Incorrect traffic information in NetFlow Analyzer

NetFlow Analyzer reports traffic based on the flow packets (NetFlow, sFlow, J-Flow, NetStream, etc.) that the device exports to the server on which NetFlow Analyzer is installed.

We have seen many customers report that the interface utilization shown in NetFlow Analyzer is wrong. This can be due to the reasons below:

1. Active Timeout:

NetFlow Analyzer shows the traffic information with 1 min granularity for real-time traffic details from the interface. If the device does not send traffic information every 1 min, you will get wrong utilization reports for the interface in NetFlow Analyzer.

To make sure that the device sends traffic information every 1 min, it is important to set the active timeout to 1 min or 60 sec (by default it is 5 mins or 1800 sec) in the device configuration.

2. Link Speed not set correctly:

NetFlow Analyzer auto-discovers the device and its interfaces based on the flow packets exported by the device. The device is discovered under the source interface IP address configured on the device, and its interfaces are listed by ifIndex with the default speed set to 1 Mbps.

NetFlow Analyzer calculates the utilization based on the link speed. For example, if the link has the capability to handle 1 Mbps and the actual traffic passing through an interface is about 512 Kbps, the utilization graph in NetFlow Analyzer displays the traffic percentage as 50 %. Here is the formula which explains the utilization calculation on NetFlow Analyzer.

Utilization = Actual Speed/Link Speed * 100

So if the link speed or the interface speed is not configured properly, you will get wrong utilization information. NetFlow Analyzer uses the read-only SNMP community configured on the device to update the device name, interface name and interface speed, or you can manually update the interface speed to get the correct traffic information (Inventory -> Flow Analysis -> Interfaces -> Drill down -> Interface Details).
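The following sketch is an added example, not ManageEngine code. It combines the active timeout behaviour from reason 1 with the utilization formula above to show how a steady flow turns into a spike. It assumes a simplified collector that credits every bit in a flow record to the 1-minute bucket in which the record arrives, and takes 1 Mbps as 1024 Kbps so that 512 Kbps matches the article's 50 % figure; all function names are hypothetical.

```python
BUCKET_SEC = 60  # 1-minute granularity stated in the article


def export_records(rate_bps, duration_sec, active_timeout_sec):
    """Return (export_time_sec, bits) records for one long-lived flow.

    The exporter flushes the flow's counters every active_timeout_sec
    and once more when the flow ends.
    """
    records, start = [], 0
    while start < duration_sec:
        end = min(start + active_timeout_sec, duration_sec)
        records.append((end, rate_bps * (end - start)))
        start = end
    return records


def utilization_per_minute(records, link_speed_bps, total_sec):
    """Assumed collector model: a record's bits land in its arrival minute.

    Utilization = Actual Speed / Link Speed * 100, computed per bucket.
    """
    buckets = [0] * (total_sec // BUCKET_SEC)
    for export_time, bits in records:
        idx = min((export_time - 1) // BUCKET_SEC, len(buckets) - 1)
        buckets[idx] += bits
    return [bits / BUCKET_SEC / link_speed_bps * 100 for bits in buckets]


def simulate(active_timeout_sec):
    """Constructed scenario: 512 Kbps flow for 30 minutes on a 1 Mbps link."""
    rate_bps, link_bps, duration = 512_000, 1_024_000, 1800
    records = export_records(rate_bps, duration, active_timeout_sec)
    return utilization_per_minute(records, link_bps, duration)


if __name__ == "__main__":
    for timeout in (60, 300, 1800):
        util = simulate(timeout)
        empty = sum(1 for u in util if u == 0)
        print(f"active timeout {timeout:>4}s: peak {max(util):7.1f} %, "
              f"{empty} of {len(util)} minutes show 0 %")
```

With a 60-second timeout every minute reports the true 50 %; with longer timeouts the same traffic appears as empty minutes followed by a bucket far above 100 %.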

3. Configuration Command issue:

There are multiple commands to enable NetFlow export from an interface, such as "ip flow ingress", "ip flow egress" and "ip flow monitor":

If your requirement is to monitor only a single interface of the device, enable both the "ip flow ingress" and "ip flow egress" commands on that particular interface alone.

If you are going to monitor multiple interfaces of the device, enable the command "ip flow ingress" alone on all the interfaces of the device.

4. Non-dedicated burstable bandwidth:

Certain ISPs allow you to use the allocated bandwidth depending on the other customers sharing that link. So, even though the maximum bandwidth is 2 Mbps, the ISP may allow you to use more based on availability. This also affects the accuracy of reporting in NetFlow Analyzer, causing incorrect bandwidth utilization values, including values above 100%.

5. ESP and GRE traffic:

This is another reason for traffic to get double counted in NetFlow Analyzer. With NetFlow data, the tunnel traffic is accounted for once as normal traffic before encryption and again as encrypted traffic. NetFlow Analyzer has an option to filter this kind of encrypted tunnel traffic from the reports. This option is available under Settings -> NetFlow -> Flow Filter Settings -> ESP or GRE Filter.

6. Interface Bandwidth of IN interface and OUT interface:

Any analyzer tool calculates the OUT traffic of an interface based on the IN traffic of the interface that sends traffic to it. When traffic passes from a higher-speed interface to a lower-speed interface, calculating OUT traffic from the higher-speed IN traffic causes incorrect utilization to be shown for the OUT traffic.

This cause of more than 100% utilization on OUT traffic can be resolved by enabling only "ip flow egress" on all the interfaces.

