Frequently Asked Questions
- How much disk space does Traffic Sentinel require?
- How do I adjust how much traffic history to keep?
- How do I configure email forwarding?
- Which devices does Traffic Sentinel support?
- How do I filter on IP Multicast traffic?
- How can I print the maps and real-time topN charts?
- How do I configure Traffic Sentinel to receive Cisco NetFlow?
- How do I extract traffic data for use in a billing system?
- How much bandwidth does sFlow use?
- Can I add my own web pages to Traffic Sentinel?
- How do I configure NetFlow on my Cisco router?
- How do I configure JFlow on my Juniper router?
- How do I configure sFlow on my Juniper switch?
- How do I configure sFlow on my Arista switch?
- How do I configure sFlow on my Brocade switch?
- How do I configure sFlow on my Force10 switch?
- How do I configure sFlow on my Hewlett-Packard ProCurve switch?
- How do I configure sFlow on my Extreme Networks switch?
- How do I configure sFlow on my Alcatel-Lucent OmniSwitch?
- How can I programmatically update a Traffic Sentinel configuration file?
- Which TCP/UDP ports does Traffic Sentinel use when monitoring a network?
- How can I see which end hosts are connected to each switch port?
- How can I install Traffic Sentinel on a VMWare virtual machine?
- How can I change the hostname to match the software key?
- What files should I backup to save all traffic data and configuration?
- How do I configure Traffic Sentinel to use HTTPS?
- How can I configure Traffic Sentinel to authenticate using LDAP, EAP, PAM, MSCHAP, CHAP... ?
How much disk space does Traffic Sentinel require?
The amount of disk space used by Traffic Sentinel is dependent on the size of the network and the amount of traffic it carries. For larger networks (200 - 1500 switches/routers) the space requirement falls in the range of 0.5 - 2.0 Gigabytes per day. A 300G disk would provide between 6 months and two years worth of storage.
How do I adjust how much traffic history to keep?
The form File>Configure>Edit>Edit Site contains settings that control the amount of traffic history that is kept (see online-help).
How do I configure email forwarding?
Traffic Sentinel makes use of sendmail to deliver email. Typically you will want to configure sendmail to forward mail from Traffic Sentinel to your site mail server for delivery. The following steps configure email forwarding:
- Make sure that the rpm packages postfix and mailx are installed.
- Edit /etc/postfix/main.cf, and change the setting for relayhost to:
relayhost=[your.smtp.relay.hostname]
- Restart postfix with:
systemctl restart postfix
- Test at the command line (substituting a real recipient address for user@example.com) with:
echo "hello world" | mail -s "test subject" user@example.com
- Test in Traffic Sentinel by configuring event forwarding under File>Forwarding>Events, then click the link in the top right hand corner of the page to log out, and log in again. This should generate two inform events.
Which devices does Traffic Sentinel support?
Traffic Sentinel relies on instrumentation embedded within switches and routers to provide the raw traffic information.
- sFlow (including host, ADC, and web server extensions), see sFlow Capable Devices for a list.
- IPFIX (over UDP)
- Cisco NetFlow Versions 1, 5, 7 and 9 (non-aggregated)
- Juniper j-flow (non-aggregated)
- HP XRMON (Extended-RMON)
- SNMP (1, 2c, 3)
How do I filter on IP Multicast traffic?
In Traffic Sentinel there are several database fields included to help with selecting unicast, multicast and broadcast traffic. They take the value 0 or 1. For example, to select only multicast traffic, add this filter:
ismulticast=1
Related fields:
islayer3multicast=1
isunicast=1
isbroadcast=1
How do I print the maps and topN charts?
The maps and real-time top N charts are rendered in the browser using HTML5. Some browsers do a poor job of printing, either losing part of the chart or getting the scaling wrong.
If your browser does not print the chart well, the alternative is to create a bitmap of the chart (on Windows with Alt+Print Screen, or on X Window platforms with xwd (X window dump)) and then print the bitmap.
How do I configure Traffic Sentinel to receive Cisco NetFlow?
Configure the routers with a flow-export timeout active of 5 minutes or less and direct them to forward NetFlow version 1, 5, 7 or 9 to the Traffic Sentinel on UDP port 9985 (Consult your router documentation for instructions on configuring NetFlow).
To change the port that Sentinel is listening on, see the NetFlowPort preference setting.
You can confirm that NetFlow packets are arriving at the server by running:
% /usr/sbin/tcpdump -n udp port 9985
Even if you see packets arriving, you may still need to configure the software firewall on the server to allow these packets through to the application:
% iptables --list
The source IP address of these packets should ideally be that of a loopback IP address on the router.
To confirm that the packets are reaching the application, see the file:
% more /usr/local/inmsf/mib/NetFlowProbe.mib
This file is updated every minute.
The next test is to make sure that the Traffic Sentinel can make SNMP requests back to the IP address that the router is sending with:
% /usr/local/inmsf/bin/systemwalk <router IP> <community string>
If this does not work, then you may need to change the router configuration to enable read-only SNMP access.
To override the default community string for your router, create an agent entry in your configuration and then add a new SNMP setting just for that router.
To override the default sampling-interval for your router, create an agent entry in your configuration and then add a new Sampling setting just for that router. However, if you have configured a sampling-interval on the router, then that setting will take priority and no further sampling will be applied.
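The checks above (tcpdump on port 9985, the NetFlowProbe.mib file being rewritten every minute, and the router-side sampling interval taking priority) can be automated. The following Python is an added example written for this FAQ; it is not part of Traffic Sentinel. It decodes the header of a NetFlow v1/5/7/9 datagram (for instance the payload of a packet captured with tcpdump) so you can confirm the version and, for v5, the sampling interval the router is announcing, and it checks the age of the probe file. The sample header bytes are constructed here; the probe file path is the one named in this FAQ.

```python
import os
import struct
import time

# NetFlow export header sizes by version (Cisco export formats): v1 is
# 16 bytes, v5 and v7 are 24 bytes, v9 is 20 bytes. All fields big-endian.
HEADER_LEN = {1: 16, 5: 24, 7: 24, 9: 20}


def parse_netflow_header(data: bytes) -> dict:
    """Decode the header of a NetFlow v1/5/7/9 export datagram.

    Rejects versions Traffic Sentinel does not accept. For v5 the 16-bit
    sampling_interval field is split into its 2-bit mode and 14-bit
    interval, because a sampling interval configured on the router is
    what makes Traffic Sentinel skip its own Sampling setting.
    """
    if len(data) < 4:
        raise ValueError("too short for a NetFlow header")
    version, count = struct.unpack("!HH", data[:4])
    if version not in HEADER_LEN:
        raise ValueError(f"NetFlow version {version} is not v1/v5/v7/v9")
    if len(data) < HEADER_LEN[version]:
        raise ValueError(f"truncated NetFlow v{version} header")
    info = {"version": version, "count": count}
    if version == 1:
        sysuptime, unix_secs, _nsecs = struct.unpack("!III", data[4:16])
        info.update(sysuptime_ms=sysuptime, unix_secs=unix_secs)
    elif version in (5, 7):
        (sysuptime, unix_secs, _nsecs, seq, engine_type, engine_id,
         sampling) = struct.unpack("!IIIIBBH", data[4:24])
        info.update(sysuptime_ms=sysuptime, unix_secs=unix_secs,
                    flow_sequence=seq)
        if version == 5:  # in v7 the last four bytes are reserved
            info.update(engine_type=engine_type, engine_id=engine_id,
                        sampling_mode=sampling >> 14,
                        sampling_interval=sampling & 0x3FFF)
    else:  # v9: no nanoseconds field, adds a source id
        sysuptime, unix_secs, seq, source_id = struct.unpack("!IIII", data[4:20])
        info.update(sysuptime_ms=sysuptime, unix_secs=unix_secs,
                    package_sequence=seq, source_id=source_id)
    return info


def file_age_seconds(path):
    """Seconds since the file was last written, or None if it is missing."""
    try:
        return time.time() - os.path.getmtime(path)
    except FileNotFoundError:
        return None


def is_fresh(age_seconds, max_age_seconds=120):
    """NetFlowProbe.mib is rewritten every minute; allow one missed cycle."""
    return age_seconds is not None and age_seconds <= max_age_seconds


# Constructed sample: a v5 header announcing 30 records, with the router
# sampling field set to mode 1 and an interval of 1-in-100.
SAMPLE_V5 = struct.pack("!HHIIIIBBH", 5, 30, 123456, 1700000000, 0, 42, 0, 0,
                        (1 << 14) | 100)

if __name__ == "__main__":
    print(parse_netflow_header(SAMPLE_V5))
    age = file_age_seconds("/usr/local/inmsf/mib/NetFlowProbe.mib")
    print("probe file fresh:", is_fresh(age))
```

If the decoded version is not 1, 5, 7 or 9 (for example an aggregated export or a v10/IPFIX template stream sent to the NetFlow port) the packets will be seen by tcpdump but never reach the application, which is the situation the probe-file check is meant to catch.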
How do I extract traffic data for use in a billing system?
Traffic Sentinel provides a powerful web-based query mechanism for extracting traffic data (see Tutorials:Scripting). Any HTTP capable tool can be used to make queries and extract aggregated totals suitable for charging for network usage.
It is also possible to bypass the web-server and execute javascript queries directly on the server:
% /usr/local/inmsf/bin/query < myquery.js
How much bandwidth does sFlow use?
This example calculation shows that in a typical configuration sFlow traffic is less than 0.1% of the network bandwidth.
You can use this as a basis for calculating network overhead in a specific network configuration.
Assumptions
- sFlow datagram transport overhead (SDTO) = 66B (sFlow (24) + MAC(14) + IP(20) + UDP(8))
- Interface counters sample (ICS) = 108B
- Interface counters sampling rate (ICSR) = 1/30 (i.e. the counters of each interface in a switch are captured and forwarded every 30s)
- Flow sample average (FS) = 200B (range = 112 bytes to about 250, depending on whether there are subnets, as-paths etc)
- Packet sampling rate (PSR) = 1/1000 (i.e. on average 1 in 1000 packets are sampled)
- Network traffic rate (NTR) = 4000 pps (10Mb link running at 65% capacity with an average packet size of 200B)
Calculation for a 100-interface switch
Interface counter bits per second (ICBR) = 100*ICS*8*ICSR
ICBR = 100*108*8/30 = 2.88kbps
Flow samples per second (FSR) = NTR*PSR
FSR = 4000/1000 = 4
Flow sample bits per second (FSBR) = FSR*FS*8
FSBR = 4*200*8 = 6.4kbps
Typically all 4 flow samples and the counter samples will fit in a single datagram
sFlow datagram bits per second = ICBR + FSBR + (SDTO*8) = 2.88 + 6.4 + 0.53 = 9.81kbps
This is approximately 0.1% of a 10Mb link. If the sampling rate is 1/100 the network overhead for the same traffic rate and packet size is 0.7%
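The calculation above, carried through in Python so it can be repeated for other switch sizes, sampling rates and link speeds. This is an added example for this FAQ, not InMon code. It uses the FAQ's own assumptions (SDTO, ICS, ICSR, FS, NTR) and goes one step beyond the text: instead of assuming one datagram per second it estimates how many datagrams the samples need on a 1500-byte MTU (an assumption added here), which matters once the sampling rate rises. With the FAQ's figures that estimate reduces to a single datagram and reproduces the 9.81 kbps and 0.1% results.

```python
import math

# Assumptions taken from the FAQ's example (bytes unless stated otherwise).
SDTO = 66            # per-datagram overhead: sFlow(24) + MAC(14) + IP(20) + UDP(8)
ICS = 108            # one interface counters sample
POLL_INTERVAL = 30   # seconds between counter samples per interface (ICSR = 1/30)
FS = 200             # average flow sample
NTR = 4000           # network traffic rate in packets per second
LINK_BPS = 10_000_000
# Added assumption, not in the FAQ: sample bytes one datagram can carry on a
# 1500-byte IP MTU after the IP, UDP and sFlow headers.
MAX_PAYLOAD = 1500 - 20 - 8 - 24


def sflow_overhead(interfaces=100, sampling_rate=1000, ntr=NTR, ics=ICS,
                   poll_interval=POLL_INTERVAL, fs=FS, sdto=SDTO,
                   max_payload=MAX_PAYLOAD):
    """Return (sFlow bits per second, datagrams per second) for one switch.

    ICBR  = interfaces * ICS * 8 / poll_interval
    FSR   = NTR / sampling_rate,  FSBR = FSR * FS * 8
    total = ICBR + FSBR + datagrams * SDTO * 8
    """
    counter_bytes = interfaces * ics / poll_interval   # ICBR / 8
    flow_bytes = ntr / sampling_rate * fs              # FSBR / 8
    # The FAQ assumes everything fits in one datagram per second; this
    # generalisation counts how many are needed once that stops being true.
    datagrams = max(1, math.ceil((counter_bytes + flow_bytes) / max_payload))
    total_bps = (counter_bytes + flow_bytes + datagrams * sdto) * 8
    return total_bps, datagrams


def overhead_percent(sflow_bps, link_bps=LINK_BPS):
    """sFlow traffic as a percentage of the monitored link's capacity."""
    return 100.0 * sflow_bps / link_bps


if __name__ == "__main__":
    for rate in (1000, 100):
        bps, dgrams = sflow_overhead(sampling_rate=rate)
        print(f"1-in-{rate}: {bps / 1000:.2f} kbps in {dgrams} datagram(s)/s, "
              f"{overhead_percent(bps):.2f}% of a 10Mb link")
```

At 1-in-100 the 40 flow samples per second no longer fit in one datagram, so the transport overhead is counted six times; the result still rounds to the 0.7% quoted above, which shows how small the per-datagram term is compared with the flow samples themselves.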
How can I add my own web pages to Traffic Sentinel?
Traffic Sentinel web pages all have the web path http://<server>/inmsf/. By default, when you connect to the home page, you are redirected to the Traffic Sentinel web pages under /inmsf/. This behavior is controlled by the file /usr/local/inmsf/etc/apache/inmsf_httpd.conf. If you wish to replace the home page with your own, simply edit the inmsf_httpd.conf file and comment out the redirect, then restart apache with:
% systemctl restart httpd
You can now make changes to the web server's home page (typically in /var/www/html/). To access Traffic Sentinel, you will need to explicitly type in the /inmsf/ path in your URL. It is generally a good idea to create a link from the home page to Traffic Sentinel so that you don't need to remember the path extension. Creating your own home page is a good way to provide contact information, additional information about the network and links to other network management tools. You can also create your own customized reports and navigational screens with links to specific Traffic Sentinel pages, reports and charts.
How do I configure NetFlow on my Cisco router?
The exact commands to configure NetFlow vary between products and IOS releases. The best way to find the appropriate commands for your Cisco product is to search the Cisco web site. As a starting point, here are a few useful links:
You need to configure the router to send NetFlow version 1, 5, 7 or 9 to port 9985 on the Traffic Sentinel server.
Please ensure that the active flow cache timeout is set to 5 minutes or less.
In order to allow Traffic Sentinel to provide long term trending you also need to ensure that you configure your switch or router to provide SNMP ifIndex Persistence.
How do I configure JFlow on my Juniper router?
The exact commands to configure JFlow vary between products and OS releases. The best way to find the appropriate commands for your Juniper router is to search the Juniper web site. As a starting point, here is an example configuration:
core-rtr-1-re1> show configuration forwarding-options
sampling {
    input {
        family inet {
            rate 100;
            max-packets-per-second 7000;
        }
    }
    output {
        cflowd 140.221.135.130 {
            port 9985;
            source-address 140.221.250.127;
            version 5;
            no-local-dump;
            autonomous-system-type origin;
        }
    }
}
hash-key {
    family inet {
        layer-3;
        layer-4;
    }
}
How do I configure sFlow on my Juniper switch?
The best way to find the appropriate commands for sFlow on your Juniper switch is to search the Juniper web site. As a starting point, here is an example configuration:
sflow {
    polling-interval 30;
    sample-rate 100;
    collector 10.0.0.81 {
        udp-port 6343;
    }
    collector 10.1.2.20 {
        udp-port 6343;
    }
    interfaces ge-0/0/0.0;
    interfaces ge-0/0/1.0;
    interfaces ge-0/0/2.0;
    interfaces ge-0/0/3.0;
    interfaces ge-0/0/4.0;
    interfaces ge-0/0/5.0;
    interfaces ge-0/0/6.0;
    interfaces ge-0/0/7.0;
    interfaces ge-0/0/8.0;
    interfaces ge-0/0/9.0;
    interfaces ge-0/0/10.0;
    interfaces ge-0/0/11.0;
    interfaces ge-0/0/12.0;
    interfaces ge-0/0/13.0;
    interfaces ge-0/0/14.0;
    interfaces ge-0/0/15.0;
    interfaces ge-0/0/16.0;
    interfaces ge-0/0/17.0;
    interfaces ge-0/0/18.0;
    interfaces ge-0/0/19.0;
    interfaces ge-0/0/20.0;
    interfaces ge-0/0/21.0;
    interfaces ge-0/0/22.0;
    interfaces ge-0/0/23.0 {
        polling-interval 30;
        sample-rate 200;
    }
}
How do I configure sFlow on my Arista switch?
The following commands configure an Arista switch with IPAddress 10.10.2.3 to sample at 1-in-4000 and send the sFlow packets to Traffic Sentinel (192.168.4.5) over UDP port 6343:
config> sflow source 10.10.2.3
config> sflow destination 192.168.4.5
config> sflow rate 4000
config> sflow polling-interval 30
config> sflow run
How do I configure sFlow on my Brocade switch?
The following commands configure a Brocade switch to sample at 1-in-512 and send the sFlow packets to Traffic Sentinel (192.168.4.5) over UDP port 6343:
config> int e 1/1 to 1/8
interface> sflow forwarding
(repeat for all blades)
config> sflow destination 192.168.4.5
config> sflow sample 512
config> sflow polling-interval 30
config> sflow enable
You can also use the command:
show sflow
to list the configuration settings.
Additional information can be found on the Brocade web site.
How do I configure sFlow on my Force10 switch?
The following commands configure a Force10 switch 192.168.1.1 to sample at 1-in-512 and send the sFlow packets to Traffic Sentinel (192.168.4.5) over UDP port 6343:
config> sflow collector 192.168.4.5 agent-addr 192.168.1.1
config> sflow sample 512
config> sflow polling 30
config> sflow extended-switch enable
config> sflow enable
Then for each interface:
interface> sflow enable
You can also use the command:
show sflow
to list the configuration settings.
Additional information can be found on the Force10 Networks web site.
How do I configure sFlow on my Extreme Networks switch?
The following commands configure an Extreme switch (192.168.1.1) to sample at 1-in-512 and send the sFlow packets to Traffic Sentinel (192.168.4.5) over UDP port 6343:
enable sflow
configure sflow agent 192.168.1.1
configure sflow collector 192.168.4.5
configure sflow sample-rate 512
configure sflow poll-interval 30
enable sflow backoff-threshold
configure sflow backoff-threshold 100
enable sflow port 1
enable sflow port 2
enable sflow port 3
enable sflow port 4
enable sflow port 5
enable sflow port 6
enable sflow port 7
enable sflow port 8
Additional information can be found on the Extreme Networks web site.
How do I configure sFlow on my Hewlett-Packard ProCurve switch?
The HP ProCurve switches support the standard sFlow MIB, so Traffic Sentinel can be configured to discover and configure them automatically.
Ensure that the Traffic Sentinel is given the read-write community string, and has "manager" privileges on the switch. For example:
snmp-server community "private" Unrestricted
Next add an agent section for it in the Traffic Sentinel configuration, or add an agentrange section and then click File>Control>Scan For Agents. After a minute or two it should appear under Traffic>Status.
As an alternative, many ProCurve switches also support sFlow configuration via the switch CLI. For example:
sflow 1 destination 192.168.1.1
sflow 1 polling ethernet all 30
sflow 1 sampling ethernet all 512
show sflow agent
show sflow 1 destination
show sflow 1 polling
Additional information can be found on the HP ProCurve web site.
How do I configure sFlow on my Alcatel-Lucent OmniSwitch?
The Alcatel-Lucent OmniSwitches support the standard sFlow MIB over SNMP, so Traffic Sentinel can be configured to discover and automatically configure these switches to send sFlow.
Ensure that the Traffic Sentinel is given the read-write community string. Then add an agent section for the switch in the Traffic Sentinel configuration (or add an agentrange section and then click File>Control>Scan For Agents).
Ensure that the switch is also configured with an appropriate loopback address so that Traffic Sentinel can uniquely identify the switch (see below).
Alcatel-Lucent OmniSwitches can also be configured by the command line to send sFlow. The following commands configure an OmniSwitch (192.168.1.1) to sample at 1-in-512 and send sFlow to the Traffic Sentinel (192.168.4.5) over UDP port 6343:
ip interface loopback0 192.168.1.1
sflow receiver 1 name TrafficSentinel address 192.168.4.5 udp-port 6343
sflow sampler 1 1/1-24 receiver 1 rate 512
sflow poller 1 1/1-24 receiver 1 interval 30
How do I programmatically update the Traffic Sentinel configuration file?
The following cURL commands can be used to GET and POST the XML configuration from the Linux command line (substituting user, password and server IP):
GET:
curl --output config.xml --basic --user administrator:administrator "http://10.0.0.162/inmsf/Config?authenticate=basic&action=xml&resultFormat=xml"
POST:
curl --form file=@config.xml --basic --user administrator:administrator "http://10.0.0.162/inmsf/Config?authenticate=basic&action=xml&resultFormat=xml"
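The same GET and POST, done from Python with only the standard library, as an added example for this FAQ (not InMon code). It builds the Basic Authorization header and the multipart/form-data body that curl --form produces, and refuses to POST a file that is not well-formed XML, which is the mistake a scripted update is most likely to make. The server address and administrator:administrator credentials are the placeholders from the commands above; substitute your own. Basic authentication sends the password base64-encoded, not encrypted, so run this against https:// once the HTTPS FAQ below has been followed.

```python
import base64
import urllib.request
import uuid
import xml.etree.ElementTree as ET

# Placeholders from the FAQ's curl examples; substitute your own values.
SERVER = "10.0.0.162"
USER, PASSWORD = "administrator", "administrator"


def config_url(server, scheme="http"):
    """The Config endpoint used by both the GET and the POST."""
    return (f"{scheme}://{server}/inmsf/Config"
            "?authenticate=basic&action=xml&resultFormat=xml")


def basic_auth_header(user, password):
    """Equivalent of curl --basic --user user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def encode_multipart(field, filename, payload, boundary=None):
    """Body and Content-Type matching curl --form field=@filename."""
    boundary = boundary or uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: text/xml\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + payload + tail, f"multipart/form-data; boundary={boundary}"


def validate_config_xml(payload):
    """Raise xml.etree.ElementTree.ParseError on malformed XML; return the root tag."""
    return ET.fromstring(payload).tag


def get_config(server=SERVER, user=USER, password=PASSWORD, scheme="http"):
    """Download the XML configuration (equivalent of the curl --output line)."""
    req = urllib.request.Request(config_url(server, scheme),
                                 headers=basic_auth_header(user, password))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def post_config(payload, server=SERVER, user=USER, password=PASSWORD, scheme="http"):
    """Upload a configuration after checking it parses; returns (status, body)."""
    validate_config_xml(payload)
    body, content_type = encode_multipart("file", "config.xml", payload)
    headers = basic_auth_header(user, password)
    headers["Content-Type"] = content_type
    req = urllib.request.Request(config_url(server, scheme), data=body,
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    current = get_config()
    print("fetched", len(current), "bytes, root element", validate_config_xml(current))
    # Edit `current` here, then push it back:
    print(post_config(current))
```

Keep a copy of each fetched config.xml before posting a modified one; the GET is also a convenient way to take the configuration snapshot the backup FAQ below describes, from a remote host.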
Which ports does Traffic Sentinel use when monitoring a network?
Traffic Sentinel makes use of a number of ports and services in order to monitor network traffic. Understanding which ports are required is helpful in setting access control/firewall controls.
- The server talks SNMP to the network devices, so that means it sends to the UDP destination port 161.
- The server sends traps (e.g. to OpenView) on UDP port 162.
- The server sends email messages by connecting to the mail server on TCP port 25.
- The server also occasionally sends ICMP ECHO messages to the devices to test availability, and as part of the autodiscovery.
- The server exports a web interface, so TCP port 80 should be visible to clients trying to reach the server (or 443 if you use SSL).
- The server will make DNS requests to the nameserver on UDP port 53.
- The switch agents stream information back to the server in UDP packets. The HP Extended RMON, NetFlow and sFlow ports that the server listens on are displayed on the "File > Status" page. These are the default settings - they can be changed in the preferences.
- You will need to be able to log in to the server via ssh (TCP port 22).
- We strongly recommend running NTP (Network Time Protocol) on the server. NTP uses port 123.
How can I see which end hosts are connected to each switch port?
Traffic Sentinel attempts to keep an up-to-date record of which end host is connected to which switch port, using a combination of sFlow and SNMP data. This information can be accessed in a number of ways:
- Under "Traffic > Status", drill down to view the ports on a switch, then change the Show option from interfaces to hosts.
- Use the "Search > Host" to search for a particular host. If the location is known it will be shown on the resulting page.
- The report section Inventory > List Hosts can provide a tabular listing of the end hosts and their locations.
How can I install Traffic Sentinel on a VMWare virtual machine?
Traffic Sentinel can be installed on a VM, provided:
- The Linux OS is Red Hat Enterprise 5.0 or newer, CentOS 5.0 or newer, or Fedora 10 or newer. This is because newer Linux kernels (starting with 2.6.21) handle clock distribution differently. For older Linux kernels see the steps below.
- The VM settings are adjusted to give this VM the highest possible priority access to disk. This is one of the settings that can only be changed when the VM is powered off. Using the default disk priority results in severe performance degradation and renders Traffic Sentinel unusable.
- The VM settings are adjusted to reserve memory for this VM. In particular, if memory "ballooning" is being used, then memory for this VM should be reserved. Otherwise the Linux disk caching scheme performs poorly, and Traffic Sentinel will run about 3 or 4 times slower than it should. For details on memory reservation, see section 4 of this VMWare white paper.
Older Linux Kernels
Older Linux installations are possible, but there are clock interrupt distribution issues that affect Traffic Sentinel. A work-around is available, but it forces you to use only a single-processor configuration, so it is not recommended:
- Configure the host OS to use the kernel parameters "clock=pit noapictimer"
- Configure the VM (/etc/grub.conf) to use a non-SMP kernel, and add the kernel parameters "clock=pit noapictimer nosmp".
- Disable ntpd on the VM by running the following in a root terminal:
/sbin/service ntpd stop; /sbin/chkconfig --level 12345 ntpd off
- Install vmware-tools on the VM
- Run the "vmware-toolbox" application, and check the option: "Time synchronization between the virtual machine and the host operating system"
- Confirm the clock is stable on the VM by running the following in a terminal:
while [ 1 == 1 ] ; do date; sleep 3; done
If the clock is OK you'll see output every 3 seconds. If there is a problem, you'll see it take a lot longer than 3 seconds between lines of output, even though it only claims 3 seconds have passed each time.
- If the clock is OK, then you can install and run Traffic Sentinel as normal.
How can I change the hostname to match the software key?
If the software key is rejected with "bad value" it is often because the hostname of the server does not match the fully-qualified hostname (e.g. "sentinel.mycompany.com") encoded in the key. Here are the steps to change the hostname on the linux server so that the key is accepted:
- edit the file /etc/sysconfig/network and add or edit the HOSTNAME line:
HOSTNAME=sentinel.mycompany.com
- edit the file /etc/hosts and make sure there is a separate entry for sentinel.mycompany.com with the correct IP address:
127.0.0.1 localhost.localdomain localhost
10.1.2.3 sentinel.mycompany.com sentinel
- reboot the server
What files should I backup to save all traffic data and configuration?
It is helpful to consider the Traffic Sentinel configuration and traffic history separately:
The various configuration files can be collected into one archive file using the /usr/local/inmsf/scripts/config_snapshot script.
The corresponding /usr/local/inmsf/scripts/config_restore script can be used to restore a configuration saved in this way.
For the traffic history database, which may be very large, you may choose to back up the contents of /usr/local/inmsf/data/historyData.
If moving to new hardware, please follow the steps outlined in the server migration tutorial.
How do I configure Traffic Sentinel to use HTTPS?
Traffic Sentinel uses the Apache web server as its front end. Many Linux distributions enable HTTPS by default, but it is likely that your browser will create numerous security warnings relating to the security certificate. The steps for installing and configuring HTTPS are platform specific; please consult the relevant documentation for your Linux distribution, for example Setting up an SSL secured Webserver with CentOS. Once you have installed the certificate you should be able to connect to Traffic Sentinel using the URL https://<server>/ without receiving any warning messages.
If you want to automatically redirect all requests to HTTPS, then the following lines need to be added to the beginning of your /usr/local/inmsf/etc/apache/inmsf_httpd.conf file:
# Redirect All HTTP requests to HTTPS
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
After making these changes you will need to restart Apache using the command:
/sbin/service httpd restart
How can I configure Traffic Sentinel to authenticate using LDAP, EAP, PAM, MSCHAP, CHAP... ?
Traffic Sentinel supports two authentication schemes for verifying user passwords:
- Password, the username and password are tested against Traffic Sentinel's password file.
- RADIUS, the username and password are verified using a RADIUS server.
A RADIUS server can be used to bridge RADIUS authentication requests into other authentication protocols using the following steps:
- Install the RADIUS software on your Traffic Sentinel server. The FreeRADIUS server has been used successfully with Traffic Sentinel. The freeradius RPM should be available as part of your RedHat Linux distribution and may already be installed.
- Edit the RADIUS server configuration file (/etc/raddb/radiusd.conf for FreeRADIUS) to specify the authentication schemes you want to allow.
- Create a client entry that will allow connections from Traffic Sentinel to the RADIUS server. You will need to specify a shared secret, for example testing123. If you are using FreeRADIUS, edit the /etc/raddb/clients.conf file to include the following:
client 127.0.0.1 {
    secret = testing123
    shortname = trafficsentinel
}
- Connect to Traffic Sentinel and use the File>Users>RADIUS form to configure the following settings:
Server: 127.0.0.1
Secret: testing123
Authenticator: PAP
- Finally, use the File>Users>Edit Users form to set RADIUS as the authentication method for each user.
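Before switching users over to RADIUS it is worth confirming, from the Traffic Sentinel host, that the client entry and shared secret above actually work. The following Python is an added example for this FAQ, not InMon or FreeRADIUS code: it builds the same kind of PAP Access-Request (RFC 2865) that the Authenticator: PAP setting produces, hides the User-Password with the shared secret exactly as the RFC specifies, sends it to 127.0.0.1:1812, and checks the Response Authenticator on the reply so a forged or mis-secreted answer is not mistaken for an Access-Accept. The secret testing123 and the user name are the placeholders from the steps above; the server-side build_reply function is included only so the exchange can be exercised without a live server.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c_1 = p_1 XOR MD5(secret + RequestAuth), c_i = p_i XOR MD5(secret + c_{i-1})."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does)."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value, length counting the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username, password, secret, identifier=1,
                         nas_ip="127.0.0.1", request_auth=None):
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     encode_user_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_reply(code, identifier, request_auth, secret, attrs=b""):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(reply, request_auth, secret):
    """Return the reply code if its Response Authenticator is valid, else None."""
    if len(reply) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    attrs = reply[20:length]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    return code if reply[4:20] == expected else None


def send_access_request(username, password, secret=b"testing123",
                        server="127.0.0.1", port=1812, timeout=5):
    """Send one PAP Access-Request and return the verified reply code
    (2 = Access-Accept, 3 = Access-Reject, None = bad or missing reply)."""
    request_auth = os.urandom(16)
    packet = build_access_request(username, password, secret, identifier=7,
                                  request_auth=request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    return verify_response(reply, request_auth, secret)


if __name__ == "__main__":
    import getpass
    print(send_access_request(input("user: "), getpass.getpass("password: ")))
```

PAP hides the password only with an MD5 keystream derived from the shared secret, which is why the FAQ's configuration keeps the RADIUS server on 127.0.0.1; if the server is moved to another host, choose a long random shared secret rather than testing123 and restrict client entries to that one Traffic Sentinel address.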