opFlow can use and keep raw flow (NetFlow) data, summarised flow data, or both. Several configuration options control how opFlow does this, and this article describes them.
...
There are 7 configuration options that control this behaviour:
Configuration | Default | Unit | Description |
---|---|---|---|
opflow_summarisation_interval | 60 | Seconds | the length, in seconds, of the period that raw flows are summarised into |
opflow_summarisation_enabled | true | Boolean | true or false to enable or disable flow summarisation |
opflow_summarisation_display | true | Boolean | true or false to enable the display of summarised flow data |
opflow_keep_raw_flows | true | Boolean | true or false to keep the raw flow data or not |
opflow_display_raw_flows | true | Boolean | true or false to enable the display of raw flow data where it is best used; in the conversation matrix it is used by default |
opflow_raw_flows_age_days | 8 | Days | the number of days to keep the raw flow data |
opflow_conversation_age_days | 42 | Days | the number of days to keep the summarised flow data |
...
As the raw flow records are processed, the data is pooled in a buffer, grouped by the combination of the Summary Interval, the source IP address, the destination IP address and the application (which is derived from the protocol and the source and destination UDP or TCP port). For example, if a network management server is polling a router with SNMP, NetFlow sees each UDP get/response as a flow, possibly of a single packet. After summarisation, the information about the server talking to the router is still there, represented as a single summarised flow record with all the data summarised together.
...