TNPFA 4.1.1 Installation and User Guide - e IBM Tivoli Composite ...
Note: Before using this information and the product it supports, read the information in Notices.
This edition applies to IBM Tivoli Netcool Performance Flow Analyzer version 4.1.1 and to all subsequent releases and
modifications until otherwise indicated in new editions.
© Copyright IBM Corp. 2004, 2010
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
IBM Tivoli Netcool Performance Flow Analyzer: Installation and User Guide

Contents
About this guide
Chapter 1. Overview
1.1 Reporting
1.2 Aggregation database
1.3 High performance and scalability
1.4 User interface
1.5 Interoperability
Chapter 2. System requirements
2.1 Hardware
2.2 Operating system and software
Chapter 3. Getting started
3.1 Installing
3.1.1 Installing the package
3.1.2 Installing as an upgrade
3.1.3 Creating an administrator account
3.1.4 Starting and stopping the system
3.1.5 Logging into the Tivoli Netcool Performance Flow Analyzer server
3.1.6 Updating the license
3.1.7 Creating a user account
3.2 Uninstalling
3.3 Memory management
Chapter 4. Configuration
4.1 Site management
4.2 Aspects
4.2.1 Tivoli Netcool Performance Flow Analyzer filter expressions
4.3 Domains
4.4 User management
4.5 Other configuration files
4.6 Reporting
Chapter 5. Traffic analyzer
5.1 Overview
5.2 Aspect views
5.3 Domain views
Chapter 6. Standard reports
Chapter 7. Zoom reports
7.1 Zoom report list page
7.2 Zoom Report configuration page
7.3 Processing
7.4 Viewing the results
Chapter 8. System status
Chapter 9. Import
Chapter 10. Troubleshooting
Appendix A. Integration and scripting
Appendix B. 95th percentile billing
Notices
Glossary

About this guide

Introduction
This Installation and User Guide tells you how to install and configure IBM® Tivoli® Netcool®
Performance Flow Analyzer version 4.1.1.

Audience
The audience for this information is anyone who must install and operate Tivoli Netcool Performance
Flow Analyzer. Typically, the audience consists of experienced system administrators, network
administrators, and IT technicians. Some background in networking, operating systems, and software
installation procedures is assumed.

How this guide is organised
This guide is divided into the following chapters and appendixes:
Chapter 1. Overview
A brief product description
Chapter 2. System requirements
A description of the hardware and software requirements
Chapter 3. Getting started
A description of the basic installing and uninstalling procedures, as well as how to start, stop, and
reset the system
Chapter 4. Configuration
A description of the Tivoli Netcool Performance Flow Analyzer configuration options
Chapter 5. Traffic analyzer
A description of the traffic analysis functions in the user interface
Chapter 6. Standard reports
A description of how to generate and view standard reports
Chapter 7. Zoom reports
A description of how to generate and view zoom reports
Chapter 8. System status
A description of the functions to control the system status
Chapter 9. Import
A description of the import function
Chapter 10. Troubleshooting
Help with miscellaneous problems
Appendix A. Integration and scripting
A brief introduction to the Tivoli Netcool Performance Flow Analyzer Application Programming
Interface (API)
Appendix B. 95th percentile billing
A description of the 95th percentile mathematical calculation
Glossary
A description of terms used in this document

Related documents
For additional information, refer to the following documents:
IETF RFC 5101
Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow
Information, 2008
IETF RFC 3954
Cisco Systems NetFlow Services Export Version 9, 2004

Chapter 1. Overview
Analysis and visualization of network traffic is important for optimizing and protecting the operation
of networked IT infrastructures. Tivoli Netcool Performance Flow Analyzer is designed to gain tight
control over end-to-end resource usage for hosts, servers, services, applications, protocols, domains,
autonomous systems, quality-of-service classes, interfaces, and user-defined combinations of these
aspect components.
The system operates passively by generating detailed network traffic reports from flow-information
streams such as NetFlow, IPFIX, jFlow, cflowd and NetStream. Traffic views and reports provide
detailed asset usage information that ranges from seconds to years. The system supports network
planning as well as network operation — for instance, through identification of network congestion
causes. The system can also be used to estimate traffic impact with server consolidation and new
application roll-outs or pilots.
Figure 1.1: Tivoli Netcool Performance Flow Analyzer user interface

1.1 Reporting
Traffic usage reports are provided for bit, packet, and flow rates in tables, pie charts, and interactive
graphs. The reports contain information about single traffic aspects or combinations of the following traffic aspects:
• Applications (for example, mail, http, backup, printer, Lotus Notes)
• Hosts and servers
• Domains defined by lists of subnets, autonomous systems, or flow filters
• Individual end-to-end flows
• Traffic types (for example, unicast, broadcast, multicast, IPv4/IPv6, ICMP)
• Service types (for example, IETF DiffServ)
• Protocols (for example, TCP, UDP, ICMP)
• TCP/UDP ports and services (for example, DFS, DNS, SSH, telnet, POP3, SMTP)
• Flow-information exporters and interfaces
Total traffic volumes are reported by direction (sent or received) for all configured aspects. Reports are
automatically generated for selected periods, in PDF format. You can use Tivoli Netcool Performance
Flow Analyzer to generate customised reports in HTML, JSON, and as textual output, using the flow
analyzer application programming interface (API); see Appendix A. Tivoli Netcool Performance Flow
Analyzer supports domain views including 95th-percentile computation per direction; see Appendix
B.
User-defined combinations of traffic aspect components provide better understanding of end-to-end
traffic flows. An example of a user-defined aspect is a quality-of-service breakdown by application and
source or destination autonomous system.

1.2 Aggregation database
Traffic flow profiling requires advanced database technology to handle high flow volumes in large
enterprise and service provider infrastructures. Tivoli Netcool Performance Flow Analyzer uses an
aggregation database (ADB) that is specifically designed for efficient memory and storage footprints.
The ADB provides a mechanism for efficient incremental storage of primary traffic data values which
are associated with time intervals. The database stores data values in groups of circular arrays of
period-dependent resolution. Therefore, the database is able to handle large flow data sets with fast
access times and limited storage.
The ADB uses lower resolution for arrays that cover longer time periods. Additionally, the design of
the ADB reduces memory-to-disk synchronization and accelerates data import and export. Users can
quickly change their viewpoint when looking at traffic flows. Because data is represented in the ADB
for multiple viewpoints, flow files do not have to be reanalyzed or newly indexed.
Array grouping in the ADB optimizes the creation of sorted views of related parameters. This feature
is of great importance to efficiently display sorted lists of top protocols, top hosts, top flows, and so on.
The ADB supports period durations of hour, day, week, month, quarter, and year.
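
The circular-array scheme described in this section can be sketched as follows. This is an added example, not IBM's ADB code and not part of the original guide; the bucket sizes in PERIODS, the class and function names, and the sample flow records are assumptions made for illustration.

```python
"""Illustrative round-robin aggregation store (added example, not IBM's ADB)."""

# Assumed resolutions: (period name, seconds per bucket, number of buckets).
# Longer periods get coarser buckets, so every ring has a fixed, small size.
PERIODS = (
    ("hour", 60, 60),      # 1-minute buckets
    ("day", 300, 288),     # 5-minute buckets
    ("week", 1800, 336),   # 30-minute buckets
)


class Ring:
    """One circular array of `slots` buckets, each covering `step` seconds."""

    def __init__(self, step, slots):
        self.step, self.slots = step, slots
        self.values = [0] * slots
        self.stamps = [None] * slots   # absolute bucket number held by each slot
        self.newest = None             # highest bucket number seen so far

    def add(self, t, amount):
        """Add `amount` to the bucket containing time `t`; False if too old."""
        bucket = t // self.step
        if self.newest is not None and bucket <= self.newest - self.slots:
            return False               # outside the window this ring retains
        self.newest = bucket if self.newest is None else max(self.newest, bucket)
        i = bucket % self.slots
        if self.stamps[i] != bucket:   # slot still holds a previous lap: recycle
            self.stamps[i], self.values[i] = bucket, 0
        self.values[i] += amount
        return True

    def series(self, now):
        """Return [(bucket_start, value)] for the window ending at `now`."""
        last = now // self.step
        out = []
        for bucket in range(last - self.slots + 1, last + 1):
            i = bucket % self.slots
            value = self.values[i] if self.stamps[i] == bucket else 0
            out.append((bucket * self.step, value))
        return out


class AggregationDB:
    """Groups one ring per period under each key (for example, a protocol)."""

    def __init__(self, periods=PERIODS):
        self.periods = periods
        self.groups = {}               # key -> {period name: Ring}

    def add(self, key, t, octets):
        """Incrementally store one flow record in every period of its group."""
        if key not in self.groups:
            self.groups[key] = {name: Ring(step, slots)
                                for name, step, slots in self.periods}
        for ring in self.groups[key].values():
            ring.add(t, octets)

    def total(self, key, period, now):
        """Octets recorded for `key` in the `period` window ending at `now`."""
        return sum(value for _, value in self.groups[key][period].series(now))

    def top(self, period, now, n=3):
        """Sorted view across groups: the n keys with the most octets."""
        totals = sorted(((self.total(k, period, now), k) for k in self.groups),
                        reverse=True)
        return [(k, v) for v, k in totals[:n]]

    def slot_count(self):
        """Storage footprint in buckets; independent of how many records came in."""
        return sum(r.slots for g in self.groups.values() for r in g.values())


# Constructed sample flow records: (timestamp, protocol, octets).
T0 = 1262304000                        # 2010-01-01 00:00:00 UTC
SAMPLE_FLOWS = [
    (T0 + 10, "tcp", 1000),
    (T0 + 130, "tcp", 500),
    (T0 + 70, "udp", 300),
    (T0 + 400, "tcp", 200),
    (T0 + 7200, "udp", 900),
    (T0 + 7230, "icmp", 64),
]


def build_demo():
    """Load the constructed records into a fresh store."""
    db = AggregationDB()
    for t, proto, octets in SAMPLE_FLOWS:
        db.add(proto, t, octets)
    return db


if __name__ == "__main__":
    db, now = build_demo(), T0 + 7259
    print("top (hour):", db.top("hour", now))
    print("top (day): ", db.top("day", now))
    print("buckets allocated:", db.slot_count())
```

The hour view no longer contains the early TCP records while the day and week views still do, and the number of allocated buckets depends only on the number of keys and periods.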

1.3 High performance and scalability
Tivoli Netcool Performance Flow Analyzer is designed for high performance. The system uses
parallelism on multicore architectures and uses a fast in-memory ADB. A single installation can
accommodate flow-information records that are exported from many routers, switches, and interfaces.
On a typical dual-core server with default configuration, a processing speed of 50,000 flows per second
can be achieved. Higher flow rates require more resources, a distributed setup, or a less complex
configuration.

1.4 User interface
The user interface of Tivoli Netcool Performance Flow Analyzer is Web-based and is served over Secure
Sockets Layer (SSL) when SSL is configured on the Web server. Built-in user management provides user roles with
password-protected access. Configuration of user roles, aspect composition, and item grouping (for
example, domain definition) is supported in the user interface.
Tables, pie charts, and graphs are linked and enabled to interactively drill down based on AJAX/SVG.
The interactive functions are as follows:
• Ability to drill down time ranges in graphs
• Pop-up legends inside graphs
• Ability to show or hide breakdown items, including the total of non-classified items
• Selection of sorting criteria by direction: sent, received, total
• Selection of units: octets, packets, flows
• Selection of scaling: linear, log, trend
• Automatic time scrolling

1.5 Interoperability
Tivoli Netcool Performance Flow Analyzer offers an API to the flow analyzer daemon. All
configuration, control, and database access functions are supported by the API. The API is also used
for scripted output (for example, in CSV and PDF format). Periodically, advanced users can write
custom scripts to export into a desired output format. The scripting language can also be used for
event notification. Events can be signalled as syslog messages.

Chapter 2. System requirements

2.1 Hardware
For optimum performance, you need at least a dual 2 GHz 64 bit processor machine with 4 GB of
memory. Storage capacity of at least 70 GB is necessary to save flow files for import and zooming. A
network interface is needed to receive flow-information data.
The exact hardware configuration depends on the data traffic profile and the software configuration. A
rough estimation is that a single installation as described above can support 50,000 flows per second.
With the assumption that flow information export can be estimated as 1% of the data traffic and a
single flow record is about 50 B, a total traffic throughput of 50,000/s × 50 B × 100 × 8 b/B = 2 Gb/s can
be supported with a single installation. Higher flow rates require more resources or a distributed
setup. For a more detailed discussion and guidance on memory usage, see section 3.3.

2.2 Operating system and software
Tivoli Netcool Performance Flow Analyzer is supported on the following operating systems:

Operating System                       Version   Platform
AIX®                                   5.3       Power Series
AIX                                    6.1       Power Series
Red Hat Enterprise Linux® (RHEL)       4.X       Intel x86 32 bit
Red Hat Enterprise Linux               4.X       Intel x86 64 bit
Red Hat Enterprise Linux               5.X       Intel x86 32 bit
Red Hat Enterprise Linux               5.X       Intel x86 64 bit
Solaris                                9         Sun SPARC 64 bit
Solaris                                10        Sun SPARC 64 bit
SUSE Linux Enterprise Server (SLES)    9.X       Intel x86 32 bit
SUSE Enterprise Linux                  9.X       Intel x86 64 bit
SUSE Enterprise Linux                  10.X      Intel x86 32 bit
SUSE Enterprise Linux                  10.X      Intel x86 64 bit
SUSE Enterprise Linux                  11.X      Intel x86 32 bit
SUSE Enterprise Linux                  11.X      Intel x86 64 bit

The following software packages are required:
• Apache2 Web server, preferably with SSL support if the user interface is used
• Network Time Protocol (NTP)
These packages are loosely coupled with the Tivoli Netcool Performance Flow Analyzer system and
do not run in a shared address space with the system. The core collection, database, and reporting
components of Tivoli Netcool Performance Flow Analyzer do not depend on any of these packages.

Chapter 3. Getting started

3.1 Installing
Ensure that Apache2 Web Server is installed and running before you start to install Tivoli Netcool
Performance Flow Analyzer. The installation steps are as follows:
1. Install the package.
2. Create an administrator account.
3. Restart the system.
4. Log into the Tivoli Netcool Performance Flow Analyzer server.
5. Update the license (only needed for trial version).
6. Create a user account.

3.1.1 Installing the package
Installation requires root administration rights. You can create an operating-system account called
tnpfa with root privileges, or you can use the root account.
Note: On a RHEL environment, SELinux should be disabled before installation.
To disable SELinux, turn off SELinux enforcing. Complete the following steps as root administrator:
1. Open the /etc/sysconfig/selinux file.
2. Find the following line:
SELINUX=enforcing
3. Change this line as follows:
SELINUX=disabled
4. Restart the system.
Tivoli Netcool Performance Flow Analyzer is packaged as a physical DVD, a DVD image, or an
electronic archive (that is, a tar file). Extract the files from the archive with the following command:
# tar xf CZ5FAEN.tar
Note: The archive might be distributed with a different file name.
The INSTALL installation script is in the top directory (on DVD or extracted archive):
# cd CZ5FAEN
# ./INSTALL

3.1.2 Installing as an upgrade
To install the Tivoli Netcool Performance Flow Analyzer 4.1.1 release on a system that already has
Tivoli Netcool Performance Flow Analyzer 4.1.0 installed, there are a number of steps that must be
performed:
1. Uninstall Tivoli Netcool Performance Flow Analyzer 4.1.0 in accordance with the
corresponding installation guide.
Note: If you are prompted to delete the files by the uninstall script, select no.
2. Install Tivoli Netcool Performance Flow Analyzer 4.1.1 by following the instructions in section
3.1.1.
The INSTALL script referenced in section 3.1.1 reports that users and a configuration exist from
the previous Tivoli Netcool Performance Flow Analyzer 4.1.0 installation. You are advised to run the
./INSTALL copyold command to copy the old data into the new installation. Depending on the user
inputs, the copyold command performs the following actions:
1. Copy an updated form of the user definition files into the 4.1.1-specific location.
2. Delete the obsolete 4.1.0 user definition files.
3. Copy the site definition and data files from the 4.1.0 location to the corresponding 4.1.1
location.
4. Delete the obsolete 4.1.0 configuration and data.
Note: You must clear the browser cache for any client machine that has previously accessed the 4.1.0
GUI. For more information, consult your browser documentation.

3.1.3 Creating an administrator account
After you install the system, you must create an administrator account:
# tnpfa addroot
User ID: admin
User ’admin’ successfully created in file ’users/admin’
The password for this account is ’************
Record the administrator password that is provided. When Tivoli Netcool Performance Flow Analyzer
is upgraded or reinstalled, a previous administrator account may exist. You can also generate new
administrator accounts.
To delete an administrator account:
1. Stop Tivoli Netcool Performance Flow Analyzer.
2. To delete the account, use the deluser command as follows:
# tnpfa deluser admin

3.1.4 Starting and stopping the system
Starting and stopping the Tivoli Netcool Performance Flow Analyzer requires root administration
rights. Run the following commands as the root user or the tnpfa user.
To start the Tivoli Netcool Performance Flow Analyzer system, use the start command from the
server console:
# tnpfa start
This command runs Tivoli Netcool Performance Flow Analyzer in the background.
To stop the Tivoli Netcool Performance Flow Analyzer background process, use the stop
command from the server console:
# tnpfa stop
Stopping (may take a moment)...
To check the status, use the status command from the server console:
# tnpfa status
To reset the system, use the reset command from the server console:
# tnpfa reset
Do you want to reset the system? [yes]
Do you want to reset site ’Test’? [yes]
Reset ’adb’ at site ’Test’? [yes]
Resetting... done.
Reset ’flow’ at site ’Test’? [yes] no
Reset ’log’ at site ’Test’? [yes]
Resetting... done.
Reset ’reports’ at site ’Test’? [yes]
Resetting... done.
Do you want to reset common components? [yes]
Reset common ’log’? [yes]
Resetting... done.
The collected and generated data (including report and log file data) can be individually deleted with
the reset command if the user answers yes to the relevant questions. All aspects are retained but their
related data is deleted when the reset command is executed.
Use the help command to display all options for the tnpfa command:
# tnpfa help
IBM Tivoli Netcool Performance Flow Analyzer
Version 4.1.1.0
Release 2010.02.03
Usage: tnpfa OPTIONS
start [verbose|confirm] : Start
restart [verbose] : Restart
stop [verbose|confirm] : Stop
reset [] : Reset interactively
connect : Connect to system CLI
showsites : Show all sites
addsite [] : Add new site
delsite [] : Delete site
showusers : Show all user accounts
showuser [] : Show single user account
addroot [] : Add new root user account
adduser [] : Add new user account
deluser [] : Delete user account
setflowurl [] : Set the flow URL
import [ [

3.1.5 Logging into the Tivoli Netcool Performance Flow Analyzer server
The user interface of Tivoli Netcool Performance Flow Analyzer is Web-based and requires a Web
browser (for example, Mozilla Firefox, Microsoft® Internet Explorer Version 7 or 8). Enable cookies
and Scalable Vector Graphics (SVG) support.
Note: Internet Explorer does not natively support SVG. If you choose Internet Explorer, install the
Adobe® SVG 6 plug-in from http://www.adobe.com/svg/viewer/install/beta.html. Internet
Explorer Version 6 is not supported.
The installation procedure requires that the Apache2 Web server is installed and running on the
system. A configuration file is installed in the Apache2 configuration directory:
RHEL, SLES: /etc/httpd/conf.d
Solaris: /etc/apache2/httpd.conf
The configuration of the Web server is reloaded automatically during installation. If the Web server is
not running during installation, it has to be started manually.
To start apache2 on RHEL, use the following command:
/etc/rc.d/init.d/httpd start
Log into the Tivoli Netcool Performance Flow Analyzer server with flow-analyzer administrator
credentials (see sections 3.1.2 and 3.1.5) by using the following URL:
http:///tnpfa/
The name or IP address of the host on which Tivoli Netcool Performance Flow Analyzer is installed
must be used instead of localhost in the URL. Figure 3-1 shows the login page as shown in the browser
window.
Figure 3-1 Administrator login<br />
3.1.6 Updating the license<br />
Tivoli Netcool Performance Flow Analyzer requires a valid license file for complete operation. By<br />
default, the Tivoli Netcool Performance Flow Analyzer package contains a license file that is enabled<br />
during the installation. If that is the case, this section can be skipped. The availability of the license file<br />
can be checked from the server console with the tnpfa command:<br />
# tnpfa status<br />
For license configuration, log into the system with your administrator credentials and click<br />
Administrative Site > Configuration > License > Update. Figure 3-3 shows the license update<br />
window. Paste the license file content (including the signature section) into the text field and apply.<br />
When Tivoli Netcool Performance Flow Analyzer is upgraded or reinstalled, the license file might<br />
exist already in the /etc/tnpfa directory. The license file might have to be decompressed - for<br />
example, if it is distributed with the .gz file extension.<br />
The license determines the duration and set of enabled features. The license can be viewed as a text<br />
file, or in the user interface by using the administrator site at Configuration > License Information<br />
(see Figure 3-1).<br />
Figure 3-2 License information<br />
Figure 3-3 License update<br />
3.1.7 Creating a user account<br />
The final step for basic installation is to create a normal user account. To create user accounts, log into<br />
the system, and then click Configuration > User Management > New user. For more information<br />
about how to create user accounts, see section 4.4.<br />
3.2 Uninstalling<br />
You must stop the Tivoli Netcool Performance Flow Analyzer system before uninstalling. If none or<br />
only some of the data collected and generated by the system must be retained, the system can be reset<br />
before uninstalling (see section 3.1.4). The command for uninstalling Tivoli Netcool Performance Flow<br />
Analyzer is as follows:<br />
# tnpfa deinstall<br />
Do you want to deinstall the package? [yes]<br />
The data and configuration are not automatically deleted by the deinstall command, and can be reused<br />
by a new installation.<br />
The Tivoli Netcool Performance Flow Analyzer deinstall command requires the main configuration<br />
file. However, the standard package deinstallation procedure (rpm -e tnpfa for RHEL and SLES)<br />
can be used if the Tivoli Netcool Performance Flow Analyzer deinstallation procedure is stopped<br />
because the tnpfa.conf file is moved or deleted from the /etc/tnpfa directory.<br />
3.3 Memory management<br />
Tivoli Netcool Performance Flow Analyzer is designed for high performance. Therefore, efficient<br />
management of memory utilization is strongly advised. It is a good practice to keep track of aspects, and<br />
to recognize when user-defined aspects are no longer required. Remove redundant aspects to make<br />
memory available for subsequent definitions. As a result, you improve memory usage and increase<br />
system performance.<br />
Within Tivoli Netcool Performance Flow Analyzer, there are one or more sites. Within each site, there are<br />
one or more domains. The data stored in a domain is subdivided by aspect, unit, and period. See Figure<br />
3-4.<br />
[Figure 3-4 diagram: sites (US, UK, Austria, Poland) contain domains (Others, Permitted, Banned); the data of a domain is subdivided by aspect (Domain, Host Application, Protocol), unit (Octets, Packets, Flows) and period (Hour, Day, Week, Month, Year).]<br />
Figure 3-4 Tivoli Netcool Performance Flow Analyzer data storage overview<br />
Tivoli Netcool Performance Flow Analyzer collects values from emitters based on the configured list of<br />
collected aspects and the associated time periods and unit types. For example, if Tivoli Netcool<br />
Performance Flow Analyzer is configured to collect octets for a day for the Host Application aspect,<br />
then the flow analyzer creates an in-memory database to hold the received data.<br />
The Host Application aspect is made up of two components: IP Address and Application Name. IP<br />
Address comes from the destination address of the flow. Application Name is based on a mapping from<br />
the destination port of the flow to the corresponding application name.<br />
This new database stores the amount of octets received in each of 300 'buckets' of 300 seconds, for each<br />
combination of IP Address <strong>and</strong> Application Name that it receives from the emitter. The data for each<br />
combination is held in its own Time-Value Array (TVA), that records an amount of traffic reported (an<br />
integer) for an array of time slices (buckets). A TVA can be visualised as being one of a number of<br />
graphs of traffic, that records the data relevant for its own combination of key details.<br />
For example: data is received for two combinations of IP Address and Application Name:<br />
127.0.0.1 and port 80 (HTTP)<br />
127.0.0.2 and port 80 (HTTP)<br />
Therefore, all the periods for this site/domain/aspect/period contain two TVAs (see Figure 3-5).<br />
[Figure 3-5 diagram: the Hour, Day and Week periods each hold two TVAs, one for 127.0.0.1, HTTP and one for 127.0.0.2, HTTP.]<br />
Figure 3-5 TVAs within period<br />
The same data is added to the corresponding TVAs in each time period but each period stores the data<br />
differently, based on the resolution of that period. A TVA can be visualised as being one of a number<br />
of graphs of traffic that records the data relevant for its own combination of key details.<br />
Figure 3-6 Web representation of data in Figure 3.5<br />
The memory footprint for each TVA is dependent on how many buckets it has to hold.<br />
Period | Coverage | Number of Buckets | Resolution (seconds) | Resolution | TVA Memory Requirement<br />
Hour | 1 hour | 360 | 10 | 10 seconds | 12296 Bytes<br />
Day | 25 hours | 300 | 300 | 5 minutes | 10376 Bytes<br />
Week | 7 days 1 hour | 338 | 1800 | 30 minutes | 11592 Bytes<br />
Month | 31 days 2 hours | 373 | 7200 | 2 hours | 12712 Bytes<br />
Quarter | 93 days 4 hours 26 minutes 40 seconds | 272 | 29600 | 8 hours 13 minutes 20 seconds | 9480 Bytes<br />
Year | 366 days | 366 | 86400 | 24 hours | 12488 Bytes<br />
Month (HiRes) | 31 days 1 hour | 8940 | 300 | 5 minutes | 286856 Bytes<br />
Figure 3-7 Memory requirements<br />
The number of TVAs that must be stored depends on the traffic that is received. If all the flows are for<br />
one IP Address, Application Name pair then there is one TVA. If only a single octet is sent to another<br />
port on that same IP address then a second TVA is created for that IP Address, Application Name pair<br />
to hold that information. The memory footprint is the same for any aspect that records octets, flows, or<br />
packets.<br />
As traffic information is analyzed by Tivoli Netcool Performance Flow Analyzer, the number of TVAs<br />
increases as the flow analyzer recognises that existing TVAs do not cover the data presented. If the<br />
traffic is quite widely spread across IP addresses and ports, the memory required to store all the octets<br />
broken down by IP Address, Application Name increases by TVA, until the available RAM is used up<br />
by Tivoli Netcool Performance Flow Analyzer. To avoid RAM being consumed without restrictions,<br />
there are two attributes of each aspect: Upper Limit and Maximal Number. By default, these values are<br />
4000 and 2000 respectively.<br />
If the number of TVAs grows to reach the value of Upper Limit, TVAs are deleted to bring the number<br />
of TVAs down to the Maximal Number. The TVAs that are removed are deleted, <strong>and</strong> their data is lost.<br />
The total amounts are still maintained. No guarantee is made regarding which TVAs are removed, but<br />
an effort is made to keep the same distribution of TVAs based on amount of traffic.<br />
For the data for one hour of octets, 4000 separate IP Address <strong>and</strong> Application Name combinations, the<br />
amount of RAM required is 4000 * 12,296 Bytes = 49,184,000 Bytes or 46.9 MB.<br />
If we were to record an hour, day, week, month, quarter, and year of octets, packets, and flows for<br />
Host Application that hit 4000 TVAs, then the calculation would be:<br />
(12,296 + 10,376 + 11,592 + 12,712 + 9,480 + 12,488) * 3 units * 4,000 TVAs = 68,944 * 3 * 4,000 =<br />
827,328,000 Bytes or 789 MB.<br />
The same default values for Upper Limit <strong>and</strong> Maximal Number operate for each aspect type even though<br />
certain aspects could not reach 4000 TVAs. For example, there are likely to be only a certain number of<br />
flow emitters in a network.<br />
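The growth-and-prune behaviour described in this section can be modelled to size RAM and to see what per-key detail is lost when traffic is spread across many address and port pairs. The following is an added example, not code from the product: the class and function names are hypothetical, the traffic is constructed, and the pruning policy (keep the highest-volume TVAs) is an assumption, because the guide does not guarantee which TVAs are removed.

```python
"""TVA growth and pruning for one aspect, unit and period (added illustration)."""

# TVA memory requirement in bytes per period, copied from Figure 3-7.
TVA_BYTES = {"hour": 12296, "day": 10376, "week": 11592,
             "month": 12712, "quarter": 9480, "year": 12488}
# (number of buckets, resolution in seconds) per period, copied from Figure 3-7.
BUCKETS = {"hour": (360, 10), "day": (300, 300), "week": (338, 1800),
           "month": (373, 7200), "quarter": (272, 29600), "year": (366, 86400)}


def worst_case_bytes(periods, n_units, upper_limit=4000):
    """RAM for one aspect if every enabled period/unit reaches Upper Limit."""
    return sum(TVA_BYTES[p] for p in periods) * n_units * upper_limit


class AspectStore:
    """Hypothetical in-memory store for one aspect, one unit and one period."""

    def __init__(self, period="day", upper_limit=4000, maximal_number=2000):
        self.n_buckets, self.resolution = BUCKETS[period]
        self.tva_bytes = TVA_BYTES[period]
        self.upper_limit = upper_limit
        self.maximal_number = maximal_number
        self.tvas = {}    # (IP Address, Application Name) -> list of buckets
        self.total = 0    # aspect-wide total, maintained across pruning
        self.pruned = 0   # number of TVAs deleted so far
        self.peak = 0     # largest number of TVAs held at once

    def add(self, key, timestamp, amount):
        """Record `amount` (octets, packets or flows) for `key` at `timestamp`."""
        self.total += amount
        tva = self.tvas.get(key)
        if tva is None:
            # Data not covered by an existing TVA creates a new one.
            tva = self.tvas[key] = [0] * self.n_buckets
            self.peak = max(self.peak, len(self.tvas))
        tva[(timestamp // self.resolution) % self.n_buckets] += amount
        if len(self.tvas) >= self.upper_limit:
            self._prune()

    def _prune(self):
        # ASSUMPTION: keep the highest-volume keys. The guide only says an
        # effort is made to keep the distribution by amount of traffic.
        ranked = sorted(self.tvas, key=lambda k: sum(self.tvas[k]), reverse=True)
        for key in ranked[self.maximal_number:]:
            del self.tvas[key]
            self.pruned += 1

    def detailed_amount(self):
        """Amount still attributable to an individual key."""
        return sum(sum(tva) for tva in self.tvas.values())

    def memory_bytes(self):
        return len(self.tvas) * self.tva_bytes


def simulate(n_scattered, period="day"):
    """Constructed traffic: two steady services plus one octet per new key."""
    store = AspectStore(period)
    for t in range(n_scattered):
        store.add(("127.0.0.1", "HTTP"), t, 1500)
        store.add(("127.0.0.2", "HTTP"), t, 1000)
        # Each previously unseen (address, port) pair forces a new TVA.
        store.add((f"192.0.2.{t % 250}", f"port-{1024 + t}"), t, 1)
    return store


if __name__ == "__main__":
    s = simulate(5000)
    print("peak TVAs:", s.peak, "pruned:", s.pruned, "held:", len(s.tvas))
    print("total:", s.total, "still detailed:", s.detailed_amount())
    print("RAM now:", s.memory_bytes(), "bytes")
```

In this model the aspect total stays exact while the per-key breakdown of the pruned TVAs is gone, which is why a sudden drop in the number of keys shown for an aspect is worth correlating with scan-like traffic.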
Chapter 4. Configuration<br />
This chapter describes the configuration options of Tivoli Netcool Performance Flow Analyzer.<br />
4.1 Site management<br />
Sites are used to separate traffic information between administrative domains. Each site can be<br />
regarded as a logical Tivoli Netcool Performance Flow Analyzer installation with a separate database<br />
and individual settings, including user accounts. A single Tivoli Netcool Performance Flow Analyzer<br />
installation can be used for many administrative domains with potentially overlapping (private)<br />
address spaces and individual configurations.<br />
Tivoli Netcool Performance Flow Analyzer is preconfigured with a default site. New sites can be<br />
added and existing sites can be removed with the following server console commands:<br />
# tnpfa addsite test<br />
# tnpfa delsite test<br />
Note: The site configuration as well as collected and generated data (report data and log file data) is<br />
deleted with the site. An additional site increases the amount of memory being used.<br />
Flow information packets (for example, Netflow, IPFIX) are collected and analyzed for a particular site<br />
if the corresponding exporters are registered with the site (see Configuration > Site configuration ><br />
General in Figure 4-1). The general settings of each site contain site name, language, skin, registered<br />
exporters (for example, routers), and a description. The site name can be used to refer to a particular<br />
administrative domain. The Any exporter option registers all exporters with the site that are not registered with<br />
any other site. The Every exporter option registers all exporters with the site that export to the Tivoli Netcool<br />
Performance Flow Analyzer installation. If only data exported from specific exporters should be<br />
processed by the site, select Specific exporters.<br />
Site configuration changes that are applied are valid for the running system. However, the<br />
configuration files that are used when you restart the system are not automatically updated. It is<br />
therefore important to save the current configuration file at Configuration > Site configuration ><br />
Running config > Commit to disk of the server after all site configuration changes are done (see<br />
Figure 4-2).<br />
Flow information as received from exporters can be stored in binary format on disk if the option Store<br />
flows is enabled in Configuration > Site configuration > Advanced. Over longer time periods, flow<br />
files can use a considerable amount of storage. A task for either removal or compression of flow files<br />
can be configured (see Figure 4-3).<br />
Received flow information packets are stored by Tivoli Netcool Performance Flow Analyzer in a flow<br />
buffer before analysis. The size of the flow buffer can be altered with the Flow buffer size option. If<br />
the data arrives in large chunks, widely separated, you need a larger flow buffer to deal with the data,<br />
compared to the same amount of data being sent in a more even manner. A flow buffer size of 200 MB<br />
is sufficient for a maximum burst size of 4 million flow records in 5 minutes.<br />
Note: Increasing the buffer size leads to higher memory usage.<br />
To configure the site to collect only flow files and disable any further processing of<br />
flow information, click Configuration > Site configuration > Advanced. Furthermore, the mapping<br />
of IP addresses to host names as well as account expiration can be enabled.<br />
Figure 4-1 Site configuration > General settings<br />
Figure 4-2 Site configuration > Running config<br />
4.2 Aspects<br />
The configuration of aspects and domains including the collection are the key site configuration tasks.<br />
These tasks are described in the following sections.<br />
Flow-based traffic information is presented in Tivoli Netcool Performance Flow Analyzer with respect<br />
to various traffic aspects. Aspects are defined from components such as domain, traffic type, protocol,<br />
service type, port, application, host, interface, autonomous system, and so on. Aspects provide the means to<br />
look at collected traffic information from different viewpoints. Aspects can also be composed of<br />
multiple aspect components.<br />
Figure 4-3 Site configuration > Advanced<br />
Figure 4-4 shows how aspects are defined in the user interface. The default collection type for<br />
collecting usage variation information is Time Array. This type of aspect represents traffic in sent and<br />
received directions separately. Sent traffic is above the x-axis. Received traffic is below the x-axis. A<br />
Unidirectional Time Array does not differentiate between sent and received traffic – both are added<br />
above the x-axis. A Counter aspect records separate totals for sent and received data for the current<br />
and last time period. The only graphical representation for the data in counter aspects is pie charts.<br />
Figure 4-4 Site Configuration > Aspects<br />
A defined aspect has to be enabled for collection before the database maintains information for the<br />
aspect. To enable each aspect for collection with respect to time periods and units, click Configuration<br />
> Site configuration > Collection. The possible time periods are hour, day, week, month, quarter,<br />
and year. The possible units are octets, packets, and flows (see Figure 4-5). In addition, the system<br />
provides a means to filter and rewrite the incoming flow information records during the collection<br />
process (see Figure 4-6).<br />
Note: When you configure aspect collection with more periods and units enabled, the memory<br />
consumption increases.<br />
Figure 4-5 Site configuration > Collection<br />
Figure 4-6 Site configuration > Global filters<br />
4.2.1 Tivoli Netcool Performance Flow Analyzer filter expressions<br />
Version: 4.1.0.0<br />
= not |<br />
(and|or) |<br />
(ipversion|ip_version) (ipv4|ipv6) |<br />
(ip|ipv4|ipv6) [] [/] |<br />
prefixlength [] |<br />
type [] |<br />
proto [] |<br />
(icmp|icmptype|icmpcode) |<br />
port [] |<br />
(iface|interface) [] |<br />
(app|application) [] (|) |<br />
tos [] |<br />
flowlabel [] |<br />
domain [] (|current) |<br />
asn [] [AS] |<br />
(packets|octets|octperpkt|bps|pps) [] |<br />
(sourceid|flowversion|flowtemplateid) [] |<br />
(tcpflag|tcpflags) [|&] (|) |<br />
true | false |<br />
set [|] [|]<br />
= src | dst | both | either<br />
= | router | router_src | router_dst | nexthop<br />
= eq | == | ne | != | ge | >= | gt | > | more | le |
4.3 Domains<br />
A domain is used in Tivoli Netcool Performance Flow Analyzer as an important grouping concept.<br />
The grouping can be defined with a list of subnets, a list of autonomous systems or a filter expression.<br />
Figure 4-7 and Figure 4-8 show the user interface for configuring domains. Description, flag,<br />
committed rate, and collected aspects are optional for domain definition. A domain can be defined as<br />
being local or remote to discriminate between traffic within a local administrative domain and traffic<br />
entering as well as leaving a local administrative domain.<br />
Figure 4-7 Site configuration > Domains<br />
Figure 4-8 Site configuration > New domain<br />
Figure 4-9 Site configuration > New domain > Collection<br />
Figure 4-9 shows how a domain is configured with individual collection for domain views. Here, in<br />
addition to the global aspects, the database maintains information about the domain-specific aspects.<br />
Section 5.3 describes how to switch between the global view and the domain view when analyzing<br />
traffic.<br />
Note: Domain views can be responsible for a significant increase in memory usage because an instance<br />
of the aggregation database is maintained per domain that is configured with individual collection.<br />
For a more detailed discussion and guidance on memory consumption, see section 3.3.<br />
4.4 User management<br />
To create a new user, click Configuration > User Management > New user. Figure 4-10 shows the<br />
fields to be entered for account creation. The user name must not contain special characters. Users<br />
can be given normal user permissions with specific access to selected sites or root permissions.<br />
To view the user profile, click Configuration > User Profile > User Profile Information (see Figure<br />
4-12). Users with root or site administrator rights can also create and edit other user accounts.<br />
Figure 4-13 and Figure 4-10 show the configuration in the user interface.<br />
Figure 4-10 Site configuration > Create a new user<br />
When the Firefox password manager is enabled, users with basic privileges will be asked to "confirm<br />
which user you are changing the password for". The cancel and close options on the<br />
Confirm Password Change dialogue box do not affect Tivoli Netcool Performance Flow Analyzer<br />
password management. The Tivoli Netcool Performance Flow Analyzer system password is updated<br />
regardless of any action taken.<br />
Figure 4-11 Site configuration > User profile<br />
Figure 4-12 Site configuration > User profile information<br />
Figure 4-13 Site configuration > User management<br />
4.5 Other configuration files<br />
Tivoli Netcool Performance Flow Analyzer uses the tnpfa.conf configuration file, which contains<br />
settings valid for all sites. Site-specific settings are stored in individual site configuration<br />
files. The settings shared by all sites are maintained in the main configuration file stored at<br />
/etc/tnpfa/tnpfa/tnpfa.conf<br />
In general, the system must be restarted after you modify the configuration file. Configuration options<br />
of the main configuration file cannot be modified with the user interface. The configuration options<br />
are described here.<br />
Note: Default values are underlined. The values in bold font are recommended.<br />
identity ". . ."<br />
The name of the installation.<br />
flow url (|any)://(any||):<br />
With this option the protocols and ports for listening for flow information packets (for example,<br />
NetFlow, IPFIX) are specified. Possible protocols are tcp, udp or sctp. The recommended standard<br />
port for NetFlow is 2055 and 4739 for IPFIX. For security and robustness of the installation, it is<br />
important to restrict the collection to the known exporters. The user interface makes the restriction<br />
easy to configure. Otherwise, the reporting could be influenced in the case of bad configuration,<br />
malicious intent, or vulnerability scans. Here is an example for a typical flow URL accepting flow<br />
information from any exporter on UDP port 2055:<br />
flow_url udp://any:2055<br />
flowrelay ://(|):<br />
To specify IPv6- or IPv4-only for a flow relay entry, append the IP version to the protocol, for example,<br />
tcp4.<br />
This option configures Tivoli Netcool Performance Flow Analyzer to forward all received flow records<br />
to another machine. To minimize ICMP error messages when the receiving host does not collect on the<br />
specified port, flow forwarding is disabled for 30 minutes if no socket peer can be determined. Here is<br />
an example for relaying flow information records to port 2055 on host 10.10.10.10:<br />
flowrelay udp://10.10.10.10:2055<br />
Tivoli Netcool Performance Flow Analyzer uses further configuration files in which the default<br />
name and description of protocols, services, applications, service types, ICMP codes, autonomous<br />
system numbers and SNMP interface indexes can be modified. For instance, if the http protocol is<br />
known to be used over the non-standard port 8080 in addition to port 80, it can be entered in the<br />
services configuration file. Changes in these configuration files affect newly generated reports after the<br />
modification. The filenames with examples of contents are listed below.<br />
/etc/tnpfa/protocols<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TNPFA registered protocols<br />
#<br />
# Number Name Description<br />
# ----------------------------------------------------------------------<br />
0 HOPOPT "IPv6 Hop-by-Hop Option [RFC1883]"<br />
1 ICMP "Internet Control Message Protocol [RFC792]"<br />
2 IGMP "Internet Group Management Protocol [RFC1112]"<br />
3 GGP "Gateway-to-Gateway Protocol [RFC823]"<br />
/etc/tnpfa/services<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TNPFA registered services<br />
#<br />
# Name Port Protocol Appl Description<br />
#-----------------------------------------------------------------------<br />
#port0 0 TCP,UDP OTHER "TCP/UDP port 0 forbidden)"<br />
tcpmux 1 TCP OTHER "TCP port service multiplexer"<br />
compressnet 2 UDP NETMNG "Management utility"<br />
compressnet 3 UDP NETMNG "Compression process"<br />
/etc/tnpfa/applications<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TNPFA registered applications<br />
#<br />
# Name Number Description<br />
# ----------------------------------------------------------------------<br />
OTHER 0 "Other"<br />
TIVOLI 1 "IBM TIVOLI applications (eg TCM, ADSM)"<br />
CITRIX 2 "Citrix MetaFrame and MetaFrameXP software"<br />
CORBA 3 "Common Object Request Broker Architecture"<br />
CVS 4 "Concurrent Versions System"<br />
DATABASE 5 "Database applications (eg LDAP/SQL)"<br />
/etc/tnpfa/tos<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TOS mapping to description<br />
#<br />
# TOS Description<br />
#-----------------------------------------------------------------------<br />
0 "Best Effort - BE (0x00)"<br />
8 "Other (0x08)"<br />
16 "Other (0x10)"<br />
32 "CS1 (0x20)"<br />
/etc/tnpfa/icmp<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TNPFA registered icmp types + codes<br />
#<br />
# http://www.iana.org/assignments/icmp-parameters (synced to: 2008-02-13)<br />
#<br />
# High 16 bits = Type<br />
# Low 16 bits = Code<br />
#<br />
# Message description will be made up from the Type + Code.<br />
# Code is ignored when there is no more specific available.<br />
#<br />
# Code Description<br />
#-----------------------------------------------------------------------<br />
# 12 "Example Type"<br />
# 12ab "Example Code"<br />
00 "Echo Reply"<br />
03 "Destination Unreachable"<br />
0300 "Net Unreachable"<br />
0301 "Host Unreachable"<br />
0302 "Protocol Unreachable"<br />
/etc/tnpfa/asn<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# TNPFA registered services<br />
#<br />
1 "LVLT-1" "LVLT-1"<br />
2 "DCN-AS" "DCN-AS"<br />
3 "MIT-GATEWAYS" "MIT-GATEWAYS"<br />
4 "ISI-AS" "ISI-AS"<br />
/etc/tnpfa/interfaces<br />
# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved<br />
#<br />
# Interface mapping to description<br />
#<br />
# Interface Description<br />
#-------------------------------------------------------------------------<br />
# 200@2001:db8:20d:0:290:27ff:fe24:c19f "IPv6 uplink"<br />
# 1@192.0.2.42 "Internet uplink to provider A"<br />
# 2@192.0.2.42 "Internet uplink to provider B"<br />
# 3@192.0.2.42 "Sales"<br />
# 4@192.0.2.42 "Labor"<br />
# 1@192.0.2.11 "Accounting"<br />
# 6@192.0.2.13 "Servers"<br />
# 1@192.0.2.12 "Research"<br />
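The services file decides which application name a destination port is reported under, so a malformed or conflicting row silently changes how traffic is classified. The following added example (not the product's parser) reads rows in the Name, Port, Protocol, Appl, Description layout shown above and reports rows that cannot be used; the http rows, the WEB application name, the function names and the fallback to OTHER for unmapped ports are assumptions made for illustration.

```python
"""Check a services-style mapping and classify flows by destination port (added example)."""
import shlex

# Constructed sample in the column layout of /etc/tnpfa/services.
# The tcpmux and compressnet rows are taken from the guide; the http rows
# and the WEB application name are constructed for illustration.
SAMPLE_SERVICES = """\
# Name Port Protocol Appl Description
tcpmux 1 TCP OTHER "TCP port service multiplexer"
compressnet 2 UDP NETMNG "Management utility"
compressnet 3 UDP NETMNG "Compression process"
http 80 TCP WEB "World Wide Web HTTP"
http 8080 TCP WEB "HTTP on a non-standard port"
"""

# ASSUMPTION: ports without a row are reported under the OTHER application.
DEFAULT_APPLICATION = "OTHER"


def parse_services(text):
    """Return ({(port, protocol): (name, appl, description)}, problems)."""
    table, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            # shlex handles the quoted description and '#' comments.
            fields = shlex.split(raw, comments=True)
        except ValueError as exc:
            # For example a description whose closing quote is on the next line.
            problems.append((lineno, f"unparseable: {exc}"))
            continue
        if not fields:
            continue  # blank line or comment
        if (len(fields) != 5 or not fields[1].isdecimal()
                or int(fields[1]) > 65535):
            problems.append((lineno, 'expected: name port protocol appl "description"'))
            continue
        name, port, protos, appl, desc = fields
        for proto in protos.upper().split(","):
            key = (int(port), proto)
            if key in table and table[key][:2] != (name, appl):
                # Two rows claim the same port/protocol with different meaning.
                problems.append((lineno, f"{port}/{proto} already mapped to {table[key][0]}"))
                continue
            table[key] = (name, appl, desc)
    return table, problems


def classify(table, port, proto):
    """Application name for a flow's destination port and protocol."""
    entry = table.get((port, proto.upper()))
    return entry[1] if entry else DEFAULT_APPLICATION


if __name__ == "__main__":
    services, issues = parse_services(SAMPLE_SERVICES)
    for port in (80, 8080, 8081):
        print(port, classify(services, port, "tcp"))
    print("problems:", issues)
```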
4.6 Reporting<br />
The user interface provides access to standard reports, which are pre-generated PDF traffic reports for<br />
the fixed time periods such as hourly, daily, weekly, monthly, quarterly and yearly. Figure 4-14 shows<br />
the user interface for configuring reports for a defined period.<br />
Figure 4-14 Site configuration > Reporting<br />
Chapter 5. Traffic analyzer<br />
5.1 Overview<br />
After authentication to the user interface with user name and password as described in section 3.1.5, an<br />
overview is shown for the site. The overview provides total usage graphs for the configured periods<br />
(see section 4.2), such as last hour, day, week, month, quarter and year (see Figure 5-4). The periods<br />
can be changed using the tabs above the graph (see Figure 5-1).<br />
Figure 5-1 Analyzer > period selection<br />
Graphs display traffic variation over time in rates of octet, packet, packet-per-octet or flow. The unit<br />
can be chosen and is displayed at the y-axis (see Figure 5-2). Positive values show sent traffic and<br />
negative values refer to received traffic (see Figure 5-3).<br />
Figure 5-2 Analyzer > unit selection<br />
Figure 5-3 Analyzer > interactive time series graph<br />
Figure 5-4 Analyzer > hourly overview<br />
Figure 5-5 Analyzer > weekly overview<br />
Copyright <strong>IBM</strong> Corp. 2004, 2010 47
5.2 Aspect views<br />
Traffic views are snapshots of the current traffic situation. The current traffic situation can<br />
be viewed for configured traffic aspects, periods and various display options (for example, normal and<br />
trend graph, pie chart, stacked or lines as well as linear or logarithmic, or Log format). The periods are<br />
the last hour (that is, last 60 minutes), last day (that is, last 24 hours), last month (last 31 days) and so<br />
on <sup>1</sup>.<br />
Traffic volumes are given with most display options. According to IEC Standard, volumes are<br />
provided in B (bytes), KiB (kilo binary bytes), MiB (mega binary bytes), GiB (giga binary bytes), and<br />
TiB (tera binary bytes).<br />
The table below shows the differences between the units used by the IEC standard and the Metric<br />
system in traffic volume calculations.<br />
Table 5-1 IEC Standard v Metric System<br />
IEC Standard | Metric System<br />
1 KiB = 1024 B = 2<sup>10</sup> B | 1 KB = 1000 bytes<br />
1 MiB = 1024 KiB = 2<sup>20</sup> B | 1 MB = 1000 KBs<br />
1 GiB = 1024 MiB = 2<sup>30</sup> B | 1 GB = 1000 MBs<br />
1 TiB = 1024 GiB = 2<sup>40</sup> B | 1 TB = 1000 GBs<br />
Traffic rates are provided in b/s (bit per second), Kb/s (kilo bit per second), Mb/s (mega bit per<br />
second) and Gb/s (giga bit per second):<br />
1 Kb/s = 1000 b/s = 10<sup>3</sup> b/s<br />
1 Mb/s = 1000 Kb/s = 10<sup>6</sup> b/s<br />
1 Gb/s = 1000 Mb/s = 10<sup>9</sup> b/s<br />
The user can navigate in the user interface between Overview and configured traffic aspect views with<br />
the menu on the left side. The menu appears with the Analyzer view. Daily views of the aspects application,<br />
type, and protocol are shown in Figure 5-6, Figure 5-7, and Figure 5-8.<br />
The port view in Figure 5-9 is given in packet rates and selected top ports. That is, the remaining<br />
difference between the stacked top ports and the total traffic usage (displayed in gray) is not shown.<br />
Figure 5-10 shows the port view in lines mode for better visualization of the usage of individual ports.<br />
The same applies to Figure 5-13 and Figure 5-14.<br />
Figure 5-11 and Figure 5-12 show weekly type-of-service views with all items as well as with selected<br />
items after the y-axis was adjusted. The y-axis can be adjusted when you click Fit y-axis to scale the<br />
view to the available data.<br />
<sup>1</sup> Note: This is different to the time periods used with standard reporting (see Chapter 6) which are aligned to full hours, calendar days, weeks, and so on.
Figure 5-13 and Figure 5-14 show, respectively, the entire ICMP traffic breakdown in stacked mode<br />
and selected ICMP items in lines mode after adjusting the y-axis.<br />
A multi-component aspect is shown in Figure 5-15. The aspect named Domain & Application is<br />
composed of two aspect components: domain and application.<br />
A second example for a multi-component aspect is given in Figure 5-16. The aspect named Flow is<br />
composed of aspect components source IP, destination IP, and protocol and service port. The graph is<br />
mostly gray because individual flows contribute only little to the overall traffic volume.<br />
There are three options to focus on the individual flows in the graph. The first option is to drill down<br />
into the graph by left-clicking or selecting a region with the mouse as shown in Figure 5-17. The second<br />
option is to switch to log mode as shown in Figure 5-18. Small values are blown up and are therefore<br />
clearly visible in the graph. The third option is to hide the gray part that shows the difference of the<br />
selected items to the total traffic. Figure 5-19 shows the result after adjustment of the y-axis.<br />
Multi-component aspects can also be defined with aspect components that are derived from the<br />
volume-based data in flow information records. An example of such an aspect is Octets per Packets<br />
shown with and without total in Figure 5-20 and Figure 5-21. In the latter figure the display mode is<br />
furthermore changed from stacked to lines.<br />
Finally, Figure 5-22 shows a multi-component aspect defined by aspect components exporter and<br />
application.<br />
Figure 5-6 Analyzer > Application view<br />
Figure 5-7 Analyzer > Type (traffic type) view<br />
Figure 5-8 Analyzer > Protocol view<br />
Figure 5-9 Analyzer > Port view (no Other)<br />
Figure 5-10 Analyzer > Port view (lines mode)<br />
Figure 5-11 Analyzer > TOS (type-of-service) view<br />
Figure 5-12 Analyzer > TOS view (selected items)<br />
Figure 5-13 Analyzer > ICMP<br />
Figure 5-14 Analyzer > ICMP (selected items, lines mode)<br />
Figure 5-15 Analyzer > multi-component aspect<br />
Figure 5-16 Analyzer > Flow view<br />
Figure 5-17 Analyzer > Flow view (drill-down)<br />
Figure 5-18 Analyzer > Flow view (log mode)<br />
Figure 5-19 Analyzer > Flow view (without total)<br />
Figure 5-20 Analyzer > Octets per packet<br />
Figure 5-21 Analyzer > Octets per packets (without total, lines mode)<br />
Figure 5-22 Analyzer > Exporter & Application view<br />
5.3 Domain views<br />
Tivoli Netcool Performance Flow Analyzer can be configured for domain-specific views that contain<br />
only traffic information about a particular domain or a particular combination of traffic aspects.<br />
Domain views can be limited to traffic of a particular geographic location.<br />
The calendar that is displayed with Reports shows a selection menu which enables the user to switch<br />
between domain report <strong>and</strong> the full reporting view (see Figure 5-23 Domain selection). Typically, the<br />
domain reports show only a subset of all traffic aspects.<br />
Figure 5-23 Domain selection<br />
Note: If collection is not configured for a user-created domain, you cannot choose that domain from<br />
the list.<br />
Chapter 6. Standard reports<br />
The user interface provides access to standard reports, which are pre-generated PDF traffic reports for<br />
fixed time periods, such as for every full hour as well as for every calendar day, month, and so on.<br />
Standard reports can be accessed through a calendar interface (Figure 6-1).<br />
Figure 6-1 Standard reports<br />
Chapter 7. Zoom reports<br />
This chapter describes how to generate zoom reports. Zoom reports allow the user to focus on specific<br />
traffic aspects within a selected time period in the past.<br />
Zoom reports are generated from stored flow files. These files must not be deleted but they may be<br />
compressed. For more information, see section 4.2.<br />
A Zoom report is a perspective on historical flows that the system has stored in regular or compressed<br />
flow files. The Zoom report is configured like a site. Additionally, a Zoom report has a start and end<br />
time. The result is a snapshot that contains fixed data that is not updated. In other words, the<br />
snapshot is not dynamically updated when the system receives new flows. The report is accessible<br />
using an Analyzer-like interface and also as a PDF.<br />
Configuring a Zoom report is similar to configuring a site. This is intentional because the system that<br />
is running a Zoom report analyses the received flows in the same way as a site. The Zoom report<br />
facility allows a user to create the equivalent of a site to feed flows through. The result is a Zoom<br />
report, which matches a similarly-configured site.<br />
Zoom reports differ from a site definition only in terms of the time domain. A Zoom report is<br />
configured for a particular time period: the longer the period, the lower the resolution. Tivoli<br />
Netcool Performance Flow Analyzer picks the finest of the existing resolutions that accounts for about<br />
800 buckets. For example, selecting a report time range of two hours results in Tivoli Netcool<br />
Performance Flow Analyzer choosing the hour period resolution of 10 seconds. Two hours is 2 × 3600<br />
seconds or 720 × 10-second buckets. For more information, see section 3.3.<br />
7.1 Zoom report list page<br />
To access the Zoom reports control page, click the Zoom reports link at the top of the window. The<br />
system displays the list of previously configured reports and a link called New Zoom report that<br />
allows a user to create a fresh Zoom report configuration.<br />
The list of Zoom reports contains information and links for each of the pre-existing report definitions.<br />
There are columns for the name, status, data availability, edit-lock and processing progress. To the<br />
right are links named open, details, clone, delete and abort. These links are active or not depending<br />
on the report’s status.<br />
The status field contains either open, indicating that the report has been viewed by a user who is still<br />
logged on, or closed, where no logged-on user has viewed it. The data field indicates whether data is present<br />
in the Zoom report’s database, that is, whether the flow files have been analysed. Editable indicates whether or<br />
not a user can change the configuration of the Zoom report. This shows yes until the report has<br />
started running, and then it changes to no. The progress field shows the stage that the Zoom<br />
report has reached at that time.<br />
The open link allows a user to view the results of a Zoom report as a snapshot using the Analyzer<br />
page. This option is only present when a report has been run. The details link allows the user to view<br />
the details of a report configuration and fine-grained status information. The user may also edit the<br />
configuration if the report has not already been run. The clone link allows the user to copy an existing<br />
definition under a different name. The delete link provides a means by which the user can delete the<br />
report result and definition. The abort link allows the user to stop the processing of a report.<br />
When a report has just been created, its status is open, its data value is No, its editable value is Yes and<br />
its progress is idle. The links available are details, clone and delete.<br />
The system creates a new Zoom report by copying the existing site configuration with the<br />
exception of the collection information. A cloned report definition contains the original Zoom report’s<br />
collection specification. Users can then modify the site as they wish.<br />
7.2 Zoom Report configuration page<br />
To configure a report definition, click the details link in the Zoom report list page. The<br />
Zoom report configuration page for the report in question appears.<br />
The page has six tabs – General, Filters, Aspects, Collection, Domains and Status.<br />
The General tab contains fields for the name, description and start and end times for this report.<br />
The Filters and Aspects tabs contain interfaces that allow the user to configure the filters and aspects<br />
for the report just like the site configuration page. For more information, see sections 4.1 and 4.2.<br />
The Collection tab is like the collection tab for sites with one important difference. Because the<br />
time period for the report is limited to one time range and is specified on the General tab, the<br />
Collection tab contains a check box for the units being collected, not the units and time periods.<br />
The Domains tab works like the domain tab in the site configuration (section 4.3). However, in a Zoom<br />
report the collection per domain only appears for the Web-interface snapshots and not for their<br />
PDF counterparts.<br />
The Status tab contains three status items and a link to a PDF form of the report, if complete. The<br />
Data field shows whether or not flows have been analysed and put in the Zoom report’s database.<br />
The Configuration locked field indicates if the configuration of the report has been frozen to<br />
avoid it being edited after analysis has been requested. The Data Locked field indicates whether or<br />
not the data in the report has been fully analysed.<br />
At the bottom of the Status tab is a list of background jobs that are associated with a report as it<br />
runs.<br />
At the bottom of the window, there are three buttons:<br />
Cancel – to close the window<br />
Save – to save the configuration<br />
Run analysis – to run the Zoom report analysis<br />
7.3 Processing<br />
Initially the Progress field for a newly-created report is Idle. When you ask the system to run the<br />
report analysis, the Progress field changes to Queued, and the editable field changes to no. The abort<br />
link becomes active and offers the user a way to stop the analysis before it finishes. When the<br />
system starts the analysis, the Progress field changes to Analysing. Eventually, the analysis<br />
completes. The Progress field changes to Finished and the Data field changes to yes. The abort link is<br />
deactivated and the open link becomes active. You can view the snapshot by using the Analyzer page.<br />
7.4 Viewing the results<br />
Table 7-1 Display changes for report<br />
| Status | Data | Editable | Progress<br />
Start | Open | No | Yes | Idle<br />
| Open | No | No | Queued<br />
| Open | No | No | Analysing<br />
End | Open | Yes | No | Finished<br />
There are two ways to access the Zoom report snapshot using the user interface. You can click the<br />
open link for the report on the Zoom report list page. Alternatively, in the Analyzer page there are two<br />
fields where the snapshot and domain are selected at the top left of the window – the Snapshot link to<br />
select the snapshot and the Domain drop-down list box for selecting the domain. Click the Snapshot<br />
field to display a window that shows the existing snapshots from Zoom reports and the Live system.<br />
To access the PDF generated by the report, click the Zoom Report. Select the details link for the report.<br />
Click the Status tab, and then click the Download link to download the PDF file.<br />
Chapter 8. System status<br />
Understanding the status of an operational Tivoli Netcool Performance Flow Analyzer system is<br />
important to avoid resource and configuration problems. The user interface provides system status<br />
information at Status > System information (see Figure 8-1) and Status > Backend information (see<br />
Figure 8-2). System information includes version, timezone and so on, whereas the backend information<br />
is related to the status of the Tivoli Netcool Performance Flow Analyzer backend, such as the processing<br />
rate of the last analysis, flow URL (see section 4.5), flow buffer fill level and so on.<br />
An advanced way to investigate the system status is provided with the Tivoli Netcool Performance<br />
Flow Analyzer console. The console can be used to issue<br />
commands to the backend system. It can be used<br />
from a server console using tnpfa connect <sup>1</sup>. Type help for the list of possible commands <sup>2</sup>.<br />
#> tnpfa connect<br />
Trying 127.0.0.1...<br />
Connected to localhost.localdomain (127.0.0.1).<br />
Escape character is '^]'.<br />
200 Tivoli Netcool Performance Flow Analyzer 4.1.1<br />
session login default admin *******<br />
200 Greetings Administrator<br />
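The console session above logs in as the administrator over a TCP connection to 127.0.0.1, and the guide gives 9084 as the console port. The following added example (not part of the IBM guide and not IBM code) checks the Linux socket tables for a listener on that port bound to anything other than a loopback address. It assumes a Linux server with a little-endian CPU and that the console is meant to be reachable only from the server itself; the sample table rows are constructed.

```python
"""Check that the console port is bound to loopback addresses only.

Added example. Parses the text format of /proc/net/tcp and /proc/net/tcp6.
Assumptions: little-endian host; console reachable only locally.
"""
import ipaddress
import os

CONSOLE_PORT = 9084   # console port named in the guide's footnote
LISTEN = "0A"         # state code for LISTEN in /proc/net/tcp and tcp6

_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
_TAIL = " 00000000:00000000 00:00000000 00000000     0        0 20001 1\n"

# Constructed samples: 0x237C is 9084, 0100007F is 127.0.0.1.
SAMPLE_LOOPBACK = (
    _HEADER
    + "   0: 0100007F:237C 00000000:0000 0A" + _TAIL      # console, loopback
    + "   1: 00000000:0050 00000000:0000 0A" + _TAIL      # web server, all addresses
    + "   2: 0100007F:237C 0100007F:C350 01" + _TAIL      # established session
)
SAMPLE_EXPOSED = _HEADER + "   0: 00000000:237C 00000000:0000 0A" + _TAIL
SAMPLE_TCP6_LOOPBACK = (
    _HEADER
    + "   0: 00000000000000000000000001000000:237C "
    + "00000000000000000000000000000000:0000 0A" + _TAIL  # ::1
)


def decode_addr(hex_addr):
    """Convert the kernel's hex address into an ipaddress object."""
    raw = bytes.fromhex(hex_addr)
    # The kernel prints each 32-bit word in host byte order, so every
    # 4-byte group is reversed on a little-endian machine.
    words = [raw[i:i + 4][::-1] for i in range(0, len(raw), 4)]
    return ipaddress.ip_address(b"".join(words))


def listeners(proc_text, port):
    """Yield local addresses of sockets in LISTEN state on `port`."""
    for line in proc_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        hex_addr, _, hex_port = fields[1].rpartition(":")
        if int(hex_port, 16) == port:
            yield decode_addr(hex_addr)


def exposed_listeners(proc_text, port=CONSOLE_PORT):
    """Return listeners on `port` that are not bound to loopback."""
    return [str(addr) for addr in listeners(proc_text, port)
            if not addr.is_loopback]


if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as handle:
                found = exposed_listeners(handle.read())
            print(path, found if found else "no non-loopback listener on 9084")
```

An empty result for both tables means no socket is listening on the console port outside loopback; any address in the list is reachable from the network unless a firewall blocks it.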
A further means for understanding the system status is the Flow state aspect (see Figure 8-3 Status ><br />
Flow state). The amount of accepted, dropped and filtered flow information records is displayed with<br />
this aspect. A multi-component aspect using exporter, flow version (for example, NetFlow version)<br />
and flow state can be defined by the user for more detailed status display of the received flow<br />
information records.<br />
<sup>1</sup> The TCP port 9084 is registered at IANA for the Tivoli Netcool Performance Flow Analyzer console.<br />
<sup>2</sup> Sometimes the CTRL-Backspace key combination has to be used to delete preceding characters in the console.<br />
Figure 8-1 Status > System information<br />
Figure 8-2 Status > Backend information<br />
Figure 8-3 Status > Flow state<br />
Chapter 9. Import<br />
Flow files that have been collected previously can be imported into the Tivoli Netcool Performance<br />
Flow Analyzer database. The user can select the flow files to be imported from Configuration > Flow<br />
file import. The default Tivoli Netcool Performance Flow Analyzer flow file directory<br />
/opt/tnpfa/var/default/flow is used for the selection (see Figure 9-1).<br />
Figure 9-1 Flow file import<br />
The imported flow information is added to the current time periods (that is, current and previous<br />
hour, day, month, and year). Data that falls outside the period start and period end time boundaries is<br />
not added. The added data is included in reports that are generated after the import is finished. The<br />
reports that existed before the import are not updated.<br />
Chapter 10. Troubleshooting<br />
Problem: No graphs or reports.<br />
Solution: This can have various causes.<br />
No flow information packets (for example, NetFlow, IPFIX) have been received by the system.<br />
Check the flow url setting in the main configuration file (see section 4.5).<br />
Check with a packet sniffing tool whether NetFlow packets are received at the Tivoli Netcool<br />
Performance Flow Analyzer server.<br />
Make sure that the version of the flow information records is valid.<br />
Check that the flow files in the flow directories are not empty.<br />
Make sure a firewall does not hinder the NetFlow stream to the collector.<br />
Make sure the routers/switches/meters export to the correct port and IP address of the Tivoli<br />
Netcool Performance Flow Analyzer server.<br />
Check log messages from user interface or in /opt/tnpfa/var/log.<br />
Compare clock settings on the server and exporters (routers, switches or NetFlow meters).<br />
Make sure exporters and Tivoli Netcool Performance Flow Analyzer server are set for correct<br />
time and date.<br />
Consider using ntpdate.<br />
Make sure to restart Tivoli Netcool Performance Flow Analyzer when the system time was<br />
modified.<br />
Make sure the license is valid.<br />
Check whether the process named tnpfad is running; if not, restart the system.<br />
Problem: When you use Internet Explorer, no graphs are shown.<br />
Solution: Verify that Internet Explorer (Version 7 or 8) is used. Verify that the Adobe SVG 6 plug-in is<br />
installed (see section 3.1.5).<br />
Problem: The backend process of Tivoli Netcool Performance Flow Analyzer (that is, tnpfad) does not<br />
listen on IPv6 (localhost)<br />
Solution: Check that /etc/hosts contains the following lines:<br />
127.0.0.1 localhost<br />
::1 localhost<br />
Problem: SCTP is not visible in netstat -an<br />
Solution: Current netstat does not support listing SCTP. Check /proc/net/sctp/pdf for the<br />
listing.<br />
Problem: Log file reports about an unknown NetFlow/IPFIX template.<br />
Solution: This can happen during start of the system when NetFlow/IPFIX records are received<br />
before the template has been exported. This template describes the data layout of the records.<br />
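The start-up condition described above can be reproduced offline. The following added example (not IBM code and not the product's collector logic) parses NetFlow version 9 export packets as laid out in RFC 3954 and reports a data FlowSet whose template has not yet been seen for that exporter. The sample packets, the exporter addresses and the event names are constructed for illustration.

```python
"""NetFlow v9: why data that arrives before its template cannot be decoded.

Added example. Packet layout per RFC 3954; sample packets are constructed.
"""
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET = struct.Struct("!HH")     # flowset_id, length (length includes these 4 bytes)
TEMPLATE_FLOWSET_ID = 0            # 1 = options template (ignored here), >= 256 = data


class TemplateCache:
    """Tracks templates per (exporter, source_id), as the RFC scopes them."""

    def __init__(self):
        self.record_len = {}  # (exporter, source_id, template_id) -> bytes per record

    def process(self, exporter, packet):
        """Return (event, id, detail) tuples describing one export packet."""
        if len(packet) < HEADER.size:
            return [("truncated", 0, len(packet))]
        version, _, _, _, _, source_id = HEADER.unpack_from(packet)
        if version != 9:
            return [("unsupported_version", version, 0)]
        events, offset = [], HEADER.size
        while offset + FLOWSET.size <= len(packet):
            fs_id, fs_len = FLOWSET.unpack_from(packet, offset)
            if fs_len < FLOWSET.size or offset + fs_len > len(packet):
                events.append(("truncated", fs_id, fs_len))
                break
            body = packet[offset + FLOWSET.size:offset + fs_len]
            if fs_id == TEMPLATE_FLOWSET_ID:
                events += self._learn(exporter, source_id, body)
            elif fs_id >= 256:
                events.append(self._decode(exporter, source_id, fs_id, body))
            offset += fs_len
        return events

    def _learn(self, exporter, source_id, body):
        events, pos = [], 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * field_count
            if template_id < 256 or field_count == 0 or end > len(body):
                break  # padding or malformed template record
            # Each field spec is (type, length); only the lengths matter here.
            spec = struct.unpack_from("!" + "HH" * field_count, body, pos + 4)
            size = sum(spec[1::2])
            self.record_len[(exporter, source_id, template_id)] = size
            events.append(("template_learned", template_id, size))
            pos = end
        return events

    def _decode(self, exporter, source_id, template_id, body):
        size = self.record_len.get((exporter, source_id, template_id))
        if not size:
            # The state behind an "unknown template" log message.
            return ("unknown_template", template_id, 0)
        return ("decoded", template_id, len(body) // size)


def flowset(flowset_id, body):
    body += b"\x00" * (-len(body) % 4)             # pad to a 32-bit boundary
    return FLOWSET.pack(flowset_id, FLOWSET.size + len(body)) + body


def packet(source_id, record_count, *flowsets):
    return HEADER.pack(9, record_count, 0, 0, 0, source_id) + b"".join(flowsets)


# Constructed sample: template 256 = IPV4_SRC_ADDR(8), IPV4_DST_ADDR(12), IN_BYTES(1).
TEMPLATE_PKT = packet(1, 1, flowset(0, struct.pack("!HH6H", 256, 3, 8, 4, 12, 4, 1, 4)))
RECORD = bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]) + struct.pack("!I", 1500)
DATA_PKT = packet(1, 2, flowset(256, RECORD * 2))


def demo():
    """Replay: data first (collector start-up), then the template, then data."""
    cache = TemplateCache()
    return [cache.process("192.0.2.1", p) for p in (DATA_PKT, TEMPLATE_PKT, DATA_PKT)]


if __name__ == "__main__":
    for events in demo():
        print(events)
```

Because templates are scoped to the exporter and source ID, the same check also flags data from a second exporter that reuses a template ID it has not announced itself.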
Problem: You must authenticate every time you click on a menu item.<br />
Solution: Make sure that cookies are enabled in your browser.<br />
Problem: The user interface does not work.<br />
Solution: Make sure the Apache2 Web server was started, for example, with<br />
/etc/rc.d/init.d/httpd start or /etc/rc.d/init.d/apache2 start<br />
Or<br />
apachectl start.<br />
Make sure you use the http or https protocols. Check the log file of the Web server (for example,<br />
/var/log/httpd/error.log). Make sure the server is accessed with the correct IP or host name.<br />
Make sure the server does not run a firewall that blocks http or https traffic.<br />
Problem: When you change the user interface languages, some menus and titles are still in English.<br />
Solution: Some language files are not complete. The system falls back to English in these cases.<br />
Problem: The system stopped or reports are wrong.<br />
Solution: For security and robustness of the installation it is important to restrict the collection to the<br />
known exporters. Otherwise, the reporting could be influenced in the case of bad configuration,<br />
malicious intent, or vulnerability scans (see Sections 4.1, 4.2, 4.3 and 4.5).<br />
Problem: The system stopped and the log file shows that the system is out of memory.<br />
Solution: Reduce memory usage by collecting with fewer periods, fewer aspects<br />
or fewer units, by reducing the flow buffer size or by removing a site (see Section 4.5).<br />
Problem: Tivoli Netcool Performance Flow Analyzer shows only a fraction of the known volume of<br />
data.<br />
Or<br />
Problem: The following error message appears in the tnpfa.log file:<br />
"info tnpfad: Couldn't set Receive Buffer Size (SO_RCVBUF)<br />
on socket 0x6 (2:17:2): No buffer space available (errno 74)"<br />
Solution: The TCP receive buffers are too small. Fixing this depends on the environment.<br />
For AIX, perform the following commands as root user:<br />
> no -o sb_max=4194304<br />
Setting sb_max to 4194304<br />
> no -o tcp_recvspace=4194304<br />
Setting tcp_recvspace to 4194304<br />
For Linux, perform the following commands as root user:<br />
sudo /sbin/sysctl -w net.core.rmem_max=33554432<br />
sudo /sbin/sysctl -w net.core.wmem_max=33554432<br />
Also for Linux, add the following lines to /etc/sysctl.conf:<br />
net.core.rmem_max = 33554432<br />
net.core.wmem_max = 33554432<br />
Problem: The system ran out of disk space or flow files are empty or database is not written back to<br />
the system.<br />
Solution: Verify that there is a disk usage problem with df -h. Consider using a different disk partition<br />
by following these steps:<br />
Stop the system.<br />
Move the directory /var/lib/tnpfa to the new partition.<br />
Make sure file permissions remain.<br />
If problems persist, consult the log file or run the system in verbose mode:<br />
#> tnpfa stop<br />
#> tnpfa start verbose<br />
When reporting problems, gather the following information:<br />
Collect the product-specific information from the user interface as follows:<br />
Click Status > System information<br />
Click Status > Backend information<br />
Collect the product-specific information from a server console as follows:<br />
Output: tnpfa status<br />
File: /etc/tnpfa/tnpfa.conf<br />
File: /etc/tnpfa/crontab<br />
File: /opt/tnpfa/var/log/tnpfa.log<br />
File: /etc/tnpfa/var/sites/default/etc/site.conf<br />
Collect the general information from a UNIX server console as follows:<br />
Output: df -h<br />
Output: df -h /opt/tnpfa/var<br />
Output: ulimit -a<br />
Output: cat /proc/cpuinfo<br />
Output: cat /proc/meminfo<br />
Output: date<br />
Output: iptables -L<br />
Output: cat /etc/selinux/config<br />
Output: ls -l /opt/tnpfa/var/sites/*/*<br />
Output: ls -l /etc/tnpfa<br />
Appendix A. Integration <strong>and</strong> scripting<br />
The Tivoli Netcool Performance Flow Analyzer console can be used to issue commands to the backend system using the
flow analyzer Application Programming Interface (API).
# tnpfa connect
Connecting to command line interface (CLI) ...
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
200 TNPFAd
The Tivoli Netcool Performance Flow Analyzer API can be regarded as an execution environment in which flow-analyzer
shell scripts are executed.
Example - Configure a .csv report showing Hourly Textual Output of Flow Information Records
Step 1: Put the following lines in /opt/tnpfa/var/sites/default/etc/report_site.ash.
site select default<br />
site domain select 0<br />
site period select hour current<br />
site aspect select domain octets<br />
$per$ = site period get epoch half<br />
$date$ = strftime %Y-%m-%d_%H $per$<br />
site set csvoutput /opt/tnpfa/var/sites/default/reports/report_$date$.csv<br />
Step 2: Add the following line to the file /etc/tnpfa/crontab (not the system crontab):
30 * * * * root * exec /opt/tnpfa/var/sites/default/etc/report_site.ash<br />
Appendix B. 95th percentile billing
The 95th percentile is a widely used mathematical calculation to evaluate the regular and sustained utilization of a
network connection. The 95th percentile method more closely reflects the needed capacity of the link in question than
tracking by other methods such as mean or maximum rate. Rather than charge for total traffic, customers get charged a
per-megabit rate (Mbit/s). This rate is calculated by taking 5-minute transfer rate readings throughout the month, then
disregarding the top 5% of readings (in an attempt to remove all of the spikes) and charging for the next highest rate on
the list.
Figure B-1 demonstrates the 95th percentile rate for sent and received traffic for a particular month.
Figure B-1 95th Percentile Rate
Figure 9-1 shows how the customer’s interface ports on their routers and switches are polled or sampled at regular
intervals throughout the billing cycle. In this example, 8,640 samples are accumulated in a 30 day calendar month. Each
sample contains the number of bytes transmitted to the customer and the number of bytes received from the customer
since the sample took place.
This example shows that the customer’s transfer rate actually peaked at the midway point in the month, but this is<br />
disregarded for charging purposes as it falls outside of the 95th percentile. After sorting, these transfers were in the peak<br />
5% of the month, and are not chargeable.<br />
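The calculation described above, as an added Python example (not part of the IBM guide or the product). The byte counts are constructed, and billing on the higher of the sent and received percentiles and the price per Mbit/s are assumptions. The received series shows the edge case: a burst longer than 5% of the month (432 of 8,640 samples) is no longer discarded and sets the billable rate.

```python
SAMPLE_INTERVAL_S = 300            # 5-minute readings, as in the text
SAMPLES_PER_MONTH = 30 * 24 * 12   # 8,640 samples in a 30-day month


def rates_mbps(byte_counts, interval_s=SAMPLE_INTERVAL_S):
    """Convert per-interval byte counts into transfer rates in Mbit/s."""
    return [b * 8 / interval_s / 1_000_000 for b in byte_counts]


def percentile_95(rates):
    """Sort the readings, drop the top 5%, return the next highest one."""
    if not rates:
        raise ValueError("no samples in the billing period")
    ordered = sorted(rates, reverse=True)
    discard = len(ordered) * 5 // 100   # floor, so never more than 5% is dropped
    return ordered[discard]


def constructed_month(baseline_bytes, burst_bytes, burst_len,
                      n=SAMPLES_PER_MONTH):
    """Constructed sample data: flat baseline with one mid-month burst."""
    start = n // 2 - burst_len // 2
    return [burst_bytes if start <= i < start + burst_len else baseline_bytes
            for i in range(n)]


# Sent: 10 Mbit/s baseline, 400-sample burst at 90 Mbit/s (shorter than 5%).
SENT = constructed_month(375_000_000, 3_375_000_000, burst_len=400)
# Received: 5 Mbit/s baseline, 500-sample burst at 50 Mbit/s (longer than 5%).
RECV = constructed_month(187_500_000, 1_875_000_000, burst_len=500)


def bill(sent_bytes, recv_bytes, price_per_mbps):
    """Assumption: the charge is based on the higher of the two percentiles."""
    p95_sent = percentile_95(rates_mbps(sent_bytes))
    p95_recv = percentile_95(rates_mbps(recv_bytes))
    billable = max(p95_sent, p95_recv)
    return {
        "p95_sent_mbps": p95_sent,
        "p95_recv_mbps": p95_recv,
        "billable_mbps": billable,
        "charge": billable * price_per_mbps,
    }


if __name__ == "__main__":
    # price_per_mbps is a hypothetical tariff, not a value from the guide.
    print(bill(SENT, RECV, price_per_mbps=12.0))
```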
Example report showing CSV Export for Daily Top Domains including 95th Percentile<br />
Step 1: Add the following lines into file /opt/tnpfa/var/sites/default/etc/report_site.ash.<br />
site domain select 0<br />
site period select day previous<br />
site aspect select domain octets<br />
$per$ = site period get epoch half<br />
$date$ = strftime %Y-%m-%d $per$<br />
set cleanoutput on<br />
set output /opt/tnpfa/var/tmp/report_$date$.csv.incomplete<br />
$keys$ = site aspect get keys<br />
loop i 1 1 @@keys@@<br />
{<br />
site aspect printf "DomainId=%flow:domain%,DomainName=%flow:domain#name%,TotSent=%tva:tot_sent%,TotRcvd=%tva:tot_recv%,AvgSent=%tva:avg_sent%,AvgRcvd=%tva:avg_recv%,P95=%tva:p95%\n" @@keys:$i$@@<br />
}<br />
set output session<br />
set cleanoutput off<br />
rename /opt/tnpfa/var/tmp/report_$date$.csv.incomplete /opt/tnpfa/var/sites/default/reports/report_$date$.csv<br />
Step 2: Invoke the script<br />
tnpfa connect<br />
session login default admin <br />
exec /opt/tnpfa/var/sites/default/etc/report_site.ash<br />
Step 3: View the 95th Percentile result in the output file<br />
vi /opt/tnpfa/var/sites/default/reports/report_YYYY-MM.csv<br />
DomainId=0,DomainName=Other,TotSent=34661243.00,TotRcvd=33539267.00,AvgSent=360.33,AvgRcvd=348.66,P95=326.00<br />
DomainId=0,DomainName=Private,TotSent=0.00,TotRcvd=917178.00,AvgSent=0.00,AvgRcvd=10.67,P95=36.13<br />
Notices<br />
This information was developed for products <strong>and</strong> services offered in the U.S.A.<br />
<strong>IBM</strong> may not offer the products, services, or features discussed in this document in other countries.<br />
Consult your local <strong>IBM</strong> representative for information about the products <strong>and</strong> services currently<br />
available in your area. Any reference to an <strong>IBM</strong> product, program, or service is not intended to state or<br />
imply that only that <strong>IBM</strong> product, program, or service may be used. Any functionally equivalent<br />
product, program, or service that does not infringe any <strong>IBM</strong> intellectual property right may be used<br />
instead. However, it is the user’s responsibility to evaluate <strong>and</strong> verify the operation of any non-<strong>IBM</strong><br />
product, program, or service.<br />
<strong>IBM</strong> may have patents or pending patent applications covering subject matter described in this<br />
document. The furnishing of this document does not grant you any license to these patents. You can<br />
send license inquiries, in writing, to:<br />
<strong>IBM</strong> Director of Licensing<br />
<strong>IBM</strong> Corporation<br />
North Castle Drive<br />
Armonk, NY 10504-1785<br />
U.S.A.<br />
For license inquiries regarding double-byte character set (DBCS) information, contact the <strong>IBM</strong><br />
Intellectual Property Department in your country or send inquiries, in writing, to:<br />
Intellectual Property Licensing<br />
Legal <strong>and</strong> Intellectual Property Law<br />
<strong>IBM</strong> Japan Ltd.<br />
1623-14, Shimotsuruma, Yamato-shi<br />
Kanagawa 242-8502 Japan<br />
The following paragraph does not apply to the United Kingdom or any other country where such<br />
provisions are inconsistent with local law:<br />
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS<br />
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT<br />
NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY<br />
OR FITNESS FOR A PARTICULAR PURPOSE.<br />
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore,<br />
this statement might not apply to you.<br />
This information could include technical inaccuracies or typographical errors. Changes are<br />
periodically made to the information herein; these changes will be incorporated in new editions of the<br />
publication. <strong>IBM</strong> may make improvements <strong>and</strong>/or changes in the product(s) <strong>and</strong>/or the program(s)<br />
described in this publication at any time without notice.<br />
Any references in this information to non-<strong>IBM</strong> Web sites are provided for convenience only <strong>and</strong> do not<br />
in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not<br />
part of the materials for this <strong>IBM</strong> product <strong>and</strong> use of those Web sites is at your own risk.<br />
<strong>IBM</strong> may use or distribute any of the information you supply in any way it believes appropriate<br />
without incurring any obligation to you.<br />
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the<br />
exchange of information between independently created programs <strong>and</strong> other programs (including this<br />
one) <strong>and</strong> (ii) the mutual use of the information which has been exchanged, should contact:<br />
<strong>IBM</strong> Corporation<br />
2Z4A/101<br />
11400 Burnet Road<br />
Austin, TX 78758<br />
U.S.A.<br />
Such information may be available, subject to appropriate terms <strong>and</strong> conditions, including in some<br />
cases payment of a fee.<br />
The licensed program described in this document <strong>and</strong> all licensed material available for it are<br />
provided by <strong>IBM</strong> under terms of the <strong>IBM</strong> Customer Agreement, <strong>IBM</strong> International Program License<br />
Agreement or any equivalent agreement between us.<br />
Any performance data contained herein was determined in a controlled environment. Therefore, the<br />
results obtained in other operating environments may vary significantly. Some measurements may<br />
have been made on development-level systems <strong>and</strong> there is no guarantee that these measurements<br />
will be the same on generally available systems. Furthermore, some measurements may have been<br />
estimated through extrapolation. Actual results may vary. <strong>User</strong>s of this document should verify the<br />
applicable data for their specific environment.<br />
Information concerning non-<strong>IBM</strong> products was obtained from the suppliers of those products, their<br />
published announcements or other publicly available sources. <strong>IBM</strong> has not tested those products <strong>and</strong><br />
cannot confirm the accuracy of performance, compatibility or any other claims related to non-<strong>IBM</strong><br />
products. Questions on the capabilities of non-<strong>IBM</strong> products should be addressed to the suppliers of<br />
those products.<br />
This information contains examples of data <strong>and</strong> reports used in daily business operations. To illustrate<br />
them as completely as possible, the examples include the names of individuals, companies, brands,<br />
and products. All of these names are fictitious and any similarity to the names and addresses used by<br />
an actual business enterprise is entirely coincidental.<br />
COPYRIGHT LICENSE:<br />
This information contains sample application programs in source language, which illustrate<br />
programming techniques on various operating platforms. You may copy, modify, <strong>and</strong> distribute these<br />
sample programs in any form without payment to <strong>IBM</strong>, for the purposes of developing, using,<br />
marketing or distributing application programs conforming to the application programming interface<br />
for the operating platform for which the sample programs are written. These examples have not been<br />
thoroughly tested under all conditions. <strong>IBM</strong>, therefore, cannot guarantee or imply reliability,<br />
serviceability, or function of these programs. The sample programs are provided "AS IS", without<br />
warranty of any kind. <strong>IBM</strong> shall not be liable for any damages arising out of your use of the sample<br />
programs.<br />
If you are viewing this information in softcopy form, the photographs <strong>and</strong> color illustrations might not<br />
appear.<br />
Trademarks<br />
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business<br />
Machines Corp., registered in many jurisdictions worldwide. Other product and service names might<br />
be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at<br />
"Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.<br />
Adobe is either a registered trademark or trademark of Adobe Systems Incorporated in the<br />
United States, <strong>and</strong>/or other countries.<br />
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or<br />
both.<br />
Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or<br />
both.<br />
Other product <strong>and</strong> service names might be trademarks of <strong>IBM</strong> or other companies.<br />
Glossary<br />
The installation, configuration, <strong>and</strong> operation of the <strong>Tivoli</strong> Netcool Performance Flow Analyzer system<br />
are described in this document with consistent terminology. The important terms are defined here.<br />
Traffic Flow<br />
A traffic flow is a sequence of packets with common end-to-end properties (for example,<br />
protocol, source <strong>and</strong> destination addresses <strong>and</strong> source <strong>and</strong> destination ports).<br />
Traffic Aspect<br />
Flow-based traffic information is presented in <strong>Tivoli</strong> Netcool Performance Flow Analyzer with<br />
respect to various traffic aspects. Aspects are defined from aspect components such as domain,<br />
traffic type, protocol, service type, port, application, host, interface, autonomous system, <strong>and</strong> so on.<br />
Aspects provide the means to look at collected traffic information from different viewpoints <strong>and</strong><br />
help to understand the composition of traffic in the network. Aspects are composed of multiple<br />
aspect components. The configuration of aspects is defined in section 4.2.<br />
Host<br />
The host aspect component shows the composition of traffic with respect to the sending <strong>and</strong><br />
receiving end machines. A host is identified by its IP address. <strong>Tivoli</strong> Netcool Performance Flow<br />
Analyzer uses DNS reverse lookup to determine the host name from the IP address. Reverse<br />
lookup can be disabled. IP version 4 <strong>and</strong> 6 addressing is supported.<br />
Domain<br />
A domain is defined as a grouping of IP addresses <strong>and</strong> represents a set of hosts. The grouping<br />
can be defined with a list of subnets, a list of autonomous systems, or a filter expression. The<br />
default domain is called Other. If a host is not applicable to any explicitly defined domain, then it<br />
falls into Other. Other can be used as a synonym for the rest of the network.<br />
Traffic Type<br />
The traffic type aspect component provides a breakdown of traffic with respect to IPv4, IPv6,<br />
unicast, broadcast, <strong>and</strong> multicast traffic.<br />
Protocol<br />
The protocol aspect component provides a breakdown of traffic with respect to the transport layer<br />
protocols (for example, ICMP, TCP, UDP, ESP). ICMP (Internet Control Message Protocol) is<br />
additionally provided as an individual aspect to provide a breakdown of ICMP messages. See the<br />
/etc/tnpfa/protocols file <strong>and</strong> the /etc/tnpfa/icmp file for configuration.<br />
Service Type<br />
The service type aspect component provides a breakdown of traffic with respect to the type of<br />
service settings in the IP header. <strong>Tivoli</strong> Netcool Performance Flow Analyzer is preconfigured for<br />
the IETF Differentiated Services code points (DSCPs). See the /etc/tnpfa/tos file for<br />
configuration.<br />
Port<br />
A large part of IP traffic is transmitted over session-oriented transport layer protocols, such as<br />
TCP <strong>and</strong> UDP. Transport layer protocols use source <strong>and</strong> destination ports that indicate the<br />
higher-layer application protocols (or services) offered on the end hosts. Thus the port aspect<br />
component provides a breakdown of traffic with respect to the application protocols (for<br />
example, http, pop3, ssh).<br />
The heuristic for determining the service from the source <strong>and</strong> destination port numbers is as<br />
follows:<br />
If only one port is registered with a service, this registered service is used; if both ports are<br />
registered, the service registered with the smaller port number is used; if no port is registered, the<br />
smaller port number is used <strong>and</strong> assigned to the unclassified service. See the<br />
/etc/tnpfa/services file for configuration.<br />
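The three-case port heuristic above, written out as an added Python example (not TNPFA code). The REGISTERED table is a constructed stand-in for /etc/tnpfa/services and the flow tuples are constructed sample data. The last flow shows the limit of a port-based classifier: a service running on an unregistered port is accounted as unclassified.

```python
from collections import Counter

# Constructed subset standing in for /etc/tnpfa/services (port -> service).
REGISTERED = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 443: "https"}
UNCLASSIFIED = "unclassified"


def classify(src_port, dst_port, registered=REGISTERED):
    """Return (port, service) chosen by the glossary's heuristic."""
    src_known = src_port in registered
    dst_known = dst_port in registered
    if src_known and dst_known:
        # Both registered: the service of the smaller port number is used.
        port = min(src_port, dst_port)
    elif src_known:
        port = src_port
    elif dst_known:
        port = dst_port
    else:
        # Neither registered: smaller port, assigned to the unclassified service.
        return min(src_port, dst_port), UNCLASSIFIED
    return port, registered[port]


# Constructed flow records: (src_port, dst_port, bytes).
FLOWS = [
    (51514, 443, 1200),    # client to https server
    (443, 51514, 48000),   # reply direction, same service
    (80, 443, 300),        # both registered: port 80 wins
    (40000, 50000, 7000),  # neither registered
    (52000, 2222, 9000),   # ssh moved to port 2222: not in the table
]


def bytes_by_service(flows, registered=REGISTERED):
    """Aggregate byte counts per service chosen by classify()."""
    totals = Counter()
    for src, dst, nbytes in flows:
        _, service = classify(src, dst, registered)
        totals[service] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for src, dst, _ in FLOWS:
        print(src, dst, classify(src, dst))
    print(bytes_by_service(FLOWS))
```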
Application<br />
The application aspect component provides a breakdown of traffic with respect to groups of<br />
application protocols. For example, the MAIL application is a grouping of typical application<br />
protocols used to send <strong>and</strong> receive e-mail (that is, smtp, imap, pop3, <strong>and</strong> so on). See the<br />
/etc/tnpfa/applications file for configuration.<br />
Interface<br />
The interface aspect component provides a breakdown of traffic with respect to the interfaces<br />
which are used to forward the traffic at the switches <strong>and</strong> routers exporting flow information<br />
records. See the /etc/tnpfa/interfaces file for configuration.<br />
ASN<br />
The ASN (Autonomous System Number) aspect provides a breakdown of traffic with respect to<br />
the Autonomous Systems to which the source <strong>and</strong> destination IP addresses belong. An ASN is<br />
used in the Internet as a globally unique number for identifying IP networks which are treated<br />
with a common routing policy. See the /etc/tnpfa/asn file for configuration.<br />
Local/Remote<br />
A domain can be defined as being local or remote. You can differentiate between traffic within a<br />
local administrative domain, <strong>and</strong> traffic entering <strong>and</strong> leaving a local administrative domain. The<br />
Other domain is always considered to be remote.<br />
Sent/Received<br />
Traffic aspects in tables and graphs are presented separately for sent and received traffic. The<br />
rules for whether packets are accounted as sent or received vary between aspects. The following table<br />
shows these rules.<br />
Aspect | Sent if packets are... | Received if packets are...<br />
Host | Sent by source host | Received by destination host<br />
Domain | Sent by source domain | Received by destination domain<br />
Traffic Type | Sent by local domain and Received by local or remote domain | Sent by remote domain and Received by local domain<br />
Protocol and ICMP | Sent by local domain and Received by local or remote domain | Sent by remote domain and Received by local domain<br />
Service Type | Sent by local domain and Received by local or remote domain | Sent by remote domain and Received by local domain<br />
Port | Sent by this port | Received by this port<br />
Application | Sent by local domain and Received by local or remote domain | Sent by remote domain and Received by local domain<br />
Interface | Sent by out interface | Received by in interface<br />
Autonomous System (AS) | Sent by source AS | Received by destination AS<br />
For illustration, consider two local domains D1 with ip1 and D2 with ip2 as well as two remote<br />
domains D3 with ip3 and D4 with ip4. In the figure, the colour of the arrows shows which flows are<br />
considered as sent and which flows are considered as received. For some aspects, traffic volume<br />
is accounted twice, as sent and as received. The traffic volume (that is, transmitted bytes, packets)<br />
is accounted for the destination host as received and for the source host as sent. Double<br />
accounting is done for aspect components host, domain, port, interface, and autonomous system.<br />
Graphs and tables for these aspect components add up to 200% in total.<br />
Traffic between hosts within the same domain is tagged received if data is received by a server (as<br />
determined from the service port) and sent otherwise.<br />
Example for sent and received traffic with local and remote domains<br />
Site<br />
Sites are used to separate traffic information between administrative domains. A single Tivoli<br />
Netcool Performance Flow Analyzer installation can be configured for multiple administrative<br />
domains with potentially overlapping (private) address spaces and individual configurations.<br />
Flow information packets (for example, Netflow, IPFIX) are collected and analyzed for a<br />
particular site if the corresponding exporter is registered with the site.<br />
Traffic View<br />
The user interface provides sliding views into the traffic information database. Such traffic views<br />
cover the last 60 minutes, the last 24 hours, the last 31 days, and so on. Traffic views differ from<br />
traffic reports as they constantly change due to the sliding time periods.<br />
Traffic Report<br />
The user interface provides pre-generated traffic reports for fixed time periods, such as for every full<br />
hour as well as for every calendar day, month, <strong>and</strong> so on. Pre-generated traffic reports can be accessed<br />
immediately. A special form of traffic report is a zoom report. A zoom report is dynamically generated<br />
by the user given a time period <strong>and</strong> a filter to zoom into certain traffic aspects (for example, protocol,<br />
host, or subnet).<br />
Printed in USA<br />