Decoding NetFlow or sFlow streams
If you set up a standard probe instance (non-NetFlow or non-sFlow) to monitor a segment that includes NetFlow or sFlow reporting streams, these packets are treated like any other network traffic.
Observer’s statistical displays, such as Top Talkers, do not include the data reported through NetFlow/sFlow.
Therefore, to force Observer to recognize and interpret the NetFlow/sFlow data and update statistical displays accordingly, complete the following steps:
1. Click the File tab, and click Options > Fallback Instance.
2. Choose the probe instance with the settings you want to use to decode the buffer file. For more details about why this is important, see Opening files from unknown locations.
3. On the Home tab, in the Capture group, click Configuration > Packet Capture.
4. Click the Decode button. The Decode and Analysis window appears.
5. Click the Decode tab, then choose Tools > Process NetFlow or sFlow data. The Select Data Source window appears.
6. Choose the data source you want to process.
7. Change your ToS/QoS settings if necessary.
8. Click OK.
 
A temporary post-filter buffer is created in memory that interprets the NetFlow or sFlow statistics and updates Observer’s statistical displays accordingly.
 
Configuring a NetFlow device
To configure a NetFlow device to work with Observer, you must first set up a cache on the router or switch to hold statistics for each interface (i.e., device port) being monitored, then define the IP address and UDP port of the collector (i.e., Observer or probe). On a Cisco router running IOS, the commands look like this:
1. Define which interfaces to monitor:
Router1#config t
Router1(config)#int ser0/0
Router1(config-if)#ip route-cache flow
[Repeat for each interface being monitored]
2. Define the IP address and UDP port of the collector:
Router1#config t
Router1(config)#ip flow-export version 9
Router1(config)#ip flow-export destination 192.168.1.12 9996
 
 
Configuring an sFlow device
To configure an sFlow device to work with Observer, you must define the collector IP address and UDP port, and optionally configure a polling interval and sampling rate (although in most cases the default interval and sampling rate are appropriate). Here is what the commands might look like on a Foundry Layer 3 switch:
1. Define which interfaces to monitor:
Switch1#config t
Switch1(config)#sflow enable
Switch1(config)#interface ethernet 1/1 to 1/8
Switch1(config-mif-1/1-1/8)# sflow forwarding
2. Define the IP address and UDP port of the collector:
Switch1#config t
Switch1(config)#sflow destination 10.10.10.1 9099
Specifying a UDP port is optional; the default is 6343. In most cases, the default polling interval and sampling rate are appropriate, but if you need to adjust them, use the sflow poll-interval and sflow sample commands:
Switch1#config t
Switch1(config)#sflow poll-interval 120
Switch1(config)#sflow sample 30
 
This would cause the device to push sFlow data to the target collector every 120 seconds, with a sampling rate of 1 packet in 30.
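To check that a UDP payload arriving at the collector port really is a NetFlow v9 or sFlow v5 export datagram rather than other traffic, the headers can be parsed directly. The following is an added example, not Observer's own code; the function names and the sample datagrams are constructed for illustration, and the header layouts follow RFC 3954 (NetFlow v9) and the sFlow version 5 specification.

```python
import socket
import struct

def classify_export(payload: bytes) -> dict:
    """Classify a UDP payload as NetFlow v9 or sFlow v5 and summarize it."""
    if len(payload) >= 20 and payload[:2] == b"\x00\x09":
        return parse_netflow9(payload)
    if len(payload) >= 8 and payload[:4] == b"\x00\x00\x00\x05":
        return parse_sflow5(payload)
    return {"proto": "unknown"}

def parse_netflow9(p: bytes) -> dict:
    # Header: version, count, sysUpTime, UNIX secs, sequence, source ID (20 bytes)
    _, count, _, _, seq, source_id = struct.unpack_from("!HHIIII", p)
    out = {"proto": "netflow9", "count": count, "sequence": seq,
           "source_id": source_id, "templates": 0, "data": 0}
    off = 20
    while off + 4 <= len(p):
        fs_id, fs_len = struct.unpack_from("!HH", p, off)
        # Exporter data is untrusted: a short or overrunning length ends parsing.
        if fs_len < 4 or off + fs_len > len(p):
            out["error"] = "bad flowset length"
            break
        if fs_id in (0, 1):      # template / options template FlowSet
            out["templates"] += 1
        elif fs_id > 255:        # data FlowSet, keyed by its template ID
            out["data"] += 1
        off += fs_len
    return out

def parse_sflow5(p: bytes) -> dict:
    # Header: version, agent address type (1=IPv4, 2=IPv6), agent address,
    # sub-agent ID, sequence number, uptime in ms, number of samples
    addr_type = struct.unpack_from("!I", p, 4)[0]
    family, alen = {1: (socket.AF_INET, 4),
                    2: (socket.AF_INET6, 16)}.get(addr_type, (None, 0))
    if family is None or len(p) < 8 + alen + 16:
        return {"proto": "sflow5", "error": "bad or truncated header"}
    agent = socket.inet_ntop(family, p[8:8 + alen])
    _, seq, _, samples = struct.unpack_from("!IIII", p, 8 + alen)
    return {"proto": "sflow5", "agent": agent, "sequence": seq, "samples": samples}

# Constructed sample datagrams (not captured traffic).
SAMPLE_NF9 = (struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0)
              + struct.pack("!8H", 0, 16, 256, 2, 8, 4, 12, 4)  # template 256
              + struct.pack("!HH", 256, 12) + bytes(8))          # one data record
SAMPLE_SFLOW = (struct.pack("!II", 5, 1) + socket.inet_aton("10.10.10.2")
                + struct.pack("!IIII", 0, 7, 120000, 0))
```

A NetFlow v9 data FlowSet can only be decoded after the collector has seen the matching template, so a stream showing data FlowSets but no templates usually means the template has not been resent yet.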