ADVANTECH Router App Net Flow Pfix User Guide

: June 15, 2024
: Advantech

Table of Contents

ADVANTECH Router App Net Flow Pfix
Product Information
Usage Instructions
Used symbols
Changelog
Description of the module
Configuration
Information
Usage Instructions
Engine ID Interoperability
Related Documents
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

ADVANTECH Router App Net Flow Pfix

ADVANTECH-Router-App-NetFlow-Pfix-PRODUCT

Product Information

Specifications

Manufacturer: Advantech Czech s.r.o.
Address: Sokolska 71, 562 04 Usti nad Orlici, Czech Republic
Document No.: APP-0085-EN
Revision Date: 19th October, 2023

Description of the Module

The NetFlow/IPFIX module is a router app developed by Advantech Czech s.r.o. It is not included in the standard router firmware and needs to be uploaded separately.
The module is designed for monitoring network traffic. It works by collecting IP traffic information using a probe installed on NetFlow-enabled routers.
This information is then submitted to a NetFlow collector and analyzer for further analysis.

Web Interface

Once the module is installed, you can access its web interface by clicking on the module name on the Router apps page of your router’s web interface. The web interface consists of a menu with different sections:

Configuration

The Configuration section allows you to configure various settings of the NetFlow/IPFIX router app. To access the configuration settings, click on the “Global” item in the main menu of the module’s web interface. The configurable items include:

Enable Probe: This option starts submitting the NetFlow information to a remote collector (if defined) or to the local collector (if enabled).
Protocol: This option allows you to choose the protocol to be used for NetFlow information submission. You can select from NetFlow v5, NetFlow v9, or IPFIX (NetFlow v10).
Engine ID: This option allows you to set the Observation Domain ID (for IPFIX), Source ID (for NetFlow v9), or Engine ID (for NetFlow v5). This helps the collector to distinguish between multiple exporters. For more information, refer to the section on Engine ID Interoperability.

Information

The Information section provides details about the module and its licenses. You can access this section by clicking on the “Information” item in the main menu of the module’s web interface.

Usage Instructions

Collected Information

The NetFlow/IPFIX module collects IP traffic information from the router’s probe. This includes details such as source and destination IP addresses, packet counts, byte counts, and protocol information.

Retrieval of Stored Information

To retrieve the stored information, you need to access the NetFlow collector and analyzer to which the module submits the data. The collector and analyzer will provide tools and reports for analyzing and visualizing the collected information.

Engine ID Interoperability

The Engine ID setting in the configuration allows you to specify a unique identifier for your exporter. This is useful when you have multiple exporters sending data to the same collector.
By setting different Engine IDs, the collector can differentiate between the data received from different exporters.

Traffic Timeouts

The module does not provide specific information about traffic timeouts. Please refer to the related documents or contact Advantech Czech s.r.o. for more details.

Related Documents

For more information and detailed instructions, please refer to the following documents:
Configuration Manual
Other related documentation provided by Advantech Czech s.r.o.

FAQ

Q: Who is the manufacturer of NetFlow/IPFIX?

A: The manufacturer of NetFlow/IPFIX is Advantech Czech s.r.o.

Q: What is the purpose of NetFlow/IPFIX?

A: NetFlow/IPFIX is designed for monitoring network traffic by collecting IP traffic information from NetFlow-enabled routers and submitting it to a NetFlow collector and analyzer.

Q: How can I access the configuration settings of the module?

A: To access the configuration settings, click on the “Global” item in the main menu of the module’s web interface.

Q: What is the Engine ID setting used for?

A: The Engine ID setting allows you to specify a unique identifier for your exporter, helping the collector to distinguish between multiple exporters.
© 2023 Advantech Czech s.r.o. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photography, recording, or any information storage and retrieval system without written consent.
Information in this manual is subject to change without notice, and it does not represent a commitment on the part of Advantech.
Advantech Czech s.r.o. shall not be liable for incidental or consequential damages resulting from the furnishing, performance, or use of this manual.
All brand names used in this manual are the registered trademarks of their respective owners. The use of trademarks or other designations in this publication is for reference purposes only and does not constitute an endorsement by the trademark holder.

Used symbols

Danger – Information regarding user safety or potential damage to the router.
Attention – Problems that can arise in specific situations.
Information – Useful tips or information of special interest.
Example – Example of function, command or script.

Changelog

NetFlow/IPFIX Changelog

v1.0.0 (2020-04-15)
- First release.
v1.1.0 (2020-10-01)
- Updated CSS and HTML code to match firmware 6.2.0+.

Description of the module

Router app NetFlow/IPFIX is not contained in the standard router firmware. Uploading of this router app is described in the Configuration manual (see Chapter Related Documents).
Router app NetFlow/IPFIX is determined for monitoring network traffic. NetFlow enabled routers have a probe that collects IP traffic information and submits them to a NetFlow collector and analyzer.

This router app contains:

NetFlow probe that can submit information to compatible Network collector and analyzer, e. g. the httsp://www.paessler.com/prtg.
NetFlow collector that stores the collected information to a file. It can also receive and store NetFlow traffic from other devices.

Web Interface

Once the installation of the module is complete, the module’s GUI can be invoked by clicking the module name on the Router apps page of router’s web interface.
Left part of this GUI contains menu with Configuration menu section and Information menu section.
Customization menu section contains only the Return item, which switches back from the module’s web page to the router’s web configuration pages. The main menu of module’s GUI is shown on Figure 2.

Configuration

Global

All NetFlow/IPFIX router app settings can be configured by clicking on the Global item in the main menu of module web interface. An overview of configurable items is given below.

Item	Description
Enable Probe	Start sumbitting the NetFlow information to a Remote Col- lector

(when defined), or to the Local Collector (when en- abled).
Protocol| Protocol to be used: NetFlow v5 , Netflow v9 , IPFIX (Net- Flow v10)
Engine ID| Observation Domain ID (on IPFIX, Source Id on NetFlow v9, or Engine Id on NetFlow v5) value. This may help your collector to distinguish between multiple exporters. See also section on Engine ID Interoperability.
Item| Description
---|---
Sampler| (empty) : submit every observed flow; deterministic : submit each N-th observed flow; random : select randomly one out of N flows; hash : select hash-randomly one out of N flows.
Sampleer Rate| The value of N.
Inactive Traffic Timeout| Submit flow after it’s inactive for 15 seconds. Default value is 15.
Active Traffic Timeout| Submit flow after it’s active for 1800 seconds (30 minutes). Default value is 1800. See also section on traffic timeouts.
Remote Collector| IP address of a NetFlow collector or analyzer, where to sub- mit the collected NetFlow traffic information. Port is op- tional, default 2055. Detination can contain a comma sep- arated list of multiple IP addresses (and ports) to mirror the NetFlow to two or more collectors/analyzers.
Enable Local Collector| Start receiving NetFlow information from the local Probe (when enabled) or from a remote probe.
Storage Interval| Specifies the time interval in seconds to rotate files. The default value is 300s (5min).
Storage Expiration| Sets the max life time for files in the directory. A value of 0 disables the max lifetime limit.
Store Interface SNMP Numbers| Check to store SNMP index of the input/output interface (%in, %out) in addition to the standard set of information, see below.
Store Next Hop IP Address| Check to store IP address of the next hop of outbound traffic (%nh).
Store Exporting IP Address| Check to store IP address of the exporting router (%ra).
Store Exporting Engine ID| Check to store Engine ID of the exporting router (%eng).
Store Flow Reception Time| Check to store timestamp when the flow info was received (%tr).

Table 1: Configuration items description

Information

licenses Summarizes Open-Source Software (OSS) licenses used by this module

Usage Instructions

The NetFlow data should not be sent over WAN, unless VPN is used. The data are not inherently encrypted or obfuscated, so an unauthorized person may intercept and view the information.

Collected Information

The following standard set of information are always sent by the probe and stored by the collector:

Timestamp when the traffic was first seen (%ts) and last seen (%te), using clock of the probe
Number of bytes (%byt) and packets (%pkt)
Protocol used (%pr)
TOS (%tos)
TCP flags (%flg)
Source IP address (%sa, %sap) and port (%sp)
Destination IP address (%da, %dap) and port (%dp)
ICMP type (%it)

The following are also sent, but stored only upon request (see config above):

SNMP index of the input/output interface (%in, %out)
IP address of the next hop of outbound traffic (%nh)
IP address (%ra) and Engine ID (%eng) of the exporting router (probe)
Timestamp when the flow info was received (%tr), using clock of the collector
The value in brackets (%xx) indicates the formatter to be used with nfdump to display this value (see next chapter).

Retrieval of Stored Information

Data are stored in /tmp/netflow/nfcapd.yyyymmddHHMM, where yyyymmddHHMM is the creation time. The directory also includes the .nfstat file, which is used to monitor the expiration time.
Do not alter this file. To configure expiration use the admin GUI.
The files can be read using the nfdump command. nfdump [options] [filter]

Display UDP packets sent by 192.168.88.100:

nfdump -r nfcapd.202006011625 ‘proto udp and src ip 192.168.88.100’
- Display all flows between 16:25 and 17:25, aggregating bidirectional flows (-B):
nfdump -R /tmp/netflow/nfcapd.202006011625:nfcapd.202006011725 -B
- Display Engine Type/ID, source address+port and destination address+por for all flows:
nfdump -r /tmp/netflow/nfcapd.202006011625 -o “fmt:%eng %sap %dap”

Engine ID Interoperability

Netflow v5 defines two 8-bit identifiers: Engine Type and Engine ID. Probe on Advantech routers sends only Engine ID (0..255). The Engine Type will always be zero (0). Hence, a flow sent with Engine ID = 513 (0x201) will be received as Engine Type/ID = 0/1.
Netflow v9 defines one 32-bit identifier. Probe on Advantech routers can send any 32-bit number, how-ever other manufacturers (e.g. Cisco) split the identifier into two reserved bytes, followed by Engine Type and Engine ID. The receiver follows the same approach.
Hence, a flow sent with Engine ID = 513 (0x201) will be received as Engine Type/ID = 2/1.
IPFIX defines one 32-bit identifier. Probe on Advantech routers can send any 32-bit number, but the local collector does not store this value yet. Hence any flow will be received as Engine Type/ID = 0/0.
Recommendation: If you want to store Engine ID in the local collector, check Store Exporting Engine ID in the configuration, use Engine ID < 256 and avoid using the IPFIX protocol.
Traffic Timeouts
The probe exports whole flows, i.e. all packets that belong together. If no packets are observed for a given period (Inactive Traffic Timeout), the flow is considered as complete and the probe sends traffic information to the collector.
Information about a file transfer will thus appear in the collector once the transfer is completed, which may take a significant amount of time. If the transmission is active for too long (Active Traffic Timeout) it will appear as multiple shorter flows.
For example, with a 30 minutes active traffic timeout, a 45 minutes communication will show as two flows: one 30 min and one 15 min.

Traffic Timeouts

The probe exports whole flows, i.e. all packets that belong together. If no packets are observed for a given period (Inactive Traffic Timeout), the flow is considered as complete and the probe sends traffic information to the collector.
Information about a file transfer will thus appear in the collector once the transfer is completed, which may take a significant amount of time. If the transmission is active for too long (Active Traffic Timeout) it will appear as multiple shorter flows. For example, with a 30 minutes active traffic timeout, a 45 minutes communication will show as two flows: one 30 min and one 15 min.

You can obtain product-related documents on Engineering Portal at icr.advantech.cz address.
To get your router’s Quick Start Guide, User Manual, Configuration Manual, or Firmware go to the Router Models page, find the required model, and switch to the Manuals or Firmware tab, respectively.
The Router Apps installation packages and manuals are available on the Router Apps page.
For the Development Documents, go to the DevZone page.