Overview:

RzKFlow is a network analysis and reporting tool. It collects and processes IP flow records reported from routers or switches with NetFlow version 5 support. RzKFlow reduces the volume of NetFlow data through aggregation and stores data in web pages and/or CSV files. RzKFlow calculates communication matrices of IP-addresses, IP-addresses with IP-services, router hardware interfaces and autonomous systems.

Service providers may utilize this information for accounting and billing purposes. Enterprise customers may utilize the information for departmental chargeback or cost allocation for resource utilization.

System requirements:

RzKFlow is 32-bit software for Windows 9x/Me, Windows NT, Windows 2000 and Windows XP. The software needs a network board with an NDIS interface.


Installation:

  1. Execute the Setup program from the installation disk and follow the instructions. You don't have to reboot after the installation.
  2. Start RzKFlow.
  3. Select an NDIS interface (a network card) to receive flow records from.

Uninstallation:

Close the application if it is currently running. Click the Windows "Start" button, and select "Settings", then "Control Panel". Double-click the "Add/Remove Programs" item. Proceed by double-clicking the line corresponding to RzKFlow and follow the instructions. Note that some files (i.e. the ini file) are created by the application and will not be deleted, for your convenience, in case you wish to refer to them at a later date. Delete these files manually if you do not want them.


Licence:

If you want to use RzKFlow for permanent processing of NetFlow data, you will have to purchase a licence from RzK. The software checks for the existence of a licence file on startup. If you have already purchased a licence, you will find the licence file on your installation disk (file RZKFLOW.SNP or NCW.SNP).

There are three ways to activate the licence code:

  1. Use the menu item "licence -> licence from file" and choose the directory with the .SNP licence file in the following file dialog box.
  2. If you have your licence code in another file from which you can paste the licence information to the clipboard, you can use the menu item "licence -> new licence from clipboard" to activate the licence.
  3. Simply copy the .SNP licence file to the program directory before starting RzKFlow.

The licence determines the number of flows the software will be able to process simultaneously and the maximum size of the communication matrices to store. Upgrading to a higher licence is always possible by only paying the price difference.

If no licence is found, RzKFlow will stop sampling data after 20 minutes and you have to restart the sampling process manually.

Configuration / Getting started:

Procedure:

1. RzKFlow uses the RzK NDIS interface to receive flow records. If you have installed more than one NDIS interface in your PC, you first have to choose the appropriate interface (Menu: File -> Network Configuration). It is not possible to use a dial-up network interface.

2. RzKFlow can listen to all or only to selected routers or switches sending NetFlow data. Please open the configuration menu (Menu: File -> Configuration) and select the register card Filter.

The easiest way is to tell RzKFlow to "learn" all NetFlow clients automatically. If a NetFlow packet from a router or switch is received, the source IP address of that device is inserted into the list of clients. If you want RzKFlow to monitor only specified NetFlow agents, then you have to uncheck the auto-learn function and insert the client IP address(es) manually by editing the address and then inserting it with the button.

3. RzKFlow can ignore the UDP port used in the NetFlow packets, or it can accept only packets with a specified UDP port. In the first case the different clients sending NetFlow data to RzKFlow can use different ports.

If you know the port number which you have configured with the "ip flow-export [ip-address] [port]" command on your router(s) or switch(es), you can select "specify UDP-Port" and enter the port number:

4. Select the various types of communication matrices RzKFlow should gather and save:

RzKFlow is able to calculate communication matrices for

For the (IP-Address <-> IP-Address) and for the (IP-Address+Service <-> IP-Address+Service) matrix you can select whether one or both IP addresses should be reduced to the network part of the address. This leads to smaller communication matrices because only one entry per Class A, B or C network is made and not one for each address.

5. RzKFlow collects and aggregates flow data on two time bases:

  1. for user definable time intervals
  2. for days.

Please choose the length of the time interval. You can choose whether RzKFlow should save the daily communication matrices after each time interval or only once at the end of the day.

6. Decide whether you want to save data as HTML pages or CSV files:

7. Close the configuration menu and begin gathering NetFlow data by pressing the start-button.

If you have received the first NetFlow record (visible in the middle of the main screen) you can open the online view of the communication matrices by pressing the button.

NetFlow communication matrix (online view):

The combo box in the upper left corner lets you select the router or switch which has sent the NetFlow data.

If the checkbox "automatic update" is checked the display will be refreshed for each new NetFlow packet received.  This is only useful if the communication matrix is small.

Short explanation of grid contents:
The first four columns show the IP addresses and UDP ports which define the flow. The interface is the number of the port to which the computer with the IP address is connected. The small arrows indicate the direction of the transmission. So the first row means: 38.194.15.195 port "http" transmitted 822 packets and 19262 bytes to 124.172.220.133 port 379A (hex), using router interface 2 to interface 3. In the other direction 622 packets with 51052 bytes were sent.
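
The IP-address matrix and the optional reduction to Class A, B or C networks described above can be reproduced outside RzKFlow as follows. This is an added example, not RzKFlow's own code; it assumes the standard NetFlow version 5 datagram layout (24-byte header, 48-byte records), and the function names and the sample datagram, built from the grid row above, are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")              # 24-byte NetFlow v5 header
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Return the flow records of one export datagram; reject anything that is not well-formed v5."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    offsets = range(HEADER.size, len(datagram), RECORD.size)
    fields = (RECORD.unpack_from(datagram, o) for o in offsets)
    # Only the fields the IP <-> IP matrix needs are kept here.
    return [{"src": f[0], "dst": f[1], "packets": f[5], "bytes": f[6]} for f in fields]

def classful_network(addr):
    """Reduce a 32-bit address to its Class A, B or C network part (other classes unchanged)."""
    first = addr >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else 32
    return addr & (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def aggregate(flows, reduce_to_network=False):
    """Build the IP <-> IP matrix: one row per address pair, [packets, bytes] per direction."""
    matrix = defaultdict(lambda: {"a_to_b": [0, 0], "b_to_a": [0, 0]})
    for f in flows:
        src, dst = f["src"], f["dst"]
        if reduce_to_network:
            src, dst = classful_network(src), classful_network(dst)
        a, b = min(src, dst), max(src, dst)
        cell = matrix[(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))]
        counters = cell["a_to_b"] if src == a else cell["b_to_a"]
        counters[0] += f["packets"]
        counters[1] += f["bytes"]
    return dict(matrix)

def _record(src, dst, in_if, out_if, pkts, octets, sport, dport):
    return RECORD.pack(int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
                       0, in_if, out_if, pkts, octets, 0, 0, sport, dport, 0, 0, 6, 0, 0, 0, 0, 0, 0)

# Constructed datagram carrying the two directions of the grid row described above.
SAMPLE = (HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
          + _record("38.194.15.195", "124.172.220.133", 2, 3, 822, 19262, 80, 0x379A)
          + _record("124.172.220.133", "38.194.15.195", 3, 2, 622, 51052, 0x379A, 80))
```

Because the datagram length is checked against the record count in the header, a truncated or padded UDP payload is rejected instead of being counted into the matrix.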

RzKFlow acting as a probe for NetControl:

RzKFlow gives you a basic insight into the flow data. The perfect reporting, accounting and billing tool for RzKFlow data is NetControl. To be able to collect RzKFlow data within NetControl, you have to set up RzKFlow as a probe for NetControl.

If you have installed a NetControl PC in your network you have to specify its IP-address in the configuration "Probe for NetControl" register card. If NetControl runs on the same PC as RzKFlow you can use the localhost address (127.0.0.1) as NetControl destination IP address. The default UDP port used for transferring the RzKFlow probe data to NetControl is 1000.

RzKFlow can emulate two probes for NetControl for each NetFlow device. One probe counts packets and the other bytes. You can quickly turn on or off all packet- or byte-probes with the corresponding checkboxes.

A probe can only be active if its probe number for NetControl is not equal to 0. 0 is the default setting, which is made when a new entry is inserted or "learned". You define the probe numbers in the grid of the NetFlow clients. Changes are possible only if data sampling is not active.

All probe numbers have to be different.

Accounting:

As described above, RzKFlow can be configured to save each daily NetFlow communication matrix automatically at the end of the day to CSV files. Files will be organized in a yearly and monthly subdirectory structure with one directory for each NetFlow device. The filenames are derived from the date: yyyy-mm-dd.csv. You can process the files, for example, with Excel, or you can write an application to put the data into a (SQL) database. If you need any special program development, please contact RzK.


Limitations:

RzKFlow can only process NetFlow records with NetFlow version 5.


Enabling flow-export on a device:

The operating system of a Cisco router has to be at least IOS Version 12.0.

The flow records have to be sent at least once per minute:
Router#config terminal
Router(config)#ip flow-cache timeout active 1

Sending of flow records must be enabled in each interface section.
For example:
Router(config)#interface Ethernet 0/1
Router(config-if)#ip route-cache flow
(disabling by: Router(config-if)#no ip route-cache flow)
..
At the end of the router configuration process you have to select flow format version 5:
Router(config)#ip flow-export version 5
and specify the destination IP address and port for the NetFlow records:
Router(config)#ip flow-export destination <ip-addr> <port>

Don't forget to save your new configuration:
Router#write



NetFlow is a registered trademark of Cisco Systems Inc.