Review: Crannog Software NetFlow Tracker

NetFlow Tracker mines information from routers and switches to give detailed traffic analysis.

Crannog Software's NetFlow Tracker is an application that collects and interprets a huge amount of data from any IOS-based Cisco router or switch, providing detailed, real-time information about the traffic those devices are handling.

NetFlow is a standard component of Cisco's IOS operating system. It can tell administrators the source and destination address of every packet processed, along with port, protocol and class of service details - much like an RMON probe, but with no need for additional hardware. And because it has been used as the basis of a new IETF standard, called IPFIX (IP Flow Information eXport), NetFlow has now been widely adopted by other manufacturers.

This means the Tracker application can also retrieve traffic information from Enterasys, Huawei, Juniper and other IPFIX-compatible networking devices, again without the need for additional hardware other than a server on which to host the Crannog software.

That server will need plenty of fast disk space to hold the collected data, with a RAID setup recommended for large production networks. No separate database engine is required, however, as the package includes an implementation of the popular MySQL application that can be deployed on Windows, Linux or Solaris.

The hardest part of installing and configuring the software is turning on the NetFlow/IPFIX export on devices to be monitored (exports are set per interface), though Crannog provides detailed information on the initial adjustments that need to be made. The application itself is very straightforward, with a Java GUI accessible from a browser that is quite easy to master.

A high-level view of the exported data shows the devices being monitored, leaving administrators to drill down through the interfaces on those devices to find the information required. It is possible to resolve source and destination IP addresses and display URLs on most of the on-screen reports, for example.

The time range display features simple point-and-click tools to zoom in and out, and a choice between graphical charts and spreadsheet-like tabular reports. Custom report filters can be defined and data exported in CSV format for analysis using other applications.

One drawback of the original NetFlow Tracker product was a limit of 14 days' storage due to the default one-minute sampling interval. The latest V2.0 release features an optional Advanced Services Module (ASM) that extends this, however, with a choice of six storage levels for long-term trend analysis, though the amount of detail kept is reduced the longer the information is stored.

We were given access to a live deployment at an Irish university and were impressed both with the amount of information collected and the tools provided to handle it. Tracker's responsiveness is excellent even when, as in our case, the server is accessed remotely over an internet connection.

How the data collected by NetFlow Tracker is interpreted is, of course, down to individual organisations. We could see its usefulness in isolating faults, capacity planning and general network and security monitoring.

NetFlow Tracker is aimed squarely at network support staff, though interface changes to make it more user-friendly are in the pipeline. Those wanting high-level management reports might look at the NetFlow Monitor application as an alternative.