Reporting on QoS using NetFlow is a fairly rudimentary report for even the most basic NetFlow reporting tools.  Although the name of this report differs from vendor to vendor, we are all talking about the same 8 bit ToS field of an IP datagram.  Sometimes mistakenly referred to as DSCP, this 1 byte value is used in an effort to help ensure end to end QoS flow for select business applications.

In an attempt to prioritize QoS throughout the network for applications such as VoIP or Video, many companies configure DiffServ domains.  And when service isn’t up to par, these companies often turn to NetFlow Analysis as one part of their trouble shooting routine.  If you are not familiar with all these acronyms, a skim of my 5 part blog series on Tos, DSCP and NetFlow…. What the DiffServ will bring you up to speed fairly quickly.

Most people when discussing QoS service today are talking about a 6 bit portion of the ToS field called DSCP. Below is an example


Notice above that some of the entries have a read box around the letters ‘ECT’.   These are the Explicit Congestion Notification 2 bits that make up the rest of the 8 bit ToS field when using DSCP.  These fields are becoming more and more important as business applications start to implement them.

Wikipedia: “TCP uses two flags in the TCP header to signal the sender to reduce the amount of information it sends. These are the ECN-echo (ECE) and Congestion Window Reduced (CWR) bits explained below.”

Anyway, lets drill in on one of the DSCP values in the above screen capture and select from about 2 dozen different reports.  BTW: each report has additional report combinations:


Outlined in red above you can see that the DSCP 0 ECT (00000010) filter was passed.  Lets take it a step further and use Flow Analytics to set a threshold for this type of DSCP traffic.  A threshold allows us to be notified:


I could add additional filters to the above threshold:
• More interfaces on different routers/switches
• Specific IP address or subnets (even exclude them)
• TCP flags
• Add additional DSCP values
• Etc.

Yah, it is pretty cool.  We like to think that Scrutinizer takes ToS reporting to another level.  Many businesses today require this depth of reporting to trouble shoot today’s media applications over the network.

Mike Patterson author pic


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.


Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply