Bandwidth Traffic: Analyze Traffic Flow with a Bandwidth Monitoring Tool | HelpSystems
On-Demand Webinar

Analyze Traffic Flow with a Bandwidth Monitoring Tool

Get visibility into traffic bottlenecks and congestion with bandwidth monitoring
Windows, Linux, Mac OSX
September 28, 2021


Why is this host using 69% of my bandwidth? What’s causing my HTTP ports to spike? Bandwidth monitoring helps you answer these questions. With real-time visibility into bandwidth traffic data, you can easily identify who or what is consuming all your bandwidth.

Your flows data can tell you a lot about your network activity… and the right bandwidth monitoring tool helps you dig in. In just 30 minutes, we cover:

  • Why flows analysis helps you solve network performance mysteries
  • The benefits of bandwidth monitoring for busy IT teams
  • How to get started with bandwidth monitoring  

If you’ve ever wondered which users, protocols, and applications are draining your bandwidth, now’s your chance to find out. We’ll introduce you to Intermapper, a powerful bandwidth monitoring tool that gives you a complete picture of your network activity. 

A complete transcript of the webinar is below.



Kevin Jackson:    00:02    All right. Good morning and welcome to today's webinar. Today we'll be talking about flows protocol and how it can provide you with some additional monitoring coverage. We'll have a brief Q&A at the end if we have some time, and if you do have any questions, please feel free to send those questions within the questions window in the lower right. Also, if we do have some time left, we'll take a quick look at our NetFlow Collector product and then talk about what we can do going forward.

Kevin Jackson:    00:41    My name is Kevin Jackson. I am the Technical Solutions Consultant from HelpSystems by way of the Intermapper product, and I will be presenting to you today a little bit more about the solutions that we can provide from HelpSystems. Just a little bit about HelpSystems. HelpSystems is a global leader in software, all things software, and not just network operations, but we also perform well in business operations as well. So we have created three tiers to our product, or three groups to our product in terms of how we can essentially help our customers in their day-to-day operations. We have a ton of automation functionality built in, whether it's performance monitoring automation or workload automation products that we can provide to offload some of those manual tasks and processes. We have the ability to manage data. If you have large data processes that you currently are taking care of, we can support that function as well. And then from the security side, obviously security is a paramount in terms of trying to ensure that your company is properly secured. We have a number of different security applications from Secure FTP to managing just overall security whether it's your cloud services or your on-prem solutions we can support those endeavors as well. So we have a total solution built into our HelpSystems portfolio.

Kevin Jackson:    02:16    Our agenda today, we'll talk about bandwidth monitoring, on the different aspects of bandwidth monitoring. We'll talk a little bit about our solution, Intermapper software, and what we can do and how we can support this bandwidth monitoring. And then we give you an idea of how we can get started with the application to try to help you get a better understanding of how your bandwidth is being used.

Kevin Jackson:    02:41    So let's talk about bandwidth monitoring 101. There's two performance metrics that we consider when we talk about bandwidth monitoring. The first is bandwidth utilization, and bandwidth utilization monitoring is essentially is utilization that we can show past and present traffic levels on a specific segment of a link. And it's usually based on some type of level. So whether it's a minimum or an average threshold, or a maximum threshold, this is how we're able to capture that utilization and then present that information and better understand the utilization on your infrastructure. And then the second metrics is bandwidth usage, which refers to the rate of data transfer from a fixed period of time. So what we'll focus today on is from the bandwidth monitoring side is we're going to focus more on the usage side. So providing some parameters that are used to determine bandwidth usage on your network. In terms of bandwidth usage, what we're looking to do is we're looking to get that visibility and typically flows is the way we're able to capture this network usage. So we're trying to figure out who's using the bandwidth, bandwidth hogs applications, et cetera, and then get a better understanding of where we need to improve or what we need to do going forward.

Kevin Jackson:    04:04    So what does this bandwidth monitoring allows you to do? It allows you to identify IPs or hosts to give you a range in terms of percentage wise, or even just an idea of the amount of bandwidth that host is using. And it allows you to pinpoint those frequently visited sites. So if there's someone on your network that's primarily using or accessing a particular site, that information can be captured as well. And it just analyzes downloads and uploads, top talkers, things of that nature. So really good information there.

Kevin Jackson:    04:44    So how does a bandwidth monitoring help IT? First and foremost, one of the things that you want to consider if you don't have a security solution in place, maybe IDS or IPS, having some type of flows capable component or monitoring functionality can also help you and provide you with a low tier security approach. It's not going to replace your security function, but it can give you some semblance of who is trying to hit particular your gateways or your routers. So it can show you some information about possible DDoS attacks and allow for you to do some quick response to mitigate some of these attacks. If you understand the thresholds that you have, you understand your environment, you can also use this software to pinpoint some of those unusual traffic spikes. So if there's a spike in your traffic and you know that this is something that your environment is not used to, you can take a closer look and see if there's a potential issues.

Kevin Jackson:    05:58     And then you can use characterize new increased bandwidth use. Again, inbound, outbound traffic, you can get a better understanding of where the norms are, where optimal functionality is, and then if you need to throttle your bandwidth or you need to increase bandwidth, you can do that with that information. And then forensic information, you can see some historical information. You can go back and see how, maybe do some trend analysis on how your environment has been behaving, but also for compliance purposes you can capture this information and then if asked, you can be able to present this information if there's some type of security audit going on within your organization.

Kevin Jackson:    06:41    And then this gives you an overall data regarding user flows. It essentially allows you to just get an overall view of your bandwidth usage. And the one thing you want to keep an eye on is where you need to place these exporters, these devices, and then how you can capture that information and present it back to you.

Kevin Jackson:    07:05    So let's talk about the different types of flows. So what is flows? Essentially, flows is just how we are able to measure data traveling between devices. So it's how we can accurately determine traffic over a period of time. There is a number of different flows protocol that flow primarily created in the '90s by Cisco to be able to better collect that IP information and traffic as it enters and hits those particular devices and their interfaces. But over the years, NetFlow has evolved from its original inception and become a more adopted model in the industry for bandwidth monitoring or bandwidth usage monitoring. They started out with version one and two, and then they jumped to version five, and now most commonly they're using NetFlow version nine.

Kevin Jackson:    07:53    Some of the other vendors saw this capability and wanted to dip into that market as well. So they developed their own proprietary flows protocol like sFlows, which was created by a group of vendors in order to capture similar reporting and data, but is set up a little differently. Rather than report every packet across the interface, the sFlow functionality captures samples. So NetFlow is essentially allows you to capture a lot of data, pulls a lot of information from your devices. sFlows just looks for sample. So it's a less dataset, but it also just gives you a good understanding of how that traffic, how the indication of bandwidth usage. Now, later Cisco comes out with IPFIX, which is designated as NetFlow version 10, which is a more advanced version of flows that allows users to configure and add additional information to their standard field.

Kevin Jackson:    08:58    So typical flows have fixed templates with fixed amount of data. IPFIX allows you to expand that information that you're able to capture from these devices, create these additional groups of data so that you can collect. So this allows you more visibility into the type of information that you're able to capture. So again, the main protocols that you'll see is NetFlow, sFlow, JFlow. JFlow is primarily use for as Juniper proprietary protocol. So that's what they use for their devices. And then IPFIX supports moreso the Cisco infrastructure. But these are the different types of flows components that you're able to see. This is the data and information that you're able to capture. Source, destination IP addresses, the type of service that is being sent or being utilized, and then the interfaces that the devices are using to capture that information.

Kevin Jackson:    10:06    How does it work? So what we call a NetFlow exporter essentially is just a device that supports this type of protocol, this types of technology. And an exporter could be a router, it could be a switch, it could be a firewall, any device that can basically capture this type of traffic and present this traffic can be considered an exporter. So the first thing we need to do is identify whether the device supports this type of technology, and then figure out what amount of information or where the information we want to capture and where we want to push it to. So you have your flow is exporter, and then you need some type of software to be able to identify what this information is. So essentially what we do is the data is basically sent in this packet form and we need to figure out what this packet form this information is so we can extrapolate this information and present it back to you.

Kevin Jackson:    1:09    So this is just an example of how you would set up a typical exporter and from where the information and where the information is going to. So you have your network traffic information. You can have your remote offices if you have additional sites. And then you have your main office as well. And this device here, maybe it's a router or it's a firewall, or maybe it's a layer three switch that does routing, the device sits strategically between these two environments here. Now we want to capture that traffic information from wherever it's coming from and then we want to push it to some type of a collector. So the software is sitting on the server and it's collecting this data and then it's able to take that information and give you some feedback in terms of what that information is. So a very, very simplistic way of utilizing, and very simplistic way of identifying where strategically where these "exporters" need to live.

Kevin Jackson:    12:14    Why Intermapper? Intermapper has, part of the architecture of the software is we have our network monitoring solution, which is the ability to monitor your network infrastructure, the ability to capture bandwidth traffic and utilization information so you can get a better understanding and put thresholds to your devices so we can alert you and alarm you when those devices hit a particular threshold. And then we have an add-on to that product called Intermapper Flows Application, which is our NetFlow Collector application. So what we're able to do is A, use the main Intermapper software to monitor bandwidth utilization, and then use our Flows component to monitor bandwidth usage. So we're able to capture this information. We're able to show you the top talkers, we're able to show you the top listeners, we can analyze a NetFlow data in real-time and present you back feedback in terms of a charting function. So you can drill into the chart and see exactly who's talking at that particular time. You can show different increments in terms of timeframe. If you need to go down to the second of when that traffic was being used, you can go down to the second.

Kevin Jackson:    13:38    So again, this allows you to spot potential increase in bandwidth usage, see where the increase is happening, see who is using that particular bandwidth. And then this gives you some tangible information that you can utilize to make those necessary improvements. You can use this information as a way to A, if the traffic that you've just investigated is traffic that is work-related and needs to be improved upon, then you can go back to the higher ups and say, "Hey listen, this is information that we've gotten back from our product. This is saying that we don't have enough bandwidth to support business needs. So what we can do is we need to increase the bandwidth function so our employees are more efficient and have the tools that they require to be able to do their jobs." Or you can go back and say, "We've been analyzing the data and looking at this usage and we realize that there's a lot of folks that's not necessarily doing work-related functions. They're doing a lot of downloading of things from different sites or they have open connections to places that they're not supposed to." So what you can do is you can take this information and then throttle the bandwidth, or maybe add additional components built in to secure and control what the customers or what the users are utilizing. So that's another way to plan for those needs.

Kevin Jackson:    15:14    And then you can also use it to troubleshoot. You can use it to figure out if the traffic or the bandwidth that you're using is unusual based on your internal parameters. So once you've identify your baseline in terms of the traffic that your company or your organization use on a day-to-day basis, you can use this as a way to compare the two. So if there's unusual spikes in usage, then you know that there's something going on, and then you know that you need to take a look at this, that kind of inference. And then we can show some additional information in terms of the IP that are connected to the highest number of hosts. So you can capture that information and see who's really, really hogging up the bandwidth on your network.

Kevin Jackson:    16:06    So what is Intermapper? As I mentioned, Intermapper is a network monitoring solution. Primarily what we do is we're able to provide feedback in terms of our visualization components. So we can go out there and do network discovery. We can create network topology maps from a layer two and a layer three standpoint. We create these maps, these visuals, and then we're able to add performance and provide you with performance monitoring metrics within the maps themselves. We can also create charts and graphs. So it gives you a real-time look at the information at a glance. So we have our charting and graphing functionality, which is outside of the Flows component. Flows has its own interface and has his own capabilities and functions. But the Intermapper software, the main monitoring software has the charting and graphing functionality where we can show you spikes and peaks or anomalies from a bandwidth utilization standpoint. So we're able to monitor the bandwidth utilization of bandwidth traffic using our main monitoring function. And then using the Intermapper Flows component, we're able to monitor the actual usage.

Kevin Jackson:    17:24    So an example would be if you're monitoring one of your routers, you're monitoring the interfaces, we can see and show you the the traffic on each one of those interfaces in a percentages, or just give you in bytes. In terms of bytes, we can give you how much data is being transmitted and how much data is being received. But what exactly is that data? What does that data mean? Then you can use the Intermapper Flows component to give you a better understanding of what that data is. So that's how the two applications will work in conjunction with each other.

Kevin Jackson:    18:08    And then we have in terms of the flexibility in monitoring, just about anything with an IP address, whether it's a standard function or standard device within your organization, or even nonstandard devices that sits within your space, i.e. HVAC environmental sensors, IP cameras, door sensors, things of that nature, security systems. Intermapper does a really good job of identifying these devices and giving you the ability to add these devices on the map so you can see everything holistically and everything at a glance.

Kevin Jackson:    18:44    And then in terms of a compatibility, our software is supported on pretty much any other major operating system. So Windows, Linux, Mac, we can run our applications on. And then we have the free 30-day trial. So you can take a look at the product, you can install it, fully functional application. And one of the things to know with our application is if you do install the free trial, if you run and create your maps, if you build out your mapping network and configure the maps and the software to where you're seeing some data and capturing data, even from the Flows components side, to go from the free trial to a ready-made it's just a matter of changing the license. So there's no need to re-install. There's no need to recreate. To go from trial to production is just a matter of a license. So that makes what you've done prior, what you've done during the trial is something that you don't have to change once you go to a production environment.

Kevin Jackson:    20:01    So these are some of an examples of some of the live maps that we are able to present. You can make the maps as simplistic as you want to based on your environment, or you can make the maps as detailed and complex as you want to. You can nest maps and do drill-downs, so you can use background images. You can use icons built in to the product to create more accurate depiction of your network and the devices that you're working with as well.

Kevin Jackson:    20:32    And then these are some of the charts and graphs. Again, these are essentially the information presented by our NetFlow component. You can see top talkers, top listeners, top application ports. And then our flexibility and monitoring comes from the probes that we have built into the product. The probes essentially is the backbone of what we do. It's what we use to essentially interrogate the devices and capture information that these devices support and then present them within the mapping interface. So again, SNMP is what we support. We support ICNP as well, but we also are able to support every other protocol you can utilize. So whether it's TCP, HTTP, WMI, PowerShell. So we are very flexible in terms of the different types of protocols we can support. SNMP v1, v2c, v3. So we support all those SNMP versions.

Kevin Jackson:    21:34    And then we have the ability to create custom probes. We have close to 200 built-in probes within the product. If the built-ins is not enough for you to monitor your devices, you can create your own custom probes based on the information that you want to monitor based on the performance information that you're looking to do.

Kevin Jackson:    21:56    This is just a use case from one of our customers. The problem was, HR there was concerned about the business units there. They were wasting time using social media sites at work. So what solution is to use Intermapper, and what able to do is capture this information, and then they were able to send HR regular reports based on the internet activity of these employees. So at least HR can monitor information, see who's using social media sites and how often they're using those sites. So that's just a very basic use case where a product like Intermapper Flows can be able to help outside of the IT department, but also help the HR department determine and try to figure out where employees can be more efficient, or where time is being wasted during work hours.

Kevin Jackson:    22:59    So how do you get started? A few things to note and a few questions to ask when investigating Flows component is, the first thing and most important thing is does your equipment support Flows? And typically you can get that information by doing a search, or you can contact the vendor directly and the vendor should be able to identify and tell you whether your device support Flows. One thing to note about this as well is depending on the model and the operating system that the device supports, that can be the difference whether that device supports Flows or not. So what they'll do is, maybe you don't have the latest OS or iOS image on your device and that might be the difference between that device supporting Flows technology or not. So you might need to update your device to the latest version of the iOS or operating system so you can take advantage of the Flows protocol.

Kevin Jackson:    24:10    Then the next question to ask is how many exporters do I need? And this depends on the size and scope of your network. This depends on what kind of topology you have and where these devices are sitting. So you need to figure out do I want to have Flows exported from each one of my, if I have multiple sites or remote offices and I have routers at each one of those sites, do I want Flows to be... Do I care about Flows or usage at each one of these sites, or do I just care about my main site? Are all these routers coming back to my main router and then going out? So it really depends on how your network is laid out to determine how many exporters you need to be able to capture that information.

Kevin Jackson:    24:59    And then how can I plan for Flows traffic? Typically, planning for the Flows depends on the number of exporters, obviously, and how much data you're going to be collecting. It's very difficult to be able to size based on that, because you can have 20 exporters and not have a lot of data being collected, or you can have one exporter and have millions and millions of Flows being collected because you have a very active network. So we have to take those into consideration, understand that there is a load based on performance and also based on storage requirements because the data is stored locally. So we have to consider those factors as well.

Kevin Jackson:    25:49    And then that goes into the number four, how do I plan for Flows data storage? As I mentioned, it really depends on how much Flows per per hour you're generating. You can generate millions and millions of Flows using one exporter or multiple exporters, or you can generate very little Flows using multiple exporters. So once you start capturing the information, you'll be able to get a good understanding of the size and scope of the data that you're able to capture. And then from there you can determine how many Flows exporters you want to be able to utilize. And what you can do also is you can start with one to two and then ramp up, or you can stagger between the Flows exporters if you need to change from one. You don't want to do multiple exporters, but you want to be able to stagger from one to another. You can get two license or one license for two devices, and then turn one off on one device, and then turn one on on the other device and go back and forth.

Kevin Jackson:    26:51    Now, the caveat with that is once you stop exporting traffic from a device or stop capturing the information from a device, there's going to be a gap in when you turn the exporter off sending to when you re-enable that exporter and collecting the data again. So there's going to be that gap where you will no longer be capturing the information between that time frame. So that's what would happen if you were to stagger your Flows component between one license.

Kevin Jackson:    27:25    So how do we get started? As I mentioned, we have a free 30-day trial, fully functional software that has both the Intermapper main monitoring function as well as the Intermapper Flows component. These are some of the things that you need to keep it in consideration. Remove firewall restrictions and then you can configure your exporters to send the data to Intermapper Flows server, which will collect that information and then be able to provide that feedback. And then once configured, we'll be able to detect the data automatically. So 99% of the configuration is done on the device side. Intermapper will sit, listen, and collect the information, and then be able to present that information back to you.

Kevin Jackson:    28:13    So if you have any questions, please feel free to reach out to us. You can let us know questions, comments, feedback concerns. We have a ton of resources online to be able to help you through the process. If you have Cisco devices that you want to configure Flows for or Juniper devices, there's sample configurations on the site. And then to be able to get to the Intermapper free trial, just go to the HelpSystem site and to start the free trial. If you have any questions, please, once again, reach out to us and let us know.

Kevin Jackson:    28:49    And just really quickly, I just want to show you the interface of the software. This is our Intermapper main monitoring software. So as you can see, we're able to monitor from just a visual standpoint, you can see the traffic Flows on your devices. And as I mentioned before, we're able to monitor utilization traffic. So we're able to monitor the data being transmitted, data being received. You can see errors and discards. So the question is, I'm monitoring this particular device, what exactly is this 63% utilization traffic? So this is where the Intermapper Flows component will come into play where we're able to look at an interface and see exactly who's using 63% of the traffic on this particular interface. So our Flows component has its own interface, and this is the interface. It's able to show you top talkers, top listeners, and you can see top applications. We can scroll through the applications, see what type of applications, protocols, ports, how much data, percentage of bandwidth. We can see the top sessions as well. We can see, okay the client server connections, who's connected to what, what protocols that person is using, how much bandwidth, what ports, what protocols, et cetera.

Kevin Jackson:   30:19     So this gives you a really good understanding of bandwidth usage and consumption. And then you can also see some historical information. So if you need to go back months or whenever you started collecting data, you can go back and pull that information. You can drill into the chart if you need to get more granular to go down to the, maybe you want to go down to the second, see what kind of data was happening at that time. Or if you want to see specific interfaces, you can go on a specific interface and see who was talking on that particular interface. So if you have a device that's supporting multiple interfaces, capturing and pushing information to a collector, you can see exactly who's been talking on that particular interface as well. So that's a just a little bit about the software. And then once again, if you have any questions, please feel free to reach out. Thanks again for joining.

Try Monitoring Bandwidth Traffic Yourself

With Intermapper you can monitor bandwidth traffic and consumption in real time. Download a free 30-day trial to get started. 

Stay up to date on what matters.