How to use the Service Template NetworkAnalysis-NetFlow

The NetFlow plugin allows you to monitor the throughput generated by an application, a source IP or a destination IP and generate alerts if defined thresholds are exceeded, it also creates data and performance graphs in the same way as other plugins.


Use cases and good practices for using plugins:

The plugin has been created so that it can meet specific needs. It offers different fields populate, to target bandwidth consumption.

Ideally, each instantiated plugin should serve a particular need. For example, measuring the throughput generated by a messaging service. In this case, the user will fill in the different fields required for this measurement (destination mail server IP, SMTP port 25 ….).




NetFlow is a network protocol used to count IP network traffic. It was developed by Cisco Systems. Nowadays, NetFlow has become an industry standard supported by many devices. There are several versions of the protocol, but the most common versions are versions 5 and 9.


Network flows

NetFlow uses the concept of a stream to capture network behaviour data, such as the source and destination of network traffic, applications using the network, and the amount of bandwidth utilised by those applications.

A stream is a unidirectional sequence of packets between a source and a given destination, defined by a 7-tuple key comprising the following fields:

  • Source IP address
  • Destination IP address
  • Source Port
  • The port of destination
  • IP protocol
  • Input interface
  • Type of IP service
  • NetFlow records

The NetFlow information collected by the Flow Publisher is managed by creating records for each feed. Each record is managed in the NetFlow cache. When packets are captured, statistics for active flows are updated. Once a stream has been created and placed in the NetFlow cache, persisting until it times out. After the flow has elapsed, the flow record is added to a NetFlow export datagram for transmission to the NetFlow collector.


NetFlow support

In addition to Cisco, many network equipment manufacturers offer NetFlow support on their enclosures. The list includes Juniper, Alcatel-Lucent and Nortel, among others. For software platforms, there is support for VMWare servers and Linux.

Some manufacturers use alternative names for this technology:

  • Jflow or cflowd at Juniper Networks
  • NetStream at 3Com / HP
  • NetStream at Huawei Technologies
  • Cflowd at Alcatel-Lucent
  • Rflow at Ericsson
  • AppFlow at Citrix



Network elements (switches and routers) establish statistics on the network flow data they export to collectors. These detailed statistics can include numbers of packets and bytes, application ports, IP addresses, quality of service fields, interfaces through which they pass, and so on.

The architecture for collecting information on IP network traffic is as follows:

  • NetFlow Exporter: Monitors packet data, creates records of monitored network traffic, and passes this data to the NetFlow Collector.
  • NetFlow Collector: Collects the records sent by the exporter, stores them in a local database.
  • ServiceNav BOX: Retrieves information collected by the NetFlow Collector according to the requirements set in NetFlow plugin parameters
  • SNP (monitoring platform) allows for the visualisation the collected NetFlow data reported via the ServiceNav BOX



Configuring the NetworkAnalysis-NetFlow Service Template

In best practice, the NetworkAnalysis-NetFlow service template should be linked to the NetFlow Exporter (the switch or router that exports the NetFlow data) but you can also link it to any other host or System Up if needed.

After you have instantiated the NetworkAnalysis-NetFlow service, you need to configure the service based on the particular analysis requirement. As a reminder, the plugin has been designed to monitor the throughput of an application.

The following mandatory fields must be completed:

  • Collector Storage: Collector Storage Address
  • Bandwidth Allocated: Value in the chosen unit
  • Unit: Output Unit: kbps, Mbps, Gbps
  • Alert threshold: Alert threshold in%
  • Critical threshold: Critical threshold in%
  • Directory Name: The path of the directory containing the exports related to an interface
  • Absence status: Status to give in case of inactivity, eg 0 for OK

The other fields to be informed make it possible to target the flow to be monitored according to the need.


Example of a configuration targeting the throughput generated by a mail server:

The service will provide you with the following information:

  • A status according to the set thresholds
  • The flow rate generated in the chosen unit
  • Performance data
  • Metrics in absolute values and percentage of use

Metrics in absolute values:

Metrics in %:

Dashboard configuration

After you have instantiated as many NetworkAnalysis-NetFlow service as you have streams to monitor, you can create one or more dashboards to display the use of bandwidth, by business, and be alerted according to defined thresholds.

Here is a dashboard example:


UK ServiceNav Product Development Manager; my priority is to be needful of the particular requirements of all ‘English-speaking’ markets where ServiceNav is sold. I have over 20 years experience of the IT monitoring field - covering a wide variety of products and technologies.