
FlowTracker

Joe Loiacono


The FlowTracker tool creates a series of expanding time-frame graphs that permit a user to track a particular traffic flow (specified via a filter) over time. The graphs are produced by RRDtool and are replicas of the de facto standard MRTG graphs familiar to network engineers around the world. The filtering criteria include:

* Source Address
* Source Port
* Source AS
* Source Interface
* Destination Address
* Destination Port
* Destination AS
* Destination Interface

These filtering criteria are common to the other tools, FlowViewer and FlowGrapher, as well. A normal FlowTracking is created without specifying a start time. Once submitted, the new FlowTracking will be added to those updated every 5 minutes, as the FlowTracker_Collector and FlowTracker_Grapher processes work continuously in the background. The user also has the ability to "re-create" a FlowTracking by specifying a start time. This will initiate FlowTracker_Recreate, which will run in the background and work its way through stored netflow data, "re-creating" a FlowTracking as if it had been created at a time in the past. An example FlowTracker input screen is shown in Figure 5 below:


Figure 5 - FlowTracker Input Screen

FlowTracker Reporting Parameters allow the user to modify the resulting FlowTracking. These parameters include:

* Tracking Label
* Tracking Type
* Sampling Multiplier
* Alert Threshold
* Alert Destination
* Alert Frequency
* General Comment
* SiLK Sources

Once a FlowTracking has been established via the input screen, two background processes take over: FlowTracker_Collector and FlowTracker_Grapher. FlowTracker_Collector wakes every 5 minutes to collect the latest five-minute sample for each of the active FlowTrackings. This is accomplished by applying a saved FlowTracker filter to the netflow data and extracting a measurement for the 5-minute period in question. This value is then added to the RRDtool archive associated with that FlowTracking. Also every 5 minutes, FlowTracker_Grapher wakes and produces five graphs for each FlowTracking: Last 24 Hours, Last 7 Days, Last 4 Weeks, Last 12 Months, and Last 3 Years. FlowTracking "Group" graphs are also created at this time.

An example FlowTracker output screen is shown in Figure 6 below. From the FlowTracker report screen the user may save either the filter or the report itself using the buttons in the bottom margin. It may seem perplexing at first why one would save a set of graphs that cover up to three years of data. However, because RRDtool creates longer-term graphs from the consolidated averaging of shorter-term graph data points, a certain fidelity in the shorter-term graphs disappears over time, and it is useful to preserve it occasionally. The FlowTracker capability includes an option for the user to be alerted via email whenever a FlowTracking exceeds (or is below) a specified threshold.


Figure 6 - Top of FlowTracker Output Screen
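The loss of fidelity described above matters when a graph is used to spot short traffic bursts. The following added example (not FlowTracker or RRDtool code) models AVERAGE consolidation over one constructed day of 5-minute samples; the consolidation steps are assumed MRTG-style values, not FlowTracker's actual archive definitions.

```python
from statistics import mean

# Assumption: MRTG-style archives, given as 5-minute samples per stored point.
# FlowTracker's real RRA definitions are not shown on this page.
ASSUMED_RRAS = {"5-minute": 1, "30-minute": 6, "2-hour": 24, "1-day": 288}


def consolidate(samples, steps, cf=mean):
    """Collapse each run of `steps` primary samples into one point using cf."""
    usable = len(samples) - len(samples) % steps
    return [cf(samples[i:i + steps]) for i in range(0, usable, steps)]


def peaks_by_resolution(samples, rras=ASSUMED_RRAS, cf=mean):
    """Highest stored point at each resolution: what the graph can still show."""
    return {name: max(consolidate(samples, steps, cf))
            for name, steps in rras.items()}


def resolutions_over_threshold(samples, threshold, rras=ASSUMED_RRAS, cf=mean):
    """Resolutions at which the series would still cross the threshold."""
    peaks = peaks_by_resolution(samples, rras, cf)
    return [name for name, peak in peaks.items() if peak > threshold]


def build_constructed_day():
    """Constructed data: 288 samples at 2 Mbps with one 15-minute 80 Mbps burst."""
    day = [2.0] * 288
    day[120:123] = [80.0, 80.0, 80.0]
    return day


if __name__ == "__main__":
    day = build_constructed_day()
    for name, peak in peaks_by_resolution(day).items():
        print(f"{name:>9} AVERAGE peak: {peak:6.2f} Mbps")
    # Only the 5-minute data still crosses a 50 Mbps threshold.
    print("over 50 Mbps:", resolutions_over_threshold(day, 50.0))
    # RRDtool also offers a MAX consolidation function, which keeps the peak.
    print("MAX peaks:", peaks_by_resolution(day, cf=max))
```

The burst is obvious at 5-minute resolution and nearly invisible once averaged into a daily point, which is why saving the short-term graphs around an event of interest preserves evidence the long-term graphs cannot.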

Figure 7 below shows the same report scrolled down to show the last two of the five time-series graphs: the Last 12 Months and the Last 3 Years. FlowTrackings can be preserved even though a user may modify a FlowTracker filter during a FlowTracking's lifetime. The Last 3 Years graph includes an (optional) vertical red line that was placed at the time of a filter modification.


Figure 7 - Bottom of FlowTracker Output Screen

FlowTracker also provides users the ability to create a Group FlowTracking from multiple individual FlowTrackings. The data is stacked to form a composite graph. Group components can be placed above or below the x-axis and can be any user-specified color. An example Group FlowTracking is shown in Figure 8 below. Other Group FlowTrackings can be seen in the Dashboard (outside panels) in Figure 5 above.


Figure 8 - FlowTracker Group Screen