Author: Neftaly Malatjie

  • 114054 LG 1.42 ANALYSING COLLECTED NETWORK PERFORMANCE DATA

    • This section describes popular tools for network traffic flow monitoring and analysis. The tools generate graphs or function as visualization tools that summarize and classify network flow information. These tools generally use flow information captured by other flow collectors; examples are “FlowScan” (uses data from “cflowd”) and “PRTG” (supports all three data acquisition methods). Table 2.3 lists other free NetFlow-like grapher tools with their main features, operating system compatibility, and input/output. “AutoFocus” and “Fluxoscope” are two other popular tools for network traffic flow monitoring and analysis.

      We also list other free network traffic flow monitoring and analysis tools in Table 2.4 with their main features, operating system compatibility, input and output, and primary functionalities for flow collector. Some tools also include report generator features. Since there are many free NetFlow monitoring and analysis tools, a list of available tools with a brief definition and software link information is given in Appendix 7 (Table 7.1).

      For commercial network traffic flow monitoring and analysis tools, Table 2.5 shows commercial NetFlow reporting products by [Cisco, NetFlow06a]. Most products are used primarily for traffic and security analysis. All companies target enterprise users. “AdventNet” and “Crannog Software” are considered to be in the lower price range, and both support only Windows. Only “Cisco NetFlow Collector” and “HP” support Solaris and Linux. The rest support either Linux or Windows, except “Arbor Networks” (BSD only) and “Micromuse” (Solaris). One more observation is that if the operating system is Solaris, only NetFlow data can be used.

      “FlowScan” [D. Plonka, 2000] is a visualization tool used to generate reports in HTML format. “FlowScan” is a package of Perl script modules that binds a flow collection engine, a high-performance database, and a visualization tool together. Instead of cflowd’s “arts++” data aggregation features, “FlowScan” uses RRDtool to store numerical time-series data. The RRDtool and RRGrapher modules are used to create output such as graphs of IP traffic in GIF (Graphic Interchange Format) or PNG (Portable Network Graphics) format.

      “FlowScan” uses “cflowd” as its flow collector; the “cflowd” components used by “FlowScan” are the “cflowdmux” and “cflowd” programs. “cflowdmux” receives UDP NetFlow data from routers and passes it to “cflowd”, which writes it to disk. Another module called “flowscan” (not “FlowScan”) does the central processing in the system, such as loading and executing report modules. A report module is a Perl module derived from the “FlowScan” class (FlowScan.pm). Another module called “flowdumper” is a utility used to examine the raw flows manually.
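
      Manual inspection of raw flows, as a utility like “flowdumper” allows, is sketched below in an added example (not code from FlowScan or cflowd) that decodes one export datagram and, because the collector accepts UDP from the network, checks the sender-supplied record count against the real datagram length first. It assumes the routers export NetFlow v5; `parse_v5`, `build_sample`, `MalformedDatagram` and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layout (assumed export version): 24-byte header, 48-byte records
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # a v5 exporter sends at most 30 records per datagram


class MalformedDatagram(ValueError):
    """Raised when a datagram cannot be a well-formed NetFlow v5 export."""


def parse_v5(datagram: bytes) -> list:
    """Decode one datagram into flow dicts, rejecting inconsistent input."""
    if len(datagram) < HEADER.size:
        raise MalformedDatagram("shorter than the v5 header")
    version, count, *_rest = HEADER.unpack_from(datagram)
    if version != 5:
        raise MalformedDatagram(f"unsupported version {version}")
    if not 1 <= count <= MAX_RECORDS:
        raise MalformedDatagram(f"implausible record count {count}")
    # The count field is sender-controlled: check it against the real length
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise MalformedDatagram("length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return flows


def build_sample() -> bytes:
    """Constructed datagram carrying one TCP flow, for the demo only."""
    header = HEADER.pack(5, 1, 360000, 1700000000, 0, 42, 0, 0, 0)
    record = RECORD.pack(
        int(ipaddress.IPv4Address("192.0.2.10")),
        int(ipaddress.IPv4Address("198.51.100.7")),
        0, 1, 2, 12, 9000, 350000, 359000,
        51515, 443, 0, 0x1B, 6, 0, 64500, 64501, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    sample = build_sample()
    print(parse_v5(sample))
    try:
        parse_v5(sample[:-8])  # truncated in transit or forged
    except MalformedDatagram as exc:
        print("rejected:", exc)
```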

      “FlowScan” provides an extra buffer management feature to cope with very high traffic and flood-based DoS attacks. It also supports stateful inspection through the use of heuristics. By analyzing flow information, “FlowScan” can track the state of an application session or a series of sessions. As a result, “FlowScan” can classify stateful traffic such as the Napster application or passive-mode FTP file transfers. [D. Plonka, 2000]

    • Figure 2.2: Screen snapshot of FlowScan [D. Plonka, 2000]

      Next, Paessler Router Traffic Grapher (PRTG) [PRTG06] is a very powerful and low-cost tool (starting from $100) for monitoring traffic and bandwidth use on Windows. PRTG provides both free (with three sensors, for academic and personal use) and commercial versions. This tool supports all three data acquisition methods: NetFlow-like, SNMP (not only bandwidth usage but also CPU usage, disk usage, and temperatures can be monitored), and packet sniffer (running in promiscuous mode). Administrators can use either the Windows interface or the web interface to configure and monitor the sensors and create reports.

    • Figure 2.3: Screen snapshot of PRTG 

      “AutoFocus” is a traffic analysis and visualization tool. “AutoFocus” analyzes the traffic pattern and provides both textual reports (measured in bytes, packets and flows) and time series plots. Its extra feature is that it generates reports with traffic cluster aggregation of the traffic mix. The traffic mix is defined using the source and destination IP addresses, the source and destination ports, and the protocol field. RRDtool is used to produce time series plots of the traffic mix. “AutoFocus” can produce reports and plots for various time periods ranging from weeks to half-hour intervals. It also supports user filters. “AutoFocus” supports two types of input: packet header traces and NetFlow data. Sampling can be applied to both input types, but “AutoFocus” only compensates for the sampling in the reports that measure the traffic in bytes and packets, and not in those that measure the traffic in flows. [Cristian Estan et al., 2003]
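
      The sampling point above is illustrated by this added example (not AutoFocus code, and a plain group-by rather than AutoFocus's own clustering algorithm), which aggregates flow records on any subset of the five traffic-mix fields and scales bytes and packets, but not the flow count, by the sampling interval. The names `aggregate`, `top_clusters` and `SAMPLE_FLOWS`, the 1-in-100 sampling interval and the records themselves are constructed assumptions.

```python
from collections import defaultdict

# The five fields the text says define the traffic mix
FIELDS = ("src", "dst", "sport", "dport", "proto")


def aggregate(flows, key_fields, sampling_interval=1):
    """Group sampled flow records by key_fields and estimate true volume.

    Bytes and packets are scaled by the 1-in-N packet sampling interval.
    The flow count is left as observed: short flows that had no packet
    sampled are missing entirely, so multiplying by N would not recover them.
    """
    unknown = set(key_fields) - set(FIELDS)
    if unknown:
        raise ValueError(f"not a traffic-mix field: {sorted(unknown)}")
    if sampling_interval < 1:
        raise ValueError("sampling interval must be >= 1")
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows_seen": 0})
    for flow in flows:
        cluster = totals[tuple(flow[f] for f in key_fields)]
        cluster["bytes"] += flow["bytes"] * sampling_interval
        cluster["packets"] += flow["packets"] * sampling_interval
        cluster["flows_seen"] += 1
    return dict(totals)


def top_clusters(report, metric="bytes", limit=3):
    """Largest clusters first, as a textual report would list them."""
    ranked = sorted(report.items(), key=lambda kv: kv[1][metric], reverse=True)
    return ranked[:limit]


# Constructed sample records, as exported under 1-in-100 packet sampling
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "sport": 51515,
     "dport": 443, "proto": 6, "bytes": 9000, "packets": 12},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "sport": 51600,
     "dport": 443, "proto": 6, "bytes": 3000, "packets": 4},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "sport": 40000,
     "dport": 53, "proto": 17, "bytes": 200, "packets": 2},
]

if __name__ == "__main__":
    # Two views of the same traffic mix: by service, then by source host
    for fields in (("dport", "proto"), ("src",)):
        print(fields)
        for key, totals in top_clusters(aggregate(SAMPLE_FLOWS, fields, 100)):
            print("  ", key, totals)
```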

    • Figure 2.4: Screen snapshot of Autofocus [http://ial.ucsd.edu/AutoFocus/]

      “Fluxoscope” (formerly NetFlow listener) is aggregation and analysis software written in Common Lisp. Its main features include not only various types of graphical and textual reports and an interactive Web-based tool, but also a NetFlow accounting processor with an SNMP agent, which can be used to access statistics on the processing of accounting data. It can support multiple NetFlow accounting streams.

      A “Listener” module in “Fluxoscope” is used to collect the accounting data that is sent. It applies aggregation functions to all flows, splits them into time slices, and periodically writes the data out to files. Like a general NetFlow collector, the “Listener” is best placed near the routers to reduce load and to avoid data loss. The “Data collection and maintenance module” periodically accesses the files generated by the “Listener” and copies them to the central storage. It supports data compression, and data over a long period can be summed up. Finally, the “Data analysis module” analyzes the data from the central storage in order to generate several kinds of reports, such as tabular data and graphical representations, for network monitoring and long-term traffic analysis purposes. [S. Leinen, 2000]

    • Figure 2.5: Screen snapshot of Fluxoscope [S. Leinen, 2000]

      Table 2.3: Free NetFlow Grapher tools

      | Tool | Software/OS | Requirements | Functions/Features |
      |---|---|---|---|
      | F.L.A.V.I.O. | UNIX-like | Web/ Perl, MySQL | A data grapher for NetFlow data export compatible devices |
      | Flow Viewer | N/A | Web/ Perl, GD, RRDTool | Web interface to Flow-tools |
      | JKFlow (XML based) | Linux/ Solaris | Web/ RRDTool | WAN-traffic monitoring |
      | NfSen | BSD-like | Web/ PHP, Perl, RRDTool | A graphical web-based front end for the nfdump tools |
      | nfstat | UNIX-like | Web/ Perl | Weekly human-readable reports from raw NetFlow v5 data |
      | Ntop | UNIX-like, Linux, BSD-like, Solaris, MacOS, Windows | Web | Network traffic probe that shows the network usage, similar to what the popular Unix top command does. Supports NetFlow V9 |
      | ng_NetFlow | Apple Mac OS X, Linux, BSD-like, UNIX-like | N/A | A netgraph kernel module |
      | Stager | UNIX-like | Web/ PostgreSQL | A system for aggregation and presentation of network statistics from the Flow-tools package |

      Table 2.4: Free NetFlow monitoring and analysis tools

      | Tool | Hardware(H)/ Software(S) | Input | Output | Monitor(M)/ Capture(C)/ Analysis(A) | Real Time(R)/ Offline(O) |
      |---|---|---|---|---|---|
      | Argus | (S) Linux, Solaris, FreeBSD, MAC, OpenBSD, NetBSD | packet capture files, data from a live interface | Text (log files) | M, C, A: report/ audit | R, O |
      | Autofocus (Cluster) | (S) N/A | packet header traces, NetFlow | GUI (Web*) visualization | A | O |
      | Aflow | N/A | NetFlow | GUI (Web*) | M, C, A | R, O |
      | AsItHappens | (S) Java | SNMP and NetFlow | GUI | M, C | R |
      | CAIDA cflowd | (S) UNIX-like, FreeBSD | flow-export data from one or more Cisco routers | Tabular summaries | M, C, A | R |
      | CoMo | (S) Linux, FreeBSD | NetFlow and other traffic capture sources | N/A | M, C | R |
      | CUFlow | (S) UNIX-like, Debian | NetFlow | Text | M, C | R |
      | CANINE | (S) Linux, MAC, Solaris, Windows | NetFlow | GUI | M, C | R |
      | CoralReef (optical net) | (S) UNIX-like, Linux, FreeBSD | ATM Traffic live | GUI | M, C | O |
      | Cricket | (S) BSD-like, Linux, FreeBSD, HP-UX | SNMP | GUI (Web*) | A (time-series data) | O |
      | dbFlowc | (S) BSD-like, Linux, FreeBSD, Solaris, UNIX-like | NetFlow | Text | C (collect flow and store it) | R |
      | EHNT | (S) BSD-like, Linux, FreeBSD, UNIX-like | NetFlow | Text | M | R |
      | FlowScan | (S) UNIX-like | cflowd-format raw | GUI (Web*) | A: report | O |
      | Flow-tools (like cflowd) | (S) Linux | NetFlow | Text | M, C, A: report (Scalable) | R, O |
      | Fluxoscope | (S) N/A | NetFlow | GUI, 3D visualization | M, C, A | R, O |
      | Flamingo | (S) N/A | NetFlow | GUI, 3D visualization | M, C, A | R, O |
      | Flowc | (S) Linux, FreeBSD | NetFlow | SQL, GUI (Web) | M, C, A: report | R, O |
      | Java NetFlow Collect-Analyzer | (S) Java | NetFlow or nProbe data | Raw, JDBC | M, C, A | R, O |
      | JNFA | (S) Java | NetFlow | SQL | M, C, A | R, O |
      | NetFlow Monitor | (S) Linux | NetFlow | GUI (Web) | M, C, A | R, O |
      | NeTraMet (link is no longer valid) | (S) UNIX-like, DOS | NetFlow, SNMP | GUI | M, C, A | R, O |
      | Netpy | (S) Linux | NetFlow | GUI (python) | M, C, A | R, O |

      *based on RRDtool files

      Table 2.5: Commercial NetFlow Reporting Products [Cisco, NetFlow06b]

      | Product Name | Primary Use | Primary User | Operating System | Starting Price Range |
      |---|---|---|---|---|
      | Cisco NetFlow Collector | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | Medium |
      | Cisco CS-Mars | Security Monitoring | Enterprise, SMB | Linux | Medium |
      | AdventNet | Traffic Analysis | Enterprise, SMB | Windows | Low |
      | Apoapsis | Traffic Analysis | Enterprise | Linux | Medium |
      | Arbor Networks | Security/Traffic Analysis | Enterprise, Service Provider | BSD | High |
      | Caligare | Traffic/Security Analysis | Enterprise, Service Provider | Linux | Medium |
      | Crannog Software | Traffic Analysis | Enterprise, SMB | Windows | Low |
      | *CA Software | Traffic Analysis | Enterprise, Service Provider | Windows | High |
      | *Evident Software | Traffic Analysis, Billing | Enterprise | Linux | High |
      | *HP | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | High |
      | IBM Aurora | Traffic Analysis/Security | Enterprise, Service Provider | Linux | Medium |
      | InfoVista (Crannog) | Traffic Analysis | Enterprise, Service Provider | Windows | High |
      | IsarNet | Traffic Analysis | Enterprise, Service Provider | Linux | Medium |
      | *Micromuse | Traffic Analysis | Enterprise, Service Provider | Solaris | High |
      | NetQoS | Traffic/Security Analysis | Enterprise | Windows | High |
      | Valencia Systems | Traffic Analysis | Enterprise | Windows | High |
      | Wired City | Traffic Analysis | Enterprise | Windows | High |


  • 114054 PG 1.2 UNDERSTANDING COMPETENCE

    • Congratulations on completing this programme.  We sincerely hope you enjoyed the programme and that the learning experience was enriching.

      The fact that you have attended training, however, is not sufficient evidence of your competence for us to award you a certificate and the credits attached to this programme. You are required to undergo assessment in order to prove your competence to achieve credits leading to a national qualification.

      Being Declared Competent Entails:

      Competence is the ability to perform whole work roles, to the standards expected in employment, in a real working environment.

      There are three levels of competence:

      • Foundational competence: an understanding of what you do and why.
      • Practical competence: the ability to perform a set of tasks in an authentic context.
      • Reflexive competence: the ability to adapt to changed circumstances appropriately and responsibly, and to explain the reason behind the action.

      To receive a certificate of competence and be awarded credits, you are required to provide evidence of your competence by compiling a portfolio of evidence, which will be assessed by a Services SETA accredited assessor.

      You Have to Submit a Portfolio of Evidence

      A portfolio of evidence is a structured collection of evidence that reflects your efforts, progress and achievement in a specific learning area, and demonstrates your competence.

      The Assessment of Your Competence

      Assessment of competence is a process of making judgments about an individual’s competence through matching evidence collected to the appropriate national standards. The evidence in your portfolio should closely reflect the outcomes and assessment criteria of the unit standards of the learning programme for which you are being assessed.

      To determine a candidate’s knowledge and ability to apply the skills before and during the learning programme, formative assessments are done to determine the learner’s progress towards full competence. This normally guides the learner towards a successful summative (final) assessment to which both the assessor and the candidate only agree when they both feel the candidate is ready.

      Should it happen that a candidate is deemed not yet competent upon a summative assessment, that candidate will be allowed to be re-assessed. The candidate can, however, only be allowed two reassessments.

      When learners have to undergo re-assessment, the following conditions will apply:

      • Specific feedback will be given so that candidates can concentrate on only those areas in which they were assessed as not yet competent.
      • Re-assessment will take place in the same situation or context and under the same conditions as the original assessment.
      • Only the specific outcomes that were not achieved will be re-assessed.
      • Candidates who are repeatedly unsuccessful will be given guidance on other possible and more suitable learning avenues.
      • In order for your assessor to assess your competence, your portfolio should provide evidence of both your knowledge and skills, and of how you applied your knowledge and skills in a variety of contexts.

      This Candidate’s Assessment Portfolio directs you in the activities that need to be completed so that your competence can be assessed and so that you can be awarded the credits attached to the programme.

  • 114054 PG 1.1 CONTACT DETAILS


    • Unit Standard:

      US 114054

      Course:

      Administer a local area computer network

      Assessor Details

      Name

      Branch

      Registration No:

      Contact Details

      email:

      Phone:

      Fax:

      Moderator Details

      Name

      Branch

      Contact Details

      email:

      Registration No:

      Phone:

      Fax:

      Candidate Details

      Surname

      Name

      College

      ID No

      Branch

      Contact Details

      email:

      Phone:

      Fax:


  • 114054 LG 1.76 AUDITING BACKUP PROCEDURES

    • A backup audit can be as simple as a self-administered checklist or as elaborate as a weeks-long project by outside consultants costing hundreds of thousands of dollars. Regardless of its level of complexity and cost, the purpose of the backup audit is the same: to identify and help fix potential problems with an enterprise’s backup systems and procedures.

      A backup audit examines the entire backup process looking for weaknesses, inefficiencies and single points of failure. Typically, it includes testing both backup and restore operations and compares existing ways of handling backups against industry-standard best practices.
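
      One way to test a restore operation during such an audit is shown in this added example (not taken from any audit vendor or backup product): it restores an archive into a scratch directory and compares every file against a hash manifest recorded when the backup was taken. The tar format, the function names and the scenario in `demo()` are constructed assumptions.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to the SHA-256 of its content.
    Whole-file reads keep the demo short; hash in chunks for large files."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_restore(recorded: dict, archive: Path) -> dict:
    """Restore the archive into a scratch directory and diff the result
    against the manifest recorded at backup time."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # Where supported, refuse absolute paths, "..", and device nodes
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = manifest(Path(scratch))
    return {
        "missing": sorted(recorded.keys() - restored.keys()),
        "corrupt": sorted(k for k in recorded.keys() & restored.keys()
                          if recorded[k] != restored[k]),
        "unexpected": sorted(restored.keys() - recorded.keys()),
    }


def demo() -> dict:
    """Constructed scenario: the backup job skipped one file and stored
    damaged content for another."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work, "source")
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "config.ini").write_text("[backup]\nretain=30\n")
        (source / "notes.txt").write_text("quarterly close\n")
        recorded = manifest(source)  # taken when the backup ran

        archive = Path(work, "nightly.tar")
        with tarfile.open(archive, "w") as tar:
            tar.add(source / "config.ini", arcname="config.ini")
            damaged = b"id,amount\n1,1\x00\x00\n"
            info = tarfile.TarInfo("db/ledger.csv")
            info.size = len(damaged)
            tar.addfile(info, io.BytesIO(damaged))
            # notes.txt is never added to the archive
        return audit_restore(recorded, archive)


if __name__ == "__main__":
    print(demo())
```

      An empty result in all three lists is the only passing outcome; any entry is a finding for the audit report.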

      Self-assessments, such as the one on the Tao of Backup Web site, are a useful place to start. They are quick, inexpensive and will reveal areas that need more work.

      A large number of companies, from local consultants to national specialists such as System Source to more general data processing consultants, can conduct backup audits. If you decide to go with an outside company to do your audit, you need to decide how much auditing your company needs and choose an auditor appropriately. Of course, the more elaborate the audit, the more it will cost, and the longer it will take. However, if the audit is performed appropriately, the more comprehensive the audit, the more specific, and useful, the recommendations.

      Generally, an outside audit will produce a variety of deliverables, from a logical network diagram to specific recommendations on everything from data security to where to store backup tapes and how to label them. A really comprehensive audit will include services such as recreating your network at the consultant’s facility and using your backups to completely restore the system.


  • 114054 LG 1.75 Choosing a Remote Online Backup Provider

    • Because you’re entrusting critical data to a third party, due diligence is required to ensure that the backup provider you choose is reliable and financially secure. Otherwise, you might end up with a company that has sloppy data-protection habits or goes out of business.

      Key Points

      • Ask for references: When shopping for a provider, ask to speak with one or two customers who have used that provider.
      • Ask for specifics about each provider’s storage facilities.
      • Discuss pricing. Are there additional charges to the base price? Will the company notify you if you are nearing your allotted storage capacity, and how much do they charge if you exceed that capacity?
      • If you hold sensitive, health-related data about your users, clients, patrons, or community members, you may want to consider whether you need to comply with privacy regulations for data related to federal HIPAA rules. Learn more about the topic from our article,

      The following are some other important questions to ask:

      • Has the provider built its own data centre, or do they co-locate with a third-party provider?
      • What redundancy have they built into their system to ensure that your data will always be available? For instance, do they make backups of your backup?
      • Will your information be kept on hard disk or moved to tape? How do they secure physical access to the equipment where data is stored?
      • Will your data be stored in a secure facility?
      • Who has network access to the machines that store your data?
      • Does the backup provider automatically encrypt your data? (Some services recommend that you encrypt your own data before backup.)
      • Does the provider offer a guarantee or insurance of a successful recovery?

      These questions will help you avoid unpleasant surprises and ensure that copies of your critical information are secure and available.