NetFlow Calculator for Supermen!

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

NetFlow Calculator for Supermen!

When sizing a NetFlow or IPFIX collection appliance, many consumers go looking for a NetFlow calculator.  In order to do some calculations, you'll need to have some numbers handy. For example, what volume of flows per second can all of the hardware combined generate?  This is an important question because it will likely influence the type of collector your team invests in.

A software based collector should be able to scale to well over 40,000 flows per second which is over a couple million flows per minute.  A hardware based solution should scale to well over 100,000 flows per second.  If the solution can be distributed, collection rates well into the multi millions, should be attainable.  The problem that customers need to be aware of is that flow volume is not always directly related to bandwidth consumed.

Flows Don’t Correlate with Bandwidth
A ten megabit connection could be 100% utilized with a few dozen users all downloading at the same time.  The same connection could have bandwidth to spare with hundreds of users all actively sharing the very same connection. When I ask a customer  “what is your total flow volume” and they respond with “we have two 40 gigabit connections that are nearly full” I realize that I’m going to have to ask more questions and possibly do some testing.  

Let me explain the problem using an analogy.  If I tell a carpenter that I want a 24x30 foot home, he might envision something like what is shown below:


However, in the city, I might have a 4 story house like this in mind for the exact same foundation foot print:


The interesting thing is that in either house the occupants consist of my wife and I (i.e. two people) and a dog.  The house envisioned by the carpenter is 720 square feet and the house I was dreaming about was 2880.  The point to this analogy is that more capacity doesn’t necessarily mean more occupants (i.e. more bandwidth doesn’t equal more flows).    

Show IP Cache Flow
I find that because of the above, I have to ask the question differently.  Depending on the OS version running on the Cisco routers, I ask “can you log into your busiest router and type in> show ip cache flow”. This command will list the number of active flows in the NetFlow cache at the time this command was entered.

Determining Flow Volume
Granted, this command doesn’t consider whether those flows are long or short lived however, if the customer responds with 40,000 I might guess on the high end that 10% (i.e. 4,000) of those are being exported every second because new flow entries are being added as quickly as they are being removed.  I then ask the customer some network configuration questions as well as the number of routers to get an idea on the total volume of flows they could be experiencing enterprise wide.

NOTE: Be aware that the default cache size for a Cisco 7500 router is 65,536 entries.  On the NGA 3240, the active flow cache can reach 80 million!

One way to take a more accurate baseline on the volume of flows being exported is to run a simple test with a free tool called Flowalyzer. Click on the Listener tab and the counter will clearly display the volume of flows per second across all actively sending flow exporters.

NetFlow Calculator
Some customers want to know “How much bandwidth is enabling NetFlow going to consume on my network?” This question is often answered with “It depends.” However, lets consider that basic NetFlow v5, V9 or IPFIX exports will fill a large Ethernet datagram (~1500 bytes) with 24-30 flows.  If the router is exporting 4000 flows per second, this is about 2 megabits / second. This is easier to calculate with a NetFlow calculator.

NOTE: 1 byte = 8 bits.

Due to the spread-out nature of most network configurations, the total flow volume is generally only combined at the egress point of the flow collector.

Evaluate the NetFlow Collector
The best way to determine the volume of flows on your network is to evaluate the NetFlow collector. This strategy will also all your company to ensure that the solution has the feature sets you need to support your company’s incident response needs.

Related Articles to 'NetFlow Calculator for Supermen!'
Feedback for NetFlow Calculator for Supermen!

Leave a comment

Featured Events