What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Netflow & Interface Bandwidth: Same Pattern, Different Amounts

Votes:

0

We have a number of edge routers/firewalls configured to send netflow v9 data to our probes. Additionally, we are monitoring interface traffic on these devices. We are noticing that the netflow and interface traffic show similar trends and patterns, indicating that the netflow data is coming in accurately, but the netflow data is reporting higher bandwidth amounts than the interfaces (somewhere around 10-20% higher).

Regarding the netflow data: - Active timeout is configured on the devices at 1 minute and the netflow sensors are configured to 2 minutes, per the prtg instructionals. - Interface filters are configured to separate active interfaces into separate sensors. Ingress and egress traffic is being pulled in per interface sensor for netflow data.

Given our configuration, I would presume that the bandwidth totals would more closely match between the interface sensors and the netflow sensors, but they don't among all measured devices. The traffic patterns between the two sensors for a given device don't match perfectly, so I know that the bandwidth totals won't be exact, but the netflow sensors are consistently higher than the interface sensors by about 10 or 20%. I'm wondering why this might be (some kind of netflow overhead?) and if there's anything we can do to try and more closely align those sensors so reported bandwidths match more closely.

netflow netflow-v9 snmp traffic-monitoring

Created on Mar 12, 2018 1:26:43 PM



Best Answer

Accepted Answer

Votes:

0

We followed up with Kyle via a support case.

In the end, the issue appears to have been the export rules on the device. Upon a closer look, PRTG was reporting exactly the double of the data reported by the SNMP Traffic sensors. Kyle contacted the vendor and they have identified that both interfaces (LAN and WAN) were exporting both ingress and egress flow.

This results as PRTG reporting "double" the data, since traffic flowing from the WAN to LAN will be reported once as ingress on the WAN interface and a second time as egress on the LAN interface, resulting in exactly double of the expected traffic.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Mar 23, 2018 1:03:21 PM by Luciano Lingnau [Paessler]

Last change on Mar 23, 2018 1:04:36 PM by Luciano Lingnau [Paessler]



3 Replies

Votes:

0

Hello Kyle,

Huh, interesting, usually we get the question the other way round, meaning traffic reported by flows is lower than by SNMP traffic sensors :)

I'll send you an email with further instructions what we can do analyze this further.

Kind regards,

Erhard

Created on Mar 13, 2018 1:37:31 PM by Erhard Mikulik [Paessler Support]



Votes:

0

Thank you Erhard!

Created on Mar 13, 2018 1:41:34 PM



Accepted Answer

Votes:

0

We followed up with Kyle via a support case.

In the end, the issue appears to have been the export rules on the device. Upon a closer look, PRTG was reporting exactly the double of the data reported by the SNMP Traffic sensors. Kyle contacted the vendor and they have identified that both interfaces (LAN and WAN) were exporting both ingress and egress flow.

This results as PRTG reporting "double" the data, since traffic flowing from the WAN to LAN will be reported once as ingress on the WAN interface and a second time as egress on the LAN interface, resulting in exactly double of the expected traffic.

Best Regards,
Luciano Lingnau [Paessler Support]

Created on Mar 23, 2018 1:03:21 PM by Luciano Lingnau [Paessler]

Last change on Mar 23, 2018 1:04:36 PM by Luciano Lingnau [Paessler]




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.