TNPFA 4.1.1 Installation and User Guide - e IBM Tivoli Composite ...

Note: Before using this information and the product it supports, read the information in Notices. 

This edition applies to IBM Tivoli Netcool Performance Flow Analyzer version 4.1.1 and to all subsequent releases and 

modifications until otherwise indicated in new editions. 

© Copyright IBM Corp. 2004, 2010 

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with 

IBM Corp. 

ii IBM Tivoli Netcool Performance Flow Analyzer: Installation and User Guide

Contents 

About this guide ..................................................................................................................................................................................... 1 

Chapter 1. Overview ........................................................................................................................................................................ 5 

1.1 Reporting ................................................................................................................................................................................. 6 

1.2 Aggregation database ............................................................................................................................................................ 6 

1.3 High performance and scalability ........................................................................................................................................ 7 

1.4 User interface .......................................................................................................................................................................... 7 

1.5 Interoperability ....................................................................................................................................................................... 7 

Chapter 2. System requirements .................................................................................................................................................... 9 

2.1 Hardware ................................................................................................................................................................................ 9 

2.2 Operating system and software ........................................................................................................................................... 9 

Chapter 3. Getting started ............................................................................................................................................................. 11 

3.1 Installing ................................................................................................................................................................................ 11 

3.1.1 Installing the package .............................................................................................................................................. 11 

3.1.2 Installing as an upgrade .......................................................................................................................................... 11 

3.1.3 Creating an administrator account ........................................................................................................................ 12 

3.1.4 Starting and stopping the system ........................................................................................................................... 12 

3.1.5 Logging into the Tivoli Netcool Performance Flow Analyzer server ............................................................... 15 

3.1.6 Updating the license ................................................................................................................................................ 16 

3.1.7 Creating a user account ........................................................................................................................................... 18 

3.2 Uninstalling ........................................................................................................................................................................... 19 

3.3 Memory management ......................................................................................................................................................... 20 

Chapter 4. Configuration .............................................................................................................................................................. 25 

4.1 Site management .................................................................................................................................................................. 25 

4.2 Aspects ................................................................................................................................................................................... 27 

4.2.1 Tivoli Netcool Performance Flow Analyzer filter expressions .......................................................................... 32 

4.3 Domains................................................................................................................................................................................. 33 

4.4 User management ................................................................................................................................................................ 36 

4.5 Other configuration files ..................................................................................................................................................... 39 

4.6 Reporting ............................................................................................................................................................................... 43 

Chapter 5. Traffic analyzer ........................................................................................................................................................... 45 

5.1 Overview ............................................................................................................................................................................... 45 

5.2 Aspect views ......................................................................................................................................................................... 48 

5.3 Domain views ....................................................................................................................................................................... 67 

Chapter 6. Standard reports .......................................................................................................................................................... 69 

Chapter 7. Zoom reports ................................................................................................................................................................ 71 

7.1 Zoom report list page .......................................................................................................................................................... 71 

7.2 Zoom Report configuration page ....................................................................................................................................... 72 

7.3 Processing .............................................................................................................................................................................. 73 

7.4 Viewing the results .............................................................................................................................................................. 73 

Chapter 8. System status ............................................................................................................................................................... 75 

Chapter 9. Import ............................................................................................................................................................................ 79 

Chapter 10. Troubleshooting .......................................................................................................................................................... 81 

Appendix A. Integration and scripting ........................................................................................................................................... 85 

Appendix B. 95 th 

percentile billing .................................................................................................................................................. 87 

Notices ........................................................................................................................................................................................ 89 

Glossary ........................................................................................................................................................................................ 93 

© Copyright IBM Corp. 2004, 2010 

iii

iv IBM Tivoli Netcool Performance Flow Analyzer: Installation and User Guide

About this guide 

Introduction 

Audience 

This Installation and User Guide tells you how to install and configure IBM ® Tivoli ® Netcool ® 

Performance Flow Analyzer version 4.1.1. 

The audience for this information is anyone who must install and operate Tivoli Netcool Performance 

Flow Analyzer. Typically, the audience consists of experienced system administrators, network 

administrators, and IT technicians. Some background in networking, operating systems, and software 

installation procedures is assumed. 

© Copyright IBM Corp. 2004, 2010 1

How this guide is organised 

This guide is divided into the following chapters and appendixes: 

Chapter 1. Overview 

A brief product description 

Chapter 2. System requirements 

A description of the hardware and software requirements 

Chapter 3. Getting started 

A description of the basic installing and uninstalling procedures, as well as how to start, stop, and 

reset the system 

Chapter 4. Configuration 

A description of the Tivoli Netcool Performance Flow Analyzer configuration options 

Chapter 5. Traffic analyzer 

A description of the traffic analysis functions in the user interface 

Chapter 6. Standard reports 

A description of how to generate and view standard reports 

Chapter 7. Zoom reports 

A description of how to generate and view zoom reports 

Chapter 8. System status 

A description of the functions to control the system status 

Chapter 9. Import 

A description of the import function 

Chapter 10. Troubleshooting 

Help with miscellaneous problems 

Appendix A. Integration and scripting 

A brief introduction to the Tivoli Netcool Performance Flow Analyzer Application Programming 

Interface (API) 

Appendix B. 95th percentile billing 

A description of the 95th percentile mathematical calculation 

Glossary 

A description of terms used in this document 

2 IBM Tivoli Netcool Performance Flow Analyzer: Installation and User Guide

Related documents 

For additional information, refer to the following documents: 

IETF RFC 5101 

Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow 

Information, 2008 

IETF RFC 3954 

Cisco Systems NetFlow Services Export Version 9, 2004 



Chapter 1. Overview 

Analysis and visualization of network traffic is important for optimizing and protecting the operation 

of networked IT infrastructures. Tivoli Netcool Performance Flow Analyzer is designed to gain tight 

control over end-to-end resource usage for hosts, servers, services, applications, protocols, domains, 

autonomous systems, quality-of-service classes, interfaces, and user-defined combinations of these 

aspect components. 

The system operates passively by generating detailed network traffic reports from flow-information 

streams such as NetFlow, IPFIX, jFlow, cflowd and NetStream. Traffic views and reports provide 

detailed asset usage information that ranges from seconds to years. The system supports network 

planning as well as network operation — for instance, through identification of network congestion 

causes. The system can also be used to estimate traffic impact with server consolidation and new 

application roll-outs or pilots. 

Figure 1.1: Tivoli Netcool Performance Flow Analyzer user interface 


1.1 Reporting 

Traffic usage reports are provided for bit, packet, and flow rates in tables, pie charts, and interactive 

graphs. The reports contain information about single or combinations of the following traffic aspects: 

• Applications (for example, mail, http, backup, printer, Lotus Notes) 

• Hosts and servers 

• Domains defined by lists of subnets, autonomous systems, or flow filters 

• Individual end-to-end flows 

• Traffic types (for example, unicast, broadcast, multicast, IPv4/IPv6, ICMP) 

• Service types (for example, IETF DiffServ) 

• Protocols (for example, TCP, UDP, ICMP) 

• TCP/UDP ports and services (for example, DFS, DNS, SSH, telnet, POP3, SMTP) 

• Flow-information exporters and interfaces 

Total traffic volumes are reported by direction (sent or received) for all configured aspects. Reports are 

automatically generated for selected periods, in PDF format. You can use Tivoli Netcool Performance 

Flow Analyzer to generate customised reports in HTML, JSON, and as textual output, using the flow 

analyzer application programming interface (API), see Appendix A. Tivoli Netcool Performance Flow 

Analyzer supports domain views including 95th-percentile computation per direction, see Appendix 

B. 

User-defined combinations of traffic aspect components provide better understanding of end-to-end 

traffic flows. An example of a user-defined aspect is a quality-of-service breakdown by application and 

source or destination autonomous system. 

1.2 Aggregation database 

Traffic flow profiling requires advanced database technology to handle high flow volumes in large 

enterprise and service provider infrastructures. Tivoli Netcool Performance Flow Analyzer uses an 

aggregation database (ADB) that is specifically designed for efficient memory and storage footprints. 

The ADB provides a mechanism for efficient incremental storage of primary traffic data values which 

are associated with time intervals. The database stores data values in groups of circular arrays of 

period-dependent resolution. Therefore, the database is able to handle large flow data sets with fast 

access times and limited storage. 

The ADB uses lower resolution for arrays that cover longer time periods. Additionally, the design of 

the ADB reduces memory-to-disk synchronization and accelerates data import and export. Users can 

quickly change their viewpoint when looking at traffic flows. Because data is represented in the ADB 

for multiple viewpoints, flow files do not have to be reanalyzed or newly indexed. 

Array grouping in the ADB optimizes the creation of sorted views of related parameters. This feature 

is of great importance to efficiently display sorted lists of top protocols, top hosts, top flows, and so on. 

The ADB supports period durations of hour, day, week, month, quarter, and year. 


1.3 High performance and scalability 

1.4 User interface 

1.5 Interoperability 

Tivoli Netcool Performance Flow Analyzer is designed for high performance. The system uses 

parallelism on multicore architectures and uses a fast in-memory ADB. A single installation can 

accommodate flow-information records that are exported from many routers, switches, and interfaces. 

On a typical dual-core server with default configuration, a processing speed of 50,000 flows per second 

can be achieved. Higher flow rates require more resources, a distributed setup, or a less complex 

configuration. 

The user interface of Tivoli Netcool Performance Flow Analyzer is Web-based and exists over Secure 

Socket Layer, when configured on the Web server. Built-in user management provides user roles with 

password-protected access. Configuration of user roles, aspect composition, and item grouping (for 

example, domain definition) is supported in the user interface. 

Tables, pie charts, and graphs are linked and enabled to interactively drill down based on AJAX/SVG. 

The interactive functions are as follows: 

• Ability to drill down time ranges in graphs 

• Pop-up legends inside graphs 

• Ability to show or hide breakdown items that includes total of non-classified items 

• Selection of sorting criteria by direction- sent, received, total 

• Selection of units- octets, packets, flows 

• Selection of scaling- linear, log, trend 

• Automatic time scrolling 

Tivoli Netcool Performance Flow Analyzer offers an API to the flow analyzer daemon. All 

configuration, control, and database access functions are supported by the API. The API is also used 

for scripted output (for example, in CSV and PDF format). Periodically, advanced users can write 

custom scripts to export into a desired output format. The scripting language can also be used for 

event notification. Events can be signalled as syslog messages. 



Chapter 2. System requirements 

2.1 Hardware 

For optimum performance, you need at least a dual 2 GHz 64 bit processor machine with 4 GB of 

memory. Storage capacity of at least 70 GB is necessary to save flow files for import and zooming. A 

network interface is needed to receive flow-information data. 

The exact hardware configuration depends on the data traffic profile and the software configuration. A 

rough estimation is that a single installation as described above can support 50,000 flows per second. 

With the assumption that flow information export can be estimated as 1% of the data traffic and a 

single flow record is about 50 B, a total traffic throughput of 50,000/s × 50 B × 100 × 8 b/B = 2 Gb/s can 

be supported with a single installation. Higher flow rates require more resources or a distributed 

setup. For a more detailed discussion and guidance on memory usage, see section 3.3. 

2.2 Operating system and software 

Tivoli Netcool Performance Flow Analyzer is supported on the following operating systems: 

Operating System Version Platform 

AIX ® 

5.3 Power Series 

AIX 6.1 Power Series 

Red Hat Enterprise Linux ® 

(RHEL) 

4.X Intel x86 32 bit 

Red Hat Enterprise Linux 4.X Intel x86 64 bit 



Solaris 9 Sun SPARC 64 bit 

Solaris 10 Sun SPARC 64 bit 

SUSE Linux Enterprise 

Server (SLES) 

9.X Intel x86 32 bit 

SUSE Enterprise Linux 9.X Intel x86 64 bit 


Operating System Version Platform 





The following software packages are required: 

• Apache2 Web server, preferably with SSL support if the user interface is used 

• Network Time Protocol (NTP) 

These packages are loosely coupled with the Tivoli Netcool Performance Flow Analyzer system and 

do not run in a shared address space with the system. The core collection, database, and reporting 

components of Tivoli Netcool Performance Flow Analyzer do not depend on any of these packages. 


Chapter 3. Getting started 

3.1 Installing 

Ensure that Apache2 Web Server is installed and running before you start to install Tivoli Netcool 

Performance Flow Analyzer. The installation steps are as follows: 

1. Install the package. 

2. Create an administrator account. 

3. Restart the system. 

4. Log into the Tivoli Netcool Performance Flow Analyzer server. 

5. Update the license (only needed for trial version). 

6. Create a user account. 

3.1.1 Installing the package 

Installation requires root administration rights. You can create an operating-system account called 

tnpfa with root privileges, or you can use the root account. 

Note: On a RHEL environment, SELinux should be disabled before installation. 

To disable SELinux, turn off SELinux enforcing. Complete the following steps as root administrator: 

1. Open the /etc/sysconfig/selinux file. 

2. Find the following line: 

SELINUX=enforcing 

3. Change this line as follows: 

SELINUX=disabled 

4. Restart the system. 

Tivoli Netcool Performance Flow Analyzer is packaged as a physical DVD, a DVD image, or an 

electronic archive (that is, a tar file). Extract the files from the archive with the following command: 

# tar xf CZ5FAEN.tar 

Note: The archive might be distributed with a different file name. 

The INSTALL installation script is in the top directory (on DVD or extracted archive): 

# cd CZ5FAEN 

# ./INSTALL 

3.1.2 Installing as an upgrade 

To install the Tivoli Netcool Performance Flow Analyzer 4.1.1 release on a system that already has 

Tivoli Netcool Performance Flow Analyzer 4.1.0 installed, there are a number of steps that must be 

performed 


1. Uninstall Tivoli Netcool Performance Flow Analyzer 4.1.0 in accordance with the 

corresponding installation guide. 

Note: If you are prompted to delete the files by the uninstall script, select no. 

2. Install Tivoli Netcool Performance Flow Analyzer 4.1.1 by following the instruction in section 

3.1.1. 

The INSTALL script referenced in section 3.1.1 reports that there exist users and a configuration from 

the previous Tivoli Netcool Performance Flow Analyzer 4.1.0 installation. You are advised to perform 

/INSTALL copyold command to copy the old data into the new installation. Depending on the user 

inputs, the copyold command performs the following actions: 

1. Copy an updated form of the user definition files into the 4.1.1-specific location. 

2. Delete the obsolete 4.1.0 user definition files. 

3. Copy the site definition and data files from the 4.1.0 location to the corresponding 4.1.1 

location 

4. Delete the obsolete 4.1.0 configuration and data. 

Note: You must clear the browser cache for any client machine that has previously accessed the 4.1.0 

GUI. For more information, consult your browser documentation. 

3.1.3 Creating an administrator account 

After you install the system, you must create an administrator account: 

# tnpfa addroot 

User ID: admin 

User ’admin’ successfully created in file ’users/admin’ 

The password for this account is ’************ 

Record the administrator password that is provided. When Tivoli Netcool Performance Flow Analyzer 

is upgraded or reinstalled, a previous administrator account may exists. You can also generate new 

administrator accounts. 

To delete an administrator account: 

1. Stop Tivoli Netcool Performance Flow Analyzer. 

2. To delete the account, use the deluser command as follows: 

# tnpfa deluser admin 

3.1.4 Starting and stopping the system 

Starting and stopping the Tivoli Netcool Performance Flow Analyzer requires root administration 

rights. Run the following commands as the root user or the tnpfa user. 


To start the Tivoli Netcool Performance Flow Analyzer system, use the start command from the 

server console: 

# tnpfa start 

This command runs Tivoli Netcool Performance Flow Analyzer in the background. 

To stop the Tivoli Netcool Performance Flow Analyzer background process, use the stop 

command from the server console: 

# tnpfa stop 

Stopping (may take a moment)... 

To check the status, use the status command from the server console: 

# tnpfa status 

To reset the system, use the reset command from the server console: 

# tnpfa reset 

Do you want to reset the system? [yes] 

Do you want to reset site ’Test’? [yes] 

Reset ’adb’ at site ’Test’? [yes] 

Resetting... done. 

Reset ’flow’ at site ’Test’? [yes] no 

Reset ’log’ at site ’Test’? [yes] 


Reset ’reports’ at site ’Test’? [yes] 


Do you want to reset common components? [yes] 

Reset common ’log’? [yes] 


The collected and generated data (including report and log file data) can be individually deleted with 

the reset command if the user answers yes to the relevant questions. All aspects are retained but their 

related data is deleted when the reset command is executed. 

Use the help command, to display all options for the tnpfa command: 

# tnpfa help 

IBM Tivoli Netcool Performance Flow Analyzer 

Version 4.1.1.0 

Release 2010.02.03 

Usage: tnpfa OPTIONS 

start [verbose|confirm] : Start 

restart [verbose] : Restart 

stop [verbose|confirm] : Stop 

reset [] : Reset interactively 

connect : Connect to system CLI 

showsites : Show all sites 


addsite [] : Add new site 

delsite [] : Delete site 

showusers : Show all user accounts 

showuser [] : Show single user account 

addroot [] : Add new root user account 

adduser [] : Add new user account 

deluser [] : Delete user account 

setflowurl [] : Set the flow URL 

import [ [

3.1.5 Logging into the Tivoli Netcool Performance Flow Analyzer server 

The user interface of Tivoli Netcool Performance Flow Analyzer is Web-based and requires a Web 

browser (for example, Mozilla Firefox, Microsoft® Internet Explorer Version 7 or 8). Enable cookies 

and Scalable Vector Graphics (SVG) support. 

Note: Internet Explorer does not natively support SVG. If you chose Internet Explorer, install the 

Adobe ® SVG 6 plug-in from http://www.adobe.com/svg/viewer/install/beta.html. Internet 

Explorer Version 6 is not supported. 

The installation procedure requires that the Apache2 Web server is installed and running on the 

system. A configuration file is installed in the Apache2 configuration directory: 

RHEL, SLES: /etc/httpd/conf.d 

Solaris: /etc/apache2/httpd.conf 

The configuration of the Web server is reloaded automatically during installation. If the Web server is 

not running during installation, it has to be started manually. 

To start apache2 on RHEL, follow this command: 

/etc/rc.d/init.d/httpd start 

Log into the Tivoli Netcool Performance Flow Analyzer server with flow-analyzer administrator 

credentials (see sections 3.1.2 and 3.1.5) by using the following URL: 

http:///tnpfa/ 

The name or IP address of the host on which Tivoli Netcool Performance Flow Analyzer is installed 

must be used instead of localhost in the URL. Figure 3-1 shows the login page as shown in the browser 

window. 


3.1.6 Updating the license 

Figure 3-1 Administrator login 

Tivoli Netcool Performance Flow Analyzer requires a valid license file for complete operation. By 

default, the Tivoli Netcool Performance Flow Analyzer package contains a license file that is enabled 

during the installation. If that is the case, this section can be skipped. The availability of the license file 

can be checked from the server console with the tnpfa command: 

# tnpfa status 

For license configuration, log into the system with your administrator credentials and click 

Administrative Site > Configuration > License > Update. Figure 3-3 shows the license update 

window. Paste the license file content (including the signature section) into the text field and apply. 

When Tivoli Netcool Performance Flow Analyzer is upgraded or reinstalled, the license file might 

exist already in the /etc/tnpfa directory. The license file might have to be decompressed - for 

example, if it is distributed with the .gz file extension. 

The license determines the duration and set of enabled features. The license can be viewed as a text 

file, or in the user interface by using the administrator site at Configuration > License Information 

(see Figure 3-1). 


Figure 3-2 License information 


3.1.7 Creating a user account 

Figure 3-3 License update 

The final step for basic installation is to create a normal user account. To create user accounts, log into 

the system, and then click Configuration > User Management > New user. For more information 

about how to create user accounts, see section 4.4. 


3.2 Uninstalling 

You must stop the Tivoli Netcool Performance Flow Analyzer system before uninstalling. If none or 

only some of the data collected and generated by the system must be retained, the system can be reset 

before uninstalling (see section 3.1.4). The command for uninstalling Tivoli Netcool Performance Flow 

Analyzer is as follows: 

# tnpfa deinstall 

Do you want to deinstall the package? [yes] 

The data and configuration is not automatically deleted by the deinstall command, and can be reused 

by a new installation. 

The Tivoli Netcool Performance Flow Analyzer deinstall command requires the main configuration 

file. However, the standard package deinstallation procedure (rpm -e tnpfa for RHEL and SLES) 

can be used if the Tivoli Netcool Performance Flow Analyzer deinstallation procedure is stopped 

because the tnpfa.conf file is moved or deleted from the /etc/tnpfa directory. 


3.3 Memory management 

Tivoli Netcool Performance Flow Analyzer is designed for high performance. Therefore, efficient 

management of memory utilization is strongly advised. It is a good practice to keep track of aspects, and 

to recognize when user-defined aspects are no longer required. Remove redundant aspects to make 

memory available for subsequent definitions. As a result, you improve memory usage and increase 

system performance. 

Within Tivoli Netcool Performance Flow Analyzer, there are one or more sites. Within each site, there are 

one or more domains. The data stored in a domain is subdivided by aspect, unit, and period. See Figure 

3-4. 

Site 1 

US 

Domain 1 

Others 

Aspect 2 

Domain 

Unit 1 

Octets 

Period1 

Hour 

Site 2 

UK 

Domain 2 

Permitted 

Unit 2 

Packets 

Period 2 

Day 

Site 3 

Austria 

Unit 3 

Flows 

Site 4 

Poland 

Domain 3 

Banned 

Aspect 2 

Host Application 

Period 3 

Week 

Period4 

Month 

Aspect 2 

Protocol 

Period 5 

Year 

Figure 3-4 Tivoli Netcool Performance Flow Analyzer data storage overview 


127.0.0.2, HTTP 

1500 

1000 

500 

0 

-500 

-1000 

-1500 

14:01 

14:02 

Tivoli Netcool Performance Flow Analyzer collects values from emitters based on the configured list of 

collected aspects and the associated time periods and unit types. For example, if Tivoli Netcool 

Performance Flow Analyzer is configured to collect octets for a day for the Host Application aspect, 

then the flow analyzer creates an in-memory database to hold the received data. 

The Host Application aspect is made up of two components- IP Address and Application Name. IP 

Address comes from the destination address of the flow. Application Name is based on a mapping from 

the destination port of the flow to the corresponding application name. 

This new database stores the amount of octets received in each of 300 'buckets' of 300 seconds, for each 

combination of IP Address and Application Name that it receives from the emitter. The data for each 

combination is held in its own Time-Value Array (TVA), that records an amount of traffic reported (an 

integer) for an array of time slices (buckets). A TVA can be visualised as being one of a number of 

graphs of traffic, that records the data relevant for its own combination of key details. 

For example: data is received for two combinations of IP Address and Application Name: 

127.0.0.1 and port 80 (HTTP) 

127.0.0.2 and port 80 (HTTP) 

Therefore, all the periods for this site/domain/aspect/period contain two TVAs (see Figure 3-5). 

14:03 

Hour Day Week 

14:04 

127.0.0.1, HTTP 127.0.0.1, HTTP 127.0.0.1, HTTP 

127.0.0.2, HTTP 127.0.0.2, HTTP 127.0.0.2, HTTP 

14:05 

14:06 

14:07 

14:08 

Figure 3-5 TVAs within period 

127.0.0.1, HTTP 

© Copyright IBM Corp. 2004, 2010 21 

1500 

1000 

500 

0 

-500 

-1000 

-1500 

14:01 

14:02 

14:03 

14:04 

14:05 

14:06 

14:07 

14:08

The same data is added to the corresponding TVAs in each time period but each period stores the data 

differently, based on the resolution of that period. A TVA can be visualised as being one of a number 

of graphs of traffic that records the data relevant for its own combination of key details. 

Figure 3-6 Web representation of data in Figure 3.5 


The memory footprint for each TVA is dependent on how many buckets it has to hold. 

Period Coverage Number of 

Buckets 

Resolution 

(seconds) 

Resolution TVA Memory 

Requirement 

Hour 1 hour 360 10 10 seconds 12296 Bytes 

Day 25 hours 300 300 5 minutes 10376 Bytes 

Week 7 days 1 hour 338 1800 30 minutes 11592 Bytes 

Month 31 days 2 373 7200 2 hours 12712 Bytes 

hours 

Quarter 93 days 

4 hours 

26 minutes 

40 seconds 

272 29600 8 hours 

13 minutes 

20 seconds 

9480 Bytes 

Year 366 days 366 86400 24 hours 12488 Bytes 

Month 31 days 8940 300 5 minutes 286856 Bytes. 

(HiRes) 1 hour 

Figure 3-7 Memory requirements 

The number of TVAs that must be stored depends on the traffic that is received. If all the flows are for 

one IP Address, Application Name pair then there is one TVA. If only a single octet is sent to another 

port on that same IP address then a second TVA is created for that IP Address, Application Name pair 

to hold that information. The memory footprint is the same for any aspect that records octets, flows, or 

packets. 

As traffic information is analyzed by Tivoli Netcool Performance Flow Analyzer, the number of TVAs 

increases as the flow analyzer recognises that existing TVAs do not cover the data presented. If the 

traffic is quite widely spread across IP address and ports, the memory required to store all the octets 

broken down by IP Address, Application Name increases by TVA, until the available RAM is used up 

by Tivoli Netcool Performance Flow Analyzer. To avoid RAM being consumed without restrictions, 

there are two attributes of each aspect- Upper Limit and Maximal Number. By default, these values are 

4000 and 2000 respectively. 

If the number of TVAs grows to reach the value of Upper Limit, TVAs are deleted to bring the number 

of TVAs down to the Maximal Number. The TVAs that are removed are deleted, and their data is lost. 

The total amounts are still maintained. No guarantee is made regarding which TVAs are removed, but 

an effort is made to keep the same distribution of TVAs based on amount of traffic. 

For the data for one hour of octets, 4000 separate IP Address and Application Name combinations, the 

amount of RAM required is 4000 * 12,296 Bytes = 49,184,000 Bytes or 46.9 MB. 

If we were to record an hour, day, week, month, quarter, and year of octets, packets, and flows for 

Host Application that hit 4000 TVAs, then the calculation would be: 

(12,296 + 10,376 + 11,592 + 12,712 + 9,480 + 12,488) * 3 units * 4,000 TVAs = 68,944 * 3 * 4,000 = 

827,328,000 Bytes or 789 MB. 

The same default values for Upper Limit and Maximal Number operate for each aspect type even though 

certain aspects could not reach 4000 TVAs. For example, there are likely to be only a certain number of 

flow emitters in a network. 



Chapter 4. Configuration 

This chapter describes the configuration options of Tivoli Netcool Performance Flow Analyzer. 

4.1 Site management 

Sites are used to separate traffic information between administrative domains. Each site can be 

regarded as a logical Tivoli Netcool Performance Flow Analyzer installation with a separate database 

and individual settings, including user accounts. A single Tivoli Netcool Performance Flow Analyzer 

installation can be used for many administrative domains with potentially overlapping (private) 

address spaces and individual configurations. 

Tivoli Netcool Performance Flow Analyzer is preconfigured with a default site. New sites can be 

added and existing sites can be removed with following server console commands: 

# tnpfa addsite test 

# tnpfa delsite test 

Note: The site configuration as well as collected and generated data (report data and log file data) is 

deleted with the site. An additional site increases the amount of memory being used. 

Flow information packets (for example, Netflow, IPFIX) are collected and analyzed for a particular site 

if the corresponding exporters are registered with the site (see Configuration > Site configuration > 

General in Figure 4-1). The general settings of each site contain site name, language, skin, registered 

exporters (for example, routers), and a description. The site name can be used to refer to a particular 

administrative domain. Any exporter registers all exporters with the site that are not registered with 

any other site. Every exporter registers all exporters with the site that export to the Tivoli Netcool 

Performance Flow Analyzer installation. If only data exported from specific exporters should be 

processed by the site, select Specific exporters. 

Site configuration changes that are applied are valid for the running system. However, the 

configuration files that are used when you restart the system are not automatically updated. It is 

therefore important to save the current configuration file at Configuration > Site configuration > 

Running config > Commit to disk of the server after all site configuration changes are done (see 

Figure 4-2). 

Flow information as received from exporters can be stored in binary format on disk if the option Store 

flows is enabled in Configuration > Site configuration > Advanced. Over longer time periods, flow 

files can use a considerable amount of storage. A task for either removal or compression of flow files 

can be configured (see Figure 4-3). 

Received flow information packets are stored by Tivoli Netcool Performance Flow Analyzer in a flow 

buffer before analysis. The size of the flow buffer can be altered with the Flow buffer size option. If 

the data arrives in large chunks, widely separated, you need a larger flow buffer to deal with the data, 

compared to the same amount of data being sent in a more even manner. A flow buffer size of 200 MB 

is sufficient for a maximum burst size of 4 million flow records in 5 minutes. 

Note: Increasing the buffer size leads to higher memory usage. 


To enable the user to configure the site to collect only flow files and disable any further processing of 

flow information, click Configuration > Site configuration > Advanced . Furthermore, the mapping 

of IP addresses to host names as well as account expiration can be enabled. 

Figure 4-1 Site configuration > General settings 


4.2 Aspects 

Figure 4-2 Site configuration > Running config 

The configuration of aspects and domains including the collection are the key site configuration tasks. 

These tasks are described in the following sections. 

Flow-based traffic information is presented in Tivoli Netcool Performance Flow Analyzer with respect 

to various traffic aspects. Aspects are defined from components such as domain, traffic type, protocol, 

service type, port, application, host, interface, autonomous system, and so on. Aspects provide the means to 

look at collected traffic information from different viewpoints. Aspects can also be composed of 

multiple aspect components. 


Figure 4-3 Site configuration > Advanced 


Figure 4-4 shows how aspects are defined in the user interface. The default collection type for 

collecting usage variation information is Time Array. This type of aspect represents traffic in sent and 

received directions separately. Sent traffic is above the x-axis. Received traffic is below the x-axis. A 

Unidirectional Time Array does not differentiate between sent and received traffic – both are added 

above the x-axis. A Counter aspect records separate totals for sent and received data for the current 

and last time period. The only graphical representation for the data in counter aspects is pie charts. 

Figure 4-4 Site Configuration > Aspects 

A defined aspect has to be enabled for collection before the database maintains information for the 

aspect. To enable each aspect for collection with respect to time periods and units, click Configuration 

> Site configuration > Collection. The possible time periods are hour, day, week, month, quarter, 

and year. The possible units are octets, packets, and flows (see Figure 4-5). In addition, the system 

provides a means to filter and rewrite the incoming flow information records during the collection 

process (see Figure 4-6). 

Note: When you configure aspect collection with more periods and units enabled, the memory 

consumption increases. 


Figure 4-5 Site configuration > Collection 


Figure 4-6 Site configuration > Global filters 


4.2.1 Tivoli Netcool Performance Flow Analyzer filter expressions 

Version: 4.1.0.0 

= not | 

(and|or) | 

(ipversion|ip_version) (ipv4|ipv6) | 

(ip|ipv4|ipv6) [] [/] | 

prefixlength [] | 

type [] | 

proto [] | 

(icmp|icmptype|icmpcode) | 

port [] | 

(iface|interface) [] | 

(app|application) [] (|) | 

tos [] | 

flowlabel [] | 

domain [] (|current) | 

asn [] [AS] | 

(packets|octets|octperpkt|bps|pps) [] | 

(sourceid|flowversion|flowtemplateid) [] | 

(tcpflag|tcpflags) [|&] (|) | 

true | false | 

set [|] [|] 

= src | dst | both | either 

= | router | router_src | router_dst | nexthop 

= eq | == | ne | != | ge | >= | gt | > | more | le |

4.3 Domains 

A domain is used in Tivoli Netcool Performance Flow Analyzer as an important grouping concept. 

The grouping can be defined with a list of subnets, a list of autonomous systems or a filter expression. 

Figure 4-7 and Figure 4-8 show the user interface for configuring domains. Description, flag, 

committed rate, and collected aspects are optional for domain definition. A domain can be defined as 

being local or remote to discriminate between traffic within a local administrative domain and traffic 

entering as well as leaving a local administrative domain. 

Figure 4-7 Site configuration > Domains 


Figure 4-8 Site configuration > New domain 


Figure 4-9 Site configuration > New domain > Collection 

Figure 4-9 shows how a domain is configured with individual collection for domain views. Here in 

addition to the global aspects, the database maintains information about the domain-specific aspects. 

Section 5.3 describes how to switch between the global view and the domain view when analyzing 

traffic. 

Note: Domain views can be responsible for significant increase in memory usage because an instance 

of the aggregation database is maintained per domain that is configured with individual collection. 

For a more detailed discussion and guidance on memory usage consumption, see section 3.3. 


4.4 User management 

To generate a new user, click Configuration > User Management > New user. Figure 4-10 shows the 

fields to be entered for account generation. The user name must not contain special characters. Users 

can be given normal user permissions with specific access to selected sites or root permissions. 

To view the user profile, click Configuration > User Profile > User Profile Information (see Figure 

4-12 ). Users with root or site administrator rights can also create and edit other user accounts. 

Figure 4-13 and Figure 4-10 show the configuration in the user interface. 

Figure 4-10 Site configuration > Create a new user 

When the Firefox password manager is enabled, users with basic privileges will be asked to "confirm 

which user you are changing the password for ". The cancel and close options on the 

Confirm Password Change dialogue box do not affect Tivoli Netcool Performance Flow Analyzer 

password management. The Tivoli Netcool Performance Flow Analyzer system password is updated 

regardless of any action taken. 


Figure 4-11 Site configuration > User profile 

Figure 4-12 Site configuration > User profile information 


Figure 4-13 Site configuration > User management 


4.5 Other configuration files 

Tivoli Netcool Performance Flow Analyzer uses the tnpfa.conf configuration file, which contains 

settings valid for all sites. Site-specific configuration issues are stored in individual site configuration 

files. The settings shared by all sites are maintained in the main configuration file stored at 

/etc/tnpfa/tnpfa/tnpfa.conf 

In general, the system must be restarted after you modify the configuration file. Configuration options 

of the main configuration file cannot be modified with the user interface. The Configuration options 

are described here. 

Note: Default values are underlined. The values in bold font are recommended. 

identity ". . ." 

The name of the installation. 

flow url (|any)://(any||): 

for example, flow_url udp://any:2055 

With this option the protocols and ports for listening for flow information packets (for example, 

NetFlow, IPFIX) are specified. Possible protocols are tcp, udp or sctp. The recommended standard 

port for NetFlow is 2055 and 4739 for IPFIX. For security and robustness of the installation, it is 

important to restrict the collection to the known exporters. The user interface makes the restriction 

easy to configure. Otherwise, the reporting could be influenced in the case of bad configuration, 

malicious intent, or vulnerability scans. Here is an example for typical flow URL accepting flow 

information from any export on UDP port 2055: 

flowrelay ://(|): 

for example, flowrelay udp://10.10.10.10:2055 

To specify IPv6- or IPv4-only for a flow relay entry, append the IP version to the protocol, for example, 

tcp4. 

This option configures Tivoli Netcool Performance Flow Analyzer to forward all received flow records 

to another machine. To minimize ICMP error messages when the receiving host does not collect on the 

specified port, flow forwarding is disabled for 30 minutes if no socket peer can be determined. Here is 

an example for relaying flow information records to port 2055 on host 10.10.10.10: 


Tivoli Netcool Performance Flow Analyzer uses further configuration files for modifying the default 

name and description of protocols, services, applications, service types, ICMP codes, autonomous 

system numbers and SNMP interface indexes to be modified. For instance, if the http protocol is 

known to be used over the non-standard port 8080 in addition to port 80, it can be entered in the 

services configuration file. Changes in these configuration files affect newly generated reports after the 

modification. The filenames with examples of contents are listed below. 

/etc/tnpfa/protocols 

# (C) Copyright IBM Corp. 2003 - 2010 All Rights Reserved 

# 

# TNPFA registered protocols 

# 

# Number Name Description 

# ---------------------------------------------------------------------- 

0 HOPOPT "IPv6 Hop-by-Hop Option [RFC1883]" 

1 ICMP "Internet Control Message Protocol [RFC792]" 

2 IGMP "Internet Group Management Protocol [RFC1112]" 

3 GGP "Gateway-to-Gateway Protocol [RFC823]" 

/etc/tnpfa/services 


# 

# TNPFA registered services 

# 

# Name Port Protocol Appl Description 

#----------------------------------------------------------------------- 

#port0 0 TCP,UDP OTHER "TCP/UDP port 0 

forbidden)" 

tcpmux 1 TCP OTHER "TCP port service 

multiplexer" 

compressnet 2 UDP NETMNG "Management utility" 

compressnet 3 UDP NETMNG "Compression 

/etc/tnpfa/applications 


# 

process" 


# TNPFA registered applications 

# 

# Name Number Description 

# ---------------------------------------------------------------------- 

OTHER 0 "Other" 

TIVOLI 1 "IBM TIVOLI applications (eg TCM, ADSM)" 

CITRIX 2 "Citrix MetaFrame and MetaFrameXP software" 

CORBA 3 "Common Object Request Broker Architecture" 

CVS 4 "Concurrent Versions System" 

DATABASE 5 "Database applications (eg LDAP/SQL)" 

/etc/tnpfa/tos 


#" 

# TOS mapping to description 

# 

# TOS Description 

#----------------------------------------------------------------------- 

0 "Best Effort - BE (0x00)" 

8 "Other (0x08)" 

16 "Other (0x10)" 

32 "CS1 (0x20)" 

/etc/tnpfa/icmp 


# 

# TNPFA registered icmp types + codes 

# 

# htp://www.iana.org/assignments/icmp-parameters (synced to: 2008-02-13) 

# 

# High 16 bits = Type 

# Low 16 bits = Code 

# 

# Message description will be made up from the Type + Code. 

# Code is ignored when there is no more specific available. 

# 

# Code Description 

#----------------------------------------------------------------------- 

# 12 "Example Type" 


# 12ab "Example Code" 

00 "Echo Reply" 

03 "Destination Unreachable" 

0300 "Net Unreachable" 

0301 "Host Unreachable" 

0302 "Protocol Unreachable" 

/etc/tnpfa/asn 


# 

# TNPFA registered services 

# 

1 "LVLT-1" "LVLT-1" 

2 "DCN-AS" "DCN-AS" 

3 "MIT-GATEWAYS" "MIT-GATEWAYS" 

4 "ISI-AS" "ISI-AS" 

/etc/tnpfa/interfaces 


# 

# Interface mapping to description 

# 

# Interface Description 

#------------------------------------------------------------------------- 

# 200@2001:db8:20d:0:290:27ff:fe24:c19f "IPv6 uplink" 

# 1@192.0.2.42 "Internet uplink to provider A" 

# 2@192.0.2.42 "Internet uplink to provider B" 

# 3@192.0.2.42 "Sales" 

# 4@192.0.2.42 "Labor" 

# 1@192.0.2.11 "Accounting" 

# 6@192.0.2.13 "Servers" 

# 1@192.0.2.12 "Research" 


4.6 Reporting 

The user interface provides access to standard reports, which are pre-generated PDF traffic reports for 

the fixed time periods such as hourly, daily, weekly, monthly, quarterly and yearly. Figure 4-14 shows 

the user interface for configuring reports for a defined period. 

Figure 4-14 Site configuration > Reporting 



Chapter 5. Traffic analyzer 

5.1 Overview 

After authentication to the user interface with user name and password as described in section 3.1.5 an 

overview is shown for the site. The overview provides total usage graphs for the configured periods 

(see section 4.2), such as last hour, day, week, month, quarter and year (see Figure 5-4). The periods 

can be changed using the tabs above the graph (see Figure 5-1). 

Figure 5-1 Analyzer > period selection 

Graphs display traffic variation over time in rates of octet, packet, packet-per-octet or flow. The unit 

can be chosen and is displayed at the y-axis (see Figure 5-2). Positive values show sent traffic and 

negative values refer to received traffic (see Figure 5-3). 

Figure 5-2 Analyzer > unit selection 

Figure 5-3 Analyzer > interactive time series graph 

Copyright IBM Corp. 2004, 2010 45

Figure 5-4 Analyzer > hourly overview 


Figure 5-5 Analyzer > weekly overview 


5.2 Aspect views 

Traffic views are snapshots of the currently occurring traffic situation. The current traffic situation can 

be viewed for configured traffic aspects, periods and various display options (for example, normal and 

trend graph, pie chart, stacked or lines as well as linear or logarithmic, or Log format). The periods are 

the last hour (that is, last 60 minutes), last day (that is, last 24 hours), last month (last 31 days) and so 

on 1 

. 

Traffic volumes are given with most display options. According to IEC Standard, volumes are 

provided in B (bytes), KiB (kilo binary bytes), MiB (mega binary bytes), GiB (giga binary bytes), and 

TiB (tera binary bytes): 

The table below shows the differences between the units used by the IEC standard and the Metric 

system in traffic volume calculations. 

Table 5-1 IEC Standard v Metric System 

IEC Standard Metric System 

1 KiB = 1024 B = 2 10 

B 1 KB = 1000 bytes 

1 MiB = 1024 KiB = 2 20 B 

1 MB = 1000 KBs 

1 GiB = 1024 MiB = 2 30 B 1 GB = 1000 MBs 

1 TiB = 1024 GiB = 2 40 B 

1 TB = 1000 GBs 

Traffic rates are provided in b/s (bit per second), Kb/s (kilo bit per second), Mb/s (mega bit per 

second) and Gb/s (giga bit per second): 

1 Kb/s = 1000 b/s = 10 3 b/s 

1 Mb/s = 1000 Kb/s = 10 6 

b/s 

1 Gb/s = 1000 Mb/s = 10 9 

b/s 

The user can navigate in the user interface between Overview and configured traffic aspect views with 

the menu on the left side. The menu appears with the Analyzer view. Daily views aspects application, 

type, and protocol are shown in Figure 5-6, Figure 5-7, and Figure 5-8. 

The port view in Figure 5-9 is given in packet rates and selected top ports. That is, the remaining 

difference between the stacked top ports and the total traffic usage (displayed in gray) is not shown. 

Figure 5-10 shows the port view in lines mode for better visualization of the usage of individual ports. 

Likewise Figure 5-13 and Figure 5-14. 

Figure 5-11 and Figure 5-12 show weekly type-of-service views with all items as well as with selected 

items after the y-axis was adjusted. The y-axis can be adjusted when you click Fit y-axis to scale the 

view to the available data. 

1 Note: This is different to the time periods used with standard reporting (see Chapter 6) which are aligned to full hours, calendar days, weeks, and so 

on. 


Figure 5-13 and Figure 5-14 show, respectively, the entire ICMP traffic breakdown in stacked mode 

and selected ICMP items in lines mode after adjusting the y-axis. 

A multi-component aspect is shown in Figure 5-15. The aspect named Domain & Application is 

composed of two aspect components- domain and application. 

A second example for a multi-component aspect is given in Figure 5-16. The aspect name Flow is 

composed of aspect components source IP, destination IP, and protocol and service port. The graph is 

mostly gray because individual flows contribute only little to the overall traffic volume. There are 

three options to focus on the individual flows in the graph. 

There are three options to focus on the individual flows in the graph. The first option is to drill-down 

into the graph by left-click or select a region with the mouse as shown in Figure 5-17. The second 

option is to switch to log mode as shown in Figure 5-18. Small values are blown up and, therefore 

clearly visible in the graph. The third option is to hide the gray part that shows the difference of the 

selected items to the total traffic. Figure 5-19 shows the result after adjustment of the y-axis. 

Multi-component aspects can also be defined with aspect components that are derived from the 

volume-based data in flow information records. An example of such an aspect is Octets per Packets 

shown with and without total in Figure 5-20 and Figure 5-21. In the later figure the display mode is 

further more changed from stacked to lines. 

Finally, Figure 5-22 shows a multi-component aspect defined by aspect components exporter and 

application. 


Figure 5-6 Analyzer > Application view 


Figure 5-7 Analyzer > Type (traffic type) view 


Figure 5-8 Analyzer > Protocol view 


Figure 5-9 Analyzer > Port view (no Other) 


Figure 5-10 Analyzer > Port view (lines mode) 


Figure 5-11 Analyzer > TOS (type-of-service) view 


Figure 5-12 Analyzer > TOS view (selected items) 


Figure 5-13 Analyzer > ICMP 


Figure 5-14 Analyzer > ICMP (selected items, lines mode) 


Figure 5-15 Analyzer > multi-component aspect 


Figure 5-16 Analyzer > Flow view 


Figure 5-17 Analyzer > Flow view (drill-down) 


Figure 5-18 Analyzer > Flow view (log mode) 


Figure 5-19 Analyzer > Flow view (without total) 


Figure 5-20 Analyzer > Octets per packet 


Figure 5-21 Analyzer > Octets per packets (without total, lines mode) 


Figure 5-22 Analyzer > Exporter & Application view 


5.3 Domain views 

Tivoli Netcool Performance Flow Analyzer can be configured for domain-specific views that contain 

only traffic information about a particular domain or a particular combination of traffic aspects. 

Domain views can be limited to traffic of a particular geographic location. 

The calendar that is displayed with Reports shows a selection menu which enables the user to switch 

between domain report and the full reporting view (see Figure 5-23 Domain selection). Typically, the 

domain reports show only a subset of all traffic aspects. 

Figure 5-23 Domain selection 

Note: If collection is not configured for a user-created domain, you cannot choose that domain from 

the list. 



Chapter 6. Standard reports 

The user interface provides access to standard reports, which are pre-generated PDF traffic reports for 

fixed time periods, such as for every full hour as well as for every calendar day, month, and so on. 

Standard reports can be accessed through a calendar interface (Figure 6-1). 

Figure 6-1 Standard reports 



Chapter 7. Zoom reports 

This chapter describes how to generate zoom reports. Zoom reports allow the user to focus on specific 

traffic aspects within a selected time period in the past. 

Zoom reports are generated from stored flow files. These files must not be deleted but they may be 

compressed. For more information, see section 4.2. 

A Zoom report is a perspective on historical flows that the system has stored in regular or compressed 

flow files. The Zoom report is configured like a site. Additionally, a Zoom report has a start and end 

time period. The result is a snapshot that contains fixed and not updated data. In other words the 

snapshot is not dynamically updated when the system receives new flows. The report is accessible 

using an Analyzer-like interface and also as a PDF. 

Configuring a Zoom report is similar to configuring a site. This is intentional because the system that 

is running a Zoom report analyses the received flows in the same way as a site. The Zoom report 

facility allows a user to create the equivalent of a site to feed flows through. The result is a Zoom 

report, which matches a similarly-configured site. 

Zoom reports differ from a site definition only in terms of the time domain. A Zoom report is 

configured for a particular time period - the longer the period, the less the resolution. The Tivoli 

Netcool Performance Flow Analyzer picks the finest of the existing resolutions that accounts for about 

800 buckets. For example, selecting a report time range of two hours will result in Tivoli Netcool 

Performance Flow Analyzer choosing the hour period resolution of 10 seconds. Two hours is 2 X 3600 

seconds or 720 X 10-second buckets. For more information, see section 3.3. 

7.1 Zoom report list page 

To access the Zoom reports control page click the Zoom reports link on the top of the window. The 

system displays the list of previously configured reports and a link called New Zoom report that 

allows a user to create a fresh Zoom report configuration. 

The list of Zoom reports contains information and links for each of the pre-existing report definitions. 

There are columns for the name, status, data availability, edit-lock and processing progress. To the 

right are links named open, details, clone, delete and abort. These links are active or not depending 

on the report’s status. 

The status field contains either open indicating that the report has been viewed by a user who is still 

logged on or closed where no logged on user has viewed it. The data field indicates if data is present 

in the Zoom report’s database that is the flow files have been analysed. Editable indicates whether or 

not a user can change the configuration of the Zoom report. This shows yes until the report has 

started running, and then it changes to no. The progress field shows the stage in its life that the Zoom 

report is at that time. 

The open link allows a user to view the results of a Zoom report as a snapshot using the Analyzer 

page. This option is only present when a report has been run. The details link allows the user to view 

the details of a report configuration and fine-grained status information. The user may also edit the 

configuration if the report has not already been run. The clone allows the user to copy an existing 

definition under a different name. The delete link provides a means by which the user can delete the 

report result and definition. The abort link allows the user to stop a report processing. 


When a report has just been created its status is open, data value will be No, editable value is Yes and 

progress is idle. The links available are details, clone and delete. 

The system creates a fresh new Zoom report by copying the existing site configuration with the 

exception of the collection information. A cloned report definition contains the original Zoom report’s 

collection specification. The users can then modify the site as they wish. 

7.2 Zoom Report configuration page 

To configure a report definition you must click on the details link in the Zoom report list page. The 

Zoom report configuration page for the report in question appears. 

The page has six tabs – General, Filters, Aspects, Collection, Domains and Status. 

The General tab contains fields for the name, description and start and end times for this report. 

The Filters and Aspects tab contain interfaces that allow the user to configure the filter and aspects 

for the report just like the site configuration page. For more information, see sections 4.1 and 4.2. 

The Collection tab is like the collection tab for sites with one important difference. Because the 

time period for the report is limited to one time range and is specified on the General tab, the 

Collection tab contains a check box for the units being collected, not the units and time periods. 

The Domains tab works like the domain tab in the site configuration (section 4.3). But in a Zoom 

report the collection per domain only appears for the Web-interface snapshots and not for their 

PDF counterparts. 

The Status tab contains three status items and a link to a PDF form of the report, if complete. The 

Data field shows whether or not flows have been analysed and put in the Zoom report’s database. 

The Configuration locked field indicates if the configuration of the report has been frozen to 

avoid it being edited after analysis has been requested. The Data Locked field indicates whether or 

not the data in the report has been fully analysed. 

At the bottom of the Status tab is a list of background jobs that are associated with a report as it 

runs. 

At the bottom of the window, there are three buttons that are as follows: 

Cancel – to close the window 

Save – to save the configuration 

Run analysis - to run the Zoom report analysis 


7.3 Processing 

Initially the Progress field for a newly-created report is Idle. When you ask the system to run the 

report analysis, the progress field changes to Queued, and the editable field changes to no. The abort 

link becomes active and offers the user a way to stop the analysis before it finishes itself. When the 

system starts the analysis, the Progress field changes to Analysing. Eventually, the analysis 

completes. The Progress field changes to Finished and the Data field changes to yes. The abort link is 

deactivated and the open link becomes active. You can view the snapshot by using the Analyzer page. 

7.4 Viewing the results 

Table 7-1 Display changes for report 

Status Data Editable Progress 

Start Open No Yes Idle 

Open No No Queued 

Open No No Analysing 

End Open Yes No Finished 

There are two ways to access the Zoom report snapshot using the user interface. You can click on the 

open link for the report on the Zoom report list page. Alternatively, in the Analyzer page there are two 

fields where the snapshot and domain are selected on the top left of the window – the Snapshot link to 

select the snapshot and the Domain drop-down list box for selecting the domain. Click the Snapshot 

field to display a window that shows the exiting snapshots from Zoom reports and the Live system. 

To access the PDF generated by the report, click the Zoom Report. Select the details link for the report. 

Click the Status tab, and then click the Download link to download the PDF file. 



Chapter 8. System status 

Understanding the status of an operational Tivoli Netcool Performance Flow Analyzer system is 

important to avoid resource and configuration problems. The user interface provides system status 

information at Status > System information (see Figure 8-1) and Status > Backend information (see 

Figure 8-2). System information includes version and timezone etc, whereas the backend information 

is related to the status of the Tivoli Netcool Performance Flow Analyzer backend such as processing 

rate of last analysis, flow URL (see section 4.5), flow buffer fill level etc. 

An advanced way to investigate the system status is provided with the Tivoli Netcool Performance 

Flow Analyzer console. The Tivoli Netcool Performance Flow Analyzer console can be used to issue 

commands to the backend system. The Tivoli Netcool Performance Flow Analyzer console can be used 

from a server console using tnpfa connect 1 . Type help for the list of possible commands 2 . 

#> tnpfa connect 

Trying 127.0.0.1... 

Connected to localhost.localdomain (127.0.0.1). 

Escape character is ’ˆ]’. 

200 Tivoli Netcool Performance Flow Analyzer 4.1.1 

session login default admin ******* 

200 Greetings Administrator 

A further means for understanding the system status is the Flow state aspect (see Figure 8-3 Status > 

Flow state). The amount of accepted, dropped and filtered flow information records is displayed with 

this aspect. A multi-component aspect using exporter, flow version (for example, NetFlow version) 

and flow state can be defined by the user for more detailed status display of the received flow 

information records. 

1 The TCP port 9084 is registered at IANA for the Tivoli Netcool Performance Flow Analyzer console. 

2 Sometimes the CTRL-Backspace key combination has to be used to delete preceding characters in the 

console. 


Figure 8-1 Status > System information 


Figure 8-2 Status > Backend information 


Figure 8-3 Status > Flow state 


Chapter 9. Import 

Flow files that have been collected previously can be imported into the Tivoli Netcool Performance 

Flow Analyzer database. The user can select the flow files to be imported from Configuration > Flow 

file import. The default Tivoli Netcool Performance Flow Analyzer flow file directory 

/opt/tnpfa/var/default/flow is used for the selection (see Figure 9-1). 

Figure 9-1 Flow file import 

The imported flow information is added to the current time periods (that is, current and previous 

hour, day, month, and year). Data that falls outside the period start and period end time boundaries is 

not added. The added data is included in reports that are generated after the import is finished. The 

reports that existed before the import are not updated. 



Chapter 10. Troubleshooting 

Problem: No graphs or reports. 

Solution: This can have various reasons. 

No flow information packets (for example, NetFlow, IPFIX) have been received by the system. 

Check the flow url setting in the main configuration file (see section 4.5). 

Check with a packet sniffing tool whether NetFlow packets are received at the Tivoli Netcool 

Performance Flow Analyzer server. 

Make sure that the version of the flow information records is valid. 

Check whether flow files in the flow directories are not empty. 

Make sure a firewall does not hinder the NetFlow stream to the collector. 

Make sure the routers/switches/meters export to the correct port and IP address of the Tivoli 

Netcool Performance Flow Analyzer server. 

Check log messages from user interface or in /opt/tnpfa/var/log. 

Compare clock settings on the server and exporters (routers, switches or NetFlow meters). 

Make sure exporters and Tivoli Netcool Performance Flow Analyzer server are set for correct 

time and date. 

Consider using ntpdate . 

Make sure to restart Tivoli Netcool Performance Flow Analyzer when the system time was 

modified. 

Make sure the license is valid. 

Check whether the process named tnpfad is running, if not restart the system. 

Problem: When you use Internet Explorer, no graphs are shown. 

Solution: Verify that Internet Explorer (Version 7 or 8) is used. Verify that the Adobe SVG 6 plug-in is 

installed (see section 3.1.5). 

Problem: The backend process of Tivoli Netcool Performance Flow Analyzer (that is, tnpfad) does not 

listen on IPv6 (localhost) 

Solution: Check that /etc/hosts contains the following lines : 

127.0.0.1 localhost 

::1 localhost 


Problem: SCTP is not visible in netstat -an 

Solution: Current netstat does not support listing SCTP. Check /proc/net/sctp/pdf for the 

listing. 

Problem: Log file reports about an unknown NetFlow/IPFIX template. 

Solution: This can happen during start of the system when NetFlow/IPFIX records are received 

before the template has been exported. This template describes the data layout of the records. 

Problem: You must authenticate every time you click on a menu item. 

Solution: Make sure that cookies are enabled in your browser. 

Problem: The user interface does not work. 

Solution: Make sure the Apache2 Web server was started, for example, with 

/etc/rc.d/init.d/httpd start or /etc/rc.d/init.d/apache2 start 

Or 

/etc/rc.d/init.d/apache2 startapachectl start. 

Make sure you use the http or https protocols. Check the log file of the Web server (for example, 

/var/log/httpd/error.log). Make sure the server is accessed with the correct IP or host name. 

Make sure the server does not run a firewall that blocks http or https traffic. 

Problem: When you change the user interface languages, some menus and titles are still in English. 

Solution: Some language files are not complete. The system falls back to English in these cases. 

Problem: The systems stopped or reports are wrong. 

Solution: For security and robustness of the installation it is important to restrict the collection to the 

known exporters. Otherwise, the reporting could be influenced in the case of bad configuration, 

malicious intent, or vulnerability scans (see Sections 4.1, 4.2, 4.3 and4.5). 

Problem: The systems stopped and the log file shows that the system is out of memory. 

Solution: Reduce memory usage by collecting with fewer periods or by collecting with fewer aspects 

or by collecting with fewer units or by reducing flow buffer size or by removing a site (see Section4.5). 


Problem: Tivoli Netcool Performance Flow Analyzer shows only a fraction of the known volume of 

data. 

Or 

Problem: The following error message appears in the tnpfa.log file: 

― info tnpfad: Couldn't set Receive Buffer Size (SO_RCVBUF) 

on socket 0x6 (2:17:2): No buffer space available (errno 74) ‖ 

Solution: The TCP receive buffers that are too small. Fixing this depends on the environment. 

For AIX, perform the following commands as root user: 

> no -o sb_max=4194304 

Setting sb_max to 4194304 

> no -o tcp_recvspace=4194304 

Setting tcp_recvspace to 4194304 

For Linux, perform the following commands as root user: 

sudo /sbin/sysctl -w net.core.rmem_max=33554432 

sudo /sbin/sysctl -w net.core.wmem_max=33554432 

Also for Linux add the following lines to /etc/sysctl.conf 

net.core.rmem_max = 33554432 

net.core.wmem_max = 33554432 

Problem: The system ran out of disk space or flow files are empty or database is not written back to 

the system. 

Solution: Verify that there is a disk usage problem with df -h. Consider using a different disk partition 

by following these steps: 

Stop system. 

Move directory /var/lib/tnpfa to new partitions. 

Make sure file permissions remain. 

If problems persist, consult the log file or run the system in verbose mode: 

#> tnpfa stop 

#> tnpfa start verbose 

When reporting problems, gather the following information: 

Collect the product-specific information from the user interface as follows: 

Click Status > System information 

Click Status > Backend information 


Collect the product-specific information from a server console as follows: 

Output: tnpfa status 

File: /etc/tnpfa/tnpfa.conf 

File: /etc/tnpfa/crontab 

File: /opt/tnpfa/var/log/tnpfa.log 

File: /etc/tnpfa/var/sites/default/etc/site.conf 

Collect the general information from a UNIX server console as follows: 

Output: df -h 

Output: df -h /opt/tnpfa/var 

Output: ulimit -a 

Output: cat /proc/cpuinfo 

Output: cat /proc/meminfo 

Output: date 

Output: iptables -L 

Output: cat /etc/selinux/conf 

Output: ls -l /opt/tnpfa/var/sites/*/* 

Output: ls -l /etc/tnpfa 


Appendix A. Integration and scripting 

The Tivoli Netcool Performance Flow Analyzer console can be used to issue commands to the backend system using the 

flow analyzer Application Programming Interface (API). 

# tnpfa connect 

Connecting to command line interface (CLI) ... 

Trying 127.0.0.1... 

Connected to localhost.localdomain (127.0.0.1). 

Escape character is '^]'. 

200 TNPFAd 

The Tivoli Netcool Performance Flow Analyzer API can be regarded as an execution environment in which flow-analyzer 

shell scripts are executed. 

Example - Configure a .csv report showing Hourly Textual Output of Flow Information Records 

Step 1: Put the following lines in /opt/tnpfa/var/sites/default/etc/report site.ash . 

site select default 

site domain select 0 

site period select hour current 

site aspect select domain octets 

$per$ = site period get epoch half 

$date$ = strftime %Y-%m-%d_%H $per$ 

site set csvoutput /opt/tnpfa/var/sites/default/reports/report_$date$.csv 

Step 2: Add the following line to the file /etc/tnpfa/crontab (not system crontab) 

30 * * * * root * exec /opt/tnpfa/var/sites/default/etc/report_site.ash 



Appendix B. 95 th percentile billing 

The 95 th 

percentile is a widely used mathematical calculation to evaluate the regular and sustained utilization of a 

network connection. The 95 th percentile method more closely reflects the needed capacity of the link in question than 

tracking by other methods such as mean or maximum rate. Rather than charge for total traffic, customers get charged a 

per-megabit rate (Mbit/s). This rate is calculated by taking 5-minute transfer rate readings throughout the month, then 

disregarding the top 5% of readings (in an attempt to remove all of the spikes) and charging for the next highest rate on 

the list. 

Figure B-1 demonstrates the 95 th 

percentile rate for sent and received traffic for a particular month. 

Figure B-1 95th Percentile Rate 

Figure 9-1 shows how the customer’s interface ports on their routers and switches are polled or sampled at regular 

intervals throughout the billing cycle. In this example, 8,640 samples are accumulated in a 30 day calendar month. Each 

sample contains the number of bytes transmitted to the customer and the number of bytes received from the customer 

since the sample took place. 


This example shows that the customer’s transfer rate actually peaked at the midway point in the month, but this is 

disregarded for charging purposes as it falls outside of the 95th percentile. After sorting, these transfers were in the peak 

5% of the month, and are not chargeable. 

Example report showing CSV Export for Daily Top Domains including 95th Percentile 

Step 1: Add the following lines into file /opt/tnpfa/var/sites/default/etc/report site.ash . 

Step 2: Invoke the script 

site domain select 0 

site period select day previous 

site aspect select domain octets 

$per$ = site period get epoch half 

$date$ = strftime %Y-%m-%d $per$ 

set cleanoutput on 

set output /opt/tnpfa/var/tmp/report_$date$.csv.incomplete 

$keys$ = site aspect get keys 

loop i 1 1 @@keys@@ 

{ 

site aspect printf 

"DomainId=%flow:domain%,DomainName=%flow:domain#name%,TotSent=%tva:tot_sent%, 

TotRcvd=%tva:tot_recv%,AvgSent=%tva:avg_sent%,AvgRcvd=%tva:avg_recv%,P95=%tva:p95%\n 

" @@keys:$i$@@ 

} 

set output session 

set cleanoutput off 

rename /opt/tnpfa/var/tmp/report_$date$.csv.incomplete 

/opt/tnpfa/var/sites/default/reports/report_$date$.csv 

tnpfa connect 

session login default admin 

exec /opt/tnpfa/var/sites/default/etc/report_site.ash 

Step 3: View the 95th Percentile result in the output file 

vi /opt/tnpfa/var/sites/default/reports/report_YYYY-MM.csv 

DomainId=0,DomainName=Other,TotSent=34661243.00,TotRcvd=33539267.00,AvgSent=360.33,A 

vgRcvd=348.66,P95=326.00 

DomainId=0,DomainName=Private,TotSent=0.00,TotRcvd=917178.00,AvgSent=0.00,AvgRcvd=10 

.67,P95=36.13 


Notices 

This information was developed for products and services offered in the U.S.A. 

IBM may not offer the products, services, or features discussed in this document in other countries. 

Consult your local IBM representative for information about the products and services currently 

available in your area. Any reference to an IBM product, program, or service is not intended to state or 

imply that only that IBM product, program, or service may be used. Any functionally equivalent 

product, program, or service that does not infringe any IBM intellectual property right may be used 

instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM 

product, program, or service. 

IBM may have patents or pending patent applications covering subject matter described in this 

document. The furnishing of this document does not grant you any license to these patents. You can 

send license inquiries, in writing, to: 

IBM Director of Licensing 

IBM Corporation 

North Castle Drive 

Armonk, NY 10504-1785 

U.S.A. 

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM 

Intellectual Property Department in your country or send inquiries, in writing, to: 

Intellectual Property Licensing 

Legal and Intellectual Property Law 

IBM Japan Ltd. 

1623-14, Shimotsuruma, Yamato-shi 

Kanagawa 242-8502 Japan 

The following paragraph does not apply to the United Kingdom or any other country where such 

provisions are inconsistent with local law: 

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS 

IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT 

NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY 

OR FITNESS FOR A PARTICULAR PURPOSE. 

Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, 

this statement might not apply to you. 

This information could include technical inaccuracies or typographical errors. Changes are 

periodically made to the information herein; these changes will be incorporated in new editions of the 

publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) 

described in this publication at any time without notice. 

Any references in this information to non-IBM Web sites are provided for convenience only and do not 

in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not 

part of the materials for this IBM product and use of those Web sites is at your own risk. 

IBM may use or distribute any of the information you supply in any way it believes appropriate 

without incurring any obligation to you. 


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the 

exchange of information between independently created programs and other programs (including this 

one) and (ii) the mutual use of the information which has been exchanged, should contact: 

IBM Corporation 

2Z4A/101 

11400 Burnet Road 

Austin, TX 78758 

U.S.A. 

Such information may be available, subject to appropriate terms and conditions, including in some 

cases payment of a fee. 

The licensed program described in this document and all licensed material available for it are 

provided by IBM under terms of the IBM Customer Agreement, IBM International Program License 

Agreement or any equivalent agreement between us. 

Any performance data contained herein was determined in a controlled environment. Therefore, the 

results obtained in other operating environments may vary significantly. Some measurements may 

have been made on development-level systems and there is no guarantee that these measurements 

will be the same on generally available systems. Furthermore, some measurements may have been 

estimated through extrapolation. Actual results may vary. Users of this document should verify the 

applicable data for their specific environment. 

Information concerning non-IBM products was obtained from the suppliers of those products, their 

published announcements or other publicly available sources. IBM has not tested those products and 

cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM 

products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of 

those products. 

This information contains examples of data and reports used in daily business operations. To illustrate 

them as completely as possible, the examples include the names of individuals, companies, brands, 

and products. All of these names are fictitious and any similarity to the names and addresses used by 

an actual business enterprise is entirely coincidental. 

COPYRIGHT LICENSE: 

This information contains sample application programs in source language, which illustrate 

programming techniques on various operating platforms. You may copy, modify, and distribute these 

sample programs in any form without payment to IBM, for the purposes of developing, using, 

marketing or distributing application programs conforming to the application programming interface 

for the operating platform for which the sample programs are written. These examples have not been 

thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, 

serviceability, or function of these programs. The sample programs are provided "AS IS", without 

warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample 

programs. 

If you are viewing this information in softcopy form, the photographs and color illustrations might not 

appear. 

Trademarks 

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business 

Machines Corp., registered in many jurisdictions worldwide. Other product and service names might 


e trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at 

―Copyright and trademark information‖ at www.ibm.com/legal/copytrade.shtml. 

Adobe is either a registered trademark or trademark of Adobe Systems Incorporated in the 

United States, and/or other countries. 

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or 

both. 

Microsoft is a trademark of Microsoft Corporation in the United States, other countries, or 

both. 

Other product and service names might be trademarks of IBM or other companies. 



Glossary 

The installation, configuration, and operation of the Tivoli Netcool Performance Flow Analyzer system 

are described in this document with consistent terminology. The important terms are defined here. 

Traffic Flow 

A traffic flow is a sequence of packets with common end-to-end properties (for example, 

protocol, source and destination addresses and source and destination ports). 

Traffic Aspect 

Flow-based traffic information is presented in Tivoli Netcool Performance Flow Analyzer with 

respect to various traffic aspects. Aspects are defined from aspect components such as domain, 

traffic type, protocol, service type, port, application, host, interface, autonomous system, and so on. 

Aspects provide the means to look at collected traffic information from different viewpoints and 

help to understand the composition of traffic in the network. Aspects are composed of multiple 

aspect components. The configuration of aspects is defined in section 4.2. 

Host 

The host aspect component shows the composition of traffic with respect to the sending and 

receiving end machines. A host is identified by its IP address. Tivoli Netcool Performance Flow 

Analyzer uses DNS reverse lookup to determine the host name from the IP address. Reverse 

lookup can be disabled. IP version 4 and 6 addressing is supported. 

Domain 

A domain is defined as a grouping of IP addresses and represents a set of hosts. The grouping 

can be defined with a list of subnets, a list of autonomous systems, or a filter expression. The 

default domain is called Other. If a host is not applicable to any explicitly defined domain, then it 

falls into Other. Other can be used as a synonym for the rest of the network. 

Traffic Type 

The traffic type aspect component provides a breakdown of traffic with respect to IPv4, IPv6, 

unicast, broadcast, and multicast traffic. 

Protocol 

The protocol aspect component provides a breakdown of traffic with respect to the transport layer 

protocols (for example, ICMP, TCP, UDP, ESP). ICMP (Internet Control Message Protocol) is 

additionally provided as an individual aspect to provide a breakdown of ICMP messages. See the 

/etc/tnpfa/protocols file and the /etc/tnpfa/icmp file for configuration. 

Service Type 

The service type aspect component provides a breakdown of traffic with respect to the type of 

service settings in the IP header. Tivoli Netcool Performance Flow Analyzer is preconfigured for 

the IETF Differentiated Services code points (DSCPs). See the /etc/tnpfa/tos file for 

configuration. 

Port 

A large part of IP traffic is transmitted over session-oriented transport layer protocols, such as 

TCP and UDP. Transport layer protocols use source and destination ports that indicate the 

higher-layer application protocols (or services) offered on the end hosts. Thus the port aspect 

component provides a breakdown of traffic with respect to the application protocols (for 

example, http, pop3, ssh). 

The heuristic for determining the service from the source and destination port numbers is as 

follows: 


If only one port is registered with a service, this registered service is used; if both ports are 

registered, the service registered with the smaller port number is used; if no port is registered, the 

smaller port number is used and assigned to the unclassified service. See the 

/etc/tnpfa/services file for configuration. 

Application 

The application aspect component provides a breakdown of traffic with respect to groups of 

application protocols. For example, the MAIL application is a grouping of typical application 

protocols used to send and receive e-mail (that is, smtp, imap, pop3, and so on). See the 

/etc/tnpfa/applications file for configuration. 

Interface 

The interface aspect component provides a breakdown of traffic with respect to the interfaces 

which are used to forward the traffic at the switches and routers exporting flow information 

records. See the /etc/tnpfa/interfaces file for configuration. 

ASN 

The ASN (Autonomous System Number) aspect provides a breakdown of traffic with respect to 

the Autonomous Systems to which the source and destination IP addresses belong. An ASN is 

used in the Internet as a globally unique number for identifying IP networks which are treated 

with a common routing policy. See the /etc/tnpfa/asn file for configuration. 

Local/Remote 

A domain can be defined as being local or remote. You can differentiate between traffic within a 

local administrative domain, and traffic entering and leaving a local administrative domain. The 

Other domain is always considered to be remote. 

Sent/Received 

Traffic aspects in tables and graphs are presented separately for sent and received traffic. The 

rules if packets are accounted as sent or received vary between aspects. The following table 

shows these rules. 

Aspect Sent if packets are... Received if packets are... 

Host Sent by source host Received by destination host 

Domain Sent by source domain Received by destination domain 

Traffic Type Sent by local domain and 

Received by local or remote 

domain 

Protocol and ICMP Sent by local domain and 


domain 

Service Type Sent by local domain and 


domain 

Sent by remote domain and 

Received by local domain 





Port Sent by this port Received by this port 

Application Sent by local domain and 


domain 



Interface Sent by out interface Received by in interface 

Autonomous System (AS) Sent by source AS Received by destination AS 


Site 

For illustration, consider two local domains D1 with ip1 and D2 with ip2 as well as two remote 

domains D3 with ip3 and D4 with ip4. In , the colour of the arrows show which flows are 

considered as sent and which flows are considered as received. For some aspects, traffic volume 

is accounted twice, as sent and as received. The traffic volume (that is, transmitted bytes, packets) 

is accounted for the destination host as received and for the source host as sent. Double 

accounting is done for aspect components host, domain, port, interface, and autonomous system. 

Graphs and tables for these aspect components add up to 200% in total. 

Traffic between hosts within the same domain is tagged received if data is received by a server (as 

determined from the service port) and sent otherwise. 

Sites are used to separate traffic information between administrative domains. A single Tivoli 

Netcool Performance Flow Analyzer installation can be configured for multiple administrative 

domains with potentially overlapping (private) address spaces and individual configurations. 

Flow information packets (for example, Netflow, IPFIX) are collected and analyzed for a 

particular site if the corresponding exporter is registered with the site. 

Traffic View 

The user interface provides sliding views into the traffic information database. Such traffic views 

cover the last 60 minutes, the last 24 hours, the last 31 days, and so on. Traffic views differ from 

traffic reports as they constantly change due to the sliding time periods. 

Example for sent and received traffic with local and remote domains 

Traffic Report 

The user interface provides pre-generated traffic reports for fixed time periods, such as for every full 

hour as well as for every calendar day, month, and so on. Pre-generated traffic reports can be accessed 

immediately. A special form of traffic report is a zoom report. A zoom report is dynamically generated 

by the user given a time period and a filter to zoom into certain traffic aspects (for example, protocol, 

host, or subnet). 



® 

Printed in USA

TNPFA 4.1.1 Installation and User Guide - e IBM Tivoli Composite ...

Create successful ePaper yourself

Delete template?

Save as template?