Incorrect traffic information in Netflow analyzer

Incorrect traffic information in Netflow analyzer

NetFlow Analyzer shows the information based on the flow Packets (NetFlow, sflow, Jflow, netstream etc..) exported by the device to the NetFlow Analyzer installed server.

We have seen many customers come with the issue that the Utilization information based on the interface is showing wrong in NetFlow Analyzer. It can be due to the below-mentioned reasons:

1.  Active Timeout:

NetFlow Analyzer shows the traffic information with 1 min granularity for real-time traffic details from the interface. If the device does not send traffic information every 1 min, you will get wrong utilization reports for the interface in NetFlow Analyzer.

To make sure that the device sends traffic information every 1 min, it is important to set the active timeout to 1 min or 60 sec (by default it is 5 mins or 1800 sec) in the device configuration.

2. Link Speed not set correctly:

NetFlow Analyzer auto-discover the device and its interfaces based on the flow packets exported by the device. Here we discover the device in NetFlow Analyzer with the source interface IP address configured in the device and interfaces as Ifindex with default speed set as 1 Mbps.

NetFlow Analyzer calculates the utilization based on the link speed. For example, if the link has the capability to handle 1 Mbps and the actual traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50 %. Here is the formula which explains the utilization calculation on NetFlow Analyzer.

Utilization = Actual Speed/Link Speed * 100

So if the link speed or the interface speed is not configured properly, you will get wrong utilization information. We use read-only SNMP community configured in the device to update the Device Name, Interface name and interface speed (Please click on the link for the steps)  or you can Manually update the interface Speed to get the Correct traffic information. ( Inventory -> Flow Analysis -> Interfaces -> Drill down -> Interface Details ).

3. Configuration Command issue:

There are multiple commands to enable NetFlow Export from the interface like "IP flow ingress" and "IP flow egress" and "IP flow monitor":

If your requirement is to monitor only single interface of the device, please enable both "IP flow ingress" and "IP flow egress" command in that particular interface alone.

If you are going to monitor multiple interfaces for the interface enable the command "ip flow ingress" alone in all the interfaces of the device.

4. Non-dedicated burstable bandwidth:

Certain ISPs allows you to use the allocated bandwidth depending on the other customers sharing that link. So, even though the max bandwidth is 2Mbps, the ISP may allow you to use even more based on availability. This also affects the accurate reporting on NetFlow Analyzer causing incorrect bandwidth utilization values and even more than 100%.

5. ESP and GRE traffic:

This is another reason for traffic to get double counted in NetFlow Analyzer. With NetFlow data, the tunnel traffic will be accounted as the normal traffic before encryption and again as the encrypted traffic. NetFlow Analyzer has an option to filter this kind of encrypted tunnel traffic from the reports. This option is available under Settings –> NetFlow -> Flow Filter Settings ->  ESP or GRE Filter.

6. Interface Bandwidth of IN interface and OUT interface:

Any analyzer tools calculate the OUT traffic of an interface based on the IN traffic of the interface that sends traffic to it. When traffic is passing from higher speed interface to lower speed interface, the calculation of OUT traffic from a higher speed IN traffic causes incorrect traffic utilization to be shown on the OUT traffic.

The above reason for more than 100 % utilization on OUT traffic can be resolved by enabling only “ip flow egress” on all the interfaces.

                    New to ADSelfService Plus?