Interpret bandwidth graphs from source

[FoUStep]

Currently trying to interpret the bandwidth graphs from our source (two routers).

At some points the amount of Bytes is reaching 285.1 G, how do I interpret this? Is this a total of all flows? Or is this the total amount of the all the flows that are ended? I've been looking at the documentation (Understanding Network Flows and the Backend and View to no avail).

Can anyone give a detailed explanation how to read these graphs? See also my attachment.

Some information:
We have a 10 Gb backbone, so we are trying to see where the data all fits.

[bwallace]

The source bandwidth graph is the cumulative bandwidth of all flows (NetFlow or sFlow) being recorded. If your source has just one server sending flow data then it's simply the aggregated bandwidth (ingress and egress) for that server. If the source is collecting data from multiple hosts then it's the aggregated bandwidth of all of them. In your case, the devices submitting flow data are routers so it will be the aggregated flow data of all the traffic you've defined as "interesting" on those routers.

[FoUStep]

The source bandwidth graph is the cumulative bandwidth of all flows (NetFlow or sFlow) being recorded. If your source has just one server sending flow data then it's simply the aggregated bandwidth (ingress and egress) for that server. If the source is collecting data from multiple hosts then it's the aggregated bandwidth of all of them. In your case, the devices submitting flow data are routers so it will be the aggregated flow data of all the traffic you've defined as "interesting" on those routers.

Yeah I kind of figured that, but will it show duplicate flows (so a trafficflow from IP 10.0.0.1 to 10.0.0.2 on port 80 within an sFlow traffic packet (from Router 1) to Source A, and a trafficflow from IP 10.0.0.1 to 10.0.0.2 on port 80 within an sFlow trafficpacket to Source A (from Router 2)?

If that flow is 5 GB for example, the end result will be 10 GB of data from just 1 flow (which is not correct).

[tgriep]

If you are sending flows from 2 different devices to one source on the Network Analyzer and then send 5 Gig of data between those 2 devices, then the graph will show 10 Gig total as the data different.
The data will have different time stamps, etc as it traverses through the different devices and that it why it shows twice as large.
You may want to setup one source per device so you will get what you are looking for.

[tmcdonald]

I'll need to ask the developers about this, but I believe you may be correct about that behavior. If you don't hear an update from us by early next week, feel free to bump this thread.

[tmcdonald]

Just got back from the devs:

If they are both going to the same source then yeah they will be stacked ... as in both will send the same netflow data essentially

So pretty much what we had thought. Unfortunately the only way I can think to get around this entirely is to make sure that only one device is sending flow data for each network segment, so instead of (for example) 1 router with 3 connected switches all sending data, just do it for each switch and leave out the router. Probably not a perfect solution (some data going into the router might not hit any of those switches) but it helps a lot with the duplication.

[FoUStep]

Just got back from the devs:

If they are both going to the same source then yeah they will be stacked ... as in both will send the same netflow data essentially

So pretty much what we had thought. Unfortunately the only way I can think to get around this entirely is to make sure that only one device is sending flow data for each network segment, so instead of (for example) 1 router with 3 connected switches all sending data, just do it for each switch and leave out the router. Probably not a perfect solution (some data going into the router might not hit any of those switches) but it helps a lot with the duplication.

We are using sFlow from Brocades, I cannot create 150 new sources in NNA for all switches because it would require to change the UDP port of sFlow on all of my devices since it has to be unique. It would be useful if we can keep the port 6343 (UDP sFlow) for all 150 devices. Can anyone make this a feature request of some kind...?

[tgriep]

Try adding the sender IP addresses for the source and see if you can filter on that.

Sender IP Address(es): Use this to internally show what IP address(es) of switches, routers, or servers are sending to this source.

[FoUStep]

Try adding the sender IP addresses for the source and see if you can filter on that.

Sender IP Address(es): Use this to internally show what IP address(es) of switches, routers, or servers are sending to this source.

I am using this but I have no idea where to apply the filter to?

[tgriep]

I found out that filtering on the sender IP address isn't implemented yet.

If you monitor the endpoint routers in your network and not every router/switch in the path, that would be the only way to get the data to show how you want it to.
Doing that will minimize the duplicate data captured by Network Analyzer.