CA ehealth. Traffic Accountant and NetFlow Administration Guide. r6.1

Transcription

1 CA ehealth Traffic Accountant and NetFlow Administration Guide r6.1

2 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the Documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the Product are permitted to have access to such copies. The right to print copies of the Documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION AS IS WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE. The use of any product referenced in the Documentation is governed by the end user s applicable license agreement. The manufacturer of this Documentation is CA. Provided with Restricted Rights. Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections , , and (c)(1) - (2) and DFARS Section (b)(3), as applicable, or their successors. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright 2008 CA. All rights reserved.

3 CA Product References This document may reference the following CA products: CA ehealth AdvantEDGE View CA ehealth Application Response CA ehealth Business Service Console (ehealth BSC) CA ehealth Distributed ehealth CA ehealth Fault Manager CA ehealth Live Health Application CA ehealth Response CA ehealth Service Availability CA ehealth SystemEDGE CA ehealth TrapEXPLODER CA ehealth Voice Quality Monitor (VQM) CA ehealth AIM for Apache CA ehealth AIM for Microsoft Exchange CA ehealth AIM for Microsoft IIS CA ehealth AIM for Microsoft SQL Server CA ehealth AIM for Oracle CA Insight AIM for CA ehealth CA Insight Database Performance Monitor for Distributed Databases (CA Insight DPM for Distributed Databases) CA ehealth Integration for Alcatel (ehealth - Alcatel) CA ehealth Integration for Cisco IP Solution Center (ehealth - Cisco ISC) CA ehealth Integration for Cisco WAN Manager (ehealth - Cisco WAN Manager) CA ehealth Integration for HP OpenView (ehealth - OpenView) CA ehealth Integration for Lucent (ehealth - Lucent) CA ehealth Integration for Netcool (ehealth - Netcool) CA ehealth Integration for Nortel Preside (ehealth - Nortel Preside) CA ehealth Integration for Nortel Shasta SCS GGSN (ehealth - Nortel GGSN) CA ehealth Integration for Psytechnics (ehealth - Psytechnics)

4 CA ehealth Integration for Starent PDSN (ehealth - Starent PDSN) CA SPECTRUM CA Unicenter Network and Systems Management (Unicenter NSM) CA etrust Identity and Access Management (etrust IAM) CA Embedded Entitlements Manager (CA EEM) Note: CA Embedded Entitlements Manager (CA EEM) is the new name for etrust IAM. This product will be rebranded throughout the documentation in a future release. CA XOsoft Replication Contact CA Contact Technical Support For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at Provide Feedback If you have comments or questions about CA product documentation, you can send a message to [email protected] (mailto:[email protected]). If you would like to provide feedback about CA product documentation, please complete our short customer survey, which is also available on the CA Support website.

5 Contents Chapter 1: Using ehealth to Monitor Traffic in Your Infrastructure 9 The Value of Traffic Data... 9 ehealth Traffic Data Collection Methods... 9 How ehealth Collects Traffic Data from Cisco-Enabled Devices How ehealth Collects Traffic from Cisco NetFlow Collectors How ehealth Collects Traffic Data from RMON2 Probes The Value of Traffic Accountant Reports How ehealth Identifies the Top Conversations Chapter 2: Installing and Configuring Traffic Accountant Components 17 Meet System Requirements Traffic Accountant Installation Considerations License Your Traffic Accountant System How to Configure the ehealth NetFlow Collector to Collect Data How ehealth Imports Conversation Data from the ehealth NetFlow Collector How to Configure the ehealth Import Poller to Collect NetFlow Data How ehealth Imports Conversation Data from Cisco NetFlow Collectors How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network How ehealth Collects Conversation Data from the RMON2 Conversations Poller How to Migrate RMON2 Configuration Data from an NPO System to ehealth Chapter 3: Managing Traffic Accountant 33 How to Import NetFlow Elements Automatically How to Terminate Polling of NetFlow Elements How to Terminate Polling of Probe Elements How to Assess the Status of the ehealth Database How to Prevent Traffic Accountant Resource Overutilization How to Manage the Growth of Your Traffic Accountant Database How to Reduce the Number of Hours That ehealth Retains Conversation Data How to Remove Unwanted Node or Node-Address Pairs from the Database How to Manage the Poller Message Files How to Manage the Conversations Rollup Scheduled Job How to Modify Configuration Information for Cisco NetFlow Collectors How to Switch the Data Collection Mode for the Import Poller How to Collect Bi-Directional Data with the Standard Import Poller How to Troubleshoot Problems with Your Cisco NetFlow Collector Contents 5

6 How to Troubleshoot Problems with Polled NetFlow Devices Chapter 4: Using Views and Groups 49 How to Organize Nodes and Autonomous Systems View Planning Organizational Views Probe Views Geographic Views Functional or System-Type Views Unassigned Nodes Group Create a Traffic Accountant View How ehealth Creates a Probe View Copy a Traffic Accountant View Import a Traffic Accountant View Export a Traffic Accountant View Rename a Traffic Accountant View Delete a Traffic Accountant View Create a Traffic Accountant Group Modify a Traffic Accountant Group Delete a Group Update Views Chapter 5: Traffic Accounting Reporting 67 Types of Traffic Accountant Reports Pie Charts Bar Charts Trend Charts Tabular Charts Report Center Traffic Accountant Reports Default Traffic Accountant Reports Aggregation Reports Run a Traffic Accountant Report through Report Center Schedule a Traffic Accountant Report Job through Report Center Quick Start Traffic Accountant Reports Run a Quick Start Report from the ehealth Console Run a Quick Start Report from the Web User Interface Standard Traffic Accountant Reports Run a Traffic Accountant Report from the ehealth Console Schedule a Traffic Accountant Report Job through the ehealth Console How to Customize a Standard Traffic Accountant Report Modify a Copy of a Standard Report Traffic Accountant and NetFlow Administration Guide

7 Rename a Report How to Configure the Node Name Display in Reports Automate the Process of Changing the Name Node Display in Reports How to Add Custom Applications to Traffic Accountant Reports How to Maintain ehealth Report Files Appendix A: Subnet Masks 111 IP Addresses, Subnets, and Subnet Masks Calculate the Subnet Mask Appendix B: Running a Dedicated Traffic Accountant ehealth System 113 Guidelines for Disabling Extraneous Processes Edit the Startup.cfg File Index 115 Contents 7

8

9 Chapter 1: Using ehealth to Monitor Traffic in Your Infrastructure This section contains the following topics: The Value of Traffic Data (see page 9) ehealth Traffic Data Collection Methods (see page 9) The Value of Traffic Accountant Reports (see page 14) The Value of Traffic Data Traffic data is any data that is sent from one node to another node within a network. A node is a device in your network that has a network address. When one node sends data to another node, the data transfer is called a conversation. Each conversation has a node pair (that is, a sending node and a receiving node). A conversation can be a request to determine whether a system is active (known as a ping), or it can be a file transfer operation, an e- mail message, or a request to a web server. Traffic data can also be data that is sent from one autonomous system to another autonomous system within a network. An autonomous system (AS) is a collection of networks under a common administration sharing a common routing strategy. Traffic data can be useful for planning and implementing network security, reconfiguration, growth, partnering, and provisioning. This type of data can help you to correlate network costs to the devices, subnetworks, external customers, internal users, and organizations or departments that use your network. ehealth Traffic Data Collection Methods ehealth Traffic Accountant includes the following product components that you can use to collect traffic data that is generated in your network: ehealth NetFlow Collector ehealth Import Poller Traffic Accountant RMON2 Conversations Poller Using ehealth to Monitor Traffic in Your Infrastructure 9

10 ehealth Traffic Data Collection Methods The ehealth NetFlow Collector collects node-to-node and AS-to-AS NetFlow traffic data directly from Cisco routers and switches in the network via a userdefined port. NetFlow is an open but proprietary network protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment for collecting IP traffic information. The enhanced ehealth Import Poller collects NetFlow data by extracting data files from Cisco NetFlow Collectors that are installed throughout your infrastructure. To use either of these data collection methods, you must install Traffic Accountant on a dedicated, standalone ehealth system. To analyze the data, you can generate reports through the Report Center user interface. (You cannot generate reports on this data through the ehealth console or the Run Reports page of the ehealth Web user interface.) As an alternative method for monitoring NetFlow traffic, you can use the standard ehealth Import Poller to collect either node-to-node or AS-to-AS data from Cisco NetFlow Collectors in your network. If you have installed RMON2 probes throughout your infrastructure, you can use the Traffic Accountant RMON2 Conversations Poller to collect RMON2 traffic data from the probes. To use either of these data collection methods, you should install Traffic Accountant on a dedicated, standalone ehealth system. To analyze the data, you can generate reports through the ehealth console or the Run Reports page of the ehealth Web user interface. (You cannot generate reports on this data through the ehealth Report Center user interface.) How ehealth Collects Traffic Data from Cisco-Enabled Devices If you install the ehealth NetFlow Collector (ENFC) in your network, you can use it to capture end-to-end conversation data directly from Cisco NetFlowenabled devices in your network. This data provides details about the protocols and ports used, and the end nodes that are exchanging data. In addition, it can also include information on Multi-Protocol Label Switching (MPLS), Border Gateway Protocol (BGP), multicast, and AS-to-AS traffic. If you use the ENFC, you do not need to install a Cisco NetFlow Collector. The ENFC is a passive collector; it does not poll NetFlow devices at regular intervals to collect traffic data. Instead, it resides on the Traffic Accountant system and listens for UDP NetFlow data packets in a port. It waits until NetFlow interfaces send data, and then processes it. You can configure the ENFC to listen to specific ports and aggregate the data in a specific way. When you use the ehealth NetFlow Collector to collect conversation data, ehealth does the following: 1. Stores the raw NetFlow data in a database table. 2. Processes the data to obtain conversation data observed by NetFlow-enabled devices in your network. 10 Traffic Accountant and NetFlow Administration Guide

11 ehealth Traffic Data Collection Methods 3. Discovers each Cisco NetFlow interface that is sending data to the ENFC. 4. Creates a probe element for each NetFlow interface and stores it in the ehealth database. 5. Adds the conversation data for each device to the ehealth database. 6. Automatically receives more traffic data from each device at each interval. For instructions on configuring the ENFC to collect NetFlow data, see How to Configure the ehealth NetFlow Collector to Collect Data (see page 19). How ehealth Collects Traffic from Cisco NetFlow Collectors If you have installed one or more Cisco NetFlow Collectors in your network, you can install the ehealth Import Poller to import NetFlow traffic data from the collectors. Cisco NetFlow Collectors are workstations that collect and process the conversation data sent from Cisco routers and switches that exist in your network. By default, the enhanced ehealth Import Poller collects node-to-node and ASto-AS data simultaneously. However, if you configure the Import Poller to use standard data collection, you can collect only one type of data at one time. To collect both types of data using the standard ehealth Import Poller, you must install Traffic Accountant on two separate ehealth systems. When you use the ehealth Import Poller to retrieve conversation data, the following occurs: 1. Each Cisco NetFlow Collector filters and aggregates the conversation data that it collects from each device. 2. The collectors save the data as flat files in a directory on the NetFlow Collector workstation. 3. The ehealth Import Poller retrieves the data files from the Cisco NetFlow Collectors via File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), or Tectia SSH FTP. 4. The poller stores this data in the ehealth database. Important! If you run the poller in standard mode, you cannot collect nodeto-node and AS-to-AS data simultaneously. To do so, you must install ehealth Traffic Accountant on two separate ehealth systems. Using ehealth to Monitor Traffic in Your Infrastructure 11

12 ehealth Traffic Data Collection Methods To use the ehealth Import Poller, you need to configure it by running the setup program. As part of the configuration, you discover the NetFlow interfaces, and then ehealth saves them as NetFlow probe elements in the database. (If you have not already created a NetFlow scheduled job, you must discover the devices to enable ehealth to poll them.) Note: For instructions on using the ehealth Import Poller, see How to Configure the ehealth Import Poller to Collect NetFlow Data (see page 21). How ehealth Collects Traffic Data from RMON2 Probes If you install remote monitoring version 2 (RMON2) dialog probes in your network, you can use ehealth Traffic Accountant software to collect RMON2 traffic data. A probe is a device that contains RMON2 software that records information about network traffic conversations occurring between nodes on the network (as specified in the latest version of the management information base (MIB) specification, RMON, version). Although the information collected by each probe can vary, a probe typically identifies the address of the sending node, the address of the receiving node, the number of packets and bytes transmitted, and the protocol or application type of the data. 12 Traffic Accountant and NetFlow Administration Guide

13 ehealth Traffic Data Collection Methods Using Simple Network Management Protocol (SNMP) agents, ehealth searches particular ports for the IP addresses of the probes that you specify. After ehealth discovers each probe, it adds it the database as a probe element. A probe element is a single interface on a probe which behaves as a virtual probe. Some probes can have many interfaces, but a useful limit can only be determined by the amount of data that a probe sees. Traffic Accountant discovers probe interfaces, not probes. A probe element learns about the nodes around it by observing the conversations and reading the addresses of the node pairs. If a node does not send or receive any traffic, a probe element does not know that the node exists. The following illustration shows an example of two network segments, each with its own nodes and probe element. The darker lines represent conversations that occur between these nodes: NodeA and Node2 NodeC and NodeB Node1 and Node2 Probe elements see only the conversations that take place on the network segment where the probe element resides. Either one or both of the nodes must reside on or send data on the segment where the probe element resides. Using ehealth to Monitor Traffic in Your Infrastructure 13

14 The Value of Traffic Accountant Reports For example, Probe1 sees the conversations between NodeA and Node2, and NodeC and NodeB. Probe1 does not see the conversation between Node1 and Node2 because both of those nodes are on a different segment. Similarly, Probe2 sees the conversations between NodeA and Node2, and between Node1 and Node2. Probe2 does not see the conversation between NodeC and NodeB because those nodes are on a different segment. When ehealth retrieves conversation data from RMON2 probes, it follows this process: 1. Poll the probe elements to obtain the probe elements conversation data. 2. Filter out any conversation data that is below a defined minimum size or older than a user-defined date. 3. Save the conversations and top conversations in the database. The Value of Traffic Accountant Reports If you install ehealth Report Center, you can use the Report Center user interface to generate reports on the data that you collect using the ehealth NetFlow Collector or the enhanced ehealth Import Poller. To analyze the data that you collect using the standard ehealth Import Poller or the RMON2 Conversations Poller, however, you must generate reports through the ehealth console or the Run Reports page of the ehealth Web user interface. Traffic Accountant reports identify how nodes, autonomous systems, and applications use your network. You can use this information to analyze the network and address traffic problems. These reports can help you determine the following: The nodes or autonomous systems that use the network the most The nodes or autonomous systems that use specific nodes or autonomous systems Whether any unassigned nodes are accessing certain network resources The volume trends for a node or autonomous system, group of nodes or autonomous systems, or a network segment The applications that are used the most on the network by a certain node or autonomous system, or on a network segment Traffic usage patterns for cost-effective partnering 14 Traffic Accountant and NetFlow Administration Guide

15 The Value of Traffic Accountant Reports How ehealth Identifies the Top Conversations When you run a standard Traffic Accountant report from the ehealth console or the Run Reports page of the ehealth Web user interface, ehealth analyzes the data to determine which conversation records are the most accurate. The most accurate record of a conversation is the top conversation. ehealth uses the top conversations when you run Traffic Accountant reports from the ehealth console or the Web user interface for all probe elements or all NetFlow-enabled interfaces. Since different elements might have observed the same conversations, ehealth only analyzes the top conversations to avoid including redundant information in the reports. ehealth calculates the top conversations by comparing the data for each node or autonomous system pair as recorded by any probe or NetFlow element. If only one element observes the conversations between a node or autonomous system pair, ehealth automatically considers those records to be the top conversation records. When more than one element observes conversations between the same node or autonomous system pair, ehealth compares the total amount of conversation data for the node pair as observed by each element. ehealth chooses the element that has the largest amount of conversation data for the node or autonomous system pair. It considers all conversation records observed by that element for that node or autonomous system pair to be the top conversations. When you run a report for a specific element, ehealth uses the information returned by the element, regardless of whether the records are top conversations. Using ehealth to Monitor Traffic in Your Infrastructure 15

16

17 Chapter 2: Installing and Configuring Traffic Accountant Components This section contains the following topics: Meet System Requirements (see page 17) Traffic Accountant Installation Considerations (see page 18) License Your Traffic Accountant System (see page 18) How to Configure the ehealth NetFlow Collector to Collect Data (see page 19) How to Configure the ehealth Import Poller to Collect NetFlow Data (see page 21) How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network (see page 28) Meet System Requirements The standard ehealth installation program allows you to install Traffic Accountant as an optional component. CA does not support the collection of statistics data and conversations data on a single system. Because the volume of Traffic Accountant data can become quite large and consumes a large amount of data storage capacity, you should install it on a separate system that is dedicated to ehealth Traffic Accountant. To use ehealth s NetFlow data collection capabilities, you must install Traffic Accountant on a dedicated, standalone ehealth system, and the ehealth system platform must meet the system requirements for ehealth. Prior to installing Traffic Accountant, follow these steps to meet system requirements: 1. Review the Traffic Accountant Resource Requirements Document located on the Support web site to estimate the amount of memory and disk space required for a Traffic Accountant installation. 2. Access the ehealth Sizing Wizard on the ehealth product web site. Respond to the series of questions, wait for ehealth to calculate the system resources required to support your ehealth implementation, and note the requirements. 3. See the Cisco user documentation to confirm that your NetFlow Collectors, switches, and routers meet system requirements. Note: Most ehealth Import Poller performance impacts relate to the size of the files; that is, larger files take longer to process than smaller files that ehealth imports from the Cisco NetFlow Collectors. Installing and Configuring Traffic Accountant Components 17

18 Traffic Accountant Installation Considerations Traffic Accountant Installation Considerations Review the following considerations before you install or upgrade ehealth Traffic Accountant: Upgrading any ehealth system that is not a pristine Traffic Accountant system will cause installation problems. Report Center is required to generate reports about data collected by ehealth Netflow Collector and by the NetFlow import poller running in enhanced mode. You must run the Traffic Accountant-specific installation with the Traffic Accountant-specific LCF file. License Your Traffic Accountant System Before you can use any Traffic Accountant components to collect RMON2 or NetFlow conversation data, you must obtain authorized poller license keys for each device that you want to poll and also obtain a license for Traffic Accountant. Important! By default, the ehealth Import Poller runs in enhanced mode and collects AS-to-AS data and node-to-node data simultaneously from the Cisco NetFlow Collectors in your network. If you configure the ehealth Import Poller in standard mode and you want to collect node-to-node and AS-to-AS traffic statistics simultaneously, you must install two ehealth Traffic Accountant licenses on two separate ehealth systems. To add one or more ehealth licenses to your Traffic Accountant system 1. Log in to The Technical Support page appears. 2. Select the licensing tab. The Licensing page appears. 3. Click on the ehealth Network License Request Form, complete the fields, and click Submit. The Licensing department sends you a set of authorized product license keys for the designated ehealth system. 4. Create a backup copy of your license.dat file in the ehealth/lmgr directory. 5. Do the following: a. Open the license.dat file that resides in the ehealth/lmgr directory. b. Open the message that Licensing sent to you. 18 Traffic Accountant and NetFlow Administration Guide

19 How to Configure the ehealth NetFlow Collector to Collect Data 6. Copy and paste the keys from the message into the file to overwrite the existing entries with the contents from the message. Important! Be sure to copy only the license.dat portion of the message. If you inadvertently include the header information, the license will not function correctly. 7. Save the file and close it. 8. Do one of the following: On a Windows system, select Start, Control Panel, Administrative Tools, Services. On the Services page, select the FlexLM and ehealth server processes, right-click, and select Stop. After the processes stop, select the FlexLM and ehealth server processes again, right-click, and select Start. ehealth restarts the processes and enables your licenses. On a UNIX system, enter the following: cd ehealth/bin nhlmgr stop nhlmgr start ehealth restarts the license manager and enables your licenses. How to Configure the ehealth NetFlow Collector to Collect Data If you install Traffic Accountant and configure the ehealth NetFlow Collector (ENFC), you can collect data directly from Cisco routers and switches that are in your network. The ENFC supports Cisco routers up to version 9.0 and imports both node-to-node and AS -to-as data simultaneously. You can install one ENFC on each ehealth system that you have, and configure each one by running an interactive script from the ehealth console. If you install an ENFC, you do not need to install a Cisco NetFlow Collector in your network. To configure the ENFC 1. If you have not already done so, do the following: a. Install Traffic Accountant on each workstation that you designate as an ehealth system. For instructions, see the ehealth Installation Guide for your platform. b. Confirm that your ehealth system and Cisco devices meets system requirements. For instructions, see Meet System Requirements. (see page 17) c. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18). Installing and Configuring Traffic Accountant Components 19

20 How to Configure the ehealth NetFlow Collector to Collect Data 2. Log in to the ehealth system as the ehealth administrator. 3. In a terminal window, change to the ehealth installation directory. 4. If ehealth is installed on a UNIX system, use one of the following commands to source the appropriate ehealth resource file to set your environment: Shell Bourne C Korn Command. nethealthrc.sh source nethealthrc.csh. nethealthrc.ksh 5. Start ehealth by entering the following command: ehealth 6. In the ehealth console, select Setup, Configure, NetFlow to display the nhnetflowsetup window. 7. Select 1 to install the ENFC. 8. Specify the collection port (9991 is the default), and then press Enter. ehealth lists all predefined aggregators. 9. Select an aggregator by name or by index. 10. Select Y to activate it. 11. Enter 4 to save the aggregator setting to the ehealth database. 12. Configure additional aggregator by repeating Steps 8 through 11. How ehealth Imports Conversation Data from the ehealth NetFlow Collector The ENFC listens for UDP NetFlow data packets in the port that you specified during the installation. When NetFlow interfaces send data, the ENFC processes it and stores it in the database. After ehealth discovers the Cisco NetFlow interfaces and creates probe elements for them, it adds the conversation data for each device to the ehealth database. At each poll, ehealth automatically retrieves more traffic data from each device. The NetFlow Collection window in the OneClick for ehealth console displays the time of the next poll. Green bars indicate the number of ehealth elements that were polled successfully. The Errors bar graph displays red bars to indicate the number of elements that ehealth did not poll successfully. The NetFlow Collection window updates with each new poll. 20 Traffic Accountant and NetFlow Administration Guide

21 How to Configure the ehealth Import Poller to Collect NetFlow Data Each data file processed by the ENFC contains one interval. This interval is set within the ENFC and refers to the period within which it usually matches the NetFlow Collection interval value (the default is 15 minutes). A poll bar indicates the number of Cisco NetFlow-enabled router interfaces that had data for a given polling cycle. A separate poll bar represents each interval. To view error messages related to NetFlow-enabled devices, check the ehealth/log directory. How to Configure the ehealth Import Poller to Collect NetFlow Data If you install Traffic Accountant and have one or more Cisco NetFlow Collectors installed in your infrastructure, you can configure the ehealth Import Poller to collect NetFlow data from Cisco routers and switches that exist in your network. By default, the enhanced ehealth Import Poller collects node-to-node and AS-to-AS data simultaneously. The standard Import Poller allows you to collect only one type of data at one time. To collect both types of data using the standard Import Poller, you must install Traffic Accountant on two separate ehealth systems. Cisco NetFlow Collectors filter and process NetFlow data according to specific aggregation schemes. Since the standard ehealth Import Poller supports a subset of the available aggregation schemes, you must ensure that you configure your NetFlow Collectors with one of the following supported active aggregation schemes: DetailASMatrix or HostMatrixInterface if you are running ehealth Traffic Accountant in node-to-node mode ASMatrix if you are running ehealth Traffic Accountant in AS-to-AS mode Note: If you use a non-supported aggregation scheme, ehealth cannot provide conversation data. For information on setting an aggregation scheme on a NetFlow Collector, see the Cisco documentation on the Cisco Web site at The ehealth Import Poller ignores aggregations that contain unsupported fields. The following table lists all fields that are currently supported. Aggregation Field PROCESS_TIME ROUTER_ADDR ELEMENT_ID MACHINE_ID Value NOT NULL NUMBER(11) VARCHAR2(45 CHAR) NUMBER(11) NUMBER(11) Installing and Configuring Traffic Accountant Components 21

22 How to Configure the ehealth Import Poller to Collect NetFlow Data Aggregation Field SOURCE_ID UNIX_NSECS VERSION AGGREGATION_ID SRC_IP_ADDR SRC_IP_ADDR DST_IP_ADDR DST_PORT PROTOCOL TOS INPUT_IF_IDX OUTPUT_IF_IDX SRC_MASK DST_MASK FLOW_BYTES FLOW_PACKETS IP_NEXT_HOP SRC_AS DST_AS BGP_IP_NEXT_HOP IPV6_FLOW_LABEL PACKET_TYPE MPLS_TOP_LABEL_TYPE MPLS_TOP_LABEL_IP SRC_MAC DST_MAC SRC_VLAN DST_VLAN IP_VERSION DIRECTION Value NUMBER(11) NUMBER(11) NUMBER(2) NUMBER(11) VARCHAR2(45 CHAR) NUMBER(11) VARCHAR2(45 CHAR) NUMBER(11) NUMBER(3) NUMBER(5) NUMBER(11) NUMBER(11) NUMBER(3) NUMBER(3) NUMBER(38) NUMBER(38) VARCHAR2(45 CHAR) NUMBER(11) NUMBER(11) VARCHAR2(45 CHAR) NUMBER(8) NUMBER(11) NUMBER(5) VARCHAR2(45 CHAR) NUMBER(15) NUMBER(15) NUMBER(5) NUMBER(5) NUMBER(1) NUMBER(1) 22 Traffic Accountant and NetFlow Administration Guide

23 How to Configure the ehealth Import Poller to Collect NetFlow Data Aggregation Field MPLS_LABEL1 MPLS_LABEL2 MPLS_LABEL3 MPLS_LABEL4 MPLS_LABEL5 MPLS_LABEL6 MPLS_LABEL7 MPLS_LABEL8 MPLS_LABEL9 MPLS_LABEL10 SAMPLE_INTERVAL SAMPLEALG FLOW_SAMPLER_ID FLOW_SAMPLER_MODE RANDOM_INTERVAL IF_NAME IF_DESC SAMPLER_NAME FRAGMENT_OFFSET FORWARDING_STATUS TCP_FLAG FLOW_END FLOW_START MIN_PKT_LEN MAX_PKT_LEN MIN_TTL MAX_TTL FLOWS IPV4_IDENT Value NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(11) NUMBER(5) NUMBER(5) NUMBER(5) NUMBER(11) VARCHAR2(32 CHAR) VARCHAR2(255 CHAR) VARCHAR2(255 CHAR) NUMBER(5) NUMBER(3) NUMBER(3) NUMBER(11) NUMBER(11) NUMBER(5) NUMBER(5) NUMBER(3) NUMBER(3) NUMBER(38) NUMBER(5) Installing and Configuring Traffic Accountant Components 23

24 How to Configure the ehealth Import Poller to Collect NetFlow Data You can use the NetFlow Collector User Interface (NFUI) to display runtime configuration parameters, resource definitions, and statistics, as well as modify existing configuration parameters and define new configuration parameters. For detailed instructions, see your Cisco NetFlow user documentation for the NFUI. To configure the ehealth Import Poller to collect NetFlow data 1. If you have not already done so, do the following: a. Install one or more Cisco NetFlow Collectors within your network by following the instructions provided in your Cisco NetFlow installation documentation.if you have installed the ehealth NetFlow Collector already, you do not need to install a Cisco NetFlow Collector. For instructions, see How to Configure the ehealth NetFlow Collector to Collect Data (see page 19). Note: To collect NetFlow data on the network using the ehealth Import Poller, you must install one or more NetFlow Collectors within your infrastructure. You cannot use this poller unless you install these collectors. b. Install ehealth on each workstation that you designate as an ehealth system. For instructions, see the ehealth Installation Guide for your platform. c. Confirm that your Cisco NetFlow Collectors, ehealth system, and Cisco routers and switches all meet system requirements. For instructions, see Meet System Requirements (see page 17). d. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18). 2. Collect the following configuration information regarding your Cisco NetFlow Collector: a. Hostname of the NetFlow Collector system. b. IP address of the NetFlow Collector system (the setup procedure attempts to derive the IP address from the hostname of the NetFlow Collector system, so you may be able to accept the default). c. User name that ehealth can use to log in to the NetFlow Collector system (default is nhuser). d. Password for this user on the NetFlow Collector system. e. Full pathname of a directory on the NetFlow Collector system on which the NetFlow Collector software is installed (default is /opt/csconfc). 3. Log in to the ehealth system as the ehealth administrator. 4. In a terminal window, change to the ehealth installation directory. 24 Traffic Accountant and NetFlow Administration Guide

25 How to Configure the ehealth Import Poller to Collect NetFlow Data 5. If ehealth is installed on a UNIX system, use one of the following commands to source the appropriate ehealth resource file to set your environment: Shell Bourne C Korn Command. nethealthrc.sh source nethealthrc.csh. nethealthrc.ksh 6. Start ehealth by entering the following command: ehealth 7. In the ehealth console, select Setup, Configure, NetFlow to display the nhnetflowsetup window. 8. At the first prompt, enter 2 to install the ehealth Cisco NetFlow Import Poller. 9. At the next prompt, enter 1 to set up a new NetFlow Collector; then enter 1 to add a new collector. 10. At the next prompt, enter the hostname of the Cisco NetFlow Collector workstation to enable ehealth to locate this workstation on the network. One of the following occurs: If it locates the hostname, it obtains the workstation s IP address. If it cannot locate the workstation, it displays an error message indicating that the hostname does not respond to ping. Although the system cannot locate this workstation, you can still use the workstation name. Enter y at the prompt. If you enter n, the system prompts you again for the name of the host. 11. At the next prompt, enter the IP address of the NetFlow Collector and specify the type of FTP that you would like ehealth to use to access the NetFlow system. Do one of the following: If you select SFTP, create a login without a password on which you have configured the NetFlow Collector. Enter the following: $ ssh-keygen t rsa Installing and Configuring Traffic Accountant Components 25

26 How to Configure the ehealth Import Poller to Collect NetFlow Data Enter file in which to save the key (/ehealth/user/.ssh/id_rsa); then enter the same passphrase again. ehealth saves the login information in /ehealth/user/.ssh/id_rsa, and it saves your public key in /ehealth/user/.ssh/id_rsa.pub. Copy the public key to the Cisco NetFlow system by doing the following: $ ssh-copy-id i ~/.ssh/id_rsa.pub username@netflowmachine If you select FTP, specify a user name and password that ehealth can use to access the NetFlow Collector. If the nhnetflowsetup script cannot establish an FTP session with the NetFlow Collector workstation, you cannot import data from the NetFlow Collector. Check the user name and password for this NetFlow Collector, and enter the correct information when prompted. If this information is correct, you may have a network connectivity problem. Note: As an alternative, ehealth also supports Tectia SSH FTP. 12. Enter the pathname of the directory on the NetFlow Collector workstation in which NetFlow is installed. ehealth saves the settings. 13. Specify the type of data collection to use. By default, the Import Poller runs in enhanced mode and collect AS-to-AS data and node-to-node data simultaneously from the Cisco NetFlow Collectors in your network. Note: When you use enhanced data collection, you can generate Traffic Accountant reports through the Report Center user interface. 14. Enter the polling interval to specify how often (in minutes) ehealth collects information from the NetFlow Collectors. The default is 15 minutes. ehealth time-aligns the NetFlow data to the interval of the Conversations Poller. For example, if the Conversations Poller is 30 minutes, ehealth time aligns the data to the half hour. If the data is less than the conversations polling interval, ehealth stores the data to its internal cache for at least 30 minutes and then writes the data to the database. 15. Enter the maximum amount of time (in minutes) to allow a data extraction to finish before timing out. The default is 15 minutes. 16. Press Return. The nhnetflowsetup script saves all of the NetFlow Collector information. 17. To configure the Import Poller to import data from another NetFlow Collector, repeat Steps 9 through Traffic Accountant and NetFlow Administration Guide

27 How to Configure the ehealth Import Poller to Collect NetFlow Data 18. Use ehealth to discover probe elements for each NetFlow-enabled device interface that reports data to the NetFlow Collectors: a. Log in to the ehealth console. b. Select Setup, Import Elements, NetFlow. The NetFlow Import Elements dialog appears. c. Optionally, specify a Database Configuration Information (DCI) exclusion rules file to filter the ehealth probe elements prior to adding them to the ehealth database. Click Browse; then select the files. For instructions on creating a rules file, see the ehealth Administration Guide. d. In the NetFlow Import Elements dialog, click Discover. e. The Discovering dialog displays status messages under Discovery Results in the Discovering dialog. f. If polling does not begin, the circle in the Import Polling window (in the OneClickEH console) may be blue and the message Waiting for asynch import may appear. If this happens, stop and restart the ehealth server by selecting Tasks and Information, Setup, Server Controls in the left pane of the OneClickEH console. Note: You can stop the discover process at any time by clicking Stop Discovery. ehealth discards all elements listed under Discovery Results and closes the Discovering dialog. Once ehealth completes the discover process, the ehealth Import Poller should begin polling the probe elements at the next poll. How ehealth Imports Conversation Data from Cisco NetFlow Collectors After you configure the Import Poller to extract data files from each NetFlow Collector, you need to use ehealth to discover probe elements for each NetFlow-enabled device interface that has reported data to the NetFlow Collectors, and then save the probe elements in the ehealth database. After the ehealth Import Poller retrieves data files from the NetFlow Collectors in your network and imports them to the ehealth system, it aligns the data to the interval of the Conversations Poller. If the Conversations Poller is 30 minutes, ehealth time-aligns the data to the half hour. If the Cisco NetFlow samples are less than the conversation polling interval, it stores the data to its internal cache until it can be stored to the database. Installing and Configuring Traffic Accountant Components 27

28 How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network Each data file imported from the NetFlow Collector contains one interval. This interval is set within the NetFlow Collector and refers to the period within which the NetFlow Collector wrote the data to the file. For best performance, this interval value should usually match the Import Poller interval value (the default is 15 minutes). In the Import Polling window on the ehealth Status Summary page of the OneClick for ehealth console, green bars show the number of Cisco NetFlow-enabled router interfaces that had data for a given import polling cycle. A separate poll bar represents each interval. To view error messages related to NetFlow-enabled devices, check the ehealth/log directory. When the ehealth Import Poller begins polling for the first time (or after a long hiatus), it reads a backlog of data of up to eight hours. This creates an initial configuration that can be up to eight hours old. ehealth aggregates this data and saves it in the database. How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network If you install ehealth Traffic Accountant software and install probes within your network, you can use the RMON2 Conversations Poller to collect traffic data from the probe elements. Traffic Accountant discovers probe interfaces, not probes. A probe element is a single interface on a probe which behaves as a virtual probe. ehealth polls probe elements, collects information about the conversations that each probe element observed, and then stores this information in its database. To configure the ehealth Conversations Poller to collect RMON2 data 1. If you have not already done so, do the following: a. Install Traffic Accountant on each workstation that you designate as an ehealth system. For instructions, see the ehealth Installation Guide for your platform. b. Confirm that your ehealth system meets system requirements. For instructions, see Meet System Requirements (see page 17). c. Obtain license keys for Traffic Accountant and each probe element that you want to poll. For instructions, see License Your Traffic Accountant System (see page 18). 2. Install one or more probes within your network in areas that maximize the traffic coverage: Internal LANs Interfaces to WANs Subnets on which servers or other important systems reside 28 Traffic Accountant and NetFlow Administration Guide

29 How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network 3. Use the ehealth discover process to add each probe interface to the ehealth database. How ehealth Collects Conversation Data from the RMON2 Conversations Poller After you have discovered your probes and added them to your database, the ehealth Conversations Poller begins to poll them to collect information about the conversations that they observed, and then stores this data in its database. The Conversations Polling window in the OneClick for ehealth console displays information about the Conversations Poller, which uses Simple Network Management Protocol (SNMP) and SNMPv2 to poll discovered RMON2 probe elements for Traffic Accountant data. The window shows the time of the next poll, the number of Good Polls, and the number of Bad Polls. Like the Statistics Polling window, the bars change color to indicate the polling status. ehealth filters the data that it receives from a probe element and ignores information about conversations that are less than a defined minimum size. By default, ehealth does not save information for conversations that are less than 500 bytes per minute for the duration of the polling interval. Thus, if your polling interval is 30 minutes, ehealth does not save information for conversations that are 15,000 (500 x 30) bytes or less. The NH_POLL_DLG_BPM environment variable defines the minimum traffic filter size. To change the default setting of 500 bytes per minute, follow this general procedure. For specific instructions on adding environment variables to your system, see the ehealth Commands and Environment Variables Reference Guide. Important! If you lower or disable the filter size, you could cause a significant increase in your database disk space requirements. To change the default setting of NH_POLL_DLG_BPM, follow these steps 1. Stop the ehealth server. 2. Add this environment variable to your system. 3. Specify a value. If you set it to 0, the filter is disabled and ehealth saves all conversations in the database. 4. Restart the ehealth server. Installing and Configuring Traffic Accountant Components 29

30 How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network Each time that ehealth polls a probe element, it retrieves the data stored within it. A probe element captures information only for the conversations that occur on the network segment, ring, switch port, or interface where the probe is installed. If you have multiple probes in your network, more than one probe element could observe the same conversation. Change the Polling Interval ehealth uses the conversation data to determine which probe element is the best source of information for a node or autonomous system. It totals the byte count for each conversation for each node or autonomous system and compares the totals as recorded by each probe element. ehealth chooses the probe element with the largest byte count for a node or autonomous system as the best source of information for the node. Note: ehealth follows this process when it analyzes RMON2 conversation data that is collected by probes. It does not do so when analyzing data that is collected by the ehealth NetFlow Collector or the enhanced ehealth Import Poller. ehealth polls each probe element to collect data on every conversation that the probe element detected and stored, which can result in a tremendous amount of data being collected at each poll. Consequently, the polling interval for conversation data is longer than that for statistics. Probes vary in the amount of memory that they have, and thus the amount of conversation data that they can store. Use a polling interval that enables you to collect the data from the probes before data is lost due to device memory limitations, counters within the probe reset, or the probe s timeout being reached. 30 Traffic Accountant and NetFlow Administration Guide

31 How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network You should also use a polling interval that allows you to retrieve data from the probe element before it resets counters or discards data. This polling interval value determines the rate at which ehealth stores data in the database. In addition, the number of elements in your database and the amount of disk space available for the database might require you to use a polling interval other than the default. The default polling interval for conversation data is 30 minutes, but you can change it to 15, 30, 45, or 60 minutes. Note: If you discover that some probes do not behave at an optimum level with ehealth, consult with your probe vendor to resolve RMON2 configuration issues. For detailed instructions on the discover and polling processes, see the ehealth Administration Guide. To change the polling interval for conversation data 1. Log in to the OneClick for ehealth console. a. Enter the following in a web browser, where ehealthsystem is the specific name of the system on which ehealth is installed. If your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. ehealthsystem/oneclickeh The Connect to ehealthsystemname window appears. b. Specify the user name and password of an administrator who has permission to access OneClickEH; then click OK. The OneClick for ehealth page appears. c. Click Launch OneClick for ehealth. The File Download window appears. d. Click Run. The OneClickEH login window appears. 2. Log in to the ehealth server as an administrator who has permission to manage the pollers. The ehealth Status Summary window appears. 3. In the left pane of the console, click Tasks and Information, Setup, Poller Controls. The Poller Controls window appears. 4. From the Conversations list, select a different poll rate and click Apply. ehealth resets the poll interval and begins polling at that rate. Installing and Configuring Traffic Accountant Components 31

32 How to Configure the ehealth Conversations Poller to Collect RMON2 Data in Your Network How to Migrate RMON2 Configuration Data from an NPO System to ehealth If you use the Unicenter Network Systems Management (NSM) Network Performance Option (NPO) to collect RMON2 data from probes and other network devices that have been installed throughout your network, you can migrate the configuration data to your ehealth system to enable ehealth Traffic Accountant to report on it. For Traffic Accountant to be able to report on your NPO data, you need to run a command to migrate the configuration data from the NPO system (the system on which you are currently running the NPO collection server) to ehealth, and then run an ehealth discover based on that file. To migrate configuration data from an NPO system to ehealth 1. Generate a seed file that contains the current NPO configuration: a. Copy the Create_eHealth_seed.exe file from the ehealth/modules/npo directory on the ehealth system to the bin directory on the NPO system. b. On the NPO system, run the Create_eHealth_seed.exe command to create the ehealthseed.txt file. 2. Copy the ehealthseed.txt file from the NPO_DIR/log directory on your NPO system to the ehealth system. 3. Perform an interactive discovery based on the file, and then save the discover results to the ehealth database. 4. Allow ehealth to poll the resources, and then save the collected data to the ehealth database. For detailed instructions on discovering polling your resources, see the ehealth Administration Guide. 32 Traffic Accountant and NetFlow Administration Guide

33 Chapter 3: Managing Traffic Accountant This section contains the following topics: How to Import NetFlow Elements Automatically (see page 33) How to Terminate Polling of NetFlow Elements (see page 34) How to Terminate Polling of Probe Elements (see page 35) How to Assess the Status of the ehealth Database (see page 35) How to Prevent Traffic Accountant Resource Overutilization (see page 36) How to Manage the Growth of Your Traffic Accountant Database (see page 38) How to Modify Configuration Information for Cisco NetFlow Collectors (see page 42) How to Switch the Data Collection Mode for the Import Poller (see page 43) How to Collect Bi-Directional Data with the Standard Import Poller (see page 44) How to Troubleshoot Problems with Your Cisco NetFlow Collector (see page 45) How to Troubleshoot Problems with Polled NetFlow Devices (see page 46) How to Import NetFlow Elements Automatically To import NetFlow elements on a regular basis, you can use the job scheduler in the ehealth console to automate the process. To add a scheduled job to import elements 1. From the console, select Setup, Schedule Jobs. The Schedule Jobs dialog appears. 2. Select Add NetFlow from the torpedoing list next to the list of jobs. The Add Scheduled NetFlow Import Element dialog appears. 3. Schedule the process by specifying the day, date, and/or time. 4. (Optional) Exclude certain NetFlow elements from the discover search by specifying a DCI rules file. The file must be stored in the following directory: ehealth/modules/netflow/config. Important! If the file is not stored in that directory, the scheduled discovery will fail. 5. Click Schedule. The Add Scheduled NetFlow Import Element dialog closes, and the scheduled job appears in the job list in the Schedule Jobs dialog. Managing Traffic Accountant 33

34 How to Terminate Polling of NetFlow Elements How to Terminate Polling of NetFlow Elements You can prevent the ehealth Import Poller from importing data from all NetFlow-enabled devices in your network at one time, or you can turn off polling for selected devices. To stop importing all data 1. Log in to the OneClick for ehealth console. The OneClickEH login window appears. 2. Log in to the ehealth server as an administrator who has permission to manage the poller. The ehealth Status Summary window appears. 3. In the left pane, click Tasks and Information, Setup, Poller Controls. The Poller Controls window appears. 4. Select Polling Off and click Apply. ehealth turns off the pollers. To stop importing data for specific probe elements 1. Log in to the OneClick for ehealth console. The OneClickEH login window appears. 2. Log in to the ehealth server as an administrator who has permission to manage elements. The ehealth Status Summary window appears. 3. In the left pane, click Managed Resources, Elements. The Element table appears. 4. Select one or more probe elements, right-click, and select Edit Element. The Edit Elements window appears. 5. Select the Polling tab. The Polling window appears. 6. Select Mass Modify, select No next to Polling Enabled, and then click Apply. ehealth disables polling for the selected probe elements. 34 Traffic Accountant and NetFlow Administration Guide

35 How to Terminate Polling of Probe Elements How to Terminate Polling of Probe Elements By default, ehealth stops polling an RMON2 probe element after 1200 seconds (20 minutes) if it has not received a response. If this occurs, ehealth displays a message in the Conversations Polling window and saves any partial data it has received. If polling is continuously terminated early for the same probe element, ehealth may not update information about that probe element. You may want to determine why polls are not finishing for this probe. The NH_POLL_PROBE_TIME_LIMIT environment variable defines the number of seconds that ehealth waits before terminating polling. To change the default setting of 20 minutes, follow this general procedure. For specific instructions on adding environment variables to your system, see the ehealth Commands and Environment Variables Reference Guide. To change the default setting of NH_POLL_PROBE_TIME_LIMIT, follow these steps: 1. Stop the ehealth server. 2. Add this environment variable to your system. 3. Specify a value. If you set it to a value that is below 5 minutes, ehealth may stop polling probes that are slow but responding. 4. Restart the ehealth server. How to Assess the Status of the ehealth Database Near the end of each poll, ehealth stores data gathered by probe elements as conversation data. Over time, the database consumes more space. To ensure that ehealth can continue collecting data and generating reports, you must maintain sufficient disk space. ehealth provides summary information about the status of the entire database and specific information about conversation data. Resources become available when nodes, node address pairs, and conversations age out; processes that are consuming resources terminate; or the poller stops and restarts. To increase your resources so that ehealth can continue to process conversation data immediately, you could add more memory to the ehealth Traffic Accountant system, or move it to a system that has more memory. Note: Because the volume of Traffic Accountant data can become quite large and consumes a large amount of data storage capacity, you must install it on a separate system that is dedicated to ehealth Traffic Accountant. CA does not support the collection of statistics data and conversations data on a single system. Managing Traffic Accountant 35

36 How to Prevent Traffic Accountant Resource Overutilization To view the current status of the database 1. Log in to the OneClick for ehealth console. 2. Log in to the ehealth server as an administrator who has permission to view the System Information folder. The ehealth Status Summary window appears. 3. In the left pane, select Tasks and Information, System Information, Database Status. The Database Status window appears. 4. Review the Conversations section to determine the following: Number of probe elements in the ehealth database Number of nodes or autonomous systems observed by probe elements Size of the database for each type of conversation data Dates of the most recent database entries, and the first entries Date and time of the last Conversations Rollup scheduled job Note: If a poll occurs while the window is open, click Refresh to update the fields when the poll finishes. To obtain database status information, you can also run the nhdbstatus command. For instructions, see the ehealth Commands and Environment Variables Reference Guide. For detailed information about managing the database, see the ehealth Administration Guide. How to Prevent Traffic Accountant Resource Overutilization If you use ehealth Traffic Accountant to monitor unlimited numbers of nodes (for example, public Internet access points), you could encounter situations in which a large volume of conversation or NetFlow data is returned to the Traffic Accountant system during polling. This large volume can impact system performance by consuming the available resources. To guard against these performance impacts, you can prevent Traffic Accountant from becoming overloaded by enabling it to monitor the conversations and import polling times in conjunction with node and nodeaddress-pair lookup (that is, how long it takes Traffic Accountant to find a node within its cache memory). If it detects when polling times are slowing down due to insufficient resources, it can prevent new conversation data from being saved to the database, and will not create new nodes and node address pairs until resources become available or the poll duration falls below the threshold. 36 Traffic Accountant and NetFlow Administration Guide

37 How to Prevent Traffic Accountant Resource Overutilization To prevent Traffic Accountant resource overutilization, you can set threshold values for these two environment variables: NH_DLG_POLL_TIME_FIRST_WARNING_THRESHOLD Specify a value of 1% to 99%. The default is 90%, the point at which the Conversations Poller or Import Poller has polled 90% of your elements. The value of this variable must be less than the value of NH_DLG_POLL_TIME_SECOND_WARNING_ THRESHOLD. NH_DLG_POLL_TIME_SECOND_WARNING_THRESHOLD Specify a value of 1% to 99%. The default is 95%, the point at which the Conversations Poller or Import Poller has polled 95% of your elements. The value of this variable must be more than the value of NH_DLG_POLL_TIME_FIRST_WARNING_ THRESHOLD. Note: To disable the variables, set both values to 0. When you set these environment variables, ehealth follows this process: 1. During a poll, ehealth accumulates node and node address pair lookup times. 2. When the Conversations Poller or Import poller has reached 90% of the poll interval, the ehealth console displays a warning indicating that the poll may not finish in the interval specified. 3. When the poller has reached 95% of the poll interval, Traffic Accountant calculates the average node and node address pair lookup times and then compares them to those of the previous poll. For example, if the system is performing a 15-minute poll, and it has completed 90% of the poll (13.5 minutes), Traffic Accountant displays the first warning in the console. If the average lookup times increased, Traffic Accountant compares them to the averages of the five previous polls. If it detects a sharp increase in the average lookup time, it displays an error message in the OneClickEH console indicating that new conversation data will not be saved to the database until resources become available or the poll duration falls below the threshold. 4. During this time, Traffic Accountant cannot create nodes and node address pairs. It saves a record of the number of conversations that it discards during each conversation or import poll in a log file named trafficdropped.date.time.log within the ehealth/log directory. Managing Traffic Accountant 37

38 How to Manage the Growth of Your Traffic Accountant Database How to Manage the Growth of Your Traffic Accountant Database To control the growth of Traffic Accountant, ehealth automatically performs several maintenance tasks: Reviews all conversations to determine the last time that it observed a conversation. If a conversation is not seen in 24 hours, ehealth frees memory that is associated with the conversation, but it retains the data already stored in the database. Hides nodes or autonomous systems and node address pairs or autonomous system pairs that have not been referenced for a specified time period, and then removes them once it rolls data out of the database. (When nodes or autonomous systems are hidden, you can run reports on the data.) Controls the size of the conversations message log file. Rolls up conversation data every four hours. To proactively control the growth of Traffic Accountant data in your ehealth database, you can do the following 1. Reduce the number of hours that ehealth retains information on a conversation in memory by modifying the setting of the NH_DLG_TIME2KEEP environment variable. By default, ehealth ages out conversation data that is older than four hours. 2. Remove unused nodes or autonomous systems on a regular basis by managing the Cleanup Nodes scheduled system job. 3. Manage the size of the Conversations Poller message file. 4. Manage the Conversations Rollup scheduled job. How to Reduce the Number of Hours That ehealth Retains Conversation Data By default, ehealth ages out conversation data that is older than four hours. To control the size of the database, you can reduce the number of hours that ehealth retains information on a conversation in memory. To reduce the number of hours that ehealth retains information on a conversation in memory 1. Log in to the ehealth console as an administrator. 2. Stop the ehealth server. 38 Traffic Accountant and NetFlow Administration Guide

39 How to Manage the Growth of Your Traffic Accountant Database 3. Modify the setting of the NH_DLG_TIME2KEEP environment variable to a value that is less than 4 hours. Note: If you set this variable to 0 hours, the poller no longer ages out conversations from the poller cache. 4. Restart your ehealth server. For detailed instructions on setting environment variables, see the ehealth Commands and Environment Variables Reference Guide. How to Remove Unwanted Node or Node-Address Pairs from the Database By default, ehealth provides the Cleanup Nodes system job to remove node pairs and node-address pairs that are no longer needed, but it does not enable it. You can specify the frequency and the time, as well as whether ehealth should hide or remove the nodes or autonomous systems that have not been seen within a designated timespan. Once ehealth removes nodes or autonomous systems and node or autonomous system address pairs, you cannot access any conversations related to them in reports. To remove unwanted and unused node or node-address pairs from the database 1. Log in to the OneClick for ehealth console. 2. Log in to the ehealth server as an administrator who has permission to manage scheduled jobs. The ehealth Status Summary window appears. 3. In the left pane, select Tasks and Information, Job Scheduler, Scheduled Jobs. The Scheduled Jobs window appears. 4. Select the All tab. The console displays the list of jobs that are scheduled to run on your ehealth system. 5. Scroll through the list to locate Cleanup Nodes and double-click the name. The Edit Cleanup Nodes window appears. 6. Select the Schedule tab and do the following: a. Change the frequency with which the job runs. If you specify 31 as the day of the month, the job will only run on months that have 31 days. b. Change the time of day at which the job runs. Managing Traffic Accountant 39

40 How to Manage the Growth of Your Traffic Accountant Database 7. Select the Properties tab and do any of the following: a. Specify the number of hours that ehealth must not have seen the nodes or autonomous systems. b. Specify that ehealth should hide or remove the nodes or autonomous systems that have not been seen within a designated timespan (the default is 0). If you have set the NH_DLG_TIME2KEEP environment variable, specify the same value in this field. 8. Click OK. The Edit Cleanup Nodes window closes, and ehealth updates the parameters for the scheduled job. How to Manage the Poller Message Files By default, ehealth saves messages that the RMON2 Conversations Poller, the NetFlow Collector, and the Import Poller generate about polled conversations. the data is stored as ASCII files in the ehealth/log directory. If the Recent System Messages window on the Status Summary page does not display any messages concerning a poller, ehealth does not create the message file for it. By default, each file can reach a maximum size of 1 MB. Once a log file reaches the maximum size, ehealth moves it to a backup log file named filename.bak and overwrites the existing backup log file, if one exists. ehealth starts a new log file using the default filename. You can set the following environment variables to change the message filename, directory, and maximum file size: NH_POLL_LOG_FILE Specifies the location and/or name of the message log files. NH_POLL_LOG_SIZE Specifies the maximum size of the log files and backup files in bytes. For instructions on setting environment variables, see the ehealth Commands and Environment Variables Reference Guide. How to Manage the Conversations Rollup Scheduled Job The Conversations Rollup scheduled job logs information in the Conversations_Rollup.jobId.log file located in the log directory of your ehealth installation. ehealth rolls up two sets of conversation data: all conversations and top conversations. 40 Traffic Accountant and NetFlow Administration Guide

41 How to Manage the Growth of Your Traffic Accountant Database All conversation data is every conversation reported by every probe element. The database might have several entries for a conversation if more than one probe element reported it. Top conversation data is a single entry for every conversation, based on what ehealth calculates as the best data for that conversation. ehealth provides you with the ability to summarize the data for all conversations differently from the way in which it summarizes the data for top conversations. By default, ehealth rolls up conversation data every four hours. You can change this schedule to every eight or twelve hours. If you run reports mostly on nodes, autonomous systems, groups, or departments or to obtain cost allocations for network use you may want to retain more top conversation data. If you are running reports mostly at the network level or on individual segments, you may want to retain more of all conversation data. The following table presents the default rollups for conversation data. Data As-polled conversations Four-hour samples of all conversation data One-day samples of all conversation data One-week samples of all conversation data Four-hour samples of top conversation data One-day samples of top conversation data One-week samples of top conversation data Rollups 3 days 4 days 1 week 4 weeks 4 days 1 week 50 weeks To change the Conversations Rollup scheduled job 1. Log in to the OneClick for ehealth console. 2. Log in to the ehealth system as an administrator who has permission to manage scheduled jobs. The ehealth Status Summary window appears. Managing Traffic Accountant 41

42 How to Modify Configuration Information for Cisco NetFlow Collectors 3. In the left pane, select Tasks and Information, Job Scheduler, Scheduled Jobs. The Scheduled Jobs window appears. 4. Select the All tab. The console displays the list of jobs that are scheduled to run on your ehealth system. 5. Scroll through the list to locate Conversations Rollup and double-click the name. The Edit Conversations Rollup window appears. 6. Click the Schedule tab and do one or both of the following: Change the frequency of the rollup. Change the time of day at which the rollup occurs. 7. Click the Properties tab and do any of the following: Specify a number in the As-Polled field; then select either days or weeks from the adjacent list to specify how long to retain as-polled conversation data. Change the frequency for rolling up conversations Change the frequency for rolling up top conversations. 8. Click OK. The Edit Conversations Rollup window closes, and ehealth updates the parameters for the scheduled job. How to Modify Configuration Information for Cisco NetFlow Collectors When changes occur with your network management system (NMS) or routers, you can run the nhnetflowsetup script to update your configuration in the following ways: Add or delete Cisco NetFlow Collectors from the polling list. (Before you make any changes, you can use the script to list all Collectors from which the ehealth Import Poller is importing data.) Modify the user name and password information for a collector. Change the polling interval and extraction time limit for the ehealth system. To perform any of these tasks, select Setup, Import Elements, NetFlow in the ehealth console and follow the procedure How to Configure the ehealth Import Poller to Collect NetFlow Data (see page 21). 42 Traffic Accountant and NetFlow Administration Guide

43 How to Switch the Data Collection Mode for the Import Poller How to Switch the Data Collection Mode for the Import Poller When you use the ehealth Import Poller to collect NetFlow data, you can collect node-to-node data, AS-to-AS data, or both, depending on the way that you configure the poller: If you configure the ehealth Import Poller to use enhanced data collection, you can collect both types of data simultaneously. If you configure the ehealth Import Poller to run in standard mode, you must configure it to collect either node-to-node data or AS-to-AS data at one time. If you attempt to switch between the two modes, the ehealth system destroys all Traffic Accountant data. To change traffic collection modes, you must use the nhtadatapurge command. Note: Use caution when using the nhtadatapurge command. This utility destroys all Traffic Accountant data in the database. To switch modes 1. Stop the ehealth server by using the OneClickEH console, or enter the following command in a terminal window: nhserver stop 2. Run the nhtadatapurge command by entering the following at the command line: Important! This command destroys all Traffic Accountant data in the database. nhtadatapurge mode 3. For the mode value, specify AS (or as) to switch to AS-to-AS mode, or specify IP (or ip) to switch to node-to-node mode. ehealth deletes the existing Traffic Accountant data from the ehealth database and sets a switch to indicate that Traffic Accountant is in nodeto-node or AS-to-AS mode. 4. Restart ehealth by using the OneClickEH console, or enter the following in a terminal window: nhserver start Managing Traffic Accountant 43

44 How to Collect Bi-Directional Data with the Standard Import Poller How to Collect Bi-Directional Data with the Standard Import Poller By default, when you use the ehealth NetFlow Collector or the enhanced ehealth Import Poller to collect conversations data, ehealth automatically stores it as bi-directional data. However, when you run the ehealth Import Poller in standard mode, ehealth combines inbound and outbound data into one conversation between nodes or between autonomous systems. This is referred to as uni-directional data. You can save bi-directional data and obtain reports on inbound, outbound, or combined data, but keep in mind the following: Bi-directional data is available when you poll RMON2 probes in node-tonode mode and when you poll Cisco NetFlow elements in AS-to-AS mode. Bi-directional data is not available when polling Cisco NetFlow elements in node-to-node mode. Collecting bi-directional data doubles the size of the ehealth database, as well as the node or autonomous system address pair caches used by the Conversations Poller. If you use the standard ehealth Import Poller, it also doubles the size of the node or autonomous system address pair caches used by the Import Poller (for AS mode only). When specifying directionality, if you report on nodes or groups, ehealth applies the byte count to the originating node when you select Outbound, and applies it to the destination node when you select Inbound. If you report on applications for node partners, group partners, or applications, ehealth applies the traffic to a single entity: the node partners or application. To enable the standard ehealth Import Poller to collect bi-directional data, follow these steps 1. Log in to the ehealth system as an administrator. 2. Stop the ehealth server. 3. Add the NH_TA_DIRECTIONALITY environment variable to the system variable list for your system (not the user variable list). 4. Specify BI-DIRECTIONAL as the value. 5. Restart your server. 6. In the ehealth console or the ehealth Web user interface, run a Traffic Accountant report, and specify a node, group, or view as the subject of your report. 44 Traffic Accountant and NetFlow Administration Guide

45 How to Troubleshoot Problems with Your Cisco NetFlow Collector 7. Specify the type of traffic that ehealth should include when generating your report: If you select Inbound, ehealth includes only traffic that is incoming to the selected node, group, or view. If you select Outbound, ehealth includes only traffic that originates from the node, group, or view. If you select Total, ehealth includes traffic originating or terminating at the selected node, group, or view. Note: If you did not select a node, group, or view, you have selected a network-wide report. With a network-wide report, ehealth includes all traffic, regardless of the directionality options that you select. How to Troubleshoot Problems with Your Cisco NetFlow Collector Generally, you should consult your Cisco documentation when you encounter any problems with one or more of your Cisco NetFlow Collectors. To begin troubleshooting the problem, you can follow this procedure. To troubleshoot a Collector 1. If you have not already done so, review the configuration parameters that you specified in the setup script: a. Examine the NetFlow configuration. Locate the installnetflow#.log file in the ehealth/log/install directory, and review the setup settings that you specified. b. Check the contents of the error messages that nhnetflowsetup generates. c. In a terminal window, enter the following command: nhnetflowsetup d. Review the default parameters for the nhnetflowsetup installation. 2. Log on to the NetFlow Collector system. 3. Confirm that the NetFlow Collector is running by entering the following command, where /netflow_directory is the path to the directory in which the NetFlow Collector software is installed: /netflow_directory/bin/nfcollector status 4. Change to the directory /netflow_directory/logs. 5. Confirm that the system is creating log files. Managing Traffic Accountant 45

46 How to Troubleshoot Problems with Polled NetFlow Devices 6. Search for a file that resembles the following: filesreadytodaysdate. Display the contents of this file to ensure that it contains entries. The filesready file contains pointers to the data files available on the Collector. 7. Enter the command nfc.log and display the contents of the nfc.log file to ensure that errors do not exist. 8. Ensure that the Collector is configured properly. Enter the following command: /netflow_directory/config/nfconfig.file The file should contain an entry similar to the following: Thread DEASMATRIX Aggregation DetailASMatrix Period 15 Port 9991 State Active DataSetPath /opt/csconfc/data Compression yes Binary no MaxUsage 500 If the file does not contain such an entry, see the Cisco documentation for the NetFlow Collector on the Cisco Web site at for information on troubleshooting. How to Troubleshoot Problems with Polled NetFlow Devices During the import process, the Import Polling window displays a bar graph that shows indicate the number of records imported successfully (green poll bars) and those that were imported unsuccessfully (red poll bars). ehealth updates the poll bars with each import poll. If the Import Polling window does not change, some of your Cisco elements may be improperly configured. The element configuration process (discover) extracts data on Cisco NetFlowenabled devices from each collector. It then updates the ehealth database with probe information. If the NetFlow-enabled devices do not send the NetFlow data to the collectors, ehealth cannot extract the data files that it needs to analyze and add elements to the ehealth database. As a result, you may not be able to collect data for all elements. ehealth does not collect data when a Collector uses aggregation schemes that ehealth does not support. Note: Use the following procedure under the direction of Technical Support. 46 Traffic Accountant and NetFlow Administration Guide

47 How to Troubleshoot Problems with Polled NetFlow Devices To troubleshoot problems with NetFlow-enabled devices in the ehealth ehealth database 1. Check the following file for messages that might indicate problems with the element configuration resulting from collection errors: ehealth/log/pollerstatus/messages.import.log 2. Ensure that aggregation schemes are present in the collector. Enter the following command: nhiimportnetflow -configonly -verbos Note: This command resides in the ehealth/bin/sys directory. 3. Verify the following: Your collectors have been polled. Files were received from the polled collectors. The files are converted. New probe elements appear in the OneClick for ehealth console under Managed Resources. The nhconfig command has executed. 4. Check the Import Polling window on the ehealth Status Summary page. If the good (green) poll bars stop or become shorter in the Import Polling bar graph, ehealth has detected an error. 5. Check the following file for messages that might indicate that collections are not set up properly on the Collectors: ehealth/log/pollerstatus/messages.import.log 6. Examine the elements that appear in the OneClick for ehealth console under Managed Elements, Elements by Type, Multi-technology, Probes to determine whether Cisco NetFlow-enabled elements are listed. To find NetFlow-enabled devices, search for probe element names beginning with the word netflow. Managing Traffic Accountant 47

48

49 Chapter 4: Using Views and Groups This section contains the following topics: How to Organize Nodes and Autonomous Systems (see page 49) View Planning (see page 51) Create a Traffic Accountant View (see page 54) Create a Traffic Accountant Group (see page 61) How to Organize Nodes and Autonomous Systems You can organize the nodes or autonomous systems in your network into groups by creating a view. ehealth allows you to define any number of views to organize nodes or autonomous systems in different ways. For example, you could create a view of the following: All nodes in a department or company organization All nodes in a building All nodes located in the same city All nodes with the same type of network address All nodes in a subnet All nodes in a range of IP addresses In a view, you can define groups to organize related nodes or autonomous systems. For example, you can create groups of all nodes on the same floor of a building, all nodes that are the same type of device, or all nodes that are in the same department. Group names must be unique within a view. View names must be unique within your configuration. A node or autonomous system can belong to only one group in a view. Using Views and Groups 49

50 How to Organize Nodes and Autonomous Systems Using views and groups, you can further refine the focus of your Traffic Accountant reports. For example, for the network shown here, you could define a view named Boston that contains all nodes in the Boston office. The view Boston has two groups, Sales and Servers. The Sales group contains all nodes in the Sales department; Servers contains all nodes that act as servers in the Boston office. You can run Traffic Accountant reports for the view to obtain information about the nodes or autonomous systems in the view, the nodes or autonomous systems in a group, and the groups in the view. For example, you could run reports to learn the following: The groups that are the most active The nodes that are the most active in the Sales group The groups that communicated with a specific node The applications that a group or a view uses the most Unassigned nodes are all nodes or autonomous systems that are seen by the probe elements but that are not assigned to defined groups in a view. For example, in the view Boston shown in the illustration, Node1, Node2, and Node3 are unassigned nodes. You can create customized reports for views and include or exclude information for the unassigned nodes. You can also run a group report for the Unassigned Nodes group. As probe elements see new nodes and add them to the ehealth database, they automatically add them to the Unassigned Nodes group. Important! Working with the Unassigned Nodes group in a large system can have significant performance consequences. 50 Traffic Accountant and NetFlow Administration Guide

51 View Planning View Planning Views organize the nodes or autonomous systems in your network for reporting and analysis. Using views, you can focus reports on one or more groups of nodes or autonomous systems. You can obtain information about the total traffic for all nodes or autonomous systems in the view, or compare the groups of nodes or autonomous systems within a view. You can restrict reports to only the nodes or autonomous systems that are assigned to groups within a view. If a Traffic Accountant report that requires a view or a group, you cannot generate the report unless you define the view or group. Any report that requires a group also requires you to specify the view in which the group is defined. When you generate a standard reports for nodes or autonomous systems and probe elements, and you specify a view as an option, the report includes the name of the group to which the node or autonomous system is defined. When you do not specify a view, the reports show only the node name or address (or the AS number if you use AS-to-AS reporting). You can create any number of views to organize the nodes or autonomous systems in your network for reports. You might want to experiment by creating different views and groups and running reports to determine the information that each view provides. You can later delete any views that you do not want. Organizational Views An organizational view contains groups of nodes for each department in an organization. They enable you to run reports to compare the nodes in each department, as well as show how much each department uses the network. They are typically used with Cost Allocation reports, such as the Allocations by Department report. This report relates network costs to the departments in an organization. You can use organizational views for many other types of reports. Organizational views can help you to determine the following: Types of applications that each department uses Most popular applications for an organization Nodes that communicate with other nodes in a department Groups that communicate the most with a node, such as an Internet server Most active nodes in a department Using Views and Groups 51

52 View Planning Probe Views You can create views of the nodes or autonomous systems that the probe elements in your network observe. You can create a view of only one probe element or all probe elements. When you create a view for one probe element, the view has one group that contains all nodes or autonomous systems that the probe element has observed. When you create a view for all probe elements in your network, the view has a group for each probe element. ehealth determines which nodes or autonomous systems to assign to each group by calculating the best source of information for each node or autonomous system. You would typically use probe views with the standard reports in the probe category, which show information about the following: The most active nodes or autonomous systems that a probe element sees The largest conversations that a probe element sees The most popular applications that a probe element sees These reports obtain information about the nodes, or autonomous systems, and applications that are using a network line or segment. Geographic Views If your network is dispersed across the world, across the country, or across a campus, you can create a view and define groups for each geographic area of your network. You can run a report for the view to obtain information about all nodes or autonomous systems, and you can run a report for a group to focus on the traffic from one area of the network. You can use geographic views with the standard reports in the view or group category. These views show information about the following: The most common applications that a view or a group within a view uses The node-to-node or AS-to-AS conversations that occur The most active groups, and the most active nodes or autonomous systems in the view With a geographic view, these reports can show you which areas communicate the most, the most common applications in each area and view, and conversations that occur between the areas. 52 Traffic Accountant and NetFlow Administration Guide

53 View Planning Functional or System-Type Views You can create views to group nodes based on the functions that they provide (such as servers, printers, and other systems). You can run Traffic Accountant reports to obtain information about the traffic volume and use for those groups which can help you to determine who is using certain types of nodes or how much those nodes use the network. Similarly, if your network consists of various operating system platforms or devices from different manufacturers, you can create a view with groups for each type of system or device. You could use this view to obtain information about the traffic to the various groups of devices or which nodes communicate with various types of systems. You can use functional and system-type views with the standard reports in the view or group category. These views show information about the following: The most common applications that a view or a group within the view uses The node-to-node conversations that occur in the view The most active groups and nodes in the view With functional and system-type views, these reports can show you which systems or platforms communicate the most, the most common applications in each group and in the view, and the conversations that occur between the systems and platforms. Unassigned Nodes Group When you create a view, ehealth creates a list of all nodes or autonomous systems that are within the designated parameters of that group. When you create a view by selecting individual nodes or autonomous systems, ehealth creates the Unassigned Nodes group for all nodes or autonomous systems that you have not assigned to any group in the view. Note: If your database contains many nodes or autonomous systems, the Unassigned Nodes group can be very large. This may have an adverse effect on performance. If you set the NH_TA_RPT_INCLUDE_UNASSIGNED_NODES environment variable to yes, ehealth includes the traffic that occurs between unassigned nodes and does not create the Unassigned Nodes group. Using Views and Groups 53

54 Create a Traffic Accountant View You can use this group to do any of the following: Select nodes or autonomous systems to assign to groups that you create. Run reports on the Unassigned Nodes group to locate other nodes or autonomous systems that access nodes or autonomous systems and groups within the view. Create a collection of unauthorized nodes to determine whether unauthorized nodes are using nodes or groups in your network. The Unassigned Nodes group is not a defined group that you create. When you export a view, the export process saves each defined group and its nodes or autonomous systems, but it does not save the Unassigned Nodes group. When you import a view definition, ehealth reads in the view, each defined group, and the nodes or autonomous systems in each group. Create a Traffic Accountant View To organize the nodes or autonomous systems in your network for reporting and analysis, you can use views to focus reports on one or more groups of nodes or autonomous systems. To create a view, you must define the method for creating the view and then create the groups associated with that view. By defining your views based on the method that you used to create them, you can easily associate groups with that view. For example, network managers often use IP address ranges or a subnet and mask to organize network addresses into router groups. To create a view for one of those groups, you could define the view type as an IP address range and then specify the IP addresses for the groups. You can use the following methods to define a view: IP address range IP subnet and mask One probe element or all probe elements Individual nodes or autonomous systems You can also import view definitions or copy existing views. 54 Traffic Accountant and NetFlow Administration Guide

55 Create a Traffic Accountant View If you choose to create a view based on ip address range or subnet address and mask, you can use the NH_MAX_IP_ADDRS environment variable to specify the maximum number of IP addresses. For instructions, see the ehealth Commands and Environment Variables Reference Guide. On a userspecified basis, ehealth updates views created by IP address range or IP subnet and mask with any newly discovered nodes or autonomous systems that are located within that view s range or subnet and mask. Important! To create TA views, your web user account must have permission to manage Traffic Accountant views. As a security mechanism, ehealth applies this restriction when selecting probes for inclusion in IP and AS probe-based groups. To create a view 1. If you have not done so already, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as an administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. Right-click and select New View. 6. In the Create View window, specify a view name.you can specify a maximum of 32 single-byte characters or 16 double-byte characters using the letters A through Z and a through z, the numbers 0 through 9, dashes (-), periods(.), and underscores (_). Spaces are not permitted. If you use a combination of single-byte and double-byte characters, the total length cannot exceed 32 bytes. 7. From the View Type list, select the method that ehealth should use to associate nodes to the view; then click OK. The name of the new view appears in the Views list in the left pane. How ehealth Creates a Probe View You can create views for one probe element or all probe elements defined in the ehealth database. When you create a view, ehealth creates the view, a group within that view for each probe element, and the Unassigned Nodes group. The view name is the name of the probe element. ehealth names each group using the name of the probe element as defined in the ehealth database. The nodes or autonomous systems that ehealth places in each group depend on whether you create a view for one probe element or all probe elements. Using Views and Groups 55

56 Create a Traffic Accountant View You can also restrict the process to nodes that had conversations during specific times or on specific days or communicated using a particular application. When you create a view for one probe element, ehealth creates a view with one probe element group. If a probe element has not observed any traffic, ehealth does not create a group for it. The probe element group contains all nodes or autonomous systems that had conversations that were observed by the probe element. When you create a view for all probe elements, ehealth creates a group for each probe element. Each probe element group contains only those nodes or autonomous systems for which that probe element is the best source of information. If a probe element is not the best source for any nodes or autonomous systems, ehealth does not create a group for it. ehealth uses the conversation data to determine which probe element is the best source of information for a node or autonomous system. It totals the byte count for each conversation for each node or autonomous system and compares the totals as recorded by each probe element. ehealth chooses the probe element with the largest total byte count for a node or autonomous system as the best source of information for the node, as shown in the following example. This illustration shows a sample network configuration that contains three network segments with a probe on each segment. In the illustration, the arrows represent the following conversations that occurred: Node1 and Node2 exchanged 50,000 bytes Node3 and Node4 exchanged 300,000 bytes Node1 and Node4 exchanged 80,000 bytes 56 Traffic Accountant and NetFlow Administration Guide

57 Create a Traffic Accountant View The following table displays the data that ehealth received when it polled ProbeA. Conversation Bytes Node1 Node2 50,000 Node1 Node4 80,000 The following table displays the data that ehealth received when it polled ProbeB. Conversation Bytes Node3 Node4 300,000 Node1 Node4 80,000 The following table displays the data that ehealth received when it polled ProbeC. Conversation Bytes Node3 Node4 250,000 Node1 Node4 80,000 Although Node3 sent 300,000 bytes of data to Node4, ProbeC recorded only 250,000 bytes. The bytes might have been lost if the probe s counters reset. To create a view for all probe elements, ehealth determines that the probe element that recorded the largest number of bytes is the best source of information for the node. The following table presents the summary for Node1 for the conversations observed in this example. Node1 ProbeA ProbeB ProbeC Node1 - Node2 50, Node1 - Node4 80,000 80,000 80,000 Total Bytes: 130,000 80,000 80,000 Using Views and Groups 57

58 Create a Traffic Accountant View For Node1, ProbeA is the best source because it has the largest byte count of 130,000. The following table presents the summary for Node2 for the conversations observed in this example. Node2 ProbeA ProbeB ProbeC Node1 - Node2 50, Total Bytes: 50, For Node2, ProbeA is the best source because it has the largest byte count of 50,000. Probe elements are often the best source of information for nodes that reside on the same network segment. In this example, ProbeA is the best source for both Node1 and Node2, and it also shares the same network segment. A probe element that shares the same segment might not always be the best source of information for a node on that segment. If a probe element purges data before ehealth can poll it, its record of the total number of bytes sent and received by a node might be less than the total recorded by a probe element on another segment. ehealth assigns the probe element with the highest byte count totals as the best source of information for a node, despite the physical location of the probe. The following table presents the summary for Node4. For Node4, ProbeB is the best source, even though it is on another segment, because it has the largest byte count of 380,000. Node4 ProbeA ProbeB ProbeC Node1 Node4 80,000 80,000 80,000 Node3 Node4-300, ,000 Total Bytes: 80, , ,000 Copy a Traffic Accountant View When you copy a view, ehealth copies the groups associated with the original view. To create a new view by copying the current view 1. If you have not done so already, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 58 Traffic Accountant and NetFlow Administration Guide

59 Create a Traffic Accountant View 3. Log in to the ehealth server as an administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. Right-click the view name, and select Copy View. The Create View window appears. 6. Specify a view name. You cannot use the name of an existing view. You can specify a maximum of 32 single-byte characters or 16 double-byte characters using the letters A through Z and a through z, the numbers 0 through 9, dashes (-), periods(.), and underscores (_). If you use a combination of single-byte and double-byte characters, the total view name length cannot exceed 32 bytes. 7. Click OK. The Create View window closes, and the new view appears in the Views list. Import a Traffic Accountant View A view descriptor file is an ASCII text file that defines a view, each group in the view, and all nodes or autonomous systems in each group. Using the nhdcitodb command, you can import view definitions from view descriptor files. You can create the view descriptor file by using the comma-separated values (csv) format. You cannot use the DCI format. For more information about the format for view descriptor files, see the ehealth Integration Guide. When importing a view, keep in mind the following: If you used the name keyword in the.csv file and you import the definition of a view that already exists in your configuration, ehealth modifies the existing view to match the imported definition. The imported views do not affect any other views in your configuration. A renamed view is not a new view. If you use the dbid keyword, rename a view that was previously exported under a different name, and import the old view definition, ehealth renames the existing view to the imported (original) view name and updates the view with the imported view definition. To import a view 1. Log in to your ehealth system as an administrator, and open a command prompt window. Using Views and Groups 59

60 Create a Traffic Accountant View 2. Enter the following at the command line: nhdcitodb filename ehealth imports the view definition into the Traffic Accountant system. Export a Traffic Accountant View Using the ehealth command nhidbtodci, you can export the definition of one or more views to a view descriptor file. This file contains a definition for each node or autonomous system in the database, each view that you export, the groups in each view, and the node or autonomous system members of each group. It does not save the Unassigned Nodes group. You can create the view descriptor file by using the comma-separated values (csv) format. You cannot use the DCI format. You can view or modify the view descriptor file using any text editor. To export a view to a view descriptor file 1. Log in to your ehealth system as an administrator, and open a command prompt window. 2. Enter the following at the command line: nhdbtodci filename ehealth saves the specified views to a view descriptor file. Rename a Traffic Accountant View You can give your views more meaningful names by using the Rename View feature; however, you cannot use the name of an existing view. To rename a view 1. If you have not done so already, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as a web administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. In the left pane, select the view name. The Modify Properties window appears. 60 Traffic Accountant and NetFlow Administration Guide

61 Create a Traffic Accountant Group 6. Specify a new view name. You can specify a maximum of 32 single-byte characters or 16 double-byte characters using the letters A through Z and a through z, the numbers 0 through 9, dashes (-), periods(.), and underscores (_). If you use a combination of single-byte and double-byte characters, the total view name length cannot exceed 32 bytes. 7. Click Apply. The renamed view appears in the Views list. Delete a Traffic Accountant View If you determine that a view is no longer useful, you can delete it. To delete a view 1. If you have not done so already, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as a web administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. In the left pane, right-click the view name in the list, and select Delete View. 6. Click Yes in the confirmation window. ehealth removes the view from the list. Create a Traffic Accountant Group To streamline your Traffic Accountant reporting, you can associate any number of groups to your views, and assign nodes or autonomous systems to the groups. You can report on one or more groups of nodes or autonomous systems, and you can compare the groups of nodes or autonomous systems within a view. You can restrict reports to only the nodes or autonomous systems that are assigned to groups within a view. When creating groups, follow these guidelines: Each view that you create must have at least one named group. Group names within a view must be unique. Nodes or autonomous systems can belong to only one group in a given view. Using Views and Groups 61

62 Create a Traffic Accountant Group From the OneClick for ehealth console, you can create a group using the same method that you used to create the view to which you want to associate it: IP address range, subnet address and mask, probe, and individual nodes or autonomous systems. When you create groups by IP address range, ehealth assigns nodes to the group based on the existing nodes and a matching string that you specify. Important! To create a TA group, your web user account must have permission to manage Traffic Accountant views. As a security mechanism, ehealth applies this restriction when selecting probes for inclusion in IP and AS probe-based groups. To create a group 1. If you have not already done so, confirm that your web user account as permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as an administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. Select a view, right-click, and select New Group. The Create Group window appears. 6. Specify a group name. You can specify a maximum of 32 single-byte characters or 16 double-byte characters using the letters A through Z and a through z, the numbers 0 through 9, dashes (-), periods(.), and underscores (_). Spaces are not permitted. If you use a combination of single-byte and double-byte characters, the total length cannot exceed 32 bytes. 7. Do one of the following: If you are associating the group to a view based on an IP address range, specify a range of IP addresses and click OK. For detailed instructions on specifying the syntax of an IP address range, refer to the ehealth Resource Discovery Guide. If you are associating the group to a view based on individual nodes or autonomous systems, click OK. 62 Traffic Accountant and NetFlow Administration Guide

63 Create a Traffic Accountant Group If you are associating the group to a view based on an autonomous systems number range, do the following: Click OK. Select the group name from the list in the left pane of the console. Select the Autonomous Systems Not in a View tab. Select the autonomous systems that you want to assign to the new group. Right-click, and select Add Autonomous Systems to Group. ehealth adds them to the group. If you are associating the group to a view based on a subnet address and mask, specify the base IP address of your network and the subnet mask; then click OK. If you are associating the group to a view based on probes, do the following: In the Create Group window, select All or a specific probe element from the list. The probe element that you select becomes the name of the group. Choose the nodes or autonomous systems for the view. Select All to include all nodes or autonomous systems that the probe elements have seen during the specified interval, or select Top to include only the nodes or autonomous systems with the most traffic in the network. Specify the number of top nodes in the adjacent field. The default is 20. Specify one or more applications. If you specify a single application, the view includes only the nodes or autonomous systems that communicate using that specific application. Note: You can only select an application for a Nodes by Probe view. you cannot select an application for an Autonomous System Probe view. Define the time interval. For each value, use the date/time format that you specified during installation. ehealth includes in the group only the nodes that had conversations starting on or after the specified date. Define the time period. ehealth includes in the group only the nodes that had conversations before and including the specified date. Specify the hours and days that define the nodes or autonomous systems in the view. Click OK to add the new group. Using Views and Groups 63

64 Create a Traffic Accountant Group Modify a Traffic Accountant Group You can modify the specific properties of the groups that you create as well as rename them to give them more meaningful names. To modify a group 1. If you have not already done so, confirm that your web user account has permission to manage Traffic Accountant views. (To modify a TA group, your web user account must have permission to manage Traffic Accountant views. As a security mechanism, ehealth applies this restriction when selecting probes for inclusion in IP and AS probe-based groups.) 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as a web administrator who has permission to manage Traffic Accountant views. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. Select the group name and select the Properties tab. 6. Do one or more of the following: Specify a new name for the group, and then click OK. You can specify a maximum of 32 single-byte or 16 double-byte characters using the letters A through Z and a through z, the numbers 0 through 9, dashes (-), periods(.), and underscores (_). If the group is based on an IP address range, modify the IP range. If the group is based on a subnet address and mask, modify the subnet and the mask. If the group is based on nodes, select the Nodes Not in This View tab, select the nodes, right-click, and select Add Selected Nodes to Group. If the group is based on an AS number range, modify the AS number range. 7. Click Apply. Delete a Group You can delete any group that you created. To delete a group 1. If you have not already done so, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 64 Traffic Accountant and NetFlow Administration Guide

65 Create a Traffic Accountant Group 3. Log in to the ehealth server as a web administrator who has permission to manage Traffic Accountant views. Note: To manage TA views, your web user account must have access to All groups and group lists, or access to the groups or group lists that contain the TA probes. 4. In the left pane, select Tasks and Information, Managed Resources, Views. 5. In the left pane, right-click the group name and select Delete Group. 6. Click Yes in the confirmation window. ehealth removes the group from the list. Update Views When you create a view using an IP address range (or subnet address or mask), ehealth updates it automatically as a scheduled system job every Sunday at 11:00 p.m. ehealth updates the view with any newly discovered nodes that are located within a view s range or subnet and mask. This allows you to create the view first and build the nodes for it later. You can use the Scheduled Jobs feature in the OneClick for ehealth console to change the day, number of days, and time of day that ehealth updates the view. To change the Update Views scheduled job 1. If you have not already done so, confirm that your web user account has permission to manage Traffic Accountant views. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as an administrator who has permission to manage scheduled jobs. The ehealth Status Summary window appears. 4. In the left pane, select Tasks and Information, Job Scheduler, Scheduled Jobs. The Scheduled Jobs window appears. 5. Select the All tab. The console displays the list of jobs that are scheduled to run on your ehealth system. 6. Scroll through the list to locate Update Views and double-click the name. Using Views and Groups 65

66 Create a Traffic Accountant Group The Edit Update Views window appears. 7. Click the Schedule tab and do one or both of the following: Change the frequency with which the job runs. If you specify 31 as the day of the month, the job will only run on months that have 31 days. Change the time of day at which the job runs. 8. Click OK. The Edit Update Views window closes, and ehealth updates the parameters for the scheduled job. 66 Traffic Accountant and NetFlow Administration Guide

67 Chapter 5: Traffic Accounting Reporting This section contains the following topics: Types of Traffic Accountant Reports (see page 67) Report Center Traffic Accountant Reports (see page 72) Quick Start Traffic Accountant Reports (see page 80) Standard Traffic Accountant Reports (see page 86) How to Customize a Standard Traffic Accountant Report (see page 96) How to Configure the Node Name Display in Reports (see page 103) How to Add Custom Applications to Traffic Accountant Reports (see page 107) How to Maintain ehealth Report Files (see page 108) Types of Traffic Accountant Reports You can use Traffic Accountant reports to perform a variety of network management operations, including network troubleshooting, network planning, and analysis. These reports present traffic data in four formats: pie, bar, trend, and tabular. ehealth provides several types of traffic reports: Report Center Traffic Accountant reports analyze traffic data that you collect from NetFlow devices using the ehealth NetFlow Collector or the enhanced ehealth Import Poller. You generate these reports from the Report Center page of the Web user interface. With ehealth r 6.1, you must install Report Center when you install the ehealth product. Quick Start Traffic Accountant reports analyze traffic data that you collect using the standard ehealth Import Poller or the RMON2 Conversations Poller about a specific node or autonomous system or a specific probe element. You generate these reports from the ehealth console or from the Run Reports page of the ehealth Web user interface. Standard Traffic Accountant reports analyze traffic data that you collect using the standard ehealth Import Poller or the RMON2 Conversations Poller. These reports provide detailed information about typical traffic and volume for one or all nodes, a view, a group, or one or all probe elements, and you can schedule them to run automatically. You cannot change or delete them; however, you can use them as templates for customized reports. You generate these reports from the ehealth console. Traffic Accounting Reporting 67

68 Types of Traffic Accountant Reports Pie Charts A pie chart presents information for components as a percentage of a whole. For example, if you run a Node Partners for a Node report, and you select a pie chart format, the report would appear similar to the following: The pie chart shows the node partners for the specified node, and the percentage of the total volume for the node with each node partner. For example, of the specified node s total volume, 38% of that volume was conversations with Node1. When you customize a pie chart report, you can specify how many components to include. By default, pie charts can show a maximum of 11 distinct components. This sample shows seven nodes that contribute to the total volume. When a pie chart cannot display all components, ehealth combines the data for the remaining components and labels the component All others. Pie charts show how a total value is distributed to individual components. Pie charts can help you determine the following: The nodes that use the network the most The applications that the network segment uses the most The groups that use a node the most 68 Traffic Accountant and NetFlow Administration Guide

69 Types of Traffic Accountant Reports Bar Charts A bar chart shows how components compare on a scale and provides details about the totals. By default, bar charts show a maximum of 12 components; however, you can specify a maximum of 20 components. When a bar chart cannot display all components, ehealth combines the data for the remaining components and labels the component All others. By default, bar charts show the top 11 applications that the components used. When the components use more than 11 applications, ehealth combines the data for the remaining applications and labels the application All others. For example, if you ran a report to show the top nodes for a specified view in a bar chart, it would appear similar to the following: This sample shows you the top nodes for a specified view. The report also shows the top four applications used by the top nodes. The report combines the information for the additional applications and labels it as All others. You can use the Y-axis, which shows volume information, to estimate the amount of traffic for each node and each application. The following example shows how to calculate the Y-axis values on a bar chart that shows combinations of data. Traffic Accounting Reporting 69

70 Types of Traffic Accountant Reports You can use bar charts to obtain information about the top resources, such as nodes or groups, and which applications those nodes or groups use. They can help you identify the top nodes for a group, view, or network, and the applications that those nodes use. Trend Charts A trend chart shows you how rates change over time. ehealth uses trend charts for volume Trend reports to show how combinations of applications result in the volume trends for a resource. For example, if you request a report about the volume trend by node for a group, it would appear similar to the following: The trend chart shows how the traffic observed at each time increment combines as the total volume. By default, trend charts show up to 12 components, but you can specify that they show a maximum of 29 distinct components. When a trend chart cannot display all components, ehealth combines the data for the remaining components and labels it All others. 70 Traffic Accountant and NetFlow Administration Guide

71 Types of Traffic Accountant Reports You can use the Y-axis, which shows rate or volume information, to estimate the amount of traffic for each component. The following sample chart shows how to calculate the Y-axis values on a trend chart. Trend charts can help you identify the nodes that were using the network most heavily when the network became overloaded, the applications that are used the most by a group, and the peak volume for a group. Tabular Charts A tabular chart presents information in text-only tables. Tabular charts provide specific values for application and traffic volume. By default, they display a maximum of 50 components; however, you can specify any number of components to display. When a tabular chart cannot display all components, ehealth combines the data for the remaining components and labels it All others. For example, if you run a Node Partners report for a specific node and specify a tabular chart, the report would appear similar to the following: Traffic Accounting Reporting 71

72 Report Center Traffic Accountant Reports The tabular chart shows a summary of the node partners for the specified node. For each node partner, the tabular chart details the application data traffic, bytes, and packets information. Using this report, you can obtain specific information about conversations and traffic volume for a specified resource. This information could assist you in resolving security access problems with your network resources. Tabular charts can help you determine the nodes that communicated with a specific node, the details of each conversation, and the nodes that communicated with the web server on the network. Report Center Traffic Accountant Reports If you choose to run the enhanced ehealth Import Poller or if you install the ehealth NetFlow Collector in your network, you can use Report Center to run reports and analyze the end-to-end conversations data that you collect. With ehealth r 6.1, you must install Report Center when you install the ehealth product. The reports use three different chart formats: pie, bar, and tabular. For detailed instructions on using Report Center, see the ehealth Report Center User and Administration Guide. Default Traffic Accountant Reports The following table describes the default Traffic Accountant reports that you can generate through Report Center (by selecting Public Folders, ehealth Reporting, Traffic Accountant Reports). You can use these default report templates as is, or use the Report Studio and Query Studio features of Report Center to customize the reports to suit your reporting needs. Report Name Service Providers Detected by NetFlow Probe Purpose (Pie) Shows how much traffic is being sent to and received from service providers or clients. Traffic Allocations by Service Provider (Bar) Shows percentages of traffic (for a selected node group) being sent to and received from service providers or clients. Applications for All Nodes (Pie) Shows percentage of network traffic used by the top protocols in the network. 72 Traffic Accountant and NetFlow Administration Guide

73 Report Center Traffic Accountant Reports Report Name Group-to-Group Conversations Group-to-Group Conversations over MPLS VPN AS-to-AS Conversations by Service Provider Most Active AS-to-AS Conversations on a NetFlow Interface Most Active Nodes for Application MPLS Network Summary Node Partners of a Server Node Partners of a Service Provider Node-to-Node Conversations - All Nodes Service Provider Usage by Group Purpose Tabular) Shows groups that communicate with a specified group and the total traffic volume for each group partner. (Pie) Shows the groups that communicate the most with a specified group. (Bar) Identifies the groups that communicate with a selected node group over MPLS (VPN) and the amount of traffic. (Tabular) Shows traffic volume for autonomous systems seen by a NetFlow interface. (Tabular) Shows traffic volume for common source and destination autonomous systems and type of service as seen by a selected NetFlow interface. Tabular) Identifies the nodes that are using an application the most, and how much traffic they are sending and receiving. (Tabular) Provides packet and byte counts for traffic on an MPLS network. (Tabular) Shows the node partners that communicate most with a server and the subnet in which the node partners belong (and which applications are used by the node partners). (Tabular) Shows which nodes are using a particular service provider or which nodes are being used by a particular client. Tabular) Presents the most active conversations on the network and which applications/protocols each of those conversations used. (Tabular) Shows the Service Provider usage of the top groups of a selected view. Traffic Accounting Reporting 73

74 Report Center Traffic Accountant Reports Report Name Most Active AS-to-AS Conversations by Application Most Active Nodes for Group Purpose (Tabular) Shows traffic volume information for the most active conversations between pairs of autonomous systems. (Bar) Shows top nodes with the highest volume in the view. Calculates the top applications used in the view. Aggregation Reports The following table describes the default Aggregation reports that you can generate through Report Center (by selecting Public Folders, ehealth Reporting, Traffic Accountant Reports, Specific Aggregation Reports). This folder contains 31 sample tabular reports, one for each predefined aggregation scheme that you can configure when you set up the enhanced ehealth Import Poller or the ehealth NetFlow Collector in your network. Each report only includes the fields used by that specific aggregation scheme and the corresponding statistical values. You can use these default aggregation report templates as is, or use the Report Studio and Query Studio features of Report Center to customize the reports to suit your reporting needs. Report Name Aggregation Report (Generalized) Purpose (Tabular) Show traffic volume based upon a user-selected aggregation parameter. Note: This report template lists all aggregation schemes for which the TA system has collected data. If you do not know the specific aggregation scheme that the system is using, you can run this report by selecting a scheme from the list provided. ASHostMatrix Report (Tabular) Show traffic volume based upon ASHostMatrix aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, SRC_AS, DST_AS) 74 Traffic Accountant and NetFlow Administration Guide

75 Report Center Traffic Accountant Reports Report Name ASMatrix Report ASPort Report CallRecord Report DestNode Report DestPort Report DetailASMatrix Report DetailCallRecord Report DetailDestNode Report DetailHostMatrix Report Purpose (Tabular) Show traffic volume based upon ASMatrix aggregator (SRC_AS, DST_AS) (Tabular) Show traffic volume based upon ASPort aggregator (SRC_AS, DST_AS, L4_SRC_PORT, L4_DST_PORT, PROTOCOL) (Tabular) Show traffic volume based upon CallRecord aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL, SRC_TOS) (Tabular) Show traffic volume based upon DestNode aggregator (IPV4_DST_ADDR) Tabular) Show traffic volume based upon DestPort aggregator (IPV4_DST_ADDR) (Tabular) Show traffic volume based upon DetailASMatrix aggregator (IPV4_SRC_ADDR, L4_SRC_PORT, SRC_AS, DST_AS, INPUT_SNMP, OUTPUT_SNMP, L4_DST_PORT, PROTOCOL) (Tabular) Show traffic volume based upon DetailCallRecord aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, INPUT_SNMP, OUTPUT_SNMP, PROTOCOL, SRC_TOS) (Tabular) Show traffic volume based upon DetailDestNode aggregator (IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL) (Tabular) Show traffic volume based upon DetailHostMatrix aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL) Traffic Accounting Reporting 75

76 Report Center Traffic Accountant Reports Report Name DetailInterface Report DetailSourceNode Report HostMatrix Report HostMatrixInterface Report InterfaceMatrix Report Protocol Report RouterAS Report Router Dest Only Report RouterDstPrefix Report RouterFullFlow Report Purpose (Tabular) Show traffic volume based upon DetailInterface aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, INPUT_SNMP, OUTPUT_SNMP, IPV4_NEXT_HOP) (Tabular) Show traffic volume based upon DetailSourceNode aggregator (IPV4_SRC_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL) (Tabular) Show traffic volume based upon HostMatrix aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR) (Tabular) Show traffic volume based upon HostMatrixInterface aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, INPUT_SNMP, OUTPUT_SNMP, PROTOCOL) (Tabular) Show traffic volume based upon InterfaceMatrix aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, INPUT_SNMP, SRC_TOS) (Tabular) Show traffic volume based upon Protocol aggregator (PROTOCOL) (Tabular) Show traffic volume based upon RouterAS aggregator (SRC_AS, DST_AS, INPUT_SNMP, OUTPUT_SNMP) (Tabular) Show traffic volume based upon RouterDestOnly aggregator (IPV4_DST_ADDR, OUTPUT_SNMP, SRC_TOS) (Tabular) Show traffic volume based upon RouterDstPrefix aggregator (IPV4_DST_PREFIX, DST_MASK, OUTPUT_SNMP, DST_AS) (Tabular) Show traffic volume based upon RouterFullFlow aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL, SRC_TOS, INPUT_SNMP, OUTPUT_SNMP) 76 Traffic Accountant and NetFlow Administration Guide

77 Report Center Traffic Accountant Reports Report Name RouterPrefix Report RouterProtoPort Report RouterSrcDst Report RouterSrcPrefix Report RouterTosAS Report RouterTosDstPrefix Report RouterTosPrefix Report RouterTosProtoPort Report RouterToSrcPrefix Report Purpose (Tabular) Show traffic volume based upon RouterPrefix aggregator (IPV4_SRC_PREFIX, IPV4_DST_PREFIX, SRC_MASK, DST_MASK, INPUT_SNMP, OUTPUT_SNMP, SRC_AS, DST_AS) (Tabular) Show traffic volume based upon RouterProtoPort aggregator (L4_SRC_PORT, L4_DST_PORT, PROTOCOL) (Tabular) Show traffic volume based upon RouterSrcDst aggregator (IPV4_SRC_ADDR, IPV4_DST_ADDR, INPUT_SNMP, OUTPUT_SNMP, SRC_TOS (Tabular) Show traffic volume based upon RouterSrcPrefix aggregator (IPV4_SRC_PREFIX, SRC_MASK, INPUT_SNMP, SRC_AS) (Tabular) Show traffic volume based upon RouterTosAS aggregator (SRC_AS, DST_AS, INPUT_SNMP, OUTPUT_SNMP, SRC_TOS) (Tabular) Show traffic volume based upon RouterTosDstPrefix aggregator (IPV4_DST_PREFIX, DST_MASK, DST_AS, SRC_TOS) (Tabular) Show traffic volume based upon RouterTosPrefix aggregator (IPV4_SRC_PREFIX, IPV4_DST_PREFIX, SRC_MASK, DST_MASK, INPUT_SNMP, OUTPUT_SNMP, SRC_AS, DST_AS, SRC_TOS) (Tabular) Show traffic volume based upon RouterTosProtoPort aggregator (L4_SRC_PORT, L4_DST_PORT, PROTOCOL, INPUT_SNMP, OUTPUT_SNMP, SRC_TOS) (Tabular) Show traffic volume based upon RouterTosSrcPrefix aggregator (IPV4_SRC_PREFIX, SRC_MASK, SRC_AS, SRC_TOS) Traffic Accounting Reporting 77

78 Report Center Traffic Accountant Reports Report Name SourceNode Report SourcePort Report Purpose Tabular) Show traffic volume based upon SourceNode aggregator (IPV4_SRC_ADDR) (Tabular) Show traffic volume based upon SourcePort aggregator (L4_SRC_PORT) Run a Traffic Accountant Report through Report Center If you choose to install the ehealth NetFlow Collector (ENFC) in your network, or run the enhanced Import Poller, you can use ehealth Report Center to generate a set of reports that analyze the traffic data that you collect from the NetFlow devices within your network. With ehealth r 6.1, you must install Report Center when you install the ehealth product to be able to generate these reports. Important! Before you can use Report Center to run a Traffic Accountant report, your ehealth NetFlow Collector or Cisco NetFlow Collectors must be running for at least two hours. To run a Traffic Accountant report through Report Center 1. If you have not already done so, do one of the following: Install the Import Poller and configure it to run in enhanced mode, configure it to collect data from the Cisco NetFlow Collectors installed in your network, and discover the NetFlow Collectors as probe elements. Install the ehealth NetFlow Collector and configure it to collect data from the NetFlow-enabled devices in your network. (ehealth automatically discovers these elements as probes after you install and configure the ENFC.). 2. Log in to the OneClick for ehealth console. 3. Log in to your ehealth system as a web user who has permission to manage Traffic Accountant views and groups, and manage polling. 4. Allow ehealth to poll the EFC or the NetFlow Collectors for at least two hours. 5. From the ehealth Status Summary page, monitor the progress of the polls by viewing the NetFlow Collection or Import Polling windows. If the polling window indicates that problems have occurred, see How to Troubleshoot Problems with Polled NetFlow Devices (see page 46). 78 Traffic Accountant and NetFlow Administration Guide

79 Report Center Traffic Accountant Reports 6. If you have not already done so, organize your nodes and autonomous systems into views and groups. For some reports, you do not need to specify a view or group. For more information and instructions on planning views, see Chapter 4: Using Views and Groups. 7. Log in to the Web user interface as an administrator who has permission to do the following: manage Traffic Accountant views, run Traffic Accountant reports, and access the Report Center tab. The Administration page appears. 8. Select the Report Center tab. The screen displays the contents of the Public Folders. 9. Do one of the following: Select ehealth Reporting; then select Traffic Accountant Reports. The screen displays all of the Traffic Accountant report templates. Select ehealth Reporting, Traffic Accountant Reports, Specific Aggregation Reports. The screen displays all of the Aggregation report templates. 10. Select the name of the report from the list. The Prompt page appears. 11. In the Report Parameters section, select a view and group, if necessary, and a NetFlow interface. 12. In the Report Period section, specify the report period. 13. Click Finish. Schedule a Traffic Accountant Report Job through Report Center You can schedule your Traffic Accountant reports to run on a regular basis by using the Schedule feature of Report Center. To schedule a Traffic Accountant report through Report Center 1. Log in to the Web user interface as an administrator who has permission to do the following: manage Traffic Accountant views, run Traffic Accountant reports, and access the Report Center tab. The Administration page appears. 2. Select the Report Center tab. The screen displays the contents of the Public Folders. Traffic Accounting Reporting 79

80 Quick Start Traffic Accountant Reports 3. Select ehealth Reporting; then select Traffic Accountant Reports. The screen displays all of the available Traffic Accountant report templates. 4. Next to the report name, select the Schedule icon. The Schedule page appears. 5. Specify the frequency. As a best practice, do not select the No end date option. Schedules should have specific end dates so that you avoid the performance impact of many scheduled reports that continue to run even though users may no longer read them. 6. Click Options, specify the output format for the report, and specify the delivery method. 7. Deselect the checkbox under Prompt Values (scroll to the bottom of the page) so that the scheduled report does not wait indefinitely for user input. 8. Click OK. ehealth schedules the report to run at the scheduled time. Quick Start Traffic Accountant Reports ehealth provides a set of seven predefined Quick Start Traffic Accountant reports that you can use to quickly obtain the following traffic information about a specific node or autonomous system, a specific probe element, or the network: Most active nodes or autonomous systems Nodes or autonomous systems that communicated with a node or autonomous systems Applications that are used the most Conversations that occurred on the network The following table lists the reports included in the Quick Start Traffic Accountant report set. For detailed information about these reports, see the ehealth Help. 80 Traffic Accountant and NetFlow Administration Guide

81 Quick Start Traffic Accountant Reports Report Name Node - Conversations with Other Nodes report Node - Applications Seen report Description (Pie, Trend, Tabular) - Identifies the most active node partners for a particular node (which nodes communicated the most with a node). (Pie or Trend) - Identifies the most common applications used by a specific node. Probe - Top-Talkers Seen report (Pie, Trend, Bar, or Tabular) - Identifies the nodes that caused the most traffic as (on a network segment, ring, or interface) observed by a particular probe element. Probe - Applications Seen report Probe - Top Conversations report Network - Top-Talkers in Your Network report Network - Applications Used in Your Network report (Pie, Trend) - Identifies the most common applications used in the traffic (on a network segment, ring, or interface) observed by a probe element. (Trend, Bar, or Tabular) - Identifies the five largest conversation partners observed by a probe element (those that caused the most traffic, which applications were used, and the volume of each application). (Pie, Trend, Bar, or Tabular) - Identifies the nodes that caused the most traffic in your network. (Pie, Trend, Tabular) - Identifies the most common applications used in your network. Traffic Accounting Reporting 81

82 Quick Start Traffic Accountant Reports Run a Quick Start Report from the ehealth Console If you are using the standard ehealth Import Poller to either node-to-node or AS-to-AS data from Cisco NetFlow Collectors, or you are using the Traffic Accountant RMON2 Conversation Poller to collect RMON2 traffic data from probes, you can generate Quick Start Traffic Accountant reports from the ehealth console to analyze the collected data. These are the exact same reports that you can generate from the Run Reports page of the ehealth Web user interface. To run a Quick Start Traffic Accountant report 1. If you have not already done so, access OneClick for ehealth, log in to the ehealth server as a user who has permission to manage Traffic Accountant views, and then organize your nodes and autonomous systems into views and groups. For some reports, you do not need to specify a view or group. For more information and instructions on planning views, see Chapter 4: Using Views and Groups. 2. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 3. From the console, select Report, Run, Quick Start Traffic Accountant Report. The Quick Start Traffic Accountant Report dialog appears. 4. Under Report On, select a report to run. 5. For a node report, specify the name of a node in your network in the Node field or go to Step 6. This field applies only if you selected one of the node reports. 6. Click Browse to display the Choose Node dialog. If you run Traffic Accountant in AS-to-AS mode, nodes are listed by AS number. Select a node from the Nodes list; then click OK. By default, ehealth shows all nodes. You can reduce the number of nodes shown in the Nodes list by specifying a string in the Filter Nodes By field. You can use wildcards such as an asterisk (*) to match zero or more characters, or a question mark (?) to match any single character. If you specify a string without any wildcards, the filter displays the nodes that contain that string anywhere in the name. If you do not specify a string in the Filter Nodes By field, the Nodes list displays all nodes. 82 Traffic Accountant and NetFlow Administration Guide

83 Quick Start Traffic Accountant Reports 7. For a probe report, do one of the following: Select All next to Probe to include the conversations observed by all probe elements for the report interval. If more than one probe element observed a conversation, the report includes only the best record of the conversation. Select the option in the Probe field to run the report for a specific list of probe elements. If the field is empty, click Browse to display the Choose Probe dialog. Select a probe element by specifying the first few characters of a probe element name or address in the Search field, or click OK to use the selected probe element and close the Choose Probe dialog. 8. If you selected one or more specific probe elements, you can select Include redundant conversations to include all conversations observed by the probe elements. If more than one of the probe elements observed the same conversation, the report includes all records of the conversation. If you do not select this option, the report includes only the best record of a conversation observed by the probe elements. 9. Specify the applications to include in the report. 10. Specify the way in which you would like ehealth to display applications and report on them within the report. Under Application, do one of the following: Select Show application details to display all applications and report on them individually. Select Aggregate application details to display all multi-port applications and report on them as a single application. Select Hide application details to aggregate (total) all applications within the report. 11. Select a chart format next to Chart to use. If the chart format is not supported by the report, the option is not selectable. 12. Optionally, if you are generating a report that includes nodes in its output, specify the manner in which ehealth should display the nodes (by name, IP address, or both). 13. Specify the report interval. 14. Optionally, if you selected Show Report Time Zones in the Options dialog (by selecting Setup, Options on the ehealth console), select a time zone for the report. ehealth applies the Greenwich Mean Time (GMT) offset to the report period to show the data for the requested time range in the specified zone. Traffic Accounting Reporting 83

84 Quick Start Traffic Accountant Reports 15. If bi-directional data is available, specify the traffic flow directionality. Note: The Traffic Flow Directionality option appears in this dialog if you have set the NH_TA_DIRECTIONALITY environment variable to BI- DIRECTIONAL. However, if you have configured the standard Import Poller to run in node-to-node mode, ehealth collects uni-directional data for this report, regardless of the setting of the environment variable. For more information on this environment variable, see the ehealth Commands and Environment Variables Reference Guide. 16. Specify the output. For instructions on using the various report output options, see the ehealth Reports User and Administration Guide. 17. Click OK. The Quick Start Traffic Accountant Report dialog closes and ehealth runs the report. The Generating Report window displays the status of the report s progress. Run a Quick Start Report from the Web User Interface If you are using the standard ehealth Import Poller to collect node-to-node or AS-to-AS data from Cisco NetFlow Collectors, or you are using the Traffic Accountant RMON2 Conversation Poller to collect RMON2 traffic data from probes, you can generate Quick Start Traffic Accountant reports from the ehealth Web user interface to analyze the collected data. These are the exact same reports that you can generate from the ehealth console using the Quick Start Traffic Accountant Report dialog. To run a Quick Start Traffic Accountant report from the ehealth Web user interface 1. If you have not already done so, access OneClick for ehealth, log in to the ehealth server as a user who has permission to manage Traffic Accountant views, and then organize your nodes and autonomous systems into views and groups. For some reports, you do not need to specify a view or group. For more information and instructions on planning views, see the chapter, Using Views and Groups. 2. Launch the ehealth Web user interface by entering the following in a web browser, where ehealthsystem is the specific name of the system on which ehealth is installed. If your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. ehealthsystem The Welcome to ehealth page appears. 3. Click OK. The Connect to ehealthsystemname window appears. 84 Traffic Accountant and NetFlow Administration Guide

85 Quick Start Traffic Accountant Reports 4. Specify a user name and password of an administrator who has permission to view the Run Reports tab and generate Traffic Accountant reports; then click OK. The ehealth Web user interface appears. 5. Select the Run Reports tab. The Run Reports page appears. 6. Select the report template from the left pane of the Run Reports page under Traffic Accountant. The Run Traffic Accountant Report screen appears. 7. If you are generating a report on nodes, from the Nodes to report on list, select the node for which you want to run the report. 8. Use the Filter pattern field to reduce the number of nodes shown in the list. You can include a wildcard such as an asterisk (*) to match zero or more characters, or a question mark (?) to match a single character. If you do not include a wildcard, the filter displays nodes that contain that string anywhere in the name. For example if you specify a filter such as * and click Filter/Search, the filter displays only those nodes with names that start with Use the Search pattern field to find a node in the node list. 9. Click Update to display the latest list of observed nodes. 10. If you are reporting on a probe, select one or more probes for which you want to run the report. Otherwise, go to Step Optionally, if you selected more than one probe, select Include redundant conversations to include all conversations observed by all probes. If more than one probe saw the same conversation, the report will contain both records. If you do not select this option, the report shows only the top conversations. 12. Specify the following: Applications to include in the report, and the display and filter options Chart format Report interval and time zone Traffic flow directionality Note: The Traffic Flow Directionality option appears in this window if you have set the NH_TA_DIRECTIONALITY environment variable to BI- DIRECTIONAL. However, if you have configured the standard Import Poller to run in node-to-node mode, ehealth collects uni-directional data for this report, regardless of the setting of the environment variable. For more information on this environment variable, see the ehealth Commands and Environment Variables Reference Guide. Traffic Accounting Reporting 85

86 Standard Traffic Accountant Reports 13. Click Run Report. The web server processes the data for your Traffic Accountant report and displays it in your browser window. Standard Traffic Accountant Reports If you are using the standard ehealth Import Poller to collect node-to-node or AS-to-AS data from Cisco NetFlow Collectors, or you are using the Traffic Accountant RMON2 Conversation Poller to collect RMON2 traffic data from probes, you can generate a set of standard reports from the ehealth console to analyze the collected data. These reports provide more information about typical traffic and volume information for one or all nodes, a view, a group, and one or all probe elements than the Quick Start reports, and you can schedule them to run automatically. You cannot change or delete them; however, you can use them as templates for customized reports. The following table describes the categories of standard Traffic Accountant reports that are available. For detailed information about a particular report, see the ehealth Help. Category Description Reports Custom Note: This category contains the customized reports that you create. ehealth does not provide standard reports in the Custom category. Cost Allocation Relate network costs to departments and nodes, and show the nodes and groups that use the network. They can help you to distribute network costs based on the type of people who use the network. Allocations by Department report (pie) Shows percentage of the total network volume used by the top groups in a view. Group Activity Log report (tabular) Shows how much each node in a group used the network. Group Conversation Log report (tabular) Shows the groups that communicate with a specified group and the total traffic volume for each group partner. Node Conversation Log report (tabular) Shows the nodes that communicate with a specific node, the total traffic volume in bytes for each node partner, and the percentage of the specified node s total volume for each node partner. 86 Traffic Accountant and NetFlow Administration Guide

87 Standard Traffic Accountant Reports Category Description Reports Network Provide information about all conversations that were observed, the most active nodes, and the most popular applications used in the network. Applications for All Nodes report (pie) Shows the percentage of network traffic used by the top applications in the network. Node-to-Node Conversations for All Nodes report (tabular) Shows the top node partners that exchanged the most data in the network. The report lists the node partners, the applications that they used, and the byte and packet totals for the applications and the node partners. Top Nodes Among All Nodes report (bar) Shows the most active nodes in the network and the application volume for each node. Traffic Accounting Reporting 87

88 Standard Traffic Accountant Reports Category Description Reports Group Identify the applications that a group uses, the nodes in the group that communicate the most, and the other groups that communicate with a specific group. To use the group reports, you must define views and groups as described in the chapter, Using Views and Groups. Applications for Group report (volume trend) - Shows the applications in the group that are used most frequently. Group Partners for Group report (pie) Shows the groups that communicate the most with a specified group. The reports shows the percentage of the group s total traffic volume for the top group partners. Top Nodes for a Group report (bar) Shows the top nodes with the highest volume in the group. The report also calculates the top applications used in the group. Top Nodes for a Group report (trend) Shows the volume trend for the most active nodes in the group. The report displays a volume trend for the report interval by showing when the most active nodes were active, how much traffic they caused, and the cumulative traffic for the most active nodes in the group at that time. Subnet-to-Subnet Traffic report (tabular) Shows traffic data for a specific subnet group as seen by one or all probes that you have installed in your network. This data provides capacity planners with a key measurement of network workload. 88 Traffic Accountant and NetFlow Administration Guide

89 Standard Traffic Accountant Reports Category Description Reports Node Provide information about the node and group partners for a node, as well as the applications used by a node Applications for Node report (volume trend) Shows the applications used most by a node. The report shows the volume trend for each application that a node uses. Group Partners for Node report (pie) Shows the groups that communicate the most with a specified node. Node Partners for a Node report (volume trend) Shows the largest node partners for a specific node, when each node partner communicated with the node, and how much data was exchanged. Node Partners for a Server report (tabular) Shows the node partners that communicate the most with a server, the subnet in which the node partners belong, and which applications are used by the node partners. Traffic Accounting Reporting 89

90 Standard Traffic Accountant Reports Category Description Reports Probe Provides information about the largest conversations, most active nodes, and the most common applications observed by a probe element in your network Applications Seen by Probe report (volume trend) Shows the applications observed the most by a probe element, when the applications were used, and how much data the applications used. All Applications Seen by Probe report (tabular) Shows the mostused applications in order of highest volume, and the total volume in bytes and packets. If you specify more than one probe, this report shows separate charts per probe. All Conversations Seen for an Application (tabular) Shows all conversations seen by a probe for an application based on conversation partner. Top Conversations Seen by Probe report (tabular) Shows the top node partners that exchanged the most data as observed by one or all probe elements. Top Nodes Seen by Probe report (volume trend) Shows the most active nodes observed by a probe element, when they used the network, and how much traffic they used. All Nodes Using an Application report (tabular) Shows the nodes using an application and the amount of traffic generated in alphanumerical order by node. Most Active Nodes for Application report (tabular) Identifies the nodes that are using an application the most, and how much traffic they are sending and receiving. 90 Traffic Accountant and NetFlow Administration Guide

91 Standard Traffic Accountant Reports Category Description Reports Security View Presents information about which nodes are communicating with other networks. Presents information about views, including the most active nodes and groups in a view, the node-to-node conversations in a view, and the applications used by the nodes in a view. Web Traffic Audit report (tabular) Displays a record of the top conversations that used the World Wide Web (WWW) application. For each conversation, the report shows the node partners and the size of the conversation in bytes. The report also shows the percentage of the network web traffic that each conversation used. Applications for View report (pie) Shows the applications that are used the most in a view, and the percentage of network traffic for the top applications. Node-to-Node Conversations for a View report (tabular) Shows shows the top node partners that exchanged the most data in a view, the total bytes and packets, and the applications used. Top Groups for a View report (bar) Shows the top groups with the highest volume in a view, and calculates the top applications used by the groups. Top Nodes for a View report (bar) Shows the top nodes with the highest volume in the view, and calculates the top applications used in the view. Traffic Accounting Reporting 91

92 Standard Traffic Accountant Reports Run a Traffic Accountant Report from the ehealth Console You can run standard Traffic Accountant reports to analyze traffic data that the standard ehealth Import Poller or the Traffic Accountant RMON2 Conversation Poller has collected. You cannot run reports on NetFlow data that you have collected by using the enhanced ehealth Import Poller or the ehealth NetFlow Collector. For instructions on running reports on this data, see Run a Traffic Accountant Report through Report Center (see page 78). To run a Traffic Accountant report 1. If you have not already done so, access OneClick for ehealth, log in to the ehealth server as a user who has permission to manage Traffic Accountant views, and then organize your nodes and autonomous systems into views and groups. For some reports, you do not need to specify a view or group. For more information and instructions on planning views, see Chapter 4: Using Views and Groups. 2. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 3. Display the Traffic Accountant Report dialog by doing one of the following in the ehealth console: Select Reports, Run, Traffic Accountant. Click. The Traffic Accountant Report dialog appears. 4. Select a report category. The Description field provides a brief summary of the type of information that the report provides. 5. Select one of the available reports from the Report list for the selected category. 6. If bi-directional data is available, specify the traffic flow directionality. Note: This feature appears in the dialog if you have set the NH_TA_DIRECTIONALITY environment variable to BI-DIRECTIONAL. However, if you have configured the Import Poller to run in node-to-node mode, ehealth collects uni-directional data for this report, regardless of the setting of the environment variable. For more information, see the ehealth Commands and Environment Variables Reference Guide. 7. Specify the subject of the report. Only the subjects that apply to the report that you selected are enabled. 92 Traffic Accountant and NetFlow Administration Guide

93 Standard Traffic Accountant Reports 8. Select a view. You can create or modify views, or the groups within a view, by clicking Edit. For more information, see Chapter 4: Using Views and Groups. 9. Select a group for the report. To select a group, you must specify a view first. 10. Select a node by specifying the name or address of the node for the report in the Node field or click Browse to display the Choose Node dialog. If you run Traffic Accountant in AS-to-AS mode, nodes are listed by AS number. 11. Do one of the following and click OK: Select a node or autonomous system from the Nodes list. By default, ehealth displays all nodes or autonomous systems. You can reduce the nodes or autonomous systems shown by specifying a string in the Filter Nodes By field. Use wildcards such as an asterisk (*) to match zero or more characters, or a question mark (?) to match any single character. If you specify a string without any wildcards, the filter displays the nodes or autonomous system that contain that string in the name. If you do not specify a string in the Filter Nodes By field, the Nodes list displays all nodes or autonomous systems. The Choose Node dialog closes. 12. Select a probe. Next to Probe, do one of the following and click OK (Probe is always enabled so that you can run reports for the data observed by all probe elements or a specific probe element): Select All to include the conversations observed by all probe elements for the report interval. Select the option in the adjacent field to run the report for one or more specific probe elements. If the field is empty, click Browse to display the Choose Probe dialog. Select a probe element from the Probes list or specify the first few characters of the name or address in the Search field. 13. If you selected one or more specific probe elements in Step 12, select Include redundant conversations to include all conversations observed by all selected probe elements. If more than one of the probe elements observed the same conversation, the report includes all records of the conversation. If you do not select this option, the report includes only the best record of a conversation observed by the probe elements. 14. Specify the manner in which ehealth should display nodes in reports. You can display them by name, IP address, or both. Traffic Accounting Reporting 93

94 Standard Traffic Accountant Reports 15. Specify the report interval. For each value, use the format that you specified during installation. The report analyzes only those conversations that occurred after the specified start time on the specified start date and before the specified stop time on the specified stop date as shown in the following illustration: 16. Optionally, if you enabled the Show Report Time Zones option (by selecting Setup, Options in the ehealth console), select a time zone for the report. ehealth applies the GMT offset to the report period to show the data for the requested time range in the specified zone. 17. Specify the output. For instructions on using the various report output options, see the ehealth Reports User and Administration Guide. 18. Click OK. The Traffic Accountant Report dialog closes and ehealth runs the report. The Generating Traffic Accountant Report dialog displays the status of the report s progress. Schedule a Traffic Accountant Report Job through the ehealth Console From the ehealth console, you can schedule standard Traffic Accountant reports to run automatically. To schedule a Traffic Accountant report 1. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 2. Select Setup, Schedule Jobs. The Schedule Jobs dialog appears. 3. Select Add Traffic. The Add Scheduled Traffic Accountant Report dialog appears. 94 Traffic Accountant and NetFlow Administration Guide

95 Standard Traffic Accountant Reports 4. Select a category, report, and a subject by performing Steps 4 through 13 in the topic, Run a Traffic Accountant Report from the ehealth Console (see page 92). 5. Specify the schedule for the report (days, month, and time). If you specify 31, the job will only run on months that have 31 days. 6. If you enabled Show Report Time Zones in the Options dialog (by selecting Setup, Options in the ehealth console) and selected a time zone in the Add Scheduled Traffic Accountant dialog, the Schedule area of this dialog displays the selected time zone, the time in the zone, and the equivalent time on the ehealth system. 7. Select the time period for which you want to run the report. If you select Custom, specify the beginning date and time for the report in the from field, and specify the ending date and time for the report in the to field. Use the date and time format that you specified during installation. 8. Specify the manner in which ehealth should display nodes in the report (by name, IP address, or both). 9. Specify the output. For instructions on using the various report output options, see the ehealth Reports User and Administration Guide. 10. Click OK. The Add Scheduled Traffic Accountant Report dialog closes, and the new scheduled report appears in the list on the Schedule Jobs dialog. 11. In the Schedule Jobs dialog, click OK. ehealth saves the job. 12. Monitor the job status. Log in to the OneClick for ehealth console as a web user who has permission to manage scheduled jobs. From the console, you can modify the schedule or delete the job when it is no longer needed. However, to modify specific report parameters, you must use the ehealth console. For detailed instructions on managing your scheduled jobs using OneClickEH, see the ehealth Administration Guide. Traffic Accounting Reporting 95

96 How to Customize a Standard Traffic Accountant Report How to Customize a Standard Traffic Accountant Report Using the ehealth console, you can create customized reports to obtain information about your network that the standard reports do not offer. Also, you can copy a standard report and modify it to change the format or the report parameters. ehealth automatically assigns all customized reports to the Custom category. You can customize a Traffic Accountant report by creating a new customized report or by modifying a copy of an existing report (standard or customized). You typically create a new customized report to obtain information that is not available using the standard reports, or to use other available charts. The following table describes all of the charts that you can use to create customized reports. For detailed information about these reports, see the ehealth Help. Chart Name Group Partners Node Partners Node-to-Node Conversations Top Groups Top Nodes Total Volume Volume Trend by Application Volume Trend by Group Description (Pie and Tabular) Displays the largest group partners for a group or a node. (Pie and Tabular) Displays the most active node partners for a group or a node. (Bar, Trend, and Tabular) Lists the largest conversations that occur for all nodes, between the nodes in a view, and between the nodes in a group. (Pie and Bar) Displays the most active groups in a view. (Pie, Bar, and Tabular) Displays the most active nodes for all nodes, those in a view, and those in a group. The most active nodes are often referred to as the top talkers. These nodes send and receive the most information. (Pie) Displays the most common applications used by all nodes, a view, a group, or a node. (Trend) Displays the network volume for the most common applications used by the all nodes, a view, a group, or a node. (Trend) Displays the network volume for the most active groups in a view. 96 Traffic Accountant and NetFlow Administration Guide

97 How to Customize a Standard Traffic Accountant Report Chart Name Volume Trend by Node Description (Trend) Displays the network volume for the 11 most active nodes for all nodes, those in a view, or those in a group. To create a new customized report, follow these general steps: 1. Log in to the ehealth console as an administrator and access the Edit Traffic Accountant Report dialog. 2. Select New from the list next to the Report list, specify a name for the report. Accept the default settings, or specify a different subject type. 3. Select a different chart type to specify the type of information that the report should display. The chart types that are available depend on the subject type that you select, as illustrated in the following table. For a detailed description of each type, see the ehealth Help. 4. Optionally, click change the chart format, description, report titles and headings, report interval, and report period. 5. Click OK. Modify a Copy of a Standard Report You would typically modify a copy of a standard or any defined report to create your own report titles and headings, change the application filter options, change the chart type if the report supports multiple chart types, or run the report for specific hours and specific days. To modify a copy of a standard report 1. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 2. Access the Edit Traffic Accountant Report dialog and select a report category. 3. Select a report; then click Copy. 4. Specify the subject type and chart type. 5. Specify the title, located in the top-left corner of the report, in the Title 1 field. Traffic Accounting Reporting 97

98 How to Customize a Standard Traffic Accountant Report 6. Specify the subtitle, located below the title in the top-left corner of the report, in the Title 2 field. 7. Do the following under Chart Headings: Specify the heading, located in the center of the report page directly above the chart. Specify the subheading, located below the heading in the center of the report page. 8. Restrict the data in the Traffic Accountant report to specific hours and days. 9. Specify the traffic filter by doing one of the following: Next to Variable, specify how ehealth should display traffic volume. Next to Conversations, specify whether ehealth should display all traffic to or from the specified node, autonomous system, or group, or only the traffic sent between groups in a view. If you want to include the traffic sent to or from unassigned nodes, select Include unassigned nodes. 10. Specify the application filter: Click Browse next to the Application filter field. Optionally, filter the list by selecting Show all ports or Collapse multiports. Do one of the following; then click OK: Select one or more applications from the Applications list. Search for an application by specifying the first few characters of the name in the Search field. The list scrolls to the first application that matches the specified characters. The search is casesensitive. Under Application Options, specify the way in which you would like ehealth to display applications and report on them within the report. Specify the number of components nodes or groups to display. If you select Top, specify a value up to the maximum listed in this table: Chart Type Default Value Maximum Value Pie chart Bar chart Trend chart Tabular charts 50 No maximum 98 Traffic Accountant and NetFlow Administration Guide

99 How to Customize a Standard Traffic Accountant Report Note: If you select Exclude Others to omit the All Others component, the report shows the top components, but does not show an aggregate value for any additional ones. You cannot select this option for tabular reports. 11. Optionally, change the sort order of components in reports. 12. Optionally, specify the number of applications to show. 13. Click OK. ehealth saves your changes and closes the Edit Traffic Accountant Report dialog. Rename a Report You can change the name of a customized report. To change the name of a customized report 1. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 2. Display the Edit Traffic Accountant Report dialog by doing one of the following from the ehealth console: Select Reports, Customize, Traffic Accountant Report. Click Edit next to the Report list in the Traffic Accountant Report dialog. Click Edit next to the Report list in the Add Scheduled Traffic Accountant Report or Modify Scheduled Traffic Accountant Report dialog. The Edit Traffic Accountant Report dialog appears. 3. In the Edit Traffic Accountant Report dialog, do the following: a. Select (Custom) from the Category list. b. Select a report name. c. Click Rename. The Rename Customization dialog appears. 4. Specify the new name for the report in the New Name field, and click OK. The Rename Customization dialog closes and the new report name appears in the Report field of the Edit Traffic Accountant Report dialog. Traffic Accounting Reporting 99

100 How to Customize a Standard Traffic Accountant Report 5. Click OK. ehealth saves your changes and closes the Edit Traffic Accountant Report dialog. Example: Create a Customized Copy of a Standard Report This section describes the basic steps for customizing a standard report using the Edit Traffic Accountant Report dialog. In this example, you create a customized Allocations by Department report in bar chart format by showing data for each group in the department in packets. You also change the titles and headings of the report. The bar chart does not show the applications used by the groups. For a description of the standard Allocations by Department report, see Standard Traffic Accountant Reports on page (see page 86) 19 (see page 86). To create a customized copy of a standard report 1. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 2. Display the Edit Traffic Accountant Report dialog by doing one of the following from the ehealth console: Select Reports, Customize, Traffic Accountant Report. Click Edit next to the Report list in the Traffic Accountant Report dialog. Click Edit next to the Report list in the Add Scheduled Traffic Accountant Report or Modify Scheduled Traffic Accountant Report dialog. The Edit Traffic Accountant Report dialog appears. 3. In the Edit Traffic Accountant Report dialog, select Cost Allocation from the Category list. This is the category that contains the report that you want to copy. 4. Select Allocations By Department Pie Chart from the Report list. 5. Select Copy from the list next to the Report list. ehealth names the report copy_of_allocations By Department Pie Chart, and changes Category to Custom. 6. Optionally, rename the report. 100 Traffic Accountant and NetFlow Administration Guide

101 How to Customize a Standard Traffic Accountant Report 7. Optionally, change the chart options. Click Options to display the Chart Options dialog; then do the following: Select Bar under Chart type. Select Packets next to Variable under Traffic filter. Select Hide Application Details under Application Options. Click OK to save the new chart options and close the Chart Options dialog. 8. In the Edit Traffic Accountant Report dialog, change the report titles under Report Titles as follows: Specify Corporate Network in the Title 1 field. Specify Monthly Network Volume in the Title 2 field. 9. Change the headings under Chart Headings as follows: Specify Network Volume by Department in Packets in the Heading 1 field. Specify Monthly Network Cost $325,000 in the Heading 2 field. 10. Click OK. You can run the customized report for a view using the Traffic Accountant Report dialog. the following is a sample output. Traffic Accounting Reporting 101

102 How to Customize a Standard Traffic Accountant Report Delete a Customized Report You can only delete a customized report. You cannot delete a standard report. To delete a customized report 1. Log in to the ehealth console as an administrator. If you log in to ehealth remotely, and your ehealth system is configured to run in a High Availability environment, specify the shared hostname or shared IP address for your system rather than the specific ehealth system name. The ehealth console appears. 2. Display the Edit Traffic Accountant Report dialog by doing one of the following from the ehealth console: Select Reports, Customize, Traffic Accountant Report. Click Edit next to the Report list in the Traffic Accountant Report dialog. Click Edit next to the Report list in the Add Scheduled Traffic Accountant Report or Modify Scheduled Traffic Accountant Report dialog. The Edit Traffic Accountant Report dialog appears. 3. In the Edit Traffic Accountant dialog, do the following: a. Select (Custom) from the Category list in the Edit Traffic Accountant Report dialog. b. Select a report name from the Report field. c. Select Delete from the list next to the Report list. The Confirm Delete dialog appears. 4. Click Delete to delete the report. ehealth removes the report from the database. 102 Traffic Accountant and NetFlow Administration Guide

103 How to Configure the Node Name Display in Reports How to Configure the Node Name Display in Reports You can configure Traffic Accountant reports to show node names or company names instead of node addresses or autonomous system numbers. By default, standard Traffic Accountant reports show node addresses or AS numbers. When you run a Quick Start Traffic Accountant report, you can choose whether to display nodes in reports by name, IP address, or both by selecting the appropriate option under Node Options in the Run Quick Start Traffic Accountant dialog on the Run Report screen. When you select Node Name, ehealth displays the IP address of a node if it cannot find the name. When you select Both to configure a report to show node names and addresses, ehealth displays the address twice if it cannot find the node name. Traffic Accounting Reporting 103

104 How to Configure the Node Name Display in Reports The Traffic Accountant report on the top above shows node names. This report was configured to show node names only, ehealth displays the IP addresses of several nodes because it could not find their names. The report on the bottom above shows node addresses only. The third report below shows node names and addresses. ehealth displays the IP address of several nodes twice because it could not find their names. 104 Traffic Accountant and NetFlow Administration Guide

105 How to Configure the Node Name Display in Reports Automate the Process of Changing the Name Node Display in Reports As you add a node name to the ehealth database, ehealth can automatically replace the node s IP address with its system name as an ASCII text string. By default, ehealth provides a scheduled system job that runs the nhnamenodes command hourly. You can use OneClickEH to disable this job or change the frequency with which ehealth runs it. When using the Name Nodes scheduled system job, follow these guidelines: Before running the Name Nodes scheduled job for the first time, run the nhnamenodes command at the command line. If you have large numbers of nodes in your system or if the Domain Naming System (DNS) hookup is very slow, you can set the -retry and -timeout values to a minimum value of 1, or disable recursion by specifying the -norecurse argument. Keep in mind that the Name Nodes scheduled job does not name all nodes within the database. If you need to name other nodes or every node in the database, you must run the nhnamenodes utility manually at the command line. Schedule the Name Nodes system job in IP mode. Do not schedule it in AS mode. If you schedule a Name Nodes system job while you are in AS mode, ehealth will not consider it to be valid. To enable the nhnamenodes utility to function properly on a Windows system, you must identify the IP addresses of those hosts that are the DNS servers on the Traffic Accountant user s local network within a file. Store the list of servers in a file named resolv.conf in the following directory: drive:\winnt\system32\drivers\etc. This file is similar to the /etc/resolv.conf file found on a UNIX system. It has the following format: domain mycompany.com nameserver # DNS server 1 nameserver # DNS server 2 Note: If a Windows system does not have this resolv.conf file, the nhnamenodes utility will fail. You must include a comment (such as # DNS server 1) at the end of each line. To automate the process of configuring the name node display in reports 1. If you have not already done so, run nhnamenodes at the command line. For instructions, see the ehealth Commands and Environment Variables Reference Guide. 2. Log in to the OneClick for ehealth console. 3. Log in to the ehealth server as an administrator who has permission to manage scheduled jobs. The ehealth Status Summary window appears. Traffic Accounting Reporting 105

106 How to Configure the Node Name Display in Reports 4. In the left pane, select Tasks and Information, Job Scheduler, Scheduled Jobs. The Scheduled Jobs window appears. 5. Select the All tab. The console displays the list of jobs that are scheduled to run on your ehealth system. 6. Scroll through the list to locate Name Nodes and double-click the name. The Edit Name Nodes window appears. 7. Click the Schedule tab and change the frequency with which the job runs, and the time of day. 8. Click the Properties tab and do any of the following: Set the timeout and retries rates. Disable recursion. Specify the timeout rate (the amount of time (in seconds) that ehealth will wait for a name request to be filled). Specify the retries rate (the number of times that ehealth will attempt to look up a node s name before moving on to the next node). Disable recursion so that ehealth stops at the local tier of DNS servers when retrieving node names. 9. Click OK. Generate a List of Autonomous Systems for a Node The Edit Name Nodes window closes, and ehealth updates the parameters for the scheduled job. By specifying the -file argument with the nhnamenodes command, you can download an ASCII file that contains a list of autonomous system numbers (ASNs) for a node and the names of all registered ASNs. To use nhnamenodes to display a list of autonomous systems for a node 1. Using an Internet browser, go to the following URL: This browser displays a list of ASNs and the names of all registered ASNs. 106 Traffic Accountant and NetFlow Administration Guide

107 How to Add Custom Applications to Traffic Accountant Reports 2. Save this information to a file by doing the following: a. Select File, Save As. b. In the Save Web Page dialog, navigate to the appropriate directory. c. From the Save as type list, select Text File (*.txt). d. In the File Name field, enter asn.txt. e. Click Save. ehealth saves the file. 3. At the command line, enter the following: nhnamenodes -file asn.txt ehealth downloads a list of autonomous systems for that node. How to Add Custom Applications to Traffic Accountant Reports ehealth maintains tables that associate port or socket IDs to specific protocols or applications. When you report on traffic by application, ehealth creates a separate entry in a report for each unique application. If you have custom applications with port IDs, you can generate Traffic Accountant reports for them by specifying the applications and port ID mappings in the appropriate file listed in the following table. These files are located in the sys directory of the ehealth home directory. If you have multiple applications existing on multiple ports, you can group them together within the appropriate.usr file. Files decnetapplics.usr protocolsoverdll.usr protocolsoverip.usr socketsoveripx.usr tcpipports.usr tcpipprograms.usr Description Defines DECnet applications. Defines applications using the data link layer (DLL), such as Ethernet and link service access point (LSAP) applications. Defines applications using the IP protocol. Defines applications using Internetwork Packet Exchange (IPX) sockets. Defines TCP/IP, User Datagram Protocol (UDP) well-known ports. Defines applications using TCP/IP port numbers. Traffic Accounting Reporting 107

108 How to Maintain ehealth Report Files To add custom applications to Traffic Accountant reports 1. Change to the sys subdirectory in the ehealth home directory and doubleclick the appropriate.usr file. The file opens. 2. Edit the.usr file by doing the following. a. Add the port IDs and descriptions. If you have multiple applications existing on multiple ports, group them together by doing one of the following: Enter individual port numbers separated by commas (for example: 135, 1200, 1201). Enter a range of port numbers separated by a dash (for example: ). Enter a combination of both of these formats (for example: 135,1200,1201, ). b. Run the nhupdatedbprotocol command, as in the following example: nhupdatedbprotocol -t user ehealth updates the database. For specific instructions on running this command, see the ehealth Commands and Environment Variables Reference Guide. ehealth automatically adds the customized applications that you add to the.usr files to new databases that you created using the nhcreatedb command. For detailed instructions on editing the.usr files, see the ehealth Customizing Variables Administration Guide. How to Maintain ehealth Report Files When you save reports as ASCII, PDF, or PostScript files, or as files that users can view using a web browser, ehealth creates these files in the web and output directories of the ehealth directory. When you use PDF as the format for viewing reports on the screen, ehealth stores the PDF files in the tmp directory of the ehealth directory. To maintain disk space and clean up old files, ehealth automatically deletes the following report and temporary files: Report files saved in the ehealth/output directory older than 31 days Traffic Accountant web-based reports saved in the ehealth/web/output/views directory older than 31 days All files, including PDF files, saved in both the ehealth/tmp and ehealth/web/tmp directories older than four days 108 Traffic Accountant and NetFlow Administration Guide

109 How to Maintain ehealth Report Files ehealth provides a Delete Old Reports scheduled job that runs at 6:00 a.m. every day. You can modify this job to change the number of days that ehealth retains reports and temporary files as well as when the job runs. For more information about the Delete Old Reports job, see the ehealth Reports User and Administration Guide. Traffic Accounting Reporting 109

110

111 Appendix A: Subnet Masks This section contains the following topics: IP Addresses, Subnets, and Subnet Masks (see page 111) IP Addresses, Subnets, and Subnet Masks An IP address is a 32-bit number that uniquely identifies each system or device on the network. You use it to specify the sender or receiver in packets sent across the Internet or network. The address is partitioned into four groups of eight bits each (called octets). Since it is difficult to read addresses in binary notation, IP addresses are usually expressed as four decimal numbers, separated by periods. This is known as the dot address (for example ). IP addresses are organized into classes, which determine the number of nodes that are in a subnet. Subnetting refers to partitioning a network address space into separate, autonomous subnetworks, or network segments. A subnet mask is a special number which looks like a network address and determines the size of a specific subnetwork. A router uses the subnet mask to move packets along more quickly. When a packet arrives, the router knows which bits to look at (and which to ignore) by looking at a subnet mask. The mask is simply a screen of numbers that tells the router which part of the IP address to use. Using a mask prevents the router from having to process the entire 32-bit address; it simply uses the bits selected by the mask. Calculate the Subnet Mask To calculate your subnet mask, you must estimate the largest number of nodes that you expect to have in your network. To calculate the subnet mask 1. Determine the number of nodes that you currently have in your network; and, allowing for growth, estimate the largest number of nodes that you could potentially have on your network in the future. Subnet Masks 111

112 IP Addresses, Subnets, and Subnet Masks 2. The following table lists the number of nodes and the associated class and subnet octet. Find the value that you calculated in Step 1 or round up to the next highest value. Note the class and subnet octet for this value. Subnet Octet (decimal format) Class A Class B Class C , , ,142 1, ,286 2, ,048,574 4, ,097,150 8, ,388,606 16, ,388,606 32, ,777,214 65, The following table lists the class and its associated default subnet mask where X is the subnet octet defined in the following table. Use the class and the subnet octet that you determined in Step 2 to define your subnet mask. Network Class Class A Class B Class C Default Subnet Mask 255.X X X For example, you estimate that while you currently have 15,000 nodes, you anticipate that in the future you will have 25,000 nodes. Reviewing the data in the table provided in Step 2, you round up to 32, 766. This is Class B with a subnet octet value of 128. Reviewing the data provided in the table above, you determine that the default subnet mask format for Class B is X.0. Your subnet mask is, therefore, Traffic Accountant and NetFlow Administration Guide

113 Appendix B: Running a Dedicated Traffic Accountant ehealth System This section contains the following topics: Guidelines for Disabling Extraneous Processes (see page 113) Edit the Startup.cfg File (see page 113) Guidelines for Disabling Extraneous Processes If your ehealth system only runs Traffic Accountant (that is, you do not use your system for any other application, including a component of ehealth), you should edit the startup.cfg file after installing ehealth to disable extraneous processes that may consume virtual memory. By shutting off these processes, you can save 50 to 100 Mbytes of virtual memory. Before you attempt to disable extraneous processes, consider the following: You must be running Traffic Accountant as a standalone dedicated system. That is, your system cannot be running any other ehealth processes. You can disable all processes except nhipoller programs that have the following arguments: -import and -dlg. You can edit the startup.cfg file any time after you install ehealth. However, if you upgrade or reinstall, the system overwrites your changes. To preserve your changes, save a copy beforehand. To effect your changes, you must restart the ehealth server. Edit the Startup.cfg File Before you edit the startup.cfg file, you must stop the ehealth server. After modifying the file, you must restart the server to enable the changes. To edit the startup.cfg file 1. Enter the following command: nhserver stop 2. Quit the ehealth console if it is running. Running a Dedicated Traffic Accountant ehealth System 113

114 Edit the Startup.cfg File 3. Change directories to ehealth/sys and open the startup.cfg file (where ehealth is your ehealth home directory). 4. Within the file, scroll to a process that you want to disable. 5. Do one of the following: Look for an entry in the following format: disable no # Set this to yes to NOT run the service Change the word no to yes and insert a space before the first pound sign (#) as follows: disable yes #no # Set this to yes to NOT run the service You must insert a space before the pound (#) sign. Look for an entry in the following format: disable $(_isdistributedconsole) # Disable on Dist. Console Replace the dollar sign ($) string with yes and insert a space before the first pound sign (#) as follows: disable yes #$(_isdistributedconsole) # Disable on Dist. Console You must insert a space before the pound (#) sign. 6. Optionally, disable additional processes. 7. Save the file. 8. Restart the ehealth server. If you upgrade or reinstall ehealth, the system will overwrite any changes that you have made to the startup.cfg file. You must repeat this procedure to disable these processes again. 114 Traffic Accountant and NetFlow Administration Guide

115 Index A creating 97 creating 54, 55, 61 Add Scheduled Traffic Accountant Report 95 creating for probes 55 Add Scheduled Traffic Accountant Report dialog creating groups creating view for one or all 55 adding customized 97 Custom category 86 addresses, for a node 9 custom, adding to reports 108 addresses, using in reports 104 customized report 103 aging out 38 customizing 68, 69, 70 All Applications Seen by Probe report 86 customizing a copy of 101 All Applications Seen for an Application report 86 D all conversation data, rolling up 40 data analysis 12 Applications for All Nodes report 86 database, updating for protocols 108 applications seen by 80 defaults 109 Applications Seen by Probe report 86 defined 9, 52 applications used by 86 defining 29 applications used in 80, 86 definition 9, 49 applications used on 80, 86 deleting 61, 64, 103 AS-to-AS, concepts 9 deleting customized 103 B determining 15 directionality, specifying 44 bar 69 disabling ehealth processes 113 bar chart 69 disabling processes 113 best probe source 55 discovering 28 best source for information 55 displaying 82 best source of information 55 displaying in reports 93, 95 bi-directional data 44 C Edit Traffic Accountant Report 100, 101, 103 calculating 111 chart headings 98 Choose Node 82, 93 Edit Traffic Accountant Report dialog 100, 101, 103 estimating data 70 Choose Node dialog 82, 93 example of creating 101 Choose Probe 82 example of using 49 Choose Probe dialog 82 examples 49 Cleanup Nodes 38 examples of 9 comparing conversation records 15 excluding All others 98 components 98 exporting 60 Confirm Delete 103 exporting views 60 Confirm Delete dialog 103 conversations seen by multiple 29 F copying 58 filtering 29 copying a report 98 FlowCollector 11 copying views 58 for a node, list of 107 E Index 115

116 format 69, 70, 71 formats 68 functional views 53 G most active seen by probe 80 most common in network 80 Name Nodes 106 Generating Traffic Accountant Report 93 Name Nodes, scheduled system job 106 Generating Traffic Accountant Report dialog naming conventions Network - Applications Used in Your Network geographic 52 report 80 geographic views 52 Network - Top-Talkers in Your Network report Group Activity Log report group partners report 86 network addresses, for a node 9 groups 64 NH_DLG_POLL_TIME_FIRST_WARNING_THRES HOLD environment variable, 36 H NH_DLG_POLL_TIME_SECOND_WARNING_THR how ehealth filters data from 29 ESHOLD environment variable, 36 how it analyzes data 12 NH_DLG_TIME2KEEP 38 NH_MAX_IP_ADDRS 54 I NH_POLL_DLG_BPM 29 NH_POLL_DLG_BPM 29 importing 59 NH_POLL_LOG_FILE 40 importing views 59 NH_POLL_LOG_SIZE 40 including in reports 98 NH_POLL_PROBE_TIME_LIMIT 35 including unassigned nodes 98 NH_TA_DIRECTIONALITY 44 interpreting data 69 nhdbstatus 35 L nhdbstatus command 35 nhnamenodes command 106 largest conversations 86 nhupdatedbprotocol 108 largest conversations observed by 80, 86 nhupdatedbprotocol command 108 largest conversations on 86 Node - Applications Seen report 80 largest in network 86 Node - Conversations with Other Nodes report largest observed by probe 80, learning about nodes 12 Node Conversation Log report 86 location of 40 node pair 9 M Node-to-Node Conversations for a View report 86 maintenance cleanup 109 Node-to-Node Conversations for All Nodes methods to define 54 report 86 minimizing disk space 38 number 107 modifying copy of 98 monitoring use of 14 O most active in network 80, 86 observed by probes 12 most active in view 86 organizational views 51 most active nodes 86 organizing in groups using views 51, 54 most active nodes on 80 overutilization, detecting 36 Most Active Nodes for Application report 86 overview 11, 15, 49, 67, 80, 111 most active nodes in 80 most active nodes on 80 most active nodes or groups in 86 N 116 Traffic Accountant and NetFlow Administration Guide

117 P segments, probes seen 12 size of 40 pairs, for a conversation 9 startup.cfg file, editing 113 partners, for a node 80 system 53 pie 68 system views 53 pie chart 68 system, running dedicated 113 planning 51, 54 poll interval, setting 30 T poller, description 29 tabular 71 polling 29 tabular 71 polling interval 29 tabular chart 71 polling interval, setting 30 top conversations on 80 polling probes, example 29 Top Conversations Seen by Probe report 86 polling status 29 top conversations, determining 15 probe 52 Top Groups for a View report 86 Probe - Applications Seen report 80 Top Nodes for a View report 86 Probe - Top Conversations report 80 Top Nodes Seen by Probe report 86 Probe - Top-Talkers Seen report 80 top talkers, seen by probe 80 processes, disabling 113 top, determining 15 Q Traffic Accountant Report 93 Traffic Accountant Report dialog 93 Quick Start 80 Traffic Accountant reports 95 Quick Start Traffic Accountant Report 82 Traffic Accountant reports for 49 Quick Start Traffic Accountant Report dialog trend trend chart 70 R types 80 types of 49, 67 removing 38 Rename Customization 100 Rename Customization dialog 100 unassigned 49 renaming 60, 100 Unassigned Nodes 53 renaming customized 100 unidirectional data 44 report categories 86 usage per department 86 resource overutilization, detecting 36 usage per node 86 retrieving conversation data 29 usage, per node 86 retrieving data from 29 used by node 80, 86 retrieving from probes 29 used in network 86 rolling up 40 used the WWW 86 running 82, 93 uses for 69, 70, 71 S uses of 68 using 53 using IP address range 61 Schedule Jobs 95 using the information 9 Schedule Jobs dialog 95 using views 49 scheduling 95 scheduling reports 95 V Security category 86 seeing conversations on segments 12 View category 86 seen by probe 80 view descriptor files 59 segments, conversations seen 12 views 60, 61 U Index 117

118 W Web Traffic Audit report 86 window, Conversations Polling 29 World Wide Web Traffic Accountant and NetFlow Administration Guide