25 Replies Latest reply: Apr 18, 2012 8:01 AM by radekn

95th Percentile Bandwidth Utilization using Netflow

Mattyo

I have a customer that is interested in obtaining 95th percentile values in Kbps/Mbps using the NTA product.  The catch is that they would like to do it per IP group. 

For example, they would like to get a single value for 95th percentile bandwidth inbound to 172.16.1.0/24.

Is there any way to do this using the product?

Thanks,

Matt

  • Re: 95th Percentile Bandwidth Utilization using Netflow
    radekn

    Hi,

    It is currently not possible in NTA 3.8 to get the 95th percentile via Web UI charts.

    However, you can create a custom report by using Report Writer.

    I attached unofficial 95th percentile reports for IP Groups. Values are presented in Bps (bytes per second) only.

    [View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports.zip]

    Installation of reports:

    Copy the files with the OrionReport extension into the reports directory (../Orion/Solarwinds/Reports) on the main poller and additional web sites.

    Please let me know your questions and comments about the attached reports.

     

    Thanks

    Regards radek

    • Re: 95th Percentile Bandwidth Utilization using Netflow
      Mattyo

      Thanks Radekn.  This works great.  Do you know if there will be support for this type of functionality in the GUI in the future? 

      Another thing I was interested in is using IP groups, but only to track a specific conversation, for example 172.16.1.1 to 192.168.1.1.  Is this possible using IP groups right now? 

      I guess what my question is, how do IP groups work?  For example when I enter two subnets in a single group:

      172.16.1.1/24

      192.168.1.1/24

      Does the flow have to match both subnets to fall under this IP group or just one?  It seems like there should be a way to specify the logical AND or the logical OR for the group.

      • Re: 95th Percentile Bandwidth Utilization using Netflow
        radekn

        Hi Mattyo,

        The 95th percentile in the GUI is on the list of customer feature requests.

        I attached a new 95th percentile IP Groups report which supports an IP conversation filter (from Source IP to Destination IP).

        If you have two subnets in a single group, then a flow has to match at least one subnet in order to fall under this IP group.

        It is the logical OR.

        Please let me know any other questions or comments.

        Thanks

        Regards radekn
        [View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports-v2.zip]

        • Re: 95th Percentile Bandwidth Utilization using Netflow
          Mattyo

          Hi Radekn,

          For the "last month" report, is that using data from the last calendar month (say you ran a report on July 15, it would report on data from June 1 - 30) or is it by the last 30 days (running report on July 15 gets you data from June 15 - July 15) or none of the above?


          Thanks,

          Matt

          • Re: 95th Percentile Bandwidth Utilization using Netflow
            radekn

            Hi Mattyo,

            In your example the "last month" report will show data for the whole previous month (from June 1 - 30).

            If you want to see data for the last 30 days, from June 15 - July 15, then you will need to have a new report prepared.

            You can create the new report for the last 30 days by copying the report for the last 7 days and modifying (with ReportWriter) the start time variable (from SET @StartTime=GETDATE()-7 to SET @StartTime=GETDATE()-30).

             

            Regards

            radekn

            • Re: 95th Percentile Bandwidth Utilization using Netflow
              Mattyo

              Hi Radekn,

               

              Another question for you.  In looking at the report for live traffic (for the current month), these are the numbers that I am getting:

               

              This is for private addresses.

              Ingress           Egress             Total

              36364959    39829696        36364959  

               

              This doesn't make sense to me, that the total is equal to ingress traffic.  Could you please explain what the total field means and how it is computed? 

              My setup is 4 Cisco routers with ip flow ingress and egress configured on a single interface (logically the "inside" interface) streaming data to the SolarWinds collector.

              • Re: 95th Percentile Bandwidth Utilization using Netflow
                radekn

                Hi Mattyo,

                Yes, this is a bug in the report. I fixed it and attached a new version of the report.
                I also added the maximum 95th percentile (the percentile of maximum values from both Ingress and Egress traffic).

                Please let me know any other questions you have.

                thanks

                Regards radekn


                [View:/cfs-file.ashx/__key/CommunityServer.Components.UserFiles/00.00.04.58.27/95-percentile-reports-v3.zip]

                • Re: 95th Percentile Bandwidth Utilization using Netflow
                  Mattyo

                  Hi Radekn,

                   

                  In the new version of the reports the ingress traffic is identical to egress traffic.  The total works fine, but I am curious as to why this is happening as I was expecting the traffic to be quite asymmetric (much more traffic going out versus coming in).  Any thoughts?

                   

                  Thanks,

                  Matt

                  • Re: 95th Percentile Bandwidth Utilization using Netflow
                    radekn

                    Hi Mattyo,

                    Can you send me an example screenshot (NTA web page) where the traffic is asymmetric, please?

                    Thanks

                    Regards Radekn

                    • Re: 95th Percentile Bandwidth Utilization using Netflow
                      Mattyo

                      Hi Radekn,

                      Here is what the SolarWinds UI is looking like.  Router 1 is the Netflow exporter.  All the traffic captured in the IP Groups in the 95th percentile ip group report are going through this router.  It is thought that ingress and egress traffic are going to look different, rather than identical as in the report.  I think a previous version (the one that displayed units only in bps) had different values.  The scenario here is that Group 1 has a list of public IP addresses of http servers.  We want to know the breakdown of the web traffic for each group of web servers from users coming over the internet.

                      Router1                                            2/15/12 4:30 PM    never
                      GigabitEthernet0/0 · Outside/ISP interface         4.49 Mbps     11.01 Mbps    2/15/12 4:31 PM    never
                      Up  GigabitEthernet0/1 · Inside Interface          11.07 Mbps    4.74 Mbps     2/15/12 4:31 PM    never
                      Up  Tunnel1 · VPN Tunnel 1                         62.92 Kbps    6548.09 bps   2/15/12 4:31 PM    never
                      Up  Tunnel2 · VPN Tunnel 2                         14.6 Kbps     21.05 Kbps    2/15/12 4:31 PM    never
                      Up  Tunnel3 · VPN Tunnel 3                         130.78 Kbps   136.2 Kbps    2/15/12 4:31 PM

                      Here is an excerpt of the 95th percentile report.  It is strange to me that ingress bps and egress bps are equivalent.

                      95 Percentile Per IP Group - This Month

                                          
                      Name       Ingress bps    Egress bps     Total bps     Maximum bps
                      Group 1    667.3 Kbps     667.3 Kbps     1.3 Mbps      667.3 Kbps
                      Group 2    2950.0 bps     2950.0 bps     5900.0 bps    2950.0 bps

                      • Re: 95th Percentile Bandwidth Utilization using Netflow
                        Mattyo

                        I also am wondering if it would be possible to get a 95th percentile bandwidth utilization report by IP Group but also by interface for a certain time period. 

                        • Re: 95th Percentile Bandwidth Utilization using Netflow
                          Mattyo

                          Any thoughts on this radekn?

                          • Re: 95th Percentile Bandwidth Utilization using Netflow
                            radekn

                            Hi Mattyo,

                            This report was built on the IP groups report, which by definition puts Source IPs and Destination IPs together.

                            It does not separate traffic received and transmitted by the IP group; it displays total traffic = (Received + Transmitted) by IP address group per interface, with the specific interface's flow direction (Ingress/Egress).

                            For example, communication between two endpoints A and B, where A belongs to Group1, will be calculated as:

                            Group1:  A

                            Communication between two endpoints:

                            from A to B  sent 10 bytes
                            from B to A  sent 10 bytes
                            -------------------------------
                            then Group1 total traffic = 20 bytes

                            Group1 acted as source (transmitter) = 10 bytes
                            Group1 acted as destination (receiver) = 10 bytes

                            To separate this (A to B and B to A), this report will need to be modified.

                            Please check the link to the new reports and let me know if it is what you need.

                            95th Percentile Bandwidth Utilization using Netflow- IPGroups-Pxx1h

                            The new report mixes the original report with additional information by source and destination traffic.

                            It represents three NTA resources: "Top XX IP Address Groups", "Top XX Source IP Address Groups" and "Top XX Destination IP Address Groups".

                            The report presents source/destination and Ingress/Egress traffic.

                            -          Ingress/Egress flow traffic per interface.

                            -          Source/Destination traffic is traffic between two endpoints (source IP and destination IP).

                            Destination traffic means that endpoints which belong to the IP address group were receiving traffic from others (traffic which was sent to the IP address group).

                            Source traffic means that endpoints from the IP address group were sending data to others (traffic received by Group).

                            Source and Destination traffic is then divided into Ingress and Egress, so it is possible to see Source/Destination traffic via interfaces in the Ingress or Egress flow direction.

                            The report can also display nodes together with interfaces, nodes only or overall summaries. Check the report's SQL header section for the possible filter choices.

                            Please let me know any other questions.


                            Regards Radekn
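
Added example (not part of the thread and not SolarWinds code): a Python sketch of the accounting radekn describes above, where a flow falls into an IP group when either endpoint matches any of the group's subnets (logical OR) and the group's bytes are split into "acted as source" and "acted as destination". The flow records, the outside addresses and all function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed flow record: source IP, destination IP, byte count.
Flow = namedtuple("Flow", "src dst octets")

def make_group(cidrs):
    """Parse a group's subnets. strict=False accepts host-style entries
    such as 172.16.1.1/24, as typed in the thread."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def in_group(ip, group):
    """Logical OR: the address matches if ANY subnet of the group contains it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)

def group_traffic(flows, group, conversation=None):
    """Return bytes for one IP group: total, as source, as destination.

    conversation: optional (src_ip, dst_ip) pair; when given, only flows
    from exactly that source to that destination are counted.
    """
    stats = {"total": 0, "as_source": 0, "as_destination": 0}
    for f in flows:
        if conversation and (f.src, f.dst) != conversation:
            continue
        src_in = in_group(f.src, group)
        dst_in = in_group(f.dst, group)
        if not (src_in or dst_in):
            continue  # neither endpoint belongs to the group
        # Choice made by this example: a flow with both endpoints in the
        # group is counted once in the total.
        stats["total"] += f.octets
        if src_in:
            stats["as_source"] += f.octets
        if dst_in:
            stats["as_destination"] += f.octets
    return stats

# Constructed sample data: A is in Group1, B is an outside host.
A, B = "172.16.1.10", "203.0.113.5"
GROUP1 = make_group(["172.16.1.1/24", "192.168.1.1/24"])
FLOWS = [
    Flow(A, B, 10),                # A to B sent 10 bytes
    Flow(B, A, 10),                # B to A sent 10 bytes
    Flow("198.51.100.7", B, 99),   # unrelated traffic, ignored
]

if __name__ == "__main__":
    print(group_traffic(FLOWS, GROUP1))
    print(group_traffic(FLOWS, GROUP1, conversation=(A, B)))
```

Ingress and Egress in the reports are a separate dimension (the flow direction on the exporting interface) and are not modelled here.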

                            • Re: 95th Percentile Bandwidth Utilization using Netflow
                              Mattyo

                              Hi Radekn,

                               

                              The reports look great.  Is there a way to filter on a specific IP Group and interface easily?  For example, I have 4 groups for customer A:

                              Group 1 - web servers

                              Group 2 - application servers

                              Group 3 - database servers

                              Group 4 - Aggregate of Groups 1, 2, & 3 (basically all the IPs of the groups are added together into a single group).

                               

                              For a financial audience, I want to simply present to them the bandwidth that Customer A used on a certain WAN link.  So I want to map Group 4 to the interface of an edge router connected to that WAN link.  Basically all this data is already in the report, I just would like to find a way to filter it down so they don't have to make sense of it.

                              • Re: 95th Percentile Bandwidth Utilization using Netflow
                                radekn

                                Hi Mattyo,

                                I modified the reports with new parameters InterfaceIDs and GroupIDs. Multiple filter values are identified as comma-separated values.

                                The parameter @ConversationIPs uses comma-separated values as well.

                                So, for example, to filter the report by your IP groups it will look like this:

                                SET @GroupIDs= ' Group 1 - web servers,Group 2 - application servers,Group 3 - database servers,Group 4 - Aggregate of Groups '

                                The Interfaces filter uses InterfaceID instead of the interface caption because interface caption names may be duplicated.


                                Regards Radekn


                                The reports are stored here:

                                 

                                95th Percentile Bandwidth Utilization using Netflow- IPGroups-Pxx1h

                                • Re: 95th Percentile Bandwidth Utilization using Netflow
                                  Mattyo

                                  Thanks Radekn.  I ran into an issue with the reports.  It doesn't seem to be using the new IP Groups I implemented.  I see all the old ones but the 4 or 5 new ones I put in are not being reported on (neither 30 days nor 7 days).  It is happening with both SW servers.   Any tips to make it use the current IP Groups in the custom reports?

                                  • Re: 95th Percentile Bandwidth Utilization using Netflow
                                    radekn

                                    Hi Mattyo,

                                    The reports will display only IP groups which are enabled for display in the Top XX IP Address Groups resource.

                                    The "Enable display in Top XX IP Address Groups resources" choice in the "Edit IP Address Groups" view has to be enabled. You can go there via "Netflow Settings/IP Address Groups/Manage IP Address Groups".

                                    Please let me know if this helped.

                                    Regards Radekn

                                    • Re: 95th Percentile Bandwidth Utilization using Netflow
                                      Mattyo

                                      Hi Radekn,

                                       

                                      Again thanks for the info.  Your assistance has been invaluable.

                                      Two more quick questions. 

                                       

                                      Is there a sample interval for these reports or do they operate by all flows the collector receives?  I noticed a discrepancy when creating an IP group for ALL TRAFFIC (0.0.0.0 - 255.255.255.255) then viewing the 95th percentile average in the report.  This value came back different (lower) than the SNMP sampled (30 min interval) 95th percentile utilization.  I'd imagine the sampling could have something to do with the different values (no sampling versus all flows).

                                       

                                       

                                      Also, is there a way to easily export the report data to MS Excel? 

                                       

                                      Thanks again,


                                      Matt

                                      • Re: 95th Percentile Bandwidth Utilization using Netflow
                                        radekn

                                        Hi Mattyo,

                                        The reports use a 24h interval for bandwidth utilization; therefore data up to the last date (23:59 PM of the previous date) are the last data included in the report.

                                        However, the NPM 95th percentile report includes today's data.

                                        When comparing the NTA 95th report data with the NPM 95th report, modify the end date of the NPM report to the same end date as in the NTA report (replace  SET @EndDate = GetDate() with  SET @EndDate = CAST((FLOOR((CAST(GETDATE() AS float)+5e-6)))  AS smalldatetime) ).

                                        Also check whether you have the 95 top NTA talkers feature disabled (set to 100). By default the 95 top talkers feature is set to 95.

                                        Export to Excel is possible via ReportWriter.

                                        Thanks


                                        Regards Radekn

                                        • Re: 95th Percentile Bandwidth Utilization using Netflow
                                          Mattyo

                                          Hi Radekn,

                                           

                                          I don't understand.  Do I want to disable 95 Top talkers or have it enabled?

                                           

                                          Matt

                                          • Re: 95th Percentile Bandwidth Utilization using Netflow
                                            radekn

                                            Hi Mattyo,

                                            If you want to compare the NTA 95th report with the NPM 95th report, there will be a discrepancy if you have the 95 top talker optimization set to a value other than 100. By default it is set to 95 percent. This feature improves performance by storing only the most significant traffic.

                                            See also http://www.solarwinds.com/NetPerfMon/SolarWinds/wwhelp/wwhimpl/js/html/wwhelp.htm?context=SolarWinds&file=OrionNetFlowPHSettingsSmartTrafficOptimization.htm

                                            So the 95th NTA report is computing daily average bandwidth values and is picking only the 95th percentile of those values.

                                            Because NPM is using different retention periods, you may see differences between the two reports.

                                            NPM has the following default retention periods:

                                             -Detailed statistics retention 7 days

                                             -Hourly statistics retention 30 days

                                            NTA has the following default retention periods:

                                             -Detailed statistics retention 1 hour

                                             -Hourly statistics retention 24 hours

                                            So, for example, the NTA 95th report for 30 days and the NPM 95th report may differ because the NTA report is using daily averages (this is by design) and NPM is using hourly averages + non-averaged detailed data.

                                            It is possible to tweak NTA data to extend the retention periods, but the NTA 95th report would need to be modified and the database server could be overloaded with a lot of data, depending on the traffic NTA is collecting.

                                            Please let me know if you need more information.

                                            Regards radekn

                                            • Re: 95th Percentile Bandwidth Utilization using Netflow
                                              Mattyo

                                              Hi Radekn,

                                               

                                              Very good response.  That clears up a lot of the discrepancy.

                                              So as far as the process of the 95th percentile custom NetFlow report...is this accurate?

                                               

                                              NTA collects data on the bandwidth usage in bps for an IP Group.  Since top talker optimization is enabled it is computing these averages based on 95% of total traffic. 

                                              It aggregates and caches that data daily because it cannot retain detailed statistics for more than a day.   For the month of February it keeps in its database values for Feb 1, 2, 3, 4 all the way to the 29th per IP group (or maybe it doesn't keep them explicitly in the database, but it has a way to compute the value). 

                                              When I call up a report on March 2nd for 95th percentile netflow by IP Group for February, it computes these averages, as mentioned above, puts them in high to low order (by day I guess?) and throws out the top 5% of them.   It then reports the highest value remaining in the report.    It does this for each IP Group.

                                              Is that accurate?  So in essence it is a 95th percentile report on the daily averages of bandwidth utilized based on 95% of the data?  If not please let me know.  Also, if it is easier to explain over the phone could you send me a PM with your # or I can send you mine and we can talk about it?  I really would like to understand this process.

                                              • Re: 95th Percentile Bandwidth Utilization using Netflow
                                                radekn

                                                Hi Mattyo,

                                                 

                                                Yes, this is accurate: it computes daily averages in low order and from the top 95 percent it picks the maximum value.

                                                By default (with top talker optimization 95%) the daily collapsed data shows 95 percent of traffic in the DB; I did not consider that before.

                                                So with this default option the 95% report will display max of top95%( daily95%).

                                                For example, for the period March 2,3,4,5,6 ..

                                                In case top talkers optimization is 100, the results are:

                                                max from top 95%( sum(March2),sum(March3),sum(March4),sum(March5),sum(March6),..)

                                                In case top talkers optimization is 95:

                                                max from top 95%( sum(95%March2),sum(95%March3),sum(95%March4),sum(95%March5),sum(95%March6),..)

                                                It would probably be better to modify the report to throw the max value only in case top talker optimization is switched to 95 percent (this is the default value).

                                                So it would look like this:

                                                max from ( sum(95%March2),sum(95%March3),sum(95%March4),sum(95%March5),sum(95%March6),..)

                                                In case the user has top talker set to 100, the old way would be used in the report.

                                                Please let me know if you want this modification made.

                                                 

                                                thanks

                                                Regards Radekn
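
Added example (not part of the thread and not the report's SQL): a Python sketch of the calculation confirmed above, which takes daily averages, sorts them, discards the top 5% and reports the highest remaining value, shown next to the same percentile taken over hourly samples. The traffic figures are constructed and the nearest-rank percentile rule is an assumption of this example; top talker optimization is not modelled.

```python
def percentile_nearest_rank(values, pct=95):
    """Sort ascending, keep the lowest pct percent, return the highest kept.

    Nearest-rank rule (an assumption of this example): rank = ceil(pct*n/100).
    """
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = -(-pct * len(ordered) // 100)   # integer ceiling
    return ordered[max(rank, 1) - 1]

def daily_averages(hourly_by_day):
    """Collapse each day's hourly bps samples into one daily average."""
    return [sum(day) / len(day) for day in hourly_by_day]

def constructed_month(days=30):
    """Constructed traffic in bps: 1 Mbps baseline, 4 Mbps during eight
    busy hours on weekdays, quiet weekends, and one all-day 4 Mbps burst."""
    month = []
    for d in range(days):
        weekend = d % 7 in (5, 6)
        day = []
        for h in range(24):
            busy = (not weekend) and 9 <= h < 17
            day.append(4_000_000 if busy or d == 15 else 1_000_000)
        month.append(day)
    return month

def compare(month):
    """Return (p95 of daily averages, p95 of hourly samples) in bps."""
    hourly = [s for day in month for s in day]
    return (percentile_nearest_rank(daily_averages(month)),
            percentile_nearest_rank(hourly))

if __name__ == "__main__":
    p95_daily, p95_hourly = compare(constructed_month())
    print(f"95th percentile of daily averages: {p95_daily / 1e6:.1f} Mbps")
    print(f"95th percentile of hourly samples: {p95_hourly / 1e6:.1f} Mbps")
```

With this data the single burst day is the one value discarded from the 30 daily averages, and the daily-average percentile comes out at half the hourly one, the same direction as the NTA versus SNMP gap reported earlier in the thread.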

                                                • Re: 95th Percentile Bandwidth Utilization using Netflow
                                                  Mattyo

                                                  Something tells me that modifying top talkers to 100% and using the existing report will not yield the same results as leaving the top talker at 95% and modifying the report.  What do you suggest?  I am leaning towards setting top talker to 100% so I get all the data and let the report handle 95th percentilization of the result.

                                                   

                                                  Your thoughts?


                                                  Matt