9 Replies Latest reply on Oct 31, 2008 7:18 AM by rob_ib

    Netflow collector - Does it show all ports?

    rob_ib

      We are trying to get a more acurate bandwidth tool that can really tell us our bandwidth since a 1 minute average is WAY off of what it really is.  Netflow was recommended to us.  We have thousands of applications using ports higher than 1024.  WIll the netflow show each port or show them as other adn only display the well know ports?

        • Re: Netflow collector - Does it show all ports?
          denny.lecompte

           Orion NTA has a large number of well-known ports that it automatically labels.  You can easily monitor all ports, however, even those that are not well-known.  Moreover, any port can be given an application name of your choosing.

            • Re: Netflow collector - Does it show all ports?
              rob_ib
              Say we use all ports from 1024 to 65225.  On different hosts they are different applications.  Does the NTA display the port numbers individually or grouped with all other unknown ports?
                • Re: Netflow collector - Does it show all ports?
                  denny.lecompte

                  A port is either assigned to one port, a collection of ports (new in NTA 3.0) or it is “unmonitored traffic”.  If it is unmonitored traffic, then as it is collected, it is summarized all in the one bucket of “unmonitored traffic”.  Note that NTA only saves data down to 1-minute granularity.

                    • Re: Netflow collector - Does it show all ports?
                      rob_ib

                       Is there anything that monitors at better intervals than 1 minute?  The 1 minute trending is a problem for us as the traffic is bursty and a 1 minute average is not even close to what we are hitting.  On a 1G port the average is 200M and the bursts are well over 500M - This is a huge difference when trying to manage WAN links where the traffic HAS to get through and not dropped by over utilization. 

                       

                      I know the Enginees tool kit can do closer to real time but we need trending of our interfaces as there are too many to watch real time.

                       

                      How does the Engineers tool kit do it in real time compared to the Orion as fas as bandwidth stats?

                          • Re: Netflow collector - Does it show all ports?
                            Andy McBride

                            Keep in mind that NetFlow traffic analysis does not attempt to completely measure bandwidth usage, only who is using the bandwidth and what they are doing. NetFlow accounting measures to the byte but is a different implementation of NetFlow.


                            It sounds more like you are interested in capturing very granular data on circuit usage. I my past life as a network performance engineer I did a lot of testing of this on WAN circuits. The way to test to see how the polling interval is affecting your reports is to run a IF monitor in real-time, like the B/W gauge from Toolset. Make sure charting is on. Then compare what you see here with data from your Orion usage. My findings were that very short traffic polling (ie 3sec) did not show significant differences in the graphs even comparing to 5-10 minute polling. WAN circuits, are usually sized to allow traffic to peak and recover quickly. If they act this way there is no impact to user traffic. If they peak and sustain then you will see this with longer polling intervals.  If your concern is that data is not being transmitted fast enough and application performance is being affected I suggest measuring application performance more directly.

                              • Re: Netflow collector - Does it show all ports?
                                rob_ib

                                 The problem is our data is time sensitve to the millisecond.  If we are over utuilizing the circuit we drop the data since allot of the data is multicast.  The 1 minute trend shows the circuit at 180Mbs but a real time shows spikes well over 300Mbs on a 300M circuit.  This is a huge problem when we are using Orion to trend the network.  At the 1 minute collection we think we are good at 180M with 120M to go but in reality we are over 300M.

                                  • Re: Netflow collector - Does it show all ports?
                                    Andy McBride

                                    So since SNMP polling is not realistic for millisecond periods I would do attack this 2 ways:


                                    1. Monitor bandwidth carefully, as you are doing.


                                    2. Measure the time sensitive apps If this is voice you can use IP SLA such as in the VoIP monitor product. If it is another app there are lots of ways to measure the app performance.


                                    Basically what I am saying is don't over measure the network to feel better about the apps, Measure the apps.


                                     Andy