Seeing a single minute that carries 10 times a network's average traffic in Auvik TrafficInsights can be alarming. The jump might be a real burst of traffic, which could be cause for concern. But it might also be an artifact of one long flow being reported all at once.
One way to tell the difference is to look at the relevant flow in the Flows area. If the start and end times shown for the spiking flow are the same, the flow's bytes have been collapsed into a single minute, and the spike is almost certainly a long flow being reported at its end timestamp rather than a genuine burst of traffic.
How does TrafficInsights handle long flows?
TrafficInsights continuously receives flow records, processes them immediately, and presents them on the dashboard with one-minute granularity so you can react as soon as possible.
When the system processes a long flow, it attributes all of the flow's bytes to the minute containing the flow's end timestamp instead of spreading them across the interval between the start timestamp and the end timestamp. Traffic that was actually transferred steadily over many minutes therefore shows up in TrafficInsights as a spike in the minute the flow ended.
Why does TrafficInsights show the data at the end of a long flow instead of spreading the data out?
In TrafficInsights, many processes run concurrently to aggregate incoming records into the metrics shown on the dashboard (for example, top talkers). Spreading a long flow back over the minutes it spanned would force the system to recalculate every aggregate already published for each of those earlier minutes. Instead, the flow's data is charged to its end timestamp, so each minute's aggregates are computed once, from the records that arrive during it.
How to configure NetFlow to avoid seeing long-flow spikes
Configure the active timeout of your NetFlow or IPFIX exporter to one minute. With the active timeout set, the exporter emits a record for every flow that has been alive for a minute and restarts accounting for it, so a long flow arrives at TrafficInsights as a series of one-minute records and you'll no longer see spikes caused by the processing of long flows. (Of course, you may still see spikes when there's an actual burst of network traffic.) Two things to keep in mind: a one-minute active timeout increases the number of records the exporter sends, and vendor defaults are usually much longer (Cisco's default active timeout is 30 minutes), which means that without this change a long-lived connection is not visible to the collector at all until it ends or the default timeout expires.
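To make the end-timestamp behaviour described above and the effect of a one-minute active timeout concrete, here is an added simulation. It is not Auvik code and makes no claims about TrafficInsights internals: it buckets constructed flow records into one-minute bins the way the article describes, then re-buckets the same traffic after emulating an exporter that splits any flow alive for more than 60 seconds. The `Flow` field names, the sample addresses and byte counts, and the assumption that a long flow's bytes were transferred at a uniform rate are this example's own.

```python
"""Constructed simulation (not Auvik code) of how a collector that works at
one-minute granularity buckets NetFlow/IPFIX records, contrasting a long
flow charged entirely to its end timestamp with the same traffic exported
under a 60-second active timeout."""
from collections import Counter
from dataclasses import dataclass

BUCKET = 60  # seconds; the dashboard's one-minute granularity


@dataclass(frozen=True)
class Flow:
    """One exported flow record. Timestamps are epoch seconds (inclusive);
    field names are this example's own, not IPFIX information elements."""
    src: str
    dst: str
    start: int
    end: int
    nbytes: int


def bucket_of(ts: int) -> int:
    """Start of the one-minute bucket that contains ts."""
    return ts - ts % BUCKET


def spans_multiple_minutes(flow: Flow) -> bool:
    """Tell-tale of a long flow: the record's start lies in an earlier
    minute than its end, so its bytes were accumulated over more than the
    one minute they get charged to."""
    return bucket_of(flow.start) != bucket_of(flow.end)


def attribute_to_end(flows) -> Counter:
    """Charge every byte of each record to the minute of its end timestamp.
    This is the behaviour described in the article: a long flow becomes a
    spike in the minute it finishes instead of a plateau over its lifetime."""
    hist = Counter()
    for f in flows:
        hist[bucket_of(f.end)] += f.nbytes
    return hist


def split_by_active_timeout(flow: Flow, timeout: int = BUCKET) -> list:
    """Emulate an exporter's active timeout: a flow still alive after
    `timeout` seconds is exported as a record and accounting restarts.
    Bytes are apportioned by time (assumption: a real exporter counts the
    packets actually seen in each interval, which need not be uniform)."""
    total_secs = flow.end - flow.start + 1
    pieces, t, charged = [], flow.start, 0
    while t <= flow.end:
        piece_end = min(t + timeout - 1, flow.end)
        if piece_end == flow.end:
            share = flow.nbytes - charged  # last piece takes the remainder
        else:
            share = flow.nbytes * (piece_end - t + 1) // total_secs
        pieces.append(Flow(flow.src, flow.dst, t, piece_end, share))
        charged += share
        t = piece_end + 1
    return pieces


def expand(flows, timeout: int = BUCKET) -> list:
    """Apply the active timeout to a whole batch of records."""
    return [p for f in flows for p in split_by_active_timeout(f, timeout)]


def spike_ratio(hist: Counter) -> float:
    """Peak minute divided by the mean minute: the 'N times average' figure."""
    mean = sum(hist.values()) / len(hist)
    return max(hist.values()) / mean


# Constructed sample: ten minutes of steady background traffic (ten 5 MB
# flows finishing in every minute) plus one 600 MB transfer that lasts the
# full ten minutes and is exported as a single record when it ends.
LONG_FLOW = Flow("10.0.0.50", "203.0.113.7", 0, 599, 600_000_000)


def sample_flows() -> list:
    flows = []
    for minute in range(10):
        for i in range(10):
            t = minute * BUCKET + 6 * i + 3
            flows.append(Flow(f"10.0.0.{i + 1}", "10.0.1.10", t, t + 2, 5_000_000))
    flows.append(LONG_FLOW)
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    raw = attribute_to_end(flows)
    split = attribute_to_end(expand(flows))
    print(f"long flow spans several minutes: {spans_multiple_minutes(LONG_FLOW)}")
    for minute in sorted(raw):
        print(f"{minute:4d}s  end-attributed {raw[minute] / 1e6:7.1f} MB"
              f"  with 60 s active timeout {split[minute] / 1e6:7.1f} MB")
    print(f"spike ratio: {spike_ratio(raw):.1f}x vs {spike_ratio(split):.1f}x")
```

With the single 600 MB record the tenth minute carries 650 MB against a 110 MB mean, a 5.9x spike that did not correspond to any burst; after the emulated one-minute active timeout every minute carries the same 110 MB. The vendor syntax for the setting is not part of the article: on Cisco Flexible NetFlow it is `cache timeout active 60` under the flow monitor, and on softflowd it is `-t maxlife=60`.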