Flow Publisher - E-SPIN Group...Publisher in place, the entire network can be managed with the same...


Flow Publisher

Product Overview
- Blindsided (def). Not knowing who or what is on your network
- Flow Publisher brings Traffic Analysis to Every Corner of your Network
- Key Capabilities of WhatsUp Gold Flow Publisher include:
  - Uses Flow Monitor plug-in for advanced reporting and alerting
  - Works with any existing network devices and your Windows servers
  - Develops standard format flow records that you can easily understand
  - Delivers accurate visibility with full flow capture
  - Supports simple, manageable and cost-effective deployment

Features
- Flow Publisher Basics
- Traffic Analysis and Monitoring / Troubleshooting Capabilities (in conjunction with Flow Monitor)
- Reporting (in conjunction with Flow Monitor)
- Configuration and Management (in conjunction with Flow Monitor)

Benefits
- Flow Publisher = Complete Network Visibility
- Direct Benefits of Flow Publisher

FAQ
- What is a Flow?
- What does Flow Publisher do?
- Does Flow Publisher have any prerequisites?
- How is Flow Publisher different from Flow Monitor?
- How will Flow Publisher data help me manage the network?
- What components are included with Flow Publisher?
- What flow data does Flow Publisher provide?
- How is Flow Publisher licensed?
- What kind of devices can be monitored by Flow Publisher?
- Can I use Flow Publisher with my existing flow-enabled devices?

System Requirements
- Flow Publisher software requirements
- Flow Publisher hardware requirements


Product Overview

You know your network better than anyone else. Yet when your users complain that webpages are taking too long to load, or a critical internal application is timing out, you’re often at a loss to explain why. After all, users are only focused on whether their business applications are working right, while you have to think about much more, including managing the infrastructure that delivers those applications. So while you work hard to keep your network and servers healthy and running at optimal capacity - that’s not enough for your business users or your management. It’s almost as if you are conversing in different languages. And while you see the spikes in network traffic, you can’t pinpoint why and how they are affecting your applications.

Blindsided (def). Not knowing who or what is on your network

With flow enabled network devices you can quickly see which users, applications, protocols and traffic sources are generating traffic and consuming bandwidth. Maybe some users are doing unexpected things – like streaming large files or doing backups during normal business hours. Or maybe it’s something dangerous – like a virus spreading on your network. But you can only see this on a flow-enabled network. What happens if you don’t have the luxury of turning on flow monitoring across the network – simply because your devices don’t support it or the cost of upgrading to new infrastructure is not in your budget? You’re destined to manage your network with only partial visibility.

Flow Publisher brings Traffic Analysis to Every Corner of your Network

Well, help is on the way. With WhatsUp Gold Flow Publisher, you can get unique insight and visibility into your network traffic for every device – whether they natively support flow monitoring or not. In short, Flow Publisher makes flow monitoring possible for every network segment and for literally every device. By capturing raw traffic from the network and converting it into standard NetFlow records, Flow Publisher puts you in complete control and conversing in a language your users understand.

With Flow Publisher you can:

- Turn on network traffic analysis for every device and every network segment
- Determine which users, applications or traffic sources are consuming bandwidth
- Require no costly upgrade of your devices to turn on application flow visibility
- Get alerted in real-time when monitored traffic parameters breach targeted thresholds
- Ensure business applications get the bandwidth they need
- Access over 40 web and mobile reports for base-lining and analysis


Key Capabilities of WhatsUp Gold Flow Publisher include:

Uses Flow Monitor plug-in for advanced reporting and alerting

WhatsUp Gold Flow Publisher acts as a network traffic flow information source for Flow Monitor and forwards processed NetFlow records to it. Flow Monitor acts as a standard collector, as it does for other flow-enabled devices, and provides a comprehensive picture of application flows across the entire network in one screen. All of Flow Monitor’s powerful reporting, configurable thresholds, analysis and alerting capabilities are also available to Flow Publisher records - ensuring centralized management of application, host and user traffic.

Works with any existing network devices and your Windows servers

Since Flow Publisher captures and processes raw network traffic from any mirrored switch port, or network TAP (Test Access Point) or even a Windows host server – there is no requirement for changes or upgrades to existing device capabilities. While Flow Monitor can be used to directly receive flow records from NetFlow, sFlow or J-Flow enabled devices, Flow Publisher seamlessly extends coverage to any non-flow enabled device. With Flow Publisher in place, the entire network can be managed with the same level of visibility.

Develops standard format flow records that you can easily understand

Flow Publisher outputs NetFlow v1, v5 and v9 compliant records enabling operations staff to use existing knowledge, skills and best practices that your business may already have in place. With advanced analysis, real time alerting and historical trending available through Flow Monitor – network managers can identify top conversation pairs, top senders and receivers, failed connections per host and analyze breakdown of traffic from every monitored network interface on any device.

Delivers accurate visibility with full flow capture

Popular flow protocols like sFlow or J-Flow employ sampling techniques that reduce the granularity of visibility and insight that flow data can provide. For example, flow sampling may completely miss occasional network congestion instances caused by intermittent and unpredictable user actions or malicious virus activity. With Flow Publisher, the full extent of raw traffic is captured and processed into NetFlow compliant records – ensuring accurate and in-depth visibility into user, protocol, source and destination, and application activity on the network.

Supports simple, manageable and cost-effective deployment

Flow Publisher is a small footprint application that can be installed on most Windows systems, enabling cost-effective deployment. It can capture flows from remote network ports and from four different traffic sources simultaneously. For servers, Flow Publisher is installed directly on the target system. Further, Flow Publisher supports configurable ACLs (access control lists) for administration and management.

Features

Flow Publisher’s unique ability to capture and process raw traffic information from non-flow-enabled devices or host systems, combined with the powerful analysis capabilities of Flow Monitor, delivers the following features:

Flow Publisher Basics

- Simple, software only solution that can be deployed on any current Windows operating system
- Capture of raw traffic flows from any of the following:
  - Port mirroring (SPAN or RAP)
  - Network Test Access Points (TAP)
  - Directly on Windows server platforms
- Creates NetFlow v1, v5 or v9 compliant records from raw traffic
- Maps device MAC addresses to reported interfaces
- Provides options to log flows and commands
- ACLs for access to administration and configuration
- Flow Publisher Management Console: Configuration and management of single or multiple agents
  - Interface(s) from which to capture network traffic
  - Mode and status for each interface in the probe (promiscuous or normal)
  - Collector IP address to forward NetFlow records
  - NetFlow version of flow data to send to a collector
  - Local IP and port of the probe to forward flow records
  - Active and Inactive timeout for flow record management
  - SNMP index for the default input/output reported interface
  - MAC Addresses to Interface indices mapping

Traffic Analysis and Monitoring / Troubleshooting Capabilities (in conjunction with Flow Monitor)

- Automatic classification of traffic by type and protocol in real-time
- Real-time identification of traffic flow patterns through the network
- Identification of traffic sources (top talkers) and destinations
- Identification of traffic destination by group, domain, top level domain (TLD), and country
- Pinpointing of internal and external traffic sources and destinations
- Conducting traffic identification and analysis for Quality of Service using ToS or DSCP
- Grouping of flow data based on common parameters, including IP addresses by domain, TLD or country
- Automatic identification of high traffic flows to un-monitored ports and highlighting of those ports as candidates for monitoring
- Uncovers unauthorized applications, including file and music sharing
- Detection of failed connections

Reporting (in conjunction with Flow Monitor)

- Access to over 40 flow management reports via WhatsUp Gold web and mobile access
- Automated rollup of flow data with hourly, daily, weekly, monthly and yearly views
- Displays flow information in custom formats
- Sorts and displays filtered reports by protocol, application, host, domain, TLD, country, groups or type of service
- Integration of flow reports with WhatsUp Gold workspace reports
- Access to WHOIS information for sender and receiver reports
- Display traffic information by bytes, packets or flows

Configuration and Management (in conjunction with Flow Monitor)

- Configuration of thresholds on multiple flow metrics via the Alert Center
- Configuration and management of flow data retention policies
- Configuration of flow logging levels
- Configurable support for non-standard ports and proprietary protocols
- Starting and stopping of flow services
- Setting of address resolution levels
- Access to flow database and service status, providing instant views of database parameters and running flow services
- Backup and restoration of flow database
- Apply custom names to flow interfaces
- Notification of database status

Benefits

Flow Publisher = Complete Network Visibility


WhatsUp Gold’s new Flow Publisher extends flow monitoring visibility and analytics to non-flow supporting devices and Windows host systems.

Direct Benefits of Flow Publisher

- Extends standardized network traffic analysis and application flow visibility across the entire network
  - Supports any switch, router or network device with Port Mirroring (SPAN/RAP); network Test Access Point (TAP); or direct installation on Windows servers (standard or virtualized)
  - Converts raw traffic into standardized NetFlow v1, v5 or v9 compliant records
- Cost-effective installation and low overhead operation
  - As a small footprint, software-only solution it uses minimal CPU and memory resources
  - Installs on any Windows based operating system and hardware
- Simple and flexible deployment model
  - Agents can be located anywhere in the network enabling both broad and pinpoint traffic analysis
  - Flow Publisher’s deployment doesn't require infrastructure upgrades or downtime
- Better insight and higher investment returns compared to legacy flow monitoring technologies
  - More information, improved manageability and lower costs compared to RMON or packet analysis solutions
  - With 100% raw traffic capture and processing it provides deeper visibility and insight compared to sampled sFlow and J-Flow
- Seamless integration with Flow Monitor and WhatsUp Gold
  - Access to over 40 configurable Flow Monitor web and mobile reports
  - Configuration of thresholds and alerting on typical flow monitoring parameters via the Alert Center
  - See more benefits of the Flow Publisher & Flow Monitor combination (refer Flow Monitor Datasheet)

FAQ

What is a Flow?

A flow is a series of packets with a set of common characteristics sent between devices. As packets traverse a device, seven parameters are analyzed; if they all match exactly, then this sequence of packets is determined to be a flow. Flows are comprised of one of the IP protocols (usually TCP or UDP) depending on the end system being accessed. For more general information on flows and flow management, refer to our Flow Monitor Frequently Asked Questions.
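
The grouping described in this answer, as an added Python example (not part of the datasheet and not WhatsUp Gold code): packets are aggregated into flows when all seven key fields match, and flows are exported on the active and inactive timeouts that the agent settings mention. The field names follow the conventional NetFlow key (source and destination IP, source and destination port, protocol, ToS, input interface); the timeout values and sample packets are constructed.

```python
from collections import namedtuple

# The seven key fields conventionally used by NetFlow to define a flow.
# The datasheet says only "seven parameters"; these names are this example's.
FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")


class FlowCache:
    """Aggregates packets into flows and expires them on two timers."""

    def __init__(self, active_timeout=60, inactive_timeout=15):
        self.active_timeout = active_timeout      # max lifetime of a busy flow (s)
        self.inactive_timeout = inactive_timeout  # max idle time before export (s)
        self.flows = {}      # FlowKey -> running counters
        self.exported = []   # finished flow records, in export order

    def _export(self, key, reason):
        rec = self.flows.pop(key)
        self.exported.append({"key": key, "reason": reason, **rec})

    def _expire(self, now):
        for key, rec in list(self.flows.items()):
            if now - rec["last"] >= self.inactive_timeout:
                self._export(key, "inactive")
            elif now - rec["first"] >= self.active_timeout:
                self._export(key, "active")

    def add_packet(self, ts, key, length):
        self._expire(ts)
        rec = self.flows.get(key)
        if rec is None:  # no flow matches all seven fields: start a new one
            self.flows[key] = {"first": ts, "last": ts, "packets": 1, "bytes": length}
        else:
            rec["last"] = ts
            rec["packets"] += 1
            rec["bytes"] += length

    def flush(self):
        for key in list(self.flows):
            self._export(key, "flush")
        return self.exported


def run_sample():
    """Feed constructed packets (documentation addresses) through the cache."""
    web = FlowKey("10.0.0.5", "192.0.2.10", 40000, 443, 6, 0, 1)
    web_ef = web._replace(tos=184)  # same 5-tuple, different ToS: separate flow
    dns = FlowKey("10.0.0.9", "10.0.0.1", 53000, 53, 17, 0, 1)
    packets = [(0, web, 100), (1, web, 1500), (2, web_ef, 200), (3, dns, 80)]
    # After a 27 s gap the flows above have idled out; a steady stream follows.
    packets += [(t, web, 100) for t in range(30, 100, 10)]
    cache = FlowCache()
    for ts, key, length in packets:
        cache.add_packet(ts, key, length)
    return cache.flush()


if __name__ == "__main__":
    for r in run_sample():
        print(r["reason"], r["packets"], r["bytes"], r["key"])
```

The steady stream is cut into two records by the active timeout, which is why a collector sees a long-lived connection as several flow records rather than one.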


What does Flow Publisher do?

Flow Publisher collects raw traffic information from the network devices that are not natively flow-enabled and converts them into NetFlow v1, v5 or v9 compliant records. Flow Publisher then forwards the NetFlow records to the WhatsUp Gold Flow Monitor collector for both real time and historical reporting and alerting.

Does Flow Publisher have any prerequisites?

Flow Publisher requires both the Flow Monitor plug-in and the WhatsUp Gold core product to provide network traffic analysis, reporting and threshold monitoring and alerting. Depending on how Flow Publisher is deployed, a Windows PC and available network interfaces may also be required.

How is Flow Publisher different from Flow Monitor?

Flow Monitor collects, processes and reports on application traffic flows from devices in the network that natively support one or more industry standard formats. Supported flow formats in Flow Monitor include NetFlow v1, v5 and v9 (developed by Cisco); J-Flow (developed by Juniper Networks); and sFlow (RFC 3176 standard). The vast majority of hardware manufacturers support one of the flow formats.

Flow Publisher complements Flow Monitor capabilities by extending application traffic monitoring to devices and Windows servers that do not have any native flow capability. Together Flow Monitor and Flow Publisher provide deep and homogeneous insight into application and user traffic and behavior analysis across all devices and segments in the network.

How will Flow Publisher data help me manage the network?

The combined solution of Flow Publisher, Flow Monitor, and WhatsUp Gold analyzes, reports, and sends alerts based on the performance of specific flow parameters for all network devices and host systems – whether they are flow enabled or not. Thresholds used for alerting are configured through the Alert Center capability in WhatsUp Gold. Flow information helps uncover which users, applications, or source/destination pairs are consuming your network bandwidth.

What components are included with Flow Publisher?

The WhatsUp Gold Flow Publisher includes two primary components – the Flow Publisher Agent and the Flow Publisher Configuration and Agent Management Console.

The Flow Publisher agent is comprised of a number of sub-components – to process raw network traffic from non-flow capable devices into NetFlow compliant records, and to forward them to the WhatsUp Gold Flow Monitor collector. The agent is installed on a Windows based computer and can be configured to support up to 4 interfaces. It can also be deployed directly on a server to track top talkers (users) and application traffic volumes.

The Flow Publisher configuration and management interface is a Windows based program that is used to dynamically configure a single or multiple probes either locally or remotely. The configuration and management interface needs the following information to be set:

- Interface(s) from which to capture network traffic
- Mode and status for each interface in the probe (promiscuous or normal)
- Flow Monitor collector IP address to forward NetFlow records
- NetFlow version of flow data to send to a collector
- Local IP and port of the probe to forward flow records
- Active and inactive timeout for flow record management
- SNMP index for the default input/output reported interface
- MAC Addresses to interface indices mapping
- A configurable Access Control List for administration

What flow data does Flow Publisher provide?

WhatsUp Gold Flow Publisher provides the same information into Flow Monitor for analysis and reporting as other NetFlow sources. This includes the following:

- Protocol
- Application (port number)
- Conversations
- Sender host
- Receiver host
- Sender domain
- Receiver domain
- Sender top level domain (TLD)
- Receiver TLD
- Top sender country
- Top receiver country
- Type of service (ToS)

How is Flow Publisher licensed?

The WhatsUp Gold Flow Publisher is licensed for each separate instance of software product installation on a Windows Server.

What kind of devices can be monitored by Flow Publisher?

Flow Publisher can capture traffic information from any router, switch, or any other network device that supports port mirroring (e.g. Cisco SPAN ports or 3Com RAP ports). It can also receive traffic information from Network TAPs (Test Access Points). Flow Publisher can also be installed on a Windows server and monitor application and user traffic originating or being received by the server.

Can I use Flow Publisher with my existing flow-enabled devices?

Flow Publisher works with your existing flow-enabled devices as well. In fact, popular formats like sFlow only provide sampled flow data that may fail to accurately capture and diagnose intermittent network issues arising from unauthorized application usage or even malicious virus activity. Using Flow Publisher, you would get complete traffic capture and analysis that can help you rapidly track down and resolve intermittent network issues as they happen.

System Requirements

Flow Publisher software requirements

- 32-bit and 64-bit support for the following OS versions: Windows XP Professional SP3, Windows Server 2003 SP2 (or later), Windows Vista (SP2 recommended), Windows Server 2008 (SP2 recommended), Windows Server 2008 R2, or Windows 7.
- WinPcap version 3.1 or later. Download and install WinPcap on the server hosting the Flow Publisher.
  Note: WhatsUp Flow Publisher was tested on WinPcap versions 3.1 to 4.1.
- WhatsUp Gold 16 or greater with Flow Monitor.

Flow Publisher hardware requirements

The following are the hardware requirements for the Flow Publisher:

| Component | Recommended | Required |
| Processor(s) | Dual-core | Single-core |
| Processor speed | 2 GHz or more | 2 GHz |
| RAM | 1 GB | < 100 KB |
| Network interface cards (NIC) | 1 Gbps. (1+n) NICs, where n is the number of Flow Publisher capture devices. | 100 Mbps. Minimum of 1 NIC when capturing local traffic on a server. Minimum of 2 NICs when capturing traffic copied from a network device. |
| Video display resolution | 800 x 600 or higher | 800 x 600 |