0 Replies Latest reply on Dec 23, 2015 6:04 PM by jturner

    Netflow data interpretation from Cisco ASA 8.4(2)

    jturner

      So I am curious how the solarwinds netflow collector interprets and graphs the data collected.


      More specifically does the graph that solarwinds generates to represent Mbps over time take into consideration the duration of the flow?

      [Image: Capture1.PNG (Mbps-over-time graph from the NetFlow collector)]


      For instance this graph above caused some alarm for us today. Digging into the data it appeared that 4 web servers moved over 40Gigs of data to a SQL database.

      Looking at the server I/O, the jobs running, and the interfaces that the servers and the DB are connected to we could not account for anywhere close to this amount of data.


      Looking at the firewall logs at this time I found about 30 flows that all closed around 2:38pm which is the same time on the graph that we see the spike.

      Each of the closed flows had moved over 1gig of data however they also all had a duration of about 24 hours.

      And yes we have some custom in house apps that required us to lift the limit in the firewall for the flow duration. I am not happy about it but it's not something I can control.


      So my real question is does solarwinds take into account the flow duration and average that data out over the time to graph the flow?


      For instance, if a flow moved 45 Gigabytes of data in 1 hour, then if the graph had 10-minute resolution you would get a square wave with all 10 data points at roughly 100Mbps?


      Or does it just look at the close time and the total bytes transferred and graph that as a single point? So in the example I gave it would be just a single spike at the end of the flow at 45Gbps.


      Based on what I have seen I am leaning toward the latter, but I just thought I would reach out to Thwack to see if someone can confirm this behavior.


      Any help on this would be greatly appreciated.
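The two interpretations the post describes can be modelled directly. The Python below is an added example, not code from the post or from SolarWinds, and it makes no claim about how NetFlow Traffic Analyzer actually buckets data; it simply implements both candidate models over constructed flow records (start time, end time, byte count) so the resulting graphs can be compared. Model A spreads each flow's bytes evenly across its lifetime; model B drops the whole byte count into the bucket that contains the flow's close timestamp. The `long_lived_flows_scenario` function reproduces the situation in the post (30 flows of about 1 GB, each alive for 24 hours, all closing at the same minute) with made-up values.

```python
"""Compare two ways a flow collector might turn flow records into a bytes-over-time graph.

Added example (not the collector's real algorithm). Flow records and sizes are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Flow:
    """A finished flow as a firewall would export it (times in epoch seconds)."""
    start: float
    end: float
    nbytes: int


def _bucket_count(t0: float, t1: float, width: float) -> int:
    return int((t1 - t0) // width)


def bytes_spread_over_duration(flows: List[Flow], t0: float, t1: float, width: float) -> List[float]:
    """Model A: each flow's bytes are spread evenly over its lifetime, so a bucket
    receives the share proportional to how much of the flow's lifetime overlaps it."""
    n = _bucket_count(t0, t1, width)
    buckets = [0.0] * n
    for f in flows:
        duration = max(f.end - f.start, 1e-9)  # guard against zero-length flows
        for i in range(n):
            b0 = t0 + i * width
            overlap = max(0.0, min(f.end, b0 + width) - max(f.start, b0))
            if overlap > 0:
                buckets[i] += f.nbytes * overlap / duration
    return buckets


def bytes_at_close_time(flows: List[Flow], t0: float, t1: float, width: float) -> List[float]:
    """Model B: the whole byte count lands in the bucket containing the flow's end
    timestamp, regardless of how long the flow lived."""
    n = _bucket_count(t0, t1, width)
    buckets = [0.0] * n
    for f in flows:
        if t0 <= f.end < t1:
            buckets[int((f.end - t0) // width)] += f.nbytes
    return buckets


def to_mbps(bucket_bytes: List[float], width: float) -> List[float]:
    """Convert bytes per bucket into the average megabits per second shown for that bucket."""
    return [b * 8 / width / 1e6 for b in bucket_bytes]


def long_lived_flows_scenario(n_flows: int = 30, bytes_each: int = 10**9,
                              lifetime: float = 24 * 3600, width: float = 600):
    """Constructed version of the post's situation: n_flows flows, each moving
    bytes_each over `lifetime` seconds and all closing at the same instant.
    Returns (peak Mbps under model A, peak Mbps under model B) for a two-hour
    window centred on the close time."""
    close = 24 * 3600.0
    flows = [Flow(close - lifetime, close, bytes_each) for _ in range(n_flows)]
    t0, t1 = close - 3600, close + 3600
    peak_a = max(to_mbps(bytes_spread_over_duration(flows, t0, t1, width), width))
    peak_b = max(to_mbps(bytes_at_close_time(flows, t0, t1, width), width))
    return peak_a, peak_b


if __name__ == "__main__":
    # The post's 45 GB-in-one-hour example, graphed at 10-minute resolution over two hours.
    single = [Flow(0.0, 3600.0, 45 * 10**9)]
    print("model A (spread):", to_mbps(bytes_spread_over_duration(single, 0, 7200, 600), 600))
    print("model B (close): ", to_mbps(bytes_at_close_time(single, 0, 7200, 600), 600))
    print("30 x 1 GB over 24 h, peaks (A, B):", long_lived_flows_scenario())
```

Under model A the 45 GB flow shows as six consecutive 10-minute points at 100 Mbps and the thirty day-long flows add under 3 Mbps per point; under model B the same records produce one 600 Mbps point and one 400 Mbps point respectively. A graph that matches model B is therefore reporting when long-lived flows closed, not when the bytes moved, and the cross-check the post already performed (interface counters and host I/O for the same window) is the right way to tell an export artifact from a real transfer.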