Documentation for Engineer's Toolset

Analyze NetFlow data

NetFlow Realtime offers up to 60 minutes of traffic to analyze. See the following groups:

  • Applications: Enables you to see all the traffic passing through, based on the application. Applications use specific ports to send data. This mapping between port, application, and traffic is used to create the specific data points. The number of applications listed in the tree changes based on the Top XX value. Click the top node, Applications, to view an inclusive graph.
  • Conversations: Enables you to see traffic based on source and destination IP address, source and destination port, and the protocol. These five data points, grouped together and matched, create a single conversation. For example, a conversation between 1.1.10.10 and google.com is defined by 1.1.10.10, google.com, port 80 (HTTP) on both IP addresses, and the TCP protocol. Clicking an IP address in the tree provides a view of all the other IP addresses or domains with which this IP address is in communication. Clicking the top node, Conversations, provides an inclusive graph of your highest-traffic conversations.
  • Domains: Enables you to see all traffic in a domain. The domain consists of all IP addresses that resolve to that domain using reverse DNS. Clicking a domain or IP address in the tree provides a view of all the other domains or IP addresses with which this domain is in communication. Clicking the top node, Domains, provides an inclusive graph of all the domains on which traffic is being detected.
  • Endpoints: Allows you to select specific IP addresses (hosts) and view all the data transmitted and received by that host. Clicking the top node, Endpoints, provides an inclusive graph. This view does not separate data by application (port) or protocol, but provides an overview of your highest traffic producers.
  • Protocols: Displays all the traffic that matches a specific protocol, for example, TCP or UDP. Clicking a specific protocol provides a view of the individual applications the protocol uses to traverse the specified interface. Clicking the top node, Protocols, provides an inclusive graph of all traffic produced, split into protocols.
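
The groupings above can be reproduced from raw flow records, which helps when checking what a given tree node actually counts. The following is an added example, not code from Engineer's Toolset: the flow record layout, the port-to-application map, and the choice to count both directions of an exchange as one conversation are assumptions, and Domains is left out because it depends on reverse DNS lookups.

```python
from collections import Counter, namedtuple

# Constructed sample flow records (not real capture data).
Flow = namedtuple("Flow", "src dst sport dport proto nbytes")
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 51000, 443, "TCP", 4000),
    Flow("192.0.2.10", "10.0.0.5", 443, 51000, "TCP", 90000),
    Flow("10.0.0.5", "192.0.2.53", 40000, 53, "UDP", 300),
    Flow("10.0.0.7", "192.0.2.10", 52000, 443, "TCP", 2500),
    Flow("10.0.0.7", "198.51.100.9", 53000, 22, "TCP", 7000),
]

# Assumed port-to-application map; a real collector uses a far longer one.
PORT_APPS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def application(flow):
    """Name the application from whichever port appears in the map."""
    for port in (flow.dport, flow.sport):
        if port in PORT_APPS:
            return PORT_APPS[port]
    return "Unknown"

def conversation(flow):
    """Five data points, ordered so both directions give the same key."""
    a, b = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return (a, b, flow.proto)

# Each view maps a flow to the tree node(s) its bytes are counted under.
VIEWS = {
    "Applications": lambda f: [application(f)],
    "Conversations": lambda f: [conversation(f)],
    "Endpoints": lambda f: [f.src, f.dst],  # transmitted and received
    "Protocols": lambda f: [f.proto],
}

def top(view, n, flows=FLOWS):
    """Return the n highest-traffic nodes of a view as (node, bytes)."""
    totals = Counter()
    for flow in flows:
        for node in VIEWS[view](flow):
            totals[node] += flow.nbytes
    return totals.most_common(n)

if __name__ == "__main__":
    for name in VIEWS:
        print(name, top(name, 2))
```

A host that appears near the top of Endpoints but whose traffic falls under "Unknown" in Applications is using ports outside the map, which is often the first thing worth drilling into.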

Start Flow capture

  1. Click the interface carrying the NetFlow data you want to analyze, and then click Start Flow Capture.
  2. Review the information displayed in the analysis graphs.
  • The tree view can be expanded to reveal individual applications, conversations, domains, endpoints, and protocols. Tree views are dynamic and change based on the time period and the selected Top ## number.
  • The refresh rate is in seconds.