# NetFlow Analyzer FAQ

## General Product Information

1. **What is NetFlow Analyzer?**

   [NetFlow Analyzer](https://www.manageengine.com/products/netflow/) is a web-based bandwidth monitoring and traffic analysis tool that uses Cisco NetFlow®, sFlow®, cflowd®, jFlow®, IPFIX®, NetStream® and Cisco NBAR® to provide detailed reports on network traffic. NetFlow Analyzer helps IT administrators answer the who, what, when, where, and how of bandwidth usage.

2. **What is an interface?**

   Interface refers to both Layer 3 physical and logical ports on your switching or routing devices.

3. **What is NetFlow?**

   [Cisco® NetFlow](https://www.manageengine.com/products/netflow/cisco-netflow.html) technology is an embedded feature within Cisco IOS devices. [NetFlow data records](https://www.manageengine.com/products/netflow/cisco-netflow.html#stats) consist of information about source and destination addresses, along with the protocols and ports used in the end-to-end conversation. [NetFlow Analyzer](https://www.manageengine.com/products/netflow/netflow-monitoring.html) uses this information to generate graphs and reports on traffic patterns and bandwidth utilization.

4. **What are the different versions of NetFlow available?**

   So far 5 versions of NetFlow have been released. Version 1 is the original version, while version 5 is the standard and most common NetFlow version deployed. Version 7 was released specifically for Catalyst 6500 and 7600 Series switches. It is similar to version 5, but does not include information on AS, interface, TCP flag, and TOS. NetFlow version 8 was introduced to reduce resource usage, and includes a choice of eleven aggregation schemes. Version 9, the most recent version, is a flexible, extensible format with support for MPLS, Multicast, and more. NetFlow Analyzer currently supports NetFlow versions 5, 7 and 9.

5. **How is NetFlow different from traffic analyzers like MRTG™?**

   MRTG and other equivalent tools provide information that is limited to interface statistics. Such tools cannot give application-level details such as hosts, protocols, and conversations, which are an inherent part of IP traffic. [NetFlow traffic statistics](https://www.manageengine.com/products/netflow/cisco-netflow.html#stats) are much more detailed, offering in-depth and fine-grained bandwidth analysis.

6. **Is Cisco the only vendor supporting NetFlow?**

   NetFlow technology was invented by Cisco, and Cisco IOS devices offer [NetFlow compatibility](https://www.manageengine.com/products/netflow/help/appendix/netflow-ios-versions.html). There may be other vendors offering NetFlow support on their devices. However, NetFlow Analyzer has been tested to support NetFlow-enabled Cisco devices only.

## License Information

1. **What is the difference between the Free Edition and Essential Edition?**

   The **[Free Edition](https://www.manageengine.com/products/netflow/download.html#diff)** of NetFlow Analyzer can report on NetFlow data from a maximum of 2 routing interfaces, whereas the **[Essential Edition](https://www.manageengine.com/products/netflow/download.html#diff)** can report on NetFlow data from a maximum of **n** interfaces (where **n** is the number of interfaces you have purchased). There is no other difference between the two editions with respect to features or functionality.

2. **Is a trial version of NetFlow Analyzer available for evaluation?**

   Yes. A 30-day free trial version of NetFlow Analyzer can be downloaded [here](https://www.manageengine.com/products/netflow/download.html).

3. **Does the trial version have any restrictions?**

   The [trial version](https://www.manageengine.com/products/netflow/download.html#trial) is a fully functional version of NetFlow Analyzer, with no functional limitations. The trial version is available for download [here](https://www.manageengine.com/products/netflow/download.html).

4. **Do I have to reinstall NetFlow Analyzer when moving to the Essential Edition?**

   No. You do not have to reinstall or shut down the server. You just need to [enter the new license file](https://www.manageengine.com/products/netflow/help/installation/licensing-netflow-analyzer.html) in the Upgrade License box in the top pane of the NetFlow Analyzer web client.

5. **How many users can access NetFlow Analyzer simultaneously?**

   This depends only on the [capacity of the server](https://www.manageengine.com/products/netflow/help/system-requirements-netflow.html) on which NetFlow Analyzer is installed. The NetFlow Analyzer license does not limit the number of users accessing the application at any time.

## Installation

1. **When I try to access the web interface, another web server comes up. How does this happen?**

   During installation, NetFlow Analyzer checks if the selected port is in use by another application. If the other web server was down at that time, it is not detected. Either disable the other web server, change its server port, or change the NetFlow Analyzer web server port.

2. **How can I change the MySQL port in NetFlow Analyzer from 13310 to another port?**

   Edit the `mysql-ds.xml` file in the `/server/default/deploy` directory. Change the port number in the line:

   ```
   jdbc:mysql://localhost:13310/netflow
   ```

   to the desired port number, save the file, and restart the server.

3. **Can I install and run NetFlow Analyzer as a root user?**

   NetFlow Analyzer can be installed and started as a root user, but all file permissions will be modified, and afterwards you cannot start the server as any other user.

4. **Is a database backup necessary, or does NetFlow Analyzer take care of this? (or) How do I back up data in NetFlow Analyzer?**

   NetFlow Analyzer includes a database backup utility that you can use to make a backup of the database. There are two ways to back up:

   1. Execute the script `backupdb.bat` / `backupdb.sh`, which can be found under `/adventnet/me/netflow/troubleshooting`. This creates a backup of the database in zip format. To restore, extract the zip to the `/adventnet/me/netflow` directory. This is a slow process.
   2. Stop the NetFlow Analyzer service and copy both the Mysql and data folders under the `$NETFLOW_HOME/` folder.

   In both processes, the version of NFA must be the same.

5. **How do I apply an update patch on Linux?**

   Use the command:

   ```
   sh UpdateManager.sh -c
   ```

   and follow the instructions to upgrade NetFlow Analyzer.

## Router Configuration

1. **Why can't I add a router to NetFlow Analyzer?**

   NetFlow Analyzer does not choose which routers or interfaces to monitor. Devices are auto-discovered. All you need to do is set up your interfaces to send NetFlow data to the specified port on NetFlow Analyzer. Once NetFlow Analyzer starts receiving NetFlow data, you can see the device and its interfaces listed on the Interface View.

2. **My router has been set up to export NetFlow data, but I still don't see it on the Dashboard.**

   There are a number of things you can check here:

   - Check if NetFlow is enabled on the device, and that it has started sending flows.
   - Check if your router is exporting NetFlow data to the port on which NetFlow Analyzer is listening.
   - Check if the router is exporting NetFlow version 5/7/9 data.

3. **I've deleted a router and all its interfaces through the License Management page but it still comes up on the Dashboard.**

   This happens because NetFlow packets are still being received from that router. Unless you configure the router itself to stop exporting NetFlow data to NetFlow Analyzer, it will reappear on the Dashboard.

4. **What's the difference between unmanaging and deleting an interface? (or) When do I unmanage a device and when do I delete it from the License Management page?**

   If you need to temporarily stop monitoring a router/interface, unmanage it from License Management. In this case, the router/interface is still shown under License Management. If you need to permanently stop monitoring a router/interface, disable NetFlow exports from the interface/router and then delete it from License Management. In this case, the router/interface is not displayed on any of the client screens unless new flows are sent from it.

5. **How do I configure the SNMP community on a router?**

   To configure SNMP, follow the steps below:

   1. Log on to the router.
   2. Enter global configuration mode.
   3. Type the command `snmp-server community public RO` (to set public as the Read-Only community).
   4. Press Ctrl and Z.
   5. Type the command `write mem`.

6. **How do I set the router time in SYNC with the NFA server?**

   Whenever the time difference between the NetFlow Analyzer server and the router is above 10 minutes, a warning icon appears on the home page. When this happens, NetFlow Analyzer stamps the flows based on the system time of the NetFlow Analyzer server. Ensure the following on the router:

   1. Check if the time zone and the offset (in hours and minutes) for the time zone are set properly (e.g., PST -8 00 or EST -5 00). Use `show running-config` to check, and set them with:

      ```
      clock timezone zone hours [minutes]
      ```

      Example:

      ```
      clock timezone PST -8 00
      ```

   2. Check if the correct time is set using:

      ```
      show clock
      ```

      Set the time using:

      ```
      clock set hh:mm:ss month date year
      ```

## Reporting

1. **The graphs are empty. Why?**

   Graphs will be empty if there is no data available. If you have just installed NetFlow Analyzer, wait for at least ten minutes to start seeing graphs. If you still see an empty graph, it means no data has been received by NetFlow Analyzer. Check your router settings.

2. **What is Aggregate data and Raw data? How do I set the Raw data storage period?**

   NetFlow Analyzer maintains the top 'n' flows for every ten-minute slot as aggregated data. The record count determines this 'n' value (default is 100). This can be changed in Settings. Raw data (all flows, not just the top n) can be stored for up to one month.

   - Aggregated data is stored in 5 levels of tables: 10 Min, Hourly, 6 Hour, 24 Hour and Weekly tables.
   - Raw data is stored in dynamically created tables. Use `MetaTable` and `RawMetaTable` to determine the relevant data tables.

3. **Some applications are labeled as "TCP_App" or similar. What is that?**

   It means NetFlow Analyzer has not recognized the application (port and protocol not mapped). Once added under Application Mapping, they will be recognized.

4. **Why are only the top 5 or 10 values shown in the reports? What if I want more detail?**

   NetFlow Analyzer shows the top 50 results by default. You can see up to 100 results by changing the Record Count value in the Settings page.

5. **The graphs show only IN traffic for an interface. Why?**

   NetFlow traffic accounting is ingress by default. Enable NetFlow on all interfaces through which traffic flows to see both IN and OUT traffic.

6. **Why are some interfaces labeled as IfIndex2, IfIndex3, etc.?**

   This occurs if the device/interface has not responded to SNMP requests. NetFlow Analyzer uses port 161 and the `public` community string by default. Update SNMP settings in the Dashboard or under Settings.

7. **Why does total bandwidth usage decrease depending on report granularity?**

   Older data is aggregated into less granular formats (e.g., 10-minute data aggregated into hourly data). Spikes may not appear in older reports because rates are averaged over longer periods. Example:

   ```
   10:00 -> volume 100MB, avg rate 1,333 Kbits/s
   10:10 -> volume 1MB, avg rate 13.3 Kbits/s
   ...
   ```

   Aggregated hourly:

   ```
   10:00 -> volume 105MB, avg rate 233 Kbits/s
   ```

   The spike is averaged out, reducing visible peak bandwidth.

## NBAR

1. **Which features are not supported by NBAR?**

   - More than 24 concurrent URL, HOST, or MIME matches
   - Matching beyond the first 400 bytes in a URL
   - Non-IP traffic
   - Multicast and non-CEF switching modes
   - Fragmented packets
   - Pipelined persistent HTTP requests
   - URL/HOST/MIME classification with secure HTTP
   - Asymmetric flows with stateful protocols
   - Traffic originating from/destined to the router running NBAR

2. **Are there any restrictions on where NBAR can be configured?**

   NBAR cannot be configured on:

   - Fast EtherChannel
   - Tunneling/encryption interfaces
   - VLANs (supported in later IOS with software switching only)
   - Dialer interfaces
   - Multilink PPP

3. **What does NBAR performance depend on?**

   - Router configuration (protocols matched, regex complexity)
   - Traffic profile (number of flows, duration, stateful matches)

4. **Is performance dependent on the number of interfaces or link speed?**

   No. It depends on packet inspection depth and packet count.

5. **Why does NFA say the router does not support NBAR?**

   Older IOS versions support NBAR discovery but not the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB required for SNMP-based collection.

6. **How do I verify CISCO-NBAR-PROTOCOL-DISCOVERY-MIB support?**

   - Check Cisco MIB support: http://tools.cisco.com/ITDIT/MIBS/AdvancedSearch?MibSel=250073
   - Run:

     ```
     show snmp mib | include cnpd
     ```

## V9

1. **What is NetFlow Version 9?**

   A flexible, extensible template-based export format supporting NAT, MPLS, BGP next hop, Multicast, etc.

2. **What is the memory impact on the router?**

   Memory depends on template flowset structures; the impact is not very high.

3. **What does "Receiving non V5/V7/V9 packets..." mean?**

   It means unsupported NetFlow versions are being received. Configure routers to export only version 5/7/9.

4. **Is version 9 backward compatible?**

   No. It is not backward compatible with versions 5 or 8.

5. **What is the performance impact of V9?**

   A slight decrease due to template management overhead.

6. **What are the restrictions for V9?**

   Required for exporting data from technologies like Multicast, DoS, IPv6, BGP next hop.

7. **How do I configure NetFlow Version 9?**

   Refer to: http://www.cisco.com/en/US/docs/ios/12_3/feature/gde/nfv9expf.html#wp1069837

## Technical Information

1. **How is traffic information stored?**

   NetFlow Analyzer stores traffic information differently for each report.

   ![storage](https://www.manageengine.com/products/netflow/images/nfa6_data_strg_spec.gif)

2. **How are ports assigned as applications?**

   Matching order:

   - Smaller port → configured ports
   - Larger port → configured ports
   - Smaller port → port ranges
   - Larger port → port ranges

   If unmatched:

   - the protocol name followed by `_App` (e.g., `TCP_App`)
   - `Unknown_App` if the protocol is unrecognized

   **Note:** A single flow can be categorized as a single application only. Exact port matches take precedence.

3. **Do I have to reinstall when moving to the fully paid version?**

   No. Just enter the new license file.

4. **How many users can access simultaneously?**

   Depends on server capacity. No license restriction.

5. **How do I avoid logout due to inactivity?**

   Modify:

   ```
   30
   ```

   In:

   ```
   /AdventNet/ME/NetFlow/server/default/conf/web.xml
   ```

   Restart the server after the change.

6. **How do I create the DBInfo log file?**

   1. Ensure NFA is running.
   2. Navigate to the `/Troubleshooting` directory.
   3. Execute `DBInfo.sh` / `DBInfo.bat`.

   This creates `Info.log`. Send it to: [netflowanalyzer-support@manageengine.com](mailto:netflowanalyzer-support@manageengine.com)

7. **What are the advantages of multiple NetFlow Listener Ports?**

   Enhances flow handling rates. Configure up to 5 ports separated by commas under Settings → NetFlow Settings.

8. **What information should I send to support?**

   - Run `logziputil.bat` / `logziputil.sh`
   - Send the `.err` file under `Mysql\data`
   - Send the machine configuration

9. **How do I migrate NFA to a different machine?**

   - Same build number required
   - No cross-platform migration
   - Stop service
   - Copy `MySql` and `Data` folders
   - Install on new server
   - Replace folders
   - Copy `AdventnetLicense.xml` if needed

10. **How do I improve NFA performance?**

    Refer to: http://forums.manageengine.com/NetFlow-Analyzer

11. **Why is the router time not in SYNC?**

    - Verify time using `show clock`
    - Set using `clock set`
    - Set timezone using `clock timezone`
    - Reduce IP group complexity
    - Use "All interfaces" where appropriate

12. **How do I buy NetFlow Analyzer?**

    - [ManageEngine Online Store](https://www.manageengine.com/products/netflow/store.html)
    - [Find a reseller](https://www.manageengine.com/pace/find-reseller.html)
    - http://www.netflowanalyzer.com/

## Enterprise Edition

1. **Why use NetFlow Analyzer Enterprise Edition?**

   - Handles 10,000+ interfaces
   - Several million flows per minute
   - Targeted for large distributed enterprises
   - Scalable architecture
   - Secure HTTPS data transfer

2. **What is the difference between the Essential and Enterprise Editions?**

   See: https://www.manageengine.com/products/netflow/netflow-analyzer-editions.html

3. **What is a Central Server?**

   - Centralized web console
   - Manages Probes
   - Receives and stores data

4. **What is a Probe?**

   - Deployed near routers
   - Collects and processes NetFlow data
   - Compresses and sends to Central Server

5. **How many interfaces and what flow rate can a Probe handle?**

   - ~2000 interfaces
   - Up to 8000 flows/second

   Refer to: https://www.manageengine.com/products/netflow/help/system-requirements-netflow.html

6. **How many Probes per Central Server?**

   Unlimited (based on sizing guide).

7. **How does a Probe contact the Central Server?**

   One-way HTTPS communication (Probe → Central Server).

8. **Where do I configure SNMP parameters?**

   During installation or via Settings → NetFlow Settings. Individual router settings via "Set SNMP parameters".

9. **What if the connection between Probe and Central Server is down?**

   The Probe holds data and sends it when the connection is restored.

10. **How frequently does a Probe contact the Central Server?**

    - Data Sync: Every 10 minutes
    - Configuration Sync: Every 1 minute
    - Real-time notifications: Immediate

11. **Does the Probe send NetFlow data to the Central Server?**

    No. Raw, historical, and one-minute traffic files are not sent.

12. **How secure is the data?**

    Secure HTTPS. Uses Java keytool-generated SSL certificates: http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html

13. **Why do I see the "Probe incompatible with Central Server" message?**

    - Central Server reinitialized
    - Probe deleted from Central Server

14. **What is the bandwidth usage between Probe and Central Server?**

    View under "Probe Details" in the Central Server web client.

15. **What is shown in the Probe Dashboard?**

    Top 10 interfaces by default. Customizable to Top 10/20/30 or selected interfaces.

16. **How do I move the Central Server?**

    - Stop service
    - Run BackupDB
    - Install on new machine
    - Same time zone
    - Restore backup
    - Update Probe settings

17. **How do I move a Probe?**

    - Stop Probe
    - Copy `Probe.txt`
    - Update Central Server details
    - Start and confirm same Probe

18. **What if the Probe is behind a proxy?**

    Configure the proxy in Probe installation or Settings. NAT the Central Server if required.

19. **Is migration between editions supported?**

    No migration between Professional/Essential and Enterprise editions.

20. **What is licensing based on?**

    Based on flow rate. Above 10,000 flows/second requires an additional Probe.
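The matching order from "How are ports assigned as applications?" under Technical Information, written out as an added example (not NetFlow Analyzer's own code). The port tables, protocol table and function names are constructed assumptions; the flow on ports 6885 and 8080 shows an exact match on the larger port taking precedence over a range match on the smaller one.

```python
from collections import Counter

# Constructed sample tables (assumptions), not NetFlow Analyzer's shipped mapping.
PROTOCOLS = {6: "TCP", 17: "UDP"}
EXACT_PORTS = {("TCP", 80): "http", ("TCP", 443): "https",
               ("TCP", 8080): "http-alt", ("UDP", 53): "dns"}
PORT_RANGES = [("TCP", 6881, 6889, "bittorrent"), ("UDP", 16384, 32767, "rtp")]


def classify(proto_num, src_port, dst_port):
    """Label one flow using the FAQ's four-step matching order."""
    proto = PROTOCOLS.get(proto_num)
    if proto is None:
        return "Unknown_App"              # protocol not recognised
    low, high = sorted((src_port, dst_port))
    for port in (low, high):              # steps 1-2: exact ports, smaller first
        app = EXACT_PORTS.get((proto, port))
        if app:
            return app
    for port in (low, high):              # steps 3-4: port ranges, smaller first
        for r_proto, start, end, app in PORT_RANGES:
            if r_proto == proto and start <= port <= end:
                return app
    return f"{proto}_App"                 # known protocol, unmapped ports


def bytes_by_application(flows):
    """Sum bytes per label; each flow counts toward exactly one application."""
    totals = Counter()
    for proto_num, src_port, dst_port, nbytes in flows:
        totals[classify(proto_num, src_port, dst_port)] += nbytes
    return totals


# Constructed sample flows: (protocol number, source port, destination port, bytes)
SAMPLE_FLOWS = [
    (6, 51512, 443, 9000),     # https via exact match on the smaller port
    (6, 6885, 8080, 4000),     # exact match on 8080 beats the 6881-6889 range
    (17, 20000, 40000, 2500),  # rtp via range match on the smaller port
    (6, 50000, 50001, 700),    # no mapping -> TCP_App
    (47, 0, 0, 300),           # protocol missing from PROTOCOLS -> Unknown_App
]
```
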
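A collector-side check for two Router Configuration items above: whether a device is exporting a supported version (5/7/9) and whether its clock is within 10 minutes of the server. This is an added example, not NetFlow Analyzer code; it assumes the comparison uses the export header's `unix_secs` field (the page does not say how the product measures the difference), and the sample datagram and function names are constructed.

```python
import ipaddress
import struct

SUPPORTED_VERSIONS = {5, 7, 9}    # versions the FAQ lists as supported
MAX_SKEW_SECONDS = 10 * 60        # FAQ: warning above a 10-minute difference
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes


def inspect_datagram(data, collector_time):
    """Return version, support status and clock skew for one export datagram."""
    if len(data) < 12:
        return {"error": "truncated header"}
    version, count = struct.unpack_from("!HH", data, 0)
    if version not in SUPPORTED_VERSIONS:
        return {"version": version, "supported": False}
    # unix_secs is at byte offset 8 in the v5, v7 and v9 headers.
    (unix_secs,) = struct.unpack_from("!I", data, 8)
    skew = abs(collector_time - unix_secs)
    return {"version": version, "supported": True, "count": count,
            "skew_seconds": skew, "clock_warning": skew > MAX_SKEW_SECONDS}


def parse_v5_records(data):
    """Decode the flow records of a v5 datagram; reject length mismatches."""
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5 or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a well-formed NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(f[0])),
                      "dst": str(ipaddress.ip_address(f[1])),
                      "input_if": f[3], "output_if": f[4], "bytes": f[6],
                      "src_port": f[9], "dst_port": f[10], "protocol": f[13]})
    return flows


def build_sample_v5(unix_secs):
    """Constructed sample: one v5 datagram carrying a single HTTPS flow."""
    header = V5_HEADER.pack(5, 1, 360000, unix_secs, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        ipaddress.ip_address("192.0.2.10").packed,
        ipaddress.ip_address("198.51.100.7").packed,
        bytes(4), 2, 3, 12, 9000, 350000, 359000,
        51512, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```
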