Normal Operations

Replication

During normal operation the Flow Replicator replicates incoming packets to all configured collectors in enabled profiles. At any time, executing show realtime displays each exporter's inbound and outbound packet rates and totals.

Alarming

The Flow Replicator actively tracks the number of packets received, the number of packets sent, and the state of every exporter and collector. An alarm is generated and a syslog message is sent if an exporter stops sending packets or a collector becomes unreachable.

By default, the Flow Replicator is configured to stop replicating traffic to collectors that are considered offline. Replication will resume once the collector is reachable.

Dropped packets

The Flow Replicator examines the netstat details of each interface in each direction (Rx and Tx) once every minute. When the OS reports interface drops, a syslog alarm is sent to the server configured in the Notifications section of the settings tab.

The counting system used by the web interface to track the number of packets traversing the Replicator uses tcpdump instead of netstat and cuts its counts off at fixed time intervals. As a result, the web interface may show packets counted inbound that have not yet been counted outbound. The counters increment close to real time, but not instantly. The web interface metrics are a good reference point for packet activity, but not for drops. In addition to device state and dropped packets, the Flow Replicator sends a notification if CPU usage is high or a process terminates abnormally.
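As an added illustration of the per-minute drop check described above (this is not Plixer's code): parse two successive netstat -i samples, compare each interface's RX-DRP and TX-DRP counters, and build the alarm text that would go to syslog. The netstat output and the message wording are constructed for the example.

```python
from typing import Dict, List, Tuple

DropCounts = Dict[str, Tuple[int, int]]  # iface -> (RX-DRP, TX-DRP)
# Constructed sample `netstat -i` output: two samples taken a minute apart.
SAMPLE_T0 = """\
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1204455      0      3      0  1198020      0      0      0 BMRU
eth1      1500   903311      0      0      0   902870      0      7      0 BMRU
"""
SAMPLE_T1 = """\
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1305901      0     18      0  1299404      0      0      0 BMRU
eth1      1500   980042      0      0      0   979610      0      7      0 BMRU
"""

def parse_netstat_i(output: str) -> DropCounts:
    """Per-interface (RX-DRP, TX-DRP) counters from `netstat -i` text. Column
    positions come from the header, so the optional `Met` column is harmless."""
    counts: DropCounts = {}
    rx_idx = tx_idx = None
    for line in output.splitlines():
        fields = line.split()
        if fields and fields[0] == "Iface":
            rx_idx, tx_idx = fields.index("RX-DRP"), fields.index("TX-DRP")
        elif fields and rx_idx is not None:  # skips blanks and the banner line
            counts[fields[0]] = (int(fields[rx_idx]), int(fields[tx_idx]))
    return counts

def detect_new_drops(previous: DropCounts, current: DropCounts) -> List[Tuple[str, str, int]]:
    """(iface, direction, delta) for every counter that grew since the last sample.
    A first sighting or a counter that went backwards (reset) is a new baseline."""
    alarms = []
    for iface, (rx, tx) in current.items():
        prev_rx, prev_tx = previous.get(iface, (rx, tx))
        if rx > prev_rx:
            alarms.append((iface, "Rx", rx - prev_rx))
        if tx > prev_tx:
            alarms.append((iface, "Tx", tx - prev_tx))
    return alarms

def alarm_message(alarm: Tuple[str, str, int]) -> str:
    """Syslog text for one alarm (wording is ours, not Plixer's actual format)."""
    iface, direction, delta = alarm
    return f"Flow Replicator: {delta} new {direction} drops on {iface} in the last minute"

if __name__ == "__main__":
    for a in detect_new_drops(parse_netstat_i(SAMPLE_T0), parse_netstat_i(SAMPLE_T1)):
        print(alarm_message(a))
```

Keeping only the previous sample in memory is enough; a counter that moves backwards after a reboot simply becomes the new baseline rather than a negative delta.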

The following settings control alarming capabilities in the Flow Replicator.

  • downDisplayHour : The number of hours before an incoming stream is automatically acknowledged as being down. Default is 24 hours.
  • flowStopAlert : The number of minutes an incoming stream must stop or a collector is unreachable before it is considered down.
  • highCPUThreshold : Send alerts about the CPU when its usage exceeds this percentage. Default is 90%.
  • noRepWhenDown : If ping is enabled and a collector is unreachable, stop replicating data to that device. Replication will continue when the collector begins to respond to pings.
  • notificationSent : Send Replicator Alert and Notification Syslogs to the SERVER and Port specified.
  • pingCollectors : If enabled, the Plixer replicator will routinely check the configured collectors for availability.

Use the setting CLI command to change the global alarming behavior.

Plixer’s Scrutinizer Incident Response System includes policies for all possible alarms from the Flow Replicator.

Reporting

The show and list commands offer several options for generating reports from live data. Additionally, the Flow Replicator can export replication statistics as IPFIX to a Flow Collector.

  • metricsSent : Export Replicator Statistics and Metrics to an IPFIX Collector on the specified Collector IP and Port Number.

Use the setting command to manage IPFIX metrics.

A profile can be set up to send IPFIX metrics to multiple collectors by configuring the metricsSent option to send metrics back to the Flow Replicator on a certain port (e.g. 10.1.4.66:2003). A profile that receives on that port then replicates the metrics to each of its collectors, as in the example below.

+--------------------------------+-----------------------------------------+
| replicator_metrics             | IN PORT 2003 -> OUT PORT 2056
+--------------------------------+-----------------------------------------+

 Policies                     Exporters     ->    Collectors
 (include) 0.0.0.0/0          10.1.4.66           10.1.10.1
                                                  10.1.4.20

+--------------------------------+-----------------------------------------+
Done in 0.00897 secs

Plixer’s Scrutinizer Incident Response System supports several reports for the Flow Replicator. For additional information on reporting, see the section of this manual on the show command.