Why is my NetFlow Analyzer reporting interface use over 100%?

This is a question that comes across the tech support desk all the time.

Let’s take a look at how this can happen.

I am going to start with some of the simple causes first.

Is the bandwidth on the interface burstable?

If it is, the over-utilization could be real.

Is the port speed set on the interface correct?

Our NetFlow Analysis tool uses SNMP to get the device/interface names and the port speeds of all interfaces. If the port speed is not correct, you can go to Admin Tab/Definitions/Device Details to set a custom port speed.

Are we exporting flow information from the routers and switches to the NetFlow analyzer on a 1 minute time interval?

Scrutinizer builds its raw NetFlow tables in 1 minute intervals. If we receive more than 1 minute’s worth of data from the exporter, it all gets put into a single 1 minute data table, and the interface use averages are then built on the inflated 1 minute data. We always recommend that any active template timeout or polling intervals be set to 1 min or 60 seconds.

To see what is being exported in any one interval, simply open a report and drill in to 1 minute time intervals.

Look at Raw NetFlow 1 min Intervals
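The inflation described above, shown as an added example that is not part of the original post and is not Scrutinizer's code. It is a simplified model in which the collector assigns each flow record's full byte count to the 1 minute bucket in which the record arrives. The record fields, function names, and the constructed 8 Mbps flow on a 10 Mbps port are assumptions for illustration.

```python
from collections import defaultdict

BUCKET_SECONDS = 60  # the collector's 1 minute table interval, per the article


def export_flows(rate_bps, duration_s, active_timeout_s):
    """Constructed exporter: one steady flow, cut into a record every active timeout."""
    flows, start = [], 0
    while start < duration_s:
        end = min(start + active_timeout_s, duration_s)
        flows.append({"first": start, "last": end, "export_ts": end,
                      "bytes": rate_bps * (end - start) // 8})
        start = end
    return flows


def utilization_by_minute(flows, port_speed_bps):
    """Percent utilization per bucket when all of a record's bytes land in the
    bucket where it was received (assumed model of the 1 minute tables)."""
    octets = defaultdict(int)
    for f in flows:
        bucket = f["export_ts"] // BUCKET_SECONDS * BUCKET_SECONDS
        octets[bucket] += f["bytes"]
    capacity_bits = port_speed_bps * BUCKET_SECONDS
    return {ts: round(100.0 * b * 8 / capacity_bits, 1)
            for ts, b in sorted(octets.items())}


def long_flows(flows):
    """Records covering more than one bucket: a sign the active timeout exceeds 60 s."""
    return [f for f in flows if f["last"] - f["first"] > BUCKET_SECONDS]


if __name__ == "__main__":
    PORT = 10_000_000   # constructed 10 Mbps interface
    RATE = 8_000_000    # constructed steady 8 Mbps transfer lasting 5 minutes
    for timeout in (60, 300):
        flows = export_flows(RATE, 300, timeout)
        print(f"active timeout {timeout}s:",
              utilization_by_minute(flows, PORT),
              f"records spanning >60s: {len(long_flows(flows))}")
```

With the 60 second timeout every bucket reports the true 80%, while the 300 second timeout reports a single bucket at 400% for the same traffic.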

Are you only seeing Outbound traffic utilizing over 100% on the interface?

If you are seeing outbound traffic overstated, and you are exporting NetFlow v5, you might want to consider changing the version to v9 and adding IP FLOW EGRESS to the interfaces you are monitoring. I have seen a number of cases where ingress traffic on a high speed interface gets over-reported when the outbound or destination interface is a slower interface. Basically, with NetFlow v5 the outbound traffic shown is the result of what is monitored on the inbound side. The out/destination interface in the flow record determines where the output traffic gets assigned. By enabling NetFlow v9 with both ingress and egress monitoring, we are reporting on the actual numbers from both the inbound and outbound side.

Are there any performance issues taking place on either the device, network, or NetFlow collector?

Above I touched on how we are building the 1 minute data tables and that we expect to receive the flow exports in 1 minute intervals. If there are any performance issues on the router or switch that would prevent the export from taking place or being processed within the 1 minute time frame, we may receive more than 60 seconds’ worth of data export, and the 1 minute data table will be loaded with more than 1 minute’s worth of data.

If you are seeing over 100% utilization on any of your interfaces and wonder why, give me a call and we can take a look at what is causing the traffic spikes. (207)324-8805

Scott provides Pre Sales Technical Support to the Sales team at Plixer. Scott comes from a technical support background, having years of experience doing everything from customer account management to system programming. Some of his interests include coaching youth sports programs here in Sanford, playing drums and guitar in local jam bands, and playing in neighborhood lawn dart tournaments.


