
February 18, 2025

Enhancing NetFlow Accuracy: Introducing Nexusguard's Active NetFlow Smoothing and Active NetFlow Calibration

Ensuring precise traffic monitoring for enterprise applications is vital. In practice, however, several recurring problems introduce inaccuracies into NetFlow data analysis:

  • Incorrect Sampling Ratios
  • Incorrect Sampling Time Parameter Settings (active/inactive timeout)
  • Incorrect Router Times
  • Diverse Router Sampling Behaviors

To combat these issues, Nexusguard is introducing its newly developed Nexusguard Active NetFlow Smoothing and Nexusguard Active NetFlow Calibration for enhanced data accuracy. Let's first examine the aforementioned issues more closely.

NetFlow Data Analysis Challenges

Challenge 1: Incorrect Sampling Ratios

In general, sampling more packets (a higher sampling ratio) reconstructs the traffic profile more precisely. In practice, however, several constraints get in the way:

  1. Router Hardware Limitations:
    Some routers cannot be configured with the optimal sampling ratio because of hardware constraints.
  2. High Modification Costs:
    Changing the sampling ratio on a production router can be costly.
  3. Increased Router Load:
    An excessively high sampling ratio burdens the customer's router and can itself lead to inaccurate NetFlow sampling; there have been cases where a 1:1 sampling ratio caused routers to export erroneous NetFlow data. A high flow export rate (flows per second, FPS) also raises the customer's operational costs.
  4. Data Distortion:
    Conversely, a sampling ratio that is too low captures too few packets and distorts the reconstructed traffic.

Challenge 2: Incorrect Sampling Time Parameter Settings (active/inactive timeout)

The active and inactive timeout parameters govern when the router's flow cache expires a flow and exports it, and therefore how the traffic of a connection is split into NetFlow records. Specifically:

A flow becomes export-ready under two conditions:

  1. It has been inactive for a set duration (no new packets received for the flow); the default inactive timeout on Cisco routers is 15 seconds.
  2. It is a long-lived (active) flow that has been open longer than the active timeout (e.g. an extended FTP download); the default active timeout on Cisco routers is 30 minutes.

Additionally, a flow is flagged for export as soon as TCP flags indicate that the connection has terminated (FIN or RST).

For traffic monitoring the active timeout is typically lowered to 60 seconds, so that a long-lived connection is exported as a series of one-minute records and its traffic can be charted at minute granularity.

However, due to various constraints, customer routers do not always use the recommended settings. When they do not, the traffic reconstructed from NetFlow loses accuracy. A typical symptom is an unexpected traffic spike at the moment a long connection terminates: with a 30-minute active timeout, up to half an hour of traffic is reported in a single record, and a collector that attributes each record to its end time charts that record as one burst.

The resulting discrepancy between the NetFlow-based traffic chart and the actual traffic can trigger false alarms for anomalous events that never happened.
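
To make the effect of the active timeout concrete, the following added example (not Nexusguard's or any router vendor's code) replays a constructed packet trace through a minimal flow cache that applies the three export rules above, then charts the exported records the naive way, with every record's bytes placed in the 60-second slot of its end time. The trace, the flow key and the 1,000 bytes/second rate are all constructed for the illustration:

```python
"""Flow-cache simulation showing how the active timeout shapes NetFlow records.

Added illustration, not Nexusguard's or any router vendor's code.  The packet
trace is constructed: one TCP transfer at a constant 1,000 bytes/second for
600 seconds, closed with a FIN.  Timestamps are in seconds.
"""
from collections import defaultdict

TCP_FIN = 0x01
TCP_RST = 0x04


def constant_rate_transfer(duration=600, pkt_bytes=1000, key="10.0.0.1>10.0.0.2"):
    """Constructed trace: one packet per second, FIN set on the last packet."""
    return [(t, key, pkt_bytes, TCP_FIN if t == duration - 1 else 0)
            for t in range(duration)]


def export_flows(packets, active_timeout, inactive_timeout=15):
    """Replay packets through a flow cache and return the exported records
    as (first_seen, last_seen, key, bytes), in export order.

    Expiry rules: a flow is exported when it has been idle longer than
    inactive_timeout, when it has been open for active_timeout seconds, or
    when a FIN/RST ends the TCP connection.  After an active-timeout export
    the next packet of the connection starts a fresh record."""
    cache = {}          # key -> [first_seen, last_seen, bytes]
    exported = []

    def expire(now):
        for key in list(cache):
            first, last, nbytes = cache[key]
            if now - last > inactive_timeout or now - first >= active_timeout:
                exported.append((first, last, key, nbytes))
                del cache[key]

    for ts, key, nbytes, flags in packets:
        expire(ts)
        if key in cache:
            cache[key][1] = ts
            cache[key][2] += nbytes
        else:
            cache[key] = [ts, ts, nbytes]
        if flags & (TCP_FIN | TCP_RST):
            first, last, total = cache.pop(key)
            exported.append((first, last, key, total))

    for key, (first, last, nbytes) in cache.items():   # flush at end of trace
        exported.append((first, last, key, nbytes))
    return exported


def end_time_bps(records, slot=60):
    """Naive collector charting: every record's bytes are attributed to the
    60-second slot containing its end time; returns {slot_index: bps}."""
    chart = defaultdict(float)
    for _first, last, _key, nbytes in records:
        chart[last // slot] += nbytes * 8 / slot
    return dict(chart)


if __name__ == "__main__":
    trace = constant_rate_transfer()
    for name, timeout in (("Cisco default active timeout", 1800),
                          ("recommended active timeout", 60)):
        recs = export_flows(trace, active_timeout=timeout)
        print(f"{name} ({timeout}s): {len(recs)} record(s)")
        print("   bps per minute:", end_time_bps(recs))
```

With the 30-minute default the whole transfer becomes one record exported on the FIN, and the chart shows 80,000 bps in minute 9 and nothing before it, although the real rate was a steady 8,000 bps; with a 60-second active timeout the same transfer yields ten one-minute records and a flat chart.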

Challenge 3: Incorrect Router Times

Incorrect time settings on a customer's router can result in inaccuracies in NetFlow data. This manifests in two scenarios:

  1. Delayed NetFlow arrival:
    NetFlow data arrives later than the current processing time.
  2. Early NetFlow arrival:
    NetFlow data arrives earlier than the current processing time.

In either case the records are attributed to the wrong time slots on the traffic chart.

Fig 1 - Both scenarios result in inaccuracies in the traffic chart

Challenge 4: Diverse Router Sampling Behaviors

When the active timeout is set correctly, the router is expected to export a record for a long-lived connection every minute until the connection ends. Certain router brands or models, such as Juniper, may handle long-lived connections differently: when such a connection terminates, the router may report all of the connection's traffic again in the final NetFlow record.

This behavior can result in:

Traffic spikes: Sudden peaks in the traffic chart caused by aggregating the traffic of a whole connection into a single NetFlow record.

Double counting: The traffic of the long connection is counted twice, first in the periodic exports and again in the final export, leading to inflated traffic metrics.

Such discrepancies skew traffic analysis and call for corrective measures to ensure precise monitoring.

Nexusguard Active NetFlow Smoothing

Nexusguard's NetFlow Smoothing Algorithm employs a combination of active and passive adjustments to distribute traffic data evenly over time and correct anomalies. When the smoothing feature is activated, the algorithm specifically targets NetFlow records spanning more than 60 seconds: each such record is segmented into 60-second intervals and its traffic redistributed across them. The steps are as follows:

Algorithm Overview

Step 1: Key Metrics Calculation

Number of Slots:

The number of 60-second intervals covered by the NetFlow record, from its start time to its end time.

Normalized Traffic:

The record's traffic (in packets or bits, i.e. the quantity charted as PPS or BPS) divided by the number of slots: the share to be assigned to each interval.

Step 2: Smooth Traffic Across Intervals

Implementation of Active NetFlow Smoothing

Designed specifically to tackle Challenges 2 and 4 above, Nexusguard's Active NetFlow Smoothing compensates for out-of-sync sampling time settings and applies corrective measures for the traffic spikes and double counting that certain router brands introduce when they aggregate the traffic of a connection into its final record.

Addressing Challenge 2

For each 60-second interval i between the record's start and end times, the traffic value of that interval is adjusted so that the record's traffic is spread evenly:

Smoothed NetFlow(i) BPS/PPS = NetFlow Original BPS/PPS + Normalized Traffic

Here NetFlow Original BPS/PPS is the traffic already attributed to interval i, and Normalized Traffic is the record's per-interval share from Step 1. Applying this to every interval replaces the single block of traffic at the record's end time with a uniform distribution over its duration.

Addressing Challenge 4

The record at the end time, which on the routers described in Challenge 4 carries the aggregated traffic of the whole connection, is handled separately: instead of attributing the aggregated value to the final interval, only the normalized share is added to it:

Smoothed NetFlow(End Time) BPS/PPS = NetFlow Original BPS/PPS + Normalized Traffic

Smoothing the final interval in this way removes the aggregation spike and keeps the overall traffic distribution consistent with the periodic exports.
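
The two steps above, written out as an added example (this is not Nexusguard's code). It takes NetFlow records as (first_seen, last_seen, flow_key, bytes) tuples, computes the number of slots and the normalized traffic of every record longer than 60 seconds, and adds that share to each slot the record covers, including the end-time slot. Three details the article leaves open are assumptions of the example and marked as such in the code: slots are aligned to multiples of 60 seconds; a record is "long" when it lasts more than 60 seconds; and, for the Challenge 4 routers, the final aggregated record is recognised as one whose time span contains earlier records of the same flow key, which it then supersedes. The input records are constructed to reproduce that Juniper-style behaviour:

```python
"""Active NetFlow Smoothing as described above, written as an added example
(this is not Nexusguard's code).  A record is (first_seen, last_seen, flow_key,
bytes) with timestamps in seconds; a chart is {60-second slot index: bits/s}.

Assumptions the article does not spell out: slot k covers [60k, 60k+60); a
record is "long" when it lasts more than SLOT seconds; and, for routers that
emit periodic records and then a final record aggregating the whole
connection (Challenge 4), the aggregate is recognised as a record whose time
span contains earlier records of the same flow key, which it supersedes.
"""
from collections import defaultdict

SLOT = 60


def end_time_bps(records, slot=SLOT):
    """Unsmoothed chart: all of a record's bytes land in its end-time slot."""
    chart = defaultdict(float)
    for _first, last, _key, nbytes in records:
        chart[last // slot] += nbytes * 8 / slot
    return dict(chart)


def drop_superseded(records):
    """Double-counting fix (assumption, see above): discard periodic records
    that a later aggregated record of the same flow re-reports."""
    kept = []
    for rec in records:
        first, last, key, _ = rec
        kept = [k for k in kept
                if not (k[2] == key and first <= k[0] and k[1] <= last)]
        kept.append(rec)
    return kept


def smooth(records, slot=SLOT):
    """Step 1 computes the number of slots and the normalized traffic of each
    long record; step 2 adds that share to every slot the record spans,
    i.e. Smoothed(i) = Original(i) + Normalized Traffic, including the
    end-time slot, which no longer receives the whole record."""
    chart = defaultdict(float)
    for first, last, _key, nbytes in drop_superseded(records):
        if last - first <= slot:                # short record: unchanged placement
            chart[last // slot] += nbytes * 8 / slot
            continue
        slots = range(first // slot, last // slot + 1)   # Number of Slots = len(slots)
        normalized = nbytes / len(slots)                  # Normalized Traffic (bytes)
        for i in slots:
            chart[i] += normalized * 8 / slot
    return dict(chart)


def chart_bytes(chart, slot=SLOT):
    """Bytes represented by a chart, to check that smoothing conserves volume."""
    return sum(bps * slot / 8 for bps in chart.values())


# Constructed input: a ten-minute connection at 1,000 bytes/s that the router
# reports in nine periodic 60-second records and then once more as a single
# aggregated record on termination, plus an unrelated short flow.
FLOW = "198.51.100.7:443>203.0.113.9:51000"
JUNIPER_STYLE = [(60 * k, 60 * k + 59, FLOW, 60_000) for k in range(9)]
JUNIPER_STYLE.append((0, 599, FLOW, 600_000))
SHORT_FLOW = [(130, 140, "203.0.113.9:51001>198.51.100.7:443", 5_000)]

if __name__ == "__main__":
    recs = JUNIPER_STYLE + SHORT_FLOW
    print("unsmoothed:", {k: round(v) for k, v in sorted(end_time_bps(recs).items())})
    print("smoothed:  ", {k: round(v) for k, v in sorted(smooth(recs).items())})
    print("bytes:", chart_bytes(end_time_bps(recs)), "->", chart_bytes(smooth(recs)))
```

Unsmoothed, the chart shows 8,000 bps for minutes 0 to 8 and an 80,000 bps spike in minute 9, and it accounts for 1,145,000 bytes although only 605,000 were transferred. Smoothed, every minute of the connection shows 8,000 bps (plus the short flow's share in minute 2) and the byte total matches. Splitting a long record into equal shares is the distribution the article describes; weighting each slot by the seconds the record actually overlaps it would be a finer variant.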

Benefits of the Algorithm

  1. Even Distribution: Prevents traffic spikes by redistributing flow data over its entire duration.
  2. Anomaly Correction: Addresses issues such as aggregated traffic at the end of long flows.
  3. Improved Accuracy: Provides a more accurate and realistic representation of traffic trends.
  4. Scalability: Handles both standard flows and outliers effectively without significant computational overhead.

The algorithm ensures smoother traffic graphs and enhances the dependability of NetFlow-driven analyses.

Fig 2 - Smoothed NetFlow Data

Through the utilization of Active NetFlow Smoothing, aforementioned Challenges 2 and 4 can be effectively addressed, as depicted by the green curve in the graph below.

Fig 3 - Smoothed NetFlow Distribution

Nexusguard Active NetFlow Calibration

Tailored specifically to tackle Challenges 1 and 3 above, Nexusguard's Active NetFlow Calibration improves traffic precision even when the sampling ratio is low, and detects and corrects incorrect router time settings.

Nexusguard's automatic calibration algorithm primarily works through the following methods:

  1. Automatic Padding (Fixed Padding)
    By comparing the NetFlow-derived traffic with the interface traffic reported via SNMP, the algorithm automatically applies padding to compensate for the inherent error of NetFlow sampling. This addresses Challenge 1 by minimizing the discrepancies caused by sampling inaccuracies.
  2. Time Detection and Adjustment
    The algorithm detects the offset of the NetFlow timestamps and automatically adjusts them to restore the real event time. This solves Challenge 3, ensuring that NetFlow data aligns with the time at which events actually occurred.

These techniques greatly improve the accuracy of NetFlow data and ensure reliable traffic analysis.
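
The article does not give the details of Nexusguard's calibration algorithm, so the following added example (not Nexusguard's code) shows one straightforward way to perform the two corrections against SNMP interface counters: the clock offset is found as the shift at which the realigned NetFlow series correlates best with the SNMP series, and the padding factor is the ratio of SNMP volume to realigned NetFlow volume. The per-minute traffic series, the 2-minute clock error and the 80% sampling bias are all constructed for the illustration:

```python
"""Calibration against SNMP interface counters: an added illustration of the
two corrections described above (time detection and fixed padding).  It is
not Nexusguard's algorithm, whose details the article does not give.

Constructed data: per-minute traffic in megabytes.  SNMP counters see all
traffic; the sampled NetFlow view under-reports by a constant factor and is
stamped by a router clock running ROUTER_CLOCK_AHEAD minutes fast, so a
record that really belongs to minute t arrives labelled t + ROUTER_CLOCK_AHEAD.
"""
import math

TRUE_MB = [10, 12, 30, 80, 40, 15, 10, 10, 50, 90, 30, 10, 10, 12]
SNMP_MB = list(TRUE_MB)
ROUTER_CLOCK_AHEAD = 2      # minutes (constructed fault)
SAMPLING_BIAS = 0.8         # NetFlow reports 80% of the true volume (constructed)

NETFLOW_MB = [TRUE_MB[0] * SAMPLING_BIAS] * len(TRUE_MB)   # filler before the shift
for t, mb in enumerate(TRUE_MB[:len(TRUE_MB) - ROUTER_CLOCK_AHEAD]):
    NETFLOW_MB[t + ROUTER_CLOCK_AHEAD] = mb * SAMPLING_BIAS


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def overlap(n, shift):
    """Minutes t for which a NetFlow sample stamped t + shift exists."""
    return [t for t in range(n) if 0 <= t + shift < n]


def detect_offset(snmp, netflow, max_shift=5):
    """Time Detection: the shift whose realigned NetFlow series correlates
    best with SNMP.  Positive means the router clock is ahead of real time."""
    best_shift, best_r = 0, -2.0
    for shift in range(-max_shift, max_shift + 1):
        ts = overlap(len(snmp), shift)
        if len(ts) < 3:
            continue
        r = pearson([snmp[t] for t in ts], [netflow[t + shift] for t in ts])
        if r > best_r:
            best_shift, best_r = shift, r
    return best_shift


def padding_factor(snmp, netflow, shift):
    """Fixed Padding: ratio of SNMP volume to realigned NetFlow volume."""
    ts = overlap(len(snmp), shift)
    nf = sum(netflow[t + shift] for t in ts)
    return sum(snmp[t] for t in ts) / nf if nf else 1.0


def calibrate(netflow, shift, factor):
    """Restore real event time and apply padding: {minute: calibrated MB}."""
    return {t: netflow[t + shift] * factor for t in overlap(len(netflow), shift)}


if __name__ == "__main__":
    shift = detect_offset(SNMP_MB, NETFLOW_MB)
    factor = padding_factor(SNMP_MB, NETFLOW_MB, shift)
    print(f"detected clock offset: {shift:+d} min, padding factor: {factor:.3f}")
    for t, mb in calibrate(NETFLOW_MB, shift, factor).items():
        print(f"minute {t:2d}: SNMP {SNMP_MB[t]:5.1f}  raw NetFlow "
              f"{NETFLOW_MB[t]:5.1f}  calibrated {mb:5.1f}")
```

On the constructed data the detector recovers the +2 minute offset and a padding factor of 1.25 (the inverse of the 80% bias), and the calibrated series matches the SNMP counters minute for minute. In production the same two quantities would be re-estimated over a sliding window, since sampling error is not a true constant and a router clock can drift.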

Don't let inaccuracies compromise your network insights. Embrace Nexusguard's Active NetFlow technologies for reliable and precise traffic analysis. For more information, speak to one of our security experts today.
