Documentation for Security Event Manager

Collect and view NetFlow and sFlow data in SEM

This section describes how to enable and view NetFlow and sFlow data. The Flow utilities are available from the Monitor view, the Explore > nDepth view, and the Explore > Utilities view.

About the Flow explorer

Flow explorer performs flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. Use this explorer to analyze the volume of data (in bytes or packets) transferring to or from an IP address or port number on your network.

For example, if an unknown IP address displays at the top of the Flow explorer’s activity list, you can select a bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to identify the IP address and why it is transmitting so much data.

SEM supports Flow exports from both NetFlow and sFlow devices. Use the Flow explorer on the SEM Console to view graphs, charts, and grids, as well as:

  • Top Talkers by Internet Assigned Numbers Authority (IANA)-based Protocol
  • Top Talkers by Port
  • Top Talkers by Source/Destination Address
  • Top Talkers by Total Bytes
  • Top Talkers by Total Packets

See the manufacturer specifications to configure your devices to send Flow data to SEM. SEM receives Flow data on 2100/UDP for NetFlow devices and on 6343/UDP for sFlow devices.

Enable Flow collection and analysis in SEM

  1. Open the CMC command line. See Log in to the SEM CMC command line interface for steps.

  2. At the cmc> prompt, enter service.

  3. At the cmc::service> prompt, enter enableflow.

  4. To confirm your entry, enter y.

    The Manager service on SEM automatically restarts.

  5. To enable Flow Analysis for Flow data collected on another system, enter n at the prompt and follow the prompts to select the Flow collector.

    Otherwise, enter y.

  6. To return to the cmc> prompt, enter exit, and then press Enter.

  7. To log out of SEM, enter exit, and then press Enter.

View Flow data on the SEM Console

  1. Open the SEM legacy Flash console. See Log in to the SEM web console for steps.

  2. On the SEM menu bar, click Monitor.

  3. From the Explore drop-down list, select Flow.

    The Flow Explorer presents data in graph, chart, or grid formats.