This documentation applies to NMS version 5.4. An online version of the software can be found here.
FlowFalcon reports enable you to monitor and report on flow technologies. SevOne NMS handles virtually all flow technologies. Flow technologies monitor data in layers 2 through 4 to provide visual details of over or under utilization of a network resource, application traffic, and port conversation activity. FlowFalcon reports display flow data from any router, switch, firewall, etc. that you enable to export flow data.
To access the FlowFalcon Reports page from the navigation bar, click the Applications menu and select FlowFalcon Reports.
The default FlowFalcon Reports page settings enable you to create a FlowFalcon report in two clicks. See the FlowFalcon Report Interactions section later in this chapter for direction to run FlowFalcon reports and how to manipulate reports after you get results.
To monitor your network's specific flow parameters, there are several prerequisites that you should consider.
The New Device page and the Edit Device page enable you to configure the SNMP plugin for devices that send flow data. SNMP is not required but if you omit this step, the FlowFalcon report provides less descriptive information because the name of the device and its interfaces are not resolved. To use the Response Time metric FlowFalcon views, select the Monitor NAM Data check box on the Edit Device page and configure NAM settings to enable a Cisco NAM device to send response time data to the FlowFalcon Reports page.
The Cluster Manager enables you to define FlowFalcon settings including the port number where SevOne NMS listens for flow data. The Advance FlowFalcon Views check box enables you to use Medianet metric FlowFalcon views and to use Response Time metric FlowFalcon views.
The Flow Interface Manager enables you to manage which flows to process.
The Flow Protocols and Services page enables you to edit or define new protocols or services from which to collect flow data.
The Flow Rules page enables you to define rules to process flow data based on device and interface.
The FlowFalcon View Editor enables you to create FlowFalcon views.
The Flow Template Status page enables you to view the fields SevOne NMS derives from flow devices that you can use in FlowFalcon views.
The MPLS Flow Mapping page enables you to upload your network's mapping files to map MPLS attributes to flow data to enable the presentation of MPLS data in FlowFalcon reports.
The Network Segment Manager enables you to group flows from a network segment to identify traffic that comes from different areas in your network.
The Object Mapping page enables you to map poll data from any plugin that monitors an object to a flow interface.
See the Enable Flow Technologies topic for how to enable routers to send flow data to SevOne NMS.
The FlowFalcon Reports page provides several sections of settings that enable you to define the data to appear in the FlowFalcon report. Each FlowFalcon report displays a stacked line graph, a pie chart, and a table of flow data. Some flow sources only provide incoming data. SevOne NMS uses flow data collected from other interfaces to determine the outgoing data. The more interfaces that export flow data on a device, the more accurate the determination.
The Sources section enables you to select the interfaces, device groups/device types, or object groups from which to present a FlowFalcon report. You cannot select a redundant source.
Click the Source Type drop-down.
Select Interfaces to create a report for flow data from the interfaces you allow on the Flow Interface Manager.
Click the Device drop-down and select a device. Select All Devices to define the report to contain all devices.
Click the Interface drop-down and select an interface. Select All Interfaces to define the report to contain all interfaces on the device you select.
Click the Direction drop-down and select whether to define the report to display the Incoming, Outgoing, or All Directions traffic.
Select Device Groups, then click the Device Group drop-down and select a device group/device type. Select All Device Groups to create a report for flow data from all device groups/device types.
Select Object Groups, then click the Object Group drop-down and select an object group.
Click Add Source to add the device, interface, and direction to the Sources to Graph list.
Repeat to add additional sources.
The Report Settings section enables you to select the view and to define the report settings for the report. FlowFalcon views enable you to define the flow template fields to display in the report. SevOne NMS provides starter set FlowFalcon views to enable you to create common FlowFalcon reports
Click the Metric drop-down. This field appears when you select the Advanced FlowFalcon Views check box on the Cluster Manager Cluster Settings tab.
Select Bandwidth to populate the Report View drop-down list with views that focus the report on the volume of traffic.
Select Medianet to populate the Report View drop-down list with views that focus the report on Cisco Medianet video statistics.
Select Response Time to populate the Report Views drop-down list with views that focus the report on the delays caused by various parts of the network. To use the Response Time metric views, select the Monitor NAM Data check box on the Edit Device page and configure the NAM settings to enable the Cisco NAM device to send response time data to FlowFalcon reports.
Click the Mode drop-down.
Select Aggregated to populate the Report View drop-down list with views that use aggregated flow data which stores the most relevant flow data for faster report creation.
Select Granular to populate the Report View drop-down list with views that use raw flow data to allow for more specificity in the result set at the tradeoff of longer report execution times and less historical data availability.
Click the Report View drop-down and select a view. The list of views is dependent on the selections you make from the Metrics drop-down and from the Mode drop-down. See the FlowFalcon Views topic to view the list of FlowFalcon views. If you do not see an applicable view, the Report View field caption provides access to the FlowFalcon View Editor where you can create custom views.
Click the Time Span drop-down and select a time span. Select Custom to display the Choose a Time Range pop-up that enables you to define a custom time span.
Click the Time Zone drop-down and select a time zone.
Click the Split Sources drop-down.
Select Nothing to combine all results from the same direction across the same interface to allow for greater detail in the result set.
Select Interfaces to separate flow data into individual interfaces.
Select Groups to separate flow data by device group/device type or object group depending on the source you select. This option appears when you select Device Groups or Object Groups in the Source section.
Click the Network Segment drop-down and select a network segment. This enables you to resolve IP addresses into segments and to roll up results from the same segment into a single result. The Network Segment field caption link provides to access the Network Segment Manager where you manage network segments.
Click the Show Remaining Traffic drop-down.
Select Yes to display flow data for the top <n> results individually in the pie chart and the stacked line graph plus a Remaining Traffic graph item that groups the flow for the remaining flow sources that meet your filter criteria. You define <n> results in the next step.
Select No to display only the top <n> results in the pie chart and the stacked line graph. Remaining Traffic continues to display in the table.
In the Results to Display field, enter the number of individual results to display in the report. The display includes the first 200 results to optimize browser performance. Export the report to a .csv format or to a .pdf format to view the full result set of more than 200 results. Filters enable you to narrow the scope of the request (see the Filters section below). You can also modify the Selected Sources list to limit the number of sources in the report (see the Sources section above).
FlowFalcon reports display a table of flow data that can include a variety of information that describe the flows. The Advanced Report Settings section enables you to select the data columns to include in the FlowFalcon report table.
Click Advanced Report Settings to display the advanced report settings controls.
In the Data Columns field, select the check box for each data column to include in the report table. You must select the check box for at least one data column. All columns are described at the end of this chapter.
Click the Sort Column drop-down and select the data column on which to sort the table in the FlowFalcon report. This drop-down list displays the data columns you select in the previous step. The data column you select in this step determines the data to display in the pie chart and the stacked line graph in the FlowFalcon report.
Click the Sort Order drop-down and select to sort data in either Ascending or Descending order.
The Resolution Settings section enables you to define domain name resolution settings.
Click Resolution Settings to display the resolution settings controls.
Click the DNS drop-down.
Select Display IP to display raw IP addresses.
Select Display DNS to display resolved domain names when possible.
Select Display Both to display both IP addresses and resolved domain names.
Click the Protocols drop-down.
Select Display Number to display raw protocol numbers.
Select Display Name to display resolved protocol names.
Select Display Both to display both numbers and resolved names.
Click the Ports drop-down.
Select Display Number to display raw port numbers.
Select Display Name to display resolved port names.
Select Show Both to display both numbers and resolved names.
Click the DSCP drop-down.
Select Display Number to display DSCP port numbers.
Select Display Name to display DSCP port names.
Select Display Both to display both numbers and resolved names.
Click the AS drop-down.
Select Display Number to display AS port numbers.
Select Display Name to display AS port names.
Select Display Both to display both numbers and resolved names.
The Display Settings section enables you to define display settings.
Click Display Settings to display the display settings controls.
Click the Granularity drop-down and select the interval between data points in the results. SevOne NMS is optimized to receive flows every one minute. If you configure the router to send flows at a different interval, this setting enables you to view the report at the granularity that matches the router flow timeout setting. A router flow cache setting other than one minute is not recommended.
Select Auto to use the highest applicable granularity for the best display and fastest load time based on the time span you select.
Select a predefined interval.
Select Custom to enter a custom granularity. There is no limit to this value, but if the granularity is too small for the time span, SevOne NMS adjusts the granularity.
Click the Data Units drop-down and select Bits for network oriented data or select Bytes for server oriented data.
Click the Display as Rates drop-down and select Yes to display the results as bits or bytes per second or select No to display the total number of either bits or bytes.
The Filters section enables you to limit the results that appear in the report. Each filter contains one or more rules. Each filter rule applies to a specific flow field. Filter rules for a field not in the view are ignored. This enables you to define filters independently from views.
When you apply a filter to a FlowFalcon report that uses an aggregated view, the Other Traffic and Total Traffic numbers may appear inaccurate due to how the data is aggregated and stored in pre-calculated buckets. If you do not receive the expected number of results after you apply a filter to an aggregated view, increase the number of aggregated results to store for each write interval on the Cluster Manager Cluster Settings tab (FlowFalcon Aggregation TopN).
To delete a filter, click the Filter drop-down and select the filter to delete. The rules list displays the rules for the filter you select. Click Delete Filter to delete the filter.
The filter Boolean expression works such that for each field, SevOne NMS creates a Boolean expression that consists of the negative rules and the positive rules. The negative rules are AND'd to form a sub-expression and the positive rules are OR'd to form a sub-expression. These sub-expressions are then AND'd to form the final expression for each field. Then, each field's composite expression is AND'd to other field expressions.
Perform the following steps to add a new filter.
Click the Filter drop-down and select a filter to copy or select New Filter.
Above the Rules list, click Add Rule to Filter to display the Add New Rule to the Filter pop-up.
On the pop-up, click the Field drop-down and select the field on which to define the rule. Fields that are in the view you select appear first in the drop-down list followed by all known fields from the flow data.
Click the Boolean drop-down and select Is to define the rule with the IS logic or select Is Not to define the rule with the IS NOT logic. For each filter, a data row displays if allowed by all IS NOT rules and any IS rule (if existent).
Click the Operator drop-down and select a comparison operator.
Mask - Flow data must match in the manner of IP address subnet masking.
Subnet - Flow data must be from the network segment you select from the Network Segment drop-down. You define network segments on the Network Segment Manager.
Click Save to save the rule.
Repeat these steps to add multiple rules to the filter.
After you add all rules to the new filter, click Save Filter as New above the rules list to display the Specify a Name for This Filter pop-up.
In the Filter Name field, enter the name of the new filter.
Click Save to save the new filter. The new filter now appears in the Filter drop-down list.
If you modify a filter when you edit a FlowFalcon report and you save the report before you save the filter, you create a new filter for that specific report with the current list of rules. This enables you to modify a filter for a specific report without altering the original filter.
However, if you modify a filter and you save the filter before you save the report, you update the filter and you update any other existing uses of that filter.
In other words:
If you edit a FlowFalcon report and click Save Filter, you save the changes to the original filter.
If you do not click Save Filter, you copy the changes to a new filter that is specific to the report.
Perform the following steps to edit a filter.
Click the Filter drop-down and select the filter to edit.
Click Add Filter Item to display the Add New Rule to the Filter pop-up.
Click the Field drop-down and select a field.
Click the Boolean drop-down and select Is or select Is Not.
Click the Operator drop-down and select a comparison operator.
Click Save on the Add New Rule to Filter pop-up to save the rule.
Click to delete the rules you select from the list.
After you edit the list of rules, click one of the following buttons above the rules list.
Click Save Filter as New to create a new filter without overwriting the filter you select from the Filter drop-down list. The Specify a Name for This Filter pop-up appears to enable you to enter the name for the new filter.
Click Save Filter to overwrite the filter you select from the Filter drop-down with the updates you make to the filter.
A FlowFalcon report displays a pie chart, a stacked line graph, and a table. The pie chart and the stacked line graph display up to 16 colors to represent the top 16 results for the data you select as the Sort Column in the Advanced Report Settings section. The table displays up to 200 results. Detach the report to a .csv format or .pdf format to display more than 200 results. The following sections provide instructions for how to get FlowFalcon report results and how to manipulate and navigate the report to display the exact data you need.
You can get a FlowFalcon report using the default FlowFalcon Reports page settings in two clicks. To get specific FlowFalcon report results, you can either perform the steps in the Define FlowFalcon Reports section before you run the report or you can run the report and then drill down to the specific information.
At the top of the FlowFalcon Reports page, the Sources section displays All Devices, All Interfaces, and All Directions. Click Add Source to add all devices, all interfaces, and all directions to the Sources to Graph list.
Below the Filters section on the FlowFalcon Reports page, click Get Results.
When the FlowFalcon view provides flow direction, and indicate the traffic flow direction. The source port and the destination port are evaluated. The low port (non-zero) is considered the Application and the high port is considered the Client. The IP addresses follow the port numbers.
Example: For a flow: Source 1.1.1.1 port 34333 to destination 2.2.2.2 port 80.
When you create a report that uses the Application field and the Client field, the host appears in a single column, which enables better aggregations of conversations. 80 becomes the Application port because it is the lower port number and 34333 becomes the Client port. With the Application field and the Client field the same report appears as follows.
You can also add the Application Direction field to display each direction of the conversation.
|
The following icons appear in the FlowFalcon Reports page title bar to enable you to export FlowFalcon reports.
- Click to export the summary data from the table to a .csv format.
- Click to export all granular data points in the graph to a .csv format.
- Click to export the report to a .pdf format.
- Click to add the FlowFalcon report as an attachment in a report on a new browser tab. You can modify reports to add other attachments and you can save reports to the Report Manager. Report workflows enable you to designate reports to be your favorite reports and to define one report to appear as your custom dashboard.
The bottom rows of the FlowFalcon report table contain rows for Remaining Traffic and Total Traffic.
The Remaining Traffic row displays the total of all interfaces that are not part of the top <n> results (where <n> is the number you enter in the Results field in the Report Settings section above). If there are fewer results than the number you enter in the Report Settings section, the Remaining Traffic row does not appear.
The Total Traffic row displays the total of all interfaces in the report, regardless of whether the source appear listed individually in the list or not.
The Graph Other setting in the Report Settings section enables you to include the remaining and total traffic in the pie chart and stacked line graph. Click the Graph Other drop-down and select Yes to display a gray slice in the pie graph and a gray line in the stacked line chart that represents the remaining traffic.
Example: Run a FlowFalcon report that contains 100 results. In the Report Settings, Graph Other is set to No and Results is set to 100. The report displays the first ten results in the graph and the first 100 results in the table. The table contains a row for Remaining Traffic after the 100th result. Change the Graph Other setting to Yes and click Get Results. The graph updates to display the same data as before plus a new dark gray pie slice and a stack graph row to represent the 90 unselected rows and the Remaining Traffic.
FlowFalcon reports depict the total rate of flows for each device/interface/direction after duplicating flows that lack directional information. NetFlow v5 only exports information about the incoming interface so SevOne NMS duplicates the flow statistics for v5 NetFlow to enable you to run reports for outgoing flows on devices that use v5 NetFlow. If your network only uses v5 NetFlow, the FlowFalcon report flow rate should be double the actual rate of flows that arrive at the collector. The flow rate in FlowFalcon reports is different from the flow rate that displays on the Flow Interface Manager that uses a different calculation for flow data.
Some column definitions change when you select Split Nothing in the Split Sources field.
Column Name |
Split Interfaces/Split Groups |
Split Nothing |
Data Columns |
||
BANDWIDTH |
||
Average Link Utilization |
Bandwidth divided by the total bandwidth available for that record (same as "% of Available"). |
Bandwidth used divided by the number of records rolled up into that record. |
Bandwidth |
Total amount of traffic. |
Total amount of traffic. |
Bandwidth (% of Available) |
Bandwidth divided by the total bandwidth available for that record. |
Bandwidth divided by the total bandwidth available for all records rolled up into that record. |
Bandwidth (% of Total Available) |
Bandwidth divided by the total bandwidth available for all records with the same unique field set. |
Bandwidth divided by the total bandwidth available for all records rolled up into that record. (When rolled up, this statistic is the same as "% of Available" rolled up.) |
Bandwidth (% of Total Used) |
Bandwidth divided by the total bandwidth used for all records with the same unique field set. |
Bandwidth divided by the total bandwidth used in the entire report. |
FLOWS |
||
Flows |
Total number of flows. |
Total number of flows. |
Flows (% of Total) |
Flows divided by the total number of flows in report. |
Flows divided by the total number of flows in the entire report. |
MEDIANET Views |
||
Packet Loss |
The number of packets lost. |
The number of packets lost. |
Interarrival Jitter |
The amount of jitter upon arrival. |
The amount of jitter upon arrival. |
RTT |
Round trip time. |
Round trip time. |
MULTICAST BANDWIDTH Granular Views |
||
Average Link Utilization |
Bandwidth divided by the total bandwidth available for that record (Same as "% of Available"). |
Bandwidth used divided by the number of records rolled up into that record. |
Bandwidth |
Total amount of traffic. |
Total amount of traffic. |
Bandwidth (% of Available) |
Bandwidth divided by the total bandwidth available for that record. |
Bandwidth divided by the total bandwidth available for all records rolled up into that record. |
Bandwidth (% of Total Available) |
Bandwidth divided by the total bandwidth available for all records with the same unique field set. |
Bandwidth divided by the total bandwidth available for all records rolled up. (When rolled up, same as "% of Available" rolled up.) |
Bandwidth (% of Total Used) |
Bandwidth divided by the total bandwidth used for all records with the same unique field set. |
Bandwidth divided by the total bandwidth used in the entire report. |
MULTICAST PACKETS Granular Views |
||
Packets |
Total number of packets. |
Total number of packets. |
Packets (% of Total) |
Packets divided by the total number of packets in the entire report. |
Packets divided by the total number of packets in the entire report. |
PACKETS |
||
Packets |
Total number of packets. |
Total number of packets. |
Packets (% of Total) |
Packets divided by the total # of packets in the report. |
Packets divided by the total number of packets in the entire report. |
RESPONSE TIMES Views |
||
Application Delay |
|
|
Network Delay |
|
|
Total Delay |
|
|