Notice below I filed on the domain ‘last.fm’.

Network traffic monitoring of audio streams is best done by looking at the traffic coming from different domains.

I filtered on the last.fm domain by running a host to host report.  It made me realize that it can be tough to monitor radio streaming by looking for a specific host because each time you listen to a new song, the stream comes from a new unique host.

If you don’t have NetFlow or IPFIX capable router or switch, consider contacting a nprobe reseller. The nProbe or nBox is generally placed off of a spanned or mirrored port of the switch.

Although the 2nd trend looks like the 1st, notice the colors don’t change in the 1st trend.  Make sure your NetFlow and IPFIX reporting tool has a domain report.

Being a NetFlow and IPFIX reporting company, we have plenty of customers addressing this issue almost on a daily basis.  Some of the network acceptable use policy questions that come up include:

• What should this document contain?
• What warnings should be given out?
• Who should perform the monitoring?
• How will the traffic be monitored?

As many network administrators have learned, blocking sites often doesn’t work due to anonymous proxy sites and certain individuals (i.e. upper management) who request access to blocked sites.  This blog will give you some great ideas that you can use to update your existing policy.

What should this document contain
For schools, I feel the Network acceptable use policy at Chapel Hill put in several sentences that are important for most educational facilities:

• “The use of the University Network is a revocable privilege.”
  I think that sums it up quite nicely.   Network access is not a right!
• “Users agree to comply with this AUP and other applicable University policies which may be implemented from time to time, as well as all federal, state, and local laws and regulations.”
  This a great sentence because it basically says the school can change its mind at anytime and that it is the students responsibility to be aware of the changes.
• “Each User is expected to be considerate of the needs of other Users by making every reasonable effort not to impede the ability of others to use the University Network and show restraint in the consumption of shared resources.”
  In other words, don’t use tools like BitTorrent that allow you hog and steal bandwidth from others trying to use the same internet connection.
• “Users may not attempt to disguise their identity, the identity of their account or the machine that they are using.”
  This is another way of saying, don’t use anonymous proxies to hide who you are.
• “The University reserves the right to review and/or monitor any transmissions sent or received through the University Network.”
  Translation: we can and will monitor everything you do!

I suggest you read the whole thing as it also includes the basics regarding things like dissemination of pornography, unlawful communications (e.g. cyberstalking, obscentities, etc.).  Kudos to UNC.edu for a well written Network Acceptable use Policy.

Here is what shouldn’t be in your Network Acceptable Use Policy “The use of the network must be used for the purposes of furthering the mission of xxxx corporation.“ On the surface it sounds like an all encompassing good idea but, now we could be preventing people from emailing spouses and friends. Allowing employees to take care of a little personal business often allows them to stay focused on work, knowing that their personal life is in order.

Schools and companies should also review my post on monitoring social networking traffic as it covers what network users can and can’t do with these sites.  Users claiming “Freedom of Speech” doesn’t always work.  If you search the web you will come up with a Network acceptable use policy template that can be customized to meet your unique needs.

What Warnings should be given out
If you have ever dealt with our legal system, you know that you must have a paper trail prior to taking corrective action. UNC lays out what ‘may’ happen:
1. restricted access or loss of access to the University Network;
2. disciplinary actions against personnel and students associated with the University,
3. termination and/or expulsion from the University, and
4. civil and/or criminal liability.

Depending on the venue, the above may be bit too vague. Subjective consequences can lead to loop holes if an issue should escalate to litigation.  Some businesses or schools may want to consider something like the following:

• 1st Violation: verbal warning and notification to manager
• 2nd Violation: written warning and notification to manager
• 3rd Violation: written warning and notification to manager
• 4th Violation: termination

A clear escalation of consequences could avoid expensive legal fees.

Who Should Perform the Monitoring
In most organizations, the IT team does the monitoring.  In smaller companies the IT manager calls the individuals perpetrating the violation directly.  In larger organizations the violation and culprit details are sent off to HR and that is the last the IT team hears about it.  In one policy I read “Interpretation and enforcement of this Policy is the responsibility of the Chief Technical Officer (CTO).”

Whichever strategy is taken, confidentiality is important.  We don’t want to embarrass anyone especially if the evidence and our suspicious end up being wrong.  False accusations can lead to unwanted attrition.

How will the Traffic be Monitored
There are a several different approaches to monitoring what users are doing on the network.  Squid is a popular solution that can track and log internet activity however it lacks insight into internal traffic.  My preference of course is NetFlow or IPFIX collection and reporting.  Even though flow reporting provides limited details, we can still determine certain activities due to the behavior of the application in use even if the communication randomly chooses ports.

Cisco NBAR, SonicWALL Application Recognition, Exinda NBAR and other companies are now performing deep application inspection to correctly identify the actual application.  Even tough applications to identify such as Skype and BitTorrent can be detected with these new NetFlow and IPFIX technologies.

Determining web sites however is a problem with most NetFlow exports.  The DNS name of an IP address to determine the web site, can’t depended on in NetFlow Domain Reporting.  A typical Cisco router today does not have the ability to export URL details however, this may change in the future.  The nBox and SonicWALL appliances already export IPFIX with URL details which has been the coup de grâce for many network administrators looking for further details on filtered traffic.  With the URL, we can filter on domains reliably and then drill in to find out who is hitting them and causing the excessive traffic as well as how frequently.

Your network acceptable use policy probably already includes many of the above details.  Personally I’m a fan of not blocking anything and encouraging employees to be responsible with the companies internet connection and IT resources.  If the consequences are clear and enforced, most responsible people will play by the rules.

Why have Both?
ToS is an 8 bit field that includes DSCP which is a 6 bit field. This being said, I could not find a Flexible NetFlow document that would make reference to both however, I know Cisco sometimes supports both in the same export.

Be aware that Cisco NetFlow v5 and traditional NetFlow v9 only export ToS. I’m sure you are aware that FnF is an extension of NetFlow v9 and supports both ToS and / or DSCP depending on the implementation.

* Cisco NBAR (requires FnF) for example, it will export both ToS = ipClassOfService (5) and DSCP ipDiffServCodePoint (195). See below.

* Cisco Performance Monitoring for Medianets (requires FnF) for example, it only allows for the export of DSCP ipDiffServCodePoint (195).
* The nBox exports ToS (5) even when exporting IPFIX however, it may export DSCP (195). I need to check.

Why did this Happen?

Cisco is a big company. My guess is that communication doesn’t always occur on every field that an engineer wants to export. Lets hope it is easy for them to address. In the mean time, what can you do?

Look for a Flexible NetFlow Reporting  solution that supports reporting on either but, you need to be using our beta release. See below.

Join NetFlow Developments on Linkedin to stay on top of issues like this.

This new PF_RING 4.7.0 includes 10 Gbit DNA driver (Direct NIC Access) support at both RX and TX. This means low-end Linux servers can now manipulate packets at 10 Gbit wire speeds with the help of a 10Gbit ethernet card. With this speed you can process traffic as well as capture it at ease.

Luca Deri has tested this on a VM with only one core dedicated. Silicom displayed it’s support by providing Luca with the PE10G2SPi-SR Dual Port Fiber 10Gbit adapter card. You might be surprised at the results on ntop.org. Stay tuned for any further releases from ntop.

It probably depends on the network. Colleges and universities, for example, will likely be one of the areas where iCloud traffic will show up the most in network traffic monitoring practices. Although I’m not familiar yet with the transport layer port(s) that this technology will use, I’m sure we will be monitoring iCloud traffic with NetFlow or IPFIX by running reports on top domains. With our NetFlow traffic analyzer we can set global thresholds on individual iCloud data streams and trigger events for hosts transmitting excessive traffic to iCloud.com. We can then throttle iCloud traffic.

With iPhone market share currently at 25% and growing, other vendors like Blackberry could follow suit with their own ‘Blackcloud’ service. Who knows, but should this become a trend, iCloud network traffic volumes may become a serious concern. What can be done?

Beyond monitoring iCloud traffic, many hardware implementations export URL information with IPFIX, which may give us deeper insight into the nature of iCloud data. Even if connections use HTTPS, our NetFlow and IPFIX reporting tool will likely provide detail on the volume of iTouch Vs. iPhone traffic and allow administrators to disseminate deeper NetFlow details, such as MAC addresses and user names.

~ Jon Mills
Follow Me on Twitter

• Fields-   Example Data
• Client-   192.168.1.92
• Server-   www.ravica.com
• Protocol-   HTTPS
• Method-   GET
• URL-   /img/screenshots/nbox-m.jpg
• HTTPReturnCode-   200
• Location-   http://www.ravica.com/about/index.php
• Referer-   Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us)
• UserAgent-   AppleWebKit/533.21.1 (KHTML, like Gecko)
• ContentType-   Version/5.0.5 Safari/533.21.1 image/png
• Bytes-   76281
• BeginTime-   1307007397.970
• EndTime-   1307007398.624
• Flow Hash-   1142612386
• Cookie-   51510
• Terminator-   C
• ApplLatency-   0.159

A few things to keep in mind when using this for network traffic monitoring: This will only decode your traffic, so you need to have your own private key. Also, it is only available on Unix right now.

If you have questions on the above, please give us a call and we’ll have you get setup with your NetFlow collector.  This deep traffic insight will take your network traffic analysis to another level, but remember your netflow or IPFIX analyzer must be setup to report on this data.

Luckily for the rest of us, the NetFlow data that gets exported from the nBox is a little bit different. In addition to what NetFlow normally provides in network traffic details, nBox exports include email addresses, HTTP URLs, Latency, VoIP Jitter and more. There is one caveat; at this time, Scrutinizer NetFlow & sFlow Analyzer is the only NetFlow reporting tool that can properly display these extra data fields. So you will want to make sure to look into Plixer’s product offering to take advantage of these advanced features.

Michael Patterson of Plixer International and Luca Deri of nTop.org have devised an excellent whitepaper describing, in detail, the methods behind determining network latency using NetFlow from your nBox.

So, whether your slowness issues are caused by Application Latency, Client Delay or Server Delay, the combination of Scrutinizer and nBox can be a valuable suite for network administrators that need the extra visibility into application and network performance. In addition, these details can also be quite helpful when monitoring cloud services. Just ask any marketing or sales rep how frustrating it can be when their connection to Salesforce.com is crawling right along. Why waste hours troubleshooting a network issue that isn’t an issue with the network? Conversely, why should an application be blamed when it’s clearly database transactions are being poorly routed?

Let us know if you’ve had success with using nBox data to pinpoint slowdowns. We’d love to hear your stories!

~ Jon Mills
Follow Me On Twitter

VoIP Details include:

• SSRC
• Codec
• Jitter
• Packet Loss
• Caller ID
• Details on both RTP and SIP

Below are a few screen shots of these new reports, which are based on the nProbe’s IPFIX exports. IPFIX is the proposed standard for NetFlow.

If you are looking for an nProbe demo, give us a call. We can provide many of the above details on your Cisco medianet, as well using their new Performance Monitoring NetFlow exports.

~ Mike Allen

nProbe creator, Luca Deri, says in a recent blog post, “nProbe 6.3.x has been successfully tested against all the available implementations including Vermont, SiLK, nfdump/IPFIX (Cesnet). nProbe has passed all the IPFIX interoperability tests as both probe (over SCTP, UDP, and TCP) and collector (UDP), dissecting both IPv4 and IPv6 traffic, and also converting NetFlow-Lite flows into IPFIX flows.”

Above is a picture of Luca at the event. That’s him just right from the middle, between Benoit Claise from Cisco (a joint creator of NetFlow / IPFIX) and Jiri Novotni of Invea-Tech.

This news speaks volumes about the level of commitment that Luca and the rest of the nProbe team have made to complying with the various network performance monitoring standards in the industry.

Jon Mills
Follow Me On Twitter

Once you’ve completed the video, make sure to visit our friends at Plixer to learn more about configuring the Windows nProbe to send NetFlow.

Jon Mills
Follow Me on Twitter