How to analyze Cisco NetFlow with a FREE tool

NetFlow is a network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. It’s proprietary, but it is also supported by platforms other than IOS, such as Juniper routers or FreeBSD and OpenBSD. Cisco routers that have the NetFlow feature enabled generate NetFlow records; these are exported from the router in User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP) packets and collected using a NetFlow collector. Other vendors provide similar features for their routers but under different names: Jflow or cflowd from Juniper Networks, NetStream from Huawei Technology or Cflowd from Alcatel-Lucent. Since my knowledge is mainly in the area of Cisco devices, I will focus on NetFlow. A NetFlow record can contain a wide variety of information about the traffic in a given flow, such as version number, sequence number, input and output interface indices, number of bytes and packets observed in the flow, source and destination IP addresses, source and destination port numbers, IP protocol, ToS and others. By analyzing flow data, a picture of traffic flow and traffic volume in a network can be built. Cisco NetFlow has multiple versions, of which v5 is the most used at the moment.

After this brief explanation of what NetFlow is, let’s focus on the topic of this article. Lately I was searching for a tool that can analyze NetFlow flows and give me an acceptable picture of what’s going on in the network. There are a lot on the market and I tried many of those that offer free trials (maybe someday I will write some reviews about them), but for now I was really searching for something without any cost involved, as it was for my private use.

The NetFlow analyzer software that I was looking for should be able to:
1. Display traffic in a graphical format (graphs, pictures…)
2. Allow me to analyze as many devices / interfaces as I want
3. Allow me to export some reports based on the network activity collected
4. …and the most important for me, to be FREE

As I said before, I tried some tools with great capabilities (e.g. NetFlow Analyzer from ManageEngine), but they had limitations that bothered me (e.g. a limit of only 2 interfaces on the tool from ManageEngine). While searching, I arrived at Scrutinizer NetFlow Analyzer, produced by Plixer International. This tool offers exactly what I was searching for, and it is free. Now the ugly part (there is always a part like this…) is that the tool keeps all information for only 24 hours. The good part is that you can export logs on a daily basis (24 hours). E.g. I had to monitor traffic for some device for 72 hours, so I exported the logs daily and at the end of the monitoring period I compared all the data. Well, this 24-hour limitation is not so nice. I would prefer 48 or 72 hours, because usually this is the minimum time for monitoring a connection, device or interface. If you buy a license, all these limitations are removed. As I said from the beginning, I was searching for something for private use… so this tool was perfect for me. Anyway, I believe big companies can afford to buy this tool if they test it and see that it fits their needs.

Anyway, skipping over this 24-hour limitation, the tool gives you the ability to gather information from as many devices / interfaces as you want. The reports are presented in a nice graphical format, with lots of details. You can download Scrutinizer NetFlow Analyzer from their site. On the download page, you will have the possibility to download the free version (with the 24-hour limitation) or the trial version, which will give you all features for a limited period of time. For the trial version you have to complete a form and they will issue you a trial license.

For an example of how to do a basic NetFlow configuration on a Cisco router and how to operate Scrutinizer NetFlow Analyzer, please see the presentation below. For the test environment I used an old Cisco 2600 router and my notebook with Scrutinizer NetFlow Analyzer installed.

Please note before watching this presentation: is not affiliated in any way with Plixer International and ManageEngine and this is not a “pay per post” article. I just wanted to share with you something that I believe can be useful.
