Problems with 3rd party NetFlow products

mooseracing

I'm trying a few free ones (PacketTrap, Scrutinizer and some others) and I swear they're duping the flow data.

Yet I can go to our Cacti server and it is always less than any of the Netflow softwares. Cacti is using SNMP.


For example Scrutinizer Top Convo's chart goes like this:
Destination then %used

Public IP 22.14%
Private Internal IP1 22.13%
Public IP 18.88%
Private Internal IP2 18.87%
etc....

Every top talker is followed or preceded by our Public IP and nearly the same percentage used. So in the end our total traffic graphs are sometimes double or more of our real bandwidth capabilities.


Also, when using AdventNet ManageEngine NetFlow Analyzer, in the traffic graphs it puts our Public IP using around 50%, then lists all the private internal IPs below that, each at a smaller percentage, but basically adding the Public IP and all the Privates together ends up a little over or near 100%.


Am I missing something somewhere? I can't seem to get decent support from any of the companies using their trial product, or they reply with the canned answers that are no help.

Or other suggestions for a NetFlow tool. I really liked the AdventNet tool and it's free for monitoring 2 interfaces, which is fine for our 1811.
 

yinan

WireShark can watch all traffic for free. The only caveat is the switch has to support port mirroring.
 

Nothinman

Is the router doing PAT? If so it's probably reporting both flows, internally with the private IP and externally with its IP. I'm not 100% sure but don't you enable NetFlow per-interface? If so, how about just enabling it on the inside and seeing if the data looks correct?
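Added example, not part of the thread: a small Python model of the effect suggested in the reply above, where the same download is exported once on the WAN side (addressed to the router's public IP) and once on the inside (addressed to the translated private host). The flow records, addresses and interface labels are constructed for illustration and assume that is how the router exports them.

```python
from collections import Counter

PUBLIC_IP = "203.0.113.10"  # constructed address (documentation range)

# Constructed flow records: (observed_on, src, dst, bytes).
# Assumption: each download is exported twice. On the WAN side it is still
# addressed to the public IP; on the inside it is addressed to the real host.
FLOWS = [
    ("wan",    "198.51.100.7", PUBLIC_IP,      221_400),
    ("inside", "198.51.100.7", "192.168.1.21", 221_300),
    ("wan",    "198.51.100.9", PUBLIC_IP,      188_800),
    ("inside", "198.51.100.9", "192.168.1.34", 188_700),
    ("wan",    "198.51.100.5", PUBLIC_IP,       90_000),
    ("inside", "198.51.100.5", "192.168.1.40",  90_000),
]

def top_conversations(flows, interfaces=None):
    """Return [(src, dst, bytes, percent)] sorted by bytes, optionally
    counting only records observed on the given interfaces."""
    totals = Counter()
    for observed_on, src, dst, nbytes in flows:
        if interfaces is None or observed_on in interfaces:
            totals[(src, dst)] += nbytes
    grand = sum(totals.values())
    return [(s, d, b, round(100 * b / grand, 2))
            for (s, d), b in totals.most_common()]

def total_bytes(flows, interfaces=None):
    """Total bytes a collector would report for the chosen interfaces."""
    return sum(b for _, _, b, _ in top_conversations(flows, interfaces))

if __name__ == "__main__":
    for label, ifs in (("all interfaces", None), ("inside only", {"inside"})):
        print(f"{label}: {total_bytes(FLOWS, ifs)} bytes")
        for src, dst, b, pct in top_conversations(FLOWS, ifs):
            print(f"  {src:>14} -> {dst:<14} {pct:6.2f}%")
```

With every interface counted, each conversation appears as a public/private pair at nearly the same percentage and the total is about double; counting only the inside records removes the public-IP rows and halves the total.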
 

mooseracing

Originally posted by: yinan
WireShark can watch all traffic for free. The only caveat is the switch has to support port mirroring.

Have you seen NetFlow organization and how simply it is laid out? Wireshark is a pain in the ass to sit and watch 60 PCs then try to sort out who is using the most bandwidth for a given period. NetFlow with databases is nice as well; it has helped me sell cases that we need bandwidth upgrades before we run into issues. It's nice to see graphed data for previous months or quarters of the year or previous year as well. I use Wireshark only when I have connectivity problems.



Originally posted by: Nothinman
Is the router doing PAT? If so it's probably reporting both flows, internally with the private IP and externally with its IP. I'm not 100% sure but don't you enable NetFlow per-interface? If so, how about just enabling it on the inside and seeing if the data looks correct?

PAT?

Yea, it is enabled on both FE-0 (main WAN), FE-1 (backup WAN) and our VLAN, which is all internal traffic.