What is Network Flow Monitoring, and Why You Shouldn’t Live Without It

Old network salts likely know all about network flows and the value of network flow monitoring. As former News Editor for Network World and Editor in Chief of Network Computing, network flows are part of my old stomping grounds. In fact, I remember when Cisco invented NetFlow in the late 1990’s to collect traffic data from its routers and switches so it could be analyzed by network pros.

What is Network Flow Monitoring? 

Before we dive into network flow monitoring, we must first define a network flow. Without totally geeking out, a network flow is simply the communications between two endpoints that occur during a session that opens and closes.  

Many of your network devices, such as firewalls, routers and switches capture these flows, which are packets with certain common characteristics such as protocol, destination port and source and destination address. Once the communication is complete and the flow dormant, records of the flow are exported by the device and can be gathered by a flow collector. More on flow collectors shortly. 

Network flow monitoring goes by a number of names, including packet analysis (but not deep packet analysis), network traffic analysis, bandwidth monitoring or bandwidth utilization analysis. 

How Network Flow Monitoring Works 

Flow monitoring requires that flows first be captured, which is the job of a flow collector — often a stand-alone appliance that gathers and stores flow data which it gets from flow-enabled devices such as routers, switches and load balancers. Today’s collectors can also get this data from dedicated probes and other flow sources. 

Benefits of Network Flow Monitoring 

Flow monitoring has a number of benefits. Here are a large handful: 

• RTT (Round Trip Time) – delay introduced by the network itself; length of time it takes for a data packet to be sent plus the length of time it takes for an acknowledgment of that packet to be received, this indicator is measured from clients to server in TCP traffic. 
• SRT (Server Response Time) – delay introduced by network service or application itself; length of time it takes for the server to start sending data after the request from the client is accepted and confirmed, this indicator is measured from server to client in TCP traffic. 
• Retransmissions – number of retransmitted packets which were damaged or lost. 
• Delay – time delays between packets, minimal, maximal, average value and deviation, this indicator is measured in both direction of network communication. 
• Jitter – calculated from delay as variance, minimal, maximal, average value and deviation. 
• Out-of-order Packets – number of packets delivered in a different order from which they were sent. 

With such data, network pros can: 

• Know what applications, hosts or users are eating up your precious network bandwidth; 
• Find and fix network congestion problems; 
• Make sure proper bandwidth is allocated to your most important applications; and 
• Discover malware and attacks before they cause harm. 

Flowmon: Master of Network Flows, Driver of Network Performance 

Flowmon is a flow-based network performance monitoring solution that tracks bandwidth usage, helps IT understand their traffic structure and uses this information to find the root cause of network problems whether they occur on-premises, the edge or in your cloud environment. 

In our case, the Flowmon Collector processes flow data including NetFlow, IPFIX, sFlow, jFlow, cflowd, NetStream and scads more, and gets flows from an array of network devices including switches, routers, firewalls, packet brokers or our own Flowmon Probes. 

On the cloud side, Flowmon supports AWS, Azure and Google Cloud Platform. 

Flowmon can be equipped with our network-centric Anomaly Detection System (ADS) that spots anomalous behaviors in network traffic that could indicate a breach attempt incursion, malware or insider threat and alerts IT. 

Bring Flow Monitoring to Next Level with NPMD 

“Network infrastructure is the nervous system of every business. Its outages, bottlenecks, delays and other issues can cause real troubles to employees and negatively impact customers,” the Flowmon Network Performance Monitoring page explains. “Network Performance Monitoring (NPM) tools help administrators to avoid these situations, troubleshoot performance issues and distinguish between delays caused by the network itself and delays caused by applications and services.” 

There is not just NPM, but these tools can also do diagnostics, thus the name Network Performance Monitoring and Diagnostics (NPMD) was coined. “NPMD solutions provide visibility and diagnostics to ensure enterprise networks can support mission-critical applications, especially with the advent of virtualization, the cloud and the Internet of Things,” Gartner argues. “Future-proof network monitoring by investing in NPMD tools that provide the required level of visibility in your hybrid environments, including edge network and cloud network monitoring.” 

Here are some items Flowmon NPMD handles handily: 

Performance Monitoring 

• Round trip time, server response time, delay, jitter 
• Triage and post-incident forensics tooling 
• Comprehensive flow and full packet capture-based network analysis 
• Monitor database-level application performance, SLAs, errors, latency. 
• SaaS performance monitoring 
• Measure fault, performance and availability 

Security Monitoring

• Encrypted traffic analysis 
• Behavior analysis and threat detection including malware, ransomware, insider/unknown threats, botnets, crypto mining and more 
• Automated incident response 

Benefit One: Fixing Intermittent Network Performance Issues 

One of the most vexing issues network pros face are intermittent performance problems. These problems stifle end user productivity and put Quality of Service (QoS) and related SLAs in jeopardy.  

“It is imperative that applications are always available and responsive. A problem of the latter kind is often a worse issue than an application being unavailable because offline applications are easy to spot. Your infrastructure monitoring tool’s display dashboard will probably turn red, and there will be email and SMS alerts to the IT team,” our Using Flow Data to Better Understand Your Networks and Application Experience blog explained. “But performance issues are more insidious than offline applications, and they not only impact the productivity of users, they also degrade the trust in the IT team. When apps are slow, it’s very frustrating for end-users, but for IT it’s often hard to find any issues. It’s the dreaded ‘it works fine for me’ problem.” 

Think your current solutions can handle this? Not necessarily. “Existing infrastructure monitoring tools are great for alerting IT teams when a piece of equipment, application, or service is down, but they are not very useful for pinpointing problems when users complain that ‘the system is slow!’” the blog warned. 

The good news is that flow monitoring is tailor made for such a situation that offers the network visibility needed to spot, define and fix intermittent issues. 

Network flow monitoring relieves these IT ills by offering visibility into them when the performance degrades, by how much and where exactly did it occur. This is the basis of root cause analysis that leads to a solution. 

Benefit Two: Boost Cybersecurity  

Flow data analysis can also help detect suspicious activity if there is a cybersecurity breach. Even with the best defenses in place, it’s only a matter of time before some attacker finds an entry point.  

Dwell time before discovery after cybercriminals have breached defenses is often measured in months. Flow data monitoring and analysis can reduce this dwell time dramatically.  

The behavior analysis engine built into Flowmon bridges the gap between perimeter defenses and endpoints on the network. It can alert about unexpected network activity such as sudden data transfers from the network to Internet locations, a common symptom of an impending ransomware attack. Often, cybercriminals copy data to sell on the dark web or to use to blackmail an organization after encrypting their data.  

“Thanks to the ability to capture, process and analyze network traffic, Flowmon helps us detect and investigate data flows that may indicate the possible compromise of a team (IoC). Flowmon provided us with deep visibility into all the tactics, techniques and procedures that attackers use to exploit the network, expand control and do persistence, as well as parameters to identify and avoid any possible case of data leakage,” said Carlos Cruz, Security Specialist at FUNO México. “Flowmon helped us expand network flows’ visibility to timely detect any possible attack, anomalous behaviors and better understand the network infrastructure. And, above all, to a timely decision making in the face of the diversity of events.” 

Benefit Three: Optimize Your Network and Save Money 

Flow monitoring understands the total state of traffic and bandwidth, and these reports help plan for economically efficient network upgrades. In current terms, you’ll also save money by making efficient use of the bandwidth you already have by prioritizing traffic and fixing snafus. 

Three Flowmon Customers Share Five Star Experiences 

A cardinal rule of IT: to get the truth about a product, ask a customer. That is exactly what Gartner did in its Network Performance Monitoring report. In it, Flowmon earned a 4.8 rating with a 5.0 being the highest a product can attain. 

Here’s what three customers who gave Flowmon 5 stars said. 

1. “Nowadays internet surge is very high and in these situations we really need a network analytic solution which will constantly monitor the Netflow and give you the best solution for your network visibility. It will also protect the network from cyber threats like DDoS,” enthused one customer. 
2. Another feels safer with Flowmon on guard. "Nowadays, keeping an eye on internet browsing history and analyzing the data flow is very difficult. The Flowmon solution made this task easier. We can analyze the network flow and also identify the security threats in the network,” the user said. 
3. Flowmon helped one customer make quick work of a DDoS attack. “Flowmon offers great features that help with responsive and proactive threat detection. We have detected several threats on our network before they were able to fully execute. This proactive detection sets it apart from other vendors. Flowmon response helped us to detect DDoS and botnet when we implemented it for our Security Operations team.”