
Overview of Network Traffic Flow Technologies - Video

Updated May 31, 2018

Overview

This video (7:11) introduces several network flow reporting technologies, discusses the advantages and limitations of each, and where it makes sense to use them.

 

 

This video is available in the following languages:  English

Environment

  • NTA

Video Transcription

Flow data is most commonly used to help troubleshoot bandwidth utilization issues, and answer questions about which applications drive network traffic. Long-term historical trends can offer key insights into how application traffic changes over time and impacts the network. Looking for patterns and changes in network traffic can also help uncover security issues. Knowing how endpoints communicate with each other can help us decide where best to place them. Understanding the path that application traffic takes through the network can help us decide how to make our network more robust and reliable.

A flow is the movement of data across a network from a source to a destination. That data includes headers to direct the movement, as well as an application payload. Flows are unidirectional, and described relative to the interface of the device. An "ingress" flow is being received by an interface; an "egress" flow is being transmitted to another interface.

That terminology may not match what you expect about traffic. A flow is one side of a conversation. Each side of a conversation is an endpoint, and is either a flow source or a destination. It's important to remember that each end of a network connection reports traffic relative to its own interface. A conversation includes flows in both directions between endpoints using a common application protocol. Traffic pairs represent several application conversations between the same endpoints.
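The pairing described above, as an added example that is not part of the video: unidirectional flow records are merged into conversations, rolled up into traffic pairs, and checked for conversations that were only ever reported in one direction. The flow records are constructed, and identifying the application by transport protocol and port pair is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample records (not from the video): each tuple is one
# unidirectional flow as an exporter would report it.
FLOWS = [
    # (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
    ("10.0.0.5", 51000, "192.0.2.10", 443, "tcp", 1200),
    ("192.0.2.10", 443, "10.0.0.5", 51000, "tcp", 48000),
    ("10.0.0.5", 51001, "192.0.2.10", 22, "tcp", 900),
    ("192.0.2.10", 22, "10.0.0.5", 51001, "tcp", 700),
    ("10.0.0.9", 40000, "192.0.2.10", 3389, "tcp", 60),  # no reply flow
]

def conversation_key(flow):
    """Direction-independent key: both flows of a conversation map to it."""
    src_ip, src_port, dst_ip, dst_port, proto, _ = flow
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    return (a, b, proto)

def build_conversations(flows):
    """Merge unidirectional flows, keeping a byte count per direction."""
    convs = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        direction = (flow[0], flow[2])  # (source IP, destination IP)
        convs[conversation_key(flow)][direction] += flow[5]
    return convs

def traffic_pairs(convs):
    """Roll conversations up to endpoint pairs, ignoring ports and protocol."""
    pairs = defaultdict(lambda: {"conversations": 0, "bytes": 0})
    for (a, b, _proto), directions in convs.items():
        pair = tuple(sorted([a[0], b[0]]))
        pairs[pair]["conversations"] += 1
        pairs[pair]["bytes"] += sum(directions.values())
    return dict(pairs)

def one_sided(convs):
    """Conversations where only one direction was ever reported."""
    return [key for key, directions in convs.items() if len(directions) == 1]
```

A one-sided conversation is worth a second look: it can mean the return path is not instrumented, or that a connection attempt was never answered.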

Grouping endpoints together can give us some insights into the communication between locations—whether those groups represent data centers, businesses, or customers.

Most network devices are instrumented with some kind of flow technology. The most common flow technologies are NetFlow, sFlow, IPFIX, and J-Flow. The most common versions of NetFlow are version 5 with a fixed format, and version 9, which implements extensible templates.

sFlow® was created and is led by InMon Corporation, and has evolved into an industry consortium with over 60 participating vendors.

IPFIX is an IETF standard for defining flow records; it is similar to but distinct from NetFlow version 9. It was influenced by Cisco's contribution and participation in the IETF working group. It's an independent standard with some important differences from NetFlow.

J-Flow v5 from Juniper® and NetStream v5 from Huawei® are closely similar to NetFlow version 5's fixed format. Both J-Flow and NetStream also support template-based versions.

If you look at the different types of flow technologies, there are two major categories of flow technologies: flow export and traffic sampling. Flow export technologies include NetFlow, IPFIX, and J-Flow. With flow export, IP flows are built and stored with timestamps onboard the network device, and then periodically exported to a collector.

Traffic sampling technologies like sFlow select and send sampled traffic frames immediately to a collector. Flow export technologies are more resource-intensive for the device exporting the flow, and for the network.

Traffic sampling depends upon reliable and accurate statistical sampling methods to present flow data.

Both of these methods offer access to the same common attributes to describe the source, the destination, and the protocol. This enables flow data from different technologies to be normalized and used to consistently represent traffic throughout the network.

Flow export technologies provide data based only on IP flows, and this makes them best suited for routed layer 3 networks. To gain visibility into switched layer 2 fabric, a sampled traffic technology like sFlow is ideal. sFlow is designed for switching networks. sFlow sends sampled, switched frames that include all of the frame headers for layer 2 and above.

Examining every packet that traverses an interface is promiscuous monitoring. Most flow export technologies support promiscuous monitoring, as well as some form of flow sampling. Promiscuous monitoring balances the resources required to examine every packet with the advantages of accuracy down to the conversation level. Promiscuous monitoring is processing and memory intensive, and requires that the collector must never miss an export, otherwise the data ends up skewed. High volumes of traffic with very diverse conversations can drive enormous rates of flow records.

Statistical sampling is much lighter weight on the device and on the network, but offers much less granularity at the conversation level. It’s ideal for switching environments where the traffic volumes are high. As traffic volumes rise, the total number of samples rises, and the accuracy of the traffic data in aggregation also increases. Missing a sample has little or no effect on accuracy, because the accuracy depends on the total number of samples collected. The accuracy of sampled data can be reliably and simply calculated. To learn more about traffic sampling and packet sampling theory, visit sflow.org.
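
The accuracy calculation mentioned above, as an added example that is not part of the video. It uses the bound from the packet sampling theory published on sflow.org, which the video does not state: with 95% confidence, the relative error of a traffic class is at most 196 × sqrt(1/c) percent, where c is the number of samples seen in that class. The class labels and sampling rate are constructed.

```python
import math
from collections import Counter

def error_bound_pct(samples):
    """95%-confidence bound on relative error for a class with `samples` hits."""
    if samples < 1:
        raise ValueError("need at least one sample in the class")
    return 196.0 * math.sqrt(1.0 / samples)

def samples_needed(max_error_pct):
    """Samples a class must accumulate before its error bound is acceptable."""
    return math.ceil((196.0 / max_error_pct) ** 2)

def estimate_classes(sampled_labels, sampling_rate):
    """Scale per-class sample counts to packet estimates with error ranges."""
    out = {}
    for label, c in Counter(sampled_labels).items():
        err = error_bound_pct(c)
        est = c * sampling_rate              # 1-in-N sampling: scale by N
        out[label] = {
            "samples": c,
            "packets": est,
            "error_pct": err,
            "low": max(0.0, est * (1 - err / 100)),
            "high": est * (1 + err / 100),
        }
    return out

# Constructed input: application labels of frames sampled at 1-in-1000.
SAMPLED = ["https"] * 10000 + ["dns"] * 400 + ["telnet"] * 4
REPORT = estimate_classes(SAMPLED, sampling_rate=1000)

def trustworthy(report, max_error_pct=10.0):
    """Classes whose estimate is tight enough to compare against a threshold."""
    return sorted(k for k, v in report.items() if v["error_pct"] <= max_error_pct)
```

The four telnet samples scale to an estimate of 4,000 packets with an error bound of 98%, so a volume threshold on that class says very little, while losing one of the 10,000 https samples changes its bound by about 0.0001 percentage points.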

A flow analysis system includes several components. Flow records are generated and then forwarded to one or more flow collectors. The collector consolidates the metadata, normalizes different kinds of flow data, and stores the flow record. For flow export devices, much of the flow information is created and stored in memory before being forwarded. For traffic sampling devices, the majority of the work is done in hardware, and the flow sample is forwarded immediately. With traffic sampling, the resource demands on the device are much lower, but for the collector they are much higher.
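
For the flow export case, where a missed export skews the data, a collector can check each datagram and measure loss itself. The following is an added example, not SolarWinds code and not from the video: it parses the fixed NetFlow version 5 layout (24-byte header, 48-byte records, per the published v5 export format) and uses the header's flow sequence counter to count flows that never arrived. `make_export` builds constructed test datagrams.

```python
import struct

HEADER = struct.Struct("!HHIIIIBBH")               # 24-byte v5 header
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")    # 48-byte v5 flow record
MAX_RECORDS = 30                                   # v5 limit per datagram

def parse_v5(datagram):
    """Validate one export datagram; return (flow_sequence, records)."""
    if len(datagram) < HEADER.size:
        raise ValueError("short header")
    hdr = HEADER.unpack_from(datagram)
    version, count, seq = hdr[0], hdr[1], hdr[5]
    if version != 5:
        raise ValueError("not NetFlow v5")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError("implausible record count")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match record count")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"src": f[0], "dst": f[1], "packets": f[5], "octets": f[6],
                        "src_port": f[9], "dst_port": f[10], "proto": f[13]})
    return seq, records

class SequenceTracker:
    """Counts flows lost between exports from a single exporter."""
    def __init__(self):
        self.expected = None
        self.lost = 0

    def update(self, seq, count):
        if self.expected is not None:
            gap = (seq - self.expected) % 2**32    # 32-bit counter wraps
            if gap >= 2**31:                       # late or repeated datagram
                return self.lost
            self.lost += gap
        self.expected = (seq + count) % 2**32
        return self.lost

def make_export(seq, count):
    """Constructed test datagram: `count` identical TCP/443 flow records."""
    rec = RECORD.pack(0x0A000005, 0xC000020A, 0, 1, 2, 10, 1500, 0, 0,
                      51000, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return HEADER.pack(5, count, 0, 0, 0, seq, 0, 0, 0) + rec * count
```

Keep one tracker per exporter address, and treat a rising loss count as a data-quality alarm for every report built on that exporter's flows.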

Flow applications query and present stored flow records, and can be a simple tabular or chart view, or a more elaborate visual representation of the relationships between endpoints. 

In any environment, there are flow export sources like NetFlow and J-Flow available from routers, and traffic sampling sources like sFlow available from switch fabric. There may also be IPFIX sources available.

SolarWinds® Netflow Traffic Analyzer can consume any of these, and normalize them to store flow data by interface. You should consider all available sources of flow, and collect along the major traffic paths in your network.

To manage sources of flow data, you can use an automation tool such as SolarWinds Network Configuration Manager to standardize and deploy device configuration.

Many collectors distribute inbound flows across multiple processors; you can simplify the flow destination configuration by using a load-balancing infrastructure.

Setting up flow collection follows the same basic process, although the mechanics differ between devices. For flow export, you need to configure the collection and composition of the flow record, and then configure the conditions and timing for the export. For traffic sampling, you configure the sampling rate for each interface. For both, you configure the destination to send flow records.

There are recommendations for sampling rates, and some of the commands for specific devices, on the sFlow consortium home page at sflow.org.

 

 
