nChronos FAQs

January 18th, 2012 | FAQs, nChronos | No Comments »

(1) I double-clicked the server icon on the desktop, but the web browser didn’t open the server administration page. Why?

Server administration is web-based. Double-clicking the desktop icon opens http://localhost in your web browser, which means the default port number is 80. If the administration page fails to load, it is because port 80 is already in use by another web application. In that case nChronos tries port 81 (incrementing by 1 at a time). So try this URL in your browser: http://localhost:81. If port 81 is unavailable, try 82.

(2) What’s the difference between Administration port and Communication port under Basic Settings?

The administration port is used for the web browser to open nChronos Administration portal pages. The communication port is open for nChronos console to connect to the server.

(3) Is the communication between nChronos server and nChronos console encrypted?

Yes, the connections between nChronos server and console are encrypted with a private encryption algorithm, which secures data transmission and minimizes the length of the data.

(4) I cannot connect to my nChronos server. What should I do?

First make sure the server is up and running, then check that you are using the same communication port number as specified on the server (port 3000 by default). Then check your account and password.

(5) I don’t see any statistics in the views except “Please select a time span on the trend chart.”

You need to click and drag on the trend chart to select a time slice. Once a time span is specified, the views show data for that time period only.

(6) How do I drill-down?

Please follow these steps to drill-down: check the items you need to drill-down in any view (except the Summary view) > right-click to open context menu > hover cursor on Drill Down > select a sub statistics type.

(7) I finished configuring the Email Options to alert me of anomalies, but I never get an email. Why?

This is because only email servers on port 25 are supported. Therefore, you need to make sure the mail server accepts connections on port 25, and that the port number is set to 25 in Alarm Options.

(8) How can I download the packets on nChronos server to my local host?

In any view, check the items whose packets you want to download, right-click and choose Download Packets from the context menu. Then specify a local folder and file name to save the packets, and click the Start button.

Note that it is not recommended to check too many items when downloading packets from a remote server, because the download may generate a large volume of traffic and take a long time.


nChronos Study Guide Chapter 8 – Download Packets & Built-in Analyzer

December 31st, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  1. The user interface and components of the stat view
  2. How to perform drill-down analysis among the views

Continuing our discussion of drill-down analysis: the conversation level (transport layer of OSI) is the deepest layer that nChronos goes to, and you may wonder what to do if we need to take one more step down to the packet level. So in this chapter we’ll see how to download the packets (remember that all packets are saved on the server) to a local file. Then we can use common network analysis tools to look into the packets.

Before we jump in, we need to understand that the packets are on the server, while we are probably using nChronos console on our laptop to view the traffic analysis stats. This means the server and console talk over the network or even the Internet. Given that the server may have been monitoring the network for a long time and there might be hundreds of gigabytes of packets stored on it, it is definitely not a good idea to download such a huge volume of packets to our laptop over the network. It could also be devastating to the server, because the job requires a lot of CPU power and dramatically affects analysis performance (don’t forget that while we download packets, the server is still capturing, analyzing and storing packets). We should pay attention to this even when the console and server are installed on the same machine.

Don’t worry, though: we can still use the packet download function. It’s just that we’d better not download a large number of packets. We should always use the drill-down feature to narrow down the time range, IP address count and packet count that we need to download to the desktop. For example, suppose we need to check all packets related to the email server between 23:00 and 23:15 yesterday. We first locate the time range, 23:00 – 23:15 last night, then go to the IP Address view and find the email server’s IP. Then we check the checkbox of this IP, right-click on it, and we have two options on the context menu: Download Packets and Analyze Packets.

Download Packets

Download Packets retrieves the packets of the checked items on the server and saves them to a packet file on our desktop. When we click the menu item, a new window shows the time range and filters, which are the conditions that narrow down the packet range. Then we select the file path and file name. nChronos can save the packets in two packet file formats: .rawpkt, the Colasoft packet format, and the popular Wireshark .pcap format. Lastly, click Start to begin downloading. Once the download is done, we can use analysis tools like Colasoft Capsa or Wireshark to load and analyze the packets.
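
An added example, not part of the original guide or of any Colasoft tool: once a .pcap file has been downloaded, the same narrowing by time range and IP address can be repeated locally. The Python code below reads the classic pcap format and keeps only Ethernet/IPv4 packets inside a time window that involve one address; the function names, the sample capture and the mail server address 10.0.0.25 are constructed for illustration.

```python
import socket
import struct
from datetime import datetime, timezone

# Classic pcap magic bytes -> (struct byte order, timestamp fractions per second)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
}
LINKTYPE_ETHERNET = 1


def ipv4_endpoints(frame):
    """Return (src, dst) as packed bytes for an IPv4-in-Ethernet frame, else ()."""
    if len(frame) < 14:
        return ()
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    # Skip 802.1Q / 802.1ad VLAN tags (4 bytes each) if present.
    while ethertype in (0x8100, 0x88A8) and len(frame) >= off + 6:
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    ip = frame[off + 2:]
    if ethertype != 0x0800 or len(ip) < 20:
        return ()
    return (ip[12:16], ip[16:20])


def slice_pcap(data, start_ts, end_ts, ip):
    """Keep records with start_ts <= time < end_ts that involve `ip`.

    Returns (pcap_bytes, kept, total). Timestamps are epoch seconds (UTC).
    """
    if len(data) < 24 or data[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng and .rawpkt are not handled)")
    endian, frac = PCAP_MAGICS[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    want = socket.inet_aton(ip)
    out = [data[:24]]                      # reuse the original global header
    kept = total = 0
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break                          # truncated last record (interrupted download)
        total += 1
        when = ts_sec + ts_frac / frac
        if start_ts <= when < end_ts and want in ipv4_endpoints(frame):
            out.append(data[pos:pos + 16 + incl_len])
            kept += 1
        pos += 16 + incl_len
    return b"".join(out), kept, total


def build_sample_pcap():
    """Constructed sample: five Ethernet/IPv4 frames around 23:00-23:15 UTC."""
    base = int(datetime(2011, 12, 30, 23, 0, tzinfo=timezone.utc).timestamp())

    def frame(src, dst):
        eth = b"\x00" * 12 + b"\x08\x00"
        iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        return eth + iph

    packets = [
        (base - 60, "10.0.0.5", "10.0.0.25"),    # mail server, before the window
        (base + 30, "10.0.0.5", "10.0.0.25"),    # mail server, inside
        (base + 400, "10.0.0.7", "10.0.0.9"),    # inside, unrelated hosts
        (base + 899, "10.0.0.25", "10.0.0.5"),   # mail server reply, inside
        (base + 900, "10.0.0.5", "10.0.0.25"),   # exactly at the end, excluded
    ]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, src, dst in packets:
        f = frame(src, dst)
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)


if __name__ == "__main__":
    start = datetime(2011, 12, 30, 23, 0, tzinfo=timezone.utc).timestamp()
    sliced, kept, total = slice_pcap(build_sample_pcap(), start, start + 900, "10.0.0.25")
    print(f"kept {kept} of {total} packets, {len(sliced)} bytes")
```

The returned bytes are themselves a valid classic pcap file and can be written to disk and opened in Wireshark or Capsa.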

Analyze Packets

Downloading packets to a local file and then running another analyzer to load the file takes too many clicks, don’t you think? nChronos console comes with a professional network analyzer provided by Colasoft, nChronos Network Analyzer, which is installed together with the console program. We save a lot of clicks if we use the Analyze Packets function. It automatically downloads the packets to nChronos Network Analyzer’s buffer and starts analyzing. It’s a powerful yet free analyzer with all the features that the commercial editions have.


nChronos Study Guide Chapter 7 – Analysis Views & Drill-down Analysis

December 30th, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  • What is trend chart and how to move trend chart
  • How to select a specific time span on trend chart

From the last chapter we understand that we first come to the trend chart and select a time range we are interested in. Then we get many types of traffic statistics in the analysis views below the trend chart. See the User Interface Introduction chapter for an introduction to each view. Each view has its own mission: to provide a specific type of statistics. For example, the IP Address tab lists the traffic statistics of all IP addresses for the time period selected on the trend chart. In this view, we can see the top talkers by traffic volume in bytes (sent/received) and packet count (sent/received), as well as their Geo location, etc.

Though the views provide different types of stats they have something in common, like short-cut buttons and context menus.

Short-cut Buttons

All views have some short-cut buttons above the column headers, each with different buttons. The functions of the short-cut buttons are listed below:

| Name | Function |
|---|---|
| Export | Save all statistic records into a csv file. |
| Drill-down | Drill-down to next level on your selected items. |
| Record rows | Set the number of the records to be displayed in the view. |
| Download packets | Download the packets related to your selected objects to a packet file. |
| Analyze packets | Retrieve packets from the server and download them to the built-in analyzer. |

Context Menu

If we right-click in the views, we will see a context menu with the following functions:

| Item | Function |
|---|---|
| Drill-down | Drill-down to next level on your selected items. |
| Columns | Show or hide columns in the view. |
| Copy | Copy the column text you right-clicked on to the clipboard. |
| Download packets | Download the packets related to your selected objects to a packet file. |
| Analyze packets | Retrieve packets from the server and download them to the built-in analyzer. |

Search Items with Keywords

By default only the first 1,000 statistic items are shown in the views, and sometimes a thousand items are still too many to find a specific item. Most of the views have a search box. We can simply type in a keyword to locate the item we want, no matter which column the keyword is in. For example, we can find an application by typing in its name, and only the applications containing that keyword will be displayed on the screen.

Manage Columns

When we select a time span on the trend chart, the statistic views retrieve columns of data for that time span from the server. We can sort, order and compare these statistics to help us analyze the network. We can also hide the columns that we don’t need. By default, only the necessary columns are displayed in the views and only the first 1,000 records are shown under the columns. There are some abbreviations and conventions used in the column headers. The list below describes all the column abbreviations and conventions:

| Abbr. | Description |
|---|---|
| Rx | Received |
| Tx | Transmitted |
| pps | Packets per second |
| bps | Bit per second |
| Bps | Bytes per second |
| In | Inbound (packets or bytes received from the Internet to a local host) |
| Out | Outbound (packets or bytes sent from a local network host to the Internet) |
| S/R | Sent/Received |
| I/O | Inbound/Outbound |

To hide or show a column, do one of the following:

  • Right-click on the column header area, and then check or uncheck column title.
  • Right-click on the statistic item in the view, and choose Columns > column title.

The statistic items are sortable. We can click on any column header to sort the items in descending or ascending order.

Drill-down Analysis

Now we’ve learnt the basic functions, buttons, context menus and other components of each view, and we can start our real analysis right away. Let’s go over the process of doing an analysis once again. First, we connect to an nChronos server and open a monitoring link. Then we set the time window for the trend chart, select a time period, and look down at the views.

First we come to the Summary view, which gives us overall stats of the time window (left side of the view). If we select a time period on the trend chart, the summary of the selection is shown on the right side of the Summary view. Then we can go to the other views and use them for drill-down analysis. For example, in the Application view there is a BitTorrent item, and we want to know which IPs had BitTorrent communications during the selected time period. We can double-click the BitTorrent protocol item, and a new sub-view shows on the right side. In the sub-view, we can see the IPs that were involved in the BitTorrent traffic. In this way, we can drill down to the conversation level (transport layer of OSI), which shows us the port numbers of the TCP and UDP conversations. This is the deepest level that nChronos can reach. What if we want to go down to packet-level analysis? We are going to talk about downloading packets from the nChronos server to our desktop in the next chapter.


nChronos Study Guide Chapter 6 – Move Trend Chart & Select Time Range

December 30th, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last chapter we learned:

  • What are the components of nChronos Console
  • The description and use of each statistic view

When we are familiar with the user interface of the console program we can move on and focus on how to use the program. The trend chart is the place where we start our journey. The biggest advantage of this retrospective network analysis product is that we can either have a long term or short term view on our network running status, and we can choose to look into a specific period of time.

By default the trend chart shows traffic stats of the past 4 minutes, and we can see the traffic utilization, packet count, and traffic volume of each second. If we change the window size to 10-day, each scale on the trend chart represents one hour, and the statistics are the sum of each hour. The bigger the window size, the more resources are required on the server to retrieve and analyze the statistic data.

Move Trend Chart

We can move the trend chart backwards or forwards to see traffic trends. To move the time on the trend chart, do one of the following:

  • Move the cursor to the bottom of the trend chart, where the cursor changes to a hand. Press and move left or right to slide the time window.
  • We can also manually specify an exact time range by clicking the icon in the upper left corner of the time window and entering an exact time value in either the start time or the end time textbox; the other one is worked out automatically.

The icon area has other icons as well. The First Time Window icon moves to the first time window, the Last Time Window icon moves to the last time window, and the Auto-refresh icon enables the trend chart to refresh automatically; click it again to cancel auto-refresh.

Select Time Span on Trend Chart

The trend chart shows stats of a set time length: 4-min, 20-min, up to 10-day. We can click and drag on the trend chart to specify a time period of any smaller size and take a closer look at the stats of that period. Once we select a time span on the trend chart, the views below the trend chart automatically retrieve the statistics for that period.

To select a time span:

  • Click and drag, back or forth, on the trend chart to specify a time span.

Besides, when a time span is selected, you can move the time span. To move the time span:

  • Move the cursor a little above the top area of the chart, where the cursor changes to a hand. Press and drag left or right to move the time span.

So now we understand the time concepts of trend chart and time span. The trend chart can show stats from 4 minutes to as long as 10 days. We can select a small portion of the time range on the trend chart, and the views below give us stats only for that selected time range.


nChronos Study Guide Chapter 5 – Console User Interface Introduction

December 29th, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Intended Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. How to connect to an nChronos server from console
  2. How to troubleshoot connection error issues

Before heading into this chapter, please make sure you’ve fully got the answers to these questions. If you have doubts about them, we recommend going back to take a look at the last chapter first, or you can turn to us for help on your specific case.

In this chapter we’ll take a look at the user interface of nChronos Console. nChronos Console is the component that we use to view network analysis stats, perform drill-down analysis and manage server settings, etc. So we use nChronos Console more often than the server program. When we run the console program, we first come to the Start Page, where we can find the latest official news, product documents, learning resources and contact info. If we add a server connection (more details in the last chapter) in the Server Explorer (left-side panel), we can connect to the server, which opens the stats view. The view contains a trend chart and several stats views.

Packet File Explorer

In the last chapter we learnt what Server Explorer is. If you look below this panel, you will find something called Packet File Explorer. This is another important function: besides monitoring real-time traffic traveling through your network via nChronos server, nChronos console can analyze packet files (also known as trace files). nChronos console can open the packet files generated by Colasoft’s portable network analyzer, Colasoft Capsa (as well as the packets downloaded from nChronos Server), and .cap and .pcap files from Wireshark. This is useful when we have a large packet file and only need to concentrate on part of it. We use nChronos console to open the file, lock onto the specific time period and analyze the packets of that period.

This means we can analyze traffic either from real-time capture or from packet files, and we analyze both in the same way with the views described below.

The Trend Chart (Time Window)

The trend chart and the time window are the same thing. With the trend chart, we have a graphical view of traffic trends. It helps us identify when the traffic drops and when it climbs more visually than numbers alone, and then we can focus on the abnormal time period to see closely what happened during that period. So it’s often the starting point of our retrospective and drill-down analysis. By default, the time window shows the traffic trend of the past four minutes. When we change or move the time window, the chart refreshes automatically. We can zoom in to a time unit of one second and zoom out to one hour, which means that with a 4-minute time window we can view traffic stats of every second, while a 10-day window shows stats of each hour.

If we are interested in a specific time period, we can click and drag to select a time span on the trend chart to view traffic statistics of that period. Once a time span is selected on the trend chart, the views below display only the statistics of that time period, which helps us focus on that small slice of time. For example, suppose it is reported that users could not access the webserver from about 7:00 AM to 7:15 AM, and we need to figure out the cause of this downtime. We can connect to the nChronos server, rewind to the time window of that period, and select the time period between 7:00 and 7:15. The views will refresh to show the traffic statistics of those 15 minutes. Next we can use the drill-down feature to focus on the webserver address, and check whether its data link layer, Internet layer, and TCP transports are stable.

Statistic Views

There are several views below the trend chart which display types of statistics in different tabs. They work together with trend charts and time span selection to reduce statistic data volumes and let us focus on analyzing and drill-down to look into network issues. The views are described below:

  1. Summary view: overall summary statistics of alarms, total traffic, inbound traffic, outbound traffic, IP and non-IP traffic and TCP packets statistics. If you select a time span on the trend chart, the summary statistics of this time span are displayed on the right side.
  2. Application view: traffic statistics of network applications, such as TCP, HTTP, POP3, etc.
  3. IP Address view: traffic statistics based on every IP address, including bytes, packets, pps, etc.
  4. Physical Address view: traffic statistics based on every MAC address, including bytes, packets, pps, etc.
  5. IP Conversation view: traffic statistics on IP address pairs. You can know which nodes are communicating and their connection statistics.
  6. Physical Conversation view: traffic statistics on MAC address pairs.
  7. TCP Conversation view: statistics, on the transport layer, of the IP addresses and ports, including packets sent and received, conversation duration, Bps etc.
  8. UDP Conversation view: statistics for UDP, another important transport layer protocol, by IP addresses and ports, including packets sent and received, conversation duration, Bps etc.
  9. Alarm Log view: the log records of alarm triggers and releases.

The views mentioned above, except the Summary view, display records only when you select a time span on the trend chart. When you change the time span selection, the statistics in the views refresh automatically. You can select records in the views and right-click to choose drill-down analysis; in this way you can focus on specific network objects and find the source of what you are looking for.

So far, we can see that the nChronos console user interface is clear and simple to understand. The Free and commercial editions have the same look, and we are going to talk about how to use the console program in the next chapter.


nChronos Study Guide Chapter 4 – Connect to nChronos Server from Console

December 28th, 2011 | Study Guide | Comments Off

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. What is Network Link on nChronos Server
  2. How to start a link monitoring mission

Before heading into this chapter, please make sure you’ve fully got the answers to these questions. If you have doubts about them, we recommend going back to take a look at the last chapter first, or you can turn to us for help on your specific case.

From this chapter on we’ll move our focus to the nChronos Console program, because the server’s mission is to monitor and analyze the traffic and we don’t need to change its settings often. nChronos console is the software component that we use to view the analysis statistics and conduct in-depth analysis, etc. nChronos console is able to interact with the server, such as retrieving analysis stats from the server and sending operation commands to manage the server.

nChronos Server Network Connection Setup

We can install nChronos Console and Server software on the same machine if we just want to know how they work. But that’s not how they are designed to be used if we want to make the most of their remote and distributed advantages. If we install them on different machines, we need to make sure they can communicate with each other smoothly.

  1. Both the server and console machines can communicate on the network. Note that if you use nChronos server to capture packets from a switch’s mirror port, your server might not be able to communicate on the network. If that’s the case you need to add an additional network card and connect it to a normal port of the switch to communicate with nChronos console.
  2. The firewall on the server needs to open the TCP port that the console uses to connect to the server. The default port number is TCP 3000.

Then we can use nChronos console to try our first connection to nChronos server. Run nChronos Console and follow the instructions below to establish a connection with the server.

  1. Double-click nChronos Console icon on the desktop to run the program.
  2. Click Click to add server link on the left-side Server Explorer panel.
  3. Enter the IP address of the nChronos server.
  4. Enter port number.
  5. Enter account name and password. This user name and password can be the ones you use to log in to the server’s administration portal. It’s the admin account.
  6. Enter a label for this server (can be ignored) and click Save.
  7. Double-click the server name or right-click and choose Connect from the context menu on the Server Explorer.
  8. Double-click the network link name to view analysis statistic on the right panel.

If we’ve followed nChronos Server Network Connection Setup to make sure the server is connected to the network, we should be able to connect to the server successfully. But if an error occurs while trying to connect to the server, we can take the following steps to troubleshoot the connectivity.

  1. Username or password error: this means the server can be reached but the account isn’t correct for login. We should check the entries of step #4 and #5.
  2. Unable to connect to the server: check the IP address entry in step #3 and retry. If it fails, try a PING test to see if your machine is able to talk to the server. Then check the firewall setup of the server machine.
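
The troubleshooting steps above, together with FAQ (1) and FAQ (4), as an added Python example (not part of the original guide and not nChronos code): it tells a closed port apart from an unanswered one on the communication port, and walks the administration ports 80, 81, 82. The function names and the `marker` string used to recognize the administration portal are assumptions.

```python
import http.client
import socket

# Defaults stated on this page: the administration portal starts at port 80
# and moves up one port at a time; the console communication port is 3000.
ADMIN_PORT_CANDIDATES = (80, 81, 82)
COMM_PORT_DEFAULT = 3000


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"       # host answered, but nothing listens on the port
    except OSError:
        return "filtered"      # no answer: firewall drop, routing, or host down


def find_admin_port(host, candidates=ADMIN_PORT_CANDIDATES,
                    marker=b"nChronos", timeout=2.0):
    """Return the first candidate port whose start page contains `marker`.

    `marker` is an assumption: the guide does not say what the portal's HTML
    contains, so set it to a string visible on your own administration page.
    """
    for port in candidates:
        if probe_tcp(host, port, timeout) != "open":
            continue
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", "/")
            body = conn.getresponse().read(65536)
        except (OSError, http.client.HTTPException):
            continue           # port is open but does not answer HTTP
        finally:
            conn.close()
        if marker in body:
            return port        # another web application would lack the marker
    return None


def diagnose_console_connection(host, port=COMM_PORT_DEFAULT, timeout=2.0):
    """Map the TCP result onto the troubleshooting steps in this chapter."""
    state = probe_tcp(host, port, timeout)
    if state == "open":
        return "port reachable: if login still fails, check account name and password"
    if state == "refused":
        return ("host reachable, port closed: check that the server is running "
                "and that the port number matches the server's Basic Settings")
    return "no reply: run a PING test, then check the firewall on the server machine"


if __name__ == "__main__":
    host = "127.0.0.1"         # placeholder: replace with your server's address
    print("administration port:", find_admin_port(host))
    print("console port:", diagnose_console_connection(host))
```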

Connect to nChronos Server from the Internet

Sometimes we also need to connect to the server from the Internet. For example, there is an nChronos server deployed in your network, and you want to check your network status from home. We know we can’t access a private IP address from the Internet, so we can use our preferred method to access the nChronos server from the Internet: a VPN connection, assigning the server a public IP address, and so on. If you still have issues connecting to your nChronos server, please feel free to contact our support or leave a comment below.


nChronos Study Guide Chapter 3 – Start Monitoring Session

December 27th, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learned:

  1. What are the components of Colasoft nChronos
  2. How and where to install nChronos Server and Console software
  3. How to initialize nChronos Server
  4. How to login and activate nChronos Server

Before heading into this chapter, please make sure you’ve fully got the answers to these questions. If you have doubts about them, we recommend going back to take a look at the last chapter first, or you can turn to us for help on your specific case.

In this chapter we’ll learn how to start a monitoring mission. First we should take a look at this term: Network Link. A network link is defined as a logical link which collects network packets from one or multiple NICs and then analyzes all of them. If that’s hard to understand, we can simply think of a network link as a Project. Capabilities depend on the edition: higher editions enable you to use one nChronos server to monitor traffic from multiple NICs in one link, while basic editions (such as nChronos Free) only support capturing traffic from a single NIC. This means you can’t use nChronos Free to capture both inbound and outbound traffic on a normal 4-port network tap, because such a tap has two monitor ports, one for inbound packets and another for outbound. Now let’s see how to create a network link to start an analysis mission.

  1. Click Network Link on the left panel.
  2. Click Add New Link button on the right side.
  3. Enter link name, such as Core Switch.
  4. Choose the traffic source type (where to capture traffic). If nChronos server is connected to a standard tap, you’ll need two NICs to separately capture the inbound and outbound packets from the two monitor ports of the tap. But to capture from an aggregation tap or a switch’s SPAN, we need only one capture NIC. Note that this does not count the NIC that we’ll use if we want to connect to the server remotely with nChronos Console, which requires an additional NIC.
  5. Click Next, and select the adapters that we want to use for packet capture.
  6. Check the Calculate inbound & outbound traffic volume option. With this option checked, we can see the inbound and outbound statistics on the charts of nChronos console; otherwise, we only get total utilization or output there. So we should always keep this option checked.
  7. Enter the IP segment value to identify your Intranet IP addresses. This textbox helps nChronos server identify which IPs are our local hosts and which traffic is internal traffic. IPs not included in our input will be recognized as foreign hosts.
  8. Check Calculate inbound & outbound utilization. This option has almost the same meaning as the option in item 6. We’d better keep it checked too.
  9. Enter Inbound Bandwidth and Outbound Bandwidth. If we want to see the bandwidth chart on nChronos console, we need to define what our inbound and outbound bandwidths are. For example, in our 1,000M LAN, we have both a 1,000 Mbps uplink and a 1,000 Mbps downlink, so we input 1000 in both textboxes. Be careful with these values, because the utilization that nChronos works out is based on them. If it’s a 100 Mbps network and we mistype 1000, the utilization will be 10 times smaller than it should be.
  10. Click Save to finish settings.
  11. The last step, click Start button to start the link monitoring session.
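
To see how the settings in steps 7 and 9 shape the numbers shown on the console, here is an added Python example (not nChronos code; how nChronos computes these values internally is an assumption). It classifies traffic against the configured intranet segments and shows the effect of a mistyped bandwidth and of a missing segment; the addresses and byte counts are constructed.

```python
import ipaddress


def direction(src, dst, intranet):
    """Classify one packet relative to the configured intranet segments."""
    src_local = any(ipaddress.ip_address(src) in net for net in intranet)
    dst_local = any(ipaddress.ip_address(dst) in net for net in intranet)
    if src_local and dst_local:
        return "internal"
    if dst_local:
        return "inbound"       # foreign host -> local host
    if src_local:
        return "outbound"      # local host -> foreign host
    return "foreign"           # neither end is in a configured segment


def link_utilization(packets, segments, seconds, in_mbps, out_mbps):
    """Sum bytes per direction and express them as % of configured bandwidth.

    packets:  iterable of (src_ip, dst_ip, byte_count)
    segments: intranet IP segments as entered in step 7, e.g. "192.168.1.0/24"
    in_mbps / out_mbps: the bandwidth values entered in step 9
    """
    nets = [ipaddress.ip_network(s) for s in segments]
    volume = {"inbound": 0, "outbound": 0, "internal": 0, "foreign": 0}
    for src, dst, nbytes in packets:
        volume[direction(src, dst, nets)] += nbytes

    def pct(nbytes, mbps):
        return 100.0 * (nbytes * 8 / seconds) / (mbps * 1_000_000)

    return {
        "volume": volume,
        "inbound_pct": pct(volume["inbound"], in_mbps),
        "outbound_pct": pct(volume["outbound"], out_mbps),
    }


# Constructed sample: byte totals observed during one second on a 100 Mbps link.
SAMPLE = [
    ("203.0.113.10", "192.168.1.20", 6_250_000),   # Internet -> local host
    ("192.168.1.20", "203.0.113.10", 1_250_000),   # local host -> Internet
    ("192.168.1.20", "192.168.2.30", 2_500_000),   # local host -> local host
]
BOTH_SEGMENTS = ["192.168.1.0/24", "192.168.2.0/24"]

if __name__ == "__main__":
    correct = link_utilization(SAMPLE, BOTH_SEGMENTS, 1, 100, 100)
    mistyped = link_utilization(SAMPLE, BOTH_SEGMENTS, 1, 1000, 1000)
    missing = link_utilization(SAMPLE, ["192.168.1.0/24"], 1, 100, 100)
    print("correct settings :", correct["inbound_pct"], correct["outbound_pct"])
    print("bandwidth = 1000 :", mistyped["inbound_pct"], mistyped["outbound_pct"])
    print("segment omitted  :", missing["outbound_pct"], missing["volume"])
```

With the second segment left out, the local-to-local flow is counted as outbound, so outbound utilization rises from 10% to 30% without any change in the traffic itself.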

Now the link is running and capturing packets from the NIC we chose. Every captured packet is analyzed and stored to hard disk, and the analysis statistics are also saved on the server. We can now close the web browser; the monitoring mission will run continuously, and there is no need to worry that the capture will stop accidentally, because nChronos server automatically recovers when it finds that a link has gone down abnormally. Even after the server is rebooted, nChronos server automatically recovers and continues packet capture.


nChronos Study Guide Chapter 2 – Install, Initialize & Activate Colasoft nChronos

December 26th, 2011 | Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Target Audience:

  • nChronos Standard users (including Evaluation users)
  • nChronos Free users

In the last tutorial we learnt:

  • How to get Colasoft nChronos download link and Serial Number (Commercial and Evaluation/Free users)
  • What are the system requirements for Colasoft nChronos
  • On which device should we connect nChronos Server to capture network packets on the network

Before heading into this chapter, please make sure you’ve fully got the answers to these questions. If not, we recommend going back to take another look at the last chapter, or you can turn to us for help on your specific case.

Install nChronos Server & Console Software

We are glad to see that you’ve decided to deploy nChronos on your network and give it a try. The installation process is as simple as for any other software. As you know, nChronos consists of two components, nChronos Server and nChronos Console, so it’s best to install them on different machines to get its full potential (why? See the last chapter for answers).

The nChronos Server program is a stand-alone component for packet capturing and analysis, so we’ll install this program first. It’s as simple as installing any other software: read the license, choose a folder, and click the OK buttons all the way to the finish.

Then install nChronos Console software as usual on another machine.

Initialize nChronos Server

The server doesn't have a software interface; it can only be accessed and managed with a web browser. The next step is to initialize the server program. To do so, double-click the server icon on the desktop, which opens the web browser. If it leads to an error page in your web browser, please see FAQ #1. Initializing the server software takes three steps.

Step 1 Create Administrator Account

This step sets up an administrator account for the server. Keep your password secure, so that you don't lose it and so that nobody else can use it to make changes on your server.

Step 2 Basic Settings

The first part is to set two port numbers. nChronos Server runs a web service that lets you manage it with a web browser, and it also interacts with nChronos Console. So it has two separate ports: a web browser goes through the server management port to manage and configure the service, and nChronos Console talks to the server through the Console communication port. If you have no special requirements, it is best to keep the default port numbers.

The second part is to choose the hard disk drives that store the packet data and the statistics data. When we start monitoring a link in nChronos Server, it saves the packets, analyzes them at the same time, and finally saves the analysis statistics to hard disk. The packet data requires more free space than the statistics data, and in a heavily loaded network we suggest using RAID to store the packets (if you are using nChronos Free, adding a 2TB hard drive is enough). The statistics data requires at least 5GB of free space and the packet data requires a minimum of 10GB.

Important notice: we suggest not storing these two types of data on the same physical hard drive (not just separate logical volumes). nChronos server writes both types of data to disk at the same time, so keeping them on the same hard drive dramatically reduces write performance, which results in packet loss and insufficient analysis performance.

Step 3 Finish

This step doesn't actually require you to do anything. Just check the previous settings and click the Done button if they are all correct. The server program will automatically restart when you click the Done button.

Login and Activate nChronos Server

If everything goes well, we arrive at the server administration portal login screen; log in with the user name and password. Because the browser talks to the server over standard HTTP, for the security of the server we recommend not accessing the server administration portal from other machines over the network, especially over the Internet.
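One way to check how far that recommendation holds on a given server, as an added example (not Colasoft code): parse `netstat -an` output and report listeners on the administration and communication ports that are bound to non-loopback addresses, plus any established admin sessions from another machine. The port numbers are the defaults named in the FAQ (80 with the 81/82 fallback, and 3000), the script assumes nChronos owns those ports, and the netstat lines are constructed.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:80        192.168.1.77:50312     ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
"""

ADMIN_PORTS = {80, 81, 82}   # default 80, with the 81/82 fallback from FAQ #1
CONSOLE_PORT = 3000          # default communication port from FAQ #4

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")

def _ip(text):
    """Parse an address as netstat prints it ([::] brackets, %scope suffix)."""
    return ipaddress.ip_address(text.strip("[]").split("%")[0])

def audit(netstat_text):
    """Return (exposed_listeners, remote_admin_sessions).

    exposed_listeners: (role, local_addr, port) bound beyond loopback.
    The console listener is expected to be reachable by the Console machine;
    the admin listener is the one carrying credentials over plain HTTP.
    remote_admin_sessions: (remote_addr, port) for non-local admin clients.
    """
    exposed, remote = [], []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, _rport, state = m.groups()
        lport = int(lport)
        if lport not in ADMIN_PORTS and lport != CONSOLE_PORT:
            continue
        role = "admin" if lport in ADMIN_PORTS else "console"
        if state == "LISTENING" and not _ip(laddr).is_loopback:
            exposed.append((role, laddr, lport))
        elif state == "ESTABLISHED" and role == "admin" and not _ip(raddr).is_loopback:
            remote.append((raddr, lport))
    return exposed, remote

if __name__ == "__main__":
    print(audit(SAMPLE_NETSTAT))
```

An admin listener on `0.0.0.0` or `[::]` is reachable from the network unless a host firewall rule limits that port to local access.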

Now we are logged in to the server administration portal, and since this is the first installation we need to activate the system. All editions of nChronos (including nChronos Free) require activation before we can actually use the program to monitor network traffic. Only the server program requires activation; the console doesn't. If we use nChronos Console to connect to an nChronos Server that has not been activated, we see an error message noting that the server isn't activated. We need a serial number to activate the server program (where to get serial number?).

Now go to System Information (on the left panel) > Activate. Read the Privacy Statement and click Next. Then enter your serial number. Here you have two choices for activating nChronos Server: over the Internet, or manual offline activation.

  • Activate product over the Internet (recommended): It is very quick and easy; the activation process takes only a few seconds and a couple of clicks. We recommend this method if you have Internet access.
  • Activate by fax or email: If you choose to activate the product manually, it will take more time to finish. Please send us the Serial Number and Machine Number via email or fax. After receiving your request, we will get back to you with an Activation Number. Enter the Activation Number into the textbox as required; your product will be activated immediately.

Activation Errors

If you meet any errors when activating nChronos Server, you get an error code. You can contact our support by emailing support@colasoft.com.


5 Free NetFlow Analyzer Tools for Windows

December 23rd, 2011 | Network analysis techniques | No Comments »

If you’ve ever experienced the frustration of trying to identify exactly which workstation is clogging up your network with torrent downloads, then examining NetFlow data on your network could help you out. NetFlow can help admins find out exactly what kind of traffic is on the network, and who is consuming all your precious bandwidth.

We’ve pulled together a few free tools that collect and analyze NetFlow data. We’ve tried to find tools that are truly free, and not just time-limited evaluation versions. Though not time-limited, most of the tools are feature-limited versions of products from the software makers. Don’t let that discourage you though. All of these software packages are well worth downloading, even with the limitations.

But before we get to the tools, a brief overview of NetFlow is in order.

What is NetFlow/J-Flow/sFlow?

NetFlow data is generated by network devices like routers and firewalls. Flow data will generally contain details like source and destination IP addresses, port numbers, protocols, and more.

The term “NetFlow” is proprietary to Cisco, but other vendors have their own versions of “Flow.” For instance, Juniper calls it “J-Flow”, and several vendors, including HP and Fortinet, use “sFlow.”

Implementation details vary from vendor to vendor, but most flavors of xFlow produce the same sort of data. In this article, we’ll refer to all xFlow variants as NetFlow to keep things simple, but be aware that not all tools support the same flavors of Flow.

How to Enable NetFlow

Before you can use one of the free flow analyzers, NetFlow must be enabled on the devices you want to monitor. Don't worry, it's not hard. The steps for enabling NetFlow vary from device to device, and there's a wealth of information on the web to get you started.

For Cisco devices, start with the Cisco Netflow Configuration Guide.

Other vendors, like Juniper, usually have their own configuration resources too.

And, most of the vendors below have much more concise sets of instructions – for instance Solarwinds, Plixer, ManageEngine and PRTG all have useful guides to help you out.

Now, on to the free tools!

Free NetFlow Tool #1: ManageEngine NetFlow Analyzer Professional

ManageEngine offers a full-featured, free version of their NetFlow Analyzer Professional software. The free version displays detailed source/destination data, as well as ports used, and applications detected. It also generates helpful charts that make it easy to visualize the data.

Limitations: Monitors only two interfaces. For the first 30 days, however, it can monitor unlimited interfaces.

Download ManageEngine NetFlow Analyzer

Free NetFlow Tool #2: SolarWinds NetFlow Traffic Analyzer

The SolarWinds NetFlow Traffic Analyzer is another great tool from a company with a history of making reliable network monitoring software. Data can be sorted, displayed, and charted in different ways – such as conversations, and endpoints.

Limitations: Monitors only a single NetFlow interface, and keeps 60 minutes' worth of data.

Download SolarWinds Netflow Traffic Analyzer

Free NetFlow Tool #3: ntop

“ntop” is an open-source NetFlow analyzer and packet capture product. It took a little more effort to get up and running than some of the other software, but it is a great open-source alternative. The data is analyzed and presented in a clear and logical way, even though it doesn’t have all the visual bells and whistles of some other products.

Limitations: None if you download and compile it yourself – source code can compile on Linux or Windows. But if you want an executable binary file, then you’re limited to capturing 2000 packets, unless you register (erm, donate).

Download ntop

Free NetFlow Tool #4: Paessler PRTG

PRTG is a full network monitoring system. The free version includes a NetFlow sensor, in addition to many other features like reporting, alarming, and SNMP monitoring. The free version can monitor up to 10 sensors at no cost.

Paessler also makes some useful NetFlow testing tools available, like the NetFlow tester, and NetFlow Generator.

Limitations: Limited to 10 sensors (or 20 if you display the PRTG graphic on your website)

Download Paessler PRTG

Free NetFlow Tool #5: Plixer International Scrutinizer NetFlow and sFlow Analyzer

Scrutinizer is another comprehensive NetFlow analyzer. The download was surprisingly large: a hefty 322 MB compared to 44 MB for PRTG and a lightweight 20 MB for SolarWinds. There were numerous tutorials and videos included in the product, so that could have been part of the reason for the bulk. But it is also a very comprehensive tool that provides detailed traffic analysis.

Limitations: Provides only 24 hours' worth of data. Unlimited data and more advanced reporting and alarming are available with the add-on “Flow Analytics” package.

Download Plixer Scrutinizer NetFlow & sFlow Analyzer

We tried out all of these products, and were impressed by each and every one. If you’re looking for a way to manage your bandwidth more efficiently, then enable NetFlow on your network and download one of these analyzers. It’s worth it even if only to have a close peek into what kind of data really is flowing over your network.


nChronos Study Guide Chapter 1 – Prepare to Install Colasoft nChronos

December 22nd, 2011 | nChronos, Study Guide | No Comments »

Product Version: Colasoft nChronos 3.0

Target Audience:

  1. nChronos Standard edition users (including Evaluation users)
  2. nChronos Free edition users

Welcome to the first chapter. Before we start learning how to use this powerful program, we'll first discuss in detail the basics we need before we can deploy the system on our network: how to get the installation files and serial number, what the hardware and software requirements are, and most importantly, where to deploy the system in order to capture all network packets (or the packets we are interested in) on the network.

Get Installation Files and Serial Number

First let’s start with how to get the installation package and the serial number that we use to activate the program. nChronos has two editions, Standard edition and Free edition. The Standard edition is a commercial edition, so a commercial customer always evaluates the product first as an evaluation user. Let’s see how different users get their installation files and serial number.

  1. Commercial customers: after your purchase, you’ll receive an email containing the software download links (for both server and console software) and the serial number that you’ll use to activate the server. (If you’ve installed the server program on your server for testing purposes and upgrade to the commercial edition, you DON’T need to reinstall the server or console programs; just use the commercial serial number to activate the server program once again.)
  2. Evaluation Users: if you want to evaluate the Standard edition before purchasing a commercial edition, you can apply for an evaluation. Fill in the application form to apply for an evaluation, and the download link and serial number will be sent to your email box in a confirmation email.
  3. Free Users: the same as Evaluation users, you need to use the application form to register a free serial number, and the download link and free serial number will be sent to your email box. (If you’ve downloaded the installation files from other download sites, you still need to use this application form to get a free serial number.)

Didn’t receive a confirmation email? Evaluation and free users who do not receive the confirmation email should 1) try again with the application form, 2) try with a different email address, and 3) report to our support by emailing support@colasoft.com.

Prepare Server & Console Machines

OK, now the installation files and serial numbers are ready. Let’s see what hardware and software we need. First we talk about hardware. Colasoft nChronos is able to capture packets in a heavily loaded 1,000 Mbps network environment. Unlike other products of this kind (which always come with a hardware box), Colasoft nChronos consists only of two software programs (nChronos Server and nChronos Console), so you need to prepare the hardware yourself to get them up and running. In a final deployment environment, a high-performance server machine and mass storage hard drives (RAID) are required. Two machines are required, one for nChronos Server and another for nChronos Console (the console doesn’t require a powerful machine; an average laptop or desktop is enough). Read the pages below to learn the system requirements for the different editions.

  1. Standard edition: System Requirements
  2. Free edition: System Requirements

As you can see, the Standard edition supports up to 16TB of data storage, so you’ll need to set up RAID for data storage.

“Wait, I don’t have competitive hardware, and I don’t want to invest in new hardware right now before I purchase it.” Just want to test nChronos or use the Free edition right now? Of course you can test the system on any of your machines. If you only want to monitor your Internet usage, the bandwidth load isn’t heavy and nChronos can handle it without a problem. The hardware suggested on the system requirements pages is designed for the full load of 1000Mbps, and most companies don’t use the full bandwidth. So just try any machine you like.

Can I install the nChronos Server and Console programs on the same machine? It’s acceptable, just not recommended. The server program requires a lot of system resources to capture and analyze packets, and running the console program on the server machine takes additional resources. In short, it depends on your traffic volume and your performance requirements.

Decide Where to Capture Packets

Let’s cover some basics of packet analysis. In brief, Colasoft nChronos captures packets from a NIC (the packets arrive over the connected cable) and analyzes them to show you what the machines are transmitting. All this work is done without the monitored hosts on your network noticing. Capturing all packets is the first step to understanding your network communication pattern, and you need to capture on the right device, because you can’t just install nChronos Server on a system like other software and then capture packets from other machines.

Please move on to – Capture Environment Setup – which illustrates several network settings to show you which networking device you should connect nChronos Server to so that you get all packets to and from the Internet. If you have a different type of network setting, please contact our support for guidance or leave a comment below.

Recommended Readings:

Packet sniffing basics: If you want to know more about how the networking devices work (promiscuous mode, hub, managed switch, network tap, etc.), please read – Where to Capture Packet on a Network.
