Many NetFlow Reporting applications claim to tell you who the top 10 bandwidth hogs are by displaying the top 10 or so hosts for a time period based on total amount of traffic sent or received.  Yes, this is helpful but it can paint a distorted picture when it comes to network traffic analysis.  What about Flow Volume?

bandwidthhog
“Customers across the country have received letters from Comcast warning them to limit their bandwidth consumption or face a one-year termination of service. “
Source:  The New York Times

I think that it is safe to say that all sFlow and NetFlow analyzers display a top hosts report.  Unfortunately, this is just the beginning when trying to diagnose a congestion issue.  Often times we need to drill in further for details on the behavior of the hog to gain a more accurate picture of the problem.  Below is a Top Hosts listing the total bytes transmitted per host for the time frame but, it doesn’t tell us how many flows (i.e. virtual circuits) each created.  Should you care?

topHosts

Benoit Felton of the Yankee Group said “Unfortunately, to the best of our knowledge, the way that telcos identify the Bandwidth Hogs is not by monitoring if they cause unfair traffic congestion for other users. No, they just measure the total data downloaded per user, list the top 5% and call them hogs.”
benoitFelten

Benoit Felton

Some applications BitTorrent are more aggressive than traditional practices such as FTP when it comes to downloading files.  I think Richard Bennett of the Information Technology and Innovation Foundation in Washington, DC explained it well:

“…… while TCP may be fair across all TCP virtual circuits, it doesn’t ensure fairness across all users of the network. This is because some users and some applications employ more TCP virtual circuits than others. This is particularly bothersome when users are running applications such as BitTorrent. In a typical scenario, BitTorrent uses 20-40 TCP virtual circuits at a time for each download in progress. TCP fairness ensures that each of these 20-40 VCs has a “fair” chunk of bandwidth, but it does nothing about the fact that the BitTorrent user is grabbing 20-40 times the bandwidth as the ftp user, who is only downloading on 1 VC.”

richardBennett
Richard Bennett

A report on Flow Volume is necessary to determine who is creating the most flows or the flow volume created by each of the top hosts.

hostFlows

How are you identifying top bandwidth hogs?  If you are undecided, check out Scrutinizer for its best at NetFlow reporting which includes volume of flows per host!.

Mike Patterson author pic

Michael

Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

Related

Big Data

Sankey Flow Graph

Posted on - by Jeff Morrison

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply