Friday, May 27, 2011

NetFlow without Cisco Gear

It turns out you can get NetFlow data without having a Cisco device (or with a Cisco device that doesn't support NetFlow).  I had seen and dealt with nProbe before, but wasn't aware that it also runs on Windows.

SPANs are fairly ubiquitous on most switches.  Even if you can't do a SPAN, taps are fairly cheap and add minimal amounts of latency when inserted inline.  If i'm not mistaken, you can even setup rules so that certain subnets appear as if connected through its own interface.

The funny thing is that NetQoS doesn't have an article explaining the simple steps to get it working.  I found this on SolarWinds' social networking site thwack.com:
http://thwack.com/blogs/orion-product-team-blog/archive/2009/11/10/orion-nta-and-nprobe-analyzing-bandwidth-hogs-without-flow-capable-network-equipment/
  1. Download and install nProbe on a Windows (or Linux) server: Download an evaluation version of nProbe and install it on a server.  As noted in the diagram above, you'll need a server with two NICs - one to connect to the span port of the switch and the other to export flows to the Orion NTA server. The eval version of nProbe supports 2,000 flows export, so you’ll eventually need to purchase a copy.  It’s around $100. 
  2. Enable port spanning or port mirroring on your Managed Switch: Configure port mirroring or port spanning on your managed switch to the port that the server running nProbe is connected.  This will allow nProbe to see all traffic flowing through the switch.  You’ll need to consult your switch documentation for how to configure port mirroring or port spanning. If possible, consider only spanning the ports of interest to reduce the amount of flow data collected.
  3. Add the nProbe server to Orion: Add the server running nProbe to Orion, including all interfaces
    Add the server interfaces as monitored NetFlow Sources.  Go to NTA settings and enable “Allow monitoring of flows from unmanaged interfaces”
  4. Configure nProbe to export flows to Orion NTA
Open command prompt on nProbe server and navigate to C:\Program Files\nProbe-Win32>
Run nProbe from CLI using the options listed below:
             nprobe
                 /c - output to console.  This is the easiest method, especially for a demo situation, because you can review the debug messages.
                 -n <Orion NTA server address>:<port>  - IP address and port that should receive the flow records.  Use 2055 for port.
                 -b 1 - modest level of reporting
                  -i  <interface> - generally 1 on Windows; en0/eth0 on Linux; en0 for Ethernet on OSX, en1 for wireless
                 -u <in-index> - sets the ingress interface for all flows (use 1).
                 -Q <out-index> - sets the egress interface for all flows (use 2).
          E.g. nprobe /c -i 1 -n 10.199.15.50:2055 -b 1 -u 1 -Q 65539
NOTE:  It’s important the ingress (-u) and egress (-Q) interface indexes be set to the server interfaces being managed in Orion. NTA will drop flows from interfaces that are not managed in Orion.  You can see the interface index for the server interfaces in Orion by drilling down to their respective interface details view. So, if your nProbe server had two interfaces being monitored in Orion NTA, you would just set the option –u to the index of one of them and the –Q switch to the index of the other.   See nProbe documentation for other command line options.