FlowScan - About Flows
FlowScan utilizes flows defined and exported by Cisco's NetFlow feature. In their definition an IP flow is a unidirectional series of IP packets of a given protocol type, traveling between a source and destination within a certain period of time. The source and destination are defined by IP addresses. Because the flow is unidirectional, nearly all useful exchanges between two hosts (e.g. client and server), are represented by at least two flows- one flow in each direction. (Note that this is quite different from the bidirectional notion of flows defined by RTFM.)
FlowScan and its component parts collect and process raw flows exported from routers. FlowScan examines each flow and maintains counters based on how that flow is classified. FlowScan reports its results (and may optionally initiate other actions) on a periodic basis. Raw flows may be archived or discarded after analysis, depending on FlowScan configuration.
In its current form, FlowScan is distributed with two canned report modules to illustrate its functionality: The first, CampusIO, is a full-featured report module that is often the first and only report run by most FlowScan users. The second report, SubNetIO, requires a bit more configuration on the part of the installer, but also maintains per-subnet statistics enabling billing a given campus "customer" based on their bandwidth usage.
Both reports interrogate the raw router flows, accumulate total counts and push these statistics into Round Robin Database (RRD) time-series databases. Each RRD database contains packet, byte, and flow counters, maintained separately for both in and out directions when appropriate.
Specifically, each RRD created by FlowScan contains between one and eight traffic statistics measured at five-minute intervals, identifying one of the following flow attributes:
- IP protocol (e.g., ICMP, TCP, UDP)
- service or application (e.g., ftp-data, ftp, smtp, nntp, http, RealMedia, Quake, Napster)
- class A,B,C network or CIDR block in which a "local" IP address resides
- autonomous system (AS) pair routing this traffic flow
Additionally, FlowScan maintains general traffic databases identifying total traffic, multicast traffic, and traffic involving unknown networks.
The figure below shows a sample FlowScan graph of campus traffic over a period of 48 hours. This graph was created using the CampusIO report.
Several events can be observed in this graph:
- A circadian rhythm to campus traffic can be seen, with a low point around 6am and peaks in the late evening
- There is more total outbound traffic than inbound, inferring that the campus consistently provides more Internet content than it consumes (irregardless of whether our web cache is enabled).
- There is a significant amount of Napster data content. In fact, Napster users were responsible for an amount of traffic both inbound and outbound that rivals or exceeds both general web traffic (HTTP) and file transfer traffic (FTP)