NetProfiler Flow List Report Format

There is a tendency for customers to misinterpret Flow List topology as the actual reflection of the physical path of the traffic flow reported ie. traceroute.

This is NOT the case as explained below. Flow lists display statistics for each traffic flow seen on the monitored network during the time frame of the report.

The Topology columns in the Flow List table identify the devices and interfaces that have reported traffic flows. The cli > srv (client to server) column and srv > cli (server to client) column each list up to five hops per minute made by each flow that is reported. The order in which the hops are listed does not reflect the physical path of the flow through the network. The list for each flow can be built from multiple flow reports that the Profiler receives from reporting devices. 

Each flow report that the Profiler receives covers one minute of traffic from one source. The Profiler can combine:

• Reports of flows in different directions (cli > srv and srv > cli)
• Reports from multiple sources
• Multiple reports from each source

Each row of the table lists the devices that reported the flow within the time frame of the report. A typical flow list shows the same device in both the cli > srv and srv > cli columns, but the ingress and egress interfaces are reversed because of the different directions. This indicates that the two directions of the flow are symmetrical. However, this may not always be the case. The columns could show different topology information for several reasons, such as:

• Asymmetric routing – Packets sent from the server back to the client are routed differently through the network, causing them to traverse different devices and/or interfaces.
• Timing – The sources for the cli > srv flow reported the flow earlier than the sources for the srv > cli, or vice versa.
• Unidirectional flow – For UDP flow in one direction only, one of the topology columns will be blank.

Each row in the topology columns displays a comma-separated list the device and interfaces for each hop of the reported flow. Devices and interfaces are listed in the following format:

device:ingress_interface:ingress_description:ingress_dscp > egress_interface:egress_description:egress_dscp
 

where:

device – IP address or DNS name of the device that reported the flow

ingress_interface – the name (ifDescr) of the ingress interface for this direction of the flow, if this has been specified on the Profiler System > Devices/Interfaces page Interfaces (List) tab. If you have not specified a name, then this is the description (ifAlias) obtained from the reporting device. If no description has been specified on the reporting device, then this is the ifIndex.

ingress_dscp – the Differentiated Services Code Point marking of the of the flow as received at the ingress interface. This is displayed as a DSCP Marking name, if one has been defined on the Definitions > DSCP page. If no DSCP Marking name has been assigned, this is displayed as the DSCP number.

egress_interface – the name (ifDescr) of the egress interface for this direction of the flow, if this has been specified on the Profiler System > Devices/Interfaces page Interfaces (List) tab. If you have not specified a name, then this is the description (ifAlias) obtained from the reporting device. If no description has been specified on the reporting device, then this is the ifIndex.

egress_dscp – the Differentiated Services Code Point marking of the of the flow as it leaves the egress interface. This is displayed as a DSCP Marking name, if one has been defined on the Definitions > DSCP page. If no DSCP Marking name has been assigned, this is displayed as the DSCP number.

Sensor hops do not have the egress_interface or egress_dscp fields.

Cascade Profiler