Flowalyzer field definition
Hello,
I would like to find a user manual about Flowalyzer to understand what the fields displayed on the GUI mean.
To be more accurate, I need to know what "Packet Count" and "Flow Time" mean in the "generator" tab of Flowalyzer. How shall they be configured (both of them expect to be filled with an interval).
Moreover, when generating a simple UDP flow, I can see in the "statistics" panel of the "generator" tab the number of packets per second and also the number of flows per second. In my case, I always see that the number of packets per sec is equal to the number of flows per sec. I don't understand that and need information.
Thank you in advance.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hello zxyahsoge003,
Packet count is the number of NetFlow packets sent from Flowalyzer.
Flow Time is the start and end time of the flow. A flow would be considered a conversation on your network broken into 1 minute summaries.
The reason you're seeing the number of packets equal to the number of flows is because you only have 1 flow record defined in Flowalyzer.
To define more records, change the name, IP's, src port and dst port and press the "add" button at the bottom.
1 NetFlow v5 packet can contain up to 30 flow records.
Thanks,
Paul
pauld - Posts: 156
- Joined: Mon Jan 04, 2010 10:05 am
- Location: Sanford, Maine
Re: Flowalyzer field definition
Thanks pauld for your answer.
However, some points remain confusing for me. Let me explain more accurately.
As you can see on the attached screenshot, I configured the "speed" to 1000ms for easier computation.
1/ In Statistics, it always remains at 1 packet per second. I would have expected 100 as configured in "packet count". So, why only 1? I don't understand, I probably missed something.
2/ About Flow time, what is the unit?
Moreover, why must the start time be a negative value and the end time not greater than 0? I really don't catch what it really means and what impact it has on the flows.
By the way, is there any documentation on Flowalyzer configuration?
Thank you very much.
- Attachment: flowalyzer running with 2 flows.JPG (64.64 KiB)
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hi zxyahsoge003,
1) There are two things happening here. The "Packet Count" field is for defining how many packets are in the flow record not for defining how many NetFlow packets get sent. If you want to control the amount of NetFlow packets that are sent this is done by changing the "speed" value. With your current speed value set to 1000ms your delay between packets sent (or speed) is 1 second, so it will send 1 NetFlow packet per second. Remember that each NetFlow packet can contain up to 30 flow records.
2) The Flow Time is in seconds. ‘0’ represents ‘now’ and ‘-10’ means ten seconds before ‘now’. This means that the flow record, or conversation on the network, that you have defined lasted for 10 seconds.
I don't have any extended documentation on Flowalyzer, but I'd be glad to answer your questions.
Thanks,
Paul
pauld - Posts: 156
- Joined: Mon Jan 04, 2010 10:05 am
- Location: Sanford, Maine
Re: Flowalyzer field definition
Hello,
Thanks for your answers, I am a novice in the field of Netflow and this is very helpful.
(sorry in advance for my stupid questions)
1/ Packet Count
You said the "Packet Count" field is for defining how many packets are in the flow record. Do you confirm that the packets in the flow records are then UDP or TCP ones?
--> To synthesize globally, does it mean that (according to the example I gave in my previous message) 1 Netflow packet (emitted each second) will contain 2 flow records (UDP_tftp and TCP_http). And each of these flow records contains 100 UDP/TCP packets, right?
2/ Flow Time
Following your explanation, does it mean that each Netflow packet sent each second will indicate that the current conversation lasted for the last 10sec?
So for a 60sec test, 60 Netflow packets will be sent saying 60 times that the conversation has been active for the last 10sec?
In this case, I really don't understand what the interest of this parameter is! Actually, if I send a Netflow packet containing a flow record each second, it implicitly means that my conversation is currently active. So why configuring a time interval [-10;0]?
3/ GUI
In the left panel of the Flowalyzer GUI entitled "Flows", there is a box that can be ticked in front of each flow. Ticked or not, it seems that the Netflow packet is emitted. But is the Netflow packet empty (without any flow record) if the flow is not ticked?
Thanks for your patience
Julien.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
zxyahsoge003 wrote: 1/ Packet Count
You said the "Packet Count" field is for defining how many packets are in the flow record. Do you confirm that the packets in the flow records are then UDP or TCP ones?
TCP or UDP is determined by the "Protocol" field in Flowalyzer.
zxyahsoge003 wrote: --> To synthesize globally, does it mean that (according to the example I gave in my previous message) 1 Netflow packet (emitted each second) will contain 2 flow records (UDP_tftp and TCP_http). And each of these flow records contains 100 UDP/TCP packets, right?
Yes
zxyahsoge003 wrote: 2/ Flow Time
Following your explanation, does it mean that each Netflow packet sent each second will indicate that the current conversation lasted for the last 10sec?
So for a 60sec test, 60 Netflow packets will be sent saying 60 times that the conversation has been active for the last 10sec?
In this case, I really don't understand what the interest of this parameter is! Actually, if I send a Netflow packet containing a flow record each second, it implicitly means that my conversation is currently active. So why configuring a time interval [-10;0]?
In a production environment, you would typically receive 1 Flow record each minute for every conversation so the time interval will keep track of how long the flow lasted. In this synthetic traffic, you can accomplish the same thing by sending 1 packet every minute containing 1 flow record with a time interval of [-60,0].
zxyahsoge003 wrote: 3/ GUI
In the left panel of the Flowalyzer GUI entitled "Flows", there is a box that can be ticked in front of each flow. Ticked or not, it seems that the Netflow packet is emitted. But is the Netflow packet empty (without any flow record) if the flow is not ticked?
The check boxes are used for selecting which flow records to delete when pressing the delete button.
Thanks,
Paul
pauld - Posts: 156
- Joined: Mon Jan 04, 2010 10:05 am
- Location: Sanford, Maine
Re: Flowalyzer field definition
Hi Paul,
Thank you very much for these clarifications, I think I better understand now how it works.
Regards.
Julien.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hi,
I configured 2 flows (see attached pictures: UDP and TCP streams) within Flowalyzer and wanted to verify that the datarates observed on an NMS tool (see attached graph) were matching what was expected to be sent.
As you can see for the UDP stream for instance, 100 UDP packets of 500 bytes are sent in each Netflow packet each 100ms.
So, I compute:
100 * 500 = 50000 Bytes sent each 100 ms. In other words, 500000 bytes / second, or 488 kbps.
For TCP, the same computation leads to: 97kbps.
However, on the graphs provided by my tool (which collects Netflow packets) I can read respectively 40kbps and 15kbps.
I absolutely do not understand how the datarate shall be considered at the output of Flowalyzer.
Did I make a mistake when computing the expected datarates?
Thanks,
Julien.
- Attachments:
- UDP stream.JPG (62.55 KiB)
- TCP stream.JPG (62.3 KiB)
- blue_TCP and green_UDP datarates.JPG (15.35 KiB)
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hello zxyahsoge003,
I see where the confusion is.
In Flowalyzer, you're defining a summary of an entire conversation.
What you've configured says:
-sent from 10.0.0.42 to 10.0.0.75
-with a src port of 4242 and a dst port of 69
-the conversation entered a network device on src interface 2 and went out dst interface 5
-in that conversation there was a TOTAL of 500 bytes
-in that conversation there was a TOTAL of 100 packets
-the ToS field was set to DSCP 61
-the src AS was 6
-the dst AS was 9
-the src subnet mask was 255.255.255.255
-the dst subnet mask was 255.255.255.255
-the conversation lasted for 10 seconds
-the netflow version is 9
-the dst for the netflow packets is 140.94.13.232
-the dst port for the netflow packets is 2055
-the rate at which netflow packets are sent is every 100ms
Here's where things get confusing:
What you've defined says, every .1 seconds (100ms) send another netflow packet saying that 10 seconds of traffic occurred between the same two hosts. This would never happen in a production environment. This means that within 1 second, you're saying that 100 seconds of traffic occurred between the same two hosts.
For the sake of sanity, change your Flow Time to -60,0 and change your Speed to 60000ms. This means, once a minute a netflow packet gets sent summarizing the last 60 seconds worth of data. This is how netflow works in a production environment.
Now let's do some math with the flow time set to -60,0 (1 minute) and the speed set to 60,000ms (1 minute).
Every minute, a TOTAL of 500 BYTES of traffic and a TOTAL of 100 packets were sent between the two hosts.
Your graph is in KILOBITS, so we have to convert from BYTES to KILOBITS.
500 BYTES = 0.48828 KILOBITS (http://www.speedguide.net/conversion.php)
Your graph is in 15 minute data intervals, so we have to multiply by 15 minutes
0.48828 KILOBITS * 15 MINUTES = 7.3242 KILOBITS
Your graph is in KILOBITS PER SECOND so we have to divide by 900 seconds (15 minutes).
7.3242 KILOBITS PER 15 MINUTES / 900 SECONDS = .008138 KILOBITS PER SECOND
-------------------
Does this make sense?
pauld - Posts: 156
- Joined: Mon Jan 04, 2010 10:05 am
- Location: Sanford, Maine
Re: Flowalyzer field definition
Thank you so much Paul.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hi again,
Using Flowalyzer, I was sending a TCP stream at 16kbps (DSCP 11) and a UDP stream at 40kbps (DSCP 61), and I have noticed that the TCP stream was displayed at 14kbps.
I noticed in the past days that sometimes for a given stream, some kbps are missing.
My question is, can it be related to the DSCP value (that I fixed randomly)? Could it result in packet dropping?
(If not, I guess this is a bug in the application that displays my streams (Solarwinds Orion) because a few minutes ago I edited the view to change chart properties and after that the next displayed value was 16kbps. As if it needed a manual refresh... but well, this is not so clear.)
Thank you.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am
Re: Flowalyzer field definition
Hello zxyahsoge003,
Since NetFlow is UDP, it's possible a packet got dropped on the network; it's also possible for the NetFlow collector to have dropped some packets.
Have you tried our Scrutinizer NetFlow and IPFIX analyzer?
Thanks,
Paul
pauld - Posts: 156
- Joined: Mon Jan 04, 2010 10:05 am
- Location: Sanford, Maine
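An added example, not code from this thread or from Flowalyzer: a minimal NetFlow v5 builder and parser showing that one export packet carries up to 30 flow records, each with its own packet and byte totals and start/end times, plus a collector-side check that uses the header's flow_sequence field to count flow records lost over UDP. It uses the fixed v5 layout (the configuration discussed above was set to version 9) and assumes the exporter advances flow_sequence by the record count; the function names and the TCP flow's values are illustrative.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
MAX_RECORDS = 30                                    # v5 limit per export packet

def build_v5(flow_sequence, uptime_ms, flows):
    """Pack 1..30 flow summaries into one v5 export datagram."""
    if not 1 <= len(flows) <= MAX_RECORDS:
        raise ValueError("a v5 packet carries 1 to 30 flow records")
    out = HEADER.pack(5, len(flows), uptime_ms, 0, 0, flow_sequence, 0, 0, 0)
    for f in flows:
        start_s, end_s = f["flow_time"]  # seconds relative to now, e.g. (-10, 0)
        out += RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
            2, 5,                        # input/output interface, as in the thread
            f["packets"], f["octets"],   # totals for the whole conversation
            uptime_ms + start_s * 1000, uptime_ms + end_s * 1000,  # First, Last
            f["sport"], f["dport"], 0, 0, f["proto"], 0, 0, 0, 32, 32, 0)
    return out

def parse_v5(datagram):
    """Validate one datagram; return (header dict, list of record dicts)."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated header")
    version, count, _, _, _, seq, *_ = HEADER.unpack_from(datagram)
    if version != 5 or not 1 <= count <= MAX_RECORDS:
        raise ValueError("not a valid v5 export packet")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    records = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({"packets": r[5], "octets": r[6], "dport": r[10],
                        "proto": r[13], "duration_s": (r[8] - r[7]) / 1000})
    return {"count": count, "sequence": seq}, records

def missing_flows(datagrams):
    """Flow records lost in transit, from gaps in the header flow_sequence."""
    lost, expected = 0, None
    for d in datagrams:
        hdr, _ = parse_v5(d)
        gap = 0 if expected is None else (hdr["sequence"] - expected) % 2**32
        if gap < 2**31:                  # skip late or duplicated packets
            lost += gap
            expected = (hdr["sequence"] + hdr["count"]) % 2**32
    return lost

# Constructed sample: the UDP flow uses the values listed in the thread; the
# TCP flow's addresses, ports and totals are made up for illustration.
FLOWS = [
    {"src": "10.0.0.42", "dst": "10.0.0.75", "sport": 4242, "dport": 69,
     "proto": 17, "packets": 100, "octets": 500, "flow_time": (-10, 0)},
    {"src": "10.0.0.42", "dst": "10.0.0.75", "sport": 4243, "dport": 80,
     "proto": 6, "packets": 100, "octets": 1000, "flow_time": (-10, 0)},
]
# One export packet per second; flow_sequence advances by the record count.
SAMPLE = [build_v5(2 * n, 60000 + 1000 * n, FLOWS) for n in range(3)]
```

Dropping the middle datagram from SAMPLE makes missing_flows report two lost records, which is how a collector can tell export loss apart from a display or aggregation issue.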
Re: Flowalyzer field definition
Hi,
Thanks for your reply.
I have tried Scrutinizer a few weeks ago (evaluation version). I enjoyed it.
But now I need to perform some NMS testing on the COTS purchased by a customer (and of course he is not using Scrutinizer).
Julien.
- zxyahsoge003
- Posts: 8
- Joined: Fri Aug 26, 2011 8:10 am