Riverbed NetFlow Analyzer

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Riverbed NetFlow Analyzer

Last year we had a customer contact us to help them invest in the ideal Riverbed NetFlow Analyzer. After receiving a good size packet capture, I spent some time with the other engineers developing a whole bunch of new reports.

Riverbed NetFlow Analyzer
Most companies investing in a NetFlow or IPFIX solution are looking to observe exports from Cisco hardware. Although Cisco tends to be the leader in innovative flow elements, our Riverbed NetFlow Analysis exposed some really progressive details coming from Riverbed Steelhead appliances. Below you can see a Riverbed NetFlow report showing the source and destination IP addresses, the IC CFE IP, the IC SFE IP and the corresponding round trip time (RTT) for each entry.

Riverbed NetFlow Analyzer

One of my co-workers posted several references to these new elements and our NetFlow reporting back when we were building support for these elements into the January release of Scrutinizer. We went on to build Riverbed NetFlow Support for WAN optimization, non optimized traffic and several other reports which include metrics on retransmitted packets and bytes.

Perhaps one of the largest opportunities for these new Riverbed exports is in the area of cloud service monitoring. With many companies leveraging Internet services such as SalesForce.com and Google Mail, these new metrics available in our Riverbed Netflow Analyzer allow administrators to confirm that these critical Internet services are receiving priority over applications such as YouTube, Facebook and Skype. Often times this is done by looking at the RTTs for the connections with preferred DSCP or ToS values. Other times reports by subnet are used to isolate consistencies in poor performance. These reports can help pinpoint slowness to a specific router, firewall or WAN optimization appliance.

Riverbed Lacks Application Awareness
One of the more important features we have seen from other WAN optimization appliances is the use of Deep Packet Inspection (DPI) to identify layer 7 applications. Both Cisco and Exinda support this. These appliances monitor a series of packets looking for signatures and tell–tale behaviors indicative of applications like Webex, BitTorrent, Skype and others. DPI is also use to export details such as called ID, jitter, SSRC, codec, retransmits, HTTP host, URL, TCP window size and much more. Hopefully, Riverbed will follow Cisco suit and release a DPI capability for determining layer 7 applications similar to Cisco’s NBAR technology.

These same reports are also useful for ensuring that WAN optimization goals are being met. However, they require that egress flows be exported correctly without special considerations.


WAN optimization reporting is one of several important areas where a Riverbed NetFlow Analyzer must be able to deliver. Reach out to the team at Plixer if you need help reporting on the NetFlow data being exported from your Riverbed Steelhead appliances.

Related Articles to 'Riverbed NetFlow Analyzer'
Feedback for Riverbed NetFlow Analyzer

Leave a comment

Featured Events