IT pros have access to a range of tools in their monitoring toolbox. There are the humble but readily available command line options like ping, traceroute, and netstat; the versatile SNMP protocol that gives just-in-time messages via trap, or robust as-needed data via polling; all the way up to complex RPC or WMI queries, which can pull performance monitor counters, eventlog data, and more.
NetFlow™ outshines them all. No other tool can tell you not only that the bandwidth of a particular circuit is maxed out, but also which application (http, SQL queries, authentication traffic, etc.) and which specific systems are responsible for that bandwidth overload.
Case in point: I was contracted to set up monitoring for a school system, and the system I installed included NetFlow, but only from the core router that connected the school system to the Internet. In addition, my monitoring could only see the edge router in each school, but nothing beyond that.
One day I received a call from one of the elementary school principals who complained that the Internet kept going down. When I asked how often, he replied, “intermittently.” This didn’t give me a whole lot to go on.
I dug in using SNMP data first, and quickly saw that (unlike most of the times someone tells me “the Internet is down”), his WAN circuit was maxing out several times each day, for about 20-30 minutes at a time.
From there I switched to NetFlow. Matching up the timestamps, I could see that 10 devices (I couldn’t tell which ones because, remember, I was ONLY monitoring the edge router) were connecting to YouTube. Using an online lookup, I noted that the MAC addresses were assigned to Apple, Inc.
I called the principal back to tell him what I had found. After checking his master schedule, he discovered exactly what the issue was: the school had recently received a donation of 10 iPads, and the art teacher was using them to teach the kids how to record and upload videos to YouTube. That was the reason the WAN circuit was maxing out!
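The two-step method in the story, SNMP utilization to find the saturation windows and then NetFlow records inside those windows to find the talkers, as an added example that is not part of the original post. It assumes a hypothetical 10 Mbit/s WAN link polled every 5 minutes, and uses constructed SNMP samples and constructed NetFlow v5-style records (start time, source, destination, destination port, bytes) in documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LINK_BPS = 10_000_000   # assumed 10 Mbit/s WAN circuit
POLL_SECONDS = 300      # assumed SNMP polling interval
SATURATION = 0.90       # treat >= 90% utilization as "maxed out"

# Constructed SNMP samples: (poll time, octets moved on the WAN interface in the last interval).
# 340,000,000 octets in 300 s is about 9.07 Mbit/s, i.e. roughly 90% of the link.
SNMP_SAMPLES = [
    (datetime(2024, 3, 4, 9, 0), 100_000_000),
    (datetime(2024, 3, 4, 9, 5), 340_000_000),   # saturated
    (datetime(2024, 3, 4, 9, 10), 350_000_000),  # saturated
    (datetime(2024, 3, 4, 9, 15), 120_000_000),
]

# Constructed NetFlow v5-style records from the edge router:
# (flow start, src IP, dst IP, dst port, bytes). 203.0.113.x plays the video site.
FLOWS = [
    (datetime(2024, 3, 4, 9, 1), "10.20.30.41", "203.0.113.10", 443, 90_000_000),
    (datetime(2024, 3, 4, 9, 2), "10.20.30.42", "203.0.113.10", 443, 85_000_000),
    (datetime(2024, 3, 4, 9, 6), "10.20.30.43", "203.0.113.11", 443, 95_000_000),
    (datetime(2024, 3, 4, 9, 7), "10.20.30.5", "198.51.100.7", 80, 2_000_000),
    (datetime(2024, 3, 4, 9, 16), "10.20.30.41", "203.0.113.10", 443, 50_000_000),  # after the window
]

def saturation_windows(samples, link_bps=LINK_BPS, poll=POLL_SECONDS, threshold=SATURATION):
    """Return [(start, end)] intervals in which SNMP utilization crossed the threshold."""
    windows = []
    for polled_at, octets in samples:
        utilization = octets * 8 / poll / link_bps
        if utilization >= threshold:
            start = polled_at - timedelta(seconds=poll)
            if windows and windows[-1][1] == start:      # contiguous: extend the last window
                windows[-1] = (windows[-1][0], polled_at)
            else:
                windows.append((start, polled_at))
    return windows

def top_talkers(flows, windows):
    """Bytes per (src, dst, dport) for flows that started inside a saturation window, largest first."""
    totals = defaultdict(int)
    for started, src, dst, dport, nbytes in flows:
        if any(start <= started < end for start, end in windows):
            totals[(src, dst, dport)] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for key, nbytes in top_talkers(FLOWS, saturation_windows(SNMP_SAMPLES)):
        print(key, nbytes)
```

The sorted output makes the 9:00 to 9:10 saturation window and the three hosts pulling from the same destination on port 443 stand out, which is the same picture the story describes.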
Without NetFlow, this troubleshooting exercise might have taken hours or days, if it was possible at all.
Hopefully you can see why NetFlow is more than just useful. IT pros consider it an essential tool for daily, routine troubleshooting. But NetFlow isn’t the easiest thing to set up, especially for server admins who have inherited a network, or even for network pros who’ve never had to do this before.
That example shows why this guide is so useful. We explain all the variations of NetFlow so you know what you have. We also go over the commands to configure NetFlow and verify that it’s working.
Hopefully this will give you a leg up on the next network issue that comes with an unexpected call from a client.