
Cisco OmniPeek NetFlow Analyzer's User Manual page 3

Cisco netflow analyzer user's guide


Capturing Other NetFlow Packets
As mentioned earlier, the NetFlow Analyzer can also capture NetFlow packets that are being sent to other
devices, analyze the packets and display the NetFlow statistics. To capture and analyze NetFlow packets,
create and enable an Advanced Filter on the NetFlow Capture Analysis Module. To do this, create a
new filter and switch it from "Simple" to "Advanced". Next, select an Advanced Analysis Module node, and
pick the NetFlow Analyzer from the list. When the NetFlow Filter is in use, packets captured by the
adapter are not displayed. Instead, packets representing the statistics from the NetFlow packets are
displayed. This can be a little confusing at first, since the Packets Received value at the top of the Capture
Window shows the number of packets captured, while the Packets Filtered value shows the number
of packets from the NetFlow statistics. Without any other filters enabled, the NetFlow Analyzer will
capture and analyze all of the NetFlow packets on the port specified by the NetFlow port option. To target
specific NetFlow packets, simply add other filters.
Interface Statistics
Most routers have multiple interfaces, and NetFlow can report on any or all of them. The OmniPeek
NetFlow Analyzer displays the interface for each packet in the packet list, and the interface statistics in the
Summary Statistics. In turn, the Interface Statistics can be triggered on and graphed. Below are some
screenshots of each:
NetFlow Versions
This version of the NetFlow Analyzer supports NetFlow versions 5, 9, and templates 256 and 257. If you
are using other versions of NetFlow, and would like us to add support, please send us a trace file of the
NetFlow packets.
Beta Notice
This version of the NetFlow Analyzer is a beta. We are excited about this innovative new tool and look
forward to your feedback.
Limitations
Ah, but yes, there are limitations. The magic used by the NetFlow Analyzer to display NetFlow statistics in
OmniPeek is to collect the NetFlow data and create fake packets that are inserted into and processed by
OmniPeek. For the most part, this works great. Features like Nodes, Protocols, Conversations, and Peer
Map, and many of the Summary Statistics, are accurate and useful. However, if you are inclined to look
at the packets, you will see that they are a facsimile of the real thing. They are real enough to generate
useful statistics, but they are not meant to be analyzed. Because the packets are generated from
the NetFlow data, the exact timestamps of the real packets are not known; they are instead generated by an
algorithm that spaces the packets evenly over the interval represented by each NetFlow record.
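
The following Python sketch is an added example, not OmniPeek code: it parses a NetFlow v5 export datagram and spreads each flow's packet count evenly between the record's First and Last times, which shows why inter-packet timing in the synthesized packets carries no evidentiary value. The v5 field layout is the standard one; the exact spacing scheme, the helper names and the sample datagram are assumptions constructed for illustration, since the manual does not give the algorithm.

```python
import struct

# NetFlow v5 layouts (network byte order): 24-byte header, 48-byte flow record.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Yield (packets, octets, start_ms, end_ms) per flow, in Unix epoch ms."""
    version, count, uptime_ms, secs, nsecs, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than its record count claims")
    # First/Last are router uptime in ms; anchor them to the export wall clock.
    boot_ms = secs * 1000 + nsecs // 1_000_000 - uptime_ms
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        pkts, octets, first, last = rec[5:9]
        yield pkts, octets, boot_ms + first, boot_ms + last

def synth_timestamps(pkts, start_ms, end_ms):
    """Spread pkts timestamps evenly across [start_ms, end_ms] (assumed scheme)."""
    if pkts <= 0:
        return []
    if pkts == 1 or end_ms <= start_ms:
        return [start_ms] * pkts
    return [start_ms + (end_ms - start_ms) * i // (pkts - 1) for i in range(pkts)]

def build_sample():
    """Constructed datagram: one flow, 5 packets, 2000 ms long."""
    header = V5_HEADER.pack(5, 1, 60_000, 1_700_000_000, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), bytes(4),  # src, dst, nexthop
        1, 2,            # input / output interface index
        5, 4200,         # dPkts, dOctets
        50_000, 52_000,  # First, Last (uptime ms)
        49152, 443, 0, 0x1B, 6, 0, 0, 0, 24, 24, 0)
    return header + record

if __name__ == "__main__":
    for pkts, octets, start, end in parse_v5(build_sample()):
        print(pkts, octets, synth_timestamps(pkts, start, end))
```

Whatever the real traffic looked like (a burst, a stall, a retransmit storm), every flow comes out with identical gaps, so timing-based analysis on these packets measures the generator, not the network.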
