Documentation for SolarWinds

NetFlow Realtime tool

The NetFlow Realtime tool in ETS for the Desktop provides a granular view of your network traffic. You can see the most recent 5 to 60 minutes of flow data broken out by applications, conversation, domains, endpoints, and protocols. You can use NetFlow Realtime to explore exactly how your bandwidth is being used and who is using it.

Open the NetFlow Realtime tool

  • To launch the tool from the Toolset Launch Pad, locate the NetFlow Realtime tool and click Launch.

  • You can add the tool to a tab in the Workspace Studio, and access it from there.

  • To launch the tool from the Windows Start menu:

    1. Click Start > All > SolarWinds Engineer's Toolset.

    2. Right-click NetFlow Realtime, click More, and click Run as administrator.

Capture NetFlow data

Before you can begin analyzing data exported by your NetFlow-enabled routers and switches, you must capture the flows. Complete the following tasks before you attempt to monitor data with NetFlow Realtime.

Prepare to capture data

  1. Modify the configuration of your NetFlow device to ensure it is exporting NetFlow data.

    Due to the large number of different routers and switches that can export NetFlow data, consult your Cisco device documentation for instructions to enable NetFlow data export. A technical reference is available on the SolarWinds website. For more information, see Enable NetFlow and NetFlow Data Export on Cisco Catalyst Switches.

  2. Ensure you know the listening port for NetFlow data.

    This port is part of the configuration of the NetFlow device.

  3. Ensure you know the IP address or host name of the NetFlow device.

  4. Ensure you know the community string or SNMP version 3 credentials.

Capture data

  1. In the Listen on port field, specify the listening port for exported NetFlow data.

  2. Click Add NetFlow Device, and then specify the following information on the NetFlow Device Credentials window.

    • IP address or host name of the NetFlow device
    • Community string or SNMPv3 credentials

  3. Click Test, and then review the Credentials Test window.

  4. Make any necessary adjustments to your values on the NetFlow Device Credentials window, and then click OK.

If NetFlow Realtime is able to communicate with NetFlow data, a green check mark is displayed in the Sending NetFlow column of the NetFlow Analyzer user interface.

Store NetFlow data

NetFlow Realtime stores up to 60 minutes of captured NetFlow data in Microsoft Access-readable capture files. You can modify the location of capture files by changing the path displayed in the Capture file field of the NetFlow Realtime user interface.

Analyze NetFlow data

NetFlow Realtime offers up to 60 minutes of traffic to analyze. See the following groups.

Applications

Enables you to see all the traffic passing through, broken out by application. Applications use specific ports to send data. This mapping between port, application, and traffic is used to create the specific data points. The number of applications listed in the tree changes based on the Top XX value. Click the top node, Applications, to view an inclusive graph.

  • Expand this category to display a list of all applications in the NetFlow data being received.

  • Select an application in this list to display the distribution of traffic utilization of all the nodes that are utilizing the selected application or port.

  • Map unknown ports to application names by right-clicking on the port and then clicking Map Port.

Conversations

Enables you to see traffic based on source and destination IP address, source and destination port, and the protocol. These five data points, grouped together and matched, create a single conversation. For example, a conversation between 1.1.10.10 and google.com is defined by 1.1.10.10, google.com, port 80 (HTTP) on both IP addresses, and the TCP protocol.

  • Click an IP address in the tree to see all the other IP addresses or domains with which this IP address is in communication.

  • Click the top node, Conversations, to see an inclusive graph of your highest-traffic conversations.
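
The grouping described under Applications and Conversations, as an added example that is not SolarWinds code: it parses a NetFlow datagram, folds records into five-tuple conversations, maps ports to application names, and ranks both by bytes. It assumes the exporter sends NetFlow version 5; the port table, the merging of both directions into one conversation, and the sample addresses are assumptions made for the example.

```python
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
PROTOCOLS = {6: "TCP", 17: "UDP"}
APP_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS"}      # assumed mapping table

def parse_v5(datagram):
    """Yield (src, dst, sport, dport, proto, octets) per NetFlow v5 record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[9], f[10], f[13], f[6]

def summarize(flows, top_n=5):
    """Return (top conversations, top applications) ranked by bytes."""
    conversations, applications = Counter(), Counter()
    for src, dst, sport, dport, proto, octets in flows:
        name = PROTOCOLS.get(proto, str(proto))
        # Assumption: both directions of an exchange count as one conversation.
        a, b = sorted([(src, sport), (dst, dport)])
        conversations[(a, b, name)] += octets
        # Prefer a mapped port; otherwise report the lower port as unmapped.
        port = next((p for p in (dport, sport) if p in APP_PORTS),
                    min(sport, dport))
        applications[APP_PORTS.get(port, f"{name}/{port}")] += octets
    return conversations.most_common(top_n), applications.most_common(top_n)

def sample_datagram():
    """Constructed sample export: three flows between documentation addresses."""
    flows = [("192.0.2.10", "198.51.100.5", 51000, 80, 6, 4000),
             ("198.51.100.5", "192.0.2.10", 80, 51000, 6, 90000),
             ("192.0.2.11", "198.51.100.53", 40000, 53, 17, 300)]
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       10, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, octets in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    print(summarize(parse_v5(sample_datagram())))
```

A port that is missing from the table surfaces as an entry such as TCP/8443, which is the kind of entry the Map Port action is meant to name.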

Domains

Enables you to see all traffic in a domain. A domain consists of all IP addresses that resolve to that domain through reverse DNS.

  • Click a domain or IP address in the tree to see all the other domains or IP addresses with which this domain is in communication.

  • Click the top node, Domains, to see an inclusive graph of all the domains on which traffic is being detected.

Endpoints

Allows you to select specific IP addresses (hosts) and view all the data transmitted and received by that host.

  • Click the top node, Endpoints, to see an inclusive graph. This view does not separate data by application (port) or protocol, but provides an overview of your highest traffic producers.

  • Expand this category to list all nodes. The entries will typically display the host name of the node if reverse DNS resolution is successful, otherwise the IP address will be displayed.

  • Select an endpoint to display the traffic utilization distribution of all nodes that transmitted to and from the selected node.

Protocols

Displays all the traffic that matches a specific protocol, for example, TCP or UDP.

  • Click a specific protocol to see the individual applications the protocol uses to traverse the specified interface.

  • Click the top node, Protocols, to see an inclusive graph of all traffic produced split into protocols.

Start Flow capture

  1. Click the interface whose NetFlow data you want to analyze, and then click Start Flow Capture.

  2. Review the information displayed in the analysis graphs.

  • The tree view can be expanded to reveal individual applications, conversations, domains, endpoints, and protocols. Tree views are dynamic and change based on the time period and the selected Top ## number.

  • The refresh rate is in seconds.

Define applications and modify port definitions

NetFlow Realtime uses the port assigned to an application to define the application.

  1. Click the NetFlow data interface to analyze, and then click Start Flow Capture.

  2. Click Tools > Application Mappings.

  3. To add a new Application definition:

    1. Click Add Application.

    2. Provide the information on the Add new window, and then click OK.

    3. Ensure the spreadsheet of applications, protocols, and ports is correct, and then click OK.

  4. To edit the definition of a port or Application:

    1. Click Edit Application.

    2. Modify the fields on the Edit window, and then click OK.

    3. Ensure the spreadsheet of applications, protocols, and ports is correct, and then click OK.