Help NetFlow Verifying Flows

Verifying if Site24x7 has received flows from your devices

For NetFlow analysis, you need to configure your devices to export flows to Site24x7's On-Premise Poller, which is the NetFlow collector. Site24x7 is a flow analyzer that processes raw data and presents it in intuitive formats for easy interpretation.

In flow export configuration, if you get the message "No flows received," it means that On-Premise Poller hasn't received any flows.

You can check this by:

Verifying the port

To troubleshoot, you have to first ensure that the NetFlow Port is not blocked by a firewall or used by any other service. The On-Premise Poller will be listening to the particular port to receive flows, which is why a proper port number should be configured for every flow export. Port numbers may vary with On-Premise Pollers, so it's important to mention the correct port number used by the associated On-Premise Poller.

The default port for NetFlow export is 9996. However, when an On-Premise Poller initializes, if it finds that the port is already occupied by another service, then the On-Premise Poller will use an alternative port, like 9997 or 9998.

You can view the port number by navigating to Admin > Inventory > Add Monitor > Flow Export (under NetFlow) > On-Premise Poller.

Verify On-Premise POller port

The NetFlow port corresponding to your On-Premise Poller is listed here. Copy this port number, and use for flow export configuration.

Creating Inbound Rule to allow the NetFlow port in Windows Firewall

Your Windows Firewall could be blocking flows to the On-Premise Poller if the firewall port is not whitelisted or allowed. To resolve this:

  1. Create an Inbound Rule for the UDP protocol and 9996 port in the machine in which your On-Premise Poller is installed.
  2. Restart the On-Premise Poller.
  3. Export flows from your NetFlow device and retry adding it in Site24x7.

Verifying using Wireshark

You can verify if flows are received by Site24x7 On-Premise Poller using the steps below:

  1. Install the latest version of Wireshark.
    • For Windows, you can download from Wireshark's official website.
    • For Linux, you can install using the following commands:
      apt install wireshark
  2. Run Wireshark with admin/root privileges.
  3. Select the required interfaces and Start Capture (double click, press Enter, or right-click to Start Capture).

    Start capture
  4. Filter the flows from UDP port 9996 by entering udp.port == 9996. Click Enter.

    Filter the port
  5. Once the filter is applied, only the flow packets exported through this port will be listed.
    • If your search result is empty, it means that the flows exported are not received by the machine in which Site24x7 On-Premise Poller is installed.
    • If you view filtered packets, you have to ensure that they are flow packets. Check the name of the protocol against the packets. If it's CFLOW or sFlow, then click and expand the packets, and ensure that flow data is present.

      Verify flow data
  6. If the protocol is shown as UDP, then follow the steps below:
    • For NetFlow v5, v9, IPFIX: Click Analyze > Decode. In the dialog box that opens, select the following from the respective drop-down menus:
      • Field: UDP port
      • Value: 9996
      • Current: CFLOW

        Decode and check
    • For sFlow: Under Current, select sFlow from the drop-down menu.
  7. If your flows are sFlow packets, then two types of packets will be received:
    • Counter samples: A type of sFlow sampling in which a polling interval defines how often the network device sends interface counters.
    • Flow samples: This is also a type of sFlow sampling but it has a defined sampling rate. Here, an average of 1 out of N packets/operations is randomly sampled.

      Flow samples are important for analyzing flows. This is why you need to make sure that you receive both these samples when you expand and check.

      Check both the samples
  8. If the flows are not received or if they fail any of the conditions mentioned in steps 5, 6, or 7, then this indicates an issue with receiving flows.

    Recheck if you have configured your device properly.

    If you don't find your device in the above list, or if the steps are not working on your device, please contact your device vendor's support portal for help with configuration.
  9. If the above steps work, and you verfied using Wireshark but still Site24x7 isn't receiving any flows, then try the following:
    • Ensure that the NetFlow port is allowed in the Windows Firewall if you are using a Windows On-Premise Poller.
    • Install a new On-Premise Poller and add devices using it. 
    • If the same issues continue, contact us with the details mentioned below.
  10. If the above steps 1-8 did not work for you, contact with the following details:
    • Vendor and model of the device for which you wish to monitor flows
    • The type of flow
    • Steps that you tried and where you failed
    • Network and On-Premise Poller logs
    • Wireshark packet captured: Export and save the data captured using Wireshark, and attach it for us to troubleshoot
Was this document helpful?
Thanks for taking the time to share your feedback. We’ll use your feedback to improve our online help resources.

Help NetFlow Verifying Flows