opFlow provides the option to use and keep raw flow (NetFlow) data and/or to use summarised flow data. Several configuration options control how opFlow does this, and this article describes them.

...

There are 7 configuration options to control this behaviour:

| Configuration | Default | Unit | Description |
|---|---|---|---|
| opflow_summarisation_interval | 60 | Seconds | the length, in seconds, of the period that raw flows are summarised into |
| opflow_summarisation_enabled | true | Boolean | true or false to enable or disable flow summarisation |
| opflow_summarisation_display | true | Boolean | true or false to enable the display of summarised flow data |
| opflow_keep_raw_flows | true | Boolean | true or false to keep the raw flow data or not |
| opflow_display_raw_flows | true | Boolean | true or false to enable the display of raw flow data where it is best used; in the conversation matrix it is used by default |
| opflow_raw_flows_age_days | 8 | Days | the number of days to keep the raw flow data |
| opflow_conversation_age_days | 42 | Days | the number of days to keep the summarised flow data |

...

As the raw flow records are processed, the data is pooled in a buffer, grouped by the combination of the summary interval, the source IP address, the destination IP address and the application (which is derived from the protocol and the source and destination UDP or TCP port). For example, if a network management server is requesting SNMP from a router, NetFlow sees each UDP get/response as a flow, which may be only a single packet. After summarisation, the information about the server talking to the router is still there, but it is represented as a single summarised flow record with all the data summarised together.
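
The pooling described above, as an added Python example (not opFlow's own code): raw flows are grouped by interval start, source IP, destination IP and application, and their counters are added together. The record field names, the `KNOWN_APPS` port table, the fallback application label and the sample flows are all constructed assumptions.

```python
from collections import defaultdict

SUMMARY_INTERVAL = 60  # seconds, the default of opflow_summarisation_interval

# Assumption: a tiny port-to-application table; opFlow's real mapping is not shown here.
KNOWN_APPS = {("udp", 161): "snmp", ("udp", 53): "dns", ("tcp", 443): "https"}

def application(proto, sport, dport):
    """Derive an application from the protocol and either port (assumed rule)."""
    for port in (dport, sport):
        if (proto, port) in KNOWN_APPS:
            return KNOWN_APPS[(proto, port)]
    return f"{proto}/{min(sport, dport)}"  # assumed fallback label

def summarise(raw_flows, interval=SUMMARY_INTERVAL):
    """Pool raw flows by (interval start, source IP, destination IP, application)."""
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for f in raw_flows:
        start = f["time"] - f["time"] % interval  # start of the summary interval
        app = application(f["proto"], f["sport"], f["dport"])
        bucket = buckets[(start, f["src"], f["dst"], app)]
        bucket["flows"] += 1
        bucket["packets"] += f["packets"]
        bucket["bytes"] += f["bytes"]
    return dict(buckets)

def sample_flows():
    """Constructed sample: a management server (192.0.2.10) polling a router (192.0.2.1)."""
    nms, router, flows = "192.0.2.10", "192.0.2.1", []
    for i in range(5):  # five single-packet gets, each from a new ephemeral port
        t = 1200 + i * 10
        flows.append({"time": t, "src": nms, "dst": router, "proto": "udp",
                      "sport": 40000 + i, "dport": 161, "packets": 1, "bytes": 90})
        flows.append({"time": t, "src": router, "dst": nms, "proto": "udp",
                      "sport": 161, "dport": 40000 + i, "packets": 1, "bytes": 140})
    # One more get that falls into the next 60-second interval.
    flows.append({"time": 1265, "src": nms, "dst": router, "proto": "udp",
                  "sport": 40005, "dport": 161, "packets": 1, "bytes": 90})
    return flows

if __name__ == "__main__":
    for key, totals in sorted(summarise(sample_flows()).items()):
        print(key, totals)
```

Eleven raw flows collapse into three summarised records here, and the summarised records no longer carry the individual ephemeral ports or per-flow timestamps, which only the raw flows retain.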

...