Services Tab

This tab allows you to enable and configure NFO built-in services.

IPv4 Address to Host Name Translation

This service uses FQDN resolution to enrich your flow data with real-time domain names. It is enabled by default. You can create a list of hosts to override DNS resolution, with each entry in the form “IP,domainName” (both IPv4 and IPv6 are supported).

Modules state persistence support

This service saves Module state, which is used if the NFO server is restarted. It is always enabled and has no configuration parameters.

Original Flow Data Converter Service

This service provides mapping between flow data elements and their corresponding key names in key-value pairs in syslog output. There are two mapping files:

  1. For the Blue Coat Packeteer-2 device. It allows you to map ClassIDs to application names.

  2. Custom IPFIX Information Elements. It allows you to specify key names for custom enterprise fields in IPFIX, as well as override standard IPFIX element names. This CSV file has the following format:

    PEN, IE ID, Format, Name, Description

    Where:

    PEN – IPFIX Private Enterprise Number, e.g. for Netscaler it is 5951
    IE ID – IPFIX Information Element ID
    Format – one of the values specified in the table below
    Name – key name for this IPFIX element
    Description – optional description

| Format | Description | Example |
|---|---|---|
| FMT_NONE | no output | |
| FMT_UNKNOWN | N bytes as hex | 0102DEADBEEF0201 |
| FMT_UINT8_DEC | unsigned integer 1 byte as decimal | 127 |
| FMT_UINT8_HEX | unsigned integer 1 byte as hex | 1F |
| FMT_UINT16_DEC | unsigned integer 2 bytes as decimal | 5000 |
| FMT_FLOW_LABEL | unsigned integer 20 bits as decimal | 106000 |
| FMT_MPLS_LABEL | unsigned integer 3 bytes as text | 17:28:39 |
| FMT_APP_TAG | application tag 1 byte (engine ID) + n bytes (selector) | 1:7000 |
| FMT_HTTP_HOST | HTTP host n bytes: Application ID 4 bytes (engine ID + selector ID), sub-application ID 2 bytes, value (hostname) n bytes | "100:3000,hostA" |
| FMT_TCP_FLAGS | unsigned integer 1 byte as text | "FIN,RST" |
| FMT_UINT32_DEC | unsigned integer 4 bytes as decimal | 77000 |
| FMT_UINT32_HEX | unsigned integer 4 bytes as hex | 01ABCD02 |
| FMT_UINTN_DEC | unsigned integer n bytes as decimal | 9600000 |
| FMT_IPV4 | 4 bytes as text | 127.0.0.1 |
| FMT_IPV6 | 16 bytes as text | 2001:0db8:11a3:09d7:1f34:8a2e:07a0:765d |
| FMT_STRING | n bytes ASCII as text | "ascii text" |
| FMT_MAC | 6 bytes as text | 00:ab:cd:12:34:56 |
| FMT_ARR32 | 4 bytes array as hex | 01ABCD02 |
| FMT_ARR64 | 8 bytes array as hex | 01ABCD0201ABCD02 |
| FMT_EVENT | unsigned integer 1 byte as text | "Flow created" |
| FMT_DTIME_SEC | unsigned integer 4 or 8 byte as text (date) | "1985-04-12T23:20:50Z" |
| FMT_DTIME_MSEC | unsigned integer 4 or 8 byte as text (date) | "1985-04-12T23:20:50.001Z" |
| FMT_DTIME_USEC | unsigned integer 4 or 8 byte as text (date) | "1985-04-12T23:20:50.000001Z" |
| FMT_DTIME_NSEC | unsigned integer 4 or 8 byte as text (date) | "1985-04-12T23:20:50.000000001Z" |

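A check you can run on the custom IPFIX Information Elements file before uploading it, as an added example (not NFO's own code): it validates each row against the column layout and format names above and renders raw field bytes for a few of the formats. The key-name rule, the range checks and the sample rows are assumptions; only PEN 5951 comes from this page.

```python
import csv, io, ipaddress, re
from datetime import datetime, timezone

# Format names from the table above. Only a subset has a renderer in this example.
FORMATS = {"FMT_" + f for f in """NONE UNKNOWN UINT8_DEC UINT8_HEX UINT16_DEC FLOW_LABEL
MPLS_LABEL APP_TAG HTTP_HOST TCP_FLAGS UINT32_DEC UINT32_HEX UINTN_DEC IPV4 IPV6 STRING
MAC ARR32 ARR64 EVENT DTIME_SEC DTIME_MSEC DTIME_USEC DTIME_NSEC""".split()}
RENDER = {
    "FMT_UNKNOWN": lambda b: b.hex().upper(),
    "FMT_UINTN_DEC": lambda b: str(int.from_bytes(b, "big")),
    "FMT_IPV4": lambda b: str(ipaddress.IPv4Address(b)),
    "FMT_MAC": lambda b: b.hex(":"),
    "FMT_DTIME_SEC": lambda b: datetime.fromtimestamp(
        int.from_bytes(b, "big"), timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
}
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumption: keys safe for key=value output

def load_mapping(text):
    """Parse 'PEN, IE ID, Format, Name, Description' rows into (mapping, errors)."""
    mapping, errors = {}, []
    for n, row in enumerate(csv.reader(io.StringIO(text), skipinitialspace=True), 1):
        if not row:
            continue
        if len(row) < 4 or not (row[0].isdecimal() and row[1].isdecimal()):
            errors.append(f"line {n}: need numeric PEN and IE ID plus Format and Name")
            continue
        pen, ie_id, fmt, name = int(row[0]), int(row[1]), row[2], row[3]
        if pen >= 2**32 or not 1 <= ie_id <= 32767:  # IPFIX: 32-bit PEN, 15-bit IE ID
            errors.append(f"line {n}: PEN or IE ID out of range")
        elif fmt not in FORMATS:
            errors.append(f"line {n}: unknown format {fmt!r}")
        elif not KEY_RE.fullmatch(name):
            errors.append(f"line {n}: key name {name!r} would break key=value parsing")
        elif (pen, ie_id) in mapping:
            errors.append(f"line {n}: duplicate entry for PEN {pen}, IE {ie_id}")
        else:
            mapping[(pen, ie_id)] = (fmt, name)
    return mapping, errors

def render(mapping, pen, ie_id, raw):
    """Return 'name=value' for one raw field; formats without a renderer are hex-dumped."""
    fmt, name = mapping[(pen, ie_id)]
    return f"{name}={RENDER.get(fmt, RENDER['FMT_UNKNOWN'])(raw)}"

# Constructed sample file: IE IDs and key names are made up for illustration.
SAMPLE = """5951, 200, FMT_IPV4, sample_client_ip, constructed row
5951, 201, FMT_DTIME_SEC, sample_start_time
5951, 201, FMT_UINTN_DEC, sample_dup
5951, 202, FMT_STRING, bad name=1"""
MAPPING, ERRORS = load_mapping(SAMPLE)
```

With the sample, `ERRORS` reports the duplicate on line 3 and the unsafe key name on line 4, and `render(MAPPING, 5951, 200, bytes([127, 0, 0, 1]))` returns `sample_client_ip=127.0.0.1`.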
SNMP Data Retrieval Service

This Service supports SNMP protocol versions SNMPv2c and SNMPv3.

The service is always enabled.

NFO Modules query this Service to get SNMP data, passing Exporter IP and Interface SNMP index as parameters. SNMP information polled from network devices is cached in the Service (OID + Exporter IP + interface SNMP index) until it expires.

Go to Services tab and select SNMP data retrieval:

The service has the following parameters:

| Parameter | Description |
|---|---|
| T – SNMP expiration time in secs | Expiration time of SNMP data held in cache, default is 86400 seconds (1 day) |
| SNMP transport timeout in sec | Time to wait for SNMP reply from network devices to polling requests |
| SNMP Credentials | Authentication credentials for SNMP polling |
| SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID | Maps exporter IP address to SNMP management IP address, and points to corresponding credentials |
| SNMP service watchlist: MIB Name | Allows you to upload SNMP MIBs. OIDs from these MIBs will be available for building SNMP OIDs sets in NFO Module: 10103: SNMP Custom OID Sets Monitor |
| SNMP Trap Inputs: Port, Credentials ID | SNMP Port, SNMP Credentials ID. Note: for SNMPv3 make sure you specify Engine ID in Credentials. |

SNMP Credentials

Click on “> SNMP Credentials” to set up SNMP authentication, and press the button. In the popup screen select SNMPv2c or SNMPv3 and enter the corresponding authentication information.

You can add an unlimited number of Credentials entries.

SNMP service watchlist: Exporter IP, Management IP, Port, Credentials ID

Specify the mapping between Exporter IP and SNMP Management IP, the SNMP polling port number, and the reference to the Credentials ID created in the previous step.

When flow records are processed, if NFO Module 10003: SNMP Information Monitor is enabled, the Module queries this Service to get SNMP data, passing Exporter IP and Interface SNMP index as parameters. In turn, the SNMP Service polls the corresponding network device, using this mapping, and caches this information until it expires.

The following SNMP OIDs are polled:

  1. Interface index (ifIndex) - OID 1.3.6.1.2.1.2.2.1.1

  2. Interface description (ifDescr) - OID 1.3.6.1.2.1.2.2.1.2

  3. Interface type (ifType) - OID 1.3.6.1.2.1.2.2.1.3

  4. Size of the largest packet (ifMtu) - OID 1.3.6.1.2.1.2.2.1.4

  5. Interface bandwidth (ifSpeed), (ifHighSpeed) - OID 1.3.6.1.2.1.2.2.1.5, OID 1.3.6.1.2.1.31.1.1.1.15

  6. Interface physical address (ifPhysAddress) - OID 1.3.6.1.2.1.2.2.1.6

  7. Desired state of the interface (ifAdminStatus) - OID 1.3.6.1.2.1.2.2.1.7

  8. Operational state of the interface (ifOperStatus) - OID 1.3.6.1.2.1.2.2.1.8

  9. IP address to which this entry's addressing information pertains (ipAdEntAddr) - OID 1.3.6.1.2.1.4.20.1.1

  10. Index value which uniquely identifies the interface to which this entry is applicable (ipAdEntIfIndex) - OID 1.3.6.1.2.1.4.20.1.2

  11. Interface InetAddressType (ipAddressAddrType) - OID 1.3.6.1.2.1.4.34.1.1

  12. Interface InetAddress (ipAddressAddr) - OID 1.3.6.1.2.1.4.34.1.2

  13. The index value that uniquely identifies the interface to which this entry is applicable (ipAddressIfIndex) - OID 1.3.6.1.2.1.4.34.1.3

  14. Interface duplex status (dot3StatsDuplexStatus) - OID 1.3.6.1.2.1.10.7.2.1.19

  15. An index value that uniquely identifies an interface to an ethernet-like medium (dot3StatsIndex) - OID 1.3.6.1.2.1.10.7.2.1.1

  16. Interface name (ifName) - OID 1.3.6.1.2.1.31.1.1.1.1

  17. Interface alias (ifAlias) - OID 1.3.6.1.2.1.31.1.1.1.18

This Module (10003: SNMP Information Monitor) sends out SNMP information in syslog as follows:

May 22 11:04:51 10.0.5.9 May 22 11:04:51 ff:ff:00:01 nfc_id=20003 exp_ip=10.0.5.21 mgmt_ip=10.0.3.2 sysName=GW02.nfclab ifIndex=2 ifName="Fa0/1" ifDescr="FastEthernet0/1" ifType=6 ifMtu=1500 ifSpeed=100000000 ifPhysAddress=0016ffffffc7 ifIPAddress=

May 22 11:04:51 10.0.5.9 May 22 11:04:51 ff:ff:00:01 nfc_id=20003 exp_ip=10.0.5.24 mgmt_ip=10.0.5.24 sysName=HP-E2620-48-upper ifIndex=2 ifName="2" ifDescr="2" ifType=6 ifMtu=1500 ifSpeed=100000000 ifPhysAddress=ffffffecffff ifIPAddress=na
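Consuming this output on the receiving side, as an added example (not part of NFO): the parser extracts the key=value pairs, including quoted and empty values, and `mac_changes` reports when the same exporter and interface index is later seen with a different ifPhysAddress. The first two sample lines are the ones shown above; the third is constructed.

```python
import re

PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value, value optionally quoted
HDR = "May 22 11:04:51 10.0.5.9 May 22 11:04:51 ff:ff:00:01 nfc_id=20003 "
SAMPLE = [
    HDR + 'exp_ip=10.0.5.21 mgmt_ip=10.0.3.2 sysName=GW02.nfclab ifIndex=2 ifName="Fa0/1" '
    'ifDescr="FastEthernet0/1" ifType=6 ifMtu=1500 ifSpeed=100000000 '
    'ifPhysAddress=0016ffffffc7 ifIPAddress=',
    HDR + 'exp_ip=10.0.5.24 mgmt_ip=10.0.5.24 sysName=HP-E2620-48-upper ifIndex=2 '
    'ifName="2" ifDescr="2" ifType=6 ifMtu=1500 ifSpeed=100000000 '
    'ifPhysAddress=ffffffecffff ifIPAddress=na',
    # Constructed line: same exporter and interface index, different physical address.
    HDR + 'exp_ip=10.0.5.24 mgmt_ip=10.0.5.24 ifIndex=2 ifPhysAddress=0016aaaaaa01 '
    'ifIPAddress=na',
]

def parse_snmp_event(line):
    """Extract key=value pairs from one syslog line and normalise a few fields."""
    rec = {k: v.strip('"') for k, v in PAIR_RE.findall(line)}
    if rec.get("ifIPAddress") in ("", "na"):  # both forms appear in the samples
        rec["ifIPAddress"] = None
    for key in ("ifIndex", "ifType", "ifMtu", "ifSpeed"):
        if rec.get(key, "").isdecimal():
            rec[key] = int(rec[key])
    return rec

def mac_changes(lines):
    """Return (exp_ip, ifIndex, old, new) whenever an interface's ifPhysAddress changes."""
    seen, changes = {}, []
    for rec in map(parse_snmp_event, lines):
        key = (rec.get("exp_ip"), rec.get("ifIndex"))
        mac = rec.get("ifPhysAddress")
        if None in key or mac is None:
            continue
        if key in seen and seen[key] != mac:
            changes.append((*key, seen[key], mac))
        seen[key] = mac
    return changes
```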

SNMP service watchlist: MIB Name

If you’d like to use NFO for custom OIDs SNMP polling, perform the following:

  1. Upload your MIBs here:

  2. Build custom OID sets in NFO Module: 10103: SNMP Custom OID Sets Monitor