<%NUMBERING1%>.<%NUMBERING2%>.<%NUMBERING3%> PRTG Manual: Monitoring Bandwidth via Flows

Using flow protocols, you can monitor the bandwidth usage of all packets going through a device. In PRTG, you can view Toplists for all xFlow (NetFlow, jFlow, sFlow, IPFIX) sensors.

Flows are monitoring data pushed from network devices to PRTG. You can use them to monitor where and how much data is traveling to and from. This way, they determine which machine, protocol, or user is consuming bandwidth. PRTG currently supports the following flow types:

  • NetFlow v5/v9 and IPFIX: Originally introduced by Cisco and supported by several vendors.
  • jFlow: Traffic sampling technology introduced by Juniper networks.
  • sFlow: Short for sampled flow, introduced by HP. sFlow uses statistical sampling of the traffic at defined intervals to achieve scalability for high volume interfaces.

You can also use packet sniffing for bandwidth monitoring if your hardware does not support any of these flow versions.

How xFlow Monitoring works

You can measure bandwidth usage by IP address or by application in a network, using one of the xFlow protocols. They are the best choice especially for networks with high traffic (connections with hundreds of megabits or gigabits).

For xFlow monitoring, the router gathers bandwidth usage data (flows), aggregates it, and sends information about it to PRTG using User Datagram Protocol (UDP) packets. When you use sampling (mandatory for sFlow), only information about every n-th packet is sent to PRTG, which reduces CPU load a lot. Because the switch already performs an aggregation of traffic data beforehand, the flow of data to PRTG is much smaller than the monitored traffic. This makes xFlow the ideal option for high traffic networks that need to differentiate the bandwidth usage by network protocol and/or IP addresses.

NetFlow and IPFIX Monitoring

The NetFlow (and IPFIX) protocol is mainly used by Cisco devices. Once configured, the router sends a NetFlow or IPFIX packet for each data flow to the monitoring system running on a PRTG probe. You can filter and evaluate the data in PRTG. Different NetFlow and IPFIX sensors are available: The basic sensors offer predefined channel definitions, the custom variants enable you to define your own channels.

The advantage of using NetFlow or IPFIX:

  • Generates little CPU load on the router itself (according to Cisco, 10,000 active flows create about 7% additional CPU load; 45,000 active flows account for about 20% additional CPU load).
  • Generates less CPU load on the PRTG core system compared to Packet Sniffer sensors.

icon-i-round-redYou must enable NetFlow or IPFIX export on the device that you want to monitor. The device must send a flow data stream to the IP address of the probe system on which you set up the NetFlow or IPFIX sensor.

icon-i-roundYou can monitor Juniper jFlow with the corresponding sensors as well. Basically they are adjusted NetFlow v5 sensors.

icon-i-roundNetFlow Lite monitoring is possible using the Sampling Mode of the NetFlow V9 sensor or of the NetFlow V9 (Custom) sensor. You can turn on the sampling mode and define a suitable Sampling Rate in the sensor settings. Note that NetFlow Lite monitoring might not work in every case even with active sampling mode.

sFlow Monitoring

sFlow works similar to NetFlow monitoring. The router sends data flow packets to the monitoring system running on a PRTG probe. The most obvious difference between the two flow protocols: With sFlow, not all of the traffic is analyzed, but only every n-th packet.

The advantage is clear: There is less data to analyze, there is less CPU load needed, and less monitoring traffic is generated. Nevertheless, you can get a good insight into your network bandwidth usage.

icon-i-roundPRTG supports sFlow version 5.

Set Up Flow Sensors

Find details on how to set up the different flow sensors in the following sections:

Limitations

For example, with a dual core, 2.5 Ghz hardware system, you can process about 100,000 flows per second for one xFlow stream. Using sampling, the number of actual flows can be much higher. When using complex filters, the value can be much lower. For example, with a router sending about 2,000 flows/second (which corresponds to mixed traffic at gigabit/second level without sampling) you can expect to configure up to 50 xFlow sensors operating properly.

PRTG internally monitors its own xFlow processing. You can see decreased values in the Health channels of the Core Health and Probe Health Health sensors as soon as xFlow packets are not processed because of an overload (you find these sensors on the local probe device).

If you experience an overload, consider using sampling or setting up multiple probes and distributing the xFlow streams to them. We recommend that you do not add more than 50 xFlow sensors per PRTG probe.

You cannot use this sensor in cluster mode. You can only set it up on a local probe or a remote probe but not on a cluster probe.

icon-i-blueIPv6 flows are supported by NetFlow V9 and IPFIX sensors, other flow sensors only support IPv4.

More

Knowledge Base: Can I add custom channels to standard Packet Sniffer and NetFlow sensors?

Knowledge Base: What filter rules can be used for custom Packet Sniffing, xFlow, or IPFIX sensors?

Knowledge Base: How do the channel definitions for custom Packet Sniffing, xFlow, and IPFIX sensors work?

Knowledge Base: Does my Cisco device (Router/Switch) support NetFlow Export?

Knowledge Base: Do you have any configuration tips for Cisco routers and PRTG?

Knowledge Base: How do I monitor Cisco ASA Firewalls using NetFlow 9 and PRTG?

Knowledge Base: How can I change the default groups and channels for xFlow and Packet Sniffer sensors?

Knowledge Base: What is the Active Flow Timeout in Flow sensors?

Paessler Website NetFlow Generator and NetFlow Tester

Keywords: Flow,Flow Technology