There's a wealth of information available from Cisco routers and switches in terms of traffic flows, which applications are in use, and bandwidth utilisation, but it's not information that you can practicably get directly from the hardware itself. Crannog's NetFlow Tracker software allows you to report on all of this information in an easy-to-use graphical format, and you can export the data into other reporting platforms if you have them.

NetFlow, which is a function of Cisco IOS and CatOS, used to be a switching mechanism. Now it's used to report on traffic flows, detailing source and destination addresses, ports, QoS values and other parameters (see RTFM: NetFlow). You can use this data to identify top talkers, see which applications are on your network, and gauge traffic levels, without needing to deploy remote hardware probes.

You need something to turn this raw data into usable information though, and that's where NetFlow Tracker comes in. Designed to run on a Windows platform (although a Linux version is in the offing), it takes the data from your network equipment and gives you a real-time display of what's going on.

Platform requirements
Crannog recommends a dedicated server for Tracker, as it can be quite resource-intensive, but a Pentium 3 with 512MB RAM should be sufficient for modest networks. Tracker uses MySQL to provide its database services, and Crannog advises that there's likely to be conflict between the way Tracker configures MySQL and other applications that also rely on it: another reason to keep Tracker separate from anything else. Designed as a real-time troubleshooting tool rather than for historical capacity planning, Tracker stores data for up to a week, although you can save any of its reports in CSV format to create your own graphs and reports, archive information, or feed the data into another systems management platform.

Installation is extremely easy, and the user manual even includes the information you need to configure your Cisco kit to produce and export NetFlow records. You do need to tune the way the routers report flows, by setting the flow timer down to one minute to match how Tracker processes the data, otherwise you'll get the same flows reported multiple times and seem to be pushing a lot more data through your network interfaces than you actually are.

Tracker automatically (once you've set SNMP strings up properly) learns about your network devices and interfaces and presents you with a screen listing all devices: all you need to do is click on the one you're interested in, and you'll instantly start to see per-interface utilisation stats.

You can browse into Tracker (the whole thing's web front-ended) from any PC on your network, and can set up login protection to restrict access either for configuration, or for all access.

Reporting facilities
The top-level interface stats show percentage utilisation, traffic rate (bps) and packet rate. From the graph displayed, you select the time period you're interested in and, with a right-click of the mouse, select from a couple of dozen criteria the parameters you want to focus on: for example, source or destination address, conversations, port numbers, ToS or DSCP values, autonomous system numbers, or incoming/outgoing interfaces.

Talking of interfaces, when you enable NetFlow on a router, you do so on a per-interface level. NetFlow itself only reports on ingress traffic, so to allow Tracker to provide you with egress stats also, you'll need to make sure you set up NetFlow on all interfaces, so that it can pick up the outgoing interface information on the other ports to give you a more complete picture of what's going on.
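The ingress-only behaviour described above can be seen in the export records themselves. The following is an added example, not Crannog's code: it assumes the router exports NetFlow version 5, and the function names, addresses and interface indexes are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# Assumption: NetFlow version 5 export (24-byte header, 48-byte flow records).
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

def parse_v5(datagram):
    """Yield (src, dst, in_if, out_if, octets) for each record in one v5 datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        yield IPv4Address(f[0]), IPv4Address(f[1]), f[3], f[4], f[6]

def interface_totals(datagram):
    """Return ({ifIndex: ingress bytes}, {ifIndex: egress bytes})."""
    ingress, egress = defaultdict(int), defaultdict(int)
    for _src, _dst, in_if, out_if, octets in parse_v5(datagram):
        ingress[in_if] += octets   # measured on the interface the flow entered
        egress[out_if] += octets   # inferred from the record's output-interface field
    return dict(ingress), dict(egress)

def build_v5(flows):
    """Pack constructed (src, dst, in_if, out_if, octets) tuples as a v5 datagram."""
    body = b"".join(
        RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), 0, i, o, 1, n,
                    0, 0, 1024, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, i, o, n in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: interfaces 1 (LAN) and 2 (WAN) have NetFlow enabled,
# interface 3 (DMZ) does not, so replies entering on 3 are never exported.
SAMPLE = build_v5([
    ("10.0.0.5", "192.0.2.10", 1, 2, 1000),
    ("192.0.2.10", "10.0.0.5", 2, 1, 5000),
    ("10.0.0.5", "172.16.0.9", 1, 3, 700),
])

if __name__ == "__main__":
    ingress, egress = interface_totals(SAMPLE)
    print("ingress bytes per ifIndex:", ingress)
    print("egress bytes per ifIndex:", egress)
```

In the sample, interface 3 gets an egress total only because interface 1 reported it as an output interface, while the reply traffic that entered on interface 3 is missing from interface 1's egress figure.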

You can keep zooming in through other parameter selections to focus on the traffic you're interested in: alternatively, there is a Filter Editor in Tracker that lets you build a report to look specifically at any of the NetFlow-supported parameters. You choose the time period you want to investigate, select which areas you're interested in (IP address, ToS, ports and applications etc), and also have the ability to then filter on any of these, so you just get presented with the pertinent information, which makes it a lot easier to see what's going on if you're looking for something specific in a busy network. Once the report is displayed, in either graphical or tabular format, you can re-edit filters, or print or save the information for later.

Crannog's NetFlow product family also includes NetFlow Monitor, which is aimed at providing higher-level trending information, while Tracker provides more in-depth technical detail. While Monitor is aimed at second-level network support users who need a quick picture of what the network's up to, Tracker is more suited to third-level support users, who need more detailed troubleshooting and analysis tools. If you want to use both you should download NetFlow Repeater to allow the data to be shared, since you can't install both Tracker and Monitor on the same platform.


If you don't mind writing and customising your own NetFlow analysers you can, no doubt, do this more cheaply, but for ease of use Tracker takes some beating - and it's considerably cheaper than some of the other NetFlow-aware applications, such as Concord's eHealth or InfoVista.