This is another in a series of blogs on the important concepts of network management. Today's topic is flow monitoring. A network flow is the series of messages exchanged between the opening and closing of a communication session. Flow data is used by tools like network flow analyzers and flow collectors to generate insight into network performance and assist with problem resolution. Flow data is an aggregated form of data and is also referred to as metadata.
PURPOSE OF FLOW MONITORING
Flow monitoring is a useful way to generate information engineers use to troubleshoot network issues. Flow data is aggregated and therefore different from packet data, which is a copy of the detailed data inside network packets. Most monitoring tools process only one or the other type of data. Some organizations treat the two types of data as mutually exclusive, but combining the two provides administrators with superior insight for issue identification and resolution.
NetFlow was the first flow technology and was developed by Cisco in 1996 as a proprietary protocol. The company later harmonized their tool with the standards known as Internet Protocol Flow Information Export (IPFIX). NetFlow is considered by many to be a de facto standard. There are also other flow formats such as jFlow (Juniper), NetStream (3Com/HP), and sFlow (various vendors).
TYPICAL USE CASES AND BENEFITS
Real-time bandwidth monitoring
Administrators use real-time monitoring tools to identify the interfaces, links, applications, users, and protocols taking up network bandwidth. A flow monitoring tool can examine bandwidth utilization over the LAN, WAN links, and specific devices. It also identifies internal and external traffic sources and destinations. Flow monitoring allows administrators to know the Top Senders, Top Protocols, and Top Applications that use up bandwidth.
Applying Quality of Service policies
Flow monitoring can help administrators manage QoS policies for specific services. By default, each network channel operates on a best-effort basis—every application gets equal priority, whether it is a business-critical VoIP service or a user streaming video content. Enterprises must set QoS policies to ensure business-critical applications get sufficient bandwidth.
Identifying historical trends
Identifying abnormal bandwidth usage
Flow monitoring also proactively identifies DDoS attacks, unauthorized downloading, and other suspicious and potentially malicious network behavior. Flows can be your best option for security forensics and analysis. Monitoring tools automatically identify high traffic flows to unmonitored ports, expose unauthorized applications like file sharing and video streaming, monitor traffic volumes between source and destination pairs, and detect failed connections.
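The checks described above (top senders, high-volume flows to unmonitored ports, and failed connections) can be sketched over flow records as follows. This is an added example, not code from the article or from any vendor tool; the record fields, sample flows, port list, and thresholds are all constructed assumptions.

```python
from collections import Counter, namedtuple

# One record per unidirectional flow, using fields NetFlow/IPFIX exporters commonly carry.
Flow = namedtuple("Flow", "src dst dport proto bytes tcp_flags")
SYN, ACK = 0x02, 0x10          # tcp_flags is the OR of all TCP flags seen in the flow
TCP = 6

# Constructed sample records (private/documentation addresses), not real traffic.
FLOWS = [
    Flow("10.0.0.5", "10.0.1.10", 443, TCP, 1_200_000, 0x1B),
    Flow("10.0.0.5", "10.0.1.11", 53, 17, 300, 0x00),
    Flow("10.0.0.7", "203.0.113.9", 6881, TCP, 4_000_000, 0x1A),
    Flow("10.0.0.7", "203.0.113.9", 6881, TCP, 3_500_000, 0x1B),
    Flow("10.0.0.9", "10.0.1.20", 22, TCP, 60, SYN),
    Flow("10.0.0.9", "10.0.1.21", 22, TCP, 60, SYN),
    Flow("10.0.0.9", "10.0.1.22", 22, TCP, 60, SYN),
]

# Assumed site policy: expected service ports and alert thresholds.
MONITORED_PORTS = {53, 80, 443}
HIGH_VOLUME_BYTES = 5_000_000
MIN_FAILED_CONNECTIONS = 3

def top_senders(flows, n=3):
    """Rank source addresses by total bytes sent."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.bytes
    return totals.most_common(n)

def unmonitored_port_alerts(flows):
    """Source/destination/port tuples moving high volume to a port outside policy."""
    totals = Counter()
    for f in flows:
        if f.dport not in MONITORED_PORTS:
            totals[(f.src, f.dst, f.dport)] += f.bytes
    return sorted(k for k, v in totals.items() if v >= HIGH_VOLUME_BYTES)

def failed_connection_sources(flows):
    """Sources with repeated TCP flows that sent SYN but never an ACK."""
    failures = Counter(
        f.src for f in flows
        if f.proto == TCP and f.tcp_flags & SYN and not f.tcp_flags & ACK
    )
    return sorted(s for s, c in failures.items() if c >= MIN_FAILED_CONNECTIONS)

if __name__ == "__main__":
    print("Top senders:", top_senders(FLOWS))
    print("Unmonitored-port alerts:", unmonitored_port_alerts(FLOWS))
    print("Failed-connection sources:", failed_connection_sources(FLOWS))
```

Because flow records are unidirectional, a client-side flow that carries SYN but no ACK means the handshake never completed, which is why repeated occurrences from one source are worth an analyst's attention.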
CONSIDERATIONS FOR FLOW MONITORING
Efficient, dual data generation
You can use the same network visibility platform you use to aggregate and process network packets to manage delivery of flow data to your flow monitoring tools. A visibility platform lets you offload flow generation from routers and other network devices to help them work more efficiently. You will need a solution that generates the specific type of flow data your tools are designed to process. Some network visibility platforms, such as Ixia's Vision ONE network packet brokers (NPBs), generate your choice of NetFlow or IPFIX compatible data.
High-performance processing
You want to make sure that the solution you use for generating flow data has enough processing power to keep up with your traffic volume and support all your flow monitoring tools. Ixia Vision ONE NPBs, for example, are capable of simultaneously generating flow data, decrypting secure traffic, and filtering data based on application type. Ixia's high-performance processing engine generates flow records for up to 300K TCP sessions per second and supports up to ten flow monitoring tools (or collectors).
Enrichment of flow data
Another benefit of a platform that handles both flow and packet data is the ability to enhance flow data with value-add extensions. With Ixia's solution, you determine what additional information to send your monitoring tools. You can include geographical information, application ID or name, browser type, and SSL cipher as part of the information flow to your tools. For subscriber-aware reporting, you can provide detail on applications and handset-device type for mobile users.
Summary
Use flow data for efficient on-the-fly monitoring and keep your team up-to-date with network events as they happen. And strengthen overall network monitoring by also deploying packet-based data capture and monitoring. With access to network packet history, you can quickly drill down to packet level, examine incidents and determine their root cause and severity. Combining these two monitoring techniques helps network and security analysts stay on top of the mountain of alerts they receive to ensure an unexamined issue doesn't escalate to become a serious outage or network breach.
Thank you to Lora O'Haver of Ixia, a Keysight Business, for the article.