What to do if you have interfaces reporting over 100% utilization from your Cisco NetFlow collection? Let’s take a look at how we would address this in Scrutinizer NetFlow Analyzer.

The following excerpt is taken from our Frequently Asked Questions:

Q23: Why are my graphs reporting over 100% utilization?

  1. The interface speed is not correct. Scrutinizer uses the speed specified in the SNMP OID. Click on the speed of the interface to manually type in the correct speed.
  2. The active timeout has not been set to 1 minute on the router.
  3. Non-dedicated burstable bandwidth, where the ISP allows you to use over the allocated bandwidth.
  4. Both ingress and egress NetFlow collection have been enabled on the interface. This can work properly, however NetFlow should be turned off on other interfaces. Scrutinizer works ideal when only ingress NetFlow collection is configured on all interfaces.
  5. Do you have any encrypted tunnels on the interface?
        47 – GRE, General Routing Encapsulation.
        50 – ESP, Encapsulating Security Payload.
        94 – IP-within-IP Encapsulation Protocol.
        97 – EtherIP.
        98 – Encapsulation Header.
      99 – Any private encryption scheme.

This can cause traffic to be counted twice on an interface.

In today’s blog, I’ll address item #5, including how to exclude encrypted packets in Scrutinizer NetFlow Analyzer and how to determine what other protocols you may want to exclude.

First, to confirm that the above protocols are being excluded in Scrutinizer, go to the Configuration page under the Settings tab.


By default, in version 6.0 and up, we exclude the protocols listed above in the FAQ. They will be entered in the text box with the heading “Exclude IP Types”. This is where you can edit which protocols you will be excluding.

If there are other protocols that you would like to exclude, but are unsure of the exact port used, there is a new gadget in Scrutinizer’s Flow Analytics module called Top Transports. With this gadget, you are given the top protocols used on your network, and the ports used per protocol.


This Top Transport gadget can also provide the conversation data by clicking on the Protocol (IGMP in this example), then click anywhere on the data line as shown below, with results displayed in the last image.

transport-gadget-1 transport-gadget-2
Joanne Ghidoni author pic

Joanne Ghidoni

Joanne is a Software Quality Assurance Engineer at Plixer. She has also held positions as Technical Support Engineer and Sales Engineer since joining Plixer in 2005. Prior to joining Plixer, Joanne has had numerous positions in the IT field, including data entry, computer operator, PC coordinator and support, mainframe programmer, and also Technical Support and web programmer at Cabletron Systems. In her spare time, Joanne enjoys traveling, always seeking out new and interesting places to visit.


Leave a Reply