check the documentation on the developers’ site in detail.

Draw network diagrams with Visio under Mac or Linux

Maybe one of my biggest losses when I switched from PC to Mac was that Microsoft Visio is not available for any platform other than Windows. Now, I’m not a big fan of Microsoft products, but I have to admit that they have some good products, and one of them is Visio. Like it or not, more than 75% of the network diagrams that I get are in VSD format, which we all know (or we should) is a closed proprietary format and until now could not be imported into any other product.

I have no problem drawing new diagrams in NeoOffice (for example), but what should I do with the ones that I receive and have to modify? Of course, before I used the solution below, I tried others like ConceptDraw or OmniGraffle, which are also good products and which promise that they can import a format called VDX, to which Visio can export diagrams. I don’t know if it was only for me, but most VDX files exported from Visio did not look so nice when opened in another product. Lines were not aligned, some objects were moved, and so on. The final drawing was looking nice, but not as expected and not ready to work on. And then again, I cannot call or e-mail everybody that sends me a Visio diagram and say “well, you see, can’t you just export it to VDX…” so that I can check. It’s not professional and it’s a headache. On the other hand I really like my Mac, so I racked my brains to find a solution.

The easiest one is to have, on a Mac or Linux, a dual boot or a virtual Windows OS with Visio installed on it. Call me a freak, but I didn’t invest in a Mac to have Windows running on it. I’m not saying anything about Linux, which is open source and sees Windows as its worst nightmare.

I decided to use something called Application Virtualization, which delivers to your screen only the user interface of the software that you open. The solution is not new and I’m not the “genius” who thought of it, but it’s the one that fits me best, as I can open any software (in our case Visio) over any network (including the Internet) and, compared with remote desktop solutions, it proved to be faster. What do you need for this to work properly?

First, you need a Windows Server OS available somewhere online, if you plan to have access to these applications when you are on the move. There are multiple solutions. You can host one yourself at home if you have a 24/7 running machine (you can run it even in a virtual machine), maybe you have access to one at your company or maybe you can afford a VPS. As you don’t need so much power, take the cheapest VPS with Windows Server (I saw some starting at 18$ / month). OK, these are some ideas; the important thing is to have one available.

Next, you need this Windows Server to have IIS and Terminal Services enabled, as this is mandatory for the next step.

This step was the hard part. I needed some Application Virtualization software capable of streaming applications to any environment (Mac, Linux, Windows) and with an affordable price or, unexpectedly, free. I found some out there on the Internet, but most were able to stream virtual applications only to Windows platforms or they were doing something other than Application Virtualization. One product that immediately appeared was XenApp from Citrix. I used this in the past, and I know that it is a reliable, good product. But you can get it as a trial only for 30 days and it was quite hard for me to achieve a working installation. Well, I’m not an expert in Citrix applications, so I assume that this is my fault; otherwise a great product, but not for me.

I kept searching and I found the 2X products webpage.

When I saw the Free download there, I was immediately thinking of a free trial download. I was right: the download of the product has a trial of 30 days. But then, digging a little bit deeper, I saw that after these 30 days you can still use the product free of charge; the only limitation is that you have to stick to 3 concurrent connections and one server (so you cannot use the LoadBalancer feature). I don’t care about LoadBalancer as I only have one server, and anyhow I’m the only person using it. The 3 concurrent connections are enough for 1-2 users with decent usage. I think it is fair that if you use this for your production environment and want more support and resources, you pay for them.

I registered, got the free license immediately and started the installation on a VPS with Windows Server 2003. The installation was quite easy and the configuration as well, thanks to the existing documentation on their site. Just read and follow the instructions and you will end up with working software.

After the installation is finished, all you have to do is provision the software that you want to be able to access over the network, directly on your screen. Also, if you want to have a fully virtualized desktop, 2X is capable of providing this.

Since a short screencast can show more than 1000 words, please have a look below, where I’ll try to show you the major benefits of this software and how you can manage it to obtain the desired result:

[screencast: 2x]

I know that this is not the easiest way to do it, and maybe some of you just prefer to use a virtual machine or dual boot, but as I said this fits me best and maybe you can use the same solution to solve your problems with other Windows-based software, not only Visio. Regarding Visio, the best would be for Microsoft to open the VSD format or release a Mac version. For Linux, I don’t think that they even consider such a possibility.

Routing + QoS + Security all free for you and your small business

OK, you caught me, as this is not from Cisco, but it is related to networking and security, so I believe it fits the idea of this blog. What am I talking about here?! Well, let’s assume that you are the IT guy of a small business or even your home network, and like all of us, you want what’s best for your network. With today’s key words (even if I don’t understand why) like saving, cost reduction and zero budget for new deployments, no manager will approve new hardware to be bought. And to be fair, why would you want to buy an expensive Cisco 6500 if you have 50 PCs in your network and some servers? Cisco and other brands in the same line are good, actually very good, and worth the money to have them, but only if they are really required. Continuing on this idea, somebody asked me to find a solution for his small to medium business, as he has a small user network and some servers. Of course he wanted all the possible features and security but without investing too much, or if possible nothing. To keep everything within these limits, I had the idea to use a Linux box with 3 NICs and a bunch of software for achieving the other features like QoS, routing and so on. But I found something better to manage and to maintain over time.

The product is called Untangle and I found it to be perfect for my solution and maybe for yours, if you want to give it a try. Among the other good features that it has integrated, you will see that this is a FREE product. Of course nothing is just black and white, and if you want some features you have to pay for them. Anyway, I managed to do everything without paying anything. Untangle can be installed on a dedicated machine or as an application in Windows. Installing on Windows is… how can I say… useless, at least from my point of view. I mean, who puts the trust of his network gateway in a Windows machine?! As a dedicated machine it is one of the best solutions that I tested.

As explained in the Untangle documentation, this solution can be installed on any regular Intel / AMD machine with a decent configuration. If you want to keep this solution and its logs for a longer time, I would recommend something dual core with 2 GB of memory and at least 80 GB of hard-disk capacity. The minimum requirements from the developers would be an 800 MHz processor with 512 MB of memory and a 20 GB hard drive, if you plan to run this for a network with fewer than 50 stations. The process is very simple: you download an image, burn it to a disc and then install it. If you ever installed another OS, you will handle this for sure.

The new device can be deployed as a router or as a transparent bridge.
On my private installation I deployed it as a router, as I wanted it to be the main gateway and to separate the LAN from the DMZ area. After you configure the basic stuff, you may want to choose what services you will use on this machine. Everything is modular. You have a virtual rack into which you insert free or paid applications. Maybe you are wondering which are the free applications. Here is the list: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports. This covers most of my basic needs for a small network. If you want advanced features like WAN Load Balancer, WAN Failover or Remote Access Portal then you have to buy these applications. Of course I would have preferred to have these for free too, but as I said in other articles, nothing is 100% free in this world.

Every module is then configured in a graphical interface with easy to understand and follow menus. You can choose what to activate, what traffic is to be inspected, what packets are to be subject to QoS and many more. One thing before you proceed to test this: by routing, please don’t understand dynamic routing protocols or other advanced features. Like I said before, this solution is for small to medium sites which do not have to support a complex routing environment. However, it does support basic routing and it can be installed as a router. Regarding the support you get for this product, there is a good forum and also a Wiki page.

Below I prepared a small gallery with screenshots from Untangle. The screenshots are copyrighted by Untangle.com and can be found on their site together with some nice video presentations of the product.

Please be aware that this site is not affiliated in any way with Untangle.com. The opinions presented here represent my own experience with the Untangle product.

[screenshot gallery]

Wireshark’s most useful display filters

Now and then, especially when you least expect it, the network crashes or encounters an issue and then you have to troubleshoot. Sometimes the problem is right there, you can see it and it’s easy to fix, but in other cases you’ll have to put an eye on the packets that are traveling through it and search deeper for the solution. When it comes to network sniffing or packet capturing or whatever you want to call it, I believe that the name Wireshark (formerly Ethereal) rings a bell.

Wireshark is one of the world’s foremost network protocol analyzers, and is the de facto standard across many industries and educational institutions. Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998. Some features of Wireshark:
– Deep inspection of hundreds of protocols, with more being added all the time
– Live capture and offline analysis
– Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
– Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
– Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
– Capture files compressed with gzip can be decompressed on the fly
– Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
– Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark is extremely useful when it comes to network troubleshooting, as it captures the packets and you can have a detailed look into them, checking if everything is OK in parameters, messages, format and so on. The problem is that if you capture the packets traveling through a backbone router you will end up with a huge file (yes, even up to 1 GB if you capture long enough) and a lot of packet details in it. From these tons of information maybe you are interested in only a minor part, like BGP traffic or a certain IP source and destination. Here is where Wireshark filters come into play.

There are 2 types of Wireshark filters:

– DISPLAY FILTERS – after you capture a lot of information, they help you visualize only the packets that you are interested in; everything is still stored in the capture file
– CAPTURE FILTERS – from the beginning you know what is of interest to you and capture only those packets; the rest is discarded before it is written. Note that capture filters use the BPF syntax of tcpdump (for example host 10.10.10.10 and tcp port 80), not the display filter syntax listed below, so the two cannot be copied from one box to the other

I would recommend using capture filters when you know what you are looking for and you run the capture for more than a couple of hours in a heavy traffic environment. This will help you stay within a reasonable amount of captured information and file size.
If you run the packet capture for less time, like one or two hours, and you are not very sure what you are looking for, then I recommend capturing all the traffic and then using display filters to visualize only the information that you are searching for.

For today I put together a list of the most useful Wireshark display filters. I compiled this list based on my personal experience and on my friends’ and colleagues’ advice. If you think that something is missing, or you are using a display filter that might be useful for others, please feel free to add it in a comment to this topic and I will update the list. In one of the future posts I will show you how to capture the traffic and apply some of these filters.

DISPLAY FILTER            EXPLANATION                                   EXAMPLE
eth.addr                  source or destination MAC address             eth.addr == 00:1a:6b:ce:fc:bb
eth.src                   source MAC address                            eth.src == 00:1a:6b:ce:fc:bb
eth.dst                   destination MAC address                       eth.dst == 00:1a:6b:ce:fc:bb
arp.dst.hw_mac            target MAC address                            arp.dst.hw_mac == 00:1a:6b:ce:fc:bb
arp.dst.proto_ipv4        target IPv4 address                           arp.dst.proto_ipv4 == 10.10.10.10
arp.src.hw_mac            sender MAC address                            arp.src.hw_mac == 00:1a:6b:ce:fc:bb
arp.src.proto_ipv4        sender IPv4 address                           arp.src.proto_ipv4 == 10.10.10.10
vlan.id                   VLAN ID                                       vlan.id == 16
ip.addr                   source or destination IPv4 address            ip.addr == 10.10.10.10
ip.dst                    destination IPv4 address                      ip.dst == 10.10.10.10
ip.src                    source IPv4 address                           ip.src == 10.10.10.10
ip.proto                  IP protocol number (decimal)                  ip.proto == 1
ipv6.addr                 source or destination IPv6 address            ipv6.addr == 2001::5
ipv6.src                  source IPv6 address                           ipv6.src == 2001::5
ipv6.dst                  destination IPv6 address                      ipv6.dst == 2001::5
tcp.port                  source or destination TCP port                tcp.port == 20
tcp.dstport               destination TCP port                          tcp.dstport == 80
tcp.srcport               source TCP port                               tcp.srcport == 60234
udp.port                  source or destination UDP port                udp.port == 513
udp.dstport               destination UDP port                          udp.dstport == 513
udp.srcport               source UDP port                               udp.srcport == 40000
fr.dlci                   Frame Relay DLCI number                       fr.dlci == 112
icmp.type                 ICMP type (decimal)                           icmp.type == 8
vtp.vlan_info.vlan_name   VLAN name (string, so quote it)               vtp.vlan_info.vlan_name == "TEST"
bgp.originator_id         BGP originator ID (IPv4 address)              bgp.originator_id == 192.168.10.15
bgp.next_hop              BGP next hop (IPv4 address)                   bgp.next_hop == 192.168.10.15
rip.ip                    RIP IPv4 address                              rip.ip == 200.0.2.0
ospf.advrouter            OSPF advertising router ID                    ospf.advrouter == 192.168.170.8
eigrp.as                  EIGRP autonomous system number                eigrp.as == 100
hsrp.virt_ip              HSRP virtual IP address                       hsrp.virt_ip == 192.168.23.250
vrrp.ip_addr              VRRP virtual IP address                       vrrp.ip_addr == 192.168.23.250
zebra.dest4               Zebra destination IPv4 address                zebra.dest4 == 10.10.10.10
wlan.addr                 source or destination MAC address (802.11)    wlan.addr == 00:1a:6b:ce:fc:bb
wlan.sa                   source MAC address (802.11)                   wlan.sa == 00:1a:6b:ce:fc:bb
wlan.da                   destination MAC address (802.11)              wlan.da == 00:1a:6b:ce:fc:bb
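The table lists the field names, but the quickest way to see what ip.addr versus ip.src, or tcp.port versus tcp.dstport, actually select is to evaluate them against known packets. The Python below is an added example for this post, not Wireshark code: it is a minimal pcap reader and Ethernet/IPv4/TCP/UDP/ICMP dissector that maps each frame to the field names used in the table and evaluates display filters of the form field == value, joined with &&, returning the matching frame numbers the way Wireshark’s packet list does. The capture is constructed in memory (the MAC 00:1a:6b:ce:fc:bb from the table plus made-up neighbours, and the hosts 10.10.10.10, 192.168.1.5, 192.168.1.53, 172.16.0.9 and 172.16.0.1) and is not a real trace. It also illustrates the display side of the capture versus display distinction made above: every frame is kept, and the filter only decides which ones are shown.

```python
"""Minimal pcap reader + dissector that evaluates a subset of Wireshark
display filters ('field == value' clauses joined by '&&').
Added example for this post; SAMPLE_PCAP is constructed, not a real capture."""
import struct
from ipaddress import IPv4Address


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ipv4(src, dst, proto, payload):
    # version/IHL, DSCP, total length, id, flags/frag, TTL, proto, checksum (0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def _tcp(sport, dport, flags=0x02):                     # header only, SYN by default
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _frame(dst_mac, src_mac, ethertype, payload):
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap file (link type 1, microsecond stamps)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield the frames of a pcap file, honouring either byte-order magic."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def dissect(frame):
    """Map Wireshark-style field names to the set of values they hold in this frame."""
    f = {}
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    f["eth.dst"], f["eth.src"], f["eth.addr"] = {dst}, {src}, {dst, src}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return f                                        # only IPv4 is dissected here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    s, d = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    f["ip.src"], f["ip.dst"], f["ip.addr"], f["ip.proto"] = {s}, {d}, {s, d}, {str(proto)}
    if proto in (6, 17):
        sp, dp = struct.unpack_from("!HH", ip, ihl)
        p = "tcp" if proto == 6 else "udp"
        f[p + ".srcport"], f[p + ".dstport"], f[p + ".port"] = {str(sp)}, {str(dp)}, {str(sp), str(dp)}
    elif proto == 1:
        f["icmp.type"] = {str(ip[ihl])}
    return f


def matches(fields, expr):
    """'ip.src == 10.10.10.10 && tcp.dstport == 80': every clause must hold."""
    for clause in expr.split("&&"):
        name, sep, value = (part.strip() for part in clause.partition("=="))
        if not sep or value not in fields.get(name, set()):
            return False
    return True


def display_filter(pcap_bytes, expr):
    """1-based numbers of the frames that pass the filter, like Wireshark's packet list."""
    return [n for n, fr in enumerate(read_pcap(pcap_bytes), 1) if matches(dissect(fr), expr)]


MAC_A, MAC_GW = "00:1a:6b:ce:fc:bb", "00:0c:29:aa:bb:cc"
MAC_C, MAC_D = "00:50:56:01:02:03", "00:50:56:04:05:06"
SAMPLE_PCAP = build_pcap([          # constructed frames, not a real capture
    _frame(MAC_GW, MAC_A, 0x0800, _ipv4("10.10.10.10", "192.168.1.5", 6, _tcp(60234, 80))),
    _frame(MAC_A, MAC_GW, 0x0800, _ipv4("192.168.1.5", "10.10.10.10", 6, _tcp(80, 60234, 0x12))),
    _frame(MAC_GW, MAC_A, 0x0800, _ipv4("10.10.10.10", "192.168.1.53", 17, _udp(40000, 513, b"who"))),
    _frame(MAC_D, MAC_C, 0x0800, _ipv4("172.16.0.9", "172.16.0.1", 1, bytes([8, 0, 0, 0, 0, 1, 0, 1]))),
])

if __name__ == "__main__":
    for expr in ("ip.addr == 10.10.10.10", "ip.src == 10.10.10.10", "tcp.port == 80", "icmp.type == 8"):
        print(f"{expr:28} -> frames {display_filter(SAMPLE_PCAP, expr)}")
```

Frames 1 and 2 are the two directions of one TCP conversation, which is why ip.addr and tcp.port match both while ip.src and tcp.dstport match only one; that asymmetry is the usual reason a filter “loses” half a session. A capture filter would instead have dropped the non-matching frames before they were written, in BPF syntax such as host 10.10.10.10. The dissector above trusts the IHL and length fields it reads, which is acceptable for a demo, but a parser meant for untrusted captures needs a bounds check on every offset before using it.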

Materials that helped me with this post:
http://packetlife.net/static/cheatsheets/wireshark-display-filters.pdf – thanks Jeremy Stretch
http://www.wireshark.org/docs/dfref/ – here you can find the full list of filters – thanks to the developers of Wireshark